initial release

README.md

@@ -1,2 +1,42 @@
-# tf-cognito
-Terraform AWS Cognito module
+# Terraform AWS Cognito module
+
+## About:
+
+Creates a basic AWS Cognito setup with a mandatory 8 character long password policy and dynamic schema support.
+
+Please note the variable ```ignore_changes``` in the ```./main.tf``` file is used to prevent re-deployments from occurring. 
+
+## How to use:
+
+```terraform
+module "cognito" {
+  source = "../../modules/cognito"
+
+  namespace         = var.namespace
+  resource_tag_name = var.resource_tag_name
+  region            = var.region
+
+  cognito_identity_pool_name     = var.cognito_identity_pool_name
+  cognito_identity_pool_provider = var.cognito_identity_pool_provider
+
+  schema_map = [
+    {
+      name                = "email"
+      attribute_data_type = "String"
+      mutable             = false
+      required            = true
+    },
+    {
+      name                = "phone_number"
+      attribute_data_type = "String"
+      mutable             = false
+      required            = true
+    }
+  ]
+}
+```
+
+## Changelog
+
+### v1.0
+ - Initial release

main.tf

@@ -0,0 +1,83 @@
+locals {
+  resource_name = "${var.namespace}-${var.resource_tag_name}"
+}
+
+# -----------------------------------------------------------------------------
+# Resource: Cognito
+# Remarks: Set for Schema String and Number attribute constraints to prevent redeployment (!)
+# https://github.com/terraform-providers/terraform-provider-aws/issues/7502
+# https://www.terraform.io/docs/providers/aws/r/cognito_user_pool.html#schema-attributes
+# -----------------------------------------------------------------------------
+
+resource "aws_cognito_user_pool" "_" {
+  name                     = "${local.resource_name}-${var.cognito_identity_pool_name}"
+  alias_attributes         = var.alias_attributes
+  auto_verified_attributes = var.auto_verified_attributes
+
+  admin_create_user_config {
+    allow_admin_create_user_only = false
+  }
+
+  password_policy {
+    minimum_length    = 8
+    require_uppercase = true
+    require_lowercase = true
+    require_numbers   = true
+    require_symbols   = true
+  }
+
+  dynamic "schema" {
+    for_each = var.schema_map
+
+    content {
+      name                = schema.value.name
+      attribute_data_type = schema.value.attribute_data_type
+      mutable             = schema.value.mutable
+      required            = schema.value.required
+    }
+  }
+
+  lifecycle {
+    ignore_changes = [ schema ]
+  }
+
+  tags = {
+    Environment = var.namespace
+    Name        = var.resource_tag_name
+  }
+}
+
+# -----------------------------------------------------------------------------
+# Domain is required for email link to function:
+# https://forums.aws.amazon.com/thread.jspa?threadID=262811
+# -----------------------------------------------------------------------------
+resource "aws_cognito_user_pool_domain" "_" {
+  domain       = local.resource_name
+  user_pool_id = aws_cognito_user_pool._.id
+}
+
+resource "aws_cognito_user_pool_client" "_" {
+  name = "${local.resource_name}-client"
+
+  user_pool_id    = aws_cognito_user_pool._.id
+  generate_secret = false
+
+  explicit_auth_flows = [
+    "ADMIN_NO_SRP_AUTH",
+    "USER_PASSWORD_AUTH",
+  ]
+}
+
+resource "aws_cognito_identity_pool" "_" {
+  identity_pool_name      = var.cognito_identity_pool_name
+  developer_provider_name = var.cognito_identity_pool_provider
+
+  allow_unauthenticated_identities = false
+
+  cognito_identity_providers {
+    client_id               = aws_cognito_user_pool_client._.id
+    server_side_token_check = true
+
+    provider_name = "cognito-idp.${var.region}.amazonaws.com/${aws_cognito_user_pool._.id}"
+  }
+}

outputs.tf

@@ -0,0 +1,19 @@
+# -----------------------------------------------------------------------------
+# Outputs: Cognito
+# -----------------------------------------------------------------------------
+
+output "cognito_user_pool_id" {
+  value = "${aws_cognito_user_pool._.id}"
+}
+
+output "cognito_user_pool_arn" {
+  value = "${aws_cognito_user_pool._.arn}"
+}
+
+output "cognito_user_pool_client_id" {
+  value = "${aws_cognito_user_pool_client._.id}"
+}
+
+output "cognito_identity_pool_id" {
+  value = "${aws_cognito_identity_pool._.id}"
+}

variables.tf

@@ -0,0 +1,50 @@
+# -----------------------------------------------------------------------------
+# Variables: General
+# -----------------------------------------------------------------------------
+
+variable "namespace" {
+  description = "AWS resource namespace/prefix"
+}
+
+variable "region" {
+  description = "AWS region"
+}
+
+variable "resource_tag_name" {
+  description = "Resource tag name for cost tracking"
+}
+
+# -----------------------------------------------------------------------------
+# Variables: Cognito & S3
+# -----------------------------------------------------------------------------
+
+variable "cognito_identity_pool_name" {
+  description = "Cognito identity pool name"
+}
+
+variable "cognito_identity_pool_provider" {
+  description = "Cognito identity pool provider"
+}
+
+variable "alias_attributes" {
+  type = list(string)
+  default = ["email"]
+  description = "(Optional) Attributes supported as an alias for this user pool. Possible values: phone_number, email, or preferred_username. Conflicts with username_attributes. "
+}
+
+variable "auto_verified_attributes" {
+  type = list
+  default = ["email"]
+  description = "(Optional) The attributes to be auto-verified. Possible values: email, phone_number. "
+}
+
+variable "schema_map" {
+  type = list(object({
+    name                = string
+    attribute_data_type = string
+    mutable             = bool
+    required            = bool
+  }))
+  default = []
+  description = "Creates 1 or more Schema blocks"
+}

versions.tf

@@ -0,0 +1,4 @@
+
+terraform {
+  required_version = ">= 0.12"
+}