Merge pull request #157 from bleggett/cognito-terraform

Use Terraform to provision Cognito resources, rather than shell script

installscripts/Installer.sh

@@ -15,7 +15,7 @@
 # URLS
 JAVA_URL="http://download.oracle.com/otn-pub/java/jdk/8u131-b11/d54c1d3a095b4ff2b6607d096fa80163/jdk-8u131-linux-x64.rpm"
 AWSCLI_URL="https://s3.amazonaws.com/aws-cli/awscli-bundle.zip"
-TERRAFORM_URL="https://releases.hashicorp.com/terraform/0.9.11/terraform_0.9.11_linux_amd64.zip?_ga=2.191030627.850923432.1499789921-755991382.1496973261"
+TERRAFORM_URL="https://releases.hashicorp.com/terraform/0.11.6/terraform_0.11.6_linux_amd64.zip"
 ATLASSIAN_CLI_URL="https://bobswift.atlassian.net/wiki/download/attachments/16285777/atlassian-cli-6.7.1-distribution.zip"
 INSTALLER_GITHUB_URL="https://github.com/tmobile/jazz-installer.git"
 PIP_URL="https://bootstrap.pypa.io/get-pip.py"
@@ -82,7 +82,7 @@ function install_packages () {
   # 2. Java Jdk - 8u112-linux-x64
   # 3. Unzip
   # 4. AWSCLI
-  # 5. Terraform - 0.9.11
+  # 5. Terraform
   # 7. Atlassian CLI - 6.7.1
 
   #Fork output redirection so we can control output if VERBOSE is set

installscripts/jazz-terraform-unix-noinstances/cognito.tf

@@ -1,15 +1,59 @@
 #
 # Cognito resources
 #
-resource "null_resource" "cognito_user_pool" {
-
-provisioner "local-exec" {
-    command = "${var.cognito_cmd}  ${var.envPrefix} ${var.envPrefix}-api-onboarding ${var.cognito_pool_username} ${var.cognito_pool_password} ${var.jenkinsjsonpropsfile}"
-  }  
-provisioner "local-exec" {
-    when = "destroy"
-  command = "${var.cognitoDelete_cmd}  ${var.envPrefix}"
+resource "aws_cognito_user_pool" "pool"{
+  name = "${var.envPrefix}"
+  username_attributes = ["email"]
+  schema = [
+    {
+      name = "email"
+      attribute_data_type = "String"
+      required = true
+    },
+    {
+      name = "reg-code"
+      attribute_data_type = "String"
+      string_attribute_constraints = {
+        min_length = 1
+      },
+    }
+  ]
+  tags = {
+    Application = "Jazz"
+    JazzInstance = "${var.envPrefix}"
+  }
+  auto_verified_attributes = ["email"]
+  verification_message_template = {
+    email_subject_by_link = "Jazz Notification - Account Verification"
+    email_message_by_link = "Hello,\n<br><br>\nThanks for signing up!\n<br><br>\nPlease click the link to verify your email address: {##VERIFY EMAIL##}\n<br><br>\nTo know more about Jazz, please refer to link https://github.com/tmobile/jazz-core/wiki\n<br><br>\nBest,<br>\nJazz Team"
+    default_email_option = "CONFIRM_WITH_LINK"
+  }
+  password_policy = {
+    minimum_length    = 8
+    require_lowercase = true
+    require_numbers   = false
+    require_symbols   = false
+    require_uppercase = false
   }
+}
+
+resource "aws_cognito_user_pool_client" "client" {
+  name = "${var.envPrefix}-api-onboarding"
+  generate_secret = false
+  user_pool_id = "${aws_cognito_user_pool.pool.id}"
 
+  provisioner "local-exec" {
+    command = "${var.cognito_cmd} ${var.envPrefix} ${aws_cognito_user_pool.pool.id} ${aws_cognito_user_pool_client.client.id} ${var.cognito_pool_username} ${var.cognito_pool_password}"
+  }
+  provisioner "local-exec" {
+    command = "${var.modifyPropertyFile_cmd} USER_POOL_ID ${aws_cognito_user_pool.pool.id} ${var.jenkinsjsonpropsfile}"
+  }
+  provisioner "local-exec" {
+    command = "${var.modifyPropertyFile_cmd} CLIENT_ID ${aws_cognito_user_pool_client.client.id} ${var.jenkinsjsonpropsfile}"
+  }
 }
 
