Rename IDP secret variable prefix. Add docs

NASA-IMPACT · Oct 29, 2024 · b538aea · b538aea
1 parent be03760
commit b538aea
Show file tree

Hide file tree

Showing 4 changed files with 72 additions and 7 deletions.
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
@@ -47,9 +47,9 @@ jobs:
           KEYCLOAK_VERSION: ${{ vars.KEYCLOAK_VERSION }}
           SSL_CERTIFICATE_ARN: ${{ vars.SSL_CERTIFICATE_ARN }}
           STAGE: ${{ vars.STAGE }}
-          # OAuth2 client secret arns
-          GH_OAUTH_CLIENT_SECRET: ${{ vars.GH_OAUTH_CLIENT_SECRET }}
-          CILOGON_OAUTH_CLIENT_SECRET: ${{ vars.CILOGON_OAUTH_CLIENT_SECRET }}
+          # Imported Identity Provider secrets
+          IDP_SECRET_ARN_GH: ${{ vars.IDP_SECRET_ARN_GH }}
+          IDP_SECRET_ARN_CILOGON: ${{ vars.IDP_SECRET_ARN_CILOGON }}
 
       - name: Get ConfigLambdaArn from CloudFormation
         id: get-lambda-arn

diff --git a/README.md b/README.md
@@ -21,6 +21,72 @@ We currently make use of the [keycloak-config-cli](https://github.com/adorsys/ke
 > [!IMPORTANT]
 > At each deployment, the keycloak-config-cli will likely overwrite changes made outside of the configuration stored within this repository for a given realm.
 
+#### OAuth Clients
+
+At time of deployment, environment variables starting with `IDP_SECRET_ARN_` will be treated as ARNs to Secrets stored within AWS Secrets Manager. These secrets should be JSON objects containing both an `id` and `secret` key. These values will be injected into the docker instance running the Keycloak Config CLI, making them avaiable under `{CLIENTID}_CLIENT_ID` and `{CLIENTID}_CLIENT_SECRET` environment variables, allowing for their usage within a Keycloak configuration YAML file.
+
+<details>
+
+<summary>Example of injecting an OAuth2 Client Secret</summary>
+
+For this example, let's imagine we're attempting to insert the Client ID and Client Secret for a Github Identity Provider. To achieve this, we would take the following steps:
+
+1. Submit these values to AWS Secrets Manager:
+
+   ```sh
+   $ aws secretsmanager \
+      create-secret \
+      --name veda-keycloak-github-idp-creds \
+      --secret-string '{"id": "cl13nt1d", "secret": "cl13ntS3cr3t!"}'
+   ```
+
+   AWS will respond with the ARN of the newly created Secret.
+
+1. Register the secret with the Github environment, named `IDP_SECRET_ARN_$CLIENTID`, where `$CLIENTID` is a unique identifier for that IDP (for this example, we'll use `GH`). This can be done via the Github CLI if run from within the project repo:
+
+   ```sh
+   # Add variable value for the current repository in an interactive prompt
+   $ gh variable set IDP_SECRET_ARN_GH --env dev
+   ```
+
+1. Update the Github Actions workflow to inject this variable into the runtime environment when calling `cdk deploy`:
+
+   ```diff
+    - name: Deploy CDK to dev environment
+      run: |
+         cdk deploy --require-approval never --outputs-file outputs.json
+      env:
+         # ...
+   +     IDP_SECRET_ARN_GH: ${{ vars.IDP_SECRET_ARN_GH }}
+   ```
+
+1. The `id` and `secret` will now be available when configuring Keycloak. We can add a secrtion like the following to make use of these variables with `config/src/master.yaml`:
+
+   ```yaml
+   identityProviders:
+   # GitHub with Org Check
+   - alias: github-org-check # NOTE: this alias appears in the redirect_uri for the auth flow, update Github OAuth settings accordingly
+      displayName: GitHub [NASA-IMPACT]
+      providerId: github-org
+      enabled: true
+      updateProfileFirstLoginMode: on
+      trustEmail: false
+      storeToken: false
+      addReadTokenRoleOnCreate: false
+      authenticateByDefault: false
+      linkOnly: false
+      config:
+         clientId: $(env:GH_CLIENT_ID)
+         clientSecret: $(env:GH_CLIENT_SECRET)
+         defaultScope: openid read:org user:email
+         organization: nasa-impact
+         caseSensitiveOriginalUsername: "false"
+         syncMode: FORCE
+   ```
+
+</details>
+
+
 ### Service Provider Interfaces
 
 Beyond configuration, customization of Keycloak (e.g. a custom Identity Providers) may require development of custom Service Provider Interfaces (SPIs).

diff --git a/deploy/app.ts b/deploy/app.ts
@@ -50,9 +50,9 @@ new KeycloakStack(app, `VedaKeycloakStack-${STAGE}`, {
  * @returns Record<string, string> - A map of OAuth client IDs to the ARN of their secrets
  */
 function getOauthSecrets(): Record<string, string> {
-  const oauthSecretSuffix = "_OAUTH_CLIENT_SECRET";
+  const oauthSecretPrefix = "IDP_SECRET_ARN_";
   const clientSecrets = Object.entries(process.env)
-    .filter(([k, v]) => k.endsWith(oauthSecretSuffix))
-    .map(([k, v]) => [k.split(oauthSecretSuffix)[0], v]);
+    .filter(([k, v]) => k.startsWith(oauthSecretPrefix))
+    .map(([k, v]) => [k.split(oauthSecretPrefix)[1], v]);
   return Object.fromEntries(clientSecrets);
 }
diff --git a/deploy/lib/KeycloakConfig.ts b/deploy/lib/KeycloakConfig.ts
@@ -3,7 +3,6 @@ import * as ecrAssets from "aws-cdk-lib/aws-ecr-assets";
 import * as ecs from "aws-cdk-lib/aws-ecs";
 import * as lambda from "aws-cdk-lib/aws-lambda";
 import * as secretsManager from "aws-cdk-lib/aws-secretsmanager";
-import * as customResources from "aws-cdk-lib/custom-resources";
 import { Construct } from "constructs";
 
 interface KeycloakConfigConstructProps {