add stackset for service catalog products and a resource server product

Author: tmclaugh

.github/workflows/main.yml

@@ -29,9 +29,15 @@ jobs:
       - name: Validate template
         run: sam validate --lint
 
-      - name: Validate template
+      - name: Validate template (userpool stackset)
         run: sam validate --lint --template ./stacksets/userpool/stackset.yaml
 
+      - name: Validate template (products stackset)
+        run: sam validate --lint --template ./products/stackset.yaml
+
+      - name: Validate template (server product)
+        run: sam validate --lint --template ./products/server/product.yaml
+
       - name: Synethsize StackSet templates
         run: |
           for _f in $(find . -type f -name 'template.yaml'); do
@@ -68,6 +74,13 @@ jobs:
           build_aws_account_id: ${{ secrets.AWS_CICD_ACCOUNT_ID }}
           deploy_aws_account_id: ${{ secrets.AWS_MANAGEMENT_ACCOUNT_ID }}
 
+      - name: Sync product templates to S3
+        id: sync-templates
+        shell: bash
+        env:
+          AWS_ACCOUNT_ID: ${{ secrets.AWS_MANAGEMENT_ACCOUNT_ID }}
+        run: aws s3 sync products/ s3://aws-service-catalog-templates-${AWS_ACCOUNT_ID}-${AWS_REGION}/serverlessops-api-authnz/${GITHUB_SHA}/
+
       - name: Deploy via AWS SAM
         uses: ServerlessOpsIO/gha-deploy-aws-sam@v1
         with:

cfn-parameters.json

@@ -9,4 +9,6 @@
     "TargetOuIds": $secrets.DEPLOYMENT_TARGET_OU,
     "TargetRegions": "us-east-1",
     "TargetAccountIds": $secrets.DEPLOYMENT_TARGET_ACCOUNT_ID,
+    "GitHubSha": $env.GITHUB_SHA,
+    "CfnTemplateBucket": $secrets.CFN_TEMPLATE_BUCKET
 }

stacksets/client/stackset.yaml products/client/product.yamlstacksets/client/stackset.yaml renamed to products/client/product.yaml

@@ -0,0 +1,68 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Create a Cognito Resource Server
+
+Parameters:
+  CognitoUserPoolId:
+    Type: AWS::SSM::Parameter::Value<String>
+    Description: The ID of the user pool to which the resource server belongs
+    Default: /org/authnz/UserPoolId
+  ApplicationName:
+    Type: String
+    Description: The name of the application
+  ApplicationUrl:
+    Type: String
+    Description: The URL of the application
+  ScopeName:
+    Type: String
+    Description: The name of the scope
+  ReadActionAvailable:
+    Type: String
+    Description: Whether the read scope is available
+    Default: 'true'
+  WriteActionAvailable:
+    Type: String
+    Description: Whether the write scope is available
+    Default: 'true'
+  ListActionAvailable:
+    Type: String
+    Description: Whether the list scope is available
+    Default: 'true'
+  AdminActionAvailable:
+    Type: String
+    Description: Whether the admin scope is available
+    Default: 'false'
+
+Conditions:
+  HasReadAction: !Equals [!Ref ReadActionAvailable, 'true']
+  HasWriteAction: !Equals [!Ref WriteActionAvailable, 'true']
+  HasListAction: !Equals [!Ref ListActionAvailable, 'true']
+  HasAdminAction: !Equals [!Ref AdminActionAvailable, 'true']
+
+Resources:
+  CognitoResourceServer:
+    Type: AWS::Cognito::UserPoolResourceServer
+    Properties:
+      Name: !Ref ApplicationName
+      Identifier: !Ref ApplicationUrl
+      UserPoolId: !Ref CognitoUserPoolId
+      Scopes:
+        - Fn::If:
+          - HasReadAction
+          - ScopeName: !Sub '${ScopeName}.read'
+            ScopeDescription: Read access
+          - Ref: AWS::NoValue
+        - Fn::If:
+          - HasWriteAction
+          - ScopeName: !Sub '${ScopeName}.write'
+            ScopeDescription: Write access
+          - Ref: AWS::NoValue
+        - Fn::If:
+          - HasListAction
+          - ScopeName: !Sub '${ScopeName}.list'
+            ScopeDescription: List access
+          - Ref: AWS::NoValue
+        - Fn::If:
+          - HasAdminAction
+          - ScopeName: !Sub '${ScopeName}.admin'
+            ScopeDescription: Admin access
+          - Ref: AWS::NoValue

