[DEV-1312] Create resources to authorize Cognito users (#576)

pagopa · Jan 23, 2024 · 28fa8dd · 28fa8dd
1 parent 1d963ae
commit 28fa8dd
Showing 1 changed file with 115 additions and 0 deletions.
diff --git a/.infrastructure/55_cognito.tf b/.infrastructure/55_cognito.tf
@@ -330,3 +330,118 @@ resource "aws_cognito_user_pool_domain" "devportal" {
   certificate_arn = aws_acm_certificate.auth.arn
   user_pool_id    = aws_cognito_user_pool.devportal.id
 }
+
+resource "aws_cognito_identity_pool" "devportal" {
+  lifecycle {
+    prevent_destroy = true
+  }
+
+  identity_pool_name               = "devportal-identity"
+  allow_unauthenticated_identities = false
+  allow_classic_flow               = false
+
+  cognito_identity_providers {
+    client_id               = aws_cognito_user_pool_client.devportal_website.id
+    provider_name           = aws_cognito_user_pool.devportal.endpoint
+    server_side_token_check = false
+  }
+
+}
+
+data "aws_iam_policy_document" "authenticated_users_policy" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cognito-identity.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "cognito-identity.amazonaws.com:aud"
+      values   = [aws_cognito_identity_pool.devportal.id]
+    }
+
+    condition {
+      test     = "ForAnyValue:StringLike"
+      variable = "cognito-identity.amazonaws.com:amr"
+      values   = ["authenticated"]
+    }
+  }
+}
+
+resource "aws_iam_role" "devportal_authenticated_user" {
+  name               = "DevPortalAuthenticatedUser"
+  description        = "The role assumed by the authenticated devportal users"
+  assume_role_policy = data.aws_iam_policy_document.authenticated_users_policy.json
+}
+
+resource "aws_iam_role" "devportal_authenticated_host_user" {
+  name               = "DevPortalAuthenticatedHostUser"
+  description        = "The role assumed by the authenticated host devportal users"
+  assume_role_policy = data.aws_iam_policy_document.authenticated_users_policy.json
+}
+
+resource "aws_cognito_identity_pool_roles_attachment" "main" {
+  identity_pool_id = aws_cognito_identity_pool.devportal.id
+
+  role_mapping {
+    identity_provider = format(
+      "cognito-idp.%s.amazonaws.com/%s:%s",
+      var.aws_region, aws_cognito_user_pool.devportal.id, aws_cognito_user_pool_client.devportal_website.id
+    )
+    ambiguous_role_resolution = "AuthenticatedRole"
+    type                      = "Token"
+  }
+
+  roles = {
+    authenticated = aws_iam_role.devportal_authenticated_user.arn
+  }
+}
+
+resource "aws_cognito_user_group" "hosts" {
+  name         = "hosts"
+  user_pool_id = aws_cognito_user_pool.devportal.id
+  role_arn     = aws_iam_role.devportal_authenticated_host_user.arn
+}
+
+resource "aws_iam_role_policy" "devportal_authenticated_user" {
+  name = "DevPortalAuthenticatedUserPolicy"
+  role = aws_iam_role.devportal_authenticated_user.id
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "dynamodb:PutItem",
+        ],
+        Resource = [
+          "${module.dynamodb_webinar_questions.dynamodb_table_arn}",
+        ]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy" "devportal_authenticated_host_user" {
+  name = "DevPortalAuthenticatedHostUserPolicy"
+  role = aws_iam_role.devportal_authenticated_host_user.id
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "dynamodb:PutItem",
+          "dynamodb:Query",
+        ],
+        Resource = [
+          "${module.dynamodb_webinar_questions.dynamodb_table_arn}",
+        ]
+      }
+    ]
+  })
+}