auth0-cis-webhook-consumer.yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Auth0 CIS WebHook Consumer Lambda function and API Gateway
Metadata:
  Source: https://github.com/mozilla-iam/auth0-cis-webhook-consumer/auth0-cis-webhook-consumer.yaml
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: API Gateway
        Parameters:
          - CustomDomainName
          - DomainNameZone
          - CertificateArn
      - Label:
          default: Configuration
        Parameters:
          - EnvironmentName
          - UserWhitelist
          - NotificationDiscoveryUrl
          - NotificationAudience
          - PersonAPIDiscoveryUrl
          - PersonAPIClientID
          - PersonAPIAudience
          - ManagementAPIClientID
          - ManagementAPIAudience
          - ManagementAPIDiscoveryUrl
    ParameterLabels:
      CustomDomainName:
        default: Custom DNS Domain Name
      DomainNameZone:
        default: DNS Zone containing the Custom DNS Domain Name
      CertificateArn:
        default: AWS ACM Certificate ARN for the Custom DNS Domain Name
      EnvironmentName:
        default: The name of the environment which is used in AWS Secrets Manager Secrets paths
      UserWhitelist:
        default: Comma delimited list of user_id values that should be the only users modified in Auth0
      NotificationDiscoveryUrl:
        default: The discovery URL for the environment used by the CIS Webhook notifier
      NotificationAudience:
        default: The expected audience of the token
      PersonAPIDiscoveryUrl:
        default: The discovery URL for the environment used by the CIS PersonAPI
      PersonAPIClientID:
        default: Auth0 Application Client ID used to query the CIS PersonAPI
      PersonAPIAudience:
        default: OIDC Audience for the CIS PersonAPI
      ManagementAPIClientID:
        default: Auth0 Application Client ID used to write to the Auth0 Management API
      ManagementAPIAudience:
        default: OIDC Audience for the Auth0 Management API
      ManagementAPIDiscoveryUrl:
        default: The discovery URL for the environment used by the Auth0 Management API
Parameters:
  CustomDomainName:
    Type: String
    Description: The custom domain name to use for the API
    Default: ''
  DomainNameZone:
    Type: String
    Description: The Route53 DNS zone containing the custom domain name
    Default: ''
  CertificateArn:
    Type: String
    Description: The ARN of the AWS ACM Certificate for your custom domain name
    Default: ''
  EnvironmentName:
    Type: String
    Description: The name of the environment which is used in AWS Secrets Manager Secrets paths
  UserWhitelist:
    Type: CommaDelimitedList
    Description: Comma delimited list of user_id values that should be the only users modified in Auth0
  NotificationDiscoveryUrl:
    Type: String
    Description: The discovery URL for the environment used by the CIS Webhook notifier
  NotificationAudience:
    Type: String
    Description: The expected audience of the token
  PersonAPIDiscoveryUrl:
    Type: String
    Description: The discovery URL for the environment used by the CIS PersonAPI
  PersonAPIClientID:
    Type: String
    Description: Auth0 Application Client ID used to query the CIS PersonAPI
  PersonAPIAudience:
    Type: String
    Description: OIDC Audience for the CIS PersonAPI
  ManagementAPIClientID:
    Type: String
    Description: Auth0 Application Client ID used to write to the Auth0 Management API
  ManagementAPIAudience:
    Type: String
    Description: OIDC Audience for the Auth0 Management API
  ManagementAPIDiscoveryUrl:
    Type: String
    Description: The discovery URL for the environment used by the Auth0 Management API
Conditions:
  UseCustomDomainName: !Not
    - !Equals
      - !Ref CustomDomainName
      - ''
Rules:
  DomainNameAndCertificateArnProvided:
    RuleCondition: !Or
      - !Not
        - !Equals
          - !Ref CustomDomainName
          - ''
      - !Not
        - !Equals
          - !Ref DomainNameZone
          - ''
      - !Not
        - !Equals
          - !Ref CertificateArn
          - ''
    Assertions:
      - Assert: !And
          - !Not
            - !Equals
              - !Ref CustomDomainName
              - ''
          - !Not
            - !Equals
              - !Ref DomainNameZone
              - ''
          - !Not
            - !Equals
              - !Ref CertificateArn
              - ''
        AssertDescription: If you set a CustomDomainName, DomainNameZone or CertificateArn you must provide all values
Resources:
  Auth0CISWebHookConsumerAsyncFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: AllowLambdaLogging