products/server/product.yaml

@@ -0,0 +1,53 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Create a Cognito Resource Server
+
+Parameters:
+  GitHubSha:
+    Type: String
+    Description: GitHub SHA
+  CfnTemplateBucket:
+    Type: String
+    Description: The S3 bucket CloudFormation templates are stored
+
+Resources:
+  # Portfolio
+  ApiAuthnzPortfolio:
+    Type: AWS::ServiceCatalog::Portfolio
+    Properties:
+      DisplayName: ServerlessOpsAuthnz
+      Description: "API Authentication & Authorization services"
+      ProviderName: ServerlessOps
+
+  ApiAuthnzPortfolioPrincipalAdmin:
+    Type: AWS::ServiceCatalog::PortfolioPrincipalAssociation
+    Properties:
+      PortfolioId: !Ref ApiAuthnzPortfolio
+      PrincipalARN: !Sub 'arn:${AWS::Partition}:iam:::role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_*'
+      PrincipalType: IAM_PATTERN
+
+  ApiAuthnzPortfolioPrincipalPowerUser:
+    Type: AWS::ServiceCatalog::PortfolioPrincipalAssociation
+    Properties:
+      PortfolioId: !Ref ApiAuthnzPortfolio
+      PrincipalARN: !Sub 'arn:${AWS::Partition}:iam:::role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSPowerUserAccess_*'
+      PrincipalType: IAM_PATTERN
+
+
+  # Products
+  CognitoResourceServerProduct:
+    Type: AWS::ServiceCatalog::CloudFormationProduct
+    Properties:
+      Name: Cognito Resource Server
+      Description: Create a Cognito Resource Server
+      Owner: ServerlessOps
+      ProvisioningArtifactParameters:
+        - Name: latest
+          Description: latest release
+          Info:
+            LoadTemplateFromURL: !Sub 'https://${CfnTemplateBucket}.s3.amazonaws.com/serverlessops-api-authnz/${GitHubSha}/server/product.yaml'
+
+  CognitoResourceServerProductAssociation:
+    Type: AWS::ServiceCatalog::PortfolioProductAssociation
+    Properties:
+      PortfolioId: !Ref ApiAuthnzPortfolio
+      ProductId: !Ref CognitoResourceServerProduct

products/stackset.yaml

@@ -1,6 +1,8 @@
 Metadata:
   UserPool:
     localTemplateFile: &user_pool_template_body ./stacksets/userpool/stackset.yaml
+  Products:
+    localTemplateFile: &products_template_body ./products/stackset.yaml
 
 AWSTemplateFormatVersion: '2010-09-09'
 Description: ServerlessOps API Authnz Service
@@ -24,6 +26,12 @@ Parameters:
   ParentDnsZoneId:
     Type: String
     Description: "Route53 Hosted Zone ID of parent zone"
+  GitHubSha:
+    Type: String
+    Description: GitHub SHA
+  CfnTemplateBucket:
+    Type: String
+    Description: The S3 bucket CloudFormation templates are stored
 
 Resources:
   UserPoolStackSet:
@@ -57,4 +65,35 @@ Resources:
       Capabilities:
         - CAPABILITY_NAMED_IAM
         - CAPABILITY_AUTO_EXPAND
-      TemplateBody: *user_pool_template_body
+      TemplateBody: *user_pool_template_body
+
+  ProductsStackSet:
+    Type: AWS::CloudFormation::StackSet
+    Properties:
+      StackSetName: ServerlessOpsAuthnzProducts
+      Description: ServerlessOps Authnz Service Catalog Products
+      Parameters:
+        - ParameterKey: GitHubSha
+          ParameterValue: !Ref GitHubSha
+        - ParameterKey: CfnTemplateBucket
+          ParameterValue: !Ref CfnTemplateBucket
+      StackInstancesGroup:
+        - DeploymentTargets:
+            AccountFilterType: INTERSECTION
+            OrganizationalUnitIds: !Ref TargetOuIds
+            Accounts: !Ref TargetAccountIds
+          Regions: !Ref TargetRegions
+      AutoDeployment:
+        Enabled: true
+        RetainStacksOnAccountRemoval: false
+      ManagedExecution:
+        Active: true
+      OperationPreferences:
+        RegionConcurrencyType: PARALLEL
+        FailureToleranceCount: 1
+        MaxConcurrentCount: 5
+      PermissionModel: SERVICE_MANAGED
+      Capabilities:
+        - CAPABILITY_NAMED_IAM
+        - CAPABILITY_AUTO_EXPAND
+      TemplateBody: *products_template_body