+resource "aws_cognito_user_pool_domain" "domain" {
+  domain = "${var.envPrefix}"
+  user_pool_id = "${aws_cognito_user_pool.pool.id}"
+}

installscripts/jazz-terraform-unix-noinstances/commands.tf

@@ -55,10 +55,6 @@ variable "cognito_cmd" {
   type = "string"
   default = "./scripts/cognito.sh"
 }
-variable "cognitoDelete_cmd" {
-  type = "string"
-  default = "./scripts/cognitoDelete.sh"
-}
 variable "deployS3Webapp_cmd" {
   type = "string"
   default = "./scripts/deployS3Webapp.sh"

installscripts/jazz-terraform-unix-noinstances/providers.tf

@@ -0,0 +1,7 @@
+provider "aws" {
+  version = "~> 1.14"
+}
+
+provider "null" {
+  version = "~> 1.0"
+}

installscripts/jazz-terraform-unix-noinstances/scripts/cognito.sh

@@ -1,39 +1,15 @@
 #!/bin/bash
 
 POOL_NAME=$1
-CLIENT_NAME=$2
-POOL_USER_NAME=$3
-POOL_USER_PASSWORD=$4
-jenkinsjsonpropsfile=$5
-
-
-
-#Create the userpool
-aws cognito-idp create-user-pool --pool-name $POOL_NAME  --username-attributes email --schema '{"Name": "email", "AttributeDataType": "String", "Required": true}' > /tmp/$POOL_NAME-user-pool
-USER_POOL_ID=$(grep -E '"Id":' /tmp/$POOL_NAME-user-pool | awk -F'"' '{print $4}')
-echo "Created User Pool: " $USER_POOL_ID
-
-#Update password policy and email verification information
-aws cognito-idp update-user-pool --user-pool-id $USER_POOL_ID --user-pool-tags Application="Jazz",JazzInstance="$POOL_NAME"  --auto-verified-attributes email --verification-message-template '{"EmailSubjectByLink": "Jazz Notification - Account Verification", "EmailMessageByLink": "Hello,\n<br><br>\nThanks for signing up!\n<br><br>\nPlease click the link to verify your email address: {##Verify Email##}\n<br><br>\nTo know more about Jazz, please refer to link https://github.com/tmobile/jazz-core/wiki\n<br><br>\nBest,<br>\nJazz Team" , "DefaultEmailOption": "CONFIRM_WITH_LINK"}' --policies '{"PasswordPolicy": {"MinimumLength": 6,"RequireUppercase": false,"RequireLowercase": false, "RequireNumbers": false, "RequireSymbols": false}}' > /tmp/$POOL_NAME-user-pool
-
-#Update the custom attributes
-aws cognito-idp add-custom-attributes --user-pool-id $USER_POOL_ID --custom-attributes '{"Name": "reg-code", "AttributeDataType": "String", "StringAttributeConstraints":{"MinLength": "1"}}'
-
-#Create a userpool client
-aws cognito-idp create-user-pool-client --user-pool-id $USER_POOL_ID --no-generate-secret --client-name $CLIENT_NAME > /tmp/$POOL_NAME-app-client
-CLIENT_ID=$(grep -E '"ClientId":' /tmp/$POOL_NAME-app-client | awk -F'"' '{print $4}')
-echo "Created App Client: " $CLIENT_ID
-
-#Create a domain for the userpool
-aws cognito-idp create-user-pool-domain --domain $POOL_NAME --user-pool-id $USER_POOL_ID
+USER_POOL_ID=$2
+CLIENT_ID=$3
+POOL_USER_NAME=$4
+POOL_USER_PASSWORD=$5
 
 #Create a user
-aws cognito-idp sign-up --client-id $CLIENT_ID --username $POOL_USER_NAME --password $POOL_USER_PASSWORD > /tmp/$POOL_NAME-signup
+aws cognito-idp sign-up --client-id $CLIENT_ID --username $POOL_USER_NAME --password $POOL_USER_PASSWORD > $POOL_NAME-signup
 
-username_rand=`cat /tmp/$POOL_NAME-signup  | grep -i usersub | awk '{print $2}' |tr -d '",'`
+username_rand=`cat $POOL_NAME-signup  | grep -i usersub | awk '{print $2}' |tr -d '",'`
 
 #Auto verify the user
 aws cognito-idp admin-confirm-sign-up  --user-pool-id $USER_POOL_ID --username $username_rand
-
-sed -i "s/USER_POOL_ID\".*.$/USER_POOL_ID\": \"$USER_POOL_ID\",/g" $jenkinsjsonpropsfile
-sed -i "s/CLIENT_ID\".*.$/CLIENT_ID\": \"$CLIENT_ID\"/g" $jenkinsjsonpropsfile

