govuk-one-login · CarlyG55 · May 28, 2024 · May 22, 2024 · May 23, 2024 · May 24, 2024
@@ -165,6 +165,8 @@
       var.orch_ipv_callback_enabled,
       var.orch_register_enabled,
       var.orch_authentication_callback_enabled,
+      var.orch_auth_code_enabled,
+      var.orch_userinfo_enabled,
     ]))
   }
 
@@ -196,6 +198,9 @@
     aws_api_gateway_integration.orch_ipv_callback_integration,
     aws_api_gateway_integration.orch_register_integration,
     aws_api_gateway_integration.orch_authentication_callback_integration,
+    aws_api_gateway_integration.orch_auth_code_integration,
+    aws_api_gateway_integration.orch_userinfo_integration,
+    aws_api_gateway_integration.orch_update_client_integration
   ]
 }
 
@@ -1017,6 +1022,28 @@
   authorization = "NONE"
 }
 
+resource "aws_api_gateway_resource" "orch_auth_code_resource" {
+  count       = var.orch_auth_code_enabled ? 1 : 0
+  rest_api_id = aws_api_gateway_rest_api.di_authentication_api.id
+  parent_id   = aws_api_gateway_rest_api.di_authentication_api.root_resource_id
+  path_part   = "auth-code"
+  depends_on = [
+    module.auth-code
+  ]
+}
+
+resource "aws_api_gateway_method" "orch_auth_code_method" {
+  count       = var.orch_auth_code_enabled ? 1 : 0
+  rest_api_id = aws_api_gateway_rest_api.di_authentication_api.id
+  resource_id = aws_api_gateway_resource.orch_auth_code_resource[0].id
+  http_method = "GET"
+
+  depends_on = [
+    aws_api_gateway_resource.orch_auth_code_resource
+  ]
+  authorization = "NONE"
+}
+
 resource "aws_api_gateway_integration" "orch_authorisation_integration" {
   for_each    = var.orch_authorisation_enabled ? toset(["GET", "POST"]) : []
   rest_api_id = aws_api_gateway_rest_api.di_authentication_api.id
@@ -1136,6 +1163,44 @@
   uri                     = "arn:aws:apigateway:eu-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-2:${var.orch_account_id}:function:${var.orch_register_name}:latest/invocations"
 }
 
