Merge pull request #160 from rekejarikre/main

Feature: Amplify Custom Domain

deployment/cognito.sh

@@ -24,9 +24,19 @@ fi
 
 cognitoUserpoolId=`aws cognito-idp list-user-pools --region $REGION --max-results 10 --output json | jq -r '.UserPools[] | select(.Name | contains("team06dbb7fc")) | .Id'`
 clientID=`aws cognito-idp list-user-pool-clients --region $REGION --user-pool-id $cognitoUserpoolId --output json | jq -r '.UserPoolClients[] | select(.ClientName | contains("clientWeb")) | .ClientId'`
-applicationURL=`aws amplify list-apps --region $REGION --output json | jq -r '.apps[] | select(.name=="TEAM-IDC-APP") | .defaultDomain' `
-appURL=`aws cognito-idp describe-user-pool-client --region $REGION --user-pool-id $cognitoUserpoolId --client-id $clientID --output json | jq -r '.UserPoolClient | .CallbackURLs[]'`
-callbackUrl="$appURL"
+
+
+amplifyAppId=`aws amplify list-apps --output json | jq -r '.apps[] | select(.name=="TEAM-IDC-APP") | .appId'`
+amplifyDomain=`aws amplify list-apps --output json | jq -r '.apps[] | select(.name=="TEAM-IDC-APP") | .defaultDomain'`
+amplifyDomain="main.$amplifyDomain"
+
+amplifyCustomDomains=`aws amplify list-domain-associations --app-id $amplifyAppId --output json`
+amplifyCustomDomain=`echo $amplifyCustomDomains | jq -r 'select(.domainAssociations | length > 0) | .domainAssociations[0].domainName'`
+
+if [ -n "$amplifyCustomDomain" ]; then
+  amplifyCustomDomainPrefix=$(echo $amplifyCustomDomains | jq -r 'select(.domainAssociations | length > 0) | .domainAssociations[0].subDomains[] | select(.subDomainSetting.branchName=="main") | .subDomainSetting.prefix')
+  amplifyDomain=$([ -z "$amplifyCustomDomainPrefix" ] && echo $amplifyCustomDomain || echo $amplifyCustomDomainPrefix.$amplifyCustomDomain)
+fi
 
 aws cognito-idp create-identity-provider --region $REGION --user-pool-id $cognitoUserpoolId --provider-name=IDC --provider-type SAML --provider-details file://details.json --attribute-mapping email=Email --idp-identifiers team
 aws cognito-idp update-user-pool-client --region $REGION --user-pool-id $cognitoUserpoolId \
@@ -35,6 +45,6 @@ aws cognito-idp update-user-pool-client --region $REGION --user-pool-id $cognito
 --supported-identity-providers IDC \
 --allowed-o-auth-flows code \
 --allowed-o-auth-scopes "phone" "email" "openid" "profile" "aws.cognito.signin.user.admin" \
---logout-urls $callbackUrl \
---callback-urls $callbackUrl \
---allowed-o-auth-flows-user-pool-client
+--logout-urls "https://$amplifyDomain/"  \
+--callback-urls "https://$amplifyDomain/" \
+--allowed-o-auth-flows-user-pool-client

deployment/deploy.sh

@@ -31,28 +31,55 @@ git remote add origin codecommit::$REGION://team-idc-app
 git push origin main
 
