Merge pull request theonestack#67 from theonestack/feature/cognito_su…

…pport

Feature/cognito support

.github/workflows/rspec.yaml

@@ -3,23 +3,6 @@ name: cftest
 on: [push, pull_request]
 
 jobs:
-  test:
-    name: test
-    runs-on: ubuntu-latest
-
-    steps:
-    - uses: actions/checkout@v2
-    - name: set up ruby 2.7
-      uses: actions/setup-ruby@v1
-      with:
-        ruby-version: 2.7.x
-    - name: install gems
-      run: gem install cfhighlander rspec 
-    - name: set cfndsl spec
-      run: cfndsl -u
-    - name: cftest
-      run: rspec
-      env:
-        AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }}
-        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        AWS_REGION: ap-southeast-2
+  rspec:
+    uses: theonestack/shared-workflows/.github/workflows/rspec.yaml@main
+    secrets: inherit

ecs-service.cfhighlander.rb

@@ -9,13 +9,17 @@
   end
 
   DependsOn 'lib-iam'
+  DependsOn 'lib-alb'
 
   Description "ecs-service - #{component_name} - #{component_version}"
 
   Parameters do
     ComponentParam 'EnvironmentName', 'dev', isGlobal: true
     ComponentParam 'EnvironmentType', 'development', allowedValues: ['development','production'], isGlobal: true
     ComponentParam 'EcsCluster'
+    ComponentParam 'UserPoolId', ''
+    ComponentParam 'UserPoolClientId', ''
+    ComponentParam 'UserPoolDomainName', ''
 
     if (defined? targetgroup) || ((defined? network_mode) && (network_mode == "awsvpc"))
       ComponentParam 'VPCId', type: 'AWS::EC2::VPC::Id'

ecs-service.cfndsl.rb

@@ -17,6 +17,7 @@
 
   Condition('IsScalingEnabled', FnEquals(Ref('EnableScaling'), 'true'))
   Condition('NoDesiredCount', FnEquals(Ref('DesiredCount'), '-1'))
+  Condition(:EnableCognito, FnNot(FnEquals(Ref(:UserPoolClientId), '')))
 
   log_retention = external_parameters.fetch(:log_retention, 7)
   loggroup_name = external_parameters.fetch(:loggroup_name, Ref('AWS::StackName'))
@@ -401,9 +402,12 @@
             rule_name = "TargetRule#{index}"
           end
           rule_names << rule_name
+
+          actions = [{ Type: "forward", Order: 5000, TargetGroupArn: Ref(targetgroup['resource_name'])}]
+          actions_with_cognito = actions + [cognito(Ref(:UserPoolId), Ref(:UserPoolClientId), Ref(:UserPoolDomainName))]
 
           ElasticLoadBalancingV2_ListenerRule(rule_name) do
-            Actions [{ Type: "forward", TargetGroupArn: Ref(targetgroup['resource_name']) }]
+            Actions FnIf(:EnableCognito, actions_with_cognito, actions)
             Conditions listener_conditions
             ListenerArn Ref(targetgroup['listener_resource'])
             Priority rule['priority']

spec/ephemeral_storage_spec.rb

@@ -12,7 +12,23 @@
 
   context "Resource" do
 
+
+    context "LogGroup" do
+      let(:resource) { template["Resources"]["LogGroup"] }
 
+      it "is of type AWS::Logs::LogGroup" do
+          expect(resource["Type"]).to eq("AWS::Logs::LogGroup")
+      end
+
+      it "to have property LogGroupName" do
+          expect(resource["Properties"]["LogGroupName"]).to eq({"Ref"=>"AWS::StackName"})
+      end
+
+      it "to have property RetentionInDays" do
+          expect(resource["Properties"]["RetentionInDays"]).to eq("7")
+      end
+
+    end
 
     context "Task" do
       let(:resource) { template["Resources"]["Task"] }
@@ -24,17 +40,66 @@
       it "to have property ContainerDefinitions" do
           expect(resource["Properties"]["ContainerDefinitions"]).to eq([{"Name"=>"nginx", "Image"=>{"Fn::Join"=>["", ["nginx/", "nginx", ":", "latest"]]}, "LogConfiguration"=>{"LogDriver"=>"awslogs", "Options"=>{"awslogs-group"=>{"Ref"=>"LogGroup"}, "awslogs-region"=>{"Ref"=>"AWS::Region"}, "awslogs-stream-prefix"=>"nginx"}}}])
       end
-
-      it "to have property ContainerDefinitions" do
-        expect(resource["Properties"]["ContainerDefinitions"]).to eq([{"Name"=>"nginx", "Image"=>{"Fn::Join"=>["", ["nginx/", "nginx", ":", "latest"]]}, "LogConfiguration"=>{"LogDriver"=>"awslogs", "Options"=>{"awslogs-group"=>{"Ref"=>"LogGroup"}, "awslogs-region"=>{"Ref"=>"AWS::Region"}, "awslogs-stream-prefix"=>"nginx"}}}])
-    end
 
