add support for redirect paths with patched in functionality. parameterize lambda settings
KenFigueiredo committed Nov 21, 2023
1 parent 560ff1a commit 34f779d
Showing 10 changed files with 2,008 additions and 93 deletions.
1 change: 1 addition & 0 deletions .gitignore
@@ -3,3 +3,4 @@
.idea
*.zip
.vscode
dist
11 changes: 7 additions & 4 deletions CHANGELOG.md
@@ -7,13 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [1.1.0] - TBD

### Added
- Added support for Cognito custom user pool domains.
- Added support for additional cognito@edge settings via `cognito_additional_settings`.
- Added support for Cognito custom user pool domains via new variable `cognito_user_pool_domain`.
- Added support for custom redirect endpoint for Cognito@Edge via new variable `cognito_redirect_path`.
- Added support for additional Cognito@Edge settings via new variable `cognito_additional_settings`.

### Changed
- Update Lambda@Edge NodeJS version to `nodejs20.x` (was `nodejs14.x`).
- Expand TF AWS provider range to allow support for `5.0.0` and greater.
- Update Lambda@Edge NodeJS version to `nodejs20.x` (was `nodejs14.x`) and make it user configurable via new variable `lambda_runtime`.
- Lambda@Edge lambda zip is now bundled via `esbuild` to reduce package size.
- Change default lambda timeout to `5` seconds (was `3` seconds) and make it user configurable via new variable `lambda_timeout`.
- Remove `aws-sdk` in favor of `@aws-sdk` v3 libraries.
- Expand TF AWS provider range to allow `5.0.0` and greater support.

## [1.0.1] - 2022-06-22

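Review bot: the release header still reads `## [1.1.0] - TBD`; since this file follows the Keep a Changelog layout (Added/Changed sections under a Semantic Versioning note), the conventional form for unreleased work is an `## [Unreleased]` section that is renamed and dated when the version is cut. Also, now that the runtime is user-supplied via `lambda_runtime`, the Changed entry for it should say that only runtimes Lambda@Edge accepts are valid, otherwise the variable invites values that fail on apply.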
@@ -7,7 +7,7 @@ enforce Cognito Authentication through a configured Cognito User Pool.

## Requirements
- Terraform version >= 1.0.X
- NodeJS + NPM (compatible with NodeJS 14.X.X)
- NodeJS + NPM (compatible with NodeJS 18.X.X)
- Used for `npm ci` dependency installation for Lambda@Edge Bundle.
- Terraform AWS Provider in `us-east-1`
- Requirement for CloudFront + Lambda@Edge runtime.
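Review bot: the requirement line now says NodeJS 18.X.X, while the same change defaults `lambda_runtime` to `nodejs20.x` (inputs table and CHANGELOG). If 18 is only what is needed locally to run `npm ci` and the `esbuild` bundling, say so explicitly in the sub-bullet; otherwise align it to 20 so the bundle is built with the same major version it runs on.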
@@ -54,7 +54,7 @@ resource "aws_cloudfront_distribution" "my_cloudfront_distribution" {
```

### Destroy Issues
### Destroy Issues (AWS Provider :: > v4.57.0)
Note that if a destroy action is performed on this terraform module, terraform is unable to delete the Lambda@Edge that was published as a part of this infrastructure (This is noted by this [issue](https://github.com/hashicorp/terraform-provider-aws/issues/1721) on the Terraform provider).
In order to properly delete this resource, it should be manually cleaned up, [instructions here](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-edge-delete-replicas.html) and manually removed from the state.

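Review bot: the new heading qualifier `(AWS Provider :: > v4.57.0)` implies the destroy behaviour differs on either side of that version, but the paragraph under it is unchanged and does not say what changed at 4.57.0. Add a sentence stating whether the manual replica clean-up and the `terraform state rm` step still apply with the 5.x provider this change now allows, or whether the qualifier marks the versions where they no longer do.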
@@ -76,9 +76,9 @@ terraform state rm 'module.<my_module_name>.aws_lambda_function.cloudfront_auth_

| Name | Version |
|------|---------|
| <a name="provider_archive"></a> [archive](#provider\_archive) | n/a |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 |
| <a name="provider_null"></a> [null](#provider\_null) | n/a |
| <a name="provider_archive"></a> [archive](#provider\_archive) | 2.4.0 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.26.0 |
| <a name="provider_null"></a> [null](#provider\_null) | 3.2.2 |

## Modules

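Review bot: the providers table replaces the `>= 4.0` constraint on `aws` with the exact `5.26.0` (and `archive`/`null` go from `n/a` to exact versions), which reads like terraform-docs was run against the lock file rather than `required_providers`. The CHANGELOG in this same change says the AWS provider range was expanded to allow `5.0.0` and greater, so the table should show that constraint, not a pinned version the module does not actually require.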
@@ -106,12 +106,15 @@ No modules.
| <a name="input_cognito_cookie_expiration_days"></a> [cognito\_cookie\_expiration\_days](#input\_cognito\_cookie\_expiration\_days) | Number of days to keep the cognito cookie valid. | `number` | `7` | no |
| <a name="input_cognito_disable_cookie_domain"></a> [cognito\_disable\_cookie\_domain](#input\_cognito\_disable\_cookie\_domain) | Sets domain attribute in cookies, defaults to false. | `bool` | `false` | no |
| <a name="input_cognito_log_level"></a> [cognito\_log\_level](#input\_cognito\_log\_level) | Logging level. Default: 'silent' | `string` | `"silent"` | no |
| <a name="input_cognito_redirect_path"></a> [cognito\_redirect\_path](#input\_cognito\_redirect\_path) | Optional path to redirect to after a successful cognito login. | `string` | `""` | no |
| <a name="input_cognito_user_pool_app_client_id"></a> [cognito\_user\_pool\_app\_client\_id](#input\_cognito\_user\_pool\_app\_client\_id) | Cognito User Pool App Client ID for the targeted user pool. | `string` | n/a | yes |
| <a name="input_cognito_user_pool_app_client_secret"></a> [cognito\_user\_pool\_app\_client\_secret](#input\_cognito\_user\_pool\_app\_client\_secret) | Cognito User Pool App Client Secret for the targeted user pool. NOTE: This is currently not compatible with AppSync applications. | `string` | `null` | no |
| <a name="input_cognito_user_pool_domain"></a> [cognito\_user\_pool\_domain](#input\_cognito\_user\_pool\_domain) | Optional: Full Domain of the Cognito User Pool to utilize. Mutually exclusive with 'cognito\_user\_pool\_name'. | `string` | `""` | no |
| <a name="input_cognito_user_pool_id"></a> [cognito\_user\_pool\_id](#input\_cognito\_user\_pool\_id) | Cognito User Pool ID for the targeted user pool. | `string` | n/a | yes |
| <a name="input_cognito_user_pool_name"></a> [cognito\_user\_pool\_name](#input\_cognito\_user\_pool\_name) | Name of the Cognito User Pool to utilize. Required if 'cognito\_user\_pool\_domain' is not set. | `string` | `""` | no |
| <a name="input_cognito_user_pool_region"></a> [cognito\_user\_pool\_region](#input\_cognito\_user\_pool\_region) | AWS region where the cognito user pool was created. | `string` | `"us-west-2"` | no |
| <a name="input_lambda_runtime"></a> [lambda\_runtime](#input\_lambda\_runtime) | Lambda runtime to utilize for Lambda@Edge. | `string` | `"nodejs20.x"` | no |
| <a name="input_lambda_timeout"></a> [lambda\_timeout](#input\_lambda\_timeout) | Amount of timeout in seconds to set on for Lambda@Edge. | `number` | `5` | no |
| <a name="input_name"></a> [name](#input\_name) | Name to prefix on all infrastructure created by this module. | `string` | n/a | yes |
| <a name="input_tags"></a> [tags](#input\_tags) | Map of tags to attach to all AWS resources created by this module. | `map(string)` | `{}` | no |

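Review bot: the description of `cognito_redirect_path` ("Optional path to redirect to after a successful cognito login") should state what shape the value must have and whether it is validated, since it feeds the post-login redirect: a leading slash, path only, no scheme or host, so a misconfigured value cannot send users off the distribution after login. A `validation` block on the variable, or at least the constraint spelled out in the description, would make that explicit. Also, `lambda_timeout` has no stated bound: Lambda@Edge caps viewer-request and viewer-response triggers at 5 seconds, so values above the default `5` fail at apply time for those triggers and the description should say so.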
19 changes: 9 additions & 10 deletions files/deployable/index.js
@@ -1,10 +1,9 @@
const { IAM } = require('@aws-sdk/client-iam');
const { SSM } = require('@aws-sdk/client-ssm');
const { STS } = require('@aws-sdk/client-sts');
const { IAMClient, GetRolePolicyCommand } = require('@aws-sdk/client-iam');
const { SSMClient, GetParameterCommand } = require('@aws-sdk/client-ssm');
const { STSClient, GetCallerIdentityCommand } = require('@aws-sdk/client-sts');

const NodeCache = require("node-cache");
const { Authenticator } = require('cognito-at-edge');

const { getLogger } = require('./logger');

// Global Static variables
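Review bot: style only: the three rewritten `require` lines use single quotes while the unchanged `node-cache` line two lines below uses double quotes; since these lines are being touched anyway, normalize to one style. The move from the aggregated `SSM`/`STS`/`IAM` clients to `SSMClient` plus per-command classes is the shape that lets the `esbuild` bundle introduced in this change drop unused commands.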
@@ -51,20 +50,20 @@ async function createAuthenticatorFromConfiguration() {
const rootLogger = getLogger();

try {
const ssmClient = new SSM({ region: 'us-east-1' });
const stsClient = new STS({ region: 'us-east-1' });
const iamClient = new IAM({ region: 'us-east-1' });
const ssmClient = new SSMClient({ region: 'us-east-1' });
const stsClient = new STSClient({ region: 'us-east-1' });
const iamClient = new IAMClient({ region: 'us-east-1' });

// Get the IAM role that is currently running this lambda.
rootLogger.info('Attempting to get current execution IAM Role.');
const curIdentity = await stsClient.getCallerIdentity();
const curIdentity = await stsClient.send(new GetCallerIdentityCommand({}));
const iamRole = curIdentity.Arn;
rootLogger.info(`Running as IAM Role[${iamRole}].`);
const iamRoleName = getRoleNameFromExecutionARN(iamRole, 'role')

// Get the predefined policy which references the SSM Parameter we need to pull
rootLogger.info(`Fetching Policy[${POLICY_NAME}] from IAM Role[${iamRole}].`);
const { PolicyDocument } = await iamClient.getRolePolicy({ PolicyName: POLICY_NAME, RoleName: iamRoleName });
const { PolicyDocument } = await iamClient.send(new GetRolePolicyCommand({ PolicyName: POLICY_NAME, RoleName: iamRoleName }));
rootLogger.info('Successfully fetched Policy document.');

const parsedPolicyDoc = decodeURIComponent(PolicyDocument);
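Review bot: `curIdentity.Arn` is an optional field on the v3 `GetCallerIdentityCommand` output and is passed straight into `getRoleNameFromExecutionARN(iamRole, 'role')` without a check; if it is absent the failure surfaces inside the ARN parser rather than as a clear "could not determine execution role" error, so guard it before the call. In the same hunk, the `const iamRoleName = ...` line is missing its trailing semicolon, unlike every other statement here. The `us-east-1` region hardcoded on all three clients matches the README requirement that the provider run in `us-east-1`, but a one-line comment saying the SSM parameter is intentionally read from there even when a Lambda@Edge replica executes elsewhere would save the next reader the question.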
@@ -75,7 +74,7 @@ async function createAuthenticatorFromConfiguration() {

// Fetch the data from parameter store
rootLogger.info(`Fetching Parameter[${ssmParameterName}].`);
const { Parameter } = await ssmClient.getParameter({ Name: ssmParameterName, WithDecryption: true });
const { Parameter } = await ssmClient.send(new GetParameterCommand({ Name: ssmParameterName, WithDecryption: true }));
rootLogger.info(`Successfully fetched Parameter[${ssmParameterName}].`);

const authConfig = JSON.parse(Parameter.Value);
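Review bot: `Parameter.Value` is optional on the v3 `GetParameterCommand` output, and `JSON.parse(Parameter.Value)` on an undefined value throws a SyntaxError whose message never mentions which parameter was empty; check `Parameter?.Value` first and throw with `ssmParameterName` in the message. The parsed `authConfig` also carries the app client secret described by the README input `cognito_user_pool_app_client_secret`, so keep it out of the `rootLogger` calls; the current lines log only the parameter name, which is right.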