Merge pull request #347 from april/master

Update documentation, create CI for production

Author: april

.github/workflows/production.yml

@@ -6,7 +6,7 @@ env:
   NODE_ENV: 'production'
   nodeVersion: '14.x'
   pythonVersion: '3.x'
-  AUTH0_DOMAIN: 'auth-dev.mozilla.auth0.com'
+  AUTH0_DOMAIN: 'auth.mozilla.auth0.com'
   AUTH0_CLIENT_ID: ${{ secrets.PRODUCTION_AUTH0_CLIENT_ID }}
   AUTH0_CLIENT_SECRET: ${{ secrets.PRODUCTION_AUTH0_CLIENT_SECRET }}
   AWS_CDN_BUCKET_NAME: ${{ secrets.PRODUCTION_AWS_CDN_BUCKET_NAME }}

README.md

@@ -3,7 +3,6 @@
 | description | status |
 |------------ | ----------- |
 | latest commit | ![](https://github.com/mozilla-iam/auth0-custom-lock/workflows/auth0-custom-lock-push/badge.svg)
-| latest pull request | ![](https://github.com/mozilla-iam/auth0-custom-lock/workflows/auth0-custom-lock-pull/badge.svg)
 | development release | ![](https://github.com/mozilla-iam/auth0-custom-lock/workflows/auth0-custom-lock-pre/badge.svg)
 | production release | ![](https://github.com/mozilla-iam/auth0-custom-lock/workflows/auth0-custom-lock-prod/badge.svg)
 
@@ -54,30 +53,28 @@ to rebuild.
 
 If you do need to deploy manually (as is currently required for production), you can install
 [act](https://github.com/nektos/act) on a local machine, and run:
-`act --secret-file config/secrets.dev -j dev-build-and-deploy` or
-`act --secret-file config/secrets.prod -j prod-build-and-deploy`.
+`act --secret-file config/secrets -j dev-build-and-deploy` or
+`act --secret-file config/secrets -j prod-build-and-deploy`.
 
 You'll also need to set your secrets file to contain the following environmental variables:
 
 ```
+# these are needed to invoke `act --secret-file config/secrets -j dev-build-and-deploy`
 DEVELOPMENT_AWS_ACCESS_KEY_ID=...
 DEVELOPMENT_AWS_SECRET_ACCESS_KEY=...
 DEVELOPMENT_AWS_CDN_BUCKET_NAME=...
 DEVELOPMENT_AUTH0_CLIENT_ID=...
 DEVELOPMENT_AUTH0_CLIENT_SECRET=...
-```
-
-Or:
 
-```
+# these are needed to invoke `act --secret-file config/secrets -j prod-build-and-deploy`
 PRODUCTION_AWS_ACCESS_KEY_ID=...
 PRODUCTION_AWS_SECRET_ACCESS_KEY=...
 PRODUCTION_AWS_CDN_BUCKET_NAME=...
 PRODUCTION_AUTH0_CLIENT_ID=...
 PRODUCTION_AUTH0_CLIENT_SECRET=...
 ```
 
-Contact a member of the Mozilla-IAM team for a copy of these credentials, or push to the repo and request them
+Contact a member of the Mozilla-IAM team for a copy of these credentials, or push to the repo and create a release
 to deploy.
 
 ## Coding standards
@@ -133,3 +130,20 @@ Auto-login Settings screen. Allows user to enable or disable auto-login.
 ### account_verification=true
 
 This is a specific parameter that is set when the log in screen is used for _account verification_.
+
+## Backend setup
+
+First, run the CloudFormation template in AWS. Currently, this is done in the `infosec-dev` and `infosec-prod` AWS accounts.
+This will generate the `environment_AWS_ACCESS_KEY_ID` and `environment_AWS_SECRET_ACCESS_KEY` values needed to run `act` or
+invoke the GitHub Action.
+
+Secondly, create an Application in Auth0 with the correct scopes to the Auth0 Management API:
+
+application name: `github.com/mozilla-iam/auth0-custom-lock`
+application type: Machine to Machine
+description: `Owner: Mozilla-IAM (Your Name)`
+apis: Auth0 Management API
+scopes: `read:clients`, `update:clients`, `read:client_keys`, `update:client_keys`, `update:tenant_settings`
+
+This will generate the `environment_AUTH0_CLIENT_ID` and `environment_AUTH0_CLIENT_SECRET` needed to run `a0deploy` inside
+the GitHub action.

ci/cloudformation/github-actions-user.yml renamed to ci/cloudformation/development.yml

@@ -0,0 +1,45 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: auth0-custom-lock GitHub Actions IAM User used to upload the NLX files to S3
+Metadata:
+  Source: https://github.com/mozilla-iam/auth0-custom-lock/tree/master/ci/cloudformation
+Resources:
+  GitHubActionsAuth0CustomLockUser:
+    Type: AWS::IAM::User
+    Properties:
+      Policies:
+        - PolicyName: AllowPutAuth0CustomLockFilesInS3
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Effect: Allow
+                Action:
+                  - s3:ListAllMyBuckets
+                Resource: '*'
+              - Effect: Allow
+                Action:
+                  - s3:ListBucket
+                Resource:
+                  - arn:aws:s3:::sso-dashboard.configuration-prod
+              - Effect: Allow
+                Action:
+                  - s3:ListObjects*
+                  - s3:PutObject
+                Resource:
+                  - arn:aws:s3:::sso-dashboard.configuration-prod/nlx
+                  - arn:aws:s3:::sso-dashboard.configuration-prod/nlx/*
+  GitHubActionsAuth0CustomLockUserAccessKey:
+    Type: AWS::IAM::AccessKey
+    Properties:
+      Serial: 20200612
+      Status: Active
+      UserName: !Ref GitHubActionsAuth0CustomLockUser
+Outputs:
+  GitHubActionsAuth0CustomLockUserName:
+    Description: The Username of the GitHubActionsAuth0CustomLockUser
+    Value: !Ref GitHubActionsAuth0CustomLockUser
+  GitHubActionsAuth0CustomLockUserAccessKeyId:
+    Description: The AWS API Access Key ID of the GitHubActionsAuth0CustomLockUser
+    Value: !Ref GitHubActionsAuth0CustomLockUserAccessKey
+  GitHubActionsAuth0CustomLockUserSecretAccessKey:
+    Description: The AWS API Access Key Secret Key of the GitHubActionsAuth0CustomLockUser
+    Value: !GetAtt GitHubActionsAuth0CustomLockUserAccessKey.SecretAccessKey

ci/cloudformation/production.yml

@@ -30,7 +30,7 @@
     "vinyl-source-stream": "^2.0.0"
   },
   "dependencies": {
-    "auth0-js": "^9.13.2",
+    "auth0-js": "^9.13.3",
     "promise-polyfill": "^8.1.3",
     "url-search-params-polyfill": "^4.0.1",
     "whatwg-fetch": "^2.0.4"