Merge pull request #142 from sil-org/develop

Release 3.0.0 -- Import DynamoDB tables

Author: briskt

README.md

@@ -1,6 +1,6 @@
 # A Serverless MFA API with support for TOTP and WebAuthn
 
-This project provides a semi-generic backend API for supporting Time-based One Time Passcode (TOTP) and WebAuthn 
+This project provides a semi-generic backend API for supporting Time-based One Time Password (TOTP) and WebAuthn 
 Passkey registration and authentication. It is intended to be run in a manner as to be shared between multiple consuming
 applications. It uses an API key and secret to authenticate requests, and further uses that secret as the encryption 
 key. Loss of the API secret would mean loss of all credentials stored.
@@ -38,15 +38,15 @@ This endpoint has not yet been proven in production use. Proceed at your own ris
 1. `x-mfa-apikey` - The API Key
 2. `x-mfa-apisecret` - The API Key Secret
 
-### Create TOTP Passcode
+### Create TOTP
 
 `POST /totp`
 
-### Delete TOTP Passcode
+### Delete TOTP
 
 `DELETE /totp/{uuid}`
 
-### Validate TOTP Passcode
+### Validate TOTP
 
 `POST /totp/{uuid}/validate`
 

apikey_test.go

@@ -346,7 +346,7 @@ func (ms *MfaSuite) TestAppRotateApiKey() {
 	key := user.ApiKey
 	must(db.Store(config.ApiKeyTable, key))
 
-	totp := ms.newPasscode(key)
+	totp := ms.newTOTP(key)
 
 	newKey := newTestKey()
 	must(db.Store(config.ApiKeyTable, newKey))
@@ -508,7 +508,7 @@ func (ms *MfaSuite) TestApiKey_ReEncryptTOTPs() {
 	must(newKey.Activate())
 	must(ms.app.GetDB().Store(ms.app.GetConfig().ApiKeyTable, newKey))
 
-	_ = ms.newPasscode(oldKey)
+	_ = ms.newTOTP(oldKey)
 
 	complete, incomplete, err := newKey.ReEncryptTOTPs(storage, oldKey)
 	ms.NoError(err)

openapi.yaml

@@ -651,7 +651,7 @@ paths:
 
   /totp:
     post:
-      summary: Create a new passcode (TOTP)
+      summary: Create a new TOTP
       requestBody:
         content:
           application/json:
@@ -679,11 +679,11 @@ paths:
                 properties:
                   uuid:
                     type: string
-                    description: The unique identifier for the passcode.
+                    description: The unique identifier for the TOTP.
                     example: "aaaaaaaa-1111-aaaa-1111-aaaaaaaaaaaa"
                   totpKey:
                     type: string
-                    description: The passcode secret key.
+                    description: The TOTP secret key.
                     example: "0123456789ABCDEF0123456789ABCDEF"
                   imageUrl:
                     type: string
@@ -695,22 +695,22 @@ paths:
                   otpAuthUrl:
                     type: string
                     description: >-
-                      OTPAuthURL is an otpauth URI that contains the passcode secret key. It may also contain metadata 
+                      OTPAuthURL is an otpauth URI that contains the TOTP secret key. It may also contain metadata 
                       like issuer, algorithm, and number of digits.
                     example: "otpauth://totp/idp:john_smith?secret=0123456789ABCDEF0123456789ABCDEF&issuer=SIL%20IdP"
         401:
           $ref: "#/components/responses/UnauthorizedError"
   /totp/{uuid}:
     delete:
-      summary: Delete a passcode (TOTP)
+      summary: Delete a TOTP
       parameters:
         - in: path
           name: uuid
           schema:
             type: string
             format: uuid
           required: true
-          description: The unique identifier for the passcode.
+          description: The unique identifier for the TOTP.
       responses:
         "204":
           description: Success
@@ -720,15 +720,15 @@ paths:
           $ref: "#/components/responses/UnauthorizedError"
   /totp/{uuid}/validate:
     delete:
-      summary: Validate a passcode (TOTP)
+      summary: Validate a TOTP
       parameters:
         - in: path
           name: uuid
           schema:
             type: string
             format: uuid
           required: true
-          description: The unique identifier for the passcode.
+          description: The unique identifier for the TOTP.
       requestBody:
         content:
           application/json:

terraform/README.md

@@ -10,9 +10,3 @@ Terraform is responsible to:
  - Create IAM user for CDK to manage AWS resources
  - Create IAM role for Lambda function to assume and run as
  - Create DynamoDB tables
-
-### Note about DynamoDB tables
-This repo is coded in a way to create the necessary tables and use the default names based on `app_name` and
-`app_env`. However, if this is being deployed into an environment with existing tables, the table names can be 
-overwritten using the `api_key_table`, `totp_table`, and `webauthn_table` variables, as well as the
-`create_api_key_table`, `create_totp_key_table`, and `create_webauthn_table` variables set to `false`.

