raindancers-cloudfront 0.0.0 → 0.0.1

package/lib/bicep/azure-functions/custom-claims-provider/function_app.py

@@ -0,0 +1,164 @@
+import azure.functions as func
+import logging
+import json
+import asyncio
+from azure.identity import DefaultAzureCredential
+from msgraph import GraphServiceClient
+
+app = func.FunctionApp()
+
+@app.function_name(name="CustomClaimsProvider")
+@app.route(route="CustomClaimsProvider", auth_level=func.AuthLevel.ANONYMOUS)
+async def token_issuance_start(req: func.HttpRequest) -> func.HttpResponse:
+    """
+    Azure Function for Custom Claims Provider - Token Issuance Start Event
+    
+    Receives token issuance event from Azure AD, queries user's app role assignments,
+    and returns separate AWS session tag claims for each role.
+    """
+    logging.info('Token issuance start event received')
+    
+    try:
+        # Parse request body from Azure AD
+        req_body = req.get_json()
+        
+        # Extract user ID and application service principal ID from authentication context
+        user_id = req_body['data']['authenticationContext']['user']['id']
+        app_service_principal_id = req_body['data']['authenticationContext']['clientServicePrincipal']['id']
+        
+        logging.info(f'Processing token issuance for user: {user_id}, app: {app_service_principal_id}')
+        
+        # Get user's app role assignments from Microsoft Graph API
+        roles = await get_user_roles(user_id, app_service_principal_id)
+        
+        claims = {}
+        if roles:
+            claims['Roles'] = ':' + ':'.join(roles) + ':'
+        logging.info(f'Emitting Roles claim: {claims.get("Roles", "(empty)")}')
+        
+        # Return response in format Azure AD expects
+        response = {
+            "data": {
+                "@odata.type": "microsoft.graph.onTokenIssuanceStartResponseData",
+                "actions": [
+                    {
+                        "@odata.type": "microsoft.graph.tokenIssuanceStart.provideClaimsForToken",
+                        "claims": claims
+                    }
+                ]
+            }
+        }
+        
+        return func.HttpResponse(
+            body=json.dumps(response),
+            mimetype="application/json",
+            status_code=200
+        )
+        
+    except Exception as e:
+        logging.error(f'Error processing token issuance event: {str(e)}')
+        # Return empty claims on error to allow authentication to proceed
+        return create_empty_response()
+
+
+async def get_user_roles(user_id: str, app_service_principal_id: str) -> list:
+    """
+    Query Microsoft Graph API to get user's app role assignments for a specific application.
+    
+    Uses Managed Identity (DefaultAzureCredential) for authentication.
+    Returns list of role display names (e.g., ["Animals", "PowerUsers"]).
+    
+    Args:
+        user_id: User's object ID
+        app_service_principal_id: Service principal ID of the application requesting the token
+    """
+    try:
+        # Authenticate using Managed Identity
+        credential = DefaultAzureCredential()
+        scopes = ['https://graph.microsoft.com/.default']
+        
+        # Create Graph API client
+        client = GraphServiceClient(credentials=credential, scopes=scopes)
+        
+        # Query user's app role assignments
+        # GET /users/{user-id}/appRoleAssignments
+        result = await client.users.by_user_id(user_id).app_role_assignments.get()
+        
+        if not result or not result.value:
+            logging.info(f'No app role assignments found for user {user_id}')
+            return []
+        
+        # Extract role display names from assignments for THIS application only
+        roles = []
+        for assignment in result.value:
+            # Only process assignments for the application requesting the token
+            if str(assignment.resource_id) == app_service_principal_id:
+                app_role_id = assignment.app_role_id
+                
+                if app_role_id:
+                    role_name = await get_role_name(client, app_service_principal_id, app_role_id)
+                    if role_name:
+                        roles.append(role_name)
+        
+        logging.info(f'Found {len(roles)} roles for user {user_id}: {roles}')
+        return roles
+        
+    except Exception as e:
+        logging.error(f'Error querying user roles from Graph API: {str(e)}')
+        return []
+
+
+async def get_role_name(client: GraphServiceClient, resource_id: str, app_role_id: str) -> str:
+    """
+    Get role display name by querying the service principal's app role definitions.
+    
+    Args:
+        client: Graph API client
+        resource_id: Service principal object ID
+        app_role_id: App role ID (GUID)
+    
+    Returns:
+        Role display name (e.g., "Animals") or None if not found
+    """
+    try:
+        # GET /servicePrincipals/{resource-id}
+        service_principal = await client.service_principals.by_service_principal_id(resource_id).get()
+        
+        if not service_principal or not service_principal.app_roles:
+            return None
+        
+        # Find the app role by ID
+        for app_role in service_principal.app_roles:
+            if str(app_role.id) == str(app_role_id):
+                return app_role.display_name
+        
+        return None
+        
+    except Exception as e:
+        logging.error(f'Error getting role name: {str(e)}')
+        return None
+
+
+def create_empty_response() -> func.HttpResponse:
+    """
+    Create response with empty claims object.
+    Used when no roles found or error occurs.
+    """
+    response = {
+        "data": {
+            "@odata.type": "microsoft.graph.onTokenIssuanceStartResponseData",
+            "actions": [
+                {
+                    "@odata.type": "microsoft.graph.tokenIssuanceStart.provideClaimsForToken",
+                    "claims": {}
+                }
+            ]
+        }
+    }
+    
+    return func.HttpResponse(
+        body=json.dumps(response),
+        mimetype="application/json",
+        status_code=200
+    )
+

