Added cognito authentication

2025-05-15 14:18:55 -05:00
parent 8c9ea4187e
commit a07a28525f
4 changed files with 86 additions and 6 deletions
--- a/infrastructure/stack.py
+++ b/infrastructure/stack.py
@@ -3,6 +3,7 @@ from aws_cdk import (
    Stack,
    aws_ec2 as ec2,
    aws_iam as iam,
+    aws_cognito as cognito,
    CfnOutput
 )
 from constructs import Construct
@@ -78,6 +79,10 @@ class IptvUpdaterStack(Stack):
        # Creates a userdata object for Linux hosts
        userdata = ec2.UserData.for_linux()
        # Adds one or more commands to the userdata object.
+        userdata.add_commands(
+            f'echo "COGNITO_USER_POOL_ID={user_pool.user_pool_id}" >> /etc/environment',
+            f'echo "COGNITO_CLIENT_ID={client.user_pool_client_id}" >> /etc/environment'
+        )
        userdata.add_commands(str(userdata_file, 'utf-8'))

        # EC2 Instance
@@ -104,8 +109,45 @@ class IptvUpdaterStack(Stack):
            instance_id=instance.instance_id
        )

+        # Add Cognito User Pool
+        user_pool = cognito.UserPool(
+            self, "IptvUpdaterUserPool",
+            user_pool_name="iptv-updater-users",
+            self_sign_up_enabled=False,  # Only admins can create users
+            password_policy=cognito.PasswordPolicy(
+                min_length=8,
+                require_lowercase=True,
+                require_numbers=True,
+                require_symbols=True,
+                require_uppercase=True
+            ),
+            account_recovery=cognito.AccountRecovery.EMAIL_ONLY
+        )
+
+        # Add App Client
+        client = user_pool.add_client("IptvUpdaterClient",
+            o_auth=cognito.OAuthSettings(
+                flows=cognito.OAuthFlows(
+                    authorization_code_grant=True
+                ),
+                scopes=[cognito.OAuthScope.OPENID],
+                callback_urls=[f"https://{instance.instance_public_dns_name}/auth/callback"]
+            )
+        )
+
+        # Add Cognito permissions to instance role
+        role.add_managed_policy(
+            iam.ManagedPolicy.from_aws_managed_policy_name(
+                "AmazonCognitoReadOnly"
+            )
+        )
+
        # Output the public DNS name
        CfnOutput(
            self, "InstancePublicDNS",
-            value=eip.attr_public_ip
-        )
+            value=instance.instance_public_dns_name,
+        )
+
+        # Output Cognito information
+        CfnOutput(self, "UserPoolId", value=user_pool.user_pool_id)
+        CfnOutput(self, "UserPoolClientId", value=client.user_pool_client_id)