 cd ./deployment
-if [[ ! -z "$TAGS" ]];
-then
-  aws cloudformation deploy --region $REGION --template-file template.yml \
-  --stack-name TEAM-IDC-APP \
-  --parameter-overrides \
-    Login=$IDC_LOGIN_URL \
-    CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
-    teamAdminGroup="$TEAM_ADMIN_GROUP" \
-    teamAuditGroup="$TEAM_AUDITOR_GROUP" \
-    tags="$TAGS" \
-    teamAccount="$TEAM_ACCOUNT" \
-  --tags $TAGS \
-  --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM
+if [[ ! -z "$TAGS" ]]; then
+  if [[ ! -z "$UI_DOMAIN" ]]; then
+    aws cloudformation deploy --region $REGION --template-file template.yml \
+      --stack-name TEAM-IDC-APP \
+      --parameter-overrides \
+        Login=$IDC_LOGIN_URL \
+        CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
+        teamAdminGroup="$TEAM_ADMIN_GROUP" \
+        teamAuditGroup="$TEAM_AUDITOR_GROUP" \
+        tags="$TAGS" \
+        teamAccount="$TEAM_ACCOUNT" \
+        customAmplifyDomain="$UI_DOMAIN" \
+      --tags $TAGS \
+      --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM
+  else
+    aws cloudformation deploy --region $REGION --template-file template.yml \
+      --stack-name TEAM-IDC-APP \
+      --parameter-overrides \
+        Login=$IDC_LOGIN_URL \
+        CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
+        teamAdminGroup="$TEAM_ADMIN_GROUP" \
+        teamAuditGroup="$TEAM_AUDITOR_GROUP" \
+        tags="$TAGS" \
+        teamAccount="$TEAM_ACCOUNT" \
+      --tags $TAGS \
+      --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM
+  fi
 else
-  aws cloudformation deploy --region $REGION --template-file template.yml \
-  --stack-name TEAM-IDC-APP \
-  --parameter-overrides \
-    Login=$IDC_LOGIN_URL \
-    CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
-    teamAdminGroup="$TEAM_ADMIN_GROUP" \
-    teamAuditGroup="$TEAM_AUDITOR_GROUP" \
-    tags="$TAGS" \
-    teamAccount="$TEAM_ACCOUNT" \
-  --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM
+  if [[ ! -z "$UI_DOMAIN" ]]; then
+    aws cloudformation deploy --region $REGION --template-file template.yml \
+      --stack-name TEAM-IDC-APP \
+      --parameter-overrides \
+        Login=$IDC_LOGIN_URL \
+        CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
+        teamAdminGroup="$TEAM_ADMIN_GROUP" \
+        teamAuditGroup="$TEAM_AUDITOR_GROUP" \
+        teamAccount="$TEAM_ACCOUNT" \
+        tags="$TAGS" \
+        customAmplifyDomain="$UI_DOMAIN" \
+      --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM
+  else
+    aws cloudformation deploy --region $REGION --template-file template.yml \
+      --stack-name TEAM-IDC-APP \
+      --parameter-overrides \
+        Login=$IDC_LOGIN_URL \
+        CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
+        teamAdminGroup="$TEAM_ADMIN_GROUP" \
+        teamAuditGroup="$TEAM_AUDITOR_GROUP" \
+        teamAccount="$TEAM_ACCOUNT" \
+      --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM
+  fi
 fi

deployment/integration.sh

@@ -2,7 +2,7 @@
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
-# You may obtain a copy of the License ateiifccuguhukbglvivtflddnheicjudncrlcdhjtlucr
+# You may obtain a copy of the License 
 
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
@@ -27,15 +27,23 @@ green='\033[0;32m'
 clear='\033[0m'
 cognitoUserpoolId=`aws cognito-idp list-user-pools --region $REGION --max-results 10 --output json | jq -r '.UserPools[] | select(.Name | contains("team06dbb7fc")) | .Id'`
 cognitouserpoolhostedUIdomain=`aws cognito-idp describe-user-pool --region $REGION --user-pool-id $cognitoUserpoolId --output json | jq -r '.UserPool.Domain'`
-applicationURL=`aws amplify list-apps --region $REGION --output json | jq -r '.apps[] | select(.name=="TEAM-IDC-APP") | .defaultDomain' `
-clientID=`aws cognito-idp list-user-pool-clients --region $REGION --user-pool-id $cognitoUserpoolId --output json | jq -r '.UserPoolClients[] | select(.ClientName | contains("clientWeb")) | .ClientId'`
+cognitoClientWebClientID=`aws cognito-idp list-user-pool-clients --region $REGION --user-pool-id $cognitoUserpoolId --output json | jq -r '.UserPoolClients[] | select(.ClientName | contains("clientWeb")) | .ClientId'`
+cognitoHostedUIdomain=$cognitouserpoolhostedUIdomain.auth.$REGION.amazoncognito.com
 
-hostedUIdomain=$cognitouserpoolhostedUIdomain.auth.$REGION.amazoncognito.com
-appURL=https://main.$applicationURL
+amplifyAppId=`aws amplify list-apps --output json | jq -r '.apps[] | select(.name=="TEAM-IDC-APP") | .appId'`
+amplifyDomain=`aws amplify list-apps --output json | jq -r '.apps[] | select(.name=="TEAM-IDC-APP") | .defaultDomain'`
 