       it "to have property EphemeralStorage" do
           expect(resource["Properties"]["EphemeralStorage"]).to eq({"SizeInGiB"=>50})
       end
 
+      it "to have property Tags" do
+          expect(resource["Properties"]["Tags"]).to eq([{"Key"=>"Name", "Value"=>"ecs-service"}, {"Key"=>"Environment", "Value"=>{"Ref"=>"EnvironmentName"}}, {"Key"=>"EnvironmentType", "Value"=>{"Ref"=>"EnvironmentType"}}])
+      end
+
+    end
+
+    context "Role" do
+      let(:resource) { template["Resources"]["Role"] }
+
+      it "is of type AWS::IAM::Role" do
+          expect(resource["Type"]).to eq("AWS::IAM::Role")
+      end
+
+      it "to have property AssumeRolePolicyDocument" do
+          expect(resource["Properties"]["AssumeRolePolicyDocument"]).to eq({"Version"=>"2012-10-17", "Statement"=>[{"Effect"=>"Allow", "Principal"=>{"Service"=>"ecs.amazonaws.com"}, "Action"=>"sts:AssumeRole"}]})
+      end
+
+      it "to have property Path" do
+          expect(resource["Properties"]["Path"]).to eq("/")
+      end
+
+      it "to have property ManagedPolicyArns" do
+          expect(resource["Properties"]["ManagedPolicyArns"]).to eq(["arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole"])
+      end
+
     end
 
+    context "Service" do
+      let(:resource) { template["Resources"]["Service"] }
+
+      it "is of type AWS::ECS::Service" do
+          expect(resource["Type"]).to eq("AWS::ECS::Service")
+      end
+
+      it "to have property Cluster" do
+          expect(resource["Properties"]["Cluster"]).to eq({"Ref"=>"EcsCluster"})
+      end
+
+      it "to have property DesiredCount" do
+          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If"=>["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
+      end
+
+      it "to have property DeploymentConfiguration" do
+          expect(resource["Properties"]["DeploymentConfiguration"]).to eq({"MinimumHealthyPercent"=>{"Ref"=>"MinimumHealthyPercent"}, "MaximumPercent"=>{"Ref"=>"MaximumPercent"}})
+      end
+
+      it "to have property TaskDefinition" do
+          expect(resource["Properties"]["TaskDefinition"]).to eq({"Ref"=>"Task"})
+      end
+
+      it "to have property Tags" do
+          expect(resource["Properties"]["Tags"]).to eq([{"Key"=>"Name", "Value"=>"ecs-service"}, {"Key"=>"Environment", "Value"=>{"Ref"=>"EnvironmentName"}}, {"Key"=>"EnvironmentType", "Value"=>{"Ref"=>"EnvironmentType"}}])
+      end
+
+    end
 
   end
 

spec/extra_hosts_spec.rb

@@ -80,7 +80,7 @@
       end
 
       it "to have property DesiredCount" do
-          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If" => ["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
+          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If"=>["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
       end
 
       it "to have property DeploymentConfiguration" do

spec/fargate_spec.rb

@@ -83,7 +83,7 @@
       end
 
       it "to have property DesiredCount" do
-          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If" => ["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
+          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If"=>["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
       end
 
       it "to have property DeploymentConfiguration" do

spec/linux_parameters_spec.rb

@@ -80,7 +80,7 @@
       end
 
       it "to have property DesiredCount" do
-          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If" => ["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
+          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If"=>["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
       end
 
       it "to have property DeploymentConfiguration" do

spec/multiple_links_spec.rb

@@ -80,7 +80,7 @@
       end
 
       it "to have property DesiredCount" do
-          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If" => ["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
+          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If"=>["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
       end
 
       it "to have property DeploymentConfiguration" do

spec/multiple_scaling_policies_spec.rb

@@ -80,7 +80,7 @@
       end
 
       it "to have property DesiredCount" do
-          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If" => ["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
+          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If"=>["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
       end
 
