add cognito auth to our API

.github/workflows/deploy-sandbox.yaml

@@ -58,6 +58,7 @@ jobs:
     needs: [deploy]
     uses: ./.github/workflows/shared-post-deploy-validations.yaml
     with:
+      ENVIRONMENT: sandbox
       BASE_URL: ${{ needs.deploy.outputs.API_BASE_URL }}
     secrets: inherit
 

.github/workflows/shared-deploy-api.yaml

@@ -34,7 +34,7 @@ jobs:
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-region: us-east-1
-          role-to-assume: ${{ vars.PIPELINE_EXECUTION_ROLE }}
+          role-to-assume: ${{ secrets.PIPELINE_EXECUTION_ROLE }}
           role-session-name: sam-deploy
           role-duration-seconds: 3600
           role-skip-session-tagging: true
@@ -43,21 +43,22 @@ jobs:
         run: |
           npm install -g esbuild
           npm ci
-          
+
           sam --info
 
           sam build
 
           sam deploy \
           --stack-name ${{inputs.STACK_NAME }} \
-          --s3-bucket ${{ vars.ARTIFACTS_BUCKET_NAME }} \
+          --s3-bucket ${{ secrets.ARTIFACTS_BUCKET_NAME }} \
           --no-fail-on-empty-changeset \
-          --role-arn ${{ vars.CLOUDFORMATION_EXECUTION_ROLE }}
+          --role-arn ${{ secrets.CLOUDFORMATION_EXECUTION_ROLE }}
 
       - id: getStackOutputs
         name: Get Stack Outputs
         run: |
-          url=$(aws cloudformation describe-stacks --stack-name ${{inputs.STACK_NAME }} --query "Stacks[0].Outputs[?OutputKey=='ApiURL'].OutputValue" --output text)
+          stackOutputJson=$(aws cloudformation describe-stacks --output json --stack-name ${{inputs.STACK_NAME }} --query "Stacks[0].Outputs")
+          url=$(echo $stackOutputJson | jq -r '.[] | select(.OutputKey=="ApiURL") | .OutputValue')
 
           echo "# API" >> $GITHUB_STEP_SUMMARY
           echo "* API - $url" >> $GITHUB_STEP_SUMMARY

.github/workflows/shared-post-deploy-validations.yaml

@@ -3,6 +3,9 @@ name: Post-deployment Validations
 on:
   workflow_call:
     inputs:
+      ENVIRONMENT:
+        required: true
+        type: string
       BASE_URL:
         type: string
         required: true
@@ -11,9 +14,14 @@ jobs:
   test-api:
     name: Run Portman
     runs-on: ubuntu-latest
+    environment: ${{ inputs.ENVIRONMENT }}
     steps:
       - uses: actions/checkout@v4
       - name: Test API
         run: |
           npm ci
+
+          TOKEN_RESPONSE=$(curl --location '${{ secrets.COGNITOPOOL_URL }}/oauth2/token' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'grant_type=client_credentials' --data-urlencode 'client_id=${{ secrets.TEST_CLIENT_ID }}' --data-urlencode 'client_secret=${{ secrets.TEST_CLIENT_SECRET }}' --data-urlencode 'scope=${{ secrets.SCOPES }}' | jq -r '.access_token')
+          echo "PORTMAN_ACCESS_TOKEN=$TOKEN_RESPONSE" > ./portman/.env-portman
+
           npx @apideck/portman --cliOptionsFile portman/portman-cli.json --baseUrl ${{ inputs.BASE_URL }}

README.md

@@ -1,4 +1,5 @@
 Repository used as an example for the [Drop the layers, bundle up with ESBuild instead](https://andmore.dev/layerless-esbuild-lambda) article.
+**Update** - This includes authentication now. This is all explained in [Secure API Gateway with Amazon Cognito using SAM](https://andmore.dev/api-cognito).
 
 # Deploy using the SAM CLI
 ## Clone/fork the repository
@@ -29,9 +30,11 @@ Clone or fork this repository and push it to your own GitHub account.
 
 ## Setup GitHub environment
 1. Create an GitHub environment named *sandbox*
-2. Add your Pipeline Execution Role (PIPELINE_EXECUTION_ROLE), CloudFormation Execution Role (CLOUDFORMATION_EXECUTION_ROLE) and a target S3 bucket name for the artifacts (ARTIFACTS_BUCKET_NAME). Here is an explanation by [Chris Ebert](https://twitter.com/realchrisebert) on how to set this up.
-
-![GitHub Environment Configuration](docs/images/github-configuration.png)
+1. Add your Pipeline Execution Role (PIPELINE_EXECUTION_ROLE), CloudFormation Execution Role (CLOUDFORMATION_EXECUTION_ROLE) and a target S3 bucket name for the artifacts (ARTIFACTS_BUCKET_NAME) as secrets. Here is an explanation by [Chris Ebert](https://twitter.com/realchrisebert) on how to set this up.
+1. Setup authentication secrets, you can learn how to set these up by looking at the post mentioned above around securing your APIs with cognito. 
+    a. Add COGNITOPOOL_URL you can get this from the Cognito service in the console and append `/oauth/token` to the url.
+    b. TEST_CLIENT_ID and TEST_CLIENT_SECRET. These values can be found in your user pool client.
+    c. SCOPES should be whatever you set for your resource server to accept.
 
 ## Run Deployment
 In the Actions in GitHub you can select the *Deploy to Sandbox* Workflow. There will be a button to *Run workflow* where you can now select the branch you wish to deploy.

portman/portman-config.json

@@ -109,7 +109,7 @@
     "rawReplacements": [],
     "securityOverwrites": {
       "bearer": {
-        "token": ""
+        "token": "{{accessToken}}"
       }
     }
   }

template.yaml

@@ -16,11 +16,51 @@ Globals:
         POWERTOOLS_SERVICE_NAME: layerless-esbuild-lambda-api
         POWERTOOLS_METRICS_NAMESPACE: layerless-esbuild-lambda
 
+Parameters:
+  CognitoUserPoolId:
+    Type: 'AWS::SSM::Parameter::Value<String>'
+    Default: '/andmoredev-auth/CognitoUserPoolId'
+
+  CognitoUserPoolArn:
+    Type: 'AWS::SSM::Parameter::Value<String>'
+    Default: '/andmoredev-auth/CognitoUserPoolArn'
+
 Resources:
+  LayerlessESBuildResourceServer:
+    Type: AWS::Cognito::UserPoolResourceServer
+    Properties:
+      UserPoolId: !Ref CognitoUserPoolId
+      Identifier: layerless-esbuild
+      Name: Echo Scopes
+      Scopes:
+        - ScopeName: echo
+          ScopeDescription: Trigger an echo
+
+  CognitoTestAutomationClient:
+    Type: AWS::Cognito::UserPoolClient
+    DependsOn:
+      - LayerlessESBuildResourceServer
+    Properties:
+      UserPoolId: !Ref CognitoUserPoolId
+      GenerateSecret: true
+      AllowedOAuthFlows:
+        - client_credentials
+      AllowedOAuthScopes:
+        - layerless-esbuild/echo
+      AllowedOAuthFlowsUserPoolClient: true
+
   API:
     Type: AWS::Serverless::Api
     Properties:
       StageName: api
+      Auth:
+        DefaultAuthorizer: ClientCognitoAuthorizer
+        Authorizers:
+          ClientCognitoAuthorizer:
+            UserPoolArn: !Ref CognitoUserPoolArn
+            AuthorizationScopes:
+              - layerless-esbuild/echo
+
       DefinitionBody:
         Fn::Transform:
           Name: AWS::Include