@infoxchange/make-it-so 2.9.1 → 2.10.0-internal-testing-vdt-199-add-oidc-auth.2

package/README.md

@@ -13,6 +13,8 @@ npm --save-dev @infoxchange/make-it-so
 yarn add --dev @infoxchange/make-it-so
 ```
 
+
+
 ## Features
 
 ### deployConfig
@@ -20,7 +22,9 @@ yarn add --dev @infoxchange/make-it-so
 The IX pipeline provides certain information about the deployment currently in progress via environment variables. deployConfig gives you a friendly (and typed) way to access these details.
 
 ```typescript
-import deployConfig from "@infoxchange/make-it-so/deployConfig";
+import deployConfig, {
+  getDeployConfig,
+} from "@infoxchange/make-it-so/deployConfig";
 
 if (deployConfig.isIxDeploy) {
   console.log(
@@ -29,6 +33,10 @@ if (deployConfig.isIxDeploy) {
 } else {
   console.log(`Not deploying via the IX deploy pipeline`);
 }
+
+// Will return the same object but calculated when the function is run rather than when imported. Useful if any IX
+// deployment related environment variables are changed at runtime.
+console.log(getDeployConfig());
 ```
 
 <details>

package/commitlint.config.ts

@@ -0,0 +1,14 @@
+import type { UserConfig } from "@commitlint/types";
+
+export default {
+  ignores: [
+    (message) =>
+      // Allow "wip" commits except when publishing a production release or on PR CI jobs
+      process.env.GITHUB_EVENT_NAME !== "pull_request" &&
+      (process.env.GITHUB_WORKFLOW !== "Publish" ||
+        (process.env.GITHUB_REF_NAME?.startsWith("internal-testing-") ??
+          true)) &&
+      (message === "wip" || message.startsWith("wip:")),
+  ],
+  extends: ["@commitlint/config-conventional"],
+} satisfies UserConfig;

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-check.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=auth-check.d.ts.map

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-check.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-check.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/auth-check.ts"],"names":[],"mappings":""}

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-check.js

@@ -0,0 +1,135 @@
+// eslint-disable-next-line @typescript-eslint/ban-ts-comment
+// @ts-nocheck
+// Based off: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example_cloudfront_functions_kvs_jwt_verify_section.html
+import crypto from "crypto";
+// @ts-expect-error -- This library only exists in the CloudFront Functions runtime that this code runs in
+import cf from "cloudfront";
+//Response when JWT is not valid.
+// const response401 = {
+//     statusCode: 401,
+//     statusDescription: 'Unauthorized'
+// };
+const response401 = {
+    statusCode: 302,
+    headers: {
+        location: { value: "/auth/oidc/authorize" },
+    },
+};
+// Remember to associate the KVS with your function before calling the const kvsKey = 'jwt.secret'.
+// https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/kvs-with-functions-associate.html
+const kvsKey = "__placeholder-for-jwt-secret-key__";
+// set to true to enable console logging
+const loggingEnabled = true; // false;
+function jwt_decode(token, key, noVerify, algorithm) {
+    // check token
+    if (!token) {
+        throw new Error("No token supplied");
+    }
+    // check segments
+    const segments = token.split(".");
+    if (segments.length !== 3) {
+        throw new Error("Not enough or too many segments");
+    }
+    // All segment should be base64
+    const headerSeg = segments[0];
+    const payloadSeg = segments[1];
+    const signatureSeg = segments[2];
+    // base64 decode and parse JSON
+    const payload = JSON.parse(_base64urlDecode(payloadSeg));
+    if (!noVerify) {
+        const signingMethod = "sha256";
+        const signingType = "hmac";
+        // Verify signature. `sign` will return base64 string.
+        const signingInput = [headerSeg, payloadSeg].join(".");
+        if (!_verify(signingInput, key, signingMethod, signingType, signatureSeg)) {
+            throw new Error("Signature verification failed");
+        }
+        // Support for nbf and exp claims.
+        // According to the RFC, they should be in seconds.
+        if (payload.nbf && Date.now() < payload.nbf * 1000) {
+            throw new Error("Token not yet active");
+        }
+        if (payload.exp && Date.now() > payload.exp * 1000) {
+            throw new Error("Token expired");
+        }
+    }
+    return payload;
+}
+//Function to ensure a constant time comparison to prevent
+//timing side channels.
+function _constantTimeEquals(a, b) {
+    if (a.length != b.length) {
+        return false;
+    }
+    let xor = 0;
+    for (let i = 0; i < a.length; i++) {
+        xor |= a.charCodeAt(i) ^ b.charCodeAt(i);
+    }
+    return 0 === xor;
+}
+function _verify(input, key, method, type, signature) {
+    if (type === "hmac") {
+        return _constantTimeEquals(signature, _sign(input, key, method));
+    }
+    else {
+        throw new Error("Algorithm type not recognized");
+    }
+}
+function _sign(input, key, method) {
+    return crypto.createHmac(method, key).update(input).digest("base64url");
+}
+function _base64urlDecode(str) {
+    return Buffer.from(str, "base64url");
+}
+async function handler(event) {
+    const request = event.request;
+    //Secret key used to verify JWT token.
+    //Update with your own key.
+    const secret_key = await getSecret();
+    if (!secret_key) {
+        return response401;
+    }
+    console.log("request");
+    console.log(request);
+    console.log(request.cookies);
+    console.log(request.cookies["auth-token"]);
+    console.log(Object.keys(request.cookies));
+    // console.logObject.keys(request.cookies))
+    // If no JWT token, then generate HTTP redirect 401 response.
+    if (!request.cookies["auth-token"]) {
+        log("Error: No JWT in the cookies");
+        return response401;
+    }
+    const jwtToken = request.cookies["auth-token"].value;
+    try {
+        jwt_decode(jwtToken, secret_key);
+    }
+    catch (e) {
+        log(e);
+        return response401;
+    }
+    //Remove the JWT from the query string if valid and return.