       it "to have property DeploymentConfiguration" do

spec/multiple_target_groups_parameter_spec.rb

@@ -80,7 +80,7 @@
       end
 
       it "to have property DesiredCount" do
-          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If" => ["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
+          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If"=>["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
       end
 
       it "to have property DeploymentConfiguration" do

spec/multiple_target_groups_spec.rb

@@ -88,7 +88,7 @@
       end
 
       it "to have property Actions" do
-          expect(resource["Properties"]["Actions"]).to eq([{"Type"=>"forward", "TargetGroupArn"=>{"Ref"=>"nginxhttpTargetGroup"}}])
+          expect(resource["Properties"]["Actions"]).to eq({"Fn::If"=>["EnableCognito", [{"Type"=>"forward", "Order"=>5000, "TargetGroupArn"=>{"Ref"=>"nginxhttpTargetGroup"}}, {"Type"=>"authenticate-cognito", "Order"=>1, "AuthenticateCognitoConfig"=>{"UserPoolArn"=>{"Ref"=>"UserPoolId"}, "UserPoolClientId"=>{"Ref"=>"UserPoolClientId"}, "UserPoolDomain"=>{"Ref"=>"UserPoolDomainName"}}}], [{"Type"=>"forward", "Order"=>5000, "TargetGroupArn"=>{"Ref"=>"nginxhttpTargetGroup"}}]]})
       end
 
       it "to have property Conditions" do
@@ -146,7 +146,7 @@
       end
 
       it "to have property Actions" do
-          expect(resource["Properties"]["Actions"]).to eq([{"Type"=>"forward", "TargetGroupArn"=>{"Ref"=>"nginxhttpsTargetGroup"}}])
+          expect(resource["Properties"]["Actions"]).to eq({"Fn::If"=>["EnableCognito", [{"Type"=>"forward", "Order"=>5000, "TargetGroupArn"=>{"Ref"=>"nginxhttpsTargetGroup"}}, {"Type"=>"authenticate-cognito", "Order"=>1, "AuthenticateCognitoConfig"=>{"UserPoolArn"=>{"Ref"=>"UserPoolId"}, "UserPoolClientId"=>{"Ref"=>"UserPoolClientId"}, "UserPoolDomain"=>{"Ref"=>"UserPoolDomainName"}}}], [{"Type"=>"forward", "Order"=>5000, "TargetGroupArn"=>{"Ref"=>"nginxhttpsTargetGroup"}}]]})
       end
 
       it "to have property Conditions" do
@@ -196,7 +196,7 @@
       end
 
       it "to have property DesiredCount" do
-          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If" => ["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
+          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If"=>["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
       end
 
       it "to have property DeploymentConfiguration" do

spec/nginx_service_spec.rb

@@ -84,7 +84,7 @@
       end
 
       it "to have property DesiredCount" do
-          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If" => ["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
+          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If"=>["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
       end
 
       it "to have property DeploymentConfiguration" do

spec/scheduling_strategy_replica_spec.rb

@@ -80,7 +80,7 @@
       end
 
       it "to have property DesiredCount" do
-          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If" => ["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
+          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If"=>["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
       end
 
       it "to have property DeploymentConfiguration" do

spec/secrets_spec.rb

@@ -71,7 +71,7 @@
       end
 
       it "to have property Policies" do
-          expect(resource["Properties"]["Policies"]).to eq([{"PolicyName"=>"ssm-secrets", "PolicyDocument"=>{"Statement"=>[{"Sid"=>"ssmsecrets", "Action"=>"ssm:GetParameters", "Resource"=>[{"Fn::Sub"=>"arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/nginx/${EnvironmentName}/api/key"}, {"Fn::Sub"=>"arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/nginx/${EnvironmentName}/api/secret"}], "Effect"=>"Allow"}]}}, {"PolicyName"=>"secretsmanager", "PolicyDocument"=>{"Statement"=>[{"Sid"=>"secretsmanager", "Action"=>"secretsmanager:GetSecretValue", "Resource"=>[{"Fn::Sub"=>"arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/dont/use/accesskeys-*"}, {"Ref"=>"EnvironmentName"}], "Effect"=>"Allow"}]}}])
+          expect(resource["Properties"]["Policies"]).to eq([{"PolicyName"=>"ssm-secrets", "PolicyDocument"=>{"Statement"=>[{"Sid"=>"ssmsecrets", "Action"=>"ssm:GetParameters", "Resource"=>[{"Fn::Sub"=>"arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/nginx/${EnvironmentName}/api/key*"}, {"Fn::Sub"=>"arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/nginx/${EnvironmentName}/api/secret*"}], "Effect"=>"Allow"}]}}, {"PolicyName"=>"secretsmanager", "PolicyDocument"=>{"Statement"=>[{"Sid"=>"secretsmanager", "Action"=>"secretsmanager:GetSecretValue", "Resource"=>[{"Fn::Sub"=>"arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/dont/use/accesskeys*"}, {"Fn::Sub"=>"arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:{\"Ref\"=>\"EnvironmentName\"}*"}], "Effect"=>"Allow"}]}}])
       end
 
