diff --git a/.gitignore b/.gitignore
index 8c4af55..7e8d90a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -63,4 +63,5 @@ terraform.tfstate* ses/ ses.tf backup/ -backup.tf \ No newline at end of file +backup.tf +.vscode
diff --git a/terraform/modules/cognito/main.tf b/terraform/modules/cognito/main.tf
index c791fd3..90007a4 100644
--- a/terraform/modules/cognito/main.tf
+++ b/terraform/modules/cognito/main.tf
@@ -47,6 +47,10 @@ resource "aws_cognito_user_pool" "this" { } } + lambda_config { + pre_sign_up = var.lambda_pre_sign_up + } + username_configuration { case_sensitive = var.enable_username_case_sensitivity }
@@ -74,8 +78,6 @@ resource "aws_cognito_user_pool" "this" { email_configuration { email_sending_account = "COGNITO_DEFAULT" } - - # auto_verified_attributes = ["email"] } resource "aws_cognito_user_pool_client" "this" {
@@ -88,16 +90,16 @@ resource "aws_cognito_user_pool_client" "this" { allowed_oauth_flows = ["code"] allowed_oauth_scopes = ["email", "openid", "phone"] supported_identity_providers = ["COGNITO"] - id_token_validity = "60" - access_token_validity = "60" + id_token_validity = "1" + access_token_validity = "1" explicit_auth_flows = ["ALLOW_CUSTOM_AUTH", "ALLOW_REFRESH_TOKEN_AUTH", "ALLOW_USER_SRP_AUTH"] prevent_user_existence_errors = "ENABLED" read_attributes = ["address", "birthdate", "email", "email_verified", "family_name", "gender", "given_name", "locale", "middle_name", "name", "nickname", "phone_number", "phone_number_verified", "picture", "preferred_username", "profile", "updated_at", "website", "zoneinfo"] write_attributes = ["address", "birthdate", "email", "family_name", "gender", "given_name", "locale", "middle_name", "name", "nickname", "phone_number", "picture", "preferred_username", "profile", "updated_at", "website", "zoneinfo"] token_validity_units { - access_token = "minutes" - id_token = "minutes" + access_token = "days" + id_token = "days" refresh_token = "days" } } 
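Review bot: The new `lambda_config { pre_sign_up = var.lambda_pre_sign_up }` makes the trigger mandatory for every user of this module (the variable is declared without a default in variables.tf) and nothing in the module states what the trigger is allowed to do. A pre sign-up handler that sets `response.autoConfirmUser` or `response.autoVerifyEmail` silently bypasses the email verification this pool otherwise relies on, and a handler that does not return the event or exceeds Cognito's 5-second trigger limit makes every sign-up fail; I cannot see the handler from here, so please confirm both. A comment on the block would record the contract: `# Pre sign-up trigger: handler must return the event; must not auto-confirm or auto-verify users`. The `aws_cognito_user_pool` resource starts before this hunk.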
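Review bot: Changing `id_token_validity`/`access_token_validity` from `"60"` minutes to `"1"` day makes every issued bearer token live 24 times longer, so a leaked ID or access token stays usable for a full day; services that validate the JWT locally accept it until expiry regardless of whether token revocation is enabled on the client. `ALLOW_REFRESH_TOKEN_AUTH` is already in `explicit_auth_flows` and the refresh token is already in days, so session continuity does not need long-lived access tokens. Keep `id_token_validity = "60"`, `access_token_validity = "60"` and `access_token = "minutes"` / `id_token = "minutes"` in `token_validity_units`; if the longer lifetime is deliberate, a comment stating the reason belongs next to the values. The `aws_cognito_user_pool_client` resource starts before this hunk.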
@@ -105,5 +107,12 @@ resource "aws_cognito_user_pool_client" "this" { resource "aws_cognito_user_pool_domain" "this" { domain = var.domain user_pool_id = aws_cognito_user_pool.this.id - # certificate_arn = var.certificate_arn +} + +resource "aws_lambda_permission" "this" { + statement_id = "AllowExecutionFromUserPool" + action = "lambda:InvokeFunction" + function_name = var.lambda_function_name + principal = "cognito-idp.amazonaws.com" + source_arn = aws_cognito_user_pool.this.arn }
diff --git a/terraform/modules/cognito/variables.tf b/terraform/modules/cognito/variables.tf
index 05ce26f..5af9915 100644
--- a/terraform/modules/cognito/variables.tf
+++ b/terraform/modules/cognito/variables.tf 
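Review bot: `function_name = var.lambda_function_name` is an input independent of `var.lambda_pre_sign_up`, so nothing ties the invoke permission to the function the pool actually calls; a caller passing a mismatched pair gets a trigger invoked without permission and every sign-up fails with an invocation error. `aws_lambda_permission.function_name` accepts a function ARN, so the grant can be derived from the same value, `function_name = var.lambda_pre_sign_up`, and the second variable dropped. The `source_arn = aws_cognito_user_pool.this.arn` scoping is right and should stay: a grant to `cognito-idp.amazonaws.com` without `source_arn` or `source_account` would let any user pool in any account invoke the function.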
@@ -3,22 +3,22 @@ variable "name" { type = string - description = "(Required) The name of the user pool." + description = "The name of the user pool." } variable "client_name" { type = string - description = "(Required) The name of the client user pool." + description = "The name of the client user pool." } variable "alias_attributes" { type = set(string) - description = "(Optional) Attributes supported as an alias for this user pool. Possible values: 'phone_number', 'email', or 'preferred_username'. Conflicts with username_attributes." + description = "Attributes supported as an alias for this user pool. Possible values: 'phone_number', 'email', or 'preferred_username'. Conflicts with username_attributes." default = null } variable "domain" { - description = "(Optional) Type a domain prefix to use for the sign-up and sign-in pages that are hosted by Amazon Cognito, e.g. 'https://{YOUR_PREFIX}.auth.eu-west-1.amazoncognito.com'. The prefix must be unique across the selected AWS Region. Domain names can only contain lower-case letters, numbers, and hyphens." + description = "Type a domain prefix to use for the sign-up and sign-in pages that are hosted by Amazon Cognito, e.g. 'https://{YOUR_PREFIX}.auth.eu-west-1.amazoncognito.com'. The prefix must be unique across the selected AWS Region. Domain names can only contain lower-case letters, numbers, and hyphens." type = string default = null } 
@@ -31,69 +31,78 @@ variable "redirect_url" { variable "account_recovery_mechanisms" { type = any - description = "(Optional) A list of recovery_mechanisms which are defined by a `name` and its `priority`. Valid values for `name` are veri fied_email, verified_phone_number, and admin_only." + description = "A list of recovery_mechanisms which are defined by a `name` and its `priority`. Valid values for `name` are veri fied_email, verified_phone_number, and admin_only." default = [] } variable "enable_username_case_sensitivity" { type = bool - description = "(Optional) Specifies whether username case sensitivity will be applied for all users in the user pool through Cognito APIs." + description = "Specifies whether username case sensitivity will be applied for all users in the user pool through Cognito APIs." default = false } variable "password_minimum_length" { type = number - description = "(Optional) The minimum length of the password policy that you have set." + description = "The minimum length of the password policy that you have set." default = 20 } variable "password_require_lowercase" { type = bool - description = "(Optional) Whether you have required users to use at least one lowercase letter in their password." + description = "Whether you have required users to use at least one lowercase letter in their password." default = true } variable "password_require_numbers" { type = bool - description = "(Optional) Whether you have required users to use at least one number in their password." + description = "Whether you have required users to use at least one number in their password." default = true } variable "password_require_symbols" { type = bool - description = "(Optional) Whether you have required users to use at least one symbol in their password." + description = "Whether you have required users to use at least one symbol in their password." 
default = true } variable "password_require_uppercase" { type = bool - description = "(Optional) Whether you have required users to use at least one uppercase letter in their password." + description = "Whether you have required users to use at least one uppercase letter in their password." default = true } variable "temporary_password_validity_days" { type = number - description = "(Optional) In the password policy you have set, refers to the number of days a temporary password is valid. If the user does not sign-in during this time, their password will need to be reset by an administrator." + description = "In the password policy you have set, refers to the number of days a temporary password is valid. If the user does not sign-in during this time, their password will need to be reset by an administrator." default = 1 } variable "schema_attributes" { - description = "(Optional) A list of schema attributes of a user pool. You can add a maximum of 25 custom attributes." + description = "A list of schema attributes of a user pool. You can add a maximum of 25 custom attributes." type = any default = [] } variable "tags" { type = map(string) - description = "(Optional) A mapping of tags to assign to the resource." + description = "A mapping of tags to assign to the resource." default = {} } variable "auto_verified_attributes" { type = set(string) - description = "(Optional) The attributes to be auto-verified. Possible values: 'email', 'phone_number'." + description = "The attributes to be auto-verified. Possible values: 'email', 'phone_number'." default = [ "email" ] } +variable "lambda_pre_sign_up" { + type = string + description = "The ARN of a pre-registration AWS Lambda trigger." +} + +variable "lambda_function_name" { + description = "Lambda name" + type = string +}
diff --git a/terraform/organization/cloudfront.tf b/terraform/organization/cloudfront.tf
index f705fd4..dfcdac5 100644
--- a/terraform/organization/cloudfront.tf 
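Review bot: The rewritten description of `account_recovery_mechanisms` still carries the stray space in `veri fied_email` on the new side, so the one typo in that line survives the edit; it should read `verified_email`, since that is the literal value a caller has to pass. The new `lambda_function_name` description `"Lambda name"` does not say that it must name the same function as `lambda_pre_sign_up` or that it feeds the invoke permission; suggest `"Name of the Lambda function referenced by lambda_pre_sign_up; used to grant cognito-idp.amazonaws.com invoke permission."`, and for `lambda_pre_sign_up` a note that the trigger must not auto-confirm users unless that is intended. Neither new variable has a `validation` block, so a non-ARN string would surface only at apply time.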
+++ b/terraform/organization/cloudfront.tf
@@ -22,6 +22,7 @@ module "cloudfront" { origin = { api-gateway = { domain_name = replace(replace(module.apigw.endpoint, "https://", ""), "/", "") + origin_path = "/api" custom_origin_config = { http_port = 80
@@ -37,7 +38,7 @@ module "cloudfront" { http_port = 80 https_port = 443 origin_protocol_policy = "match-viewer" - origin_ssl_protocols = ["TLSv1.2"] + origin_ssl_protocols = ["TLSv1", "TLSv1.1", "TLSv1.2"] } } }
diff --git a/terraform/organization/cognito.tf b/terraform/organization/cognito.tf
index e531d10..9c867ad 100644
--- a/terraform/organization/cognito.tf
+++ b/terraform/organization/cognito.tf
@@ -1,6 +1,10 @@ module "cognito" { source = "../modules/cognito" + depends_on = [ + module.lambda + ] + providers = { aws = aws.aws }
@@ -12,7 +16,6 @@ module "cognito" { alias_attributes = [ "email", - # "phone_number", "preferred_username", ]
@@ -46,4 +49,7 @@ module "cognito" { required = true } ] + + lambda_pre_sign_up = module.lambda["lambdaTopicSNS"].function_arn + lambda_function_name = module.lambda["lambdaTopicSNS"].function_name }
diff --git a/terraform/organization/datasources.tf b/terraform/organization/datasources.tf
index 12683c1..3bd9494 100644
--- a/terraform/organization/datasources.tf
+++ b/terraform/organization/datasources.tf
@@ -14,7 +14,6 @@ data "template_file" "userdata" { template = file("${path.module}/html/index.html") vars = { ENDPOINT = "${module.apigw.endpoint}" - token = "" } }
diff --git a/terraform/organization/html/index.html b/terraform/organization/html/index.html
index a0a8410..4bb4f8f 100644
--- a/terraform/organization/html/index.html
+++ b/terraform/organization/html/index.html
@@ -5,6 +5,7 @@
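Review bot: `origin_ssl_protocols = ["TLSv1", "TLSv1.1", "TLSv1.2"]` re-enables two protocol versions deprecated by RFC 8996 on the CloudFront-to-origin leg, so a negotiation can land on TLS 1.0 with an origin that would otherwise have accepted 1.2. This origin already uses `origin_protocol_policy = "match-viewer"`, which sends HTTP viewer requests to the origin in clear text, so this list is the only protection left on the HTTPS path. Keep `origin_ssl_protocols = ["TLSv1.2"]` and fix the origin's TLS configuration if it cannot negotiate 1.2; if the widening is a deliberate workaround, a comment naming the origin and the condition for removing it should sit next to the line. The enclosing `module "cloudfront"` block and this origin's name start before the hunk.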
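Review bot: `depends_on = [module.lambda]` on the module is redundant: the `lambda_pre_sign_up` and `lambda_function_name` arguments added further down this file already reference `module.lambda["lambdaTopicSNS"]` outputs, which gives Terraform the ordering it needs. A module-level `depends_on` makes every resource in the cognito module wait for every resource in `module.lambda` and can defer any data sources the module contains to apply time, widening plans for unrelated changes. Removing the four added lines keeps the dependency graph precise. The `module "cognito"` block continues past this hunk.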
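Review bot: The pre sign-up trigger is wired to `module.lambda["lambdaTopicSNS"]`, whose key suggests a function written to publish to an SNS topic rather than a Cognito trigger; a pre sign-up handler has to return the event object with its `response` block or Cognito rejects the sign-up, and a handler that sets `autoConfirmUser` skips the email confirmation this pool otherwise enforces. I cannot see the Lambda module from here, so please confirm the handler satisfies both. A comment on the assignment, `# pre sign-up trigger: handler must return the event and must not auto-confirm users`, would record that contract for the next reader. The `module "cognito"` block starts before this hunk.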
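Review bot: Removing `token = ""` from the `template_file` vars means any `${token}` reference still present in html/index.html now fails at plan time with an unknown-variable error; the matching index.html hunk is cut off here, so I cannot confirm the reference was removed as well. `data "template_file"` is also deprecated in favour of the built-in `templatefile()` function, which reports template errors with the file position and needs no provider, so the same call could become `templatefile("${path.module}/html/index.html", { ENDPOINT = module.apigw.endpoint })` at the consumer. The data block's consumer is outside this hunk.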