From 912a036f9e4e46dfc43bf8e60bc1640533a1dd85 Mon Sep 17 00:00:00 2001 From: Adrian Grucza <46910040+apgrucza@users.noreply.github.com> Date: Wed, 8 Sep 2021 12:55:04 +1000 Subject: [PATCH] WTL-852 Add Terraform configuration (#22) --- .gitignore | 3 + README.md | 71 +++++++------------ infra/terraform/README.md | 68 ++++++++++++++++++ infra/terraform/examples/okta_native/main.tf | 13 ++++ .../examples/okta_native/providers.tf | 8 +++ infra/terraform/modules/_auth/main.tf | 50 +++++++++++++ infra/terraform/modules/_auth/outputs.tf | 4 ++ infra/terraform/modules/_auth/provider.tf | 10 +++ infra/terraform/modules/_auth/secrets.tf | 14 ++++ infra/terraform/modules/_auth/variables.tf | 24 +++++++ infra/terraform/modules/_lambda/iam.tf | 38 ++++++++++ infra/terraform/modules/_lambda/main.tf | 32 +++++++++ infra/terraform/modules/_lambda/outputs.tf | 4 ++ infra/terraform/modules/_lambda/provider.tf | 10 +++ infra/terraform/modules/_lambda/variables.tf | 32 +++++++++ infra/terraform/modules/okta_native/main.tf | 9 +++ .../terraform/modules/okta_native/outputs.tf | 4 ++ .../modules/okta_native/parameters.tf | 48 +++++++++++++ .../terraform/modules/okta_native/provider.tf | 10 +++ .../modules/okta_native/variables.tf | 60 ++++++++++++++++ 20 files changed, 468 insertions(+), 44 deletions(-) create mode 100644 infra/terraform/README.md create mode 100644 infra/terraform/examples/okta_native/main.tf create mode 100644 infra/terraform/examples/okta_native/providers.tf create mode 100644 infra/terraform/modules/_auth/main.tf create mode 100644 infra/terraform/modules/_auth/outputs.tf create mode 100644 infra/terraform/modules/_auth/provider.tf create mode 100644 infra/terraform/modules/_auth/secrets.tf create mode 100644 infra/terraform/modules/_auth/variables.tf create mode 100644 infra/terraform/modules/_lambda/iam.tf create mode 100644 infra/terraform/modules/_lambda/main.tf create mode 100644 infra/terraform/modules/_lambda/outputs.tf create mode 100644 infra/terraform/modules/_lambda/provider.tf create mode 100644 infra/terraform/modules/_lambda/variables.tf create mode 100644 infra/terraform/modules/okta_native/main.tf create mode 100644 infra/terraform/modules/okta_native/outputs.tf create mode 100644 infra/terraform/modules/okta_native/parameters.tf create mode 100644 infra/terraform/modules/okta_native/provider.tf create mode 100644 infra/terraform/modules/okta_native/variables.tf diff --git a/.gitignore b/.gitignore index f338ce2..916a63f 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,6 @@ tests/logs/* tests/config /distributions packaged.yaml +.terraform* +terraform.tfstate* +/infra/terraform/modules/_lambda/packages/* diff --git a/README.md b/README.md index 9c098f6..c42a3bc 100755 --- a/README.md +++ b/README.md @@ -30,16 +30,7 @@ The build script prompts you for the required configuration parameters, which ar A generic package retrieves its configuration at runtime from the [AWS Systems Manager](https://aws.amazon.com/systems-manager/) Parameter Store and [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/). Currently, support for this type of package has been added for OKTA Native only. To disable all issued JWTs, rotate the key pair using the Secrets Manager console. -Generic packages are available for download from the Releases page of this GitHub repository. Or, to build a generic package yourself, execute: - -```bash -./build.sh package -``` - -The supported values of `package` are: - -* `okta_native` - builds a generic Lambda package for OKTA Native authentication -* `rotate_key_pair` - builds a Lambda package for rotating the RSA keys in AWS Secrets Manager +Generic packages are pre-built and available for download from the Releases page of this GitHub repository. [Terraform modules](./infra/terraform/README.md) are available for downloading and deploying generic packages and their configuration resources. ## Identity Provider Guides @@ -146,43 +137,15 @@ The supported values of `package` are: 1. Client Id from the application created in our previous step (can be found at the bottom of the general tab) 1. Base Url 1. This is named the 'Org URL' and can be found in the top right of the Dashboard tab. -1. Decide on whether you want to use a custom package or a generic package - * For a custom package: - 1. Execute `./build.sh` in the downloaded directory. NPM will run to download dependencies and an RSA key will be generated. - 1. Choose `OKTA Native` as the authorization method and enter the values for Base URL (Org URL), Client ID, PKCE Code Verifier Length, Redirect URI, and Session Duration - 1. Find the resulting `zip` file in your distribution folder - * For a generic package: - 1. Create the parameters below in the AWS Systems Manager Parameter Store in the `us-east-1` region. Replace `{name}` with the name that you will give the Lambda authentication