Created
July 28, 2021 07:24
-
-
Save 0mmadawn/22b10db21c4449f1d29afbe334377817 to your computer and use it in GitHub Desktop.
sample terraform file for creating AWS Cognito (MFA)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| variable "aws" { | |
| default = { | |
| sms_role_ext_id = "cognito-test-sms-role-external-id" | |
| } | |
| } | |
| # IAM role for cognito sms | |
| resource "aws_iam_role" "cognito_test_sms" { | |
| name = "CognitoTest_SMS" | |
| description = "role for applicant cognito, send sms" | |
| assume_role_policy = jsonencode( | |
| { | |
| Statement = [ | |
| { | |
| Condition = { | |
| StringEquals = { | |
| "sts:ExternalId" = "${var.aws.sms_role_ext_id}" | |
| } | |
| } | |
| Action = "sts:AssumeRole" | |
| Effect = "Allow" | |
| Principal = { | |
| Service = "cognito-idp.amazonaws.com" | |
| } | |
| }, | |
| ] | |
| Version = "2012-10-17" | |
| } | |
| ) | |
| inline_policy { | |
| name = "cognito_sms" | |
| policy = jsonencode( | |
| { | |
| Statement = [ | |
| { | |
| Action = [ | |
| "sns:publish", | |
| ] | |
| Effect = "Allow" | |
| Resource = [ | |
| "*", | |
| ] | |
| }, | |
| ] | |
| Version = "2012-10-17" | |
| } | |
| ) | |
| } | |
| force_detach_policies = false | |
| max_session_duration = 3600 | |
| path = "/service-role/" | |
| } | |
| # user pool | |
| resource "aws_cognito_user_pool" "cognito_test_user_pool" { | |
| name = "cognito-test-user-pool" | |
| auto_verified_attributes = [ "email" ] | |
| # for mfa | |
| mfa_configuration = "ON" | |
| sms_authentication_message = " 認証コードは {####} です。" | |
| sms_configuration { | |
| external_id = "${var.aws.sms_role_ext_id}" | |
| sns_caller_arn = aws_iam_role.cognito_test_sms.arn | |
| } | |
| account_recovery_setting { | |
| recovery_mechanism { | |
| name = "admin_only" | |
| priority = 1 | |
| } | |
| } | |
| admin_create_user_config { | |
| allow_admin_create_user_only = true | |
| invite_message_template { | |
| email_message = " ユーザー名は {username}、仮パスワードは {####} です。" | |
| email_subject = " 仮パスワード" | |
| sms_message = " ユーザー名は {username}、仮パスワードは {####} です。" | |
| } | |
| } | |
| email_configuration { | |
| email_sending_account = "COGNITO_DEFAULT" | |
| } | |
| password_policy { | |
| minimum_length = 8 | |
| require_lowercase = true | |
| require_numbers = true | |
| require_symbols = true | |
| require_uppercase = true | |
| temporary_password_validity_days = 7 | |
| } | |
| schema { | |
| attribute_data_type = "String" | |
| developer_only_attribute = false | |
| mutable = true | |
| name = "email" | |
| required = true | |
| string_attribute_constraints { | |
| max_length = "2048" | |
| min_length = "0" | |
| } | |
| } | |
| username_configuration { | |
| case_sensitive = false | |
| } | |
| verification_message_template { | |
| default_email_option = "CONFIRM_WITH_CODE" | |
| email_message = " 検証コードは {####} です。" | |
| email_subject = " 検証コード" | |
| sms_message = " 検証コードは {####} です。" | |
| } | |
| } | |
| # client | |
| resource "aws_cognito_user_pool_client" "cognito_test_client" { | |
| name = "cognito-test-user-pool-client" | |
| access_token_validity = 5 | |
| allowed_oauth_flows_user_pool_client = false | |
| explicit_auth_flows = [ | |
| "ALLOW_ADMIN_USER_PASSWORD_AUTH", | |
| "ALLOW_REFRESH_TOKEN_AUTH", | |
| "ALLOW_USER_SRP_AUTH", | |
| "ALLOW_USER_PASSWORD_AUTH" | |
| ] | |
| id_token_validity = 5 | |
| prevent_user_existence_errors = "ENABLED" | |
| read_attributes = [ | |
| "address", | |
| "birthdate", | |
| "email", | |
| "email_verified", | |
| "family_name", | |
| "gender", | |
| "given_name", | |
| "locale", | |
| "middle_name", | |
| "name", | |
| "nickname", | |
| "phone_number", | |
| "phone_number_verified", | |
| "picture", | |
| "preferred_username", | |
| "profile", | |
| "updated_at", | |
| "website", | |
| "zoneinfo", | |
| ] | |
| refresh_token_validity = 60 | |