-applicationStartURL="https://$hostedUIdomain/authorize?client_id=$clientID&response_type=code&scope=aws.cognito.signin.user.admin+email+openid+phone+profile&redirect_uri=$appURL/&idp_identifier=team"
-applicationACSURL="https://$hostedUIdomain/saml2/idpresponse"
-applicationSAMLAudience="urn:amazon:cognito:sp:$cognitoUserpoolId"
+amplifyCustomDomains=`aws amplify list-domain-associations --app-id $amplifyAppId --output json`
+amplifyCustomDomain=`echo $amplifyCustomDomains | jq -r 'select(.domainAssociations | length > 0) | .domainAssociations[0].domainName'`
+
+if [ -n "$amplifyCustomDomain" ]; then
+  amplifyCustomDomainPrefix=$(echo $amplifyCustomDomains | jq -r 'select(.domainAssociations | length > 0) | .domainAssociations[0].subDomains[] | select(.subDomainSetting.branchName=="main") | .subDomainSetting.prefix')
+  amplifyDomain=$([ -z "$amplifyCustomDomainPrefix" ] && echo $amplifyCustomDomain || echo $amplifyCustomDomainPrefix.$amplifyCustomDomain)
+fi
 
+echo $amplifyDomain
+applicationStartURL="https://$cognitoHostedUIdomain/authorize?client_id=$cognitoClientWebClientID&response_type=code&scope=aws.cognito.signin.user.admin+email+openid+phone+profile&redirect_uri=https://$amplifyDomain/&idp_identifier=team"
+applicationACSURL="https://$cognitoHostedUIdomain/saml2/idpresponse"
+applicationSAMLAudience="urn:amazon:cognito:sp:$cognitoUserpoolId"
 
-printf "\n${green}applicationStartURL:${clear} %s\n${green}applicationACSURL:${clear} %s\n${green}applicationSAMLAudience:${clear} %s\n\n" "$applicationStartURL" "$applicationACSURL" "$applicationSAMLAudience"
+printf "\n${green}applicationStartURL:${clear} %s\n${green}applicationACSURL:${clear} %s\n${green}applicationSAMLAudience:${clear} %s\n\n" "$applicationStartURL" "$applicationACSURL" "$applicationSAMLAudience"

deployment/parameters-mgmt-template.sh

@@ -18,4 +18,5 @@ ORG_MASTER_PROFILE=org_master_profile
 TEAM_ADMIN_GROUP="team_admin_group_name"
 TEAM_AUDITOR_GROUP="team_auditor_group_name"
 TAGS="project=iam-identity-center-team environment=prod"
-CLOUDTRAIL_AUDIT_LOGS=read_write
+CLOUDTRAIL_AUDIT_LOGS=read_write
+UI_DOMAIN=portal.teamtest.online

deployment/parameters-template.sh

@@ -20,4 +20,5 @@ TEAM_ACCOUNT_PROFILE=team_account_profile
 TEAM_ADMIN_GROUP="team_admin_group_name"
 TEAM_AUDITOR_GROUP="team_auditor_group_name"
 TAGS="project=iam-identity-center-team environment=prod"
-CLOUDTRAIL_AUDIT_LOGS=read_write
+CLOUDTRAIL_AUDIT_LOGS=read_write
+UI_DOMAIN=portal.teamtest.online

deployment/template.yml

@@ -26,6 +26,10 @@ Parameters:
   teamAccount:
     Type: String
     Description: TEAM deployment account ID
+  customAmplifyDomain:
+    Type: String
+    Description: Custom domain for the TEAM application
+    Default: ""
 
 Conditions:
   IsEmptyCloudTrailAuditLogs: !Equals [!Ref CloudTrailAuditLogs, ""]
@@ -136,6 +140,8 @@ Resources:
           Value: !Ref teamAuditGroup
         - Name: TAGS
           Value: !Ref tags
+        - Name: AMPLIFY_CUSTOM_DOMAIN
+          Value: !Ref customAmplifyDomain
       Tags:
         - Key: Branch
           Value: main
@@ -212,4 +218,4 @@ Resources:
                 Resource: "*"
 Outputs:
   DefaultDomain:
-    Value: !GetAtt AmplifyApp.DefaultDomain
+    Value: !GetAtt AmplifyApp.DefaultDomain

deployment/update.sh

@@ -28,30 +28,57 @@ git remote add origin codecommit::$REGION://team-idc-app
 git remote add team https://github.com/aws-samples/iam-identity-center-team.git
 git pull team main
 