+    delete request.querystring.jwt;
+    log("Valid JWT token");
+    return request;
+}
+const publicKey = `very-secret`;
+// get secret from key value store
+async function getSecret() {
+    //   console.log("auth key is:", publicKey)
+    //   return publicKey
+    // initialize cloudfront kv store and get the key value
+    try {
+        const kvsHandle = cf.kvs();
+        return await kvsHandle.get(kvsKey);
+    }
+    catch (err) {
+        log(`Error reading value for key: ${kvsKey}, error: ${err}`);
+        return null;
+    }
+}
+function log(message) {
+    if (loggingEnabled) {
+        console.log(message);
+    }
+}

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-route.d.ts

@@ -0,0 +1,2 @@
+export declare const handler: (event: any, context: any) => Promise<any>;
+//# sourceMappingURL=auth-route.d.ts.map

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-route.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-route.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/auth-route.ts"],"names":[],"mappings":"AAyBA,eAAO,MAAM,OAAO,4CAiDnB,CAAC"}

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-route.js

@@ -0,0 +1,84 @@
+import { AuthHandler, OidcAdapter } from "sst/node/auth";
+import { Issuer } from "openid-client";
+import jwt from "jsonwebtoken";
+const oidcClientId = process.env.OIDC_CLIENT_ID;
+if (!oidcClientId) {
+    throw new Error("OIDC_CLIENT_ID not set");
+}
+const oidcIssuerUrl = process.env.OIDC_ISSUER_URL;
+if (!oidcIssuerUrl) {
+    throw new Error("OIDC_ISSUER_URL not set");
+}
+const oidcScope = process.env.OIDC_SCOPE;
+if (!oidcScope) {
+    throw new Error("OIDC_SCOPE not set");
+}
+const jwtSecret = process.env.JWT_SECRET;
+if (!jwtSecret) {
+    throw new Error("JWT_SECRET not set");
+}
+const oidcIssuerConfigUrl = new URL(`${process.env.OIDC_ISSUER_URL?.replace(/\/$/, "")}/.well-known/openid-configuration`);
+export const handler = convertApiGatewayHandlerToCloudFrontHandler(AuthHandler({
+    providers: {
+        oidc: OidcAdapter({
+            issuer: await Issuer.discover(oidcIssuerConfigUrl.href),
+            clientID: oidcClientId,
+            scope: oidcScope,
+            onSuccess: async (tokenset) => {
+                console.log("tokenset", tokenset, tokenset.claims());
+                console.log("Config.jwtSecret:", jwtSecret);
+                // Payload to include in the token
+                const payload = {
+                    userID: tokenset.claims().sub,
+                };
+                // Options (optional)
+                const options = {
+                    algorithm: "HS256",
+                    expiresIn: "1h",
+                };
+                // Create the token
+                const token = jwt.sign(payload, jwtSecret, options);
+                const expires = new Date(
+                // @ ts-ignore error in GH action
+                Date.now() + 1000 * 60 * 60 * 24 * 7);
+                return {
+                    statusCode: 302,
+                    headers: {
+                        location: "/",
+                    },
+                    cookies: [
+                        `auth-token=${token}; HttpOnly; SameSite=None; Secure; Path=/; Expires=${expires}`,
+                    ],
+                };
+                // return Session.cookie({
+                //   redirect: "https://openidconnect.net/callback",
+                //   type: "public",
+                //   properties: {
+                //     userID: tokenset.claims().sub,
+                //   },
+                // });
+            },
+        }),
+    },
+}));
+// @ts-expect-error - testing
+function convertApiGatewayHandlerToCloudFrontHandler(callback) {
+    // @ts-expect-error - testing
+    return async function (event, context) {
+        // Used by AuthHandler to create callback url sent to oidc server
+        event.requestContext.domainName = event.headers["x-forwarded-host"];
+        console.log("----", event, context);
+        // console.log("event", event)
+        // console.log("context", context)
+        const response = await callback(event, context);
+        // if (response.cookies) {
+        //   if (!response.headers) {
+        //     response.headers = {}
+        //   }
+        //   response.headers["set-cookie"] = response.cookies
+        // }
+        // response.headers.location += "&cake=blar"
+        // response.headers.foo = "bar"
+        return response;
+    };
+}

package/dist/cdk-constructs/CloudWatchOidcAuth/index.d.ts

@@ -0,0 +1,27 @@
+import { Construct } from "constructs";
+import { BaseSiteCdkDistributionProps } from "sst/constructs/BaseSite.js";
+type ConstructScope = ConstructorParameters<typeof Construct>[0];
+type ConstructId = ConstructorParameters<typeof Construct>[1];
+type Mutable<T> = {
+    -readonly [P in keyof T]: T[P];
+};
+type Props = {
+    oidcIssuerUrl: string;
+    oidcClientId: string;
+    oidcScope: string;
+};
+export declare class CloudWatchOidcAuth extends Construct {
+    readonly oidcIssuerUrl: string;
+    readonly oidcClientId: string;
+    readonly oidcScope: string;
+    readonly id: string;
+    constructor(scope: ConstructScope, id: ConstructId, props: Props);
+    addToDistributionDefinition<DistributionProps extends BaseSiteCdkDistributionProps>(scope: ConstructScope, { distributionDefinition, prefix, }: {
+        distributionDefinition: Mutable<DistributionProps>;
+        prefix?: string;
+    }): Mutable<DistributionProps>;
+    private getFunctionAssociation;
+    private getAuthBehaviorOptions;
+}
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/cdk-constructs/CloudWatchOidcAuth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAUvC,OAAO,EAAE,4BAA4B,EAAE,MAAM,4BAA4B,CAAC;AAG1E,KAAK,cAAc,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AACjE,KAAK,WAAW,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AAE9D,KAAK,OAAO,CAAC,CAAC,IAAI;IAChB,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CAC/B,CAAC;AAEF,KAAK,KAAK,GAAG;IACX,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,qBAAa,kBAAmB,SAAQ,SAAS;IAC/C,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;gBAER,KAAK,EAAE,cAAc,EAAE,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,KAAK;IAQhE,2BAA2B,CACzB,iBAAiB,SAAS,4BAA4B,EAEtD,KAAK,EAAE,cAAc,EACrB,EACE,sBAAsB,EACtB,MAAgB,GACjB,EAAE;QAAE,sBAAsB,EAAE,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IA6C5E,OAAO,CAAC,sBAAsB;IA2H9B,OAAO,CAAC,sBAAsB;CA0E/B"}

package/dist/cdk-constructs/CloudWatchOidcAuth/index.js

@@ -0,0 +1,195 @@
+import { Construct } from "constructs";
+import SecretsManager from "aws-cdk-lib/aws-secretsmanager";
+import CloudFront from "aws-cdk-lib/aws-cloudfront";
+import CDK from "aws-cdk-lib";
+import CdkCustomResources from "aws-cdk-lib/custom-resources";
+import Lambda from "aws-cdk-lib/aws-lambda";
+import { getFileContentsWithoutTypes } from "../../lib/utils/source-code.js";
+import * as SST from "sst/constructs";
+import { Config as SSTInternalConfig } from "sst/config.js";
+import CloudFrontOrigins from "aws-cdk-lib/aws-cloudfront-origins";
+import path from "node:path";
+export class CloudWatchOidcAuth extends Construct {
+    oidcIssuerUrl;
+    oidcClientId;
+    oidcScope;
+    id;
+    constructor(scope, id, props) {
+        super(scope, id);
+        this.oidcIssuerUrl = props.oidcIssuerUrl;
+        this.oidcClientId = props.oidcClientId;
+        this.oidcScope = props.oidcScope;
+        this.id = id;
+    }
+    addToDistributionDefinition(scope, { distributionDefinition, prefix = "/auth", }) {
+        console.log("------", import.meta.dirname, import.meta.url, import.meta.filename);
+        const updatedDistributionDefinition = { ...distributionDefinition };
