idtoken_for_roles.yaml

AWSTemplateFormatVersion: 2010-09-09
Description: Lambda function and API which accepts an OIDC ID Token and returns a list of IAM Roles
Metadata:
  Source: https://github.com/mozilla-iam/federated-aws-cli/blob/master/cloudformation/idtoken_for_roles/idtoken_for_roles.yaml
  'AWS::CloudFormation::Interface':
    ParameterGroups:
    - Label:
        default: S3
      Parameters:
      - S3BucketName
      - GroupRoleMapS3FilePath
      - AccountAliasesS3FilePath
    - Label:
        default: Authentication
      Parameters:
      - AllowedIssuer
      - AllowedAudience
      - AllowedMapBuilderSubPrefix
    - Label:
        default: API
      Parameters:
      - CustomDomainName
      - DomainNameZone
      - CertificateArn
    ParameterLabels:
      S3BucketName:
        default: S3 Bucket Name
      GroupRoleMapS3FilePath:
        default: Group Role Map S3 File Path
      AccountAliasesS3FilePath:
        default: AWS Account Alias Map S3 File Path
      AllowedIssuer:
        default: Allowed OIDC Issuer
      AllowedAudience:
        default: Allowed OIDC Audience
      AllowedMapBuilderSubPrefix:
        default: The prefix of the sub OIDC claim that is required for premission to initiate a group role map rebuild
      CustomDomainName:
        default: Custom DNS Domain Name
      DomainNameZone:
        default: DNS Zone containing the Custom DNS Domain Name
      CertificateArn:
        default: AWS ACM Certificate ARN for the Custom DNS Domain Name
Parameters:
  S3BucketName:
    Type: String
    Description: The S3 bucket containing the group role map file in
  GroupRoleMapS3FilePath:
    Type: String
    Description: The path to the group role map file
    Default: access-group-iam-role-map.json
  AccountAliasesS3FilePath:
    Type: String
    Description: The path to the account aliases map file
    Default: account-aliases.json
  AllowedIssuer:
    Type: String
    Description: OIDC Issuer Identifier
  AllowedAudience:
    Type: String
    Description: OIDC Audience. For Mozilla this is the Auth0 Client ID
  AllowedMapBuilderSubPrefix:
    Type: String
    Description: The prefix of the sub OIDC claim that is required for premission to initiate a group role map rebuild
  CustomDomainName:
    Type: String
    Description: The custom domain name to use for the API
    Default: ''
  DomainNameZone:
    Type: String
    Description: The Route53 DNS zone containing the custom domain name
    Default: ''
  CertificateArn:
    Type: String
    Description: The ARN of the AWS ACM Certificate for your custom domain name
    Default: ''
Conditions:
  UseCustomDomainName: !Not [ !Equals [ !Ref 'CustomDomainName', '' ] ]
Rules:
  DomainNameAndCertificateArnProvided:
    RuleCondition: !Or [ !Not [ !Equals [ !Ref 'CustomDomainName', '' ] ], !Not [ !Equals [ !Ref 'DomainNameZone', '' ] ], !Not [ !Equals [ !Ref 'CertificateArn', '' ] ] ]
    Assertions:
      - Assert: !And [ !Not [ !Equals [ !Ref 'CustomDomainName', '' ] ], !Not [ !Equals [ !Ref 'DomainNameZone', '' ] ], !Not [ !Equals [ !Ref 'CertificateArn', '' ] ] ]
        AssertDescription: If you set a CustomDomainName, DomainNameZone or CertificateArn you must provide all values
Resources:
  IdtokenForRolesFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - lambda.amazonaws.com
          Action:
          - sts:AssumeRole
      Policies:
        - PolicyName: AllowLambdaLogging
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: '*'
        - PolicyName: AllowReadS3GroupRoleMap
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource:
                  - !Join ['', ['arn:aws:s3:::', !Ref 'S3BucketName', '/', !Ref 'GroupRoleMapS3FilePath']]
