[Issue #3133] Add auth env vars for login.gov OAuth (#3406)

## Summary Fixes #3133 ### Time to review: __5 mins__ ## Changes proposed Added all of the env vars to connect to login.gov Added secrets to parameter store for all envs ## Additional information I've previously tested the lower env values locally
HHS · Jan 6, 2025 · e1c1834 · e1c1834
1 parent 80c18be
commit e1c1834
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 1 deletion.
diff --git a/infra/api/app-config/dev.tf b/infra/api/app-config/dev.tf
@@ -29,5 +29,9 @@ module "dev_config" {
   # https://docs.aws.amazon.com/opensearch-service/latest/developerguide/what-is.html#choosing-version
   search_engine_version = "OpenSearch_2.15"
 
-  service_override_extra_environment_variables = {}
+  service_override_extra_environment_variables = {
+
+    # Login.gov OAuth
+    ENABLE_AUTH_ENDPOINT = 1
+  }
 }
diff --git a/infra/api/app-config/env-config/environment-variables.tf b/infra/api/app-config/env-config/environment-variables.tf
@@ -8,6 +8,20 @@ locals {
     # WORKER_THREADS_COUNT    = 4
     # LOG_LEVEL               = "info"
     # DB_CONNECTION_POOL_SIZE = 5
+
+
+    # Login.gov OAuth
+    # Default values point to the IDP integration environment
+    # which all non-prod environments should use
+    ENABLE_AUTH_ENDPOINT     = 0
+    LOGIN_GOV_CLIENT_ID      = "urn:gov:gsa:openidconnect.profiles:sp:sso:hhs-${var.environment}-simpler-grants-gov"
+    LOGIN_GOV_ENDPOINT       = "https://idp.int.identitysandbox.gov/"
+    LOGIN_GOV_JWK_ENDPOINT   = "https://idp.int.identitysandbox.gov/api/openid_connect/certs"
+    LOGIN_GOV_AUTH_ENDPOINT  = "https://idp.int.identitysandbox.gov/openid_connect/authorize"
+    LOGIN_GOV_TOKEN_ENDPOINT = "https://idp.int.identitysandbox.gov/api/openid_connect/token"
+    LOGIN_FINAL_DESTINATION  = ""
+    API_JWT_ISSUER           = "simpler-grants-api-${var.environment}"
+    API_JWT_AUDIENCE         = "simpler-grants-api-${var.environment}"
   }
 
   # Configuration for secrets
@@ -24,5 +38,25 @@ locals {
       manage_method     = "manual"
       secret_store_name = "/api/${var.environment}/api-auth-token"
     }
+
+    LOGIN_GOV_CLIENT_ASSERTION_PRIVATE_KEY = {
+      manage_method     = "manual"
+      secret_store_name = "/api/${var.environment}/login-gov-client-assertion-private-key"
+    }
+
+    API_JWT_PRIVATE_KEY = {
+      manage_method     = "manual"
+      secret_store_name = "/api/${var.environment}/api-jwt-private-key"
+    }
+
+    API_JWT_PUBLIC_KEY = {
+      manage_method     = "manual"
+      secret_store_name = "/api/${var.environment}/api-jwt-public-key"
+    }
+
+    LOGIN_FINAL_DESTINATION = {
+      manage_method     = "manual"
+      secret_store_name = "/api/${var.environment}/frontend-login-redirect-url"
+    }
   }
 }
diff --git a/infra/api/app-config/prod.tf b/infra/api/app-config/prod.tf
@@ -46,5 +46,12 @@ module "prod_config" {
     # Set the opportunity search index to have more shards/replicas in prod
     LOAD_OPP_SEARCH_SHARD_COUNT   = 3
     LOAD_OPP_SEARCH_REPLICA_COUNT = 2
+
+    # Login.gov OAuth
+    ENABLE_AUTH_ENDPOINT     = 0
+    LOGIN_GOV_ENDPOINT       = "https://secure.login.gov/"
+    LOGIN_GOV_JWK_ENDPOINT   = "https://secure.login.gov/api/openid_connect/certs"
+    LOGIN_GOV_AUTH_ENDPOINT  = "https://secure.login.gov/openid_connect/authorize"
+    LOGIN_GOV_TOKEN_ENDPOINT = "https://secure.login.gov/api/openid_connect/token"
   }
 }
diff --git a/infra/api/app-config/staging.tf b/infra/api/app-config/staging.tf
@@ -30,5 +30,7 @@ module "staging_config" {
   search_engine_version = "OpenSearch_2.15"
 
   service_override_extra_environment_variables = {
+    # Login.gov OAuth
+    ENABLE_AUTH_ENDPOINT = 0
   }
 }