Merge pull request #41 from NHSDigital/aiva2/ccm-6010-amplifyBasicAuth

CCM-6010 adding basic auth to amplify auth app
NHSDigital · Aug 29, 2024 · 3df160f · 3df160f
2 parents f0e73c7 + 927380b
commit 3df160f
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 1 deletion.
diff --git a/infrastructure/terraform/components/iam/amplify_app.tf b/infrastructure/terraform/components/iam/amplify_app.tf
@@ -9,6 +9,18 @@ resource "aws_amplify_app" "main" {
   enable_branch_auto_build    = var.enable_amplify_branch_auto_build
   platform                    = "WEB_COMPUTE"
 
+  enable_basic_auth      = var.enable_amplify_basic_auth ? true : false
+  basic_auth_credentials = var.enable_amplify_basic_auth ? base64encode("${local.csi}:${aws_ssm_parameter.amplify_password[0].value}") : null
+
+  dynamic "auto_branch_creation_config" {
+    for_each = var.enable_amplify_basic_auth ? [1] : []
+
+    content {
+      basic_auth_credentials = base64encode("${local.csi}:${aws_ssm_parameter.amplify_password[0].value}")
+      enable_basic_auth      = true
+    }
+  }
+
   auto_branch_creation_patterns = [
     "*",
     "*/**"

diff --git a/infrastructure/terraform/components/iam/amplify_domain_association.tf b/infrastructure/terraform/components/iam/amplify_domain_association.tf
@@ -25,7 +25,7 @@ resource "null_resource" "amplify_domain_association" {
 
   provisioner "local-exec" {
     when    = create
-    command = "aws amplify create-domain-association --app-id ${self.triggers.amplify_app_id} --domain-name ${self.triggers.amplify_domain_name} --sub-domain-settings prefix=\"\",branchName=\"${self.triggers.amplify_branch_name}\" prefix=\"${self.triggers.amplify_branch_name}\",branchName=\"${self.triggers.amplify_branch_name}\" --enable-auto-sub-domain --auto-sub-domain-creation-patterns \"*,pr*\""
+    command = "aws amplify create-domain-association --app-id ${self.triggers.amplify_app_id} --domain-name ${self.triggers.amplify_domain_name} --sub-domain-settings prefix=\"\",branchName=\"${self.triggers.amplify_branch_name}\" prefix=\"${self.triggers.amplify_branch_name}\",branchName=\"${self.triggers.amplify_branch_name}\" --enable-auto-sub-domain --auto-sub-domain-creation-patterns \"*,*/*,pr*\""
   }
 
   provisioner "local-exec" {

diff --git a/infrastructure/terraform/components/iam/route53_record_root.tf b/infrastructure/terraform/components/iam/route53_record_root.tf
@@ -5,4 +5,13 @@ resource "aws_route53_record" "root" {
   type    = "A"
   ttl     = 300
   records = ["127.0.0.1"]
+  lifecycle {
+    # Amplify is going to overwrite this record, but due to some provider wierdness this must exist initialy or cognito fails to deploy, even with depends_on configured.
+    ignore_changes = [
+      alias,
+      records,
+      type,
+      ttl,
+    ]
+  }
 }
diff --git a/infrastructure/terraform/components/iam/ssm_parameter_amplify_password.tf b/infrastructure/terraform/components/iam/ssm_parameter_amplify_password.tf
@@ -0,0 +1,14 @@
+resource "aws_ssm_parameter" "amplify_password" {
+  count = var.enable_amplify_basic_auth ? 1 : 0
+
+  name  = "/${local.csi}/amplify_password"
+  type  = "String"
+  value = random_password.password[0].result
+}
+
+resource "random_password" "password" {
+  count = var.enable_amplify_basic_auth ? 1 : 0
+
+  length  = 16
+  special = true
+}
diff --git a/infrastructure/terraform/components/iam/variables.tf b/infrastructure/terraform/components/iam/variables.tf
@@ -86,3 +86,9 @@ variable "enable_cognito_built_in_idp" {
   description = "Enable the use of Cognito as an IDP; CIS2 is prefered"
   default     = false
 }
+
+variable "enable_amplify_basic_auth" {
+  type        = bool
+  description = "Enable a basic set of credentials in the form of a dynamicly generated username and password for the amplify app branches. Not intended for production use"
+  default     = false
+}