feat: Resource Servers (#15)
h1manshu98 committed Oct 18, 2023
1 parent 8442f49 commit ceeb114
Showing 4 changed files with 111 additions and 27 deletions.
78 changes: 60 additions & 18 deletions _example/example.tf
Expand Up @@ -9,27 +9,48 @@ module "cognito" {
environment = "test"
label_order = ["environment", "name"]

enabled = true
allow_admin_create_user_only = false
advanced_security_mode = "OFF"
domain = "test"
mfa_configuration = "ON"
allow_software_mfa_token = true
deletion_protection = "INACTIVE"
email_subject = "Sign up for <project_name>."
enabled = true
allow_admin_create_user_only = false
advanced_security_mode = "OFF"
domain = "clouddrove"
mfa_configuration = "ON"
allow_software_mfa_token = true
deletion_protection = "INACTIVE"
email_subject = "Sign up for <project_name>."

users = {
user01 = {
email = "test01@test.com"
}
user02 = {
email = "test02@test.com"
}
}
user01 = {
email = "test01@test.com"
}
user02 = {
email = "test02@test.com"
}
}

user_groups = [
{ name = "test_group"
description = "This is test group."
}
{
name = "test_group"
description = "This is test group."
}
]

resource_servers = [
{
name = "test-pool Resource"
identifier = "test-pool"
scope = [
{
scope_name = "read"
scope_description = "can read test-pool data"
},
{
scope_name = "write"
scope_description = "can add or change test-pool data"
}
]
}
]

clients = [
{
name = "test-client"
Expand All @@ -41,6 +62,27 @@ module "cognito" {
supported_identity_providers = ["COGNITO"]
allowed_oauth_scopes = ["email", "openid", "profile", "phone"]
allowed_oauth_flows = ["code"]
},
{
name = "test-client-2"
allowed_oauth_flows = ["code"]
allowed_oauth_flows_user_pool_client = true
allowed_oauth_scopes = ["email", "openid", "phone", "test-pool/read", "test-pool/write"]
callback_urls = ["https://localhost:3000", "https://localhost:8080"]
explicit_auth_flows = ["ALLOW_CUSTOM_AUTH", "ALLOW_REFRESH_TOKEN_AUTH", "ALLOW_USER_SRP_AUTH"]
generate_secret = true
logout_urls = []
access_token_validity = 30
id_token_validity = 30
refresh_token_validity = 30
supported_identity_providers = ["COGNITO"]
prevent_user_existence_errors = "ENABLED"
enable_token_revocation = true
token_validity_units = {
access_token = "minutes"
id_token = "minutes"
refresh_token = "days"
}
}
]
}
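Review bot: `domain = "clouddrove"` replaces the placeholder prefix in the example with a real organisation name; a Cognito hosted-UI domain prefix must be unique per region across all AWS accounts, so anyone applying the example verbatim will fail if that prefix is already taken. A visibly placeholder value such as `domain = "my-org-test-pool"` makes the intent clearer and avoids the collision. The enclosing `module "cognito"` block starts before this hunk.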
33 changes: 27 additions & 6 deletions main.tf
Expand Up @@ -67,8 +67,8 @@ data "aws_iam_policy_document" "authenticated" {
}

module "unauth-role" {
source = "clouddrove/iam-role/aws"
version = "1.3.0"
source = "clouddrove/iam-role/aws"
version = "1.3.0"

name = format("%s-unauth-role", module.labels.id)
environment = var.environment
Expand Down Expand Up @@ -356,7 +356,6 @@ locals {
}



# --------------------------------------------------------------------------
# Cognito - Domain
# --------------------------------------------------------------------------
Expand All @@ -371,7 +370,7 @@ resource "aws_cognito_user_pool_domain" "domain" {
resource "aws_cognito_identity_pool" "identity_pool" {
count = var.enabled ? 1 : 0
identity_pool_name = format("%s_identity_pool", module.labels.id)
allow_unauthenticated_identities = false
allow_unauthenticated_identities = var.allow_unauthenticated_identities
lifecycle { ignore_changes = [cognito_identity_providers] }
}

Expand All @@ -380,7 +379,6 @@ resource "aws_cognito_identity_pool" "identity_pool" {
# Cognito - User Group
# --------------------------------------------------------------------------


resource "aws_cognito_user_group" "main" {
count = var.enabled ? length(local.groups) : 0
name = lookup(element(local.groups, count.index), "name")
Expand Down Expand Up @@ -423,7 +421,7 @@ resource "aws_cognito_user" "users" {

user_pool_id = aws_cognito_user_pool.user_pool.*.id[0]
username = each.value.email
desired_delivery_mediums = ["EMAIL"]
desired_delivery_mediums = var.desired_delivery_mediums

attributes = {
email = each.value.email
Expand All @@ -435,3 +433,26 @@ resource "aws_cognito_user" "users" {
}
}

# --------------------------------------------------------------------------
# Cognito - Resource Servers
# --------------------------------------------------------------------------
locals {
resource_servers = var.resource_servers == null ? [] : var.resource_servers
}

resource "aws_cognito_resource_server" "resource_servers" {
count = var.enabled ? length(local.resource_servers) : 0
name = lookup(element(local.resource_servers, count.index), "name")
identifier = lookup(element(local.resource_servers, count.index), "identifier")

#scope
dynamic "scope" {
for_each = lookup(element(local.resource_servers, count.index), "scope")
content {
scope_name = lookup(scope.value, "scope_name")
scope_description = lookup(scope.value, "scope_description")
}
}

user_pool_id = aws_cognito_user_pool.user_pool.*.id[0]
}
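Review bot: `lookup(element(local.resource_servers, count.index), "scope")` on the `for_each` line has no default, so a resource server entry that omits `scope` errors out even though scopes are optional on a Cognito resource server; `for_each = lookup(element(local.resource_servers, count.index), "scope", [])` lets an absent list produce no `scope` blocks. Because the resource is indexed with `count`/`element`, removing or reordering an entry in `var.resource_servers` shifts every later index and recreates those servers; as this is a new resource with no existing state, `for_each` keyed by `identifier` would avoid that. A client whose `allowed_oauth_scopes` lists custom scopes such as `test-pool/read` (as the example does) can only be created after the resource server exists, and Terraform cannot infer that ordering from a string literal; if the client resource, which is outside this hunk, does not already reference `aws_cognito_resource_server.resource_servers`, it needs a `depends_on` on it.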
6 changes: 3 additions & 3 deletions outputs.tf
@@ -1,15 +1,15 @@
output "user_pool_id" {
value = aws_cognito_user_pool.user_pool.*.id[0]
value = aws_cognito_user_pool.user_pool.*.id[0]
description = "(Required) User pool the client belongs to."
}

output "name" {
value = aws_cognito_user_pool.user_pool.*.name[0]
value = aws_cognito_user_pool.user_pool.*.name[0]
description = "(Required) Name of the application client."
}

output "app_client_id" {
value = aws_cognito_user_pool_client.client.*.id[0]
value = aws_cognito_user_pool_client.client.*.id[0]
description = "ID of the user pool client."
}

21 changes: 21 additions & 0 deletions variables.tf
Expand Up @@ -406,6 +406,12 @@ variable "domain_certificate_arn" {
default = null
}

variable "allow_unauthenticated_identities" {
description = "Whether the identity pool supports unauthenticated logins or not."
type = bool
default = false
}

#########################################################################################################################################
### User Group
#########################################################################################################################################
Expand Down Expand Up @@ -454,6 +460,11 @@ variable "users" {
)
}

variable "desired_delivery_mediums" {
description = "A list of mediums to the welcome message will be sent through. Allowed values are `EMAIL` and `SMS`. If it's provided, make sure you have also specified `email` attribute for the `EMAIL` medium and `phone_number` for the `SMS`. More than one value can be specified."
type = list(string)
default = ["EMAIL"]
}

#########################################################################################################################################
### Deletion Protection
Expand All @@ -463,4 +474,14 @@ variable "deletion_protection" {
description = "When active, DeletionProtection prevents accidental deletion of your user pool. Before you can delete a user pool that you have protected against deletion, you must deactivate this feature. Valid values are `ACTIVE` and `INACTIVE`."
type = string
default = "INACTIVE"
}

#########################################################################################################################################
# Resource Server
#########################################################################################################################################

variable "resource_servers" {
description = "A list of Resource Server configuration."
type = list(any)
default = []
}
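Review bot: `type = list(any)` on the new `resource_servers` variable leaves the required keys unchecked, so a misspelled `identifier` or `scope_name` in a caller surfaces only as a `lookup` failure inside `main.tf` rather than at the variable boundary. An object type with the two required string attributes and an optional scope list documents the expected shape and validates it up front; `optional()` needs Terraform 1.3+, and the module's `required_version` is not visible on this page, so confirm it before adopting. The description would also read better as `A list of Resource Server configurations.`
```hcl
variable "resource_servers" {
  description = "A list of Resource Server configurations (name, identifier and an optional list of scopes)."
  type = list(object({
    name       = string
    identifier = string
    scope = optional(list(object({
      scope_name        = string
      scope_description = string
    })), [])
  }))
  default = []
}
```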
