# ---------------------------------------------------------------------------
# Amazon Cognito
# ---------------------------------------------------------------------------
resource "aws_cognito_user_pool" "this" {
name = var.name
alias_attributes = var.alias_attributes
auto_verified_attributes = var.auto_verified_attributes
password_policy {
minimum_length = var.password_minimum_length
require_lowercase = var.password_require_lowercase
require_numbers = var.password_require_numbers
require_symbols = var.password_require_symbols
require_uppercase = var.password_require_uppercase
temporary_password_validity_days = var.temporary_password_validity_days
}
dynamic "schema" {
for_each = var.schema_attributes
iterator = attribute
content {
name = attribute.value.name
required = try(attribute.value.required, false)
attribute_data_type = attribute.value.type
developer_only_attribute = try(attribute.value.developer_only_attribute, false)
mutable = try(attribute.value.mutable, true)
dynamic "number_attribute_constraints" {
for_each = attribute.value.type == "Number" ? [true] : []
content {
min_value = lookup(attribute.value, "min_value", null)
max_value = lookup(attribute.value, "max_value", null)
}
}
dynamic "string_attribute_constraints" {
for_each = attribute.value.type == "String" ? [true] : []
content {
min_length = lookup(attribute.value, "min_length", 0)
max_length = lookup(attribute.value, "max_length", 2048)
}
}
}
}
username_configuration {
case_sensitive = var.enable_username_case_sensitivity
}
verification_message_template {
default_email_option = "CONFIRM_WITH_CODE"
}
dynamic "account_recovery_setting" {
for_each = length(var.account_recovery_mechanisms) > 0 ? [true] : []
content {
dynamic "recovery_mechanism" {
for_each = var.account_recovery_mechanisms
iterator = recovery
content {
name = recovery.value.name
priority = recovery.value.priority
}
}
}
}
email_configuration {
email_sending_account = "COGNITO_DEFAULT"
}
# auto_verified_attributes = ["email"]
}
resource "aws_cognito_user_pool_client" "this" {
name = var.client_name
user_pool_id = aws_cognito_user_pool.this.id
callback_urls = ["https://${var.redirect_url}"]
allowed_oauth_flows_user_pool_client = true
allowed_oauth_flows = ["code"]
allowed_oauth_scopes = ["email", "openid", "phone"]
supported_identity_providers = ["COGNITO"]
id_token_validity = "60"
access_token_validity = "60"
explicit_auth_flows = ["ALLOW_CUSTOM_AUTH", "ALLOW_REFRESH_TOKEN_AUTH", "ALLOW_USER_SRP_AUTH"]
prevent_user_existence_errors = "ENABLED"
read_attributes = ["address", "birthdate", "email", "email_verified", "family_name", "gender", "given_name", "locale", "middle_name", "name", "nickname", "phone_number", "phone_number_verified", "picture", "preferred_username", "profile", "updated_at", "website", "zoneinfo"]
write_attributes = ["address", "birthdate", "email", "family_name", "gender", "given_name", "locale", "middle_name", "name", "nickname", "phone_number", "picture", "preferred_username", "profile", "updated_at", "website", "zoneinfo"]
token_validity_units {
access_token = "minutes"
id_token = "minutes"
refresh_token = "days"
}
}
resource "aws_cognito_user_pool_domain" "this" {
domain = var.domain
user_pool_id = aws_cognito_user_pool.this.id
# certificate_arn = var.certificate_arn
}