function. - * `/{name}/base-url` (e.g. `https://my-org.okta.com/oauth2/default`) - * `/{name}/client-id` (from the OKTA application) - * `/{name}/domain-name` (e.g. `my-site.cloudfront.net`) - * `/{name}/callback-path` (e.g. `/callback`) - * `/{name}/session-duration` (in seconds) - * `/{name}/pkce-code-verifier-length` (from 43 to 128) - * `/{name}/scope` (e.g. `openid email`) - 1. Download the latest `okta_native_*.zip` asset from the Releases page -1. Upload the `zip` file using the AWS Lambda console and jump to the [configuration step](#configure-lambda-and-cloudfront) +1. To use the [generic package](#generic-packages), jump straight to [Terraform Modules for CloudFront Authentication](./infra/terraform/README.md). +1. Execute `./build.sh` in the downloaded directory. NPM will run to download dependencies and a RSA key will be generated. +1. Choose `OKTA Native` as the authorization method and enter the values for Base URL (Org URL), Client ID, PKCE Code Verifier Length, Redirect URI, and Session Duration +1. Upload the resulting `zip` file found in your distribution folder using the AWS Lambda console and jump to the [configuration step](#configure-lambda-and-cloudfront) ## Configure Lambda and CloudFront See [Manual Deployment](https://github.com/Widen/cloudfront-auth/wiki/Manual-Deployment) __*or*__ [AWS SAM Deployment](https://github.com/Widen/cloudfront-auth/wiki/AWS-SAM-Deployment) -If deploying a generic package, you also need to follow the steps below in the `us-east-1` region. In these steps, replace `{name}` with the name of the Lambda authentication function you created and `{account_id}` with the AWS Account ID number. - -1. Modify the role on the Lambda authentication function to include a policy that: - * allows the action `secretsmanager:GetSecretValue` on resource `arn:aws:secretsmanager:us-east-1:{account_id}:secret:{name}/*` - * allows the action `ssm:GetParametersByPath` on resource `arn:aws:ssm:us-east-1:{account_id}:parameter/{name}` -1. Execute `./build.sh rotate_key_pair` -1. Create a Lambda rotation function with the following configuration: - * Function code: Use the `rotate_key_pair.zip` file found in the distributions folder - * Runtime: **Node.js 14.x** or later - * Handler: `index.handler` - * Timeout: 30 sec -1. Modify the role on the Lambda rotation function to include a policy that: - * allows the action `secretsmanager:PutSecretValue` on resource `arn:aws:secretsmanager:us-east-1:{account_id}:secret:{name}/*` -1. Create a secret in AWS Secrets Manager named `{name}/key-pair` -1. Enable secret rotation on the secret and associate it with the Lambda rotation function - ## Authorization Method Examples * [Use Google Groups to authorize users](https://github.com/Widen/cloudfront-auth/wiki/Google-Groups-Setup) @@ -199,10 +162,30 @@ Detailed instructions on testing your function can be found [in the Wiki](https: ## Build Requirements -* [npm](https://www.npmjs.com/) ^5.6.0 -* [node](https://nodejs.org/en/) ^10.0 +* [npm](https://www.npmjs.com/) ^7.20.0 +* [node](https://nodejs.org/en/) ^14.0 * [openssl](https://www.openssl.org) +## Building Generic Packages + +If you need to build a generic package yourself, execute: + +```bash +./build.sh package +``` + +The supported values of `package` are: + +* `okta_native` - builds a generic Lambda package for OKTA Native authentication +* `rotate_key_pair` - builds a Lambda package for rotating the RSA keys in AWS Secrets Manager + +GitHub Actions automatically creates a new GitHub release when the repository owner pushes a tag that begins with `v`: + +```sh +git tag -a -m "Target AWS Lambda Node.js 14.x runtime" v3.0.0 +git push origin v3.0.0 +``` + ## Contributing All contributions are welcome. Please create an issue in order open up communication with the community. diff --git a/infra/terraform/README.md b/infra/terraform/README.md new file mode 100644 index 0000000..5a5d28c --- /dev/null +++ b/infra/terraform/README.md @@ -0,0 +1,68 @@ +# Terraform Modules for CloudFront Authentication + +This directory contains the _Terraform_ configuration for adding authentication to a CloudFront distribution. Currently only OKTA Native authentication is supported. + +## Usage + +The Terraform modules for each identity provider are in the [modules](./modules) directory. Refer to the [examples](./examples) directory for Terraform configuration that you can include in your project and adapt. Refer to the `variables.tf` file of the module to see all the available input variables. Below is an example for OKTA Native. + +1. Call the module in your Terraform configuration. CloudFront uses the `us-east-1` region, so you must pass a `us-east-1` provider to the module. + + ```hcl + module "cloudfront_auth_okta_native" { + source = "github.com/iress/cloudfront-auth//infra/terraform/modules/okta_native" + + # Lambda function version to deploy (see the