| user_pool_id = aws_cognito_user_pool.cognito_test_user_pool.id | |
| write_attributes = [ | |
| "address", | |
| "birthdate", | |
| "email", | |
| "family_name", | |
| "gender", | |
| "given_name", | |
| "locale", | |
| "middle_name", | |
| "name", | |
| "nickname", | |
| "phone_number", | |
| "picture", | |
| "preferred_username", | |
| "profile", | |
| "updated_at", | |
| "website", | |
| "zoneinfo", | |
| ] | |
| token_validity_units { | |
| access_token = "minutes" | |
| id_token = "minutes" | |
| refresh_token = "minutes" | |
| } | |
| } | |
| # id pool | |
| resource "aws_cognito_identity_pool" "cognito_test_identity_pool" { | |
| identity_pool_name = "cognito-test-id-pool" | |
| cognito_identity_providers { | |
| client_id = aws_cognito_user_pool_client.cognito_test_client.id | |
| provider_name = "cognito-idp.ap-northeast-1.amazonaws.com/${aws_cognito_user_pool.cognito_test_user_pool.id}" | |
| server_side_token_check = false | |
| } | |
| } | |
| # IAM role for Identity Auth OK | |
| resource "aws_iam_role" "cognito_test_identity_authenticated" { | |
| assume_role_policy = jsonencode( | |
| { | |
| Statement = [ | |
| { | |
| Action = "sts:AssumeRoleWithWebIdentity" | |
| Condition = { | |
| "ForAnyValue:StringLike" = { | |
| "cognito-identity.amazonaws.com:amr" = "authenticated" | |
| } | |
| "StringEquals" = { | |
| "cognito-identity.amazonaws.com:aud" = aws_cognito_identity_pool.cognito_test_identity_pool.id | |
| } | |
| } | |
| Effect = "Allow" | |
| Principal = { | |
| Federated = "cognito-identity.amazonaws.com" | |
| } | |
| }, | |
| ] | |
| Version = "2012-10-17" | |
| } | |
| ) | |
| force_detach_policies = false | |
| max_session_duration = 3600 | |
| name = "CognitoTestIdentityPool_Authenticeted_Role" | |
| path = "/" | |
| inline_policy { | |
| name = "oneClick_CognitoTestIdentityPool_Authenticeted_Role" | |
| policy = jsonencode( | |
| { | |
| Statement = [ | |
| { | |
| Action = [ | |
| "mobileanalytics:PutEvents", | |
| "cognito-sync:*", | |
| "cognito-identity:*", | |
| ] | |
| Effect = "Allow" | |
| Resource = [ | |
| "*", | |
| ] | |
| }, | |
| ] | |
| Version = "2012-10-17" | |
| } | |
| ) | |
| } | |
| } | |
| # IAM role for Identity Auth NG | |
| resource "aws_iam_role" "cognito_test_identity_unauthenticated" { | |
| assume_role_policy = jsonencode( | |
| { | |
| Statement = [ | |
| { | |
| Action = "sts:AssumeRoleWithWebIdentity" | |
| Condition = { | |
| "ForAnyValue:StringLike" = { | |
| "cognito-identity.amazonaws.com:amr" = "unauthenticated" | |
| } | |
| "StringEquals" = { | |
| "cognito-identity.amazonaws.com:aud" = aws_cognito_identity_pool.cognito_test_identity_pool.id | |
| } | |
| } | |
| Effect = "Allow" | |
| Principal = { | |
| Federated = "cognito-identity.amazonaws.com" | |
| } | |
| }, | |
| ] | |
| Version = "2012-10-17" | |
| } | |
| ) | |
| force_detach_policies = false | |
| max_session_duration = 3600 | |
| name = "CognitoTestIdentityPool_Anauthenticeted_Role" | |
| path = "/" | |
| inline_policy { | |
| name = "oneClick_CognitoTestIdentityPool_Anauthenticeted_Role" | |
| policy = jsonencode( | |
| { | |
| Statement = [ | |
| { | |
| Action = [ | |
| "mobileanalytics:PutEvents", | |
| "cognito-sync:*", | |
| ] | |
| Effect = "Allow" | |
| Resource = [ | |
| "*", | |
| ] | |
| }, | |
| ] | |
| Version = "2012-10-17" | |
| } | |
| ) | |
| } | |
| } | |
| # Auth Role attachment (OK and NG) | |
| resource "aws_cognito_identity_pool_roles_attachment" "cognito_test_identity_pool_role_attachment" { | |
| identity_pool_id = aws_cognito_identity_pool.cognito_test_identity_pool.id | |
| roles = { | |
| "authenticated" = aws_iam_role.cognito_test_identity_authenticated.arn | |
| "unauthenticated" = aws_iam_role.cognito_test_identity_unauthenticated.arn | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment