Sample Terraform file for creating an AWS Cognito user pool with MFA enabled
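# Settings shared by the Cognito resources below.
variable "aws" {
  description = "sms_role_ext_id is the sts:ExternalId Cognito must present when it assumes the SMS role; keep it in sync between the role trust policy and the user pool's sms_configuration."
  # Explicit object type so a mistyped key fails at plan time instead of
  # surfacing as an unknown-attribute error inside the IAM trust policy.
  type = object({
    sms_role_ext_id = string
  })
  default = {
    sms_role_ext_id = "cognito-test-sms-role-external-id"
  }
}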
# IAM role that Cognito assumes to deliver SMS (MFA codes, invitations) through SNS.
resource "aws_iam_role" "cognito_test_sms" {
  name                  = "CognitoTest_SMS"
  path                  = "/service-role/"
  description           = "role for applicant cognito, send sms"
  max_session_duration  = 3600
  force_detach_policies = false

  # Trust policy: only the Cognito service principal may assume this role, and
  # only when it presents the external ID that the user pool's sms_configuration
  # is told to send. The ExternalId condition is the confused-deputy guard.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          Service = "cognito-idp.amazonaws.com"
        }
        Condition = {
          StringEquals = {
            "sts:ExternalId" = var.aws.sms_role_ext_id
          }
        }
      },
    ]
  })

  # Permission policy: SNS publish only. SMS delivery targets phone numbers,
  # which have no resource ARN, so this grant cannot be narrowed below "*".
  inline_policy {
    name = "cognito_sms"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect   = "Allow"
          Action   = ["sns:publish"]
          Resource = ["*"]
        },
      ]
    })
  }
}
# User pool: admin-created users only, mandatory MFA delivered by SMS.
resource "aws_cognito_user_pool" "cognito_test_user_pool" {
  name                     = "cognito-test-user-pool"
  auto_verified_attributes = ["email"]

  # MFA is required for every sign-in. Only the SMS factor is configured here;
  # a software_token_mfa_configuration block would add TOTP as a second option
  # that does not depend on the phone number or on SMS delivery.
  mfa_configuration          = "ON"
  sms_authentication_message = " 認証コードは {####} です。"
  sms_configuration {
    # Must match the sts:ExternalId condition on the SMS role's trust policy.
    external_id    = var.aws.sms_role_ext_id
    sns_caller_arn = aws_iam_role.cognito_test_sms.arn
  }

  # Self-service recovery is disabled; an administrator resets passwords.
  account_recovery_setting {
    recovery_mechanism {
      name     = "admin_only"
      priority = 1
    }
  }

  # Self sign-up is off; accounts are provisioned by an administrator and the
  # invitation carries the temporary password.
  admin_create_user_config {
    allow_admin_create_user_only = true
    invite_message_template {
      email_subject = " 仮パスワード"
      email_message = " ユーザー名は {username}、仮パスワードは {####} です。"
      sms_message   = " ユーザー名は {username}、仮パスワードは {####} です。"
    }
  }

  email_configuration {
    email_sending_account = "COGNITO_DEFAULT"
  }

  # All four character classes required; temporary passwords expire after 7 days.
  password_policy {
    minimum_length                   = 8
    require_uppercase                = true
    require_lowercase                = true
    require_numbers                  = true
    require_symbols                  = true
    temporary_password_validity_days = 7
  }

  # Email is the one required attribute (also the auto-verified one above).
  schema {
    name                     = "email"
    attribute_data_type      = "String"
    required                 = true
    mutable                  = true
    developer_only_attribute = false
    string_attribute_constraints {
      min_length = "0"
      max_length = "2048"
    }
  }

  username_configuration {
    case_sensitive = false
  }

  verification_message_template {
    default_email_option = "CONFIRM_WITH_CODE"
    email_subject        = " 検証コード"
    email_message        = " 検証コードは {####} です。"
    sms_message          = " 検証コードは {####} です。"
  }
}
# App client for the user pool above. No OAuth flows; token lifetimes in minutes.
resource "aws_cognito_user_pool_client" "cognito_test_client" {
  name         = "cognito-test-user-pool-client"
  user_pool_id = aws_cognito_user_pool.cognito_test_user_pool.id

  allowed_oauth_flows_user_pool_client = false

  # Returns a generic failure for unknown users so the sign-in endpoint cannot
  # be used to enumerate accounts.
  prevent_user_existence_errors = "ENABLED"

  # SRP keeps the password off the wire; the two *_PASSWORD_AUTH flows send the
  # password itself to Cognito and are only needed for clients that cannot do
  # SRP. Drop them once every client can.
  explicit_auth_flows = [
    "ALLOW_ADMIN_USER_PASSWORD_AUTH",
    "ALLOW_REFRESH_TOKEN_AUTH",
    "ALLOW_USER_SRP_AUTH",
    "ALLOW_USER_PASSWORD_AUTH"
  ]

  # Short-lived access/id tokens (5 min) renewed from a 60 min refresh token.
  access_token_validity  = 5
  id_token_validity      = 5
  refresh_token_validity = 60
  token_validity_units {
    access_token  = "minutes"
    id_token      = "minutes"
    refresh_token = "minutes"
  }

  # Standard profile attributes the client may read.
  read_attributes = [
    "address",
    "birthdate",
    "email",
    "email_verified",
    "family_name",
    "gender",
    "given_name",
    "locale",
    "middle_name",
    "name",
    "nickname",
    "phone_number",
    "phone_number_verified",
    "picture",
    "preferred_username",
    "profile",
    "updated_at",
    "website",
    "zoneinfo",
  ]

  # Same set minus the *_verified flags, which only Cognito itself may set.
  write_attributes = [
    "address",
    "birthdate",
    "email",
    "family_name",
    "gender",
    "given_name",
    "locale",
    "middle_name",
    "name",
    "nickname",
    "phone_number",
    "picture",
    "preferred_username",
    "profile",
    "updated_at",
    "website",
    "zoneinfo",
  ]
}
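# Identity pool that exchanges user-pool tokens for temporary AWS credentials.
resource "aws_cognito_identity_pool" "cognito_test_identity_pool" {
  identity_pool_name = "cognito-test-id-pool"
  # allow_unauthenticated_identities is left at its default (false), so the
  # unauthenticated role attached later is not obtainable by anonymous callers.

  cognito_identity_providers {
    client_id = aws_cognito_user_pool_client.cognito_test_client.id
    # The user pool's endpoint attribute has the form
    # "cognito-idp.<region>.amazonaws.com/<pool id>", which is exactly the
    # provider name expected here. Referencing it instead of a hand-written
    # ap-northeast-1 string keeps the two in sync if the pool moves region.
    provider_name = aws_cognito_user_pool.cognito_test_user_pool.endpoint
    # false: tokens are accepted on their signature alone. true makes the
    # identity pool re-check with the user pool that the user has not been
    # globally signed out or deleted before issuing credentials.
    server_side_token_check = false
  }
}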
# IAM role handed to identities that signed in through the user pool.
resource "aws_iam_role" "cognito_test_identity_authenticated" {
  name                  = "CognitoTestIdentityPool_Authenticeted_Role"
  path                  = "/"
  max_session_duration  = 3600
  force_detach_policies = false

  # Trust policy: the Cognito identity service may assume this role only for
  # tokens minted for THIS identity pool (aud) whose identity is authenticated
  # (amr). Without the aud check any identity pool could hand out this role.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = "sts:AssumeRoleWithWebIdentity"
        Principal = {
          Federated = "cognito-identity.amazonaws.com"
        }
        Condition = {
          "StringEquals" = {
            "cognito-identity.amazonaws.com:aud" = aws_cognito_identity_pool.cognito_test_identity_pool.id
          }
          "ForAnyValue:StringLike" = {
            "cognito-identity.amazonaws.com:amr" = "authenticated"
          }
        }
      },
    ]
  })

  # Permission policy: the console's "oneClick" default. cognito-identity:* on
  # "*" covers every action in that namespace, including pool administration;
  # narrow it to the identity/credential calls the application actually makes.
  inline_policy {
    name = "oneClick_CognitoTestIdentityPool_Authenticeted_Role"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"
          Action = [
            "mobileanalytics:PutEvents",
            "cognito-sync:*",
            "cognito-identity:*",
          ]
          Resource = ["*"]
        },
      ]
    })
  }
}
# IAM role for guest (unauthenticated) identities. Only reachable if the
# identity pool enables unauthenticated identities, which it does not above.
resource "aws_iam_role" "cognito_test_identity_unauthenticated" {
  name                  = "CognitoTestIdentityPool_Anauthenticeted_Role"
  path                  = "/"
  max_session_duration  = 3600
  force_detach_policies = false

  # Trust policy mirrors the authenticated role but matches amr "unauthenticated";
  # the aud condition again pins it to this identity pool.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = "sts:AssumeRoleWithWebIdentity"
        Principal = {
          Federated = "cognito-identity.amazonaws.com"
        }
        Condition = {
          "StringEquals" = {
            "cognito-identity.amazonaws.com:aud" = aws_cognito_identity_pool.cognito_test_identity_pool.id
          }
          "ForAnyValue:StringLike" = {
            "cognito-identity.amazonaws.com:amr" = "unauthenticated"
          }
        }
      },
    ]
  })

  # Permission policy: analytics events plus unrestricted cognito-sync. Guests
  # get no cognito-identity:* here, unlike the authenticated role.
  inline_policy {
    name = "oneClick_CognitoTestIdentityPool_Anauthenticeted_Role"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"
          Action = [
            "mobileanalytics:PutEvents",
            "cognito-sync:*",
          ]
          Resource = ["*"]
        },
      ]
    })
  }
}
# Binds the authenticated and unauthenticated roles to the identity pool.
resource "aws_cognito_identity_pool_roles_attachment" "cognito_test_identity_pool_role_attachment" {
  identity_pool_id = aws_cognito_identity_pool.cognito_test_identity_pool.id

  roles = {
    "authenticated"   = aws_iam_role.cognito_test_identity_authenticated.arn
    "unauthenticated" = aws_iam_role.cognito_test_identity_unauthenticated.arn
  }
}