installscripts/jazz-terraform-unix-noinstances/scripts/create.sh

@@ -1,20 +1,41 @@
-#!/bin/bash
+#!/bin/sh
+
+print_error()
+{
+    printf "\r${RED}$1${NC}\n" 1>&3 2>&4
+}
+
 rm -f ./settings.txt
 date
-terraform apply \
-          -var "aws_access_key=${AWS_ACCESS_KEY_ID}" \
-          -var "aws_secret_key=${AWS_SECRET_ACCESS_KEY}" \
-          -var "region=${AWS_DEFAULT_REGION}"
-date
-echo " ======================================================="
-echo " The following stack has been created in AWS"
-echo " ________________________________________________"
-terraform state list
-echo " ======================================================="
-echo " Please use the following values for checking out Jazz"
-echo " ________________________________________________"
-cat ./settings.txt
-echo " ======================================================="
-echo " Installation complete! To cleanup Jazz stack and its resources execute ./destroy.sh in this directory."
-realpath ../../
-echo " ======================================================="
+terraform init && terraform apply \
+                            --auto-approve \
+                            -var "aws_access_key=${AWS_ACCESS_KEY_ID}" \
+                            -var "aws_secret_key=${AWS_SECRET_ACCESS_KEY}" \
+                            -var "region=${AWS_DEFAULT_REGION}"
+if [ $? -gt 0 ]
+then
+    date
+    print_error "$message....Failed"
+    print_error "Destroying created AWS resources because of failure"
+    terraform destroy --auto-approve
+    echo " ======================================================="
+    echo " To cleanup Jazz stack and its resources execute ./destroy.sh in this directory."
+    realpath ../../
+    echo " ======================================================="
+    exit
+else
+    date
+    echo " ======================================================="
+    echo " The following stack has been created in AWS"
+    echo " ________________________________________________"
+    terraform state list
+    echo " ======================================================="
+    echo " Please use the following values for checking out Jazz"
+    echo " ________________________________________________"
+    cat ./settings.txt
+    echo " ======================================================="
+    echo " Installation complete! To cleanup Jazz stack and its resources execute ./destroy.sh in this directory."
+    realpath ../../
+    echo " ======================================================="
+    exit
+fi

installscripts/jazz-terraform-unix-noinstances/scripts/destroy.sh

@@ -20,7 +20,7 @@ fi
 # Rename any stack_deletion out files if any
 for x in ~/jazz-installer/stack_de*.out
 do
-    if [ -f "$x" ] 
+    if [ -f "$x" ]
     then
         mv $x ${x%.out}-old.out
     fi
@@ -48,7 +48,7 @@ if [ "$1" == "all" ]; then
     #Deleting Platform services
     /usr/bin/python scripts/DeleteStackPlatformServices.py $stack_name true
 
-    #Deleting Cloud Front Distributions 
+    #Deleting Cloud Front Distributions
     cd ~/jazz-installer/installscripts/jazz-terraform-unix-noinstances
     /usr/bin/python scripts/DeleteStackCloudFrontDists.py $stack_name true
 
@@ -85,8 +85,9 @@ if [ "$1" == "frameworkonly" ]; then
     #Deleting Platform services
     /usr/bin/python scripts/DeleteStackPlatformServices.py $stack_name false
 