+        const behaviourName = `${prefix.replace(/^\//g, "")}/*`;
+        updatedDistributionDefinition.additionalBehaviors =
+            updatedDistributionDefinition.additionalBehaviors
+                ? { ...updatedDistributionDefinition.additionalBehaviors }
+                : {};
+        if (updatedDistributionDefinition.additionalBehaviors[behaviourName]) {
+            throw new Error(`Behavior for prefix ${prefix} already exists in distribution definition`);
+        }
+        const jwtSecret = new SecretsManager.Secret(this, `${this.id}JwtSecret`, {
+            description: "JWT Signing Secret",
+            generateSecretString: {
+                passwordLength: 32,
+                excludePunctuation: true,
+                includeSpace: false,
+                requireEachIncludedType: true,
+            },
+            // Secret is only used for sessions so it's safe to delete on stack removal
+            removalPolicy: CDK.RemovalPolicy.DESTROY,
+        });
+        updatedDistributionDefinition.defaultBehavior = {
+            ...updatedDistributionDefinition.defaultBehavior,
+            functionAssociations: [
+                ...(updatedDistributionDefinition.defaultBehavior
+                    ?.functionAssociations || []),
+                this.getFunctionAssociation(scope, jwtSecret),
+            ],
+        };
+        updatedDistributionDefinition.additionalBehaviors[behaviourName] =
+            this.getAuthBehaviorOptions(scope, jwtSecret, prefix);
+        return updatedDistributionDefinition;
+    }
+    getFunctionAssociation(scope, jwtSecret) {
+        const cfKeyValueStore = new CloudFront.KeyValueStore(scope, `${this.id}CFKeyValueStore`);
+        const kvStoreId = cfKeyValueStore.keyValueStoreId; // Your KV store ID
+        const key = "jwt-secret";
+        const kvsArn = `arn:aws:cloudfront::${CDK.Stack.of(this).account}:key-value-store/${kvStoreId}`;
+        // Updating the KVM requires a valid ETag to be provided in the IfMatch parameter so we first must fetch the ETag
+        const getEtag = new CdkCustomResources.AwsCustomResource(this, `${this.id}GetKVStoreEtag`, {
+            installLatestAwsSdk: false, // No real benefit in our case for the cost of a longer execution time
+            onUpdate: {
+                // Since there's no onCreate, onUpdate will be called for CREATE events
+                service: "@aws-sdk/client-cloudfront-keyvaluestore",
+                action: "describeKeyValueStore",
+                parameters: { KvsARN: kvsArn },
+                // We include a timestamp in the physicalResourceId to ensure we fetch the latest etag on every update
+                physicalResourceId: CdkCustomResources.PhysicalResourceId.of(`${kvStoreId}-etag-${Date.now()}`),
+            },
+            policy: CdkCustomResources.AwsCustomResourcePolicy.fromSdkCalls({
+                resources: [kvsArn],
+            }),
+        });
+        const etag = getEtag.getResponseField("ETag");
+        // An annoying limitation of CloudFormation is that it won't resolve dynamic references for secrets when
+        // used as a parameter to a custom resource. To get around this we manually resolve it with another custom
+        // resource. Note this won't result in the secret being exposed in CloudFormation templates but it will
+        // be visible in the CloudWatch logs of the custom resource lambda. In our case that is acceptable.
+        // https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/341
+        const secretValue = new CdkCustomResources.AwsCustomResource(this, `${this.id}GetSecret`, {
+            // There's no real benefit of fetching the latest sdk our case for the cost of a longer execution time
+            installLatestAwsSdk: false,
+            // Since there's no onCreate, onUpdate will be called for CREATE events
+            onUpdate: {
+                service: "@aws-sdk/client-secrets-manager",
+                action: "getSecretValue",
+                parameters: {
+                    SecretId: jwtSecret.secretArn,
+                },
+                // We include a timestamp in the physicalResourceId to ensure we fetch the latest secret value on every update
+                physicalResourceId: CdkCustomResources.PhysicalResourceId.of(`${this.id}GetSecret-${Date.now()}`),
+            },
+            policy: CdkCustomResources.AwsCustomResourcePolicy.fromSdkCalls({
+                resources: [jwtSecret.secretArn],
+            }),
+        });
+        // Now we can actually update the KVS with the secret value
+        const putKeyValue = new CdkCustomResources.AwsCustomResource(this, `${this.id}PutKeyValue`, {
+            installLatestAwsSdk: false, // No real benefit in our case for the cost of a longer execution time
+            onUpdate: {
+                // Since there's no onCreate, onUpdate will be called for CREATE events
+                service: "@aws-sdk/client-cloudfront-keyvaluestore",
+                action: "putKey",
+                parameters: {
+                    KvsARN: kvsArn,
+                    Key: key,
+                    Value: secretValue.getResponseField("SecretString"),
+                    IfMatch: etag,
+                },
+                physicalResourceId: CdkCustomResources.PhysicalResourceId.of(`${kvStoreId}-${key}`),
+            },
+            policy: CdkCustomResources.AwsCustomResourcePolicy.fromSdkCalls({
+                resources: [kvsArn],
+            }),
+        });
+        // putKey in the @aws-sdk/client-cloudfront-keyvaluestore package requires @aws-sdk/signature-v4-crt to be imported
+        // as well. But AwsCustomResource doesn't give us direct access to the underlying Lambda function so we inject a
+        // NODE_OPTIONS env var to import on start. At some point AwsCustomResource will presumably switch to a later node
+        // version and we might need to update this to '--import=' instead of '--require='.
+        const fn = putKeyValue.node.findChild("Provider");
+        if (!(fn instanceof Lambda.SingletonFunction)) {
+            throw new Error("Could not find the underlying Lambda function of the AwsCustomResource");
+        }
+        fn.addEnvironment("NODE_OPTIONS", "--require=@aws-sdk/signature-v4-crt");
+        const edgeFuncAuthCheck = new CloudFront.Function(scope, `${this.id}EdgeFunctionAuthCheck`, {
+            code: CloudFront.FunctionCode.fromInline(getFileContentsWithoutTypes(path.join(import.meta.dirname, "auth-check.ts")).replace("__placeholder-for-jwt-secret-key__", key)),
+            runtime: CloudFront.FunctionRuntime.JS_2_0,
+            keyValueStore: cfKeyValueStore,
+        });
+        return {
+            function: edgeFuncAuthCheck,
+            eventType: CloudFront.FunctionEventType.VIEWER_REQUEST,
+        };
+    }
+    getAuthBehaviorOptions(scope, jwtSecret, prefix) {
+        const edgeFuncAuth = new SST.Function(scope, `${this.id}EdgeFunctionAuth`, {
+            runtime: "nodejs20.x",
+            handler: path.join(import.meta.dirname, "auth-route.handler"),
+            environment: {
+                OIDC_ISSUER_URL: this.oidcIssuerUrl,
+                OIDC_CLIENT_ID: this.oidcClientId,
+                OIDC_SCOPE: this.oidcScope,
+                JWT_SECRET: jwtSecret.secretValue.toString(),
+            },
+        });
+        // edgeFuncAuth uses SST's AuthHandler construct which is normally run inside a lambda that's
+        // created by SST's Auth construct. AuthHandler expects certain environment variables to be set
+        // by the Auth construct so we have to set them ourselves here to keep it happy.
