Wire auth: in app.yaml to Cognito app client + injected secrets #127
Merged: Alexanderamiri merged 2 commits into main on May 9, 2026
Apps can now opt into Cognito by adding `auth: internal` (shorthand) or the full object form to app.yaml. The generator emits a cognito-app-client module, registers an OAuth client in the chosen pool, and injects pool config + client credentials into the ECS task — pool ID/domain/issuer URL as plain env vars, client_id/client_secret via SSM-backed task secrets.
Module redesign: cognito-app-client now looks up its pool by name internally (was unused, so freely changed). This keeps platform-data untouched — apps without `auth:` aren't affected by Cognito pool availability. The module also constructs the OIDC issuer URL itself, so the generator doesn't need a locals workaround for HCL interpolation.
Also widens the shared ECS execution role's SSM policy to cover `/javabin/platform-apps/*` so the cognito client_id/secret can be fetched at task launch.
Group membership stays out of scope — `auth.groups` is reference-only, exposed as `COGNITO_GROUPS` for the app's own authorization checks. `auth.pool: both` is rejected with a clear error until a concrete need lands and we can pick the env-var naming convention.
Terraform Plan: 🚧 Changes detected — Plan: 0 to add, 1 to change, 0 to destroy.
LLM Review: Risk 🟢 LOW. Routine IAM policy update expanding ECS execution role SSM parameter access to include platform-apps namespace.
Every app on this platform is server-side Fargate — there's one correct answer (always generate a secret). Exposing the knob in app.yaml made users think about a non-decision. The module variable stays for direct module callers, defaulted to true.
Terraform Plan: 🚧 Changes detected — Plan: 0 to add, 1 to change, 0 to destroy.
LLM Review: Risk 🟢 LOW. Routine IAM policy update expanding ECS execution role permissions to include platform-apps SSM parameters alongside existing apps parameters.
Alexanderamiri added a commit that referenced this pull request on May 9, 2026:
## Summary
Closes the gap where `cognito-app-client` existed but was unused — apps
couldn't actually opt into Cognito via `app.yaml`.
- App.yaml now accepts `auth: internal` (shorthand) or the full object
form. Generator emits a `cognito-app-client` module, registers an OAuth
client in the chosen pool, and injects pool config + credentials into
the ECS task.
- `cognito-app-client` is now self-contained: looks up its pool by name
internally and constructs the OIDC issuer URL itself. No changes to
`platform-data` — apps without `auth:` are unaffected.
- Widens the shared ECS execution role's SSM policy to cover
`/javabin/platform-apps/*` so the client_id/secret can be fetched at
task launch (otherwise tasks fail with `ResourceInitializationError`).
## Schema
```yaml
# Shorthand
auth: internal
# Full form
auth:
  pool: internal            # 'internal' or 'external' ('both' deferred)
  callback_urls: [...]      # optional, default = [https://{host}/, https://{host}/auth/callback]
  logout_urls: [...]        # optional, default = [https://{host}/]
  scopes: [openid, email, profile]
  groups: [admins, editors] # reference-only, exposed as COGNITO_GROUPS
```
## Injected env vars
| Var | Source |
|---|---|
| `COGNITO_USER_POOL_ID` | Looked up from the platform pool |
| `COGNITO_DOMAIN` | Hosted-UI FQDN |
| `COGNITO_ISSUER_URL` | OIDC issuer for JWT validation |
| `COGNITO_CLIENT_ID` | SSM SecureString via ECS task `secrets` |
| `COGNITO_CLIENT_SECRET` | SSM SecureString via ECS task `secrets` (skipped when `generate_secret: false`) |
| `COGNITO_GROUPS` | Comma-joined list from `auth.groups` |
## Out of scope
- `auth.pool: both` — generator rejects with a clear
`NotImplementedError`. Defer until a concrete app needs it (will inform
the env-var naming convention).
- Group creation / membership sync from `app.yaml` — stays with the
team-provisioner Lambda. `groups:` here is reference-only.
## Test plan
- [x] `terraform validate` clean on
`terraform/modules/cognito-app-client/` and `terraform/platform/iam/`
- [x] `terraform fmt -recursive -check` clean across the repo
- [x] Generator produces valid HCL for: shorthand, full form with
groups, external pool with explicit `callback_urls` + `generate_secret:
false`
- [x] Generator rejects `auth.pool: both` with `NotImplementedError`
- [x] Generator rejects `auth:` without `routing.host` with `ValueError`
- [x] `auth: none` and omitted `auth:` produce no `module "auth"` block
- [ ] Apply IAM widening (PR landing) before any app sets `auth:` —
order matters; widening is unconditional and a single-line policy change
with no resource impact for apps that don't use auth
- [ ] First real app (e.g. platform-test-app) sets `auth: internal`,
plan shows only Cognito client + SSM params, apply succeeds, ECS task
starts, `printenv | grep COGNITO_` shows expected vars
- [ ] Identity stack must be deployed before any app uses `auth:`
(currently gated on Google OAuth credentials in the deployment notes —
flagged in the existing CLAUDE.md status table)
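The rules the schema, env-var table, out-of-scope list and test plan above describe, worked through as an added Python example (this is illustration written for this page, not the generator's or the cognito-app-client module's code). It takes the dict PyYAML would return for an app.yaml, normalises the `auth:` block the way the PR specifies (shorthand to full form, defaults derived from `routing.host`, `none`/omitted producing no module, `both` rejected with `NotImplementedError`, missing host rejected with `ValueError`), then splits the injected config into plain env vars and SSM-backed task secrets and checks the secret paths against the execution role's SSM prefix. The module output names (`module.auth.*`), the parameter layout under `/javabin/platform-apps/`, and the helper names are assumptions; following the author's comment in the thread, the client secret is always generated rather than being an app.yaml knob.

```python
"""Worked example of the app.yaml `auth:` handling described in this PR.

Added illustration, not the generator's or the module's own code. Input is
the dict PyYAML would return for app.yaml. The module output names
(module.auth.*), the SSM path layout under /javabin/platform-apps/ and the
function names are assumptions.
"""
from __future__ import annotations

from typing import Any

DEFAULT_SCOPES = ("openid", "email", "profile")
VALID_POOLS = ("internal", "external")
# SSM prefix the shared ECS execution role may read after this PR's IAM widening.
# Only "/javabin/platform-apps/" is stated on the page; other prefixes are not shown.
EXEC_ROLE_SSM_PREFIXES = ("/javabin/platform-apps/",)


def normalize_auth(app: dict[str, Any]) -> dict[str, Any] | None:
    """Return the full-form auth config, or None when no `module "auth"` is emitted.

    Rules from the PR body:
      * omitted `auth:` or `auth: none`          -> None (no module block)
      * `auth: internal` / `auth: external`       -> expanded to the object form
      * `pool: both`                              -> NotImplementedError (deferred)
      * any `auth:` without `routing.host`        -> ValueError (defaults need the host)
    """
    raw = app.get("auth")
    if raw is None or raw == "none":
        return None
    if isinstance(raw, str):
        cfg: dict[str, Any] = {"pool": raw}
    elif isinstance(raw, dict):
        cfg = dict(raw)
    else:
        raise ValueError(f"auth: must be a string or mapping, got {type(raw).__name__}")

    pool = cfg.get("pool")
    if pool == "both":
        raise NotImplementedError("auth.pool: both is deferred until a concrete app needs it")
    if pool not in VALID_POOLS:
        raise ValueError(f"auth.pool must be one of {list(VALID_POOLS)}, got {pool!r}")

    host = (app.get("routing") or {}).get("host")
    if not host:
        raise ValueError("auth: requires routing.host (needed for default callback/logout URLs)")

    # Defaults exactly as the schema comments state them.
    cfg.setdefault("callback_urls", [f"https://{host}/", f"https://{host}/auth/callback"])
    cfg.setdefault("logout_urls", [f"https://{host}/"])
    cfg.setdefault("scopes", list(DEFAULT_SCOPES))
    cfg.setdefault("groups", [])  # reference-only; no membership sync
    return cfg


def task_injection(cfg: dict[str, Any], app_name: str,
                   ssm_prefix: str = "/javabin/platform-apps") -> tuple[dict[str, str], dict[str, str]]:
    """Split the injected config into ECS `environment` and `secrets` entries.

    Values Terraform resolves at plan time are kept as HCL expressions (assumed
    output names); credentials are referenced by SSM parameter path only, so the
    generated task definition never carries the client secret itself.
    """
    environment = {
        "COGNITO_USER_POOL_ID": "${module.auth.user_pool_id}",
        "COGNITO_DOMAIN": "${module.auth.domain}",
        "COGNITO_ISSUER_URL": "${module.auth.issuer_url}",
        "COGNITO_GROUPS": ",".join(cfg["groups"]),  # comma-joined, empty if none listed
    }
    secrets = {
        "COGNITO_CLIENT_ID": f"{ssm_prefix}/{app_name}/cognito/client_id",
        "COGNITO_CLIENT_SECRET": f"{ssm_prefix}/{app_name}/cognito/client_secret",
    }
    return environment, secrets


def unreadable_secrets(secrets: dict[str, str],
                       allowed_prefixes: tuple[str, ...] = EXEC_ROLE_SSM_PREFIXES) -> list[str]:
    """Return secret paths the execution role cannot read under the given policy prefixes.

    A non-empty result is the condition the PR warns about: the task fails at
    launch with ResourceInitializationError because the secret cannot be fetched.
    """
    return [path for path in secrets.values() if not path.startswith(allowed_prefixes)]


if __name__ == "__main__":
    # Constructed app.yaml contents (already parsed); not a real app on the platform.
    app = {"name": "platform-test-app",
           "routing": {"host": "test.example.internal"},
           "auth": {"pool": "internal", "groups": ["admins", "editors"]}}
    cfg = normalize_auth(app)
    env, secrets = task_injection(cfg, app["name"])
    print("environment:", env)
    print("secrets:", secrets)
    print("unreadable before IAM widening:", unreadable_secrets(secrets, ("/javabin/apps/",)))
    print("unreadable after IAM widening:", unreadable_secrets(secrets))
```

Running the script shows the ordering point from the test plan: with a policy that only covers an older `/javabin/apps/` prefix (an assumed pre-widening shape), both secret paths come back as unreadable, which is what surfaces as `ResourceInitializationError`; with the widened prefix the list is empty.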