     end
@@ -84,7 +84,7 @@
       end
 
       it "to have property ContainerDefinitions" do
-          expect(resource["Properties"]["ContainerDefinitions"]).to eq([{"Name"=>"nginx", "Image"=>{"Fn::Join"=>["", ["nginx/", "nginx", ":", "latest"]]}, "LogConfiguration"=>{"LogDriver"=>"awslogs", "Options"=>{"awslogs-group"=>{"Ref"=>"LogGroup"}, "awslogs-region"=>{"Ref"=>"AWS::Region"}, "awslogs-stream-prefix"=>"nginx"}}, "Secrets"=>[{"Name"=>"API_KEY", "ValueFrom"=>{"Fn::Sub"=>"arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/nginx/${EnvironmentName}/api/key"}}, {"Name"=>"API_SECRET", "ValueFrom"=>{"Fn::Sub"=>"arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/nginx/${EnvironmentName}/api/secret"}}, {"Name"=>"ACCESSKEY", "ValueFrom"=>{"Fn::Sub"=>"arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/dont/use/accesskeys"}}, {"Name"=>"SECRETKEY", "ValueFrom"=>{"Ref"=>"EnvironmentName"}}]}])
+          expect(resource["Properties"]["ContainerDefinitions"]).to eq([{"Name"=>"nginx", "Image"=>{"Fn::Join"=>["", ["nginx/", "nginx", ":", "latest"]]}, "LogConfiguration"=>{"LogDriver"=>"awslogs", "Options"=>{"awslogs-group"=>{"Ref"=>"LogGroup"}, "awslogs-region"=>{"Ref"=>"AWS::Region"}, "awslogs-stream-prefix"=>"nginx"}}, "Secrets"=>[{"Name"=>"API_KEY", "ValueFrom"=>{"Fn::Sub"=>"arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/nginx/${EnvironmentName}/api/key"}}, {"Name"=>"API_SECRET", "ValueFrom"=>{"Fn::Sub"=>"arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/nginx/${EnvironmentName}/api/secret"}}, {"Name"=>"ACCESSKEY", "ValueFrom"=>"/dont/use/accesskeys"}, {"Name"=>"SECRETKEY", "ValueFrom"=>{"Fn::Sub"=>"arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:{\"Ref\"=>\"EnvironmentName\"}"}}]}])
       end
 
       it "to have property TaskRoleArn" do
@@ -134,7 +134,7 @@
       end
 
       it "to have property DesiredCount" do
-          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If" => ["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
+          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If"=>["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
       end
 
       it "to have property DeploymentConfiguration" do

spec/security_group_spec.rb

@@ -104,7 +104,7 @@
       end
 
       it "to have property DesiredCount" do
-          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If" => ["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
+          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If"=>["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
       end
 
       it "to have property DeploymentConfiguration" do

spec/task_placement_constraint_spec.rb

@@ -84,7 +84,7 @@
       end
 
       it "to have property DesiredCount" do
-          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If" => ["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
+          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If"=>["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
       end
 
       it "to have property DeploymentConfiguration" do

spec/user_spec.rb

@@ -80,7 +80,7 @@
       end
 
       it "to have property DesiredCount" do
-          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If" => ["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
+          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If"=>["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
       end
 
       it "to have property DeploymentConfiguration" do

spec/volumes_spec.rb

@@ -109,7 +109,7 @@
       end
 
       it "to have property DesiredCount" do
-          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If" => ["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
+          expect(resource["Properties"]["DesiredCount"]).to eq({"Fn::If"=>["NoDesiredCount", {"Ref"=>"AWS::NoValue"}, {"Ref"=>"DesiredCount"}]})
       end
 
       it "to have property DeploymentConfiguration" do