+        const envVarName = SSTInternalConfig.envFor({
+            type: "Auth",
+            id: "id", // It seems like the env var will still be found no matter what this value is
+            prop: "prefix",
+        });
+        edgeFuncAuth.addEnvironment(envVarName, prefix);
+        const edgeFuncAuthUrl = edgeFuncAuth.addFunctionUrl({
+            authType: Lambda.FunctionUrlAuthType.NONE,
+        });
+        const forwardHostHeaderCfFunction = new CloudFront.Function(scope, `${this.id}ForwardHostHeaderFunction`, {
+            code: CloudFront.FunctionCode.fromInline(`
+        function handler(event) {
+          const request = event.request;
+          request.headers["x-forwarded-host"] = { value: request.headers.host.value };
+          return request;
+        }
+      `),
+            runtime: CloudFront.FunctionRuntime.JS_2_0,
+        });
+        return {
+            origin: new CloudFrontOrigins.HttpOrigin(CDK.Fn.parseDomainName(edgeFuncAuthUrl.url)),
+            allowedMethods: CloudFront.AllowedMethods.ALLOW_ALL,
+            cachePolicy: new CloudFront.CachePolicy(scope, `${this.id}AllowAllCookiesPolicy`, {
+                cachePolicyName: "AllowAllCookiesPolicy",
+                comment: "Cache policy that forwards all cookies",
+                defaultTtl: CDK.Duration.seconds(1),
+                minTtl: CDK.Duration.seconds(1),
+                maxTtl: CDK.Duration.seconds(1),
+                cookieBehavior: CloudFront.CacheCookieBehavior.all(),
+                headerBehavior: CloudFront.CacheHeaderBehavior.allowList("X-Forwarded-Host"),
+                queryStringBehavior: CloudFront.CacheQueryStringBehavior.all(),
+                enableAcceptEncodingGzip: true,
+                enableAcceptEncodingBrotli: true,
+            }),
+            functionAssociations: [
+                {
+                    function: forwardHostHeaderCfFunction,
+                    eventType: CloudFront.FunctionEventType.VIEWER_REQUEST,
+                },
+            ],
+        };
+    }
+}

package/dist/cdk-constructs/index.d.ts

@@ -6,4 +6,5 @@ export * from "./IxStaticSite.js";
 export * from "./IxElasticache.js";
 export * from "./IxApi.js";
 export * from "./IxQuicksightWorkspace.js";
+export * from "./CloudWatchOidcAuth/index.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/cdk-constructs/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cdk-constructs/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAC;AAClC,cAAc,oBAAoB,CAAC;AACnC,cAAc,kBAAkB,CAAC;AACjC,cAAc,mBAAmB,CAAC;AAClC,cAAc,mBAAmB,CAAC;AAClC,cAAc,oBAAoB,CAAC;AACnC,cAAc,YAAY,CAAC;AAC3B,cAAc,4BAA4B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cdk-constructs/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAC;AAClC,cAAc,oBAAoB,CAAC;AACnC,cAAc,kBAAkB,CAAC;AACjC,cAAc,mBAAmB,CAAC;AAClC,cAAc,mBAAmB,CAAC;AAClC,cAAc,oBAAoB,CAAC;AACnC,cAAc,YAAY,CAAC;AAC3B,cAAc,4BAA4B,CAAC;AAC3C,cAAc,+BAA+B,CAAC"}

package/dist/cdk-constructs/index.js

@@ -6,3 +6,4 @@ export * from "./IxStaticSite.js";
 export * from "./IxElasticache.js";
 export * from "./IxApi.js";
 export * from "./IxQuicksightWorkspace.js";
+export * from "./CloudWatchOidcAuth/index.js";

package/dist/deployConfig.d.ts

@@ -34,4 +34,39 @@ declare const _default: {
     smtpPort?: number | undefined;
 };
 export default _default;
+export declare const getDeployConfig: () => {
+    isIxDeploy: true;
+    appName: string;
+    environment: "dev" | "test" | "uat" | "prod";
+    workloadGroup: "ds" | "srs";
+    primaryAwsRegion: "ap-southeast-2";
+    siteDomains: string[];
+    siteDomainAliases: string[];
+    isInternalApp: boolean;
+    deploymentType: "docker" | "serverless";
+    sourceCommitRef: string;
+    sourceCommitHash: string;
+    deployTriggeredBy: string;
+    smtpHost: string;
+    smtpPort: number;
+    clamAVUrl: string;
+    vpcHttpProxy: string;
+} | {
+    isIxDeploy: false;
+    appName: string;
+    environment: string;
+    workloadGroup: string;
+    primaryAwsRegion: string;
+    siteDomains: string[];
+    siteDomainAliases: string[];
+    deploymentType: string;
+    sourceCommitRef: string;
+    sourceCommitHash: string;
+    deployTriggeredBy: string;
+    smtpHost: string;
+    clamAVUrl: string;
+    vpcHttpProxy: string;
+    isInternalApp?: boolean | undefined;
+    smtpPort?: number | undefined;
+};
 //# sourceMappingURL=deployConfig.d.ts.map

package/dist/deployConfig.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"deployConfig.d.ts","sourceRoot":"","sources":["../src/deployConfig.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkFA,wBAAqC"}
+{"version":3,"file":"deployConfig.d.ts","sourceRoot":"","sources":["../src/deployConfig.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmFA,wBAA0C;AAG1C,eAAO,MAAM,eAAe;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAAmC,CAAC"}

package/dist/deployConfig.js

@@ -1,5 +1,5 @@
 import { z } from "zod";
-const envVars = {
+const getEnvVars = () => ({
     isIxDeploy: process.env.IX_DEPLOYMENT?.toLowerCase() === "true", // This needs to start as a bool for the discriminated union
     appName: process.env.IX_APP_NAME ?? "",
     environment: process.env.IX_ENVIRONMENT ?? "",
@@ -16,7 +16,7 @@ const envVars = {
     smtpPort: process.env.SMTP_PORT ?? "",
     clamAVUrl: process.env.CLAMAV_URL ?? "",
     vpcHttpProxy: process.env.VPC_HTTP_PROXY ?? "",
-};
+});
 const ixDeployConfigSchema = z
     .object({
     isIxDeploy: z.literal(true),
@@ -73,4 +73,6 @@ const schema = z.discriminatedUnion("isIxDeploy", [
     ixDeployConfigSchema,
     nonIxDeployConfigSchema,
 ]);
-export default schema.parse(envVars);
+export default schema.parse(getEnvVars());
