diff --git a/main.tf b/main.tf
index 5ff4950..bb801cd 100644
--- a/main.tf
+++ b/main.tf
@@ -12,27 +12,53 @@ resource "aws_cognito_user_pool" "pool" {
 email_verification_subject = "${var.email_verification_subject}"
 email_verification_message = "${var.email_verification_message}"
+ admin_create_user_config {
+ allow_admin_create_user_only = "${var.allow_admin_create_user_only}"
+ } + password_policy {
- minimum_length = "${lookup(var.password_policy, "minimum_length")}"
- require_lowercase = "${lookup(var.password_policy, "require_lowercase")}"
- require_numbers = "${lookup(var.password_policy, "require_numbers")}"
- require_symbols = "${lookup(var.password_policy, "require_symbols")}"
- require_uppercase = "${lookup(var.password_policy, "require_uppercase")}"
+ minimum_length = "${var.password_policy_minimum_length}"
+ require_lowercase = "${var.password_policy_require_lowercase}"
+ require_numbers = "${var.password_policy_require_numbers}"
+ require_symbols = "${var.password_policy_require_symbols}"
+ require_uppercase = "${var.password_policy_require_uppercase}"
 }
 lambda_config {
- create_auth_challenge = "${lookup(var.lambda_config, "create_auth_challenge")}"
- custom_message = "${lookup(var.lambda_config, "custom_message")}"
- define_auth_challenge = "${lookup(var.lambda_config, "define_auth_challenge")}"
- post_authentication = "${lookup(var.lambda_config, "post_authentication")}"
- post_confirmation = "${lookup(var.lambda_config, "post_confirmation")}"
- pre_authentication = "${lookup(var.lambda_config, "pre_authentication")}"
- pre_sign_up = "${lookup(var.lambda_config, "pre_sign_up")}"
- pre_token_generation = "${lookup(var.lambda_config, "pre_token_generation")}"
- user_migration = "${lookup(var.lambda_config, "user_migration")}"
- verify_auth_challenge_response = "${lookup(var.lambda_config, "verify_auth_challenge_response")}"
+ create_auth_challenge = "${var.lambda_config_create_auth_challenge}"
+ custom_message = "${var.lambda_config_custom_message}"
+ define_auth_challenge = "${var.lambda_config_define_auth_challenge}"
+ 
post_authentication = "${var.lambda_config_post_authentication}"
+ post_confirmation = "${var.lambda_config_post_confirmation}"
+ pre_authentication = "${var.lambda_config_pre_authentication}"
+ pre_sign_up = "${var.lambda_config_pre_sign_up}"
+ pre_token_generation = "${var.lambda_config_pre_token_generation}"
+ user_migration = "${var.lambda_config_user_migration}"
+ verify_auth_challenge_response = "${var.lambda_config_verify_auth_challenge_response}"
 }
+ username_attributes = "${var.username_attributes}"
+
+ auto_verified_attributes = "${var.auto_verified_attributes}" + tags = "${var.tags}"
 }
+
+resource "aws_cognito_user_pool_client" "client" {
+
+ name = "${module.label.id}"
+ user_pool_id = "${aws_cognito_user_pool.pool.id}"
+ allowed_oauth_flows = "${var.allowed_oauth_flows}"
+ allowed_oauth_scopes = "${var.allowed_oauth_scopes}"
+ callback_urls = "${var.callback_urls}"
+ logout_urls = "${var.logout_urls}"
+ supported_identity_providers = "${var.supported_identity_providers}"
+ refresh_token_validity = "${var.refresh_token_validity}"
+
+}
+
+resource "aws_cognito_user_pool_domain" "domain" {
+ domain = "${var.domain}"
+ user_pool_id = "${aws_cognito_user_pool.pool.id}"
+}
diff --git a/outputs.tf b/outputs.tf
index e69de29..c65c787 100644
--- a/outputs.tf
+++ b/outputs.tf
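Review bot: The new `aws_cognito_user_pool_client` block sets `allowed_oauth_flows` and `allowed_oauth_scopes` but does not set `allowed_oauth_flows_user_pool_client = true`, and as far as I recall the provider only applies those OAuth settings when that flag is enabled, so the client created here may silently ignore them. The block also has no `generate_secret` argument, yet outputs.tf in the same commit exports `client_secret`; exposing a `generate_secret` variable would let callers create a confidential client and make that output meaningful. The enclosing `aws_cognito_user_pool` resource begins before the hunk.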
@@ -0,0 +1,54 @@
+output "userpool_id" {
+ value = "${aws_cognito_user_pool.pool.id}"
+ description = "The id of the user pool"
+}
+
+output "userpool_arn" {
+ value = "${aws_cognito_user_pool.pool.arn}"
+ description = "The ARN of the user pool"
+}
+
+output "userpool_endpoint" {
+ value = "${aws_cognito_user_pool.pool.endpoint}"
+ description = "The endpoint name of the user pool. Example format: cognito-idp.REGION.amazonaws.com/xxx_yyyyy"
+}
+
+output "userpool_creation_date" {
+ value = "${aws_cognito_user_pool.pool.creation_date}"
+ description = "The date the user pool was created"
+}
+
+output "userpool_last_modified_date" {
+ value = "${aws_cognito_user_pool.pool.last_modified_date}"
+ description = "The date the user pool was last modified"
+}
+
+output "userpool_client_id" {
+ value = "${aws_cognito_user_pool_client.client.id}"
+ description = "The id of the user pool client"
+}
+
+output "userpool_client_secret" {
+ value = "${aws_cognito_user_pool_client.client.client_secret}"
+ description = "The client secret of the user pool client"
+}
+
+output "aws_account_id" {
+ value = "${aws_cognito_user_pool_domain.domain.aws_account_id}"
+ description = "The AWS account ID for the user pool owner"
+}
+
+output "cloudfront_distribution_arn" {
+ value = "${aws_cognito_user_pool_domain.domain.cloudfront_distribution_arn}"
+ description = "The ARN of the CloudFront distribution"
+}
+
+output "s3_bucket" {
+ value = "${aws_cognito_user_pool_domain.domain.s3_bucket}"
+ description = "The S3 bucket where the static files for this domain are stored"
+}
+
+output "version" {
+ value = "${aws_cognito_user_pool_domain.domain.version}"
+ description = "The app version"
+}
diff --git a/variables.tf b/variables.tf
index 5b8b210..57b77e3 100644
--- a/variables.tf
+++ b/variables.tf
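Review bot: `output "userpool_client_secret"` exposes the client secret without `sensitive = true`, so the value is printed in plan/apply output and by `terraform output` in every root module that consumes this module. Add `sensitive = true` inside that output block to keep it out of logs and console output. The value is still written to state, so the state backend has to be protected as a secret store regardless.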
@@ -29,31 +29,131 @@ variable "email_verification_message" {
 description = "Message of verification E-mail"
 }
-variable "password_policy" {
- type = "map"
- default = {
- "minimum_length" = 8
- "require_lowercase" = false
- "require_numbers" = true
- "require_symbols" =false
- "require_uppercase" =true
- }
- description = "Password Policy for Cognito User Pool"
-}
-
-variable "lambda_config" {
- type = "map"
- default = {
- "create_auth_challenge" = ""
- "custom_message" = ""
- "define_auth_challenge" = ""
- "post_authentication" = ""
- "post_confirmation" = ""
- "pre_authentication" = ""
- "pre_sign_up" = ""
- "pre_token_generation" = ""
- "user_migration" = ""
- "verify_auth_challenge_response" = ""
- }
- description = "A container for the AWS Lambda triggers associated with the user pool"
+variable "username_attributes" {
+ type = "list"
+ default = ["email"]
+ description = "Specifies whether email addresses or phone numbers can be specified as usernames when a user signs up"
+}
+
+variable "auto_verified_attributes" {
+ type = "list"
+ default = ["email"]
+ description = "The attributes to be auto-verified. Possible values: email, phone_number"
+}
+
+variable "allow_admin_create_user_only" {
+ default = false
+ description = "Set to True if only the administrator is allowed to create user profiles. 
Set to False if users can sign themselves up via an app"
+}
+
+variable "password_policy_minimum_length" {
+ default = 8
+ description = "The minimum length of the password policy that you have set"
+}
+
+variable "password_policy_require_lowercase" {
+ default = false
+ description = "Whether you have required users to use at least one lowercase letter in their password"
+}
+
+variable "password_policy_require_numbers" {
+ default = false
+ description = "Whether you have required users to use at least one number in their password"
+}
+
+variable "password_policy_require_symbols" {
+ default = false
+ description = "Whether you have required users to use at least one symbol in their password"
+}
+
+variable "password_policy_require_uppercase" {
+ default = false
+ description = "Whether you have required users to use at least one uppercase letter in their password"
+}
+
+variable "lambda_config_create_auth_challenge" {
+ default = ""
+ description = "The ARN of the lambda creating an authentication challenge"
+}
+
+variable "lambda_config_custom_message" {
+ default = ""
+ description = "A custom Message AWS Lambda trigger"
+}
+
+variable "lambda_config_define_auth_challenge" {
+ default = ""
+ description = "Defines the authentication challenge"
+}
+
+variable "lambda_config_post_authentication" {
+ default = ""
+ description = "A post-authentication AWS Lambda trigger"
+}
+
+variable "lambda_config_post_confirmation" {
+ default = ""
+ description = "A post-confirmation AWS Lambda trigger"
+}
+
+variable "lambda_config_pre_authentication" {
+ default = ""
+ description = "A pre-authentication AWS Lambda trigger"
+}
+
+variable "lambda_config_pre_sign_up" {
+ default = ""
+ description = "A pre-registration AWS Lambda trigger"
+}
+
+variable "lambda_config_pre_token_generation" {
+ default = ""
+ description = "Allow to customize identity token claims before token generation"
+}
+
+variable "lambda_config_user_migration" {
+ default = ""
+ description = "The user 
migration Lambda config type"
+}
+
+variable "lambda_config_verify_auth_challenge_response" {
+ default = ""
+ description = "Verifies the authentication challenge response"
+}
+
+variable "allowed_oauth_flows" {
+ default = ["code", "implicit"]
+ description = "List of allowed OAuth flows (code, implicit, client_credentials)"
+}
+
+variable "allowed_oauth_scopes" {
+ default = ["phone", "email", "openid", "profile", "aws.cognito.signin.user.admin"]
+ description = "List of allowed OAuth scopes (phone, email, openid, profile, and aws.cognito.signin.user.admin)"
+}
+
+variable "callback_urls" {
+ type = "list"
+ default = []
+ description = "List of allowed callback URLs for the identity providers"
+}
+
+variable "logout_urls" {
+ type = "list"
+ default = []
+ description = "List of allowed logout URLs for the identity providers"
+}
+
+variable "supported_identity_providers" {
+ type = "list"
+ default = ["COGNITO"]
+ description = "List of provider names for the identity providers that are supported on this client"
+}
+
+variable "refresh_token_validity" {
+ default = 30
+ description = "The time limit in days refresh tokens are valid for"
+}
+
+variable "domain" {
+ description = "The domain string"
 }
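Review bot: The password policy defaults are weakened by this hunk: the removed `password_policy` map had `require_numbers = true` and `require_uppercase = true`, while the new `password_policy_require_numbers` and `password_policy_require_uppercase` variables default to `false`, so a caller that upgrades without setting them gets a pool that accepts any 8-character password with no character-class requirement. Restore the previous behaviour with `default = true` in those two variables, or call the change out explicitly if it is intentional. Separately, `allowed_oauth_flows` defaults to `["code", "implicit"]`; the implicit grant returns tokens in the redirect URL fragment and is discouraged by the OAuth 2.0 Security BCP, so `default = ["code"]` is the safer baseline for a module default, with `implicit` left as an opt-in.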