feat: add IdP Staging Terraform plan/apply steps

.github/module-filter.yml

@@ -31,6 +31,10 @@ hosted_zone:
   - *common
   - "aws/hosted_zone/**"
   - "env/cloud/hosted_zone/**"
+idp:
+  - *common
+  - "aws/idp/**"
+  - "env/cloud/idp/**"
 kms:
   - *common
   - "aws/kms/**"

.github/workflows/tag-and-push-lambda-images/action.yml → .github/workflows/tag-and-push-docker-images/action.yml

@@ -7,10 +7,13 @@ inputs:
     required: true
   aws-region:
     required: true
-  lambda-name:
+  image-name:
     required: true
   image-tag:
     required: true
+  repository-suffix:
+    default: '-lambda'
+    required: false
 
 runs:
   using: "composite"
@@ -28,11 +31,11 @@ runs:
 
     - name: Tag and push docker images
       env:
-        LAMBDA_NAME: ${{ inputs.lambda-name }}
+        IMAGE_NAME: ${{ inputs.image-name }}
         IMAGE_TAG: ${{ inputs.image-tag }}
         ECR_REGISTRY: ${{ steps.login-ecr-staging.outputs.registry }}
       run: |
-        REPOSITORY_NAME=$LAMBDA_NAME-lambda
+        REPOSITORY_NAME=$IMAGE_NAME${{ inputs.repository-suffix }}
         docker tag $REPOSITORY_NAME $ECR_REGISTRY/$REPOSITORY_NAME:$IMAGE_TAG
         docker tag $REPOSITORY_NAME $ECR_REGISTRY/$REPOSITORY_NAME:latest
         docker push $ECR_REGISTRY/$REPOSITORY_NAME:$IMAGE_TAG

.github/workflows/terragrunt-apply-production.yml

@@ -116,12 +116,12 @@ jobs:
           lambda-name: ${{ matrix.image }}
 
       - name: Tag and push Lambda images
-        uses: ./.github/workflows/tag-and-push-lambda-images
+        uses: ./.github/workflows/tag-and-push-docker-images
         with:
           aws-role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/forms-terraform-apply
           aws-role-session-name: TFApply
           aws-region: ${{ env.AWS_REGION }}
-          lambda-name: ${{ matrix.image }}
+          image-name: ${{ matrix.image }}
           image-tag: ${{ env.VERSION }}
 
   terragrunt-apply-all-modules:

.github/workflows/terragrunt-apply-staging.yml

@@ -18,11 +18,13 @@ permissions:
 env:
   APP_ENV: staging
   APP_DOMAINS: ${{ vars.STAGING_APP_DOMAINS }}
+  IDP_DOMAIN: ${{ vars.STAGING_IDP_DOMAIN }}
   AWS_ACCOUNT_ID: ${{ vars.STAGING_AWS_ACCOUNT_ID }}
   AWS_REGION: ca-central-1
   TERRAFORM_VERSION: 1.6.6
   TERRAGRUNT_VERSION: 0.54.8
   TF_INPUT: false
+  # App
   TF_VAR_ecs_secret_token: ${{ secrets.STAGING_TOKEN_SECRET }}
   TF_VAR_recaptcha_secret: ${{ secrets.STAGING_RECAPTCHA_SITE_SECRET }}
   TF_VAR_recaptcha_public: 6LfJDN4eAAAAAGvdRF7ZnQ7ciqdo1RQnQDFmh0VY
@@ -37,6 +39,16 @@ env:
   TF_VAR_cognito_code_template_id: 12a18f84-062c-4a67-8310-bf114af051ea
   TF_VAR_email_address_contact_us: ${{ vars.STAGING_CONTACT_US_EMAIL }}
   TF_VAR_email_address_support: ${{ vars.STAGING_SUPPORT_EMAIL }}
+  # IdP
+  FF_IDP: true
+  TF_VAR_idp_database_cluster_admin_username: ${{ secrets.STAGING_IDP_DATABASE_CLUSTER_ADMIN_USERNAME }}
+  TF_VAR_idp_database_cluster_admin_password: ${{ secrets.STAGING_IDP_DATABASE_CLUSTER_ADMIN_PASSWORD }}
+  TF_VAR_zitadel_admin_password: ${{ secrets.STAGING_ZITADEL_ADMIN_PASSWORD }}
+  TF_VAR_zitadel_admin_username: ${{ secrets.STAGING_ZITADEL_ADMIN_USERNAME }}
+  TF_VAR_zitadel_database_name: ${{ secrets.STAGING_ZITADEL_DATABASE_NAME }}
+  TF_VAR_zitadel_database_user_password: ${{ secrets.STAGING_ZITADEL_DATABASE_USER_PASSWORD }}
+  TF_VAR_zitadel_database_user_username: ${{ secrets.STAGING_ZITADEL_DATABASE_USER_USERNAME }}
+  TF_VAR_zitadel_secret_key: ${{ secrets.STAGING_ZITADEL_SECRET_KEY }}
 
 jobs:
   # We deploy ECR first to make sure it is available for the 'build-tag-push-lambda-images' job which will be run in parallel with `terragrunt-apply-all-modules`
@@ -95,16 +107,38 @@ jobs:
           lambda-name: ${{ matrix.image }}
 
