Add cognito policy

FIAP-3SOAT-G15 · Aug 9, 2024 · 75da84c · 75da84c
1 parent 2fcc00c
commit 75da84c
Show file tree

Hide file tree

Showing 10 changed files with 43 additions and 35 deletions.
diff --git a/.github/workflows/apply.yml b/.github/workflows/apply.yml
@@ -37,18 +37,18 @@ jobs:
           aws-region: ${{ vars.AWS_REGION }}
 
       - name: Update kubeconfig
-        if: (github.ref == 'refs/heads/main' && github.event_name == 'push') || github.event_name == 'workflow_dispatch'
+        #if: (github.ref == 'refs/heads/main' && github.event_name == 'push') || github.event_name == 'workflow_dispatch'
         run: aws eks update-kubeconfig --name ${{ vars.AWS_EKS_CLUSTER_NAME }} --region ${{ vars.AWS_REGION }}
 
       - name: Deploy to EKS
-        if: (github.ref == 'refs/heads/main' && github.event_name == 'push') || github.event_name == 'workflow_dispatch'
+        #if: (github.ref == 'refs/heads/main' && github.event_name == 'push') || github.event_name == 'workflow_dispatch'
         run: |
           kubectl apply -f orders
           kubectl apply -f payments
           kubectl apply -f stock
 
       - name: Recreate
-        if: (github.ref == 'refs/heads/main' && github.event_name == 'push') || github.event_name == 'workflow_dispatch'
+        #if: (github.ref == 'refs/heads/main' && github.event_name == 'push') || github.event_name == 'workflow_dispatch'
         run: |
           kubectl rollout restart deployment -n orders orders-deployment
           kubectl rollout restart deployment -n payments payments-deployment

diff --git a/.github/workflows/provision.yml b/.github/workflows/provision.yml
@@ -63,5 +63,5 @@ jobs:
         run: exit 1
 
       - name: Terraform Apply
-        if: (github.ref == 'refs/heads/main' && github.event_name == 'push') || github.event_name == 'workflow_dispatch'
+        #if: (github.ref == 'refs/heads/main' && github.event_name == 'push') || github.event_name == 'workflow_dispatch'
         run: terraform apply -auto-approve -input=false
diff --git a/manifests/orders/deployment.yml b/manifests/orders/deployment.yml
@@ -88,9 +88,9 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: cognito-secrets
-                  key: issuer-uri
+                  key: issueruri
             - name: COGNITO_JWK_SET_URI
               valueFrom:
                 secretKeyRef:
                   name: cognito-secrets
-                  key: jwk-set-uri
+                  key: jwkseturi
diff --git a/manifests/orders/secret-provider.yml b/manifests/orders/secret-provider.yml
@@ -20,20 +20,20 @@ spec:
     - secretName: cognito-secrets
       type: Opaque
       data:
-        - objectName: "issuer-uri"
-          key: "issuer-uri"
-        - objectName: "jwk-set-uri"
-          key: "jwk-set-uri"
+        - objectName: issueruri
+          key: issueruri
+        - objectName: jwkseturi
+          key: jwkseturi
   parameters:
     region: us-east-1
     objects: |
       - objectName: "/live/cognito"
         objectType: "ssmparameter"
         jmesPath:
-          - path: "issuer-uri"
-            objectAlias: "issuer-uri"
-          - path: "jwk-set-uri"
-            objectAlias: "jwk-set-uri"
+          - path: "issueruri"
+            objectAlias: "issueruri"
+          - path: "jwkseturi"
+            objectAlias: "jwkseturi"
       - objectName: "/live/orders/db"
         objectType: "ssmparameter"
         jmesPath:

