From b3baa2e75e8def316adb4b68186bb65df584bdeb Mon Sep 17 00:00:00 2001
From: alxyok
Date: Wed, 9 Oct 2024 09:47:02 +0200
Subject: [PATCH 1/2] feat: create cognito userpool client that exports both client ID and client secret to a kubernetes secret (connection details)
---
 .../cognito-userpool-client/definition.yaml | 46 ++++++
 .../kustomization.yaml | 5 +
 .../userpool-client.yaml | 139 ++++++++++++++++++
 .../upbound-aws-provider/kustomization.yaml | 1 +
 4 files changed, 191 insertions(+)
 create mode 100644 compositions/upbound-aws-provider/cognito-userpool-client/definition.yaml
 create mode 100644 compositions/upbound-aws-provider/cognito-userpool-client/kustomization.yaml
 create mode 100644 compositions/upbound-aws-provider/cognito-userpool-client/userpool-client.yaml
diff --git a/compositions/upbound-aws-provider/cognito-userpool-client/definition.yaml b/compositions/upbound-aws-provider/cognito-userpool-client/definition.yaml
new file mode 100644
index 00000000..acf7c672
--- /dev/null
+++ b/compositions/upbound-aws-provider/cognito-userpool-client/definition.yaml
@@ -0,0 +1,46 @@
+apiVersion: apiextensions.crossplane.io/v1
+kind: CompositeResourceDefinition
+metadata:
+ name: xupcs.composite.awsblueprints.io
+spec:
+ group: composite.awsblueprints.io
+ names:
+ kind: XUserpoolClient
+ plural: xupcs
+ claimNames:
+ kind: UserpoolClient
+ plural: upcs
+ versions:
+ - name: v1alpha1
+ served: true
+ referenceable: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ parameters:
+ description: List of parameters reused in the composition to produce desired resources.
+ type: object
+ properties:
+ name:
+ description: Name for the user pool client.
+ type: string
+ namespace:
+ description: Namespace to create the user pool client in.
+ type: string
+ callback:
+ description: Callback URL to replace the placeholder in the composition.
+ type: string
+ userPoolId:
+ description: User pool ID to create the client in.
+ type: string
+ status:
+ description: List of status fields to be reused by the composition.
+ type: object
+ properties:
+ clientId:
+ description: Client ID of the user pool client.
+ type: string
\ No newline at end of file
diff --git a/compositions/upbound-aws-provider/cognito-userpool-client/kustomization.yaml b/compositions/upbound-aws-provider/cognito-userpool-client/kustomization.yaml
new file mode 100644
index 00000000..7cb3cb12
--- /dev/null
+++ b/compositions/upbound-aws-provider/cognito-userpool-client/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - definition.yaml
+ - cognito-userpool-client.yaml
\ No newline at end of file
diff --git a/compositions/upbound-aws-provider/cognito-userpool-client/userpool-client.yaml b/compositions/upbound-aws-provider/cognito-userpool-client/userpool-client.yaml
new file mode 100644
index 00000000..76ff3a8e
--- /dev/null
+++ b/compositions/upbound-aws-provider/cognito-userpool-client/userpool-client.yaml
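Review bot: None of the `spec.parameters` fields in this XRD schema are marked required, yet the Composition in userpool-client.yaml (third hunk of this patch) patches them onto placeholders such as `userpoolId: userpool-id` and `callbackUrls: - https://example.com`. As I read Crossplane's default patch policy, a FromCompositeFieldPath patch whose source field is absent is skipped rather than failing, so a claim that omits `callback` would register `https://example.com` as an OAuth redirect URI on the real client, and one omitting `userPoolId` would be reconciled against a pool that does not exist. Add `required: [name, namespace, callback, userPoolId]` under `parameters` and `required: [parameters]` under `spec` so the API server rejects incomplete claims before anything reaches AWS. The `description` on `parameters` and on `status` says "List of …" although both are objects; "Parameters reused …" / "Status fields reused …" reads more accurately.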
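Review bot: The `resources:` entry `- cognito-userpool-client.yaml` names a file this commit does not create; the Composition is added as `userpool-client.yaml` (see the next file header in this patch), so `kustomize build` of this directory fails on a missing resource and neither the XRD nor the Composition gets applied. Change the entry to `- userpool-client.yaml`, or rename the file to match the entry. All three new files also end without a trailing newline, which is worth fixing while editing.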
@@ -0,0 +1,139 @@
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+ name: xupcs.composite.awsblueprints.io
+spec:
+ # Placeholder. Will be replaced by the namespace provided as input
+ writeConnectionSecretsToNamespace: default
+ compositeTypeRef:
+ apiVersion: composite.awsblueprints.io/v1alpha1
+ kind: XUserpoolClient
+ resources:
+ - name: userpoolclient
+ base:
+ apiVersion: cognitoidp.aws.upbound.io/v1beta1
+ kind: UserPoolClient
+ metadata:
+ # Placeholder. Will be replaced by the name provided as input
+ name: client-0
+ # Placeholder. Will be replaced by the namespace provided as input
+ namespace: default
+ spec:
+ providerConfigRef:
+ name: upbound-aws-irsa
+ forProvider:
+ # Placeholder. Will be replaced by the name provided as input
+ name: client-0
+ # Placeholder. Will be replaced by the user pool ID provided as input
+ userPoolId: userpool-id
+ accessTokenValidity: 720
+ idTokenValidity: 720
+ region: us-east-1
+ allowedOauthFlows:
+ - code
+ - implicit
+ allowedOauthFlowsUserPoolClient: true
+ allowedOauthScopes:
+ - aws.cognito.signin.user.admin
+ - email
+ - openid
+ - phone
+ - profile
+ authSessionValidity: 3
+ # Placeholder. Will be replaced by the callback URL provided as input
+ callbackUrls:
+ - https://example.com
+ enablePropagateAdditionalUserContextData: false
+ enableTokenRevocation: true
+ explicitAuthFlows:
+ - ALLOW_ADMIN_USER_PASSWORD_AUTH
+ - ALLOW_CUSTOM_AUTH
+ - ALLOW_REFRESH_TOKEN_AUTH
+ - ALLOW_USER_SRP_AUTH
+ generateSecret: true
+ preventUserExistenceErrors: ENABLED
+ readAttributes:
+ - address
+ - birthdate
+ - email
+ - email_verified
+ - family_name
+ - gender
+ - given_name
+ - locale
+ - middle_name
+ - name
+ - nickname
+ - phone_number
+ - phone_number_verified
+ - picture
+ - preferred_username
+ - profile
+ - updated_at
+ - website
+ - zoneinfo
+ refreshTokenValidity: 30
+ supportedIdentityProviders:
+ - COGNITO
+ - Okta
+ writeAttributes:
+ - address
+ - birthdate
+ - email
+ - family_name
+ - gender
+ - given_name
+ - locale
+ - middle_name
+ - name
+ - nickname
+ - phone_number
+ - picture
+ - preferred_username
+ - profile
+ - updated_at
+ - website
+ - zoneinfo
+ tokenValidityUnits:
+ - accessToken: minutes
+ idToken: minutes
+ refreshToken: days
+ writeConnectionSecretToRef:
+ # Write the client secret as a kubernetes secret with the name provided below
+ name: cognito-userpool-client-secret
+ # placeholder. Will be replaced by the namespace provided as input
+ namespace: default
+ patches:
+ # List of patches to apply to the resource
+ - fromFieldPath: spec.parameters.name
+ toFieldPath: metadata.name
+ type: FromCompositeFieldPath
+ - fromFieldPath: spec.parameters.name
+ toFieldPath: spec.forProvider.name
+ type: FromCompositeFieldPath
+ - fromFieldPath: spec.parameters.namespace
+ toFieldPath: metadata.namespace
+ type: FromCompositeFieldPath
+ - fromFieldPath: spec.parameters.namespace
+ toFieldPath: spec.writeConnectionSecretToRef.namespace
+ type: FromCompositeFieldPath
+ - fromFieldPath: spec.parameters.callback
+ toFieldPath: spec.forProvider.callbackUrls[0]
+ type: FromCompositeFieldPath
+ - fromFieldPath: spec.parameters.userPoolId
+ toFieldPath: spec.forProvider.userPoolId
+ type: FromCompositeFieldPath
+ - fromFieldPath: status.atProvider.id
+ toFieldPath: status.clientId
+ type: ToCompositeFieldPath
+ connectionDetails:
+ # Write both the client ID and the client secret in a kubernetes secret
+ - name: client_id
+ fromFieldPath: status.atProvider.id
+ - name: client_secret
+ fromConnectionSecretKey: attribute.client_secret
+ readinessChecks:
+ - matchCondition:
+ status: "True"
+ type: Ready
+ type: MatchCondition
\ No newline at end of file
diff --git a/compositions/upbound-aws-provider/kustomization.yaml b/compositions/upbound-aws-provider/kustomization.yaml
index 861cb116..6ebd8da6 100644
--- a/compositions/upbound-aws-provider/kustomization.yaml
+++ b/compositions/upbound-aws-provider/kustomization.yaml
@@ -15,3 +15,4 @@ resources:
 - sns-sqs/
 - apigw/
 - serverless-microservice/
+- cognito-userpool-client
From 764a238a51335d4a2a257c0963d2a4890c164757 Mon Sep 17 00:00:00 2001
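Review bot: `writeConnectionSecretsToNamespace: default` carries the comment "Placeholder. Will be replaced by the namespace provided as input", but none of the entries under `patches` target it — they all patch the composed UserPoolClient — so the XR-level connection secret, which after `connectionDetails` holds `client_secret`, lands in the `default` namespace for every XUserpoolClient regardless of input, in addition to the copy the claim receives. Either say plainly that this namespace is fixed and choose a dedicated, access-restricted one, or remove the comment; the same placeholder wording sits on `spec.writeConnectionSecretToRef.namespace`, which genuinely is patched. Separately, `allowedOauthFlows` enables `implicit` next to `code` on a client that has `generateSecret: true`; the implicit grant returns tokens in the redirect fragment and is deprecated by the OAuth 2.0 Security BCP, so I would ship `- code` only unless a consumer explicitly needs implicit. `explicitAuthFlows` likewise turns on `ALLOW_ADMIN_USER_PASSWORD_AUTH` and `ALLOW_CUSTOM_AUTH` for every client; trimming the default to `ALLOW_USER_SRP_AUTH` and `ALLOW_REFRESH_TOKEN_AUTH` and letting callers opt in through a parameter keeps the default client least-privilege.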
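Review bot: The new entry `+- cognito-userpool-client` omits the trailing slash the neighbouring directory entries carry (`- sns-sqs/`, `- apigw/`, `- serverless-microservice/`). Kustomize resolves both forms, but `- cognito-userpool-client/` keeps the file's convention and signals a directory rather than a file.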
From: alxyok
Date: Wed, 9 Oct 2024 13:05:02 +0200
Subject: [PATCH 2/2] feat: add resource creation example
---
 .../composite-resources/cognito-upc.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 examples/upbound-aws-provider/composite-resources/cognito-upc.yaml
diff --git a/examples/upbound-aws-provider/composite-resources/cognito-upc.yaml b/examples/upbound-aws-provider/composite-resources/cognito-upc.yaml
new file mode 100644
index 00000000..6ee6fc6e
--- /dev/null
+++ b/examples/upbound-aws-provider/composite-resources/cognito-upc.yaml
@@ -0,0 +1,13 @@
+apiVersion: composite.awsblueprint.io/alpha
+kind: UserpoolClient
+metadata:
+ name: rocket-userpool-client-id
+ namespace: moon
+spec:
+ writeConnectionSecretToRef:
+ name: cognito-userpool-client-details
+ parameters:
+ name: rocket
+ namespace: moon
+ callback: https://awsblueprint.io/earth/oauth_callback
+ userPoolId: us-east-1_toZMoon11
\ No newline at end of file
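Review bot: `apiVersion: composite.awsblueprint.io/alpha` does not match the XRD added in the first patch, whose group is `composite.awsblueprints.io` (with the trailing "s") and whose only served version is `v1alpha1`, so the API server rejects this claim as an unknown kind and the example never exercises the composition. Change it to `apiVersion: composite.awsblueprints.io/v1alpha1`. The `userPoolId` value `us-east-1_toZMoon11` is evidently a sample; a comment above it, `# sample value, replace with the ID of the target user pool`, would stop it being copied verbatim into real claims.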