                  - !Join ['', ['arn:aws:s3:::', !Ref 'S3BucketName', '/', !Ref 'AccountAliasesS3FilePath']]
              - Effect: Allow
                Action:
                  - s3:ListBucket
                Resource: !Join ['', ['arn:aws:s3:::', !Ref 'S3BucketName']]
        - PolicyName: AllowInvokeGroupRoleMapBuilder
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                - lambda:Invoke*
                Resource:
                  - !ImportValue GroupRoleMapBuilderFunctionArn
  IdtokenForRolesFunction:
    Type: AWS::Lambda::Function
    Properties:
      Description: Given an ID Token return the IAM Roles stored in the group role map file which are related to the groups in the ID Token
      Code: build/
      Environment:
        Variables:
          S3_BUCKET_NAME: !Ref S3BucketName
          S3_FILE_PATH_GROUP_ROLE_MAP: !Ref GroupRoleMapS3FilePath
          S3_FILE_PATH_ALIAS_MAP: !Ref AccountAliasesS3FilePath
          ALLOWED_ISSUER: !Ref AllowedIssuer
          ALLOWED_AUDIENCE: !Ref AllowedAudience
          LOG_LEVEL: INFO
          ALLOWED_MAP_BUILDER_SUB_PREFIX: !Ref AllowedMapBuilderSubPrefix
          GROUP_ROLE_MAP_BUILDER_FUNCTION_NAME: !ImportValue GroupRoleMapBuilderFunctionName
      Handler: idtoken_for_roles.lambda_handler
      Runtime: python3.8
      Role: !GetAtt IdtokenForRolesFunctionRole.Arn
      Tags:
        - Key: application
          Value: idtoken-for-roles
        - Key: stack
          Value: !Ref AWS::StackName
        - Key: source
          Value: https://github.com/mozilla-iam/federated-aws-cli/tree/master/cloudformation
      Timeout: 900
  IdtokenForRolesFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      # Let's hope that the Lambda function doesn't execute before this LogGroup
      # resource is created, creating the LogGroup with no expiration and
      # preventing this resource from creating
      LogGroupName: !Join [ '/', ['/aws/lambda', !Ref 'IdtokenForRolesFunction' ] ]
      RetentionInDays: 14
  IdtokenForRolesDomainName:
    Type: AWS::ApiGateway::DomainName
    Condition: UseCustomDomainName
    Properties:
      RegionalCertificateArn: !Ref CertificateArn
      DomainName: !Ref CustomDomainName
      EndpointConfiguration:
        Types:
          - REGIONAL
  IdtokenForRolesRoute53RecordSet:
    Type: AWS::Route53::RecordSet
    Condition: UseCustomDomainName
    Properties:
      AliasTarget:
        DNSName: !GetAtt IdtokenForRolesDomainName.RegionalDomainName
        HostedZoneId: !GetAtt IdtokenForRolesDomainName.RegionalHostedZoneId
      Comment: Bind the custom domain name to the IdtokenForRoles API Gateway
      HostedZoneName: !Ref DomainNameZone
      Name: !Ref CustomDomainName
      Type: A
  IdtokenForRolesApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: IdTokenForRoles
      Description: Exchange an ID Token for a list of IAM Roles
      FailOnWarnings: true
      EndpointConfiguration:
        Types:
          - REGIONAL
  IdtokenForRolesBasePathMapping:
    Type: AWS::ApiGateway::BasePathMapping
    Condition: UseCustomDomainName
    Properties:
      DomainName: !Ref IdtokenForRolesDomainName
      RestApiId: !Ref IdtokenForRolesApi
      Stage: !Ref IdtokenForRolesApiStage
  IdtokenForRolesLambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:invokeFunction
      FunctionName: !GetAtt IdtokenForRolesFunction.Arn
      Principal: apigateway.amazonaws.com
      SourceArn: !Join [ '', [ 'arn:aws:execute-api:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':', !Ref 'IdtokenForRolesApi', '/*/*' ] ]
  IdtokenForRolesApiStage:
    Type: AWS::ApiGateway::Stage
