support integrating Cognito into the Load Balancer #3465

Open
jamin-aws-ospo opened this issue Apr 13, 2022 · 4 comments
Labels
type/feature Issues that are new feature requests. type/request Issues that are created by customers.

Comments

@jamin-aws-ospo

It would be useful to be able to integrate authentication at the Load Balancer. This can be done using Cognito, an example:

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html

Right now, Cognito can be configured via an addon, but it is unclear how that can then be integrated with the Load Balancer created by copilot as part of a deploy. Sure, some post-deploy glue can be used, but it is likely that glue would be needed after most/all copilot deploy actions.

@huanjani huanjani added type/feature Issues that are new feature requests. type/request Issues that are created by customers. labels Apr 13, 2022
@jamin-aws-ospo
Author

jamin-aws-ospo commented Apr 15, 2022

So, it turns out both a pre and post deploy adjustment are needed. Without the pre-deploy action, the copilot deploy will fail due to the modified Load Balancer. I've come up with a script to perform both actions automatically. Unfortunately, this means that there is a bit of service interruption on each deployment as these actions are being taken outside of CloudFormation.

The following script relies on aws CLI, jq, grep, tr, cat and mktemp:
https://gist.github.com/jamin-aws-ospo/8b244a2ca84321e92349802b26187436

@TakaraShinya

👍

@Lou1415926
Contributor

Related: #1411 #1982

@iamhopaul123
Contributor

Hello everyone. Now that we have svc override available, it is much easier to modify the LB listener rule. I did a prototype, and here's my workaround for Cognito for now, before we have native support.

`copilot/environment/addons/cognito.yml`:

```yaml
Parameters:
  App:
    Type: String
    Description: Your application's name.
  Env:
    Type: String
    Description: The environment name your service, job, or workflow is being deployed to.

Resources:
  MyUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: !Sub "${Env}.${App}"
      EmailConfiguration:
        EmailSendingAccount: COGNITO_DEFAULT
      AutoVerifiedAttributes:
        - email
      VerificationMessageTemplate:
        DefaultEmailOption: CONFIRM_WITH_CODE
      UsernameAttributes:
        - email

  UserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    DependsOn: UserPoolResourceServer
    Properties:
      ClientName: !Sub "${Env}.${App}"
      GenerateSecret: true   # the ALB authenticate-cognito action needs a confidential client
      UserPoolId: !Ref MyUserPool
      SupportedIdentityProviders:
        - COGNITO
      AllowedOAuthFlowsUserPoolClient: true
      AllowedOAuthFlows:
        - code
        - implicit
      AllowedOAuthScopes:
        - openid
      CallbackURLs:
        # ${YOUR_ALIAS_NAME} is the service's alias; the ALB handles the IdP response on /oauth2/idpresponse
        - https://${YOUR_ALIAS_NAME}/oauth2/idpresponse

  UserPoolDomain:
    Type: AWS::Cognito::UserPoolDomain
    Properties:
      Domain: !Sub "${Env}-${App}"
      UserPoolId: !Ref MyUserPool

  UserPoolResourceServer:
    Type: AWS::Cognito::UserPoolResourceServer
    Properties:
      UserPoolId: !Ref MyUserPool
      Identifier: !Sub "${Env}.${App}"
      Name: !Sub "${Env}.${App}"
      Scopes:
        - ScopeName: "api.readwrite"
          ScopeDescription: "All access"

# Exported so the service's override patch can import them by name.
Outputs:
  ClientId:
    Value: !Ref UserPoolClient
    Export:
      Name: !Sub ${App}-${Env}-UserpoolClientId
  UserpoolArn:
    Value: !GetAtt MyUserPool.Arn
    Export:
      Name: !Sub ${App}-${Env}-UserpoolArn
  UserpoolId:
    Value: !Ref MyUserPool
    Export:
      Name: !Sub ${App}-${Env}-UserpoolId
```

`copilot/web/overrides/cfn.patches.yml`:

```yaml
# Replaces the HTTPS listener rule's whole Actions list, so the Cognito
# authenticate action (Order 1) always runs before the forward (Order 2).
- op: replace
  path: /Resources/HTTPSListenerRule/Properties/Actions
  value:
    - Type: authenticate-cognito
      AuthenticateCognitoConfig:
        UserPoolArn:
          Fn::ImportValue:
            !Sub ${AppName}-${EnvName}-UserpoolArn
        UserPoolClientId:
          Fn::ImportValue:
            !Sub ${AppName}-${EnvName}-UserpoolClientId
        UserPoolDomain: !Sub ${EnvName}-${AppName}
        SessionCookieName: AWSELBAuthSessionCookie
        Scope: openid
        SessionTimeout: 86400
        AuthenticationRequestExtraParams:
          display: page
          prompt: login
        OnUnauthenticatedRequest: authenticate
      Order: 1

    - TargetGroupArn: !Ref TargetGroup
      Type: forward
      Order: 2
```
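The override above only works if the authenticate action really ends up in front of the forward action on the deployed listener rule. The following post-deploy check is an added example, not code from this issue or from Copilot: it reads the JSON that `aws elbv2 describe-rules --listener-arn <arn>` returns and reports any rule whose target group can be reached without passing through Cognito (no authenticate action, authenticate ordered after forward, or `OnUnauthenticatedRequest` switched to `allow`). The sample document embedded in it is constructed for the example; every ARN, id and domain in it is a placeholder.

```python
"""Post-deploy check that each ALB listener rule fronts its forward action
with authenticate-cognito.  Added example; the sample document below is
constructed and uses placeholder ARNs and ids."""
import json
import sys

MAX_SESSION_TIMEOUT = 604800  # seconds; the ALB maximum of seven days

# Constructed sample of describe-rules output with three rules: one that
# matches the cfn.patches.yml override, one reset to a bare forward, and one
# whose OnUnauthenticatedRequest was switched to "allow".
SAMPLE_DESCRIBE_RULES = json.dumps({"Rules": [
    {"RuleArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener-rule/app/demo/AAA/BBB/ok",
     "Priority": "1", "IsDefault": False,
     "Conditions": [{"Field": "path-pattern", "Values": ["/*"]}],
     "Actions": [
         {"Type": "authenticate-cognito", "Order": 1,
          "AuthenticateCognitoConfig": {
              "UserPoolArn": "arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_PLACEHOLDER",
              "UserPoolClientId": "PLACEHOLDERCLIENTID",
              "UserPoolDomain": "test-demo",
              "SessionCookieName": "AWSELBAuthSessionCookie",
              "Scope": "openid", "SessionTimeout": 86400,
              "OnUnauthenticatedRequest": "authenticate"}},
         {"Type": "forward", "Order": 2,
          "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/demo/CCC"}]},
    {"RuleArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener-rule/app/demo/AAA/BBB/bare",
     "Priority": "2", "IsDefault": False,
     "Conditions": [{"Field": "path-pattern", "Values": ["/admin/*"]}],
     "Actions": [
         {"Type": "forward", "Order": 1,
          "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/demo/CCC"}]},
    {"RuleArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener-rule/app/demo/AAA/BBB/allow",
     "Priority": "3", "IsDefault": False,
     "Conditions": [{"Field": "path-pattern", "Values": ["/api/*"]}],
     "Actions": [
         {"Type": "authenticate-cognito", "Order": 1,
          "AuthenticateCognitoConfig": {
              "UserPoolArn": "arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_PLACEHOLDER",
              "UserPoolClientId": "PLACEHOLDERCLIENTID",
              "UserPoolDomain": "test-demo",
              "OnUnauthenticatedRequest": "allow"}},
         {"Type": "forward", "Order": 2,
          "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/demo/CCC"}]},
]})


def load_rules(describe_rules_json):
    """Parse describe-rules output and return its list of rule objects."""
    return json.loads(describe_rules_json).get("Rules", [])


def check_rule(rule):
    """Return the findings for one rule; an empty list means it is acceptable."""
    actions = sorted(rule.get("Actions", []), key=lambda a: a.get("Order", 0))
    forwards = [a for a in actions if a.get("Type") == "forward"]
    if not forwards:
        return []  # redirect / fixed-response rules expose no target group
    auths = [a for a in actions if a.get("Type") == "authenticate-cognito"]
    if not auths:
        return ["forward action with no authenticate-cognito action"]
    findings = []
    auth = auths[0]
    if auth.get("Order", 0) >= forwards[0].get("Order", 0):
        findings.append("authenticate-cognito ordered after the forward action")
    cfg = auth.get("AuthenticateCognitoConfig", {})
    # The ALB defaults OnUnauthenticatedRequest to "authenticate"; only
    # "allow" passes anonymous requests through to the target group.
    if cfg.get("OnUnauthenticatedRequest", "authenticate") == "allow":
        findings.append("OnUnauthenticatedRequest is 'allow'")
    for key in ("UserPoolArn", "UserPoolClientId", "UserPoolDomain"):
        if not cfg.get(key):
            findings.append(f"AuthenticateCognitoConfig lacks {key}")
    if cfg.get("SessionTimeout", 0) > MAX_SESSION_TIMEOUT:
        findings.append("SessionTimeout exceeds the seven-day maximum")
    return findings


def audit(describe_rules_json):
    """Map each failing RuleArn to its findings; {} means every rule passed."""
    report = {}
    for rule in load_rules(describe_rules_json):
        findings = check_rule(rule)
        if findings:
            report[rule["RuleArn"]] = findings
    return report


if __name__ == "__main__":
    # Pipe real describe-rules output in; with no stdin the sample is audited.
    text = SAMPLE_DESCRIBE_RULES if sys.stdin.isatty() else sys.stdin.read()
    for arn, findings in audit(text).items():
        print(arn)
        for finding in findings:
            print("  -", finding)
```

Run it as `aws elbv2 describe-rules --listener-arn <listener-arn> | python check_rules.py` after each `copilot svc deploy`; a non-empty report means the listener rule drifted from the override (the situation the earlier pre/post-deploy script comment describes) and the target group is reachable without Cognito.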