+// process.env values can change at runtime so we provide a way to re-parse the config as needed
+export const getDeployConfig = () => schema.parse(getEnvVars());

package/dist/lib/utils/source-code.d.ts

@@ -0,0 +1,2 @@
+export declare function getFileContentsWithoutTypes(filePath: string): string;
+//# sourceMappingURL=source-code.d.ts.map

package/dist/lib/utils/source-code.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"source-code.d.ts","sourceRoot":"","sources":["../../../src/lib/utils/source-code.ts"],"names":[],"mappings":"AAGA,wBAAgB,2BAA2B,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAUpE"}

package/dist/lib/utils/source-code.js

@@ -0,0 +1,12 @@
+import ts from "typescript";
+import fs from "fs";
+export function getFileContentsWithoutTypes(filePath) {
+    const source = fs.readFileSync(filePath, "utf8");
+    const result = ts.transpileModule(source, {
+        compilerOptions: {
+            module: ts.ModuleKind.ESNext,
+            target: ts.ScriptTarget.ES2020,
+        },
+    });
+    return result.outputText;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@infoxchange/make-it-so",
-  "version": "2.9.1",
+  "version": "2.10.0-internal-testing-vdt-199-add-oidc-auth.2",
   "description": "Makes deploying services to IX infra easy",
   "repository": "github:infoxchange/make-it-so",
   "type": "module",
@@ -30,6 +30,7 @@
     "@commitlint/prompt-cli": "^19.3.1",
     "@eslint/js": "^9.3.0",
     "@tsconfig/node21": "^21.0.3",
+    "@types/jsonwebtoken": "^9.0.10",
     "aws-cdk-lib": "2.142.1",
     "constructs": "^10.3.0",
     "eslint": "^8.57.0",
@@ -50,6 +51,7 @@
     "sst": "^2.0.0"
   },
   "dependencies": {
+    "jsonwebtoken": "^9.0.2",
     "zod": "^3.24.2"
   }
 }

package/src/cdk-constructs/CloudWatchOidcAuth/auth-check.ts

@@ -0,0 +1,161 @@
+// eslint-disable-next-line @typescript-eslint/ban-ts-comment
+// @ts-nocheck
+// Based off: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example_cloudfront_functions_kvs_jwt_verify_section.html
+
+import crypto from "crypto";
+// @ts-expect-error -- This library only exists in the CloudFront Functions runtime that this code runs in
+import cf from "cloudfront";
+
+//Response when JWT is not valid.
+// const response401 = {
+//     statusCode: 401,
+//     statusDescription: 'Unauthorized'
+// };
+const response401 = {
+  statusCode: 302,
+  headers: {
+    location: { value: "/auth/oidc/authorize" },
+  },
+};
+
+// Remember to associate the KVS with your function before calling the const kvsKey = 'jwt.secret'.
+// https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/kvs-with-functions-associate.html
+const kvsKey = "__placeholder-for-jwt-secret-key__";
+// set to true to enable console logging
+const loggingEnabled = true; // false;
+
+function jwt_decode(token, key, noVerify, algorithm) {
+  // check token
+  if (!token) {
+    throw new Error("No token supplied");
+  }
+  // check segments
+  const segments = token.split(".");
+  if (segments.length !== 3) {
+    throw new Error("Not enough or too many segments");
+  }
+
+  // All segment should be base64
+  const headerSeg = segments[0];
+  const payloadSeg = segments[1];
+  const signatureSeg = segments[2];
+
+  // base64 decode and parse JSON
+  const payload = JSON.parse(_base64urlDecode(payloadSeg));
+
+  if (!noVerify) {
+    const signingMethod = "sha256";
+    const signingType = "hmac";
+
+    // Verify signature. `sign` will return base64 string.
+    const signingInput = [headerSeg, payloadSeg].join(".");
+
+    if (!_verify(signingInput, key, signingMethod, signingType, signatureSeg)) {
+      throw new Error("Signature verification failed");
+    }
+
+    // Support for nbf and exp claims.
+    // According to the RFC, they should be in seconds.
+    if (payload.nbf && Date.now() < payload.nbf * 1000) {
+      throw new Error("Token not yet active");
+    }
+
+    if (payload.exp && Date.now() > payload.exp * 1000) {
+      throw new Error("Token expired");
+    }
+  }
+
+  return payload;
+}
+
+//Function to ensure a constant time comparison to prevent
+//timing side channels.
+function _constantTimeEquals(a, b) {
+  if (a.length != b.length) {
+    return false;
+  }
+
+  let xor = 0;
+  for (let i = 0; i < a.length; i++) {
+    xor |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+
+  return 0 === xor;
+}
+
+function _verify(input, key, method, type, signature) {
+  if (type === "hmac") {
+    return _constantTimeEquals(signature, _sign(input, key, method));
+  } else {
+    throw new Error("Algorithm type not recognized");
+  }
+}
+
+function _sign(input, key, method) {
+  return crypto.createHmac(method, key).update(input).digest("base64url");
+}
+
+function _base64urlDecode(str) {
+  return Buffer.from(str, "base64url");
+}
+
+async function handler(event) {
+  const request = event.request;
+
+  //Secret key used to verify JWT token.
+  //Update with your own key.
+  const secret_key = await getSecret();
+
+  if (!secret_key) {
+    return response401;
+  }
+
+  console.log("request");
+  console.log(request);
+  console.log(request.cookies);
+  console.log(request.cookies["auth-token"]);
+  console.log(Object.keys(request.cookies));
+  // console.logObject.keys(request.cookies))
+
+  // If no JWT token, then generate HTTP redirect 401 response.
+  if (!request.cookies["auth-token"]) {
+    log("Error: No JWT in the cookies");
+    return response401;
+  }
+
+  const jwtToken = request.cookies["auth-token"].value;
+
+  try {
+    jwt_decode(jwtToken, secret_key);
+  } catch (e) {
+    log(e);
+    return response401;
+  }
+
+  //Remove the JWT from the query string if valid and return.