package/lib/bicep/azure-functions/custom-claims-provider/host.json

@@ -0,0 +1,10 @@
+{
+  "version": "2.0",
+  "logging": {
+    "applicationInsights": {
+      "samplingSettings": {
+        "isEnabled": true
+      }
+    }
+  }
+}

package/lib/bicep/azure-functions/custom-claims-provider/requirements.txt

@@ -0,0 +1,8 @@
+# Azure Functions runtime
+azure-functions
+
+# Azure Identity for Managed Identity authentication
+azure-identity>=1.15.0
+
+# Microsoft Graph SDK for Python
+msgraph-sdk>=1.0.0

package/lib/bicep/deploy/lambda/Dockerfile

@@ -0,0 +1,10 @@
+FROM public.ecr.aws/lambda/python:3.12
+
+RUN pip install --upgrade boto3 botocore --no-cache-dir && \
+    pip install azure-cli --no-cache-dir
+
+RUN az bicep install
+
+COPY index.py ${LAMBDA_TASK_ROOT}
+
+CMD ["index.handler"]

package/lib/bicep/deploy/lambda/index.py

@@ -0,0 +1,341 @@
+import json
+import os
+import subprocess
+import time
+import boto3
+import urllib.request
+import urllib.parse
+import traceback
+
+sts = boto3.client('sts')
+s3 = boto3.client('s3')
+
+def handler(event, context):
+    """Main handler with CloudFormation response handling"""
+    response_url = event.get('ResponseURL')
+    
+    try:
+        request_type = event['RequestType']
+        
+        if request_type == 'Create':
+            result = on_create(event)
+        elif request_type == 'Update':
+            result = on_update(event)
+        elif request_type == 'Delete':
+            result = on_delete(event)
+        else:
+            raise Exception(f'Unknown request type: {request_type}')
+        
+        # Send success response to CloudFormation
+        if response_url:
+            send_response(event, context, 'SUCCESS', result)
+        return result
+        
+    except Exception as e:
+        print(f'Error: {str(e)}')
+        print(traceback.format_exc())
+        
+        # Send failure response to CloudFormation
+        if response_url:
+            send_response(event, context, 'FAILED', {
+                'PhysicalResourceId': event.get('PhysicalResourceId', 'NONE'),
+            }, reason=str(e)[:3000])
+        
+        raise
+
+def send_response(event, context, status, data, reason=None):
+    """Send response to CloudFormation"""
+    response_body = {
+        'Status': status,
+        'Reason': reason or f'See CloudWatch Log Stream: {context.log_stream_name}',
+        'PhysicalResourceId': data.get('PhysicalResourceId', context.log_stream_name),
+        'StackId': event['StackId'],
+        'RequestId': event['RequestId'],
+        'LogicalResourceId': event['LogicalResourceId'],
+        'Data': data.get('Data', {})
+    }
+    
+    json_response = json.dumps(response_body)
+    print(f'DEBUG: Response body size: {len(json_response)} bytes')
+    print(f'DEBUG: Response body: {json_response[:500]}...')  # Log first 500 chars
+    
+    headers = {
+        'Content-Type': '',
+        'Content-Length': str(len(json_response))
+    }
+    
+    req = urllib.request.Request(
+        event['ResponseURL'],
+        data=json_response.encode('utf-8'),
+        headers=headers,
+        method='PUT'
+    )
+    
+    try:
+        with urllib.request.urlopen(req) as response:
+            print(f'CloudFormation response status: {response.status}')
+    except Exception as e:
+        print(f'Failed to send response to CloudFormation: {str(e)}')