diff --git a/manifests/payments/deployment.yml b/manifests/payments/deployment.yml
@@ -86,9 +86,9 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: cognito-secrets
-                  key: issuer-uri
+                  key: issueruri
             - name: COGNITO_JWK_SET_URI
               valueFrom:
                 secretKeyRef:
                   name: cognito-secrets
-                  key: jwk-set-uri
+                  key: jwkseturi
diff --git a/manifests/payments/secret-provider.yml b/manifests/payments/secret-provider.yml
@@ -20,20 +20,20 @@ spec:
     - secretName: cognito-secrets
       type: Opaque
       data:
-        - objectName: "issuer-uri"
-          key: "issuer-uri"
-        - objectName: "jwk-set-uri"
-          key: "jwk-set-uri"
+        - objectName: issueruri
+          key: issueruri
+        - objectName: jwkseturi
+          key: jwkseturi
   parameters:
     region: us-east-1
     objects: |
-      - objectName: "live/cognito"
+      - objectName: "/live/cognito"
         objectType: "ssmparameter"
         jmesPath:
-          - path: "issuer-uri"
-            objectAlias: "issuer-uri"
-          - path: "jwk-set-uri"
-            objectAlias: "jwk-set-uri"
+          - path: "issueruri"
+            objectAlias: "issueruri"
+          - path: "jwkseturi"
+            objectAlias: "jwkseturi"
       - objectName: "live/payments/mercadopago"
         objectType: "secretsmanager"
         jmesPath:

diff --git a/manifests/stock/deployment.yml b/manifests/stock/deployment.yml
@@ -84,9 +84,9 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: cognito-secrets
-                  key: issuer-uri
+                  key: issueruri
             - name: COGNITO_JWK_SET_URI
               valueFrom:
                 secretKeyRef:
                   name: cognito-secrets
-                  key: jwk-set-uri
+                  key: jwkseturi
diff --git a/manifests/stock/secret-provider.yml b/manifests/stock/secret-provider.yml
@@ -20,20 +20,20 @@ spec:
     - secretName: cognito-secrets
       type: Opaque
       data:
-        - objectName: "issuer-uri"
-          key: "issuer-uri"
-        - objectName: "jwk-set-uri"
-          key: "jwk-set-uri"
+        - objectName: issueruri
+          key: issueruri
+        - objectName: jwkseturi
+          key: jwkseturi
   parameters:
     region: us-east-1
     objects: |
       - objectName: "/live/cognito"
         objectType: "ssmparameter"
         jmesPath:
-          - path: "issuer-uri"
-            objectAlias: "issuer-uri"
-          - path: "jwk-set-uri"
-            objectAlias: "jwk-set-uri"
+          - path: "issueruri"
+            objectAlias: "issueruri"
+          - path: "jwkseturi"
+            objectAlias: "jwkseturi"
       - objectName: "/live/stock/db"
         objectType: "ssmparameter"
         jmesPath:

diff --git a/terraform/main.tf b/terraform/main.tf
@@ -245,6 +245,7 @@ module "orders_service_account_role" {
   role_policy_arns = {
     OrdersRDSSecretsReadOnlyPolicy = data.terraform_remote_state.orders-api.outputs.rds_secrets_read_only_policy_arn
     OrdersRDSParamsReadOnlyPolicy  = data.terraform_remote_state.orders-api.outputs.rds_params_read_only_policy_arn
+    CognitoSecretsReadOnlyPolicy   = var.cognito_policy
   }
 
   tags = var.tags
@@ -266,6 +267,7 @@ module "payments_service_account_role" {
   role_policy_arns = {
     PaymentsDynamoDBTablePolicy      = data.terraform_remote_state.payments-api.outputs.payments_dynamodb_table_policy_arn
     MercadoPagoSecretsReadOnlyPolicy = data.terraform_remote_state.payments-api.outputs.mercado_pago_secrets_read_only_policy_arn
+    CognitoSecretsReadOnlyPolicy     = var.cognito_policy
   }
 
   tags = var.tags
@@ -287,6 +289,7 @@ module "stock_service_account_role" {
   role_policy_arns = {
     StockRDSSecretsReadOnlyPolicy = data.terraform_remote_state.stock-api.outputs.rds_secrets_read_only_policy_arn
     StockRDSParamsReadOnlyPolicy  = data.terraform_remote_state.stock-api.outputs.rds_params_read_only_policy_arn
+    CognitoSecretsReadOnlyPolicy  = var.cognito_policy
   }
 
   tags = var.tags

diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -9,3 +9,8 @@ variable "tags" {
     managed_by_terraform = true
   }
 }
+
+variable "cognito_policy" {
+  type    = string
+  default = "arn:aws:iam::202062340677:policy/TechChallengeCognitoReadOnlyPolicy"
+}