+  delete request.querystring.jwt;
+  log("Valid JWT token");
+  return request;
+}
+
+const publicKey = `very-secret`;
+
+// get secret from key value store
+async function getSecret() {
+  //   console.log("auth key is:", publicKey)
+  //   return publicKey
+  // initialize cloudfront kv store and get the key value
+  try {
+    const kvsHandle = cf.kvs();
+    return await kvsHandle.get(kvsKey);
+  } catch (err) {
+    log(`Error reading value for key: ${kvsKey}, error: ${err}`);
+    return null;
+  }
+}
+
+function log(message) {
+  if (loggingEnabled) {
+    console.log(message);
+  }
+}

package/src/cdk-constructs/CloudWatchOidcAuth/auth-route.ts

@@ -0,0 +1,97 @@
+import { AuthHandler, OidcAdapter } from "sst/node/auth";
+import { Issuer } from "openid-client";
+import jwt from "jsonwebtoken";
+
+const oidcClientId = process.env.OIDC_CLIENT_ID;
+if (!oidcClientId) {
+  throw new Error("OIDC_CLIENT_ID not set");
+}
+const oidcIssuerUrl = process.env.OIDC_ISSUER_URL;
+if (!oidcIssuerUrl) {
+  throw new Error("OIDC_ISSUER_URL not set");
+}
+const oidcScope = process.env.OIDC_SCOPE;
+if (!oidcScope) {
+  throw new Error("OIDC_SCOPE not set");
+}
+const jwtSecret = process.env.JWT_SECRET;
+if (!jwtSecret) {
+  throw new Error("JWT_SECRET not set");
+}
+
+const oidcIssuerConfigUrl = new URL(
+  `${process.env.OIDC_ISSUER_URL?.replace(/\/$/, "")}/.well-known/openid-configuration`,
+);
+
+export const handler = convertApiGatewayHandlerToCloudFrontHandler(
+  AuthHandler({
+    providers: {
+      oidc: OidcAdapter({
+        issuer: await Issuer.discover(oidcIssuerConfigUrl.href),
+        clientID: oidcClientId,
+        scope: oidcScope,
+        onSuccess: async (tokenset) => {
+          console.log("tokenset", tokenset, tokenset.claims());
+
+          console.log("Config.jwtSecret:", jwtSecret);
+
+          // Payload to include in the token
+          const payload = {
+            userID: tokenset.claims().sub,
+          };
+
+          // Options (optional)
+          const options = {
+            algorithm: "HS256",
+            expiresIn: "1h",
+          } as const;
+
+          // Create the token
+          const token = jwt.sign(payload, jwtSecret, options);
+          const expires = new Date(
+            // @ ts-ignore error in GH action
+            Date.now() + 1000 * 60 * 60 * 24 * 7,
+          );
+          return {
+            statusCode: 302,
+            headers: {
+              location: "/",
+            },
+            cookies: [
+              `auth-token=${token}; HttpOnly; SameSite=None; Secure; Path=/; Expires=${expires}`,
+            ],
+          };
+          // return Session.cookie({
+          //   redirect: "https://openidconnect.net/callback",
+          //   type: "public",
+          //   properties: {
+          //     userID: tokenset.claims().sub,
+          //   },
+          // });
+        },
+      }),
+    },
+  }),
+);
+
+// @ts-expect-error - testing
+function convertApiGatewayHandlerToCloudFrontHandler(callback) {
+  // @ts-expect-error - testing
+  return async function (event, context) {
+    // Used by AuthHandler to create callback url sent to oidc server
+    event.requestContext.domainName = event.headers["x-forwarded-host"];
+    console.log("----", event, context);
+    // console.log("event", event)
+    // console.log("context", context)
+    const response = await callback(event, context);
+    // if (response.cookies) {
+    //   if (!response.headers) {
+    //     response.headers = {}
+    //   }
+    //   response.headers["set-cookie"] = response.cookies
+    // }
+    // response.headers.location += "&cake=blar"
+    // response.headers.foo = "bar"
+    return response;
+  };
+}

package/src/cdk-constructs/CloudWatchOidcAuth/index.ts

@@ -0,0 +1,290 @@
+import { Construct } from "constructs";
+import SecretsManager from "aws-cdk-lib/aws-secretsmanager";
+import CloudFront from "aws-cdk-lib/aws-cloudfront";
+import CDK from "aws-cdk-lib";
+import CdkCustomResources from "aws-cdk-lib/custom-resources";
+import Lambda from "aws-cdk-lib/aws-lambda";
+import { getFileContentsWithoutTypes } from "../../lib/utils/source-code.js";
+import * as SST from "sst/constructs";
+import { Config as SSTInternalConfig } from "sst/config.js";
+import CloudFrontOrigins from "aws-cdk-lib/aws-cloudfront-origins";
+import { BaseSiteCdkDistributionProps } from "sst/constructs/BaseSite.js";
+import path from "node:path";
+
+type ConstructScope = ConstructorParameters<typeof Construct>[0];
+type ConstructId = ConstructorParameters<typeof Construct>[1];
+
+type Mutable<T> = {
+  -readonly [P in keyof T]: T[P];
+};
+
+type Props = {
+  oidcIssuerUrl: string;
+  oidcClientId: string;
+  oidcScope: string;
+};
+
+export class CloudWatchOidcAuth extends Construct {
+  readonly oidcIssuerUrl: string;
+  readonly oidcClientId: string;
+  readonly oidcScope: string;
+  readonly id: string;
+
+  constructor(scope: ConstructScope, id: ConstructId, props: Props) {
+    super(scope, id);
+    this.oidcIssuerUrl = props.oidcIssuerUrl;
+    this.oidcClientId = props.oidcClientId;
+    this.oidcScope = props.oidcScope;
+    this.id = id;
+  }
+
+  addToDistributionDefinition<
+    DistributionProps extends BaseSiteCdkDistributionProps,
+  >(
+    scope: ConstructScope,
+    {
+      distributionDefinition,
+      prefix = "/auth",
+    }: { distributionDefinition: Mutable<DistributionProps>; prefix?: string },
+  ) {
+    console.log(
+      "------",
+      import.meta.dirname,
+      import.meta.url,
+      import.meta.filename,
+    );
+    const updatedDistributionDefinition = { ...distributionDefinition };
+    const behaviourName = `${prefix.replace(/^\//g, "")}/*`;
+    updatedDistributionDefinition.additionalBehaviors =
+      updatedDistributionDefinition.additionalBehaviors
+        ? { ...updatedDistributionDefinition.additionalBehaviors }
+        : {};
+    if (updatedDistributionDefinition.additionalBehaviors[behaviourName]) {
+      throw new Error(
+        `Behavior for prefix ${prefix} already exists in distribution definition`,
+      );
+    }
+
+    const jwtSecret = new SecretsManager.Secret(this, `${this.id}JwtSecret`, {
+      description: "JWT Signing Secret",
+      generateSecretString: {
+        passwordLength: 32,
+        excludePunctuation: true,
+        includeSpace: false,
+        requireEachIncludedType: true,
+      },
+      // Secret is only used for sessions so it's safe to delete on stack removal
+      removalPolicy: CDK.RemovalPolicy.DESTROY,
+    });
+
+    updatedDistributionDefinition.defaultBehavior = {
