diff --git a/README.md b/README.md
index e4d3d21..a8a28de 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,42 @@
-# tf-cognito
-Terraform AWS Cognito module
+# Terraform AWS Cognito module
+
+## About:
+
+Creates a basic AWS Cognito setup with a mandatory 8 character long password policy and dynamic schema support.
+
+Please note the variable ```ignore_changes``` in the ```./main.tf``` file is used to prevent re-deployments from occurring.
+
+## How to use:
+
+```terraform
+module "cognito" {
+ source = "../../modules/cognito"
+
+ namespace = var.namespace
+ resource_tag_name = var.resource_tag_name
+ region = var.region
+
+ cognito_identity_pool_name = var.cognito_identity_pool_name
+ cognito_identity_pool_provider = var.cognito_identity_pool_provider
+
+ schema_map = [
+ {
+ name = "email"
+ attribute_data_type = "String"
+ mutable = false
+ required = true
+ },
+ {
+ name = "phone_number"
+ attribute_data_type = "String"
+ mutable = false
+ required = true
+ }
+ ]
+}
+```
+
+## Changelog
+
+### v1.0
+ - Initial release
\ No newline at end of file
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..0ecd51c
--- /dev/null
+++ b/main.tf 
@@ -0,0 +1,83 @@
+locals {
+ resource_name = "${var.namespace}-${var.resource_tag_name}"
+}
+
+# -----------------------------------------------------------------------------
+# Resource: Cognito
+# Remarks: Set for Schema String and Number attribute constraints to prevent redeployment (!)
+# https://github.com/terraform-providers/terraform-provider-aws/issues/7502
+# https://www.terraform.io/docs/providers/aws/r/cognito_user_pool.html#schema-attributes
+# -----------------------------------------------------------------------------
+
+resource "aws_cognito_user_pool" "_" {
+ name = "${local.resource_name}-${var.cognito_identity_pool_name}"
+ alias_attributes = var.alias_attributes
+ auto_verified_attributes = var.auto_verified_attributes
+
+ admin_create_user_config {
+ allow_admin_create_user_only = false
+ }
+
+ password_policy {
+ minimum_length = 8
+ require_uppercase = true
+ require_lowercase = true
+ require_numbers = true
+ require_symbols = true
+ }
+
+ dynamic "schema" {
+ for_each = var.schema_map
+
+ content {
+ name = schema.value.name
+ attribute_data_type = schema.value.attribute_data_type
+ mutable = schema.value.mutable
+ required = schema.value.required
+ }
+ }
+
+ lifecycle {
+ ignore_changes = [ schema ]
+ }
+
+ tags = {
+ Environment = var.namespace
+ Name = var.resource_tag_name
+ }
+}
+
+# -----------------------------------------------------------------------------
+# Domain is required for email link to function:
+# https://forums.aws.amazon.com/thread.jspa?threadID=262811
+# -----------------------------------------------------------------------------
+resource "aws_cognito_user_pool_domain" "_" {
+ domain = local.resource_name
+ user_pool_id = aws_cognito_user_pool._.id
+}
+
+resource "aws_cognito_user_pool_client" "_" {
+ name = "${local.resource_name}-client"
+
+ user_pool_id = aws_cognito_user_pool._.id
+ generate_secret = false
+
+ explicit_auth_flows = [
+ "ADMIN_NO_SRP_AUTH",
+ "USER_PASSWORD_AUTH",
+ ]
+}
+
+resource 
"aws_cognito_identity_pool" "_" { + identity_pool_name = var.cognito_identity_pool_name + developer_provider_name = var.cognito_identity_pool_provider + + allow_unauthenticated_identities = false + + cognito_identity_providers { + client_id = aws_cognito_user_pool_client._.id + server_side_token_check = true + + provider_name = "cognito-idp.${var.region}.amazonaws.com/${aws_cognito_user_pool._.id}" + } +} diff --git a/outputs.tf b/outputs.tf new file mode 100644 index 0000000..5e64fcb --- /dev/null +++ b/outputs.tf @@ -0,0 +1,19 @@ +# ----------------------------------------------------------------------------- +# Outputs: Cognito +# ----------------------------------------------------------------------------- + +output "cognito_user_pool_id" { + value = "${aws_cognito_user_pool._.id}" +} + +output "cognito_user_pool_arn" { + value = "${aws_cognito_user_pool._.arn}" +} + +output "cognito_user_pool_client_id" { + value = "${aws_cognito_user_pool_client._.id}" +} + +output "cognito_identity_pool_id" { + value = "${aws_cognito_identity_pool._.id}" +} diff --git a/variables.tf b/variables.tf new file mode 100644 index 0000000..46bbaab --- /dev/null +++ b/variables.tf 
@@ -0,0 +1,50 @@
+# -----------------------------------------------------------------------------
+# Variables: General
+# -----------------------------------------------------------------------------
+
+variable "namespace" {
+ description = "AWS resource namespace/prefix"
+}
+
+variable "region" {
+ description = "AWS region"
+}
+
+variable "resource_tag_name" {
+ description = "Resource tag name for cost tracking"
+}
+
+# -----------------------------------------------------------------------------
+# Variables: Cognito & S3
+# -----------------------------------------------------------------------------
+
+variable "cognito_identity_pool_name" {
+ description = "Cognito identity pool name"
+}
+
+variable "cognito_identity_pool_provider" {
+ description = "Cognito identity pool provider"
+}
+
+variable "alias_attributes" {
+ type = list(string)
+ default = ["email"]
+ description = "(Optional) Attributes supported as an alias for this user pool. Possible values: phone_number, email, or preferred_username. Conflicts with username_attributes. "
+}
+
+variable "auto_verified_attributes" {
+ type = list
+ default = ["email"]
+ description = "(Optional) The attributes to be auto-verified. Possible values: email, phone_number. "
+}
+
+variable "schema_map" {
+ type = list(object({
+ name = string
+ attribute_data_type = string
+ mutable = bool
+ required = bool
+ }))
+ default = []
+ description = "Creates 1 or more Schema blocks"
+}
\ No newline at end of file
diff --git a/versions.tf b/versions.tf
new file mode 100644
index 0000000..ac97c6a
--- /dev/null
+++ b/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+ required_version = ">= 0.12"
+}
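Review bot: `auto_verified_attributes` is declared with the bare `type = list` while `alias_attributes` directly above it uses `list(string)`; the unparameterized `list` is only a legacy shorthand for `list(any)`, so `type = list(string)` keeps the two declarations consistent and rejects non-string elements at plan time. The five variables at the top of the file (`namespace`, `region`, `resource_tag_name`, `cognito_identity_pool_name`, `cognito_identity_pool_provider`) carry no `type` at all, so a caller can pass a list or map and the error only surfaces when the value reaches `local.resource_name` or the resource argument; `type = string` on each of them would catch that up front. The section header reads `# Variables: Cognito & S3` but no S3 variable follows, so either drop `& S3` or it reads as a leftover from another module. The `cognito_identity_pool_provider` description would also be more useful if it said the value becomes the identity pool's `developer_provider_name`, since that is where main.tf consumes it.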
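Review bot: versions.tf pins only `required_version = ">= 0.12"` and sets no `required_providers` constraint for `aws`, so `terraform init` will pull whatever the newest AWS provider release is at the time, and a future major version can change the Cognito resource schema (the `explicit_auth_flows` names used in main.tf are exactly the kind of argument that has already been renamed) without anything in this module flagging it. Adding `required_providers { aws = "<version constraint>" }` inside the `terraform` block, with the constraint set to the provider range the module was tested against, keeps deployments reproducible and makes provider upgrades an explicit, reviewable change.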