CDD-2443 Create user mig pre signup and post auth lambdas

terraform/20-app/cognito.tf

@@ -62,6 +62,8 @@ module "cognito" {
   oidc_client_secret  = "oidc-client-secret"
   oidc_issuer_url     = "https://example.com/issuer"
   oidc_attributes_url = "https://example.com/attributes"
+
+  prefix = local.prefix
 }
 
 module "app_security_group" {

terraform/modules/cognito/main.tf

@@ -3,6 +3,12 @@ resource "aws_cognito_user_pool" "user_pool" {
 
   mfa_configuration = var.enable_mfa ? "ON" : "OFF"
 
+  lambda_config {
+    post_authentication  = aws_lambda_function.cognito_post_auth_lambda.arn
+    pre_sign_up          = aws_lambda_function.cognito_pre_signup_lambda.arn
+    user_migration       = aws_lambda_function.cognito_user_migration_lambda.arn
+  }
+
   dynamic "sms_configuration" {
     for_each = var.enable_sms ? [1] : []
 
@@ -32,8 +38,8 @@ resource "aws_cognito_user_pool" "user_pool" {
 
 resource "aws_cognito_user_pool_client" "user_pool_client" {
   depends_on = [
-    aws_cognito_identity_provider.oidc_idp,
-    aws_cognito_identity_provider.saml_idp
+    aws_cognito_identity_provider.cognito_oidc_idp,
+    aws_cognito_identity_provider.cognito_saml_idp
   ]
 
   name         = var.client_name
@@ -49,7 +55,7 @@ resource "aws_cognito_user_pool_client" "user_pool_client" {
   supported_identity_providers = var.enable_oidc ? ["COGNITO", "TBCSAML", "TBCOIDC"] : ["COGNITO"]
 }
 
-resource "aws_cognito_user_pool_domain" "user_pool_domain" {
+resource "aws_cognito_user_pool_domain" "cognito_user_pool_domain" {
   domain       = var.user_pool_domain
   user_pool_id = aws_cognito_user_pool.user_pool.id
 
@@ -59,7 +65,7 @@ resource "aws_cognito_user_pool_domain" "user_pool_domain" {
 }
 
 # Stubbed SAML Identity Provider
-resource "aws_cognito_identity_provider" "saml_idp" {
+resource "aws_cognito_identity_provider" "cognito_saml_idp" {
   count = var.enable_saml ? 1 : 0
 
   user_pool_id  = aws_cognito_user_pool.user_pool.id
@@ -73,7 +79,7 @@ resource "aws_cognito_identity_provider" "saml_idp" {
 }
 
 # Stubbed OIDC Identity Provider
-resource "aws_cognito_identity_provider" "oidc_idp" {
+resource "aws_cognito_identity_provider" "cognito_oidc_idp" {
   count = var.enable_oidc ? 1 : 0
 
   user_pool_id  = aws_cognito_user_pool.user_pool.id
@@ -91,11 +97,90 @@ resource "aws_cognito_identity_provider" "oidc_idp" {
   }
 }
 
-resource "aws_cognito_user_group" "user_groups" {
+resource "aws_cognito_user_group" "cognito_user_groups" {
   for_each = toset(["Admin", "Analyst", "Viewer"])
   name         = each.value
   user_pool_id = aws_cognito_user_pool.user_pool.id
   precedence = lookup(var.group_precedence, each.value, null)
   description  = "Group for ${each.value} role"
 }
 