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: '*'
        - PolicyName: GetSecretsManagerSecrets
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - secretsmanager:BatchGetSecretValue
                  - secretsmanager:GetSecretValue
                Resource: !Join
                  - ''
                  - - 'arn:aws:secretsmanager:'
                    - !Ref AWS::Region
                    - ':'
                    - !Ref AWS::AccountId
                    - ':secret/iam/cis/'
                    - !Ref EnvironmentName
                    - /auth0_cis_webhook_consumer
              - Effect: Allow
                Action:
                  - secretsmanager:BatchGetSecretValue
                  - secretsmanager:GetSecretValue
                Resource: !Join
                  - ''
                  - - 'arn:aws:secretsmanager:'
                    - !Ref AWS::Region
                    - ':'
                    - !Ref AWS::AccountId
                    - ':secret/iam/cis/'
                    - !Ref EnvironmentName
                    - /auth0_cis_webhook_consumer/*
  Auth0CISWebHookConsumerFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: AllowLambdaInvoke
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - lambda:InvokeFunction
                Resource: !GetAtt Auth0CISWebHookConsumerAsyncFunction.Arn
  Auth0CISWebHookConsumerAsyncFunction:
    Type: AWS::Lambda::Function
    Properties:
      Description: Auth0 CIS WebHook Consumer
      Code: build/
      Environment:
        Variables:
          LOG_LEVEL: DEBUG
          DOMAIN_NAME: !Ref CustomDomainName
          ENVIRONMENT_NAME: !Ref EnvironmentName
          USER_WHITELIST: !Join
            - ','
            - !Ref UserWhitelist
          NOTIFICATION_DISCOVERY_URL: !Ref NotificationDiscoveryUrl
          NOTIFICATION_AUDIENCE: !Ref NotificationAudience
          PERSON_API_DISCOVERY_URL: !Ref PersonAPIDiscoveryUrl
          PERSON_API_CLIENT_ID: !Ref PersonAPIClientID
          PERSON_API_AUDIENCE: !Ref PersonAPIAudience
          MANAGEMENT_API_CLIENT_ID: !Ref ManagementAPIClientID
          MANAGEMENT_API_AUDIENCE: !Ref ManagementAPIAudience
          MANAGEMENT_API_DISCOVERY_URL: !Ref ManagementAPIDiscoveryUrl
      Handler: auth0_cis_webhook_consumer.app.lambda_handler
      Runtime: python3.12
      Role: !GetAtt Auth0CISWebHookConsumerAsyncFunctionRole.Arn
      Tags:
        - Key: application
          Value: auth0-cis-webhook-consumer
        - Key: stack
          Value: !Ref AWS::StackName
        - Key: source
          Value: https://github.com/mozilla-iam/auth0-cis-webhook-consumer/
      Timeout: 900
  Auth0CISWebHookConsumerFunction:
    Type: AWS::Lambda::Function
    Properties:
      Description: Auth0 CIS WebHook Consumer Launcher
      Code:
        ZipFile: |
          import boto3, os, json

          def lambda_handler(event: dict, context: dict) -> dict:
              # Launcher: hand the API Gateway event to the async consumer
              # function and return immediately, so the webhook caller gets a
              # response well within API Gateway's timeout while the (up to
              # 900 second) processing happens out of band.
              client = boto3.client('lambda')
              response = client.invoke(
                  FunctionName=os.getenv('FUNCTION_NAME'),
                  InvocationType='Event',
                  LogType='None',
                  Payload=json.dumps(event).encode('utf-8'))
              # StatusCode here is the Lambda invoke status (202 for an
              # accepted async invocation), not the result of the consumer.
              return {
                  'headers': {'Content-Type': 'text/html'},
                  'statusCode': response['StatusCode'],
                  'body': 'Webhook received'}
      Environment:
        Variables:
          FUNCTION_NAME: !Ref Auth0CISWebHookConsumerAsyncFunction
      Handler: index.lambda_handler
      Runtime: python3.12
      Role: !GetAtt Auth0CISWebHookConsumerFunctionRole.Arn
      Tags:
        - Key: application
          Value: auth0-cis-webhook-consumer
        - Key: stack
          Value: !Ref AWS::StackName
        - Key: source
          Value: https://github.com/mozilla-iam/auth0-cis-webhook-consumer/
      Timeout: 15
  Auth0CISWebHookConsumerAsyncFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Join
        - /
        - - /aws/lambda
          - !Ref Auth0CISWebHookConsumerAsyncFunction
      RetentionInDays: 30
  Auth0CISWebHookConsumerDomainName:
    Type: AWS::ApiGateway::DomainName
