FAM Onboarding Ops Guide

MCatherine edited this page Mar 13, 2023 · 28 revisions

Create a New Application

  • Create new OIDC clients for the new application in the terraform: depending on which environments were requested, create one client per environment and configure the following fields:

    • Supported identity provider
    • Login callback urls (normally we put debugger urls for dev and test, not prod)
    • Logout callback urls
    • Read attributes
  • Add new application to the database

    • In the fam_application table, create a new application for each environment, following the naming convention "ApplicationName_ENV" (e.g. "FOM_DEV")
    • In the fam_application_client table, create a new application client for each environment
    • In the fam_role table, create an admin role for the new application for each environment in FAM, following the naming convention "ApplicationName_ENV_ACCESS_ADMIN" (e.g. "FOM_DEV_ACCESS_ADMIN")
    • If the user requests test roles, we can create them in the fam_role table as well, for all environments
  • Update the flyway infrastructure to pass new application client ids from Cognito

  • Update the pipeline reusable_auth_function_ci.yml and the docker-compose file in the root directory to add flyway placeholders for the new application client ids (random strings are fine there)

  • Update the test that gets all applications: bump the asserted count whenever we add apps

Deploy New Application into Production

  • Find the commit that we last deployed to production, create a branch from that commit and switch to it

    # from main branch
    git checkout [commit_number_where_we_last_deploy_to_main]
    git branch hotfix/onboard-[new_application_name]
    git checkout hotfix/onboard-[new_application_name]
    


  • Apply all the changes from the "Create a New Application" section. To apply a specific commit, use git cherry-pick [commit_number]; then create a pull request and have team members review it

  • Make a test deployment from this hotfix branch and verify that the new application's clients (dev, test and prod) are set up correctly. Use the OIDC Debugger tool to check the login flow and the access and id tokens it returns

  • Make a prod deployment from this hotfix branch; this requires updating the prod protection rule to allow deployment from the hotfix branch. Verify that the new applications are set up correctly


  • Merge the hotfix branch to main branch

Return the Configuration Parameters to Our Client

Return the following to our client for each environment they asked for:

{
    aws_cognito_region: "this is fam cognito region",
    aws_user_pools_id: "this is the fam user pool id",
    aws_user_pools_web_client_id: "this is the client id",
    aws_mandatory_sign_in: 'enable',
    oauth: {
        domain: "this is the cognito oauth domain",
        scope: ['openid'],
        redirectSignIn: "this is the login redirect url we get from our client", // note, they could give multiple redirect urls, we just list one or let them config by themselves
        redirectSignOut: "this is the logout chain url + the logout redirect url get from our client",
        responseType: 'code',
    },
    federationTarget: 'COGNITO_USER_POOLS',
};
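As an added example (not FAM project code), the following JavaScript derives the per-environment values described in "Create a New Application" and builds the configuration object returned to the client above: the fam_application and admin role names, the login callback list (with the debugger URL for dev and test only), and the redirectSignOut composed from the logout chain URL and the client's logout URL. The debugger URL, logout chain URL format, region, user pool id and client ids are constructed placeholders, and the https-only rule for redirect URLs is an assumption of this example rather than a documented FAM requirement.

```javascript
// Added example, not FAM project code. All names and URLs are constructed
// placeholders; the https-only redirect rule is an assumption of this example.

const ENVIRONMENTS = ["DEV", "TEST", "PROD"];

// Assumed OIDC debugger callback, registered on dev/test clients only.
const OIDC_DEBUGGER_CALLBACK = "https://oidcdebugger.example/debug";

// Naming conventions from the guide: "ApplicationName_ENV" and
// "ApplicationName_ENV_ACCESS_ADMIN".
function applicationName(app, env) {
  return `${app}_${env}`;
}
function adminRoleName(app, env) {
  return `${applicationName(app, env)}_ACCESS_ADMIN`;
}

// Login callback URLs registered on the Cognito client: the client's own
// login URLs, plus the debugger URL for non-prod environments only.
function loginCallbackUrls(env, clientLoginUrls) {
  const urls = [...clientLoginUrls];
  if (env !== "PROD") urls.push(OIDC_DEBUGGER_CALLBACK);
  return urls;
}

// Sanity check on every redirect URL we register: absolute https URLs only
// (assumed rule; plain http is tolerated for localhost in DEV).
function assertValidRedirectUrl(url, env) {
  const u = new URL(url); // throws on a malformed or relative URL
  const localhost = u.hostname === "localhost" || u.hostname === "127.0.0.1";
  if (u.protocol !== "https:" && !(env === "DEV" && localhost)) {
    throw new Error(`refusing non-https redirect URL for ${env}: ${url}`);
  }
}

// Build the object handed back to the client for one environment.
// cognito: { region, userPoolId, oauthDomain, logoutChainUrl, clientIds: { DEV, TEST, PROD } }
// request: { app, loginUrls: [...], logoutUrl }
function buildClientConfig(env, cognito, request) {
  if (!ENVIRONMENTS.includes(env)) throw new Error(`unknown environment ${env}`);
  const callbacks = loginCallbackUrls(env, request.loginUrls);
  callbacks.forEach((u) => assertValidRedirectUrl(u, env));
  assertValidRedirectUrl(request.logoutUrl, env);
  // Catch a debugger URL slipping into prod via the client's own list.
  if (env === "PROD" && callbacks.includes(OIDC_DEBUGGER_CALLBACK)) {
    throw new Error("debugger callback must not be registered on the prod client");
  }
  return {
    aws_cognito_region: cognito.region,
    aws_user_pools_id: cognito.userPoolId,
    aws_user_pools_web_client_id: cognito.clientIds[env],
    aws_mandatory_sign_in: "enable",
    oauth: {
      domain: cognito.oauthDomain,
      scope: ["openid"],
      // The client may give several login URLs; we list the first one.
      redirectSignIn: request.loginUrls[0],
      // Logout chain URL followed by the client's own logout redirect URL.
      redirectSignOut: cognito.logoutChainUrl + request.logoutUrl,
      responseType: "code",
    },
    federationTarget: "COGNITO_USER_POOLS",
  };
}

// Constructed sample input for a hypothetical application "FOM".
const SAMPLE_COGNITO = {
  region: "ca-central-1",
  userPoolId: "ca-central-1_EXAMPLEPOOL",
  oauthDomain: "example-fam.auth.ca-central-1.amazoncognito.com",
  logoutChainUrl: "https://logout-chain.example/logout?returl=",
  clientIds: { DEV: "devclientid", TEST: "testclientid", PROD: "prodclientid" },
};
const SAMPLE_REQUEST = {
  app: "FOM",
  loginUrls: ["https://fom.example/login"],
  logoutUrl: "https://fom.example/logout",
};

// Example usage: the object we would return for the DEV environment.
const devConfig = buildClientConfig("DEV", SAMPLE_COGNITO, SAMPLE_REQUEST);
console.log(applicationName("FOM", "DEV"), adminRoleName("FOM", "DEV"));
console.log(JSON.stringify(devConfig, null, 2));
```

Running the block prints the DEV names and configuration; the prod path is identical except that the debugger callback is never added and any client-supplied copy of it is rejected.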