+resource "aws_lambda_function" "cognito_post_auth_lambda" {
+  function_name = "post-auth-lambda-${var.prefix}"
+  runtime       = "nodejs18.x" # Updated runtime
+  role          = aws_iam_role.cognito_lambda_role.arn
+
+  handler       = "index.handler"
+  source_code_hash = filebase64sha256("${path.module}/post_auth_lambda.zip")
+  filename      = "${path.module}/post_auth_lambda.zip"
+  timeout       = 15
+}
+
+resource "aws_lambda_function" "cognito_pre_signup_lambda" {
+  function_name = "pre-signup-lambda-${var.prefix}"
+  runtime       = "nodejs18.x" # Updated runtime
+  role          = aws_iam_role.cognito_lambda_role.arn
+
+  handler       = "index.handler"
+  source_code_hash = filebase64sha256("${path.module}/pre_signup_lambda.zip")
+  filename      = "${path.module}/pre_signup_lambda.zip"
+  timeout       = 15
+}
+
+resource "aws_lambda_function" "cognito_user_migration_lambda" {
+  function_name = "user-migration-lambda-${var.prefix}"
+  runtime       = "nodejs18.x" # Updated runtime
+  role          = aws_iam_role.cognito_lambda_role.arn
+
+  handler       = "index.handler"
+  source_code_hash = filebase64sha256("${path.module}/user_migration_lambda.zip")
+  filename      = "${path.module}/user_migration_lambda.zip"
+  timeout       = 15
+}
+
+resource "aws_iam_role" "cognito_lambda_role" {
+  name = "lambda-execution-role-${var.prefix}"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        },
+        Action = "sts:AssumeRole"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy" "cognito_lambda_role_policy" {
+  name   = "lambda-execution-policy-${var.prefix}"
+  role   = aws_iam_role.cognito_lambda_role.id
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect   = "Allow",
+        Action   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
+        Resource = "*"
+      },
+      {
+        Effect   = "Allow",
+        Action   = ["cognito-idp:PostAuthentication"],
+        Resource = "*"
+      },
+      {
+        Effect   = "Allow",
+        Action   = ["cognito-idp:PreSignUp"],
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+variable "prefix" {
+  description = "Prefix for naming resources"
+  type        = string
+}

terraform/modules/cognito/outputs.tf

@@ -12,30 +12,30 @@ output "cognito_user_pool_client_id" {
 
 output "cognito_user_pool_domain" {
   description = "The domain prefix for the Cognito User Pool"
-  value       = aws_cognito_user_pool_domain.user_pool_domain.domain
+  value       = aws_cognito_user_pool_domain.cognito_user_pool_domain.domain
   sensitive   = true
 }
 
 output "cognito_oauth_authorize_url" {
   description = "The Cognito User Pool OAuth authorize URL"
-  value       = "https://${aws_cognito_user_pool_domain.user_pool_domain.domain}.auth.${var.region}.amazoncognito.com/oauth2/authorize"
+  value       = "https://${aws_cognito_user_pool_domain.cognito_user_pool_domain.domain}.auth.${var.region}.amazoncognito.com/oauth2/authorize"
   sensitive   = true
 }
 
 output "cognito_oauth_logout_url" {
   description = "The Cognito User Pool OAuth logout URL"
-  value       = "https://${aws_cognito_user_pool_domain.user_pool_domain.domain}.auth.${var.region}.amazoncognito.com/logout"
+  value       = "https://${aws_cognito_user_pool_domain.cognito_user_pool_domain.domain}.auth.${var.region}.amazoncognito.com/logout"
   sensitive   = true
 }
 
 output "cognito_oauth_token_url" {
   description = "The Cognito User Pool OAuth token URL"
-  value       = "https://${aws_cognito_user_pool_domain.user_pool_domain.domain}.auth.${var.region}.amazoncognito.com/oauth2/token"
+  value       = "https://${aws_cognito_user_pool_domain.cognito_user_pool_domain.domain}.auth.${var.region}.amazoncognito.com/oauth2/token"
   sensitive   = true
 }
 
 output "cognito_oauth_userinfo_url" {
   description = "The Cognito User Pool OAuth userinfo URL"
-  value       = "https://${aws_cognito_user_pool_domain.user_pool_domain.domain}.auth.${var.region}.amazoncognito.com/oauth2/userInfo"
+  value       = "https://${aws_cognito_user_pool_domain.cognito_user_pool_domain.domain}.auth.${var.region}.amazoncognito.com/oauth2/userInfo"
   sensitive   = true
 }

terraform/modules/cognito/post_auth.js

@@ -0,0 +1,4 @@
+exports.handler = async (event) => {
+    console.log("Post-auth Lambda invoked");
+    return event;
+};

terraform/modules/cognito/pre_signup.js

@@ -0,0 +1,4 @@
+exports.handler = async (event) => {
+    console.log("Pre-signup Lambda invoked");
+    return event;
+};

terraform/modules/cognito/user_migration.js

@@ -0,0 +1,4 @@
+exports.handler = async (event) => {
+    console.log("User migration Lambda invoked");
+    return event;
+};