+resource "aws_api_gateway_resource" "orch_update_client_resource" {
+  count       = var.orch_register_enabled ? 1 : 0
+  rest_api_id = aws_api_gateway_rest_api.di_authentication_api.id
+  parent_id   = aws_api_gateway_resource.orch_register_resource[0].id
+  path_part   = "{clientId}"
+  depends_on = [
+    module.update
+  ]
+}
+
+resource "aws_api_gateway_method" "orch_update_client_method" {
+  count              = var.orch_register_enabled ? 1 : 0
+  rest_api_id        = aws_api_gateway_rest_api.di_authentication_api.id
+  resource_id        = aws_api_gateway_resource.orch_update_client_resource[0].id
+  http_method        = "PUT"
+  api_key_required   = true
+  request_parameters = { "method.request.path.clientId" = true }
+
+  depends_on = [
+    aws_api_gateway_resource.orch_update_client_resource
+  ]
+  authorization = "NONE"
+}
+
+resource "aws_api_gateway_integration" "orch_update_client_integration" {
+  count       = var.orch_register_enabled ? 1 : 0
+  rest_api_id = aws_api_gateway_rest_api.di_authentication_api.id
+  resource_id = aws_api_gateway_resource.orch_update_client_resource[0].id
+  http_method = aws_api_gateway_method.orch_update_client_method[0].http_method
+  depends_on = [
+    aws_api_gateway_resource.orch_update_client_resource
+  ]
+  request_parameters      = { "integration.request.path.clientId" = "method.request.path.clientId" }
+  type                    = "AWS_PROXY"
+  integration_http_method = "POST"
+  uri                     = "arn:aws:apigateway:eu-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-2:${var.orch_account_id}:function:${var.orch_update_client_name}:latest/invocations"
+}
+
 resource "aws_api_gateway_resource" "orch_authentication_callback_resource" {
   count       = var.orch_authentication_callback_enabled ? 1 : 0
   rest_api_id = aws_api_gateway_rest_api.di_authentication_api.id
@@ -1169,4 +1234,53 @@
   type                    = "AWS_PROXY"
   integration_http_method = "POST"
   uri                     = "arn:aws:apigateway:eu-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-2:${var.orch_account_id}:function:${var.orch_authentication_callback_name}:latest/invocations"
-}
+}
+
+resource "aws_api_gateway_integration" "orch_auth_code_integration" {
+  count       = var.orch_auth_code_enabled ? 1 : 0
+  rest_api_id = aws_api_gateway_rest_api.di_authentication_api.id
+  resource_id = aws_api_gateway_resource.orch_auth_code_resource[0].id
+  http_method = aws_api_gateway_method.orch_auth_code_method[0].http_method
+  depends_on = [
+    aws_api_gateway_resource.orch_auth_code_resource
+  ]
+  type                    = "AWS_PROXY"
+  integration_http_method = "POST"
+  uri                     = "arn:aws:apigateway:eu-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-2:${var.orch_account_id}:function:${var.orch_auth_code_name}:latest/invocations"
+}
+
+
+resource "aws_api_gateway_resource" "orch_userinfo_resource" {
+  count       = var.orch_userinfo_enabled ? 1 : 0
+  rest_api_id = aws_api_gateway_rest_api.di_authentication_api.id
+  parent_id   = aws_api_gateway_rest_api.di_authentication_api.root_resource_id
+  path_part   = "userinfo"
+  depends_on = [
+    module.userinfo
+  ]
+}
+
+resource "aws_api_gateway_method" "orch_userinfo_method" {
+  count       = var.orch_userinfo_enabled ? 1 : 0
+  rest_api_id = aws_api_gateway_rest_api.di_authentication_api.id
+  resource_id = aws_api_gateway_resource.orch_userinfo_resource[0].id
+  http_method = "GET"
+
+  depends_on = [
+    aws_api_gateway_resource.orch_userinfo_resource
+  ]
+  authorization = "NONE"
+}
+
+resource "aws_api_gateway_integration" "orch_userinfo_integration" {
+  count       = var.orch_userinfo_enabled ? 1 : 0
+  rest_api_id = aws_api_gateway_rest_api.di_authentication_api.id
+  resource_id = aws_api_gateway_resource.orch_userinfo_resource[0].id
+  http_method = aws_api_gateway_method.orch_userinfo_method[0].http_method
+  depends_on = [
+    aws_api_gateway_resource.orch_userinfo_resource
+  ]
+  type                    = "AWS_PROXY"
+  integration_http_method = "POST"
+  uri                     = "arn:aws:apigateway:eu-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-2:${var.orch_account_id}:function:${var.orch_userinfo_name}:latest/invocations"
+}
@@ -21,7 +21,7 @@ module "auth-code" {
   source = "../modules/endpoint-module"
 
   endpoint_name   = "auth-code"
-  path_part       = "auth-code"
+  path_part       = var.orch_auth_code_enabled ? "auth-code-auth" : "auth-code"
   endpoint_method = ["GET"]
 
   handler_environment_variables = {

@@ -71,6 +71,7 @@ resource "aws_lambda_alias" "backchannel_logout_request_lambda_active" {
 }
 
 resource "aws_lambda_event_source_mapping" "backchannel_logout_lambda_sqs_mapping" {
+  count            = var.auth_backchannel_logout_disabled ? 0 : 1
   event_source_arn = aws_sqs_queue.back_channel_logout_queue.arn
   function_name    = aws_lambda_function.backchannel_logout_request_lambda.arn
 

@@ -76,6 +76,13 @@ orch_register_enabled                = true
 orch_register_name                   = "dev-ClientRegistrationFunction"
 orch_authentication_callback_enabled = true
 orch_authentication_callback_name    = "dev-AuthenticationCallbackFunction"
+auth_backchannel_logout_disabled     = true
+auth_spot_response_disabled          = true
+orch_auth_code_enabled               = true
+orch_auth_code_name                  = "dev-AuthCodeFunction"
+orch_userinfo_enabled                = true
+orch_userinfo_name                   = "dev-UserInfoFunction"
+orch_update_client_name              = "dev-UpdateClientConfigFunction"
 
 orch_account_id                                  = "816047645251"
 back_channel_logout_cross_account_access_enabled = true

@@ -61,7 +61,7 @@ resource "aws_iam_policy" "spot_response_sqs_read_policy" {
 }
 
 resource "aws_lambda_event_source_mapping" "spot_response_lambda_sqs_mapping" {
-  count            = var.spot_enabled ? 1 : 0
+  count            = var.spot_enabled && !var.auth_spot_response_disabled ? 1 : 0
   event_source_arn = aws_ssm_parameter.spot_response_queue_arn.value
   function_name    = aws_lambda_function.spot_response_lambda.arn
   batch_size       = 1