+      ...updatedDistributionDefinition.defaultBehavior,
+      functionAssociations: [
+        ...(updatedDistributionDefinition.defaultBehavior
+          ?.functionAssociations || []),
+        this.getFunctionAssociation(scope, jwtSecret),
+      ],
+    };
+    updatedDistributionDefinition.additionalBehaviors[behaviourName] =
+      this.getAuthBehaviorOptions(scope, jwtSecret, prefix);
+    return updatedDistributionDefinition;
+  }
+
+  private getFunctionAssociation(
+    scope: ConstructScope,
+    jwtSecret: SecretsManager.Secret,
+  ): CloudFront.FunctionAssociation {
+    const cfKeyValueStore = new CloudFront.KeyValueStore(
+      scope,
+      `${this.id}CFKeyValueStore`,
+    );
+
+    const kvStoreId = cfKeyValueStore.keyValueStoreId; // Your KV store ID
+    const key = "jwt-secret";
+    const kvsArn = `arn:aws:cloudfront::${CDK.Stack.of(this).account}:key-value-store/${kvStoreId}`;
+
+    // Updating the KVM requires a valid ETag to be provided in the IfMatch parameter so we first must fetch the ETag
+    const getEtag = new CdkCustomResources.AwsCustomResource(
+      this,
+      `${this.id}GetKVStoreEtag`,
+      {
+        installLatestAwsSdk: false, // No real benefit in our case for the cost of a longer execution time
+        onUpdate: {
+          // Since there's no onCreate, onUpdate will be called for CREATE events
+          service: "@aws-sdk/client-cloudfront-keyvaluestore",
+          action: "describeKeyValueStore",
+          parameters: { KvsARN: kvsArn },
+          // We include a timestamp in the physicalResourceId to ensure we fetch the latest etag on every update
+          physicalResourceId: CdkCustomResources.PhysicalResourceId.of(
+            `${kvStoreId}-etag-${Date.now()}`,
+          ),
+        },
+        policy: CdkCustomResources.AwsCustomResourcePolicy.fromSdkCalls({
+          resources: [kvsArn],
+        }),
+      },
+    );
+    const etag = getEtag.getResponseField("ETag");
+
+    // An annoying limitation of CloudFormation is that it won't resolve dynamic references for secrets when
+    // used as a parameter to a custom resource. To get around this we manually resolve it with another custom
+    // resource. Note this won't result in the secret being exposed in CloudFormation templates but it will
+    // be visible in the CloudWatch logs of the custom resource lambda. In our case that is acceptable.
+    // https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/341
+    const secretValue = new CdkCustomResources.AwsCustomResource(
+      this,
+      `${this.id}GetSecret`,
+      {
+        // There's no real benefit of fetching the latest sdk our case for the cost of a longer execution time
+        installLatestAwsSdk: false,
+        // Since there's no onCreate, onUpdate will be called for CREATE events
+        onUpdate: {
+          service: "@aws-sdk/client-secrets-manager",
+          action: "getSecretValue",
+          parameters: {
+            SecretId: jwtSecret.secretArn,
+          },
+          // We include a timestamp in the physicalResourceId to ensure we fetch the latest secret value on every update
+          physicalResourceId: CdkCustomResources.PhysicalResourceId.of(
+            `${this.id}GetSecret-${Date.now()}`,
+          ),
+        },
+        policy: CdkCustomResources.AwsCustomResourcePolicy.fromSdkCalls({
+          resources: [jwtSecret.secretArn],
+        }),
+      },
+    );
+
+    // Now we can actually update the KVS with the secret value
+    const putKeyValue = new CdkCustomResources.AwsCustomResource(
+      this,
+      `${this.id}PutKeyValue`,
+      {
+        installLatestAwsSdk: false, // No real benefit in our case for the cost of a longer execution time
+        onUpdate: {
+          // Since there's no onCreate, onUpdate will be called for CREATE events
+          service: "@aws-sdk/client-cloudfront-keyvaluestore",
+          action: "putKey",
+          parameters: {
+            KvsARN: kvsArn,
+            Key: key,
+            Value: secretValue.getResponseField("SecretString"),
+            IfMatch: etag,
+          },
+          physicalResourceId: CdkCustomResources.PhysicalResourceId.of(
+            `${kvStoreId}-${key}`,
+          ),
+        },
+        policy: CdkCustomResources.AwsCustomResourcePolicy.fromSdkCalls({
+          resources: [kvsArn],
+        }),
+      },
+    );
+
+    // putKey in the @aws-sdk/client-cloudfront-keyvaluestore package requires @aws-sdk/signature-v4-crt to be imported
+    // as well. But AwsCustomResource doesn't give us direct access to the underlying Lambda function so we inject a
+    // NODE_OPTIONS env var to import on start. At some point AwsCustomResource will presumably switch to a later node
+    // version and we might need to update this to '--import=' instead of '--require='.
+    const fn = putKeyValue.node.findChild("Provider");
+    if (!(fn instanceof Lambda.SingletonFunction)) {
+      throw new Error(
+        "Could not find the underlying Lambda function of the AwsCustomResource",
+      );
+    }
+    fn.addEnvironment("NODE_OPTIONS", "--require=@aws-sdk/signature-v4-crt");
+
+    const edgeFuncAuthCheck = new CloudFront.Function(
+      scope,
+      `${this.id}EdgeFunctionAuthCheck`,
+      {
+        code: CloudFront.FunctionCode.fromInline(
+          getFileContentsWithoutTypes(
+            path.join(import.meta.dirname, "auth-check.ts"),
+          ).replace("__placeholder-for-jwt-secret-key__", key),
+        ),
+        runtime: CloudFront.FunctionRuntime.JS_2_0,
+        keyValueStore: cfKeyValueStore,
+      },
+    );
+
+    return {
+      function: edgeFuncAuthCheck,
+      eventType: CloudFront.FunctionEventType.VIEWER_REQUEST,
+    };
+  }
+
+  private getAuthBehaviorOptions(
+    scope: ConstructScope,
+    jwtSecret: SecretsManager.Secret,
+    prefix: string,
+  ): CloudFront.BehaviorOptions {
+    const edgeFuncAuth = new SST.Function(scope, `${this.id}EdgeFunctionAuth`, {
+      runtime: "nodejs20.x",
+      handler: path.join(import.meta.dirname, "auth-route.handler"),
+      environment: {
+        OIDC_ISSUER_URL: this.oidcIssuerUrl,
+        OIDC_CLIENT_ID: this.oidcClientId,
+        OIDC_SCOPE: this.oidcScope,
+        JWT_SECRET: jwtSecret.secretValue.toString(),
+      },
+    });
+
+    // edgeFuncAuth uses SST's AuthHandler construct which is normally run inside a lambda that's
+    // created by SST's Auth construct. AuthHandler expects certain environment variables to be set
+    // by the Auth construct so we have to set them ourselves here to keep it happy.
