
Clean up SSO role display in Slack alerts #113

Merged
Alexanderamiri merged 2 commits into main from fix/sso-display-name on Mar 27, 2026

Conversation

@Alexanderamiri
Member

Summary

Parses AWSReservedSSO_{permission-set}_{hash} into just the permission set name.

Before: AWSReservedSSO_javabin-admin_009502fecd1db7fe (alexander.amiri@java.no)
After: javabin-admin (alexander.amiri@java.no)

Affects console login alerts and any other alert where the actor is an SSO user.

Adds ACM certificate (us-east-1), CloudFront distribution, and IPv6
support for the SSO portal redirect. Both HTTP and HTTPS on
aws.javabin.no now redirect to javabin.awsapps.com/start.

Parse AWSReservedSSO_{permission-set}_{hash} into just the permission set
name. Console login alerts now show "javabin-admin (user@java.no)" instead
of "AWSReservedSSO_javabin-admin_009502fecd1db7fe (user@java.no)".
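As an added example (not code from the javaBin/platform repository, whose Lambda source is not on this page), here is one way to do the parsing described above in Python. The role-name regex, the CloudTrail assumed-role ARN layout, the assumption that the trailing hash is 16 hex characters, and the sample ARNs are all assumptions made for this example. Two points a practitioner would want covered: permission set names may themselves contain underscores, so the split is anchored on the trailing hash rather than on the first or last "_"; and any principal that does not match the expected shape is passed through unchanged, so an unexpected actor is never quietly relabelled as a permission set in the alert.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed shape of the IAM Identity Center (AWS SSO) role name, as shown in the PR:
#   AWSReservedSSO_{permission-set}_{hash}
# The hash in the page's example is 16 hex characters; this regex assumes that
# is always the case. Permission set names may contain underscores, so the
# match is anchored on the hash at the end, not on a single "_" separator.
SSO_ROLE_RE = re.compile(
    r"^AWSReservedSSO_(?P<permission_set>.+)_(?P<hash>[0-9a-fA-F]{16})$"
)

# Assumed CloudTrail userIdentity.arn layout for an assumed-role session:
#   arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
ASSUMED_ROLE_ARN_RE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/(?P<session>.+)$"
)


@dataclass(frozen=True)
class Actor:
    display: str                   # the string that goes into the Slack message
    permission_set: Optional[str]  # None when the role is not an SSO-reserved role
    session: Optional[str]         # role session name (the SSO user's email for Identity Center logins)


def permission_set_from_role(role_name: str) -> Optional[str]:
    """Return the permission set name for an AWSReservedSSO_* role, else None."""
    m = SSO_ROLE_RE.match(role_name)
    return m.group("permission_set") if m else None


def actor_from_arn(arn: str) -> Actor:
    """Build the alert actor string from a CloudTrail userIdentity.arn.

    Non-SSO roles keep their raw role name, and anything that is not an
    assumed-role ARN is returned verbatim, so unexpected principals stay
    visible exactly as CloudTrail reported them.
    """
    m = ASSUMED_ROLE_ARN_RE.match(arn)
    if not m:
        return Actor(display=arn, permission_set=None, session=None)
    role, session = m.group("role"), m.group("session")
    pset = permission_set_from_role(role)
    if pset is None:
        return Actor(display=f"{role} ({session})", permission_set=None, session=session)
    return Actor(display=f"{pset} ({session})", permission_set=pset, session=session)


# Constructed sample ARNs for this example (not real records from the repository).
SAMPLE_ARNS = [
    "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_javabin-admin_009502fecd1db7fe/alexander.amiri@java.no",
    "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_read_only_auditor_0123456789abcdef/auditor@java.no",
    "arn:aws:sts::123456789012:assumed-role/ci-deploy-role/i-0abc123",
    "arn:aws:iam::123456789012:user/break-glass",
]


def render_all(arns: List[str] = SAMPLE_ARNS) -> List[str]:
    """Render the display string for each ARN, in order."""
    return [actor_from_arn(a).display for a in arns]


if __name__ == "__main__":
    for line in render_all():
        print(line)
```

The second sample exercises the underscore case: a naive `role.split("_")[1]` would render it as "read" instead of "read_only_auditor". The last two samples show the pass-through behaviour for a non-SSO role and for a principal that is not an assumed-role session at all.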
@Alexanderamiri Alexanderamiri requested a review from a team as a code owner March 27, 2026 00:11
@github-actions

Terraform Plan

🚧 Changes detected — Plan: 6 to add, 3 to change, 0 to destroy.

Plan output
Acquiring state lock. This may take a few moments...

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # module.cost_analytics.aws_bcmdataexports_export.cur will be created
  + resource "aws_bcmdataexports_export" "cur" {
      + id       = (known after apply)
      + tags_all = {
          + "environment" = "production"
          + "managed-by"  = "terraform"
          + "repo"        = "javaBin/platform"
          + "service"     = "platform"
          + "team"        = "platform"
        }

      + export {
          + export_arn = (known after apply)
          + name       = "javabin-cur"

          + data_query {
              + query_statement      = "SELECT * FROM COST_AND_USAGE_REPORT"
              + table_configurations = {
                  + "COST_AND_USAGE_REPORT" = {
                      + "INCLUDE_MANUAL_DISCOUNT_COMPATIBILITY" = "FALSE"
                      + "INCLUDE_RESOURCES"                     = "TRUE"
                      + "INCLUDE_SPLIT_COST_ALLOCATION_DATA"    = "FALSE"
                      + "TIME_GRANULARITY"                      = "DAILY"
                    }
                }
            }

          + destination_configurations {
              + s3_destination {
                  + s3_bucket = "javabin-cur-553637109631"
                  + s3_prefix = "cur"
                  + s3_region = "eu-central-1"

                  + s3_output_configurations {
                      + compression = "PARQUET"
                      + format      = "PARQUET"
                      + output_type = "CUSTOM"
                      + overwrite   = "OVERWRITE_REPORT"
                    }
                }
            }

          + refresh_cadence {
              + frequency = "SYNCHRONOUS"
            }
        }
    }

  # module.dns.aws_acm_certificate.sso_redirect will be created
  + resource "aws_acm_certificate" "sso_redirect" {
      + arn                       = (known after apply)
      + domain_name               = "aws.javabin.no"
      + domain_validation_options = [
          + {
              + domain_name           = "aws.javabin.no"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
        ]
      + id                        = (known after apply)
      + key_algorithm             = (known after apply)
      + not_after                 = (known after apply)
      + not_before                = (known after apply)
      + pending_renewal           = (known after apply)
      + renewal_eligibility       = (known after apply)
      + renewal_summary           = (known after apply)
      + status                    = (known after apply)
      + subject_alternative_names = [
          + "aws.javabin.no",
        ]
      + tags                      = {
          + "Name" = "aws.javabin.no"
        }
      + tags_all                  = {
          + "Name"        = "aws.javabin.no"
          + "environment" = "production"
          + "managed-by"  = "terraform"
          + "repo"        = "javaBin/platform"
          + "service"     = "platform"
          + "team"        = "platform"
        }
      + type                      = (known after apply)
      + validation_emails         = (known after apply)
      + validation_method         = "DNS"
    }

  # module.dns.aws_acm_certificate_validation.sso_redirect will be created
  + resource "aws_acm_certificate_validation" "sso_redirect" {
      + certificate_arn         = (known after apply)
      + id                      = (known after apply)
      + validation_record_fqdns = (known after apply)
    }

  # module.dns.aws_cloudfront_distribution.sso_redirect will be created
  + resource "aws_cloudfront_distribution" "sso_redirect" {
      + aliases                         = [
          + "aws.javabin.no",
        ]
      + arn                             = (known after apply)
      + caller_reference                = (known after apply)
      + comment                         = "aws.javabin.no → SSO portal redirect"
      + continuous_deployment_policy_id = (known after apply)
      + domain_name                     = (known after apply)
      + enabled                         = true
      + etag                            = (known after apply)
      + hosted_zone_id                  = (known after apply)
      + http_version                    = "http2"
      + id                              = (known after apply)
      + in_progress_validation_batches  = (known after apply)
      + is_ipv6_enabled                 = true
      + last_modified_time              = (known after apply)
      + price_class                     = "PriceClass_100"
      + retain_on_delete                = false
      + staging                         = false
      + status                          = (known after apply)
      + tags                            = {
          + "Name" = "aws.javabin.no-redirect"
        }
      + tags_all                        = {
          + "Name"        = "aws.javabin.no-redirect"
          + "environment" = "production"
          + "managed-by"  = "terraform"
          + "repo"        = "javaBin/platform"
          + "service"     = "platform"
          + "team"        = "platform"
        }
      + trusted_key_groups              = (known after apply)
      + trusted_signers                 = (known after apply)
      + wait_for_deployment             = true

      + default_cache_behavior {
          + allowed_methods        = [
              + "GET",
              + "HEAD",
            ]
          + cached_methods         = [
              + "GET",
              + "HEAD",
            ]
          + compress               = true
          + default_ttl            = 86400
          + max_ttl                = 86400
          + min_ttl                = 0
          + target_origin_id       = "s3-redirect"
          + trusted_key_groups     = (known after apply)
          + trusted_signers        = (known after apply)
          + viewer_protocol_policy = "redirect-to-https"

          + forwarded_values {
              + headers                 = (known after apply)
              + query_string            = false
              + query_string_cache_keys = (known after apply)

              + cookies {
                  + forward           = "none"
                  + whitelisted_names = (known after apply)
                }
            }
        }

      + origin {
          + connection_attempts = 3
          + connection_timeout  = 10
          + domain_name         = "aws.javabin.no.s3-website.eu-central-1.amazonaws.com"
          + origin_id           = "s3-redirect"

          + custom_origin_config {
              + http_port                = 80
              + https_port               = 443
              + origin_keepalive_timeout = 5
              + origin_protocol_policy   = "http-only"
              + origin_read_timeout      = 30
              + origin_ssl_protocols     = [
                  + "TLSv1.2",
                ]
            }
        }

      + restrictions {
          + geo_restriction {
              + locations        = (known after apply)
              + restriction_type = "none"
            }
        }

      + viewer_certificate {
          + acm_certificate_arn      = (known after apply)
          + minimum_protocol_version = "TLSv1.2_2021"
          + ssl_support_method       = "sni-only"
        }
    }

  # module.dns.aws_route53_record.sso_redirect will be updated in-place
  ~ resource "aws_route53_record" "sso_redirect" {
        id                               = "Z02029092SCAPZOF62LM0_aws.javabin.no_A"
        name                             = "aws.javabin.no"
        # (6 unchanged attributes hidden)

      ~ alias {
          ~ name                   = "s3-website.eu-central-1.amazonaws.com" -> (known after apply)
          ~ zone_id                = "Z21DNDUVLTQW6Q" -> (known after apply)
            # (1 unchanged attribute hidden)
        }
    }

  # module.dns.aws_route53_record.sso_redirect_aaaa will be created
  + resource "aws_route53_record" "sso_redirect_aaaa" {
      + allow_overwrite = (known after apply)
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = "aws.javabin.no"
      + type            = "AAAA"
      + zone_id         = "Z02029092SCAPZOF62LM0"

      + alias {
          + evaluate_target_health = false
          + name                   = (known after apply)
          + zone_id                = (known after apply)
        }
    }

  # module.dns.aws_route53_record.sso_redirect_cert_validation["aws.javabin.no"] will be created
  + resource "aws_route53_record" "sso_redirect_cert_validation" {
      + allow_overwrite = true
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = (known after apply)
      + records         = (known after apply)
      + ttl             = 300
      + type            = (known after apply)
      + zone_id         = "Z02029092SCAPZOF62LM0"
    }

  # module.lambdas.aws_lambda_function.securityhub_summary will be updated in-place
  ~ resource "aws_lambda_function" "securityhub_summary" {
        id                             = "javabin-securityhub-summary"
      ~ last_modified                  = "2026-03-26T22:16:24.000+0000" -> (known after apply)
      ~ source_code_hash               = "hm0y6nagoLKwh8EanEkF13bj4Tx83Yp2R+Kr2xGmvIs=" -> "HWyF0Gl/AH/wpVpYaK1xCytPrnnOXwka6pH0jZTGFr4="
        tags                           = {}
        # (21 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.lambdas.aws_lambda_function.slack_alert will be updated in-place
  ~ resource "aws_lambda_function" "slack_alert" {
        id                             = "javabin-slack-alert"
      ~ last_modified                  = "2026-03-26T22:16:17.000+0000" -> (known after apply)
      ~ source_code_hash               = "hm0y6nagoLKwh8EanEkF13bj4Tx83Yp2R+Kr2xGmvIs=" -> "HWyF0Gl/AH/wpVpYaK1xCytPrnnOXwka6pH0jZTGFr4="
        tags                           = {}
        # (21 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

Plan: 6 to add, 3 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "tfplan"

LLM Review

Risk: 🟢 LOW

Plan adds new cost analytics export and SSO redirect infrastructure with routine Lambda code updates.

  • [routine] Lambda function code updates for securityhub_summary and slack_alert with new source code hashes - standard maintenance
  • [routine] New BCM Data Exports resource for Cost and Usage Report (CUR) export to existing S3 bucket - enables better cost visibility
  • [routine] ACM certificate creation for aws.javabin.no with DNS validation - standard TLS certificate provisioning
  • [routine] CloudFront distribution for aws.javabin.no SSO redirect with S3 origin - adds CDN layer for redirect service
  • 💰 [cost] New CloudFront distribution will incur data transfer and request charges; BCM Data Exports API usage will have minimal cost impact

@Alexanderamiri Alexanderamiri merged commit 682ca5f into main Mar 27, 2026
3 checks passed
@Alexanderamiri Alexanderamiri deleted the fix/sso-display-name branch March 27, 2026 00:13
Alexanderamiri added a commit that referenced this pull request May 9, 2026
## Summary

Parses `AWSReservedSSO_{permission-set}_{hash}` into just the permission
set name.

**Before:** `AWSReservedSSO_javabin-admin_009502fecd1db7fe
(alexander.amiri@java.no)`
**After:** `javabin-admin (alexander.amiri@java.no)`

Affects console login alerts and any other alert where the actor is an
SSO user.