feat: Onboarding CSP - OIDC Client#2175
Conversation
There was a problem hiding this comment.
Pull request overview
This PR adds Terraform-managed Amazon Cognito User Pool OIDC clients for the CSP application across dev/test/prod in the LZA server infrastructure, and exposes the new client IDs to the Flyway migration invocation as placeholders.
Changes:
- Added
aws_cognito_user_pool_clientresources for CSP in dev/test/prod with environment-specific callback and logout URLs. - Added CSP client IDs to the Flyway Lambda invocation placeholder map so migrations/config can reference them.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| lza-infrastructure/terraform/server/oidc_clients_csp.tf | Defines new Cognito User Pool clients for CSP (dev/test/prod) following existing OIDC client patterns. |
| lza-infrastructure/terraform/server/flyway.tf | Wires CSP Cognito client IDs into Flyway placeholder inputs for downstream use. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Hello @gpascucci and @kamal-mohammed !
Thanks for the PR.
I wondering if you have all the information to onboard "CSP"? If possible, better do it in one PR for all the scripts. Please reference to recent closed pr for onboarding to FAM: https://github.com/bcgov/nr-forests-access-management/pull/2144/changes .
If still needs some clarification from business, please contact Olga or maybe Ann-Marie I guess she can discuss with Olga as well; sometimes they will need to finalize some changes from Business, that's my understanding.
ps: If application and its roles information is still not clear yet, can do it later but then you won't be able to use it to grant a user.
I fixed the PR title, you can also follow previous PR convention.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.
Comments suppressed due to low confidence (2)
lza-infrastructure/terraform/server/oidc_clients_csp.tf:51
- The test client allows both
/int/cspand/pub/cspcallback URLs, but the logout allow-list only includes the/pub/csp/logoutURL. Existing INT/PUB clients in this directory include both logout URLs, so sign-out redirects from the INT CSP route would be rejected by Cognito.
logout_urls = [
var.oidc_sso_playground_url,
"${var.cognito_app_client_logout_chain_url.test}https://testapps.nrs.gov.bc.ca/pub/csp/logout"
lza-infrastructure/terraform/server/oidc_clients_csp.tf:87
- The prod client allows both
/int/cspand/pub/cspcallback URLs, but the logout allow-list only includes the/pub/csp/logoutURL. Existing INT/PUB clients in this directory include both logout URLs, so sign-out redirects from the INT CSP route would be rejected by Cognito.
logout_urls = [
var.oidc_sso_playground_url,
"${var.cognito_app_client_logout_chain_url.prod}https://apps.nrs.gov.bc.ca/pub/csp/logout"
| access_token: 5 minutes | ||
| id_token: 5 minutes | ||
| refresh_token: 60 minutes |
| @@ -0,0 +1,109 @@ | |||
| resource "aws_cognito_user_pool_client" "dev_csp_oidc_client" { | |||
| logout_urls = [ | ||
| var.oidc_sso_playground_url, | ||
| "${var.cognito_app_client_logout_chain_url.dev}http://localhost:3000/logout", | ||
| "${var.cognito_app_client_logout_chain_url.dev}https://dlvrapps.nrs.gov.bc.ca/pub/csp/logout" |
|
Title
Add CSP Cognito OIDC Terraform clients
Description
Summary
This PR adds Terraform configuration for CSP OIDC clients in the LZA server infrastructure.
Changes
Details
The new clients follow the existing OIDC client pattern:
Testing
Notes
This branch also includes CHANGELOG.md and version.txt updates from the merge with main; the functional change in this PR is the CSP Terraform
addition.