diff --git a/amplify/backend/api/team/schema.graphql b/amplify/backend/api/team/schema.graphql
index 61c59b4c..ad9103e9 100644
--- a/amplify/backend/api/team/schema.graphql
+++ b/amplify/backend/api/team/schema.graphql
@@ -265,9 +265,6 @@ type Query {
 getMgmtPermissions: MgmtPs
 @function(name: "teamgetMgmtAccountDetails-${env}")
 @auth(rules: [{ allow: private }])
- getGroups: Groups
- @function(name: "teamgetGroups-${env}")
- @auth(rules: [{ allow: private }])
 getIdCGroups: [IdCGroups]
 @function(name: "teamgetIdCGroups-${env}")
 @auth(rules: [{ allow: private }])
diff --git a/amplify/backend/auth/team06dbb7fc/cli-inputs.json b/amplify/backend/auth/team06dbb7fc/cli-inputs.json
index deac89a6..f7c449be 100644
--- a/amplify/backend/auth/team06dbb7fc/cli-inputs.json
+++ b/amplify/backend/auth/team06dbb7fc/cli-inputs.json
@@ -41,7 +41,11 @@
 "usernameAttributes": [
 "email"
 ],
- "triggers": {},
+ "triggers": {
+ "PreTokenGeneration": [
+ "alter-claims"
+ ]
+ },
 "userPoolGroupList": [
 "Auditors",
 "Admin"
@@ -62,18 +66,29 @@
 ]
 },
 "breakCircularDependency": true,
- "dependsOn": [],
+ "dependsOn": [
+ {
+ "category": "function",
+ "resourceName": "team06dbb7fcPreTokenGeneration",
+ "triggerProvider": "Cognito",
+ "attributes": [
+ "Arn",
+ "Name"
+ ]
+ }
+ ],
 "hostedUI": true,
 "parentStack": {
 "Ref": "AWS::StackId"
 },
 "permissions": [],
- "hostedUIDomainName": "d11r99we6v7d2t",
+ "hostedUIDomainName": "d1s5ncogc730zk",
 "authProvidersUserPool": [],
 "hostedUIProviderMeta": "[]",
 "authProviders": [],
 "hostedUIProviderCreds": "[]",
 "adminQueryGroup": "Admin",
- "oAuthMetadata": "{\"AllowedOAuthFlows\":[\"code\"],\"AllowedOAuthScopes\":[\"phone\",\"email\",\"openid\",\"profile\",\"aws.cognito.signin.user.admin\"],\"CallbackURLs\":[\"https://main.d11r99we6v7d2t.amplifyapp.com/\"],\"LogoutURLs\":[\"https://main.d11r99we6v7d2t.amplifyapp.com/\"]}"
+ "authTriggerConnections": "[\n {\n \"triggerType\": \"PreTokenGeneration\",\n \"lambdaFunctionName\": \"team06dbb7fcPreTokenGeneration\"\n }\n]",
+ "oAuthMetadata": "{\"AllowedOAuthFlows\":[\"code\"],\"AllowedOAuthScopes\":[\"phone\",\"email\",\"openid\",\"profile\",\"aws.cognito.signin.user.admin\"],\"CallbackURLs\":[\"https://main.d1s5ncogc730zk.amplifyapp.com/\"],\"LogoutURLs\":[\"https://main.d1s5ncogc730zk.amplifyapp.com/\"]}"
 }
 }
\ No newline at end of file
diff --git a/amplify/backend/backend-config.json b/amplify/backend/backend-config.json
index 9cd0579a..bbde5ad5 100644
--- a/amplify/backend/backend-config.json
+++ b/amplify/backend/backend-config.json
@@ -36,7 +36,17 @@
 "auth": {
 "team06dbb7fc": {
 "customAuth": false,
- "dependsOn": [],
+ "dependsOn": [
+ {
+ "attributes": [
+ "Arn",
+ "Name"
+ ],
+ "category": "function",
+ "resourceName": "team06dbb7fcPreTokenGeneration",
+ "triggerProvider": "Cognito"
+ }
+ ],
 "frontendAuthConfig": {
 "mfaConfiguration": "OFF",
 "mfaTypes": [
@@ -119,6 +129,21 @@ } }, "function": { + "team06dbb7fcPreTokenGeneration": { + "build": true, + "dependsOn": [ + { + "attributes": [ + "GraphQLAPIIdOutput", + "GraphQLAPIEndpointOutput" + ], + "category": "api", + "resourceName": "team" + } + ], + "providerPlugin": "awscloudformation", + "service": "Lambda" + }, "teamGetPermissionSets": { "build": true, "dependsOn": [ @@ -264,35 +289,6 @@ "providerPlugin": "awscloudformation", "service": "Lambda" }, - "teamgetGroups": { - "build": true, - "dependsOn": [ - { - "attributes": [ - "GraphQLAPIIdOutput", - "GraphQLAPIEndpointOutput" - ], - "category": "api", - "resourceName": "team" - }, - { - "attributes": [ - "UserPoolId" - ], - "category": "auth", - "resourceName": "team06dbb7fc" - }, - { - "attributes": [ - "Arn" - ], - "category": "function", - "resourceName": "teamapplicationboto3layer" - } - ], - "providerPlugin": "awscloudformation", - "service": "Lambda" - }, "teamgetIdCGroups": { "build": true, "providerPlugin": "awscloudformation", @@ -410,6 +406,22 @@ } }, "parameters": { + "AMPLIFY_function_teamGetPermissionSets_deploymentBucketName": { + "usedBy": [ + { + "category": "function", + "resourceName": "teamGetPermissionSets" + } + ] + }, + "AMPLIFY_function_teamGetPermissionSets_s3Key": { + "usedBy": [ + { + "category": "function", + "resourceName": "teamGetPermissionSets" + } + ] + }, "AMPLIFY_function_teamListGroups_deploymentBucketName": { "usedBy": [ { @@ -442,6 +454,22 @@ } ] }, + "AMPLIFY_function_teamPublishOUs_deploymentBucketName": { + "usedBy": [ + { + "category": "function", + "resourceName": "teamPublishOUs" + } + ] + }, + "AMPLIFY_function_teamPublishOUs_s3Key": { + "usedBy": [ + { + "category": "function", + "resourceName": "teamPublishOUs" + } + ] + }, "AMPLIFY_function_teamRouter_deploymentBucketName": { "usedBy": [ { 
@@ -522,22 +550,6 @@ } ] }, - "AMPLIFY_function_teamgetGroups_deploymentBucketName": { - "usedBy": [ - { - "category": "function", - "resourceName": "teamgetGroups" - } - ] - }, - "AMPLIFY_function_teamgetGroups_s3Key": { - "usedBy": [ - { - "category": "function", - "resourceName": "teamgetGroups" - } - ] - }, "AMPLIFY_function_teamgetIdCGroups_deploymentBucketName": { "usedBy": [ { diff --git a/amplify/backend/custom/cloudtrailLake/parameters.json b/amplify/backend/custom/cloudtrailLake/parameters.json index 1617e428..ad18a1f8 100644 --- a/amplify/backend/custom/cloudtrailLake/parameters.json +++ b/amplify/backend/custom/cloudtrailLake/parameters.json @@ -1,3 +1,3 @@ { - "CloudTrailAuditLogs": "arn:aws:cloudtrail:us-east-1:843551180572:eventdatastore/c2b1db81-d0ab-4857-a8d4-d85170209f9f" + "CloudTrailAuditLogs": "read_write" } \ No newline at end of file diff --git a/amplify/backend/function/teamgetGroups/Pipfile b/amplify/backend/function/team06dbb7fcPreTokenGeneration/Pipfile similarity index 87% rename from amplify/backend/function/teamgetGroups/Pipfile rename to amplify/backend/function/team06dbb7fcPreTokenGeneration/Pipfile index f1529fdb..88b01f8a 100644 --- a/amplify/backend/function/teamgetGroups/Pipfile +++ b/amplify/backend/function/team06dbb7fcPreTokenGeneration/Pipfile @@ -9,4 +9,4 @@ verify_ssl = true src = {editable = true, path = "./src"} [requires] -python_version = "3.9" +python_version = "3.8" diff --git a/amplify/backend/function/teamgetGroups/amplify.state b/amplify/backend/function/team06dbb7fcPreTokenGeneration/amplify.state similarity index 100% rename from amplify/backend/function/teamgetGroups/amplify.state rename to amplify/backend/function/team06dbb7fcPreTokenGeneration/amplify.state 
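Review bot: The `CloudTrailAuditLogs` parameter goes from an event data store ARN to the literal string `"read_write"`, which is not a value of the same kind. If the custom `cloudtrailLake` resource still expects an event data store ARN, this will fail at deploy time or quietly leave the audit-log integration pointing nowhere; if `read_write` is a sentinel that the custom stack interprets, the accepted values should be documented next to the parameter, e.g. `"_comment": "CloudTrailAuditLogs: event data store ARN, or read_write to <documented meaning>"` in whatever form the custom stack tolerates. The custom resource template is not part of this diff, so I cannot tell which case applies.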
diff --git a/amplify/backend/function/teamgetGroups/custom-policies.json b/amplify/backend/function/team06dbb7fcPreTokenGeneration/custom-policies.json
similarity index 100%
rename from amplify/backend/function/teamgetGroups/custom-policies.json
rename to amplify/backend/function/team06dbb7fcPreTokenGeneration/custom-policies.json
diff --git a/amplify/backend/function/team06dbb7fcPreTokenGeneration/function-parameters.json b/amplify/backend/function/team06dbb7fcPreTokenGeneration/function-parameters.json
new file mode 100644
index 00000000..e74c3ac9
--- /dev/null
+++ b/amplify/backend/function/team06dbb7fcPreTokenGeneration/function-parameters.json
@@ -0,0 +1,10 @@
+{
+ "permissions": {
+ "api": {
+ "team": [
+ "Query"
+ ]
+ }
+ },
+ "lambdaLayers": []
+}
\ No newline at end of file
diff --git a/amplify/backend/function/team06dbb7fcPreTokenGeneration/parameters.json b/amplify/backend/function/team06dbb7fcPreTokenGeneration/parameters.json
new file mode 100644
index 00000000..d422d1b8
--- /dev/null
+++ b/amplify/backend/function/team06dbb7fcPreTokenGeneration/parameters.json
@@ -0,0 +1,4 @@
+{
+ "teamAdminGroup": "TEAM-admins",
+ "teamAuditorGroup": "TEAM-auditors"
+}
\ No newline at end of file
diff --git a/amplify/backend/function/teamgetGroups/src/event.json b/amplify/backend/function/team06dbb7fcPreTokenGeneration/src/event.json
similarity index 100%
rename from amplify/backend/function/teamgetGroups/src/event.json
rename to amplify/backend/function/team06dbb7fcPreTokenGeneration/src/event.json
diff --git a/amplify/backend/function/teamgetGroups/src/index.py b/amplify/backend/function/team06dbb7fcPreTokenGeneration/src/index.py
similarity index 68%
rename from amplify/backend/function/teamgetGroups/src/index.py
rename to amplify/backend/function/team06dbb7fcPreTokenGeneration/src/index.py
index 6e4abf40..613fe167 100644
--- a/amplify/backend/function/teamgetGroups/src/index.py
+++ b/amplify/backend/function/team06dbb7fcPreTokenGeneration/src/index.py
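Review bot: The new `function-parameters.json` grants the trigger `Query` access on the `team` API, but the handler shown in this diff reads settings from the table named by `SETTINGS_TABLE_NAME` and otherwise talks to sso-admin and (presumably) Identity Store; nothing visible issues an AppSync request. If the unchanged remainder of `src/index.py` does not call AppSync either, drop the `api` entry so the generated `appsync:GraphQL` statement on `/types/Query/*` disappears from the trigger's role. A token-issuance trigger is a good place to be strict about least privilege, since it runs with every sign-in.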
@@ -1,12 +1,12 @@ -# © 2023 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. +# © 2024 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. # This AWS Content is provided subject to the terms of the AWS Customer Agreement available at # http: // aws.amazon.com/agreement or other written agreement between Customer and either # Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both. import os from botocore.exceptions import ClientError import boto3 +import json -user_pool_id = os.getenv("AUTH_AWSPIM06DBB7FC_USERPOOLID") team_admin_group = os.getenv("TEAM_ADMIN_GROUP") team_auditor_group = os.getenv("TEAM_AUDITOR_GROUP") settings_table_name = os.getenv("SETTINGS_TABLE_NAME") @@ -31,31 +31,6 @@ def get_team_groups(): print(f"Error retrieving TEAM settings from database: {e}") return team_admin_group, team_auditor_group -def add_user_to_group(username, groupname): - client = boto3.client('cognito-idp') - try: - response = client.admin_add_user_to_group( - UserPoolId=user_pool_id, - Username=username, - GroupName=groupname - ) - print(f"user {username} added to {groupname} group") - except ClientError as e: - print(e.response['Error']['Message']) - - -def remove_user_from_group(username, groupname): - client = boto3.client('cognito-idp') - try: - response = client.admin_remove_user_from_group( - UserPoolId=user_pool_id, - Username=username, - GroupName=groupname - ) - print(f"user {username} removed from {groupname} group") - except ClientError as e: - print(e.response['Error']['Message']) - def get_identity_store_id(): client = boto3.client('sso-admin') 
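Review bot: `import json` is added but no visible hunk uses `json`; unless the unchanged part of `index.py` does, remove the import. Removing `user_pool_id` together with the deleted `add_user_to_group`/`remove_user_from_group` helpers is consistent, but the module still reads `TEAM_ADMIN_GROUP`, `TEAM_AUDITOR_GROUP` and `SETTINGS_TABLE_NAME` at import time without a fallback, so a missing variable only surfaces later as `None` being passed to the lookups; a one-line module comment such as `# All three env vars are set by the function's CloudFormation template; absence is a deployment error` would make that expectation explicit.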
@@ -123,29 +98,35 @@ def list_idc_group_membership(userId): def handler(event, context): team_admin_group, team_auditor_group = get_team_groups() - user = event["identity"]["username"] - # Strip idc prefix - username = user.removeprefix("idc_") - userId = get_user(username) + user = event["userName"].split("_", 1)[1] + userId = get_user(user) admin = get_group(team_admin_group) auditor = get_group(team_auditor_group) groups = [] - groupIds = [] + groupIds = str() groupData = list_idc_group_membership(userId) - + for group in groupData: - groupIds.append(group["GroupId"]) - if group['GroupId'] == admin: - add_user_to_group(user, "Admin") + groupIds += group["GroupId"] + "," + if group["GroupId"] == admin: + # add_user_to_group(user, "Admin") groups.append("Admin") - elif group['GroupId'] == auditor: - add_user_to_group(user, "Auditors") + elif group["GroupId"] == auditor: + # add_user_to_group(user, "Auditors") groups.append("Auditors") - if "Admin" not in groups: - remove_user_from_group(user, "Admin") - elif "Auditors" not in groups: - remove_user_from_group(user, "Auditors") + event["response"] = { + "claimsOverrideDetails": { + "claimsToAddOrOverride": { + "userId": userId, + "groupIds": groupIds, + "groups": ",".join(groups) + }, + "groupOverrideDetails": { + "groupsToOverride": groups, + }, + } + } - return {"groups": groups, "userId": userId, "groupIds": groupIds} \ No newline at end of file + return event \ No newline at end of file diff --git a/amplify/backend/function/teamgetGroups/src/setup.py b/amplify/backend/function/team06dbb7fcPreTokenGeneration/src/setup.py similarity index 100% rename from amplify/backend/function/teamgetGroups/src/setup.py rename to amplify/backend/function/team06dbb7fcPreTokenGeneration/src/setup.py 
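Review bot: `user = event["userName"].split("_", 1)[1]` raises IndexError for any pool user whose name has no underscore and accepts whatever prefix precedes the first one, so the mapping onto an Identity Center user no longer depends on which provider the login came from (the old line stripped only `idc_`); since an exception in this trigger blocks token issuance, use `provider, sep, user = event["userName"].partition("_")` and return an explicit error when `sep` is empty or `provider` is not the expected IdP name. Separately, `groupIds = str()` with `groupIds += group["GroupId"] + ","` leaves a trailing comma in the `groupIds` claim, which the frontend's `split(',')` turns into an empty element; keep the list and join it: `groupIds = []`, `groupIds.append(group["GroupId"])`, `"groupIds": ",".join(groupIds),`. The commented-out `# add_user_to_group(...)` lines are dead code now that those helpers are deleted. Note that `groupsToOverride` only changes `cognito:groups` in the issued token, so AppSync group rules stay correct only while this trigger succeeds on every issuance and refresh. `get_user`, `get_group` and `list_idc_group_membership` are outside the hunk.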
diff --git a/amplify/backend/function/team06dbb7fcPreTokenGeneration/team06dbb7fcPreTokenGeneration-cloudformation-template.json b/amplify/backend/function/team06dbb7fcPreTokenGeneration/team06dbb7fcPreTokenGeneration-cloudformation-template.json
new file mode 100644
index 00000000..f87bfa83
--- /dev/null
+++ b/amplify/backend/function/team06dbb7fcPreTokenGeneration/team06dbb7fcPreTokenGeneration-cloudformation-template.json
@@ -0,0 +1,286 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Lambda Function resource stack creation using Amplify CLI", + "Parameters": { + "CloudWatchRule": { + "Type": "String", + "Default": "NONE", + "Description": " Schedule Expression" + }, + "deploymentBucketName": { + "Type": "String" + }, + "env": { + "Type": "String" + }, + "s3Key": { + "Type": "String" + }, + "apiteamGraphQLAPIIdOutput": { + "Type": "String", + "Default": "apiteamGraphQLAPIIdOutput" + }, + "apiteamGraphQLAPIEndpointOutput": { + "Type": "String", + "Default": "apiteamGraphQLAPIEndpointOutput" + }, + "teamAdminGroup": { + "Type": "String" + }, + "teamAuditorGroup": { + "Type": "String" + } + }, + "Conditions": { + "ShouldNotCreateEnvResources": { + "Fn::Equals": [ + { + "Ref": "env" + }, + "NONE" + ] + } + }, + "Resources": { + "LambdaFunction": { + "Type": "AWS::Lambda::Function", + "Metadata": { + "aws:asset:path": "./src", + "aws:asset:property": "Code" + }, + "Properties": { + "Architectures": [ + "arm64" + ], + "Code": { + "S3Bucket": { + "Ref": "deploymentBucketName" + }, + "S3Key": { + "Ref": "s3Key" + } + }, + "Handler": "index.handler", + "FunctionName": { + "Fn::If": [ + "ShouldNotCreateEnvResources", + "team06dbb7fcPreTokenGeneration", + { + "Fn::Join": [ + "", + [ + "team06dbb7fcPreTokenGeneration", + "-", + { + "Ref": "env" + } + ] + ] + } + ] + }, + "Environment": { + "Variables": { + "ENV": { + "Ref": "env" + }, + "REGION": { + "Ref": "AWS::Region" + }, + "API_TEAM_GRAPHQLAPIIDOUTPUT": { + "Ref": "apiteamGraphQLAPIIdOutput" + }, + "API_TEAM_GRAPHQLAPIENDPOINTOUTPUT": { + "Ref": "apiteamGraphQLAPIEndpointOutput" + }, + "SETTINGS_TABLE_NAME": { + "Fn::ImportValue": { + "Fn::Sub": "${apiteamGraphQLAPIIdOutput}:GetAtt:SettingsTable:Name" + } + }, + "TEAM_ADMIN_GROUP": { + "Ref": "teamAdminGroup" + }, + "TEAM_AUDITOR_GROUP": { + "Ref": "teamAuditorGroup" + } + } + }, + "Role": { + "Fn::GetAtt": [ + "LambdaExecutionRole", + "Arn" + ] + }, + "Runtime": 
"python3.12", + "Layers": [], + "Timeout": 120 + } + }, + "LambdaExecutionRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "RoleName": { + "Fn::If": [ + "ShouldNotCreateEnvResources", + "teamidcappLambdaRole1a94c239", + { + "Fn::Join": [ + "", + [ + "teamidcappLambdaRole1a94c239", + "-", + { + "Ref": "env" + } + ] + ] + } + ] + }, + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + }, + "Action": [ + "sts:AssumeRole" + ] + } + ] + } + } + }, + "lambdaexecutionpolicy": { + "DependsOn": [ + "LambdaExecutionRole" + ], + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "lambda-execution-policy", + "Roles": [ + { + "Ref": "LambdaExecutionRole" + } + ], + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Resource": { + "Fn::Sub": [ + "arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*", + { + "region": { + "Ref": "AWS::Region" + }, + "account": { + "Ref": "AWS::AccountId" + }, + "lambda": { + "Ref": "LambdaFunction" + } + } + ] + } + }, + { + "Effect": "Allow", + "Action": [ + "dynamodb:GetItem" + ], + "Resource": [ + { + "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/Settings-*" + } + ] + } + ] + } + } + }, + "AmplifyResourcesPolicy": { + "DependsOn": [ + "LambdaExecutionRole" + ], + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "amplify-lambda-execution-policy", + "Roles": [ + { + "Ref": "LambdaExecutionRole" + } + ], + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "appsync:GraphQL" + ], + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:aws:appsync:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":apis/", + { + "Ref": 
"apiteamGraphQLAPIIdOutput" + }, + "/types/Query/*" + ] + ] + } + ] + } + ] + } + } + } + }, + "Outputs": { + "Name": { + "Value": { + "Ref": "LambdaFunction" + } + }, + "Arn": { + "Value": { + "Fn::GetAtt": [ + "LambdaFunction", + "Arn" + ] + } + }, + "Region": { + "Value": { + "Ref": "AWS::Region" + } + }, + "LambdaExecutionRole": { + "Value": { + "Ref": "LambdaExecutionRole" + } + } + } +} \ No newline at end of file diff --git a/amplify/backend/function/teamGetPermissionSets/teamGetPermissionSets-cloudformation-template.json b/amplify/backend/function/teamGetPermissionSets/teamGetPermissionSets-cloudformation-template.json index b6577d42..7af70382 100644 --- a/amplify/backend/function/teamGetPermissionSets/teamGetPermissionSets-cloudformation-template.json +++ b/amplify/backend/function/teamGetPermissionSets/teamGetPermissionSets-cloudformation-template.json @@ -251,6 +251,45 @@ ] } } + }, + "CustomLambdaExecutionPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "custom-lambda-execution-policy", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sso:DescribePermissionSet", + "sso:ListPermissionSets", + "sso:ListInstances", + "sso:ListTagsForResource", + "sso:ListPermissionSetsProvisionedToAccount" + ], + "Resource": [ + "*" + ], + "Effect": "Allow" + }, + { + "Action": [ + "organizations:DescribeOrganization" + ], + "Resource": [ + "*" + ], + "Effect": "Allow" + } + ] + }, + "Roles": [ + { + "Ref": "LambdaExecutionRole" + } + ] + }, + "DependsOn": "LambdaExecutionRole" } }, "Outputs": { @@ -276,6 +315,14 @@ "Value": { "Ref": "LambdaExecutionRole" } + }, + "LambdaExecutionRoleArn": { + "Value": { + "Fn::GetAtt": [ + "LambdaExecutionRole", + "Arn" + ] + } } } } \ No newline at end of file diff --git a/amplify/backend/function/teamPublishOUs/teamPublishOUs-cloudformation-template.json b/amplify/backend/function/teamPublishOUs/teamPublishOUs-cloudformation-template.json index ed4cddb5..ae909e2a 100644 
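Review bot: The new template's role gets only CloudWatch Logs, `dynamodb:GetItem` on `Settings-*` and `appsync:GraphQL`, yet the handler calls `boto3.client('sso-admin')` plus `get_user`, `get_group` and `list_idc_group_membership`, and the deleted `teamgetGroups` template carried those permissions in a `CustomLambdaExecutionPolicy` (`identitystore:GetUserId`, `identitystore:GetGroupId`, `identitystore:ListGroupMembershipsForMember`, `sso:ListInstances`). If Amplify re-injects them from the renamed `custom-policies.json` at push this is fine; otherwise every token issuance will fail with AccessDenied, which is worth confirming before merging. `"Runtime": "python3.12"` here disagrees with the function's Pipfile, which now pins `python_version = "3.8"`; the two should match. Cognito gives a trigger about five seconds before retrying, so the `"Timeout": 120` provides no real headroom and the chain of sso-admin, Identity Store and DynamoDB calls has to stay well inside that budget on a cold start.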
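Review bot: The added `CustomLambdaExecutionPolicy` puts all five `sso:*` actions and `organizations:DescribeOrganization` on `"Resource": ["*"]`. Per the IAM action table for IAM Identity Center, at least `sso:DescribePermissionSet`, `sso:ListPermissionSets` and `sso:ListTagsForResource` accept instance and permission-set ARNs, so those can be scoped to the project's instance, e.g. `"arn:aws:sso:::instance/<INSTANCE_ID>"` and `"arn:aws:sso:::permissionSet/<INSTANCE_ID>/*"` (placeholders), leaving only `sso:ListInstances` and the Organizations call on `*`. Splitting the statement by resource scope also keeps later audits of this role straightforward.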
--- a/amplify/backend/function/teamPublishOUs/teamPublishOUs-cloudformation-template.json
+++ b/amplify/backend/function/teamPublishOUs/teamPublishOUs-cloudformation-template.json
@@ -248,6 +248,33 @@
 ]
 }
 }
+ },
+ "CustomLambdaExecutionPolicy": {
+ "Type": "AWS::IAM::Policy",
+ "Properties": {
+ "PolicyName": "custom-lambda-execution-policy",
+ "PolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "organizations:Describe*",
+ "organizations:List*"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Effect": "Allow"
+ }
+ ]
+ },
+ "Roles": [
+ {
+ "Ref": "LambdaExecutionRole"
+ }
+ ]
+ },
+ "DependsOn": "LambdaExecutionRole"
 }
 },
 "Outputs": {
@@ -273,6 +300,14 @@
 "Value": {
 "Ref": "LambdaExecutionRole"
 }
+ },
+ "LambdaExecutionRoleArn": {
+ "Value": {
+ "Fn::GetAtt": [
+ "LambdaExecutionRole",
+ "Arn"
+ ]
+ }
 }
 }
 }
\ No newline at end of file
diff --git a/amplify/backend/function/teamRouter/parameters.json b/amplify/backend/function/teamRouter/parameters.json
index 0de64904..3b435a45 100644
--- a/amplify/backend/function/teamRouter/parameters.json
+++ b/amplify/backend/function/teamRouter/parameters.json
@@ -1,3 +1,3 @@
 {
- "SSOLoginUrl": "https://d-90676de17c.awsapps.com/start"
+ "SSOLoginUrl": "https://d-9067924314.awsapps.com/start"
 }
\ No newline at end of file
diff --git a/amplify/backend/function/teamapplicationboto3layer/parameters.json b/amplify/backend/function/teamapplicationboto3layer/parameters.json
index 5fbdd6f7..70de6a35 100644
--- a/amplify/backend/function/teamapplicationboto3layer/parameters.json
+++ b/amplify/backend/function/teamapplicationboto3layer/parameters.json
@@ -3,5 +3,5 @@
 "python3.8",
 "python3.9"
 ],
- "description": "Updated layer version 2024-06-22T20:22:28.683Z"
+ "description": "Updated layer version 2024-11-06T11:17:57.493Z"
 }
\ No newline at end of file
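Review bot: `"organizations:Describe*"` and `"organizations:List*"` on `"Resource": ["*"]` hand this role every read action in Organizations, including `DescribePolicy`, `ListPolicies` and the handshake listings that publishing OUs has no need for. The function's code is not in this diff so I cannot name the exact set, but the statement should enumerate what it actually calls (likely `organizations:ListRoots`, `organizations:ListOrganizationalUnitsForParent`, `organizations:ListAccountsForParent` and `organizations:DescribeOrganization`). The `teamGetPermissionSets` policy in the same commit already lists explicit actions; this one should follow the same pattern.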
diff --git a/amplify/backend/function/teamapplicationboto3layer/teamapplicationboto3layer-awscloudformation-template.json b/amplify/backend/function/teamapplicationboto3layer/teamapplicationboto3layer-awscloudformation-template.json index 31453f7a..42414e02 100644 --- a/amplify/backend/function/teamapplicationboto3layer/teamapplicationboto3layer-awscloudformation-template.json +++ b/amplify/backend/function/teamapplicationboto3layer/teamapplicationboto3layer-awscloudformation-template.json @@ -20,7 +20,7 @@ } }, "Resources": { - "LambdaLayerVersionfefba24d": { + "LambdaLayerVersionf2146902": { "Type": "AWS::Lambda::LayerVersion", "Properties": { "CompatibleRuntimes": { @@ -51,12 +51,12 @@ "DeletionPolicy": "Delete", "UpdateReplacePolicy": "Retain" }, - "LambdaLayerPermissionPrivatefefba24d": { + "LambdaLayerPermissionPrivatef2146902": { "Type": "AWS::Lambda::LayerVersionPermission", "Properties": { "Action": "lambda:GetLayerVersion", "LayerVersionArn": { - "Ref": "LambdaLayerVersionfefba24d" + "Ref": "LambdaLayerVersionf2146902" }, "Principal": { "Ref": "AWS::AccountId" @@ -67,7 +67,7 @@ "Outputs": { "Arn": { "Value": { - "Ref": "LambdaLayerVersionfefba24d" + "Ref": "LambdaLayerVersionf2146902" } } } diff --git a/amplify/backend/function/teamgetGroups/Pipfile.lock b/amplify/backend/function/teamgetGroups/Pipfile.lock deleted file mode 100644 index 9417b657..00000000 --- a/amplify/backend/function/teamgetGroups/Pipfile.lock +++ /dev/null @@ -1,25 +0,0 @@ -{ - "_meta": { - "hash": { - "sha256": "ea7af8211da08840e2e5163d2738939b1a7636e7879b271198563357812a8f7d" - }, - "pipfile-spec": 6, - "requires": { - "python_version": "3.9" - }, - "sources": [ - { - "name": "pypi", - "url": "https://pypi.org/simple", - "verify_ssl": true - } - ] - }, - "default": { - "src": { - "editable": true, - "path": "./src" - } - }, - "develop": {} -} 
diff --git a/amplify/backend/function/teamgetGroups/function-parameters.json b/amplify/backend/function/teamgetGroups/function-parameters.json deleted file mode 100644 index 2f657e76..00000000 --- a/amplify/backend/function/teamgetGroups/function-parameters.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "permissions": { - "api": { - "awspim": [ - "Query" - ] - }, - "auth": { - "awspim06dbb7fc": [ - "create", - "read", - "update", - "delete" - ] - } - }, - "lambdaLayers": [ - { - "type": "ProjectLayer", - "resourceName": "awspamapplicationboto3layer", - "env": "master", - "version": "Always choose latest version", - "isLatestVersionSelected": true - } - ] -} \ No newline at end of file diff --git a/amplify/backend/function/teamgetGroups/parameters.json b/amplify/backend/function/teamgetGroups/parameters.json deleted file mode 100644 index f23b8fbd..00000000 --- a/amplify/backend/function/teamgetGroups/parameters.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "teamAdminGroup": "team-admin", - "teamAuditorGroup": "team-auditor" -} \ No newline at end of file diff --git a/amplify/backend/function/teamgetGroups/teamgetGroups-cloudformation-template.json b/amplify/backend/function/teamgetGroups/teamgetGroups-cloudformation-template.json deleted file mode 100644 index 5181e817..00000000 --- a/amplify/backend/function/teamgetGroups/teamgetGroups-cloudformation-template.json +++ /dev/null 
@@ -1,464 +0,0 @@ -{ - "AWSTemplateFormatVersion": "2010-09-09", - "Description": "Lambda Function resource stack creation using Amplify CLI", - "Parameters": { - "deploymentBucketName": { - "Type": "String" - }, - "env": { - "Type": "String" - }, - "s3Key": { - "Type": "String" - }, - "apiteamGraphQLAPIIdOutput": { - "Type": "String", - "Default": "apiteamGraphQLAPIIdOutput" - }, - "apiteamGraphQLAPIEndpointOutput": { - "Type": "String", - "Default": "apiteamGraphQLAPIEndpointOutput" - }, - "authteam06dbb7fcUserPoolId": { - "Type": "String", - "Default": "authteam06dbb7fcUserPoolId" - }, - "functionteamapplicationboto3layerArn": { - "Type": "String", - "Default": "functionteamapplicationboto3layerArn" - }, - "teamAdminGroup": { - "Type": "String" - }, - "teamAuditorGroup": { - "Type": "String" - } - }, - "Conditions": { - "ShouldNotCreateEnvResources": { - "Fn::Equals": [ - { - "Ref": "env" - }, - "NONE" - ] - } - }, - "Resources": { - "LambdaFunction": { - "Type": "AWS::Lambda::Function", - "Metadata": { - "aws:asset:path": "./src", - "aws:asset:property": "Code" - }, - "Properties": { - "Architectures": [ - "arm64" - ], - "Code": { - "S3Bucket": { - "Ref": "deploymentBucketName" - }, - "S3Key": { - "Ref": "s3Key" - } - }, - "Handler": "index.handler", - "FunctionName": { - "Fn::If": [ - "ShouldNotCreateEnvResources", - "teamgetGroups", - { - "Fn::Join": [ - "", - [ - "teamgetGroups", - "-", - { - "Ref": "env" - } - ] - ] - } - ] - }, - "Environment": { - "Variables": { - "ENV": { - "Ref": "env" - }, - "REGION": { - "Ref": "AWS::Region" - }, - "API_AWSPIM_GRAPHQLAPIIDOUTPUT": { - "Ref": "apiteamGraphQLAPIIdOutput" - }, - "API_TEAM_GRAPHQLAPIENDPOINTOUTPUT": { - "Ref": "apiteamGraphQLAPIEndpointOutput" - }, - "AUTH_AWSPIM06DBB7FC_USERPOOLID": { - "Ref": "authteam06dbb7fcUserPoolId" - }, - "SETTINGS_TABLE_NAME": { - "Fn::ImportValue": { - "Fn::Sub": "${apiteamGraphQLAPIIdOutput}:GetAtt:SettingsTable:Name" - } - }, - "TEAM_ADMIN_GROUP": { - "Ref": "teamAdminGroup" - 
}, - "TEAM_AUDITOR_GROUP": { - "Ref": "teamAuditorGroup" - } - } - }, - "Role": { - "Fn::GetAtt": [ - "LambdaExecutionRole", - "Arn" - ] - }, - "Runtime": "python3.9", - "Layers": [ - { - "Ref": "functionteamapplicationboto3layerArn" - } - ], - "Timeout": 120 - } - }, - "LambdaExecutionRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "RoleName": { - "Fn::If": [ - "ShouldNotCreateEnvResources", - "teamapplicationLambdaRoledc40f306", - { - "Fn::Join": [ - "", - [ - "teamapplicationLambdaRoledc40f306", - "-", - { - "Ref": "env" - } - ] - ] - } - ] - }, - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": [ - "lambda.amazonaws.com" - ] - }, - "Action": [ - "sts:AssumeRole" - ] - } - ] - } - } - }, - "lambdaexecutionpolicy": { - "DependsOn": [ - "LambdaExecutionRole" - ], - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyName": "lambda-execution-policy", - "Roles": [ - { - "Ref": "LambdaExecutionRole" - } - ], - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Resource": { - "Fn::Sub": [ - "arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*", - { - "region": { - "Ref": "AWS::Region" - }, - "account": { - "Ref": "AWS::AccountId" - }, - "lambda": { - "Ref": "LambdaFunction" - } - } - ] - } - }, - { - "Effect": "Allow", - "Action": [ - "dynamodb:GetItem" - ], - "Resource": [ - { - "Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/Settings-*" - } - ] - } - ] - } - } - }, - "AmplifyResourcesPolicy": { - "DependsOn": [ - "LambdaExecutionRole" - ], - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyName": "amplify-lambda-execution-policy", - "Roles": [ - { - "Ref": "LambdaExecutionRole" - } - ], - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - 
"Action": [ - "appsync:GraphQL" - ], - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:aws:appsync:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":apis/", - { - "Ref": "apiteamGraphQLAPIIdOutput" - }, - "/types/Query/*" - ] - ] - } - ] - }, - { - "Effect": "Allow", - "Action": [ - "cognito-idp:ConfirmSignUp", - "cognito-idp:AdminCreateUser", - "cognito-idp:CreateUserImportJob", - "cognito-idp:AdminSetUserSettings", - "cognito-idp:AdminLinkProviderForUser", - "cognito-idp:CreateIdentityProvider", - "cognito-idp:AdminConfirmSignUp", - "cognito-idp:AdminDisableUser", - "cognito-idp:AdminRemoveUserFromGroup", - "cognito-idp:SetUserMFAPreference", - "cognito-idp:SetUICustomization", - "cognito-idp:SignUp", - "cognito-idp:VerifyUserAttribute", - "cognito-idp:SetRiskConfiguration", - "cognito-idp:StartUserImportJob", - "cognito-idp:AdminSetUserPassword", - "cognito-idp:AssociateSoftwareToken", - "cognito-idp:CreateResourceServer", - "cognito-idp:RespondToAuthChallenge", - "cognito-idp:CreateUserPoolClient", - "cognito-idp:AdminUserGlobalSignOut", - "cognito-idp:GlobalSignOut", - "cognito-idp:AddCustomAttributes", - "cognito-idp:CreateGroup", - "cognito-idp:CreateUserPool", - "cognito-idp:AdminForgetDevice", - "cognito-idp:AdminAddUserToGroup", - "cognito-idp:AdminRespondToAuthChallenge", - "cognito-idp:ForgetDevice", - "cognito-idp:CreateUserPoolDomain", - "cognito-idp:AdminEnableUser", - "cognito-idp:AdminUpdateDeviceStatus", - "cognito-idp:StopUserImportJob", - "cognito-idp:InitiateAuth", - "cognito-idp:AdminInitiateAuth", - "cognito-idp:AdminSetUserMFAPreference", - "cognito-idp:ConfirmForgotPassword", - "cognito-idp:SetUserSettings", - "cognito-idp:VerifySoftwareToken", - "cognito-idp:AdminDisableProviderForUser", - "cognito-idp:SetUserPoolMfaConfig", - "cognito-idp:ChangePassword", - "cognito-idp:ConfirmDevice", - "cognito-idp:AdminResetUserPassword", - "cognito-idp:ResendConfirmationCode", - "cognito-identity:Describe*", - 
"cognito-identity:Get*", - "cognito-identity:List*", - "cognito-idp:Describe*", - "cognito-idp:AdminGetDevice", - "cognito-idp:AdminGetUser", - "cognito-idp:AdminList*", - "cognito-idp:List*", - "cognito-sync:Describe*", - "cognito-sync:Get*", - "cognito-sync:List*", - "iam:ListOpenIdConnectProviders", - "iam:ListRoles", - "sns:ListPlatformApplications", - "cognito-idp:ForgotPassword", - "cognito-idp:UpdateAuthEventFeedback", - "cognito-idp:UpdateResourceServer", - "cognito-idp:UpdateUserPoolClient", - "cognito-idp:AdminUpdateUserAttributes", - "cognito-idp:UpdateUserAttributes", - "cognito-idp:UpdateUserPoolDomain", - "cognito-idp:UpdateIdentityProvider", - "cognito-idp:UpdateGroup", - "cognito-idp:AdminUpdateAuthEventFeedback", - "cognito-idp:UpdateDeviceStatus", - "cognito-idp:UpdateUserPool", - "cognito-idp:DeleteUserPoolDomain", - "cognito-idp:DeleteResourceServer", - "cognito-idp:DeleteGroup", - "cognito-idp:AdminDeleteUserAttributes", - "cognito-idp:DeleteUserPoolClient", - "cognito-idp:DeleteUserAttributes", - "cognito-idp:DeleteUserPool", - "cognito-idp:AdminDeleteUser", - "cognito-idp:DeleteIdentityProvider", - "cognito-idp:DeleteUser" - ], - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:aws:cognito-idp:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":userpool/", - { - "Ref": "authteam06dbb7fcUserPoolId" - } - ] - ] - } - ] - } - ] - } - } - }, - "CustomLambdaExecutionPolicy": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyName": "custom-lambda-execution-policy", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "identitystore:GetUserId" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - }, - { - "Action": [ - "identitystore:GetGroupId" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - }, - { - "Action": [ - "identitystore:ListGroupMembershipsForMember" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - }, - { - "Action": [ - "sso:ListInstances" - ], - 
"Resource": [ - "*" - ], - "Effect": "Allow" - } - ] - }, - "Roles": [ - { - "Ref": "LambdaExecutionRole" - } - ] - }, - "DependsOn": "LambdaExecutionRole" - } - }, - "Outputs": { - "Name": { - "Value": { - "Ref": "LambdaFunction" - } - }, - "Arn": { - "Value": { - "Fn::GetAtt": [ - "LambdaFunction", - "Arn" - ] - } - }, - "Region": { - "Value": { - "Ref": "AWS::Region" - } - }, - "LambdaExecutionRole": { - "Value": { - "Ref": "LambdaExecutionRole" - } - }, - "LambdaExecutionRoleArn": { - "Value": { - "Fn::GetAtt": [ - "LambdaExecutionRole", - "Arn" - ] - } - } - } -} \ No newline at end of file diff --git a/amplify/backend/types/amplify-dependent-resources-ref.d.ts b/amplify/backend/types/amplify-dependent-resources-ref.d.ts index e1031544..36b0b8a8 100644 --- a/amplify/backend/types/amplify-dependent-resources-ref.d.ts +++ b/amplify/backend/types/amplify-dependent-resources-ref.d.ts @@ -38,6 +38,13 @@ export type AmplifyDependentResourcesAttributes = { } }, "function": { + "teamGetPermissionSets": { + "Arn": "string", + "LambdaExecutionRole": "string", + "LambdaExecutionRoleArn": "string", + "Name": "string", + "Region": "string" + }, "teamListGroups": { "Arn": "string", "LambdaExecutionRole": "string", @@ -52,6 +59,13 @@ export type AmplifyDependentResourcesAttributes = { "Name": "string", "Region": "string" }, + "teamPublishOUs": { + "Arn": "string", + "LambdaExecutionRole": "string", + "LambdaExecutionRoleArn": "string", + "Name": "string", + "Region": "string" + }, "teamRouter": { "Arn": "string", "LambdaExecutionRole": "string", diff --git a/parameters.js b/parameters.js index 61f4e287..8456bb46 100644 --- a/parameters.js +++ b/parameters.js 
@@ -66,10 +66,10 @@ async function update_react_parameters() { } async function update_groups_parameters() { - console.log(`updating teamgetgroups lambda parameters"...`); + console.log(`updating team06dbb7fcPreTokenGeneration lambda parameters"...`); const groupsParametersJsonPath = path.resolve( - `./amplify/backend/function/teamgetGroups/parameters.json` + `./amplify/backend/function/team06dbb7fcPreTokenGeneration/parameters.json` ); const groupsParametersJson = require(groupsParametersJsonPath); diff --git a/src/App.js b/src/App.js index b6279d57..568ead3a 100644 --- a/src/App.js +++ b/src/App.js @@ -3,7 +3,7 @@ // http://aws.amazon.com/agreement or other written agreement between Customer and either // Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both. import React, { useEffect, useState } from "react"; -import { Amplify, Auth, Hub } from "aws-amplify"; +import { Amplify, Auth, Hub } from "aws-amplify"; import { Spin, Layout } from "antd"; import awsconfig from "./aws-exports"; import Nav from "./components/Navigation/Nav"; @@ -49,7 +49,7 @@ function App() { switch (event) { case "signIn": console.log("User signed in"); - break + break; // eslint-disable-next-line no-fallthrough case "cognitoHostedUI": setData(); 
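Review bot: The updated log line carries over the stray quote from the old one (`... lambda parameters"...`); while the message is being edited anyway, make the template string `updating team06dbb7fcPreTokenGeneration lambda parameters...`. The `path.resolve` target is updated consistently with the renamed function directory. `update_groups_parameters` continues past the end of the hunk.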
@@ -60,26 +60,25 @@ function App() { break; case "signIn_failure": console.log("User sign in failure"); - break + break; case "cognitoHostedUI_failure": console.log("Sign in failure"); break; } }); - - setData() + + setData(); }, []); function setData() { getUser().then((userData) => { setUser(userData); - setcognitoGroups(userData.signInUserSession.idToken.payload['cognito:groups']) - fetchGroups(userData.username).then(({userId,groupIds,groups}) => { - setUserId(userId) - setGroupIds( groupIds ); - setGroups( groups ); - setLoading(false); - }); + const payload = userData.signInUserSession.idToken.payload; + setcognitoGroups(payload["cognito:groups"]); + setUserId(payload.userId); + setGroupIds((payload.groupIds).split(',')); + setGroups((payload.groups).split(',')); + setLoading(false); }); } @@ -96,7 +95,13 @@ function App() { return (
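Review bot: `setGroupIds((payload.groupIds).split(','))` and `setGroups((payload.groups).split(','))` throw a TypeError whenever the claims are absent, which is the case for an ID token minted before the PreTokenGeneration trigger was attached or while the trigger is failing, and because `''.split(',')` is `['']` an empty claim leaves an empty-string group in state; use `setGroupIds((payload.groupIds ?? "").split(",").filter(Boolean));` and `setGroups((payload.groups ?? "").split(",").filter(Boolean));`. These claim-derived values should only drive the UI; any authorization decision still has to rely on the `cognito:groups` value the trigger overrides, not on `groups`/`groupIds` parsed here. `setData` ends in this hunk, but `App` continues beyond it.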
{groups ? ( -