       - name: Tag and push Lambda images
-        uses: ./.github/workflows/tag-and-push-lambda-images
+        uses: ./.github/workflows/tag-and-push-docker-images
         with:
           aws-role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/forms-terraform-apply
           aws-role-session-name: TFApply
           aws-region: ${{ env.AWS_REGION }}
-          lambda-name: ${{ matrix.image }}
+          image-name: ${{ matrix.image }}
           image-tag: ${{ github.sha }}
 
+  build-tag-push-idp-image:
+    needs: terragrunt-apply-ecr-only
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Build IdP image
+        working-directory: idp
+        run: |
+          make build
+
+      - name: Tag and push IdP image
+        uses: ./.github/workflows/tag-and-push-docker-images
+        with:
+          aws-role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/forms-terraform-apply
+          aws-role-session-name: TFApply
+          aws-region: ${{ env.AWS_REGION }}
+          image-name: idp/zitadel
+          image-tag: ${{ github.sha }}
+          repository-suffix: ''
+
   terragrunt-apply-all-modules:
-    needs: build-tag-push-lambda-images
+    needs: [build-tag-push-lambda-images, build-tag-push-idp-image]
     if: ${{ !failure() && !cancelled() }}
     runs-on: ubuntu-latest
     steps:
@@ -180,6 +214,10 @@ jobs:
         working-directory: env/cloud/rds
         run: terragrunt apply --terragrunt-non-interactive -auto-approve
 
+      - name: Terragrunt apply idp
+        working-directory: env/cloud/idp
+        run: terragrunt apply --terragrunt-non-interactive -auto-approve
+
       # Depends on everything
       - name: Terragrunt apply app
         working-directory: env/cloud/app
@@ -227,6 +265,7 @@ jobs:
       [
         terragrunt-apply-ecr-only,
         build-tag-push-lambda-images,
+        build-tag-push-idp-image,
         terragrunt-apply-all-modules,
         update-lambda-function-image,
       ]

.github/workflows/terragrunt-plan-all-staging.yml

@@ -10,12 +10,14 @@ permissions:
 env:
   APP_ENV: staging
   APP_DOMAINS: ${{ vars.STAGING_APP_DOMAINS }}
+  IDP_DOMAIN: ${{ vars.STAGING_IDP_DOMAIN }}
   AWS_ACCOUNT_ID: ${{ vars.STAGING_AWS_ACCOUNT_ID }}
   AWS_REGION: ca-central-1
   CONFTEST_VERSION: 0.46.0
   TERRAFORM_VERSION: 1.6.6
   TERRAGRUNT_VERSION: 0.54.8
   TF_INPUT: false
+  # App
   TF_VAR_ecs_secret_token: ${{ secrets.STAGING_TOKEN_SECRET }}
   TF_VAR_recaptcha_secret: ${{ secrets.STAGING_RECAPTCHA_SITE_SECRET }}
   TF_VAR_recaptcha_public: 6LfJDN4eAAAAAGvdRF7ZnQ7ciqdo1RQnQDFmh0VY
@@ -30,6 +32,16 @@ env:
   TF_VAR_cognito_code_template_id: 12a18f84-062c-4a67-8310-bf114af051ea
   TF_VAR_email_address_contact_us: ${{ vars.STAGING_CONTACT_US_EMAIL }}
   TF_VAR_email_address_support: ${{ vars.STAGING_SUPPORT_EMAIL }}
+  # IdP
+  FF_IDP: true
+  TF_VAR_idp_database_cluster_admin_username: ${{ secrets.STAGING_IDP_DATABASE_CLUSTER_ADMIN_USERNAME }}
+  TF_VAR_idp_database_cluster_admin_password: ${{ secrets.STAGING_IDP_DATABASE_CLUSTER_ADMIN_PASSWORD }}
+  TF_VAR_zitadel_admin_password: ${{ secrets.STAGING_ZITADEL_ADMIN_PASSWORD }}
+  TF_VAR_zitadel_admin_username: ${{ secrets.STAGING_ZITADEL_ADMIN_USERNAME }}
+  TF_VAR_zitadel_database_name: ${{ secrets.STAGING_ZITADEL_DATABASE_NAME }}
+  TF_VAR_zitadel_database_user_password: ${{ secrets.STAGING_ZITADEL_DATABASE_USER_PASSWORD }}
+  TF_VAR_zitadel_database_user_username: ${{ secrets.STAGING_ZITADEL_DATABASE_USER_USERNAME }}
+  TF_VAR_zitadel_secret_key: ${{ secrets.STAGING_ZITADEL_SECRET_KEY }}
 
 jobs:
   terragrunt-plan:
@@ -158,6 +170,13 @@ jobs:
           comment: "false"
           terragrunt: "true"
 
