locals {
  # The custom login domain and its DNS record are created only when both DNS
  # management and certificate provisioning are switched on; 0 disables both.
  enable_domain_count = (var.enable_dns && var.enable_certificates) ? 1 : 0
}
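# User pool backing the admin console; users sign in with their e-mail address.
resource "aws_cognito_user_pool" "admin_user_pool" {
  name                = "${module.labels.id}-admin-userpool"
  username_attributes = ["email"]

  # This pool holds privileged operators (see the groups defined below), so
  # accounts must be created by an administrator. With the provider default
  # (false) the sign-up endpoint is open to anyone holding the public client ID.
  admin_create_user_config {
    allow_admin_create_user_only = true
  }

  # NOTE(review): mfa_configuration is left at the default (OFF). Enabling TOTP
  # MFA for this pool needs mfa_configuration plus software_token_mfa_configuration;
  # consider it for a pool that grants settings-write / manage-users rights.
}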
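# App client used by the admin front end against the hosted UI. generate_secret
# is left at its default (false), so this is a public client. Only a local-dev
# callback is configured; Cognito accepts plain http for localhost only, so
# production redirect URIs presumably come from elsewhere -- confirm.
resource "aws_cognito_user_pool_client" "user_pool_client" {
  name         = "${module.labels.id}-admin-userpool-client"
  user_pool_id = aws_cognito_user_pool.admin_user_pool.id

  # The OAuth flows and scopes below are only applied when this is true; the
  # provider default is false.
  allowed_oauth_flows_user_pool_client = true

  # TODO(security): "implicit" delivers tokens in the URL fragment and is
  # deprecated by the OAuth 2.0 Security BCP; remove it once the front end
  # uses "code" with PKCE (Cognito supports PKCE on the code flow without
  # further configuration). Kept for now so existing clients keep working.
  allowed_oauth_flows  = ["code", "implicit"]
  allowed_oauth_scopes = ["phone", "email", "openid", "profile", "aws.cognito.signin.user.admin"]

  callback_urls        = ["http://localhost"]
  default_redirect_uri = "http://localhost"

  supported_identity_providers = ["COGNITO"]

  # Return the same generic error for unknown and known users so that sign-in
  # and forgot-password responses cannot be used to enumerate accounts.
  prevent_user_existence_errors = "ENABLED"
}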
# Custom hosted-UI domain of the form <labels.id>-login.<cognito_dns>. Only
# created when DNS and certificates are both enabled (local.enable_domain_count).
resource "aws_cognito_user_pool_domain" "main" {
  count = local.enable_domain_count

  user_pool_id = aws_cognito_user_pool.admin_user_pool.id
  domain       = "${module.labels.id}-login.${var.cognito_dns}"

  # Cognito custom domains require an ACM certificate in us-east-1; the "_us"
  # suffix suggests wildcard_cert_us (defined outside this file) lives there --
  # confirm. The [0] index assumes that certificate is gated on the same
  # enable_dns && enable_certificates condition as this resource.
  certificate_arn = aws_acm_certificate.wildcard_cert_us[0].arn
}
# Public A record for the custom login domain, aliased to the CloudFront
# distribution that Cognito provisions for it. Created under the aws.dns
# provider alias, presumably because the hosted zone is managed in a different
# account or region from the user pool.
resource "aws_route53_record" "auth_cognito_A_record" {
  count    = local.enable_domain_count
  provider = aws.dns

  zone_id = data.aws_route53_zone.primary[0].id
  name    = aws_cognito_user_pool_domain.main[0].domain
  type    = "A"

  alias {
    # Despite its name, cloudfront_distribution_arn exposes the distribution's
    # DNS name, which is what an alias target expects.
    name = aws_cognito_user_pool_domain.main[0].cloudfront_distribution_arn

    # Z2FDTNDATAQYW2 is the single fixed hosted zone ID shared by all CloudFront
    # distributions, and Route 53 does not evaluate health for CloudFront targets.
    zone_id                = "Z2FDTNDATAQYW2"
    evaluate_target_health = false
  }
}
# Group for read-only access to application settings. No role_arn is attached,
# so membership only surfaces as a claim in issued tokens; membership itself is
# not managed in this file.
resource "aws_cognito_user_group" "settings_read" {
  user_pool_id = aws_cognito_user_pool.admin_user_pool.id
  name         = "settings-read"
}
# Group for write access to application settings (a privileged role). Like the
# other groups here it carries no role_arn; enforcement is left to the application.
resource "aws_cognito_user_group" "settings_write" {
  user_pool_id = aws_cognito_user_pool.admin_user_pool.id
  name         = "settings-write"
}
# Group allowed to send one-time codes ("otc" is presumably one-time code --
# confirm against the application). No role_arn or precedence is set.
resource "aws_cognito_user_group" "otc_send" {
  user_pool_id = aws_cognito_user_pool.admin_user_pool.id
  name         = "otc-send"
}
# Administrative QR-code group; paired with the qr_user group below. No IAM
# role is attached, so the distinction is enforced by the application.
resource "aws_cognito_user_group" "qr_admin" {
  user_pool_id = aws_cognito_user_pool.admin_user_pool.id
  name         = "qr-admin"
}
# Non-administrative QR-code group; see qr_admin above. Membership is not
# managed in this file.
resource "aws_cognito_user_group" "qr_user" {
  user_pool_id = aws_cognito_user_pool.admin_user_pool.id
  name         = "qr-user"
}
# Group for user administration -- the most sensitive role in this pool. No
# role_arn is attached; the application is expected to gate admin actions on
# this group claim.
resource "aws_cognito_user_group" "manage_users" {
  user_pool_id = aws_cognito_user_pool.admin_user_pool.id
  name         = "manage-users"
}
# Group for read-only dashboard access. NOTE(review): the resource label uses a
# hyphen ("dashboard-read") while every other group here is snake_case; it is
# left unchanged because renaming the label changes the resource address and
# would need a state move.
resource "aws_cognito_user_group" "dashboard-read" {
  user_pool_id = aws_cognito_user_pool.admin_user_pool.id
  name         = "dashboard-read"
}