# ---------------------------------------------------------------------------
# Amazon Cognito
# ---------------------------------------------------------------------------
resource "aws_cognito_user_pool" "this" {
  # Pool identity: the name, which attributes may be used as a sign-in alias,
  # and which attributes Cognito verifies automatically (all caller-supplied).
  name                     = var.name
  alias_attributes         = var.alias_attributes
  auto_verified_attributes = var.auto_verified_attributes

  # Every password-policy knob is exposed as a variable; the module sets no
  # floor of its own, so the caller's values alone decide the policy strength.
  password_policy {
    minimum_length                   = var.password_minimum_length
    require_lowercase                = var.password_require_lowercase
    require_uppercase                = var.password_require_uppercase
    require_numbers                  = var.password_require_numbers
    require_symbols                  = var.password_require_symbols
    temporary_password_validity_days = var.temporary_password_validity_days
  }

  # NOTE(review): no mfa_configuration or user_pool_add_ons block is set, so
  # MFA and advanced security stay at the provider defaults — confirm that is
  # intended for this pool.

  # Verification e-mails carry a code rather than a click-through link.
  verification_message_template {
    default_email_option = "CONFIRM_WITH_CODE"
  }

  # Mail is sent from the Cognito-managed sender.
  # NOTE(review): the Cognito default sender has a low daily send quota;
  # production pools usually use a developer (SES) sending account — verify.
  email_configuration {
    email_sending_account = "COGNITO_DEFAULT"
  }

  username_configuration {
    case_sensitive = var.enable_username_case_sensitivity
  }

  # Pre-sign-up trigger; the matching invoke permission is granted by
  # aws_lambda_permission.this in this file.
  lambda_config {
    pre_sign_up = var.lambda_pre_sign_up
  }

  # One schema entry per element of var.schema_attributes. Each element must
  # carry `name` and `type`; `required`, `mutable`, `developer_only_attribute`
  # and the length/value bounds are optional and fall back to the defaults
  # written here. Length bounds apply only to String attributes, value bounds
  # only to Number attributes.
  # NOTE(review): presumably changing or removing an existing schema entry is
  # not an in-place update for Cognito — verify the replacement behaviour
  # before altering this variable on a live pool.
  dynamic "schema" {
    for_each = var.schema_attributes
    iterator = attr

    content {
      name                     = attr.value.name
      attribute_data_type      = attr.value.type
      required                 = try(attr.value.required, false)
      mutable                  = try(attr.value.mutable, true)
      developer_only_attribute = try(attr.value.developer_only_attribute, false)

      dynamic "string_attribute_constraints" {
        for_each = attr.value.type == "String" ? [true] : []

        content {
          min_length = lookup(attr.value, "min_length", 0)
          max_length = lookup(attr.value, "max_length", 2048)
        }
      }

      dynamic "number_attribute_constraints" {
        for_each = attr.value.type == "Number" ? [true] : []

        content {
          min_value = lookup(attr.value, "min_value", null)
          max_value = lookup(attr.value, "max_value", null)
        }
      }
    }
  }

  # Account recovery is only configured when the caller lists at least one
  # mechanism; each entry supplies a `name` and a `priority`.
  dynamic "account_recovery_setting" {
    for_each = length(var.account_recovery_mechanisms) > 0 ? [true] : []

    content {
      dynamic "recovery_mechanism" {
        for_each = var.account_recovery_mechanisms
        iterator = mech

        content {
          name     = mech.value.name
          priority = mech.value.priority
        }
      }
    }
  }
}
resource "aws_cognito_user_pool_client" "this" {
  name         = var.client_name
  user_pool_id = aws_cognito_user_pool.this.id

  # --- Hosted UI / OAuth ---------------------------------------------------
  # Authorization-code flow only, against the pool's own directory. The
  # scheme is fixed to https here, so var.redirect_url must be the host and
  # path without a scheme. No generate_secret is set, so this is a public
  # client.
  # NOTE(review): a public client on the code flow presumably relies on PKCE
  # in the calling app — confirm.
  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_flows                  = ["code"]
  allowed_oauth_scopes                 = ["email", "openid", "phone"]
  supported_identity_providers         = ["COGNITO"]
  callback_urls                        = ["https://${var.redirect_url}"]

  # --- Direct (non-hosted) authentication ----------------------------------
  # SRP and custom-challenge flows plus refresh; the plaintext USER_PASSWORD
  # and ADMIN_USER_PASSWORD flows are not enabled. ENABLED below hides
  # whether a username exists from failed sign-in responses.
  explicit_auth_flows = [
    "ALLOW_CUSTOM_AUTH",
    "ALLOW_REFRESH_TOKEN_AUTH",
    "ALLOW_USER_SRP_AUTH",
  ]
  prevent_user_existence_errors = "ENABLED"

  # --- Token lifetimes -----------------------------------------------------
  # Both the access and the ID token live for one day (units below).
  # NOTE(review): one day is the longest Cognito allows for these tokens and
  # well above the one-hour default; refresh_token_validity is left at its
  # default — confirm these lifetimes are intended.
  id_token_validity     = 1
  access_token_validity = 1

  token_validity_units {
    access_token  = "days"
    id_token      = "days"
    refresh_token = "days"
  }

  # --- Attribute permissions -----------------------------------------------
  # The client may read the verification flags but never write them, so a
  # user cannot self-assert a verified e-mail address or phone number.
  read_attributes = [
    "address", "birthdate", "email", "email_verified", "family_name",
    "gender", "given_name", "locale", "middle_name", "name", "nickname",
    "phone_number", "phone_number_verified", "picture", "preferred_username",
    "profile", "updated_at", "website", "zoneinfo",
  ]
  write_attributes = [
    "address", "birthdate", "email", "family_name", "gender", "given_name",
    "locale", "middle_name", "name", "nickname", "phone_number", "picture",
    "preferred_username", "profile", "updated_at", "website", "zoneinfo",
  ]
}
resource "aws_cognito_user_pool_domain" "this" {
  # Hosted-UI domain for the pool above. Only `domain` is set (no
  # certificate_arn), so var.domain is used as a Cognito-hosted prefix.
  user_pool_id = aws_cognito_user_pool.this.id
  domain       = var.domain
}
resource "aws_lambda_permission" "this" {
  # Lets the Cognito service invoke the trigger function; source_arn scopes
  # the grant to this pool only, so no other pool can call it.
  # NOTE(review): var.lambda_function_name is presumably the same function
  # referenced by var.lambda_pre_sign_up on the pool — verify the two stay in
  # step.
  statement_id  = "AllowExecutionFromUserPool"
  principal     = "cognito-idp.amazonaws.com"
  action        = "lambda:InvokeFunction"
  function_name = var.lambda_function_name
  source_arn    = aws_cognito_user_pool.this.arn
}