+      - name: Terragrunt plan idp
+        uses: cds-snc/terraform-plan@4719878d72d1b0078e0bce2e7571e854e79903b8 # v3.2.2
+        with:
+          directory: "env/cloud/idp"
+          comment: "false"
+          terragrunt: "true"
+
       # Depends on everything
       - name: Terragrunt plan app
         uses: cds-snc/terraform-plan@4719878d72d1b0078e0bce2e7571e854e79903b8 # v3.2.2

.github/workflows/terragrunt-plan-staging.yml

@@ -19,12 +19,14 @@ permissions:
 env:
   APP_ENV: staging
   APP_DOMAINS: ${{ vars.STAGING_APP_DOMAINS }}
+  IDP_DOMAIN: ${{ vars.STAGING_IDP_DOMAIN }}
   AWS_ACCOUNT_ID: ${{ vars.STAGING_AWS_ACCOUNT_ID }}
   AWS_REGION: ca-central-1
   CONFTEST_VERSION: 0.46.0
   TERRAFORM_VERSION: 1.6.6
   TERRAGRUNT_VERSION: 0.54.8
   TF_INPUT: false
+  # App
   TF_VAR_ecs_secret_token: ${{ secrets.STAGING_TOKEN_SECRET }}
   TF_VAR_recaptcha_secret: ${{ secrets.STAGING_RECAPTCHA_SITE_SECRET }}
   TF_VAR_recaptcha_public: 6LfJDN4eAAAAAGvdRF7ZnQ7ciqdo1RQnQDFmh0VY
@@ -39,6 +41,16 @@ env:
   TF_VAR_cognito_code_template_id: 12a18f84-062c-4a67-8310-bf114af051ea
   TF_VAR_email_address_contact_us: ${{ vars.STAGING_CONTACT_US_EMAIL }}
   TF_VAR_email_address_support: ${{ vars.STAGING_SUPPORT_EMAIL }}
+  # IdP
+  FF_IDP: true
+  TF_VAR_idp_database_cluster_admin_username: ${{ secrets.STAGING_IDP_DATABASE_CLUSTER_ADMIN_USERNAME }}
+  TF_VAR_idp_database_cluster_admin_password: ${{ secrets.STAGING_IDP_DATABASE_CLUSTER_ADMIN_PASSWORD }}
+  TF_VAR_zitadel_admin_password: ${{ secrets.STAGING_ZITADEL_ADMIN_PASSWORD }}
+  TF_VAR_zitadel_admin_username: ${{ secrets.STAGING_ZITADEL_ADMIN_USERNAME }}
+  TF_VAR_zitadel_database_name: ${{ secrets.STAGING_ZITADEL_DATABASE_NAME }}
+  TF_VAR_zitadel_database_user_password: ${{ secrets.STAGING_ZITADEL_DATABASE_USER_PASSWORD }}
+  TF_VAR_zitadel_database_user_username: ${{ secrets.STAGING_ZITADEL_DATABASE_USER_USERNAME }}
+  TF_VAR_zitadel_secret_key: ${{ secrets.STAGING_ZITADEL_SECRET_KEY }}
 
 jobs:
   detect-lambda-changes:
@@ -92,6 +104,18 @@ jobs:
           lambda-directory: lambda-code/${{ matrix.image }}
           lambda-name: ${{ matrix.image }}
 
+  build-idp-image:
+    if: ${{ ! startsWith(github.head_ref , 'release-please--') }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Build IdP image
+        working-directory: idp
+        run: |
+          make build
+
   terragrunt-plan:
     if: ${{ ! startsWith(github.head_ref , 'release-please--') }}
     runs-on: ubuntu-latest
@@ -269,6 +293,16 @@ jobs:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
           terragrunt: "true"
 
+      - name: Terragrunt plan idp
+        if: steps.filter.outputs.idp == 'true'
+        uses: cds-snc/terraform-plan@4719878d72d1b0078e0bce2e7571e854e79903b8 # v3.2.2
+        with:
+          directory: "env/cloud/idp"
+          comment-delete: "true"
+          comment-title: "Staging: idp"
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+          terragrunt: "true"
+
       # Depends on everything
       - name: Terragrunt plan app
         if: steps.filter.outputs.app == 'true'

aws/ecr/ecr.tf

@@ -86,4 +86,4 @@ resource "aws_ecr_lifecycle_policy" "idp" {
 
   repository = aws_ecr_repository.idp[0].name
   policy     = file("${path.module}/policy/lifecycle.json")
-}
+}

aws/idp/lb.tf

@@ -97,7 +97,7 @@ resource "aws_lb_listener" "idp_http_redirect" {
   tags = local.common_tags
 }
 