    Condition: UseCustomDomainName
    Properties:
      RegionalCertificateArn: !Ref CertificateArn
      DomainName: !Ref CustomDomainName
      EndpointConfiguration:
        Types:
          - REGIONAL
  Auth0CISWebHookConsumerRoute53RecordSet:
    Type: AWS::Route53::RecordSet
    Condition: UseCustomDomainName
    Properties:
      AliasTarget:
        DNSName: !GetAtt Auth0CISWebHookConsumerDomainName.RegionalDomainName
        HostedZoneId: !GetAtt Auth0CISWebHookConsumerDomainName.RegionalHostedZoneId
      Comment: Bind the custom domain name to the Auth0CISWebHookConsumer API Gateway
      HostedZoneName: !Ref DomainNameZone
      Name: !Ref CustomDomainName
      Type: A
  Auth0CISWebHookConsumerApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: Auth0CISWebHookConsumer
      Description: MozDef Slack Triage Bot API
      FailOnWarnings: true
      EndpointConfiguration:
        Types:
          - REGIONAL
  Auth0CISWebHookConsumerBasePathMapping:
    Type: AWS::ApiGateway::BasePathMapping
    Condition: UseCustomDomainName
    Properties:
      DomainName: !Ref Auth0CISWebHookConsumerDomainName
      RestApiId: !Ref Auth0CISWebHookConsumerApi
      Stage: !Ref Auth0CISWebHookConsumerApiStage
  Auth0CISWebHookConsumerLambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:invokeFunction
      FunctionName: !GetAtt Auth0CISWebHookConsumerFunction.Arn
      Principal: apigateway.amazonaws.com
      SourceArn: !Join
        - ''
        - - 'arn:aws:execute-api:'
          - !Ref AWS::Region
          - ':'
          - !Ref AWS::AccountId
          - ':'
          - !Ref Auth0CISWebHookConsumerApi
          - /*/*
  Auth0CISWebHookConsumerApiStage:
    Type: AWS::ApiGateway::Stage
    Properties:
      DeploymentId: !Ref Auth0CISWebHookConsumerApiDeployment
      MethodSettings:
        - DataTraceEnabled: true
          HttpMethod: '*'
          LoggingLevel: ERROR
          ResourcePath: /*
      RestApiId: !Ref Auth0CISWebHookConsumerApi
      Tags:
        - Key: application
          Value: auth0-cis-webhook-consumer
        - Key: stack
          Value: !Ref AWS::StackName
        - Key: source
          Value: https://github.com/mozilla-iam/auth0-cis-webhook-consumer/
  Auth0CISWebHookConsumerApiDeployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn:
      - Auth0CISWebHookConsumerRequest
    Properties:
      RestApiId: !Ref Auth0CISWebHookConsumerApi
      StageName: DummyStage
  Auth0CISWebHookConsumerResource:
    Type: AWS::ApiGateway::Resource
    Properties:
      RestApiId: !Ref Auth0CISWebHookConsumerApi
      ParentId: !GetAtt Auth0CISWebHookConsumerApi.RootResourceId
      PathPart: '{proxy+}'
  Auth0CISWebHookConsumerRequest:
    DependsOn: Auth0CISWebHookConsumerLambdaPermission
    Type: AWS::ApiGateway::Method
    Properties:
      AuthorizationType: NONE
      HttpMethod: GET
      Integration:
        Type: AWS_PROXY
        IntegrationHttpMethod: POST
        Uri: !Join
          - ''
          - - 'arn:aws:apigateway:'
            - !Ref AWS::Region
            - ':lambda:path/2015-03-31/functions/'
            - !GetAtt Auth0CISWebHookConsumerFunction.Arn
            - /invocations
      ResourceId: !Ref Auth0CISWebHookConsumerResource
      RestApiId: !Ref Auth0CISWebHookConsumerApi
  Auth0CISWebHookConsumerPOSTRequest:
    DependsOn: Auth0CISWebHookConsumerLambdaPermission
    Type: AWS::ApiGateway::Method
    Properties:
      AuthorizationType: NONE
      HttpMethod: POST
      Integration:
        Type: AWS_PROXY
        IntegrationHttpMethod: POST
        Uri: !Join
          - ''
          - - 'arn:aws:apigateway:'
            - !Ref AWS::Region
            - ':lambda:path/2015-03-31/functions/'
            - !GetAtt Auth0CISWebHookConsumerFunction.Arn
            - /invocations
      ResourceId: !Ref Auth0CISWebHookConsumerResource
      RestApiId: !Ref Auth0CISWebHookConsumerApi
Outputs:
  Auth0CISWebHookConsumerUrl:
    Description: The URL of the API
    Value: !If
      - UseCustomDomainName
      - !Join
        - ''
        - - https://
          - !Ref CustomDomainName
          - /
      - !Join
        - ''
        - - https://
          - !Ref Auth0CISWebHookConsumerApi
          - .execute-api.
          - !Ref AWS::Region
          - .amazonaws.com/
          - !Ref Auth0CISWebHookConsumerApiStage
          - /
  Auth0CISWebHookConsumerFunctionName:
    Description: The AWS Lambda function name
    Value: !Ref Auth0CISWebHookConsumerFunction
  Auth0CISWebHookConsumerAsyncFunctionLogGroup:
    Description: The AWS CloudWatch LogGroup path
    Value: !Ref Auth0CISWebHookConsumerAsyncFunctionLogGroup