+    const envVarName = SSTInternalConfig.envFor({
+      type: "Auth",
+      id: "id", // It seems like the env var will still be found no matter what this value is
+      prop: "prefix",
+    });
+    edgeFuncAuth.addEnvironment(envVarName, prefix);
+
+    const edgeFuncAuthUrl = edgeFuncAuth.addFunctionUrl({
+      authType: Lambda.FunctionUrlAuthType.NONE,
+    });
+    const forwardHostHeaderCfFunction = new CloudFront.Function(
+      scope,
+      `${this.id}ForwardHostHeaderFunction`,
+      {
+        code: CloudFront.FunctionCode.fromInline(`
+        function handler(event) {
+          const request = event.request;
+          request.headers["x-forwarded-host"] = { value: request.headers.host.value };
+          return request;
+        }
+      `),
+        runtime: CloudFront.FunctionRuntime.JS_2_0,
+      },
+    );
+
+    return {
+      origin: new CloudFrontOrigins.HttpOrigin(
+        CDK.Fn.parseDomainName(edgeFuncAuthUrl.url),
+      ),
+      allowedMethods: CloudFront.AllowedMethods.ALLOW_ALL,
+      cachePolicy: new CloudFront.CachePolicy(
+        scope,
+        `${this.id}AllowAllCookiesPolicy`,
+        {
+          cachePolicyName: "AllowAllCookiesPolicy",
+          comment: "Cache policy that forwards all cookies",
+          defaultTtl: CDK.Duration.seconds(1),
+          minTtl: CDK.Duration.seconds(1),
+          maxTtl: CDK.Duration.seconds(1),
+          cookieBehavior: CloudFront.CacheCookieBehavior.all(),
+          headerBehavior:
+            CloudFront.CacheHeaderBehavior.allowList("X-Forwarded-Host"),
+          queryStringBehavior: CloudFront.CacheQueryStringBehavior.all(),
+          enableAcceptEncodingGzip: true,
+          enableAcceptEncodingBrotli: true,
+        },
+      ),
+      functionAssociations: [
+        {
+          function: forwardHostHeaderCfFunction,
+          eventType: CloudFront.FunctionEventType.VIEWER_REQUEST,
+        },
+      ],
+    };
+  }
+}

package/src/cdk-constructs/index.ts

@@ -6,3 +6,4 @@ export * from "./IxStaticSite.js";
 export * from "./IxElasticache.js";
 export * from "./IxApi.js";
 export * from "./IxQuicksightWorkspace.js";
+export * from "./CloudWatchOidcAuth/index.js";

package/src/deployConfig.ts

@@ -1,23 +1,24 @@
 import { z } from "zod";
 
-const envVars = {
-  isIxDeploy: process.env.IX_DEPLOYMENT?.toLowerCase() === "true", // This needs to start as a bool for the discriminated union
-  appName: process.env.IX_APP_NAME ?? "",
-  environment: process.env.IX_ENVIRONMENT ?? "",
-  workloadGroup: process.env.IX_WORKLOAD_GROUP ?? "",
-  primaryAwsRegion: process.env.IX_PRIMARY_AWS_REGION ?? "",
-  siteDomains: process.env.IX_SITE_DOMAINS ?? "",
-  siteDomainAliases: process.env.IX_SITE_DOMAIN_ALIASES ?? "",
-  isInternalApp: process.env.IX_INTERNAL_APP ?? "",
-  deploymentType: process.env.IX_DEPLOYMENT_TYPE ?? "",
-  sourceCommitRef: process.env.IX_SOURCE_COMMIT_REF ?? "",
-  sourceCommitHash: process.env.IX_SOURCE_COMMIT_HASH ?? "",
-  deployTriggeredBy: process.env.IX_DEPLOY_TRIGGERED_BY ?? "",
-  smtpHost: process.env.SMTP_HOST ?? "",
-  smtpPort: process.env.SMTP_PORT ?? "",
-  clamAVUrl: process.env.CLAMAV_URL ?? "",
-  vpcHttpProxy: process.env.VPC_HTTP_PROXY ?? "",
-} satisfies Record<string, string | boolean>;
+const getEnvVars = () =>
+  ({
+    isIxDeploy: process.env.IX_DEPLOYMENT?.toLowerCase() === "true", // This needs to start as a bool for the discriminated union
+    appName: process.env.IX_APP_NAME ?? "",
+    environment: process.env.IX_ENVIRONMENT ?? "",
+    workloadGroup: process.env.IX_WORKLOAD_GROUP ?? "",
+    primaryAwsRegion: process.env.IX_PRIMARY_AWS_REGION ?? "",
+    siteDomains: process.env.IX_SITE_DOMAINS ?? "",
+    siteDomainAliases: process.env.IX_SITE_DOMAIN_ALIASES ?? "",
+    isInternalApp: process.env.IX_INTERNAL_APP ?? "",
+    deploymentType: process.env.IX_DEPLOYMENT_TYPE ?? "",
+    sourceCommitRef: process.env.IX_SOURCE_COMMIT_REF ?? "",
+    sourceCommitHash: process.env.IX_SOURCE_COMMIT_HASH ?? "",
+    deployTriggeredBy: process.env.IX_DEPLOY_TRIGGERED_BY ?? "",
+    smtpHost: process.env.SMTP_HOST ?? "",
+    smtpPort: process.env.SMTP_PORT ?? "",
+    clamAVUrl: process.env.CLAMAV_URL ?? "",
+    vpcHttpProxy: process.env.VPC_HTTP_PROXY ?? "",
+  }) satisfies Record<string, string | boolean>;
 
 const ixDeployConfigSchema = z
   .object({
@@ -41,7 +42,7 @@ const ixDeployConfigSchema = z
     smtpPort: z.coerce.number().int(),
     clamAVUrl: z.string().url(),
     vpcHttpProxy: z.string().url(),
-  } satisfies Record<keyof typeof envVars, unknown>)
+  } satisfies Record<keyof ReturnType<typeof getEnvVars>, unknown>)
   .strip();
 
 const nonIxDeployConfigSchema = z
@@ -72,7 +73,7 @@ const nonIxDeployConfigSchema = z
       ),
     clamAVUrl: z.string(),
     vpcHttpProxy: z.string(),
-  } satisfies Record<keyof typeof envVars, unknown>)
+  } satisfies Record<keyof ReturnType<typeof getEnvVars>, unknown>)
   .strip();
 
 const schema = z.discriminatedUnion("isIxDeploy", [
@@ -80,4 +81,7 @@ const schema = z.discriminatedUnion("isIxDeploy", [
   nonIxDeployConfigSchema,
 ]);
 
-export default schema.parse(envVars);
+export default schema.parse(getEnvVars());
+
+// process.env values can change at runtime so we provide a way to re-parse the config as needed
+export const getDeployConfig = () => schema.parse(getEnvVars());

package/src/lib/utils/source-code.ts

@@ -0,0 +1,14 @@
+import ts from "typescript";
+import fs from "fs";
+
+export function getFileContentsWithoutTypes(filePath: string): string {
+  const source = fs.readFileSync(filePath, "utf8");
+
+  const result = ts.transpileModule(source, {
+    compilerOptions: {
+      module: ts.ModuleKind.ESNext,
+      target: ts.ScriptTarget.ES2020,
+    },
+  });
+  return result.outputText;
+}