terraform/main.tf

@@ -1,42 +1,37 @@
 locals {
   stage_for_api = var.app_env == "dev" ? var.app_env : var.app_environment
   api_name      = "${var.app_name}-${local.stage_for_api}"
+  aws_account   = data.aws_caller_identity.this.account_id
 }
 
-/*
- * Module docs: https://registry.terraform.io/modules/silinternational/serverless-user/aws/latest
- * Create IAM user with permissions to create lambda function, API gateway, etc.
-*/
-module "serverless-user" {
-  source  = "silinternational/serverless-user/aws"
-  version = "~> 0.4.2"
-
-  app_name           = "${var.app_name}-${var.app_env}"
-  aws_region_policy  = "*"
-  enable_api_gateway = true
-  extra_policies = [jsonencode({
+data "aws_caller_identity" "this" {}
+
+# CDK IAM user
+resource "aws_iam_user" "cdk" {
+  name = "${var.app_name}-cdk"
+}
+
+resource "aws_iam_access_key" "cdk" {
+  user = aws_iam_user.cdk.name
+}
+
+resource "aws_iam_policy" "cdk" {
+  name        = "${var.app_name}-cdk"
+  description = "CDK deployment policy"
+
+  policy = jsonencode({
     Version = "2012-10-17"
-    Statement = [
-      {
-        Effect = "Allow"
-        Action = [
-          "sts:AssumeRole",
-        ]
-        Resource = "arn:aws:iam::*:role/cdk-*"
-      },
-      {
-        Effect = "Allow"
-        Action = [
-          "ec2:CreateTags",
-          "ec2:DeleteTags",
-          "iam:getRolePolicy",
-          "logs:FilterLogEvents",
-          "apigateway:UpdateRestApiPolicy",
-        ]
-        Resource = "*"
-      }
-    ]
-  })]
+    Statement = [{
+      Effect   = "Allow"
+      Action   = "sts:AssumeRole"
+      Resource = "arn:aws:iam::*:role/cdk-*"
+    }]
+  })
+}
+
+resource "aws_iam_user_policy_attachment" "cdk" {
+  user       = aws_iam_user.cdk.name
+  policy_arn = aws_iam_policy.cdk.arn
 }
 
 // Set up custom domain name for easier fail-over.
@@ -73,23 +68,17 @@ resource "aws_iam_role" "lambdaRole" {
   })
 }
 
-locals {
-  api_key_table  = try(var.api_key_table, one(aws_dynamodb_table.apiKeyTable[*].name))
-  totp_table     = try(var.totp_table, one(aws_dynamodb_table.totp[*].name))
-  webauthn_table = try(var.webauthn_table, one(aws_dynamodb_table.webauthnTable[*].name))
-}
-
 data "template_file" "lambdaRolePolicy" {
   template = file("${path.module}/lambda-role-policy.json")
   vars = {
-    aws_account = var.aws_account_id
+    aws_account = local.aws_account
     app_name    = var.app_name
     app_env     = var.app_env
-    table_arns = join(",", compact([
-      local.api_key_table == null ? null : "\"arn:aws:dynamodb:*:${var.aws_account_id}:table/${local.api_key_table}\"",
-      local.webauthn_table == null ? null : "\"arn:aws:dynamodb:*:${var.aws_account_id}:table/${local.webauthn_table}\"",
-      local.totp_table == null ? null : "\"arn:aws:dynamodb:*:${var.aws_account_id}:table/${local.totp_table}\"",
-    ]))
+    table_arns = join(",", [
+      aws_dynamodb_table.api_key.arn,
+      aws_dynamodb_table.totp.arn,
+      aws_dynamodb_table.webauthn.arn,
+    ])
   }
 }
 
@@ -99,30 +88,37 @@ resource "aws_iam_role_policy" "lambdaRolePolicy" {
   policy = data.template_file.lambdaRolePolicy.rendered
 }
 