-resource "aws_shield_protection" "alb" {
-  name         = "LoadBalancer"
+resource "aws_shield_protection" "idp" {
+  name         = "LoadBalancerIdP"
   resource_arn = aws_lb.idp.arn
 }

aws/idp/rds.tf

@@ -14,9 +14,8 @@ module "idp_database" {
   serverless_max_capacity = var.idp_database_max_acu
   use_proxy               = false # TODO: enable for prod loads if performance requires it
 
-  username               = var.idp_database_cluster_admin_username
-  password               = var.idp_database_cluster_admin_password
-  proxy_secret_auth_arns = [aws_secretsmanager_secret.zidatel_database_proxy_auth.arn]
+  username = var.idp_database_cluster_admin_username
+  password = var.idp_database_cluster_admin_password
 
   backup_retention_period      = 14
   preferred_backup_window      = "02:00-04:00"
@@ -50,7 +49,7 @@ resource "aws_ssm_parameter" "zitadel_database_host" {
   # checkov:skip=CKV_AWS_337: Default SSM service key encryption is acceptable
   name  = "zitadel_database_host"
   type  = "SecureString"
-  value = module.idp_database.proxy_endpoint
+  value = module.idp_database.rds_cluster_endpoint
   tags  = local.common_tags
 }
 
@@ -77,17 +76,3 @@ resource "aws_ssm_parameter" "zitadel_database_user_password" {
   value = var.zitadel_database_user_password
   tags  = local.common_tags
 }
-
-resource "aws_secretsmanager_secret" "zidatel_database_proxy_auth" {
-  # checkov:skip=CKV2_AWS_57: Automatic secret rotation not required
-  name = "zidatel_database_proxy_auth"
-  tags = local.common_tags
-}
-
-resource "aws_secretsmanager_secret_version" "zidatel_database_proxy_auth" {
-  secret_id = aws_secretsmanager_secret.zidatel_database_proxy_auth.id
-  secret_string = jsonencode({
-    username = var.zitadel_database_user_username,
-    password = var.zitadel_database_user_password
-  })
-}

aws/idp/waf.tf

@@ -39,7 +39,7 @@ resource "aws_wafv2_web_acl" "idp" {
 
     statement {
       rule_group_reference_statement {
-        arn = aws_wafv2_rule_group.rate_limiters_group.arn
+        arn = aws_wafv2_rule_group.rate_limiters_group_idp.arn
       }
     }
 
@@ -100,9 +100,9 @@ resource "aws_wafv2_web_acl" "idp" {
   tags = local.common_tags
 }
 
-resource "aws_wafv2_rule_group" "rate_limiters_group" {
+resource "aws_wafv2_rule_group" "rate_limiters_group_idp" {
   capacity = 32 // 2, as a base cost. For each custom aggregation key that you specify, add 30 WCUs.
-  name     = "RateLimitersGroup"
+  name     = "RateLimitersGroupIdP"
   scope    = "REGIONAL"
 
   rule {

env/cloud/idp/terragrunt.hcl

@@ -61,13 +61,13 @@ inputs = {
   vpc_id                    = dependency.network.outputs.vpc_id
 
   zitadel_image_ecr_url = dependency.ecr.outputs.ecr_repository_url_idp
-  zitadel_image_tag     = "v2.55.0"
+  zitadel_image_tag     = "latest" # TODO: pin to specific tag for prod
 
   kinesis_firehose_waf_logs_arn = dependency.load_balancer.outputs.kinesis_firehose_waf_logs_arn
 
   # 1 ACU ~= 2GB of memory and 1vCPU
-  idp_database_min_acu = 2
-  idp_database_max_acu = 4
+  idp_database_min_acu = 1
+  idp_database_max_acu = 2
 }
 
 include {

idp/Makefile

@@ -13,5 +13,5 @@ cert:
 		-x509 -days 3650 \
 		-keyout ./docker/private.key \
 		-out ./docker/certificate.crt \
-		-subj "/C=CA/ST=Ontario/L=Ottawa/O=cds-snc/OU=platform/CN=auth.forms-formulaires.alpha.canada.ca/[email protected]" &&\
+		-subj "/C=CA/ST=Ontario/L=Ottawa/O=cds-snc/OU=platform/CN=auth.forms-formulaires.alpha.canada.ca/[email protected]" > /dev/null 2>&1 &&\
 	chmod +r ./docker/private.key