+
+def on_create(event):
+    props = event['ResourceProperties']
+    
+    login_azure_federated(
+        props['AzureClientId'],
+        props['AzureTenantId'],
+        props['AzureSubscriptionId']
+    )
+    
+    deployment_name = props['DeploymentName']
+    resource_group = props['ResourceGroupName']
+    template_file = props['TemplateFile']
+    parameters = json.loads(props['Parameters'])
+    
+    result = deploy_bicep(deployment_name, resource_group, template_file, parameters)
+    
+    if props.get('FunctionCodeS3Bucket'):
+        deploy_function_code(
+            s3_bucket=props['FunctionCodeS3Bucket'],
+            s3_key=props['FunctionCodeS3Key'],
+            function_app_name=result['outputs']['functionAppName'],
+            resource_group=resource_group,
+        )
+    
+    # Only return essential outputs to stay under CloudFormation 4KB response limit
+    essential_outputs = {k: v for k, v in result['outputs'].items() if k in ['appId', 'tenantId']}
+    
+    response_data = {
+        'PhysicalResourceId': deployment_name,
+        'Data': essential_outputs
+    }
+    print(f'DEBUG: Returning response data: {json.dumps(response_data, indent=2)}')
+    return response_data
+
+def deploy_function_code(s3_bucket, s3_key, function_app_name, resource_group):
+    """Upload zip to Azure blob storage, set WEBSITE_RUN_FROM_PACKAGE to SAS URL"""
+    zip_path = '/tmp/function-code.zip'
+
+    print(f'Downloading function code from s3://{s3_bucket}/{s3_key}')
+    s3.download_file(s3_bucket, s3_key, zip_path)
+
+    # Get storage account name from function app
+    result = subprocess.run([
+        'az', 'functionapp', 'show',
+        '--name', function_app_name,
+        '--resource-group', resource_group,
+        '--query', 'storageAccountRequired',
+        '--output', 'tsv',
+    ], capture_output=True, text=True, check=True)
+
+    # Get storage account linked to the function app
+    result = subprocess.run([
+        'az', 'functionapp', 'config', 'appsettings', 'list',
+        '--name', function_app_name,
+        '--resource-group', resource_group,
+        '--query', "[?name=='AzureWebJobsStorage'].value",
+        '--output', 'tsv',
+    ], capture_output=True, text=True, check=True)
+    conn_str = result.stdout.strip()
+
+    # Extract account name from connection string
+    storage_account_name = next(
+        part.split('=', 1)[1] for part in conn_str.split(';') if part.startswith('AccountName=')
+    )
+
+    container = 'function-releases'
+    blob_name = f'{function_app_name}.zip'
+
+    # Create container if it doesn't exist
+    subprocess.run([
+        'az', 'storage', 'container', 'create',
+        '--name', container,
+        '--account-name', storage_account_name,
+    ], check=True)
+
+    # Upload zip
+    subprocess.run([
+        'az', 'storage', 'blob', 'upload',
+        '--account-name', storage_account_name,
+        '--container-name', container,
+        '--name', blob_name,
+        '--file', zip_path,
+        '--overwrite',
+    ], check=True)
+
+    # Generate SAS URL with account key (long expiry)
+    result = subprocess.run([
+        'az', 'storage', 'blob', 'generate-sas',
+        '--account-name', storage_account_name,
+        '--container-name', container,
+        '--name', blob_name,
+        '--permissions', 'r',
+        '--expiry', '2036-01-01T00:00:00Z',
