diff --git a/infrastructure/environments/demo-cfn-create-args.yaml b/infrastructure/environments/demo-cfn-create-args.yaml index 419858fd..69f579ff 100644 --- a/infrastructure/environments/demo-cfn-create-args.yaml +++ b/infrastructure/environments/demo-cfn-create-args.yaml @@ -33,7 +33,13 @@ Parameters: # - ParameterKey: IAMRoleAndPolicyPrefix # ParameterValue: xxxxxxxxxx # - ParameterKey: CustomDomain -# ParameterValue: xxxxxxxxxx +# ParameterValue: pcui.example.com +# - ParameterKey: CustomDomainCertificateArn +# ParameterValue: arn::acm:::certificate/ +# - ParameterKey: CognitoCustomDomain +# ParameterValue: auth-pcui.example.com +# - ParameterKey: CognitoCustomDomainCertificateArn +# ParameterValue: arn::acm:::certificate/ Capabilities: - CAPABILITY_AUTO_EXPAND - CAPABILITY_NAMED_IAM diff --git a/infrastructure/environments/demo-cfn-update-args.yaml b/infrastructure/environments/demo-cfn-update-args.yaml index 6c2dae37..cc2a154c 100644 --- a/infrastructure/environments/demo-cfn-update-args.yaml +++ b/infrastructure/environments/demo-cfn-update-args.yaml @@ -34,6 +34,12 @@ Parameters: UsePreviousValue: true - ParameterKey: CustomDomain UsePreviousValue: true + - ParameterKey: CustomDomainCertificateArn + UsePreviousValue: true + - ParameterKey: CognitoCustomDomain + UsePreviousValue: true + - ParameterKey: CognitoCustomDomainCertificateArn + UsePreviousValue: true Capabilities: - CAPABILITY_AUTO_EXPAND - CAPABILITY_NAMED_IAM diff --git a/infrastructure/parallelcluster-ui-cognito.yaml b/infrastructure/parallelcluster-ui-cognito.yaml index 062ea7c2..93efd61d 100644 --- a/infrastructure/parallelcluster-ui-cognito.yaml +++ b/infrastructure/parallelcluster-ui-cognito.yaml @@ -17,10 +17,19 @@ Parameters: Description: 'Prefix applied to the name of every IAM role and policy (max length: 10)' Default: '' MaxLength: 10 + CustomDomain: + Type: String + Description: (Optional) Custom domain name. If omitted, the default domain name will be used. + Default: '' + CustomDomainCertificateArn: + Type: String + Description: '(Optional) ARN of the ACM Certificate issued for the custom domain. This is required only if `CustomDomain` is specified.' + Default: '' Conditions: GovCloud: !Equals [!Ref AWS::Region, 'us-gov-west-1'] UsePermissionBoundary: !Not [ !Equals [ !Ref PermissionsBoundaryPolicy, '' ] ] + UseCustomDomain: !Not [!Equals [!Ref CustomDomain, '']] Metadata: AWS::CloudFormation::Interface: @@ -34,6 +43,11 @@ Metadata: Parameters: - IAMRoleAndPolicyPrefix - PermissionsBoundaryPolicy + - Label: + default: (Optional) Custom Domain + Parameters: + - CustomDomain + - CustomDomainCertificateArn ParameterLabels: AdminUserEmail: default: Initial Admin's Email @@ -73,7 +87,14 @@ Resources: Type: AWS::Cognito::UserPoolDomain Properties: UserPoolId: !Ref CognitoUserPool - Domain: !Join [ "-", ["pcui-auth", !Select [2, !Split [ "/", !Ref 'AWS::StackId']]]] + Domain: !If + - UseCustomDomain + - !Ref CustomDomain + - !Join [ "-", ["pcui-auth", !Select [2, !Split [ "/", !Ref 'AWS::StackId']]]] + CustomDomainConfig: !If + - UseCustomDomain + - { CertificateArn: !Ref CustomDomainCertificateArn } + - !Ref AWS::NoValue CognitoUserPool: Type: AWS::Cognito::UserPool @@ -125,9 +146,19 @@ Outputs: UserPoolAuthDomain: Description: The domain of the authorization server. - Value: !Sub - - https://${Domain}.${Auth}.${AWS::Region}.amazoncognito.com - - {Domain: !Ref UserPoolDomain, Auth: !If [GovCloud, 'auth-fips', 'auth']} + Value: !If + - UseCustomDomain + - !Sub https://${UserPoolDomain} + - !Sub + - https://${Domain}.${Auth}.