@@ -14,8 +14,6 @@ lockout_duration                     = 7200
 reduced_lockout_duration             = 900
 incorrect_password_lockout_count_ttl = 7200
 
-orch_openid_configuration_name = "staging-OpenIdConfigurationFunction"
-
 orch_account_id                                  = "590183975515"
 back_channel_logout_cross_account_access_enabled = true
 kms_cross_account_access_enabled                 = true
@@ -29,9 +27,27 @@ phone_checker_with_retry = false
 oidc_origin_domain_enabled  = true
 oidc_cloudfront_dns_enabled = true
 
-orch_doc_app_callback_enabled        = false
+orch_openid_configuration_enabled    = true
+orch_openid_configuration_name       = "staging-OpenIdConfigurationFunction"
+orch_doc_app_callback_enabled        = true
 orch_doc_app_callback_name           = "staging-DocAppCallbackFunction"
+orch_token_enabled                   = true
+orch_token_name                      = "staging-TokenFunction"
+orch_jwks_enabled                    = true
+orch_jwks_name                       = "staging-JwksFunction"
+orch_authorisation_enabled           = true
+orch_authorisation_name              = "staging-AuthorisationFunction"
+orch_logout_enabled                  = true
+orch_logout_name                     = "staging-LogoutFunction"
+orch_ipv_callback_enabled            = true
+orch_ipv_callback_name               = "staging-IpvCallbackFunction"
 orch_register_enabled                = true
 orch_register_name                   = "staging-ClientRegistrationFunction"
 orch_authentication_callback_enabled = true
 orch_authentication_callback_name    = "staging-AuthenticationCallbackFunction"
+auth_backchannel_logout_disabled     = true
+auth_spot_response_disabled          = true
+orch_auth_code_enabled               = true
+orch_auth_code_name                  = "staging-AuthCodeFunction"
+orch_userinfo_enabled                = true
+orch_userinfo_name                   = "staging-UserInfoFunction"
@@ -26,7 +26,7 @@ module "userinfo" {
   source = "../modules/endpoint-module"
 
   endpoint_name   = "userinfo"
-  path_part       = "userinfo"
+  path_part       = var.orch_userinfo_enabled ? "userinfo-auth" : "userinfo"
   endpoint_method = ["GET"]
   environment     = var.environment
 

@@ -535,6 +535,18 @@ variable "orch_authorisation_enabled" {
   default     = false
 }
 
+variable "auth_backchannel_logout_disabled" {
+  description = "Flag to disable routing back channel logout traffic to the authentication account"
+  type        = bool
+  default     = false
+}
+
+variable "auth_spot_response_disabled" {
+  description = "Flag to disable routing spot response traffic to the authentication account"
+  type        = bool
+  default     = false
+}
+
 variable "orch_logout_enabled" {
   description = "Flag to enable routing logout traffic to the orchestration account"
   type        = bool
@@ -559,6 +571,18 @@ variable "orch_authentication_callback_enabled" {
   default     = false
 }
 
+variable "orch_auth_code_enabled" {
+  description = "Flag to enable routing auth code traffic to the orchestration account"
+  type        = bool
+  default     = false
+}
+
+variable "orch_userinfo_enabled" {
+  description = "Flag to enable routing userinfo traffic to the orchestration account"
+  type        = bool
+  default     = false
+}
+
 variable "orch_openid_configuration_name" {
   type    = string
   default = ""
@@ -609,6 +633,21 @@ variable "orch_authentication_callback_name" {
   default = ""
 }
 
+variable "orch_auth_code_name" {
+  type    = string
+  default = ""
+}
+
+variable "orch_userinfo_name" {
+  type    = string
+  default = ""
+}
+
+variable "orch_update_client_name" {
+  type    = string
+  default = ""
+}
+
 variable "account_intervention_service_action_enabled" {
   default = false
   type    = bool

@@ -65,4 +65,5 @@ kms_cross_account_access_enabled                                    = true
 doc_app_cross_account_access_enabled                                = true
 user_profile_table_cross_account_access_enabled                     = true
 client_registry_table_cross_account_access_enabled                  = true
-authentication_callback_userinfo_table_cross_account_access_enabled = true
+identity_credentials_cross_account_access_enabled                   = true
+authentication_callback_userinfo_table_cross_account_access_enabled = true