Improve the Cognito service in production, as a PDS SSO

[tloubrieu-jpl]

💡 Description

• [x] the invitation message should be updated so that it is not only for DUM but for the PDS Engineering node tools (including registry for examle).
• [x] the invitation message should contain a link to update the password
• [x] the link to update the password should forward to a valid URL (PDS Web Site, specific welcome web page ?)

⚔️ Parent Epic / Related Tickets

No response

[sjoshi-jpl]

Per discussion with @ramesh-maddegoda and @tloubrieu-jpl, following is the corse of action for this ticket in Prod :

1. We will have a single user pool in Production (the one that is already created for nucleus dum). This user pool will be re-used for all applications going forward and does not need to be renamed to a generic user pool since that will mean we'll need to re-create users and passwords.
2. We will have a generic API Gateway called pds-api-prod (right now there's one already created for nucleus dum) and then eventually we will merge nucleus dum configuration as part of that gateway.
3. Lambdas for nuclus and registry will remain separate.

[ramesh-maddegoda]

I created a Cognito App client to redirect users after password reset in PDS MCP Dev. Then configured invitation messages to use that client app. I did this in MCP Dev, before configuring this in PDS MCP Prod. Please see the screenshots below.

[tloubrieu-jpl]

Ramesh is updating the terraform, in the DUM repository.

[ramesh-maddegoda]

Created a pull request https://github.com/NASA-PDS/pds-mcp-infra/pull/10

[tloubrieu-jpl]

Everything is configured in the terraform script which needs to be run twice.

[nutjob4life]

Cognito is the recommended approach vs using AWS accounts for people outside JPL

Load balancer rules need to be troubleshooted

Redirection to Airflow UI isn't working; attempting fix (going to some Cognito URL) Small gap!