feat: Added OIDC connections for internal apps. (#9)

Author: jamesiarmes

tofu/config/development/infra/main.tf

@@ -59,6 +59,7 @@ module "app" {
   services         = each.value.services
   database_engine  = try(each.value.database.type, null)
   database_version = try(each.value.database.version, null)
+  internal         = try(each.value.internal, true)
   domain = try(
     each.value.domain,
     try(each.value.internal, true) ? module.hosted_zones.route53_zone_name.internal : module.hosted_zones.route53_zone_name.external

tofu/modules/app/database.tf

@@ -1,5 +1,5 @@
 module "database" {
-  source = "../database"
+  source   = "../database"
   for_each = var.database_engine != null ? toset(["this"]) : toset([])
 
   project         = var.project
@@ -26,8 +26,8 @@ resource "aws_vpc_security_group_ingress_rule" "database" {
 
 locals {
   database_environment_variables = {
-    DATABASE_HOST     = try(module.database["this"].host, null)
-    DATABASE_PORT     = try(module.database["this"].port, null)
+    DATABASE_HOST = try(module.database["this"].host, null)
+    DATABASE_PORT = try(module.database["this"].port, null)
   }
   database_environment_secrets = {
     DATABASE_USERNAME = length(module.database) > 0 ? "${module.database["this"].secret_arn}:username" : null

tofu/modules/app/local.tf

@@ -9,6 +9,13 @@ locals {
     data.aws_cloudwatch_log_groups.ecs_insights.log_group_names,
     data.aws_cloudwatch_log_groups.rds.log_group_names
   )
+  oidc_settings = !var.internal ? null : {
+    client_secret_arn      = module.secrets.secrets["oidc"].secret_arn
+    authorization_endpoint = "https://codeforamerica.okta.com/oauth2/v1/authorize"
+    issuer                 = "https://codeforamerica.okta.com"
+    token_endpoint         = "https://codeforamerica.okta.com/oauth2/v1/token"
+    user_info_endpoint     = "https://codeforamerica.okta.com/oauth2/v1/userinfo"
+  }
   production    = var.environment == "production"
   project_short = var.project_short != null ? var.project_short : var.project
   tags = {

tofu/modules/app/main.tf

@@ -3,11 +3,27 @@ module "secrets" {
 
   project     = var.project
   environment = var.environment
+
+  secrets = var.internal ? {
+    "oidc" = {
+      description = "OIDC secrets for ${var.project} - ${var.environment}"
+      tags        = local.tags
+      # We need to set something here so that we can use the secret in the
+      # OIDC settings for the service module.
+      start_value = jsonencode({
+        "client_id"     = "abc",
+        "client_secret" = "123",
+      })
+    }
+  } : {}
 }
 
 module "service" {
-  source   = "github.com/codeforamerica/tofu-modules-aws-fargate-service?ref=1.3.0"
+  source   = "github.com/codeforamerica/tofu-modules-aws-fargate-service?ref=1.4.0"
   for_each = var.services
+  depends_on = [
+    module.secrets
+  ]
 
   project            = var.project
   project_short      = local.project_short
@@ -20,6 +36,8 @@ module "service" {
 
   domain    = var.domain
   subdomain = "${try(each.value.subdomain, "www")}${local.domain_prefix}"
+  force_delete      = !local.production
+  oidc_settings     = local.oidc_settings
 
   vpc_id                   = var.vpc_id
   private_subnets          = var.private_subnets

tofu/modules/app/variables.tf

@@ -20,6 +20,12 @@ variable "environment" {
   type        = string
 }
 
+variable "internal" {
+  description = "Whether this application is internal, meaning it should only be accessible to staff via an OIDC connection."
+  type        = bool
+  default     = true
+}
+
 variable "logging_key_arn" {
   description = "The ARN of the KMS key used for logging."
   type        = string