-// Create DynamoDB tables
-resource "aws_dynamodb_table" "apiKeyTable" {
-  count        = var.create_api_key_table ? 1 : 0
-  name         = "${var.app_name}-${var.app_env}-api-key"
-  billing_mode = "PAY_PER_REQUEST"
-  hash_key     = "value"
+// DynamoDB tables
+resource "aws_dynamodb_table" "api_key" {
+  name                        = "mfa-api_${var.app_env}_api-key_global"
+  billing_mode                = "PAY_PER_REQUEST"
+  hash_key                    = "value"
+  deletion_protection_enabled = true
+  stream_enabled              = true
+  stream_view_type            = "NEW_IMAGE"
 
   attribute {
     name = "value"
     type = "S"
   }
 
-  tags = {
-    app_name = var.app_name
-    app_env  = var.app_env
+  point_in_time_recovery {
+    enabled = true
+  }
+
+  replica {
+    region_name = var.aws_region_secondary
+  }
+
+  lifecycle {
+    ignore_changes = [replica]
   }
 }
 
 resource "aws_dynamodb_table" "totp" {
-  count = var.create_totp_table ? 1 : 0
-
-  name                        = "${var.app_name}_${var.app_env}_totp_global"
-  hash_key                    = "uuid"
+  name                        = "mfa-api_${var.app_env}_totp_global"
   billing_mode                = "PAY_PER_REQUEST"
+  hash_key                    = "uuid"
   deletion_protection_enabled = true
   stream_enabled              = true
   stream_view_type            = "NEW_IMAGE"
@@ -145,19 +141,28 @@ resource "aws_dynamodb_table" "totp" {
   }
 }
 
-resource "aws_dynamodb_table" "webauthnTable" {
-  count        = var.create_webauthn_table ? 1 : 0
-  name         = "${var.app_name}-${var.app_env}-webauthn"
-  billing_mode = "PAY_PER_REQUEST"
-  hash_key     = "uuid"
+resource "aws_dynamodb_table" "webauthn" {
+  name                        = "mfa-api_${var.app_env}_u2f_global"
+  hash_key                    = "uuid"
+  billing_mode                = "PAY_PER_REQUEST"
+  deletion_protection_enabled = true
+  stream_enabled              = true
+  stream_view_type            = "NEW_IMAGE"
 
   attribute {
     name = "uuid"
     type = "S"
   }
 
-  tags = {
-    app_name = var.app_name
-    app_env  = var.app_env
+  point_in_time_recovery {
+    enabled = true
+  }
+
+  replica {
+    region_name = var.aws_region_secondary
+  }
+
+  lifecycle {
+    ignore_changes = [replica]
   }
 }

terraform/outputs.tf

@@ -1,8 +1,3 @@
-output "serverless_user_key_secret" {
-  value     = "${module.serverless-user.aws_access_key_id},${module.serverless-user.aws_secret_access_key}"
-  sensitive = true
-}
-
 output "lambda_role_arn" {
   value = aws_iam_role.lambdaRole.arn
 }

terraform/variables.tf

@@ -1,7 +1,7 @@
 variable "app_name" {
   type        = string
   description = "A short name for this application, example: backup-service"
-  default     = "serverless-mfa-api-go"
+  default     = "twosv-api"
 }
 
 variable "app_env" {
@@ -14,11 +14,6 @@ variable "aws_access_key_id" {
   description = "Access Key ID for user with permissions to create resources for CDK"
 }
 
-variable "aws_account_id" {
-  type        = string
-  description = "AWS Account ID for use in IAM policy resource references"
-}
-
 variable "aws_region" {
   description = "Primary AWS region where this lambda will be deployed"
   type        = string
@@ -34,40 +29,6 @@ variable "aws_secret_access_key" {
   description = "Secret access Key ID for user with permissions to create resources for CDK"
 }
 
-variable "api_key_table" {
-  type        = string
-  description = "Override api key table name"
-  default     = ""
-}
-
-variable "create_api_key_table" {
-  type    = bool
-  default = true
-}
-
-variable "totp_table" {
-  description = "Override totp table name"
-  type        = string
-  default     = null
-}
-
-variable "create_totp_table" {
-  description = "enable the creation of a DynamoDB table for TOTP credentials"
-  type        = bool
-  default     = false
-}
-
-variable "webauthn_table" {
-  type        = string
-  description = "Override webauthn table name"
-  default     = ""
-}
-
-variable "create_webauthn_table" {
-  type    = bool
-  default = true
-}
-
 variable "cloudflare_token" {
   description = "The Cloudflare limited access API token"
   type        = string