-    #Calling the terraform destroy 
-    terraform destroy -target=aws_kinesis_stream.kinesis_stream_prod -target=aws_iam_role_policy_attachment.kinesisaccess -target=aws_dynamodb_table.dynamodb-Environments_Dev -target=aws_dynamodb_table.dynamodb-Environments_Stg -target=aws_dynamodb_table.dynamodb-Environments_Prod -target=aws_dynamodb_table.dynamodb-table_Event_Handler_Stg -target=null_resource.configureExistingBitbucketServer -target=aws_dynamodb_table.dynamodb-Event_Name_Prod -target=aws_dynamodb_table.dynamodb-Event_Type_Dev -target=aws_s3_bucket.oab-apis-deployment-stg -target=aws_s3_bucket_policy.dev-serverless-static-bucket-contents-policy -target=null_resource.outputVariables -target=aws_cloudfront_distribution.jazz -target=aws_cloudfront_origin_access_identity.origin_access_identity -target=aws_dynamodb_table.dynamodb-Event_Name_Stg -target=aws_iam_role_policy_attachment.cognitopoweruser -target=aws_s3_bucket_policy.stg-serverless-static-bucket-contents-policy -target=aws_s3_bucket_policy.jazz-web-bucket-contents-policy -target=aws_dynamodb_table.dynamodb-table-stg -target=aws_dynamodb_table.dynamodb-table_Event_Handler_Dev -target=aws_s3_bucket.oab-apis-deployment-dev -target=aws_iam_role_policy_attachment.vpccrossaccountaccess -target=aws_s3_bucket_policy.prod-serverless-static-bucket-contents-policy -target=aws_s3_bucket.oab-apis-deployment-prod -target=aws_dynamodb_table.dynamodb-Event_Type_Prod -target=aws_dynamodb_table.dynamodb-table_Event_Handler_Prod -target=data.aws_canonical_user_id.current -target=aws_dynamodb_table.dynamodb-Event_Name_Dev -target=aws_kinesis_stream.kinesis_stream_stg -target=aws_dynamodb_table.dynamodb-Event_Status_Prod -target=aws_dynamodb_table.dynamodb-table-prod -target=aws_dynamodb_table.dynamodb-Event_Status_Dev -target=aws_dynamodb_table.dynamodb-Events_Stg -target=aws_elasticsearch_domain.elasticsearch_domain -target=aws_dynamodb_table.dynamodb-Event_Type_Stg -target=aws_dynamodb_table.dynamodb-Events_Prod -target=aws_kinesis_stream.kinesis_stream_dev -target=null_resource.configureExistingJenkinsServer -target=aws_s3_bucket.jazz-web -target=aws_dynamodb_table.dynamodb-table-dev -target=aws_dynamodb_table.dynamodb-Event_Status_Stg -target=aws_dynamodb_table.dynamodb-Events_Dev -target=null_resource.cognito_user_pool -target=aws_s3_bucket.jazz_s3_api_doc
+    #Calling the terraform destroy
+    # TODO This is a code smell, if we have correctly declared resource dependencies in our terraform scripts, terraform should destroy everything we created without us having to maintan a list of every resource and pass it to `terraform destroy` like this.
+    terraform destroy -target=aws_kinesis_stream.kinesis_stream_prod -target=aws_iam_role_policy_attachment.kinesisaccess -target=aws_dynamodb_table.dynamodb-Environments_Dev -target=aws_dynamodb_table.dynamodb-Environments_Stg -target=aws_dynamodb_table.dynamodb-Environments_Prod -target=aws_dynamodb_table.dynamodb-table_Event_Handler_Stg -target=null_resource.configureExistingBitbucketServer -target=aws_dynamodb_table.dynamodb-Event_Name_Prod -target=aws_dynamodb_table.dynamodb-Event_Type_Dev -target=aws_s3_bucket.oab-apis-deployment-stg -target=aws_s3_bucket_policy.dev-serverless-static-bucket-contents-policy -target=null_resource.outputVariables -target=aws_cloudfront_distribution.jazz -target=aws_cloudfront_origin_access_identity.origin_access_identity -target=aws_dynamodb_table.dynamodb-Event_Name_Stg -target=aws_iam_role_policy_attachment.cognitopoweruser -target=aws_s3_bucket_policy.stg-serverless-static-bucket-contents-policy -target=aws_s3_bucket_policy.jazz-web-bucket-contents-policy -target=aws_dynamodb_table.dynamodb-table-stg -target=aws_dynamodb_table.dynamodb-table_Event_Handler_Dev -target=aws_s3_bucket.oab-apis-deployment-dev -target=aws_iam_role_policy_attachment.vpccrossaccountaccess -target=aws_s3_bucket_policy.prod-serverless-static-bucket-contents-policy -target=aws_s3_bucket.oab-apis-deployment-prod -target=aws_dynamodb_table.dynamodb-Event_Type_Prod -target=aws_dynamodb_table.dynamodb-table_Event_Handler_Prod -target=data.aws_canonical_user_id.current -target=aws_dynamodb_table.dynamodb-Event_Name_Dev -target=aws_kinesis_stream.kinesis_stream_stg -target=aws_dynamodb_table.dynamodb-Event_Status_Prod -target=aws_dynamodb_table.dynamodb-table-prod -target=aws_dynamodb_table.dynamodb-Event_Status_Dev -target=aws_dynamodb_table.dynamodb-Events_Stg -target=aws_elasticsearch_domain.elasticsearch_domain -target=aws_dynamodb_table.dynamodb-Event_Type_Stg -target=aws_dynamodb_table.dynamodb-Events_Prod -target=aws_kinesis_stream.kinesis_stream_dev -target=null_resource.configureExistingJenkinsServer -target=aws_s3_bucket.jazz-web -target=aws_dynamodb_table.dynamodb-table-dev -target=aws_dynamodb_table.dynamodb-Event_Status_Stg -target=aws_dynamodb_table.dynamodb-Events_Dev -target=aws_cognito_user_pool.pool -target=aws_s3_bucket.jazz_s3_api_doc
 
     date
     exit 0

installscripts/jazz-terraform-unix-noinstances/ses.tf

@@ -2,7 +2,7 @@
 # SES Resource
 #
 resource "null_resource" "ses_setup" {
-    depends_on = ["aws_iam_role.lambda_role", "null_resource.cognito_user_pool"]
+  depends_on = ["aws_iam_role.lambda_role", "aws_cognito_user_pool.pool"]
 
     provisioner "local-exec" {
         command = "${var.ses_cmd} ${var.cognito_pool_username} ${var.region} ${var.jenkinsattribsfile} ${var.aws_access_key} ${var.aws_secret_key} ${var.envPrefix}"