+        '--output', 'tsv',
+    ], capture_output=True, text=True, check=True)
+    sas_token = result.stdout.strip()
+
+    blob_url = f'https://{storage_account_name}.blob.core.windows.net/{container}/{blob_name}?{sas_token}'
+
+    # Set WEBSITE_RUN_FROM_PACKAGE
+    subprocess.run([
+        'az', 'functionapp', 'config', 'appsettings', 'set',
+        '--name', function_app_name,
+        '--resource-group', resource_group,
+        '--settings', f'WEBSITE_RUN_FROM_PACKAGE={blob_url}',
+    ], check=True)
+
+    print(f'Deployed function code to {function_app_name} via WEBSITE_RUN_FROM_PACKAGE')
+
+
+def on_update(event):
+    return on_create(event)
+
+def on_delete(event):
+    """Handle delete - if resource never created successfully, just return success"""
+    physical_resource_id = event.get('PhysicalResourceId', 'NONE')
+    
+    # If the resource was never created (PhysicalResourceId is NONE or missing),
+    # just return success without trying to delete anything
+    if not physical_resource_id or physical_resource_id == 'NONE':
+        return {'PhysicalResourceId': physical_resource_id}
+    
+    props = event['ResourceProperties']
+    deployment_name = physical_resource_id
+    
+    try:
+        login_azure_federated(
+            props['AzureClientId'],
+            props['AzureTenantId'],
+            props['AzureSubscriptionId']
+        )
+        
+        subprocess.run([
+            'az', 'deployment', 'group', 'delete',
+            '--name', deployment_name,
+            '--resource-group', props['ResourceGroupName'],
+            '--yes'
+        ], check=True)
+    except Exception as e:
+        # Log the error but don't fail the delete
+        # CloudFormation should be able to clean up even if Azure delete fails
+        print(f'Warning: Failed to delete Azure deployment: {str(e)}')
+    
+    return {'PhysicalResourceId': deployment_name}
+
+def login_azure_federated(client_id, tenant_id, subscription_id):
+    """Authenticate to Azure using AWS IAM Outbound Identity Federation"""
+    
+    # Set HOME to /tmp so all tools use writable directory
+    os.environ['HOME'] = '/tmp'
+    # Set Azure CLI config directory to /tmp (Lambda's writable directory)
+    os.environ['AZURE_CONFIG_DIR'] = '/tmp/.azure'
+    # Set .NET bundle extract directory to /tmp (required for Bicep)
+    os.environ['DOTNET_BUNDLE_EXTRACT_BASE_DIR'] = '/tmp'
+    # Run Bicep without globalization support (sufficient for IaC)
+    os.environ['DOTNET_SYSTEM_GLOBALIZATION_INVARIANT'] = '1'
+    
+    # Use AWS IAM Outbound Identity Federation to get a JWT token
+    # This requires the feature to be enabled in the AWS account
+    # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_outbound.html
+    
+    try:
+        # GetWebIdentityToken requires specific parameters
+        response = sts._make_api_call(
+            'GetWebIdentityToken',
+            {
+                'Audience': ['api://AzureADTokenExchange'],  # Must be a list
+                'DurationSeconds': 3600,
+                'SigningAlgorithm': 'RS256'  # Required parameter
+            }
+        )
+        
+        aws_jwt_token = response['WebIdentityToken']
+        
+    except Exception as e:
+        error_msg = str(e)
+        if 'Unknown operation' in error_msg or 'InvalidAction' in error_msg:
+            raise Exception(