-if [[ ! -z "$TAGS" ]];
-then
-  aws cloudformation deploy --region $REGION --template-file template.yml \
-  --stack-name TEAM-IDC-APP \
-  --parameter-overrides \
-    Login=$IDC_LOGIN_URL \
-    CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
-    teamAdminGroup="$TEAM_ADMIN_GROUP" \
-    teamAuditGroup="$TEAM_AUDITOR_GROUP" \
-    tags="$TAGS" \
-    teamAccount="$TEAM_ACCOUNT" \
-  --tags $TAGS \
-  --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM
+if [[ ! -z "$TAGS" ]]; then
+  if [[ ! -z "$UI_DOMAIN" ]]; then
+    aws cloudformation deploy --region $REGION --template-file template.yml \
+      --stack-name TEAM-IDC-APP \
+      --parameter-overrides \
+        Login=$IDC_LOGIN_URL \
+        CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
+        teamAdminGroup="$TEAM_ADMIN_GROUP" \
+        teamAuditGroup="$TEAM_AUDITOR_GROUP" \
+        tags="$TAGS" \
+        teamAccount="$TEAM_ACCOUNT" \
+        customAmplifyDomain="$UI_DOMAIN" \
+      --tags $TAGS \
+      --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM
+  else
+    aws cloudformation deploy --region $REGION --template-file template.yml \
+      --stack-name TEAM-IDC-APP \
+      --parameter-overrides \
+        Login=$IDC_LOGIN_URL \
+        CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
+        teamAdminGroup="$TEAM_ADMIN_GROUP" \
+        teamAuditGroup="$TEAM_AUDITOR_GROUP" \
+        tags="$TAGS" \
+        teamAccount="$TEAM_ACCOUNT" \
+      --tags $TAGS \
+      --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM
+  fi
 else
-  aws cloudformation deploy --region $REGION --template-file template.yml \
-  --stack-name TEAM-IDC-APP \
-  --parameter-overrides \
-    Login=$IDC_LOGIN_URL \
-    CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
-    teamAdminGroup="$TEAM_ADMIN_GROUP" \
-    teamAuditGroup="$TEAM_AUDITOR_GROUP" \
-    tags="$TAGS" \
-    teamAccount="$TEAM_ACCOUNT" \
-  --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM
+  if [[ ! -z "$UI_DOMAIN" ]]; then
+    aws cloudformation deploy --region $REGION --template-file template.yml \
+      --stack-name TEAM-IDC-APP \
+      --parameter-overrides \
+        Login=$IDC_LOGIN_URL \
+        CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
+        teamAdminGroup="$TEAM_ADMIN_GROUP" \
+        teamAuditGroup="$TEAM_AUDITOR_GROUP" \
+        teamAccount="$TEAM_ACCOUNT" \
+        tags="$TAGS" \
+        customAmplifyDomain="$UI_DOMAIN" \
+      --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM
+  else
+    aws cloudformation deploy --region $REGION --template-file template.yml \
+      --stack-name TEAM-IDC-APP \
+      --parameter-overrides \
+        Login=$IDC_LOGIN_URL \
+        CloudTrailAuditLogs=$CLOUDTRAIL_AUDIT_LOGS \
+        teamAdminGroup="$TEAM_ADMIN_GROUP" \
+        teamAuditGroup="$TEAM_AUDITOR_GROUP" \
+        teamAccount="$TEAM_ACCOUNT" \
+      --no-fail-on-empty-changeset --capabilities CAPABILITY_NAMED_IAM
+  fi
 fi
 
 git push origin main

docs/docs/deployment/deployment_process.md

@@ -62,6 +62,7 @@ Optional:
   - `read` - record only read events
   - `write` - record only write events
   - `none` - disable event logging
+- **UI_DOMAIN** - Custom domain for Amplify hosted frontend application 
 
 For example:
 
