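# HTTPS listener for the monitoring ALB. The default action is a fixed 403, so
# a request can only reach a target group through a listener rule (the
# "authentication" rule below), never by falling through.
resource "aws_lb_listener" "monitoring" {
  load_balancer_arn = "${aws_lb.monitoring.arn}"
  port              = "${var.alb_listener_port}"
  protocol          = "HTTPS"
  certificate_arn   = "${aws_iam_server_certificate.cert.arn}"

  # Pin the TLS negotiation policy. Left unset, the listener uses the AWS
  # default policy, which still negotiates TLS 1.0 and 1.1; this policy accepts
  # TLS 1.2 only. NOTE(review): chosen because the only expected clients are
  # browsers coming through the Cognito hosted UI — confirm nothing older has
  # to reach this listener before applying.
  ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01"

  # Deny by default: an unmatched request gets a plain 403 and no backend.
  default_action {
    type = "fixed-response"

    fixed_response {
      content_type = "text/plain"
      message_body = "Potato server"
      status_code  = "403"
    }
  }
}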
# Listener rule that puts the nginx target group behind Cognito login. The two
# actions are evaluated in order: authenticate-cognito has to succeed before
# forward is reached, so an unauthenticated request is sent to the hosted UI
# and never touches the backend.
resource "aws_lb_listener_rule" "authentication" {
  listener_arn = "${aws_lb_listener.monitoring.arn}"
  priority = 10

  action {
    type = "authenticate-cognito"

    authenticate_cognito {
      user_pool_arn = "${aws_cognito_user_pool.pool.arn}"
      user_pool_client_id = "${aws_cognito_user_pool_client.client.id}"
      user_pool_domain = "${aws_cognito_user_pool_domain.domain.domain}"

      # "authenticate" redirects unauthenticated requests to the Cognito hosted
      # UI (the alternatives are "deny" -> 401 and "allow" -> pass through).
      on_unauthenticated_request = "authenticate"

      # Lifetime, in seconds, of the ALB session cookie: 24h before the user is
      # sent back through Cognito. NOTE(review): long for an ops/monitoring
      # surface — consider shortening unless re-login friction is a real cost.
      session_timeout = "86400"
    }
  }

  # Only reached once the action above has a valid session.
  # (aws_alb_target_group is the older alias of aws_lb_target_group.)
  action {
    type = "forward"
    target_group_arn = "${aws_alb_target_group.nginx.arn}"
  }

  # Matches every path, so the whole listener goes through the auth action.
  condition {
    field = "path-pattern"
    values = ["/*"]
  }
}
# Cognito pool
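# Cognito user pool the ALB rule authenticates against. Any account in this
# pool can reach the nginx target group, so who may create accounts is the
# actual access-control boundary.
resource "aws_cognito_user_pool" "pool" {
  name = "mypool"

  # The provider default (false) lets anyone who reaches the hosted UI sign
  # themselves up and thereby pass the ALB auth gate. Restrict account creation
  # to administrators (console/API/Terraform) so pool membership is explicit.
  # NOTE(review): the pool still runs with the default password policy and no
  # MFA; tighten those separately if this fronts anything sensitive.
  admin_create_user_config {
    allow_admin_create_user_only = true
  }
}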
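# App client the ALB uses for the OIDC handshake. The ALB runs the
# authorization-code flow as a confidential client (it holds the secret), so
# that is the only flow and the narrowest scope this client needs.
resource "aws_cognito_user_pool_client" "client" {
  name = "client"
  user_pool_id = "${aws_cognito_user_pool.pool.id}"

  # Confidential client: the ALB exchanges the authorization code with this secret.
  generate_secret = true
  allowed_oauth_flows_user_pool_client = true

  # "implicit" removed: the ALB never uses it, and it returns tokens in the URL
  # fragment (browser history, logs, referrers) with no client authentication.
  allowed_oauth_flows = ["code"]
  supported_identity_providers = ["COGNITO"]

  # Both hostnames the ALB is reachable by; the /oauth2/idpresponse path is
  # fixed by the ALB's authenticate action.
  callback_urls = [
    "https://${aws_lb.monitoring.dns_name}/oauth2/idpresponse",
    "https://${var.alb_fqdn}/oauth2/idpresponse",
  ]

  # "aws.cognito.signin.user.admin" dropped: the ALB only needs "openid", and
  # that scope lets the access token (which the ALB forwards to the backend in
  # the x-amzn-oidc-accesstoken header) call the user-pool self-service APIs
  # — update attributes, change password, delete the user.
  # NOTE(review): add "email"/"profile" here if the backend reads those claims.
  allowed_oauth_scopes = ["openid"]
}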
# Hosted-UI domain prefix: the login page is served from
# https://auth-r6-dev.auth.<region>.amazoncognito.com. The prefix must be unique
# across all user pools in the region, and it is the one value here that is
# hard-coded rather than interpolated. NOTE(review): consider deriving it from
# a variable so dev/prod deployments of this module do not collide.
resource "aws_cognito_user_pool_domain" "domain" {
  domain = "auth-r6-dev"
  user_pool_id = "${aws_cognito_user_pool.pool.id}"
}