+                'GetWebIdentityToken API not available. '
+                'This requires: 1) boto3 version 1.35.36 or later, '
+                '2) Outbound identity federation enabled in your AWS account. '
+                'See: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_outbound_getting_started.html'
+            )
+        raise Exception(f'Failed to get AWS OIDC token: {error_msg}')
+    
+    # Login to Azure CLI with the AWS JWT token (federated token)
+    # The Azure CLI will exchange this token internally
+    subprocess.run([
+        'az', 'login',
+        '--service-principal',
+        '--username', client_id,
+        '--tenant', tenant_id,
+        '--federated-token', aws_jwt_token
+    ], check=True)
+    
+    # Set subscription
+    subprocess.run([
+        'az', 'account', 'set',
+        '--subscription', subscription_id
+    ], check=True)
+
+def wait_for_deployments(resource_group, poll_interval=15, timeout=600):
+    """Wait until no deployments in the resource group are in Running state"""
+    deadline = time.time() + timeout
+    while time.time() < deadline:
+        result = subprocess.run([
+            'az', 'deployment', 'group', 'list',
+            '--resource-group', resource_group,
+            '--query', "[?properties.provisioningState=='Running'].name",
+            '--output', 'json'
+        ], capture_output=True, text=True, check=True)
+        running = json.loads(result.stdout)
+        if not running:
+            return
+        print(f'Waiting for running deployments: {running}')
+        time.sleep(poll_interval)
+    raise Exception(f'Timed out waiting for running deployments in {resource_group}')
+
+def deploy_bicep(name, resource_group, template_file, parameters):
+    # Write template content to a file in /tmp
+    template_path = f'/tmp/{name}.bicep'
+    with open(template_path, 'w') as f:
+        f.write(template_file)
+    
+    param_args = []
+    for key, value in parameters.items():
+        param_args.extend(['--parameters', f'{key}={value}'])
+
+    cmd = [
+        'az', 'deployment', 'group', 'create',
+        '--name', name,
+        '--resource-group', resource_group,
+        '--template-file', template_path,
+        *param_args,
+        '--query', '{outputs:properties.outputs}',
+        '--output', 'json'
+    ]
+
+    result = subprocess.run(cmd, capture_output=True, text=True)
+
+    if result.returncode != 0 and 'DeploymentActive' in result.stderr:
+        print('DeploymentActive detected — waiting for running deployments to finish')
+        wait_for_deployments(resource_group)
+        result = subprocess.run(cmd, capture_output=True, text=True)
+
+    if result.returncode != 0:
+        error_msg = f'Bicep deployment failed.\nSTDOUT: {result.stdout}\nSTDERR: {result.stderr}'
+        print(error_msg)
+        raise Exception(error_msg)
+    
+    deployment = json.loads(result.stdout)
+    print(f'DEBUG: Deployment response: {json.dumps(deployment, indent=2)}')
+    
+    outputs = {}
+    deployment_outputs = deployment.get('outputs', {})
+    print(f'DEBUG: Deployment outputs: {json.dumps(deployment_outputs, indent=2)}')
+    
+    for key, value in deployment_outputs.items():
+        outputs[key] = value['value']
+    
+    print(f'DEBUG: Extracted outputs: {json.dumps(outputs, indent=2)}')
+    return {'outputs': outputs}