    Properties:
      DeploymentId: !Ref IdtokenForRolesApiDeployment
      MethodSettings:
        - DataTraceEnabled: true
          HttpMethod: '*'
          # LoggingLevel: INFO
          ResourcePath: /*
      RestApiId: !Ref IdtokenForRolesApi
      Tags:
        - Key: application
          Value: idtoken-for-roles
        - Key: stack
          Value: !Ref AWS::StackName
        - Key: source
          Value: https://github.com/mozilla-iam/federated-aws-cli/tree/master/cloudformation
      # Description: x
      # StageName: LATEST
  IdtokenForRolesApiDeployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn:
      - IdtokenForRoleRolesGetRequest
      - IdtokenForRoleRolesPostRequest
    Properties:
      RestApiId: !Ref IdtokenForRolesApi
      StageName: DummyStage
      # Note This property is required by API Gateway. We recommend that you
      # specify a name using any value (see Examples) and that you don’t use
      # this stage. We recommend not using this stage because it is tied to
      # this deployment, which means you can’t delete one without deleting the
      # other. For example, if you delete this deployment, API Gateway also
      # deletes this stage, which you might want to keep. Instead, use the
      # AWS::ApiGateway::Stage resource to create and associate a stage with
      # this deployment.
  IdtokenForRolesResource:
    Type: AWS::ApiGateway::Resource
    Properties:
      RestApiId: !Ref IdtokenForRolesApi
      ParentId: !GetAtt IdtokenForRolesApi.RootResourceId
      PathPart: '{proxy+}'
  IdtokenForRoleRolesGetRequest:
    DependsOn: IdtokenForRolesLambdaPermission
    Type: AWS::ApiGateway::Method
    Properties:
      AuthorizationType: NONE
      HttpMethod: GET
      Integration:
        Type: AWS_PROXY
        # https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-lambda-proxy-integrations.html#set-up-lambda-proxy-integration-using-cli
        # "For Lambda integrations, you must use the HTTP method of POST for the
        # integration request, according to the specification of the Lambda service
        # action for function invocations."
        IntegrationHttpMethod: POST
        Uri: !Join [ '', [ 'arn:aws:apigateway:', !Ref 'AWS::Region', ':lambda:path/2015-03-31/functions/', !GetAtt 'IdtokenForRolesFunction.Arn', '/invocations' ] ]
      ResourceId: !Ref IdtokenForRolesResource
      RestApiId: !Ref IdtokenForRolesApi
  IdtokenForRoleRolesPostRequest:
    DependsOn: IdtokenForRolesLambdaPermission
    Type: AWS::ApiGateway::Method
    Properties:
      AuthorizationType: NONE
      HttpMethod: POST
      Integration:
        Type: AWS_PROXY
        # https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-lambda-proxy-integrations.html#set-up-lambda-proxy-integration-using-cli
        # "For Lambda integrations, you must use the HTTP method of POST for the
        # integration request, according to the specification of the Lambda service
        # action for function invocations."
        IntegrationHttpMethod: POST
        Uri: !Join [ '', [ 'arn:aws:apigateway:', !Ref 'AWS::Region', ':lambda:path/2015-03-31/functions/', !GetAtt 'IdtokenForRolesFunction.Arn', '/invocations' ] ]
      ResourceId: !Ref IdtokenForRolesResource
      RestApiId: !Ref IdtokenForRolesApi
Outputs:
  EndpointUrl:
    Description: The URL of the ID token for roles API Endpoint
    Value:
      Fn::If:
        - UseCustomDomainName
        - !Join [ '', [ 'https://', !Ref 'CustomDomainName', '/'] ]
        - !Join [ '', [ 'https://', !Ref 'IdtokenForRolesApi', '.execute-api.', !Ref 'AWS::Region', '.amazonaws.com/', !Ref 'IdtokenForRolesApiStage', '/' ] ]