@@ -75,6 +76,7 @@ TEAM_ADMIN_GROUP="team_admin_group_name"
 TEAM_AUDITOR_GROUP="team_auditor_group_name"
 TAGS="tag1=value1 tag2=value2"
 CLOUDTRAIL_AUDIT_LOGS=read_write
+UI_DOMAIN=portal.teamtest.online
 ```
 
 ---
@@ -126,6 +128,16 @@ Once the deployment script has completed execution and the cloudformation stack
 > It takes about 20 mins to complete the build and deployment of the Amplify application stack
 {: .note}
 
+## Custom Domain Registration
+> This step is optional and required only if you have included a **UI_DOMAIN** parameter and intend to use a custom domain for your TEAM deployment instead of the default amplify generated domain name. 
+
+Go to Amplify console: AWS AMPLIFY → All Apps → TEAM-IDC-APP → Domain Management → Add domain.
+
+![custom](../assets/images/custom.png)
+
+Follow instructions in Amplify documentation for more details on [setting up custom domains](https://docs.aws.amazon.com/amplify/latest/userguide/custom-domains.html)
+
+
 ## Verify app deployment
 Go to Amplify console: **AWS Amplify -> All apps -> TEAM-IDC-APP -> Hosting environments**. On the **Hosting environments** tab, click on the application URL to confirm that it was deployed successfully and you can access the TEAM application landing page as shown in the video below:
 

docs/docs/deployment/update.md

@@ -30,8 +30,28 @@ cd deployment
 
 Once the upgrade script has completed execution, go to the AWS Amplify console to monitor the status of the TEAM application build and deployment.
 
-## If upgrading from v1.0.0 - v1.0.5, re-set notifications settings
-TEAM v1.0.6 introduces additional notifications settings, and **will break the email notification configuration on previous versions**. After upgrading, navigate to the settings page and update the notification settings. To continue using email notifications, select Amazon SES and the notification service and set the source email address.
+## If upgrading to v1.1.1 (Custom Domain)
+> This step is optional and required only if you intend to use a custom domain for your TEAM deployment instead of the default amplify generated domain name.
+
+TEAM v1.1.1 introduces the use of custom domain instead of the default amplify generated domain name.
+To use a custom domain, ensure to update the **parameters.sh** in the **deployment** folder with **UI_DOMAIN** key and your custom domain name before running the **./update.sh** script.
+
+Follow the steps below to integrate your custom domain with amplify once the update deployment is complete.
+
+### Custom domain integration (If Using Custom Domain)
+
+Go to Amplify console: AWS AMPLIFY → All Apps → TEAM-IDC-APP → Domain Management → Add domain.
+![custom](../assets/images/custom.png)
+
+Follow instructions in Amplify documentation for more details on [setting up custom domains](https://docs.aws.amazon.com/amplify/latest/userguide/custom-domains.html)
+
+Execute the **integration.sh** script and update the applicationstartURL in AWS IAM Identity Center for your TEAM application
+
+Execute the **cognito.sh** script 
+
+> Ensure your custom domain is reflected in  Allowed Callback URLs and Allowed sign-out URLs 
+Amazon Cognito → User pools → $(User Pool Name) → App Integration → $(ClientWeb) → HostedUI
+
 
 ## Verify app deployment
 Go to Amplify console: **AWS Amplify -> All apps -> TEAM-IDC-APP -> Hosting environments**. On the **Hosting environments** tab, click on the application URL to confirm that it was deployed successfully and you can access the TEAM application landing page as shown in the video below:

parameters.js

@@ -6,7 +6,7 @@
 const fs = require("fs");
 const path = require("path");
 
-const { AWS_APP_ID, AWS_BRANCH, SSO_LOGIN, TEAM_ADMIN_GROUP, TEAM_AUDITOR_GROUP, TAGS, CLOUDTRAIL_AUDIT_LOGS, TEAM_ACCOUNT } = process.env;
+const { AWS_APP_ID, AWS_BRANCH, SSO_LOGIN, TEAM_ADMIN_GROUP, TEAM_AUDITOR_GROUP, TAGS, CLOUDTRAIL_AUDIT_LOGS, TEAM_ACCOUNT, AMPLIFY_CUSTOM_DOMAIN } = process.env;
 
 async function update_auth_parameters() {
   console.log(`updating amplify config for branch "${AWS_BRANCH}"...`);
@@ -24,12 +24,13 @@ async function update_auth_parameters() {
   );
   oAuthMetadata.CallbackURLs.pop();
   oAuthMetadata.LogoutURLs.pop();
-  oAuthMetadata.CallbackURLs.push(
-    `https://${AWS_BRANCH}.${AWS_APP_ID}.amplifyapp.com/`
-  );
-  oAuthMetadata.LogoutURLs.push(
-    `https://${AWS_BRANCH}.${AWS_APP_ID}.amplifyapp.com/`
-  );
+
+  const amplifyDomain = AMPLIFY_CUSTOM_DOMAIN ? `https://${AMPLIFY_CUSTOM_DOMAIN}/` :`https://${AWS_BRANCH}.${AWS_APP_ID}.amplifyapp.com/`
+
+  console.log("domain",amplifyDomain)
+  oAuthMetadata.CallbackURLs.push(amplifyDomain);
+  oAuthMetadata.LogoutURLs.push(amplifyDomain);
+
   authParametersJson.cognitoConfig.oAuthMetadata =
     JSON.stringify(oAuthMetadata);