package/lib/bicep/patterns/scripts/LOCALDEBUGREADME.md

@@ -0,0 +1,86 @@
+# Local Debugging: wire-custom-claims-extension.sh
+
+## How the script runs in deployment vs locally
+
+### Deployment mode (default)
+In deployment, this script runs inside an Azure `DeploymentScript` resource, executed by a managed identity that has been granted the required Graph application permissions. The managed identity authenticates via the Azure CLI (`az account get-access-token`), which works automatically in that container environment.
+
+### Local mode
+Locally, the `az` CLI uses your personal delegated token, which does **not** have the Graph application permissions (`CustomAuthenticationExtension.ReadWrite.All`, `EventListener.ReadWrite.All`, `Policy.ReadWrite.ApplicationConfiguration`, `Policy.Read.All`, `Application.ReadWrite.All`) needed by this script. You must use a service principal with those permissions granted via `client_credentials` instead.
+
+## Running locally
+
+### Step 1: Create a test service principal
+
+Run the setup script once to create an app registration with the required Graph application permissions:
+
+```bash
+bash scripts/setup-test-sp.sh
+```
+
+This outputs `TEST_TENANT_ID`, `TEST_CLIENT_ID`, and `TEST_CLIENT_SECRET`. Export them:
+
+```bash
+export TEST_TENANT_ID=<value>
+export TEST_CLIENT_ID=<value>
+export TEST_CLIENT_SECRET=<value>
+```
+
+### Step 2: Set the script's required environment variables
+
+These are the same env vars the `DeploymentScript` injects at deployment time. Get the values from the deployed Azure resources:
+
+```bash
+export FUNCTION_HOSTNAME="<function-app-hostname>"   # e.g. clf-claims-func-6qx5xi3p.azurewebsites.net
+export FUNCTION_APP_ID="<function-app-registration-appId>"
+export CLF_APP_ID="<clf-app-registration-appId>"
+export EXT_DISPLAY_NAME="<namePrefix>-claims-provider"  # e.g. clf-claims-provider
+```
+
+### Step 3: Run the script
+
+```bash
+bash src/constructsForPackaging/cdk-bicep/src/patterns/scripts/wire-custom-claims-extension.sh
+```
+
+When `TEST_CLIENT_ID` is set, the script automatically uses `client_credentials` to obtain a token. When it is not set (deployment), it uses `az account get-access-token`.
+
+### Step 4: Clean up the test service principal
+
+```bash
+az ad app delete --id $TEST_CLIENT_ID
+```
+
+## Why we use curl instead of az rest
+
+Microsoft's recommended pattern for calling Graph API from Azure CLI DeploymentScripts is `az rest`, which handles authentication automatically using the managed identity context. However, this script uses raw `curl` with manual token management for a specific reason: the permission propagation retry loop.
+
+The retry loop acquires a token, decodes the JWT payload, and inspects the `roles` claim to verify all required Graph permissions have propagated before proceeding. `az rest` acquires its own token internally and doesn't expose it, making JWT inspection impossible. Manual token management via `az account get-access-token` is therefore required to support this retry logic.
+
+If the propagation retry is ever removed, the script should be refactored to use `az rest`.
+
+## Why delegated az CLI tokens don't work
+
+The `az` CLI authenticates as the Microsoft Azure CLI app registration, which has not been granted the required Graph **application** permissions in your tenant. You will see errors like `"The application does not have any of the required delegated permissions"`. The test SP uses `client_credentials` which grants application permissions — exactly replicating what the managed identity does in deployment.
+
+## Known issue: `set -x` causes deployment failures
+
+Do **not** add `set -x` to this script for deployment debugging. The script acquires a Graph JWT (~2KB) and `set -x` prints every command with its full arguments, including `TOKEN=<full JWT>` and `Authorization: Bearer <full JWT>` on every curl call. With 6 retry iterations this easily exceeds Azure's 256KB aggregated error message limit, causing the deployment to fail with:
+
+```
+The aggregated deployment error is too large. Please list deployment operations to get the deployment details.
+```
+
+To debug deployment failures, use `az deployment-scripts show-log` after the script runs, or add targeted `echo` statements instead of `set -x`.
+
+## Known issue: permission propagation race condition
+
+The managed identity's Graph app role assignments (`Policy.Read.All`, `Policy.ReadWrite.ApplicationConfiguration`, `Application.ReadWrite.All`, etc.) are created in the same Bicep deployment as the DeploymentScript. Entra may not have propagated these permissions by the time the script runs, causing the token to be missing required roles.
+
+The script handles this with a retry loop at startup: it acquires a token, decodes the JWT, checks all required roles are present, and retries up to 6 times with 20s gaps (120s total) before failing. You will see output like:
+
+```
+Waiting for role propagation (attempt 1/6), missing: Policy.Read.All Policy.ReadWrite.ApplicationConfiguration
+```
+
+This is expected on fresh deployments. If it fails after 120s, check the managed identity's app role assignments in Entra.