main.tf
# --------------------------------------------------------------------------
# Locals - Tagging
# --------------------------------------------------------------------------
# Every taggable resource in this module carries the caller's tags plus two
# fixed keys identifying the module and its source repository. merge() gives
# later arguments precedence, so the fixed keys win over a caller tag of the
# same name.
locals {
  tags = merge(var.tags, {
    Module = "terraform-aws-stackx-cognito"
    Github = "https://github.com/ventx/terraform-aws-stackx-cognito"
  })
}
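# --------------------------------------------------------------------------
# Cognito - Identity Pool
# --------------------------------------------------------------------------
# Exchanges tokens issued by the user pool (one provider entry per user pool
# client) for AWS credentials. Unauthenticated (guest) identities are off, so
# only users who signed in to the pool can obtain credentials.
resource "aws_cognito_identity_pool" "main" {
  # Same naming scheme as the user pool: "<name>-<static_unique_id>" when a
  # static id is given, otherwise just "<name>"; lower-cased, cut to 63 chars.
  identity_pool_name = substr(lower("${var.name}${var.static_unique_id != "" ? "-${var.static_unique_id}" : ""}"), 0, 63)

  allow_unauthenticated_identities = false

  dynamic "cognito_identity_providers" {
    for_each = var.user_pool_clients
    content {
      client_id     = aws_cognito_user_pool_client.client[cognito_identity_providers.key].id
      provider_name = aws_cognito_user_pool.pool.endpoint
      # Ask the user pool whether the token's user is still valid (not deleted,
      # disabled or globally signed out) before issuing credentials. With this
      # off, a token from a revoked user keeps yielding AWS credentials until
      # the token itself expires.
      server_side_token_check = true
    }
  }

  tags = local.tags
}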
# --------------------------------------------------------------------------
# Cognito - User Pool
# --------------------------------------------------------------------------
# The user directory behind the identity pool. Sign-in is by e-mail address,
# accounts are created by an administrator only (no self sign-up), and the
# invitation carrying the temporary password is sent by Cognito itself.
resource "aws_cognito_user_pool" "pool" {
  # "<name>-<static_unique_id>" (or just "<name>"), lower-cased, max 63 chars.
  name = substr(lower("${var.name}${var.static_unique_id != "" ? "-" : ""}${var.static_unique_id != "" ? var.static_unique_id : ""}"), 0, 63)

  # The e-mail address is the sign-in identifier.
  username_attributes = ["email"]

  # Standard "email" attribute: required at creation, may be changed later.
  schema {
    attribute_data_type      = "String"
    developer_only_attribute = false
    mutable                  = true
    name                     = "email"
    required                 = true
    string_attribute_constraints {
      max_length = "2048"
      min_length = "0"
    }
  }

  admin_create_user_config {
    # Self sign-up is disabled; only administrators (and the aws_cognito_user
    # resources in this file) create accounts.
    allow_admin_create_user_only = true
    invite_message_template {
      # {username} and {####} are Cognito placeholders for the username and the
      # generated temporary password; ${var.name} is expanded by Terraform.
      email_message = <<EOF
Hi,
<p>
A new account for <strong>${var.name}</strong> has been created for you.
</p>
<p></p>
<p>Username: {username}</p>
<p>Temporary password: {####}</p>
<p></p>
<p>Please login and change your password.</p>
<p>Have a nice day :)</p>
EOF
      email_subject = "Sign up for stackX"
      sms_message   = "Your username is {username}. Sign up at {####} "
    }
  }

  # NOTE(review): the built-in Cognito sender has a small daily send quota —
  # confirm it is enough for the expected number of invitations, or switch to
  # an SES-backed configuration.
  email_configuration {
    email_sending_account = "COGNITO_DEFAULT"
  }

  # Pre-sign-up trigger. The function and its invoke permission are defined
  # outside this file; aws_cognito_user.users below depends on both.
  lambda_config {
    pre_sign_up = aws_lambda_function.pre_sign_up.arn
  }

  # Long passwords (18+) with mixed case; digits and symbols are not required.
  # Temporary passwords from the invitation are valid for 2 days.
  password_policy {
    minimum_length                   = 18
    require_lowercase                = true
    require_uppercase                = true
    require_numbers                  = false
    require_symbols                  = false
    temporary_password_validity_days = 2
  }

  # Usernames (here: e-mail addresses) are compared case-sensitively, so
  # differently-cased spellings of one address are distinct users.
  username_configuration {
    case_sensitive = true
  }

  # NOTE(review): no mfa_configuration, user_pool_add_ons (advanced security)
  # or deletion_protection is set here, so they take the provider defaults —
  # confirm that is intended for a pool whose tokens are exchanged for AWS
  # credentials by the identity pool above.

  tags = local.tags
}
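# --------------------------------------------------------------------------
# Cognito - User Pool Domain (Amazon Cognito domain)
# --------------------------------------------------------------------------
# Hosted-UI domain prefix derived from var.name. Cognito only accepts
# lowercase letters, digits and hyphens here, at most 63 characters, and
# rejects prefixes containing the word "aws", which is rewritten to "swa".
resource "aws_cognito_user_pool_domain" "main" {
  # Lower-casing now happens BEFORE the "aws" rewrite. The original applied
  # replace() to the raw name and lower() afterwards, so an upper-case "AWS"
  # in var.name slipped past the case-sensitive replace() and ended up as
  # "aws" in the final prefix, which Cognito refuses at apply time.
  # Underscores become hyphens; the result is cut to 63 characters.
  # NOTE(review): "amazon" and "cognito" are reserved words too and are not
  # rewritten here, and any other character outside [a-z0-9-] still fails at
  # apply — confirm var.name is validated accordingly in its variable block.
  domain       = substr(replace(replace(lower(trimspace(var.name)), "aws", "swa"), "_", "-"), 0, 63)
  user_pool_id = aws_cognito_user_pool.pool.id
}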
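# --------------------------------------------------------------------------
# Cognito - User Pool Client
# --------------------------------------------------------------------------
# One app client per entry of var.user_pool_clients; the identity pool above
# registers each of them as a provider by the same key.
resource "aws_cognito_user_pool_client" "client" {
  for_each = var.user_pool_clients

  # TODO: validate each.value.name in its variable definition (validation
  # block): AWS allows 1-128 characters matching [\w\s+=,.@-]+
  name         = each.value.name
  user_pool_id = aws_cognito_user_pool.pool.id

  # All clients share one redirect allow-list.
  callback_urls = var.callback_urls

  allowed_oauth_flows_user_pool_client = each.value.allowed_oauth_flows_user_pool_client
  allowed_oauth_flows                  = each.value.allowed_oauth_flows
  allowed_oauth_scopes                 = each.value.allowed_oauth_scopes
  generate_secret                      = each.value.generate_secret
  supported_identity_providers         = each.value.supported_identity_providers

  # Return a generic "incorrect username or password" for unknown users instead
  # of a distinct user-not-found error, so sign-in, confirmation and password
  # reset cannot be used to enumerate which e-mail addresses have accounts.
  # Left unset the client falls back to the legacy (enumerable) behaviour.
  prevent_user_existence_errors = "ENABLED"
}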
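# --------------------------------------------------------------------------
# Cognito - User Group
# --------------------------------------------------------------------------
# One group per entry of var.user_groups, named after the entry's key.
resource "aws_cognito_user_group" "users" {
  for_each = var.user_groups

  # The original hard-coded name = "users" for every iteration, which only
  # works with a single entry: a second key would try to create another group
  # with the same name in the same pool and fail. Using each.key works for a
  # set of strings (key == value) as well as for a map.
  # NOTE(review): this assumes the keys / set members of var.user_groups are
  # the intended group names — confirm against the variable definition.
  name         = each.key
  user_pool_id = aws_cognito_user_pool.pool.id
}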
# --------------------------------------------------------------------------
# Cognito - Users
# --------------------------------------------------------------------------
# Pre-provisioned accounts, one per entry of var.users. Each user's e-mail is
# both the username and a verified attribute; Cognito generates the temporary
# password itself, so no secret is stored in configuration or state.
resource "aws_cognito_user" "users" {
  for_each = var.users

  user_pool_id = aws_cognito_user_pool.pool.id
  username     = each.value.email

  # The invitation (with the temporary password) is delivered by e-mail.
  desired_delivery_mediums = ["EMAIL"]

  attributes = {
    email          = each.value.email
    email_verified = true
  }

  # Presumably consumed by the pre-sign-up trigger configured on the pool —
  # verify against the Lambda source.
  validation_data = {
    email = each.value.email
  }

  # The pre-sign-up trigger and Cognito's permission to invoke it must exist
  # before the first user is created.
  depends_on = [
    aws_lambda_function.pre_sign_up,
    aws_lambda_permission.pre_sign_up,
  ]
}