${AWS::Region}.amazoncognito.com + - {Domain: !Ref UserPoolDomain, Auth: !If [GovCloud, 'auth-fips', 'auth']} + + CustomDomainEndpoint: + Condition: UseCustomDomain + Description: | + The endpoint associated with the custom domain name. + Add an A record in your DNS for the custom domain name pointing to this endpoint. + Value: !GetAtt UserPoolDomain.CloudFrontDistribution UserPoolId: Description: Cognito UserPool Id diff --git a/infrastructure/parallelcluster-ui.yaml b/infrastructure/parallelcluster-ui.yaml index c9a84204..f1355f6f 100644 --- a/infrastructure/parallelcluster-ui.yaml +++ b/infrastructure/parallelcluster-ui.yaml @@ -66,6 +66,18 @@ Parameters: Type: String Description: (Optional) Custom domain name. If omitted, the default domain name will be used. Default: '' + CustomDomainCertificateArn: + Type: String + Description: '(Optional) ARN of the ACM Certificate issued for the custom domain. This is required only if `CustomDomain` is specified.' + Default: '' + CognitoCustomDomain: + Type: String + Description: '(Optional) Custom domain name for Cognito. If omitted, the default Cognito domain name will be used.' + Default: '' + CognitoCustomDomainCertificateArn: + Type: String + Description: '(Optional) ARN of the ACM Certificate issued for the Cognito custom domain. This is required only if `CognitoCustomDomain` is specified.' + Default: '' Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -108,6 +120,9 @@ Metadata: default: (Optional) Custom Domain Parameters: - CustomDomain + - CustomDomainCertificateArn + - CognitoCustomDomain + - CognitoCustomDomainCertificateArn - Label: default: (Debugging only) Infrastructure S3 Bucket Parameters: @@ -153,6 +168,7 @@ Conditions: UsePermissionBoundaryPCAPI: !Not [!Equals [!Ref PermissionsBoundaryPolicyPCAPI, '']] UseIAMRoleAndPolicyPrefix: !Not [!Equals [!Ref IAMRoleAndPolicyPrefix, '']] UseCustomDomain: !Not [!Equals [!Ref CustomDomain, '']] + UseCognitoCustomDomain: !Not [!Equals [!Ref CognitoCustomDomain, '']] Mappings: ParallelClusterUI: @@ -171,6 +187,8 @@ Resources: AdminUserEmail: !Ref AdminUserEmail PermissionsBoundaryPolicy: !Ref PermissionsBoundaryPolicy IAMRoleAndPolicyPrefix: !Ref IAMRoleAndPolicyPrefix + CustomDomain: !Ref CognitoCustomDomain + CustomDomainCertificateArn: !Ref CognitoCustomDomainCertificateArn TemplateURL: !Sub - '${Bucket}/parallelcluster-ui-cognito.yaml' - Bucket: !If @@ -1026,6 +1044,26 @@ Resources: Effect: Allow Sid: SsmGetCommandInvocationPolicy + ApiGatewayCustomDomain: + Condition: UseCustomDomain + Type: AWS::ApiGateway::DomainName + Properties: +# CertificateArn: !Ref CustomDomainCertificateArn + DomainName: !Ref CustomDomain + EndpointConfiguration: + Types: + - REGIONAL + RegionalCertificateArn: !Ref CustomDomainCertificateArn + SecurityPolicy: TLS_1_2 + + ApiGatewayCustomDomainMapping: + Condition: UseCustomDomain + Type: AWS::ApiGateway::BasePathMapping + Properties: + BasePath: !FindInMap [ ParallelClusterUI, Constants, CustomDomainBasePath ] + DomainName: !Ref ApiGatewayCustomDomain + RestApiId: !Ref ApiGatewayRestApi + Stage: !Ref ApiGatewayRestStage Outputs: ParallelClusterUILambdaArn: @@ -1043,6 +1081,12 @@ Outputs: - !Sub - https://${Api}.execute-api.${AWS::Region}.${AWS::URLSuffix}/${Stage} - { Api: !Ref ApiGatewayRestApi, Stage: !Ref ApiGatewayRestStage } + CustomDomainEndpoint: + Condition: UseCustomDomain + Description: | + The endpoint associated with the custom domain name. + Add an A record in your DNS for the PCUI custom domain name pointing to this endpoint. + Value: !GetAtt ApiGatewayCustomDomain.RegionalDomainName AppClientId: Description: The id of the Cognito app client Value: !Ref CognitoAppClient @@ -1052,3 +1096,9 @@ Outputs: UserPoolClientSecretName: Description: The app client secret name for ParallelCluster UI. Value: !GetAtt UserPoolClientSecret.SecretName + CognitoCustomDomainEndpoint: + Condition: UseCognitoCustomDomain + Description: | + The endpoint associated with the Cognito custom domain name. + Add an A record in your DNS for the Cognito custom domain name pointing to this endpoint. + Value: !GetAtt Cognito.Outputs.CustomDomainEndpoint