Releases page of this GitHub repository) + release_version = "v3.0.0" + + name = "my-website-auth" + org_url = "https://my-org.okta.com/oauth2/default" + client_id = "Nf2qSD9wXKU9ph8an22T" + domain_name = "my-cloudfront-site.example.com" + + # aws.global_services is a us-east-1 provider + providers = { + aws = aws.global_services + } + } + ``` + +1. Add a [lambda_function_association](https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#lambda_function_association) to your [aws_cloudfront_distribution](https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html) resource: + + ```hcl + resource "aws_cloudfront_distribution" "distribution" { + # ... other configuration ... + + # lambda_function_association is also supported by ordered_cache_behavior + default_cache_behavior { + # ... other configuration ... + + lambda_function_association { + event_type = "viewer-request" + lambda_arn = module.cloudfront_auth_okta_native.auth_lambda_arn + include_body = false + } + } + } + ``` + +## Requirements + +This module requires [wget](https://www.gnu.org/software/wget/) to be installed on the machine or container that runs Terraform. + +## Logs + +Logs are written to CloudWatch. The table below shows where the logs can be found, where {name} is the value of the `name` input variable in the Terraform module. + +| Function | Log group name | Region | +|----------|----------------|--------| +| Authentication | /aws/lambda/us-east-1.{name} | The region closest to the user who made the request to the website +| Secret rotation | /aws/lambda/{name}-rotation | us-east-1 + +## Destroying + +The first time you run `terraform destroy` you may receive the following error: + +*Lambda was unable to delete arn:aws:lambda:us-east-1:553479592532:function:my-website-auth:1 because it is a replicated function. Please see our [documentation](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-edge-delete-replicas.html) for Deleting Lambda@Edge Functions and Replicas.* + +When this occurs, wait (up to a few hours) for CloudFront to delete the Lambda function replicas, then run `terraform destroy` again. diff --git a/infra/terraform/examples/okta_native/main.tf b/infra/terraform/examples/okta_native/main.tf new file mode 100644 index 0000000..95455f5 --- /dev/null +++ b/infra/terraform/examples/okta_native/main.tf @@ -0,0 +1,13 @@ +module "cloudfront_auth_okta_native" { + source = "github.com/iress/cloudfront-auth//infra/terraform/modules/okta_native" + + release_version = "v3.0.0" + name = "my-website-auth" + org_url = "https://my-org.okta.com/oauth2/default" + client_id = "Nf2qSD9wXKU9ph8an22T" + domain_name = "my-cloudfront-site.example.com" + + providers = { + aws = aws.global_services + } +} diff --git a/infra/terraform/examples/okta_native/providers.tf b/infra/terraform/examples/okta_native/providers.tf new file mode 100644 index 0000000..4b74313 --- /dev/null +++ b/infra/terraform/examples/okta_native/providers.tf @@ -0,0 +1,8 @@ +terraform { + required_version = ">= 1.0.0" +} + +provider "aws" { + region = "us-east-1" + alias = "global_services" +} diff --git a/infra/terraform/modules/_auth/main.tf b/infra/terraform/modules/_auth/main.tf new file mode 100644 index 0000000..328c93b --- /dev/null +++ b/infra/terraform/modules/_auth/main.tf @@ -0,0 +1,50 @@ +data "aws_caller_identity" "current" {} + +data "aws_region" "current" {} + +data "aws_iam_policy_document" "auth" { + statement { + actions = ["ssm:GetParametersByPath"] + resources = ["arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${var.name}"] + } + + statement { + actions = ["secretsmanager:GetSecretValue"] + resources = ["arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:${var.name}/*"] + } +} + +data "aws_iam_policy_document" "rotation" { + statement { + actions = ["secretsmanager:PutSecretValue"] + resources = ["arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:${var.name}/*"] + } +} + +module "auth" { + source = "../_lambda" + + name = var.name + tags = var.tags + package_url = var.package_url + timeout = 5 + iam_policy_override_json = data.aws_iam_policy_document.auth.json + lambda_at_edge = true +} + +module "rotation" { + source = "../_lambda" + + name = "${var.name}-rotation" + tags = var.tags + package_url = "https://github.com/iress/cloudfront-auth/releases/download/${var.release_version}/rotate_key_pair.zip" + timeout = 30 + iam_policy_override_json = data.aws_iam_policy_document.rotation.json +} + +resource "aws_lambda_permission" "allow_secrets_manager" { + statement_id = "AllowExecutionFromSecretsManager" + action = "lambda:InvokeFunction" + function_name = module.rotation.lambda_arn + principal = "secretsmanager.amazonaws.com" +} diff --git a/infra/terraform/modules/_auth/outputs.tf b/infra/terraform/modules/_auth/outputs.tf new file mode 100644 index 0000000..12de4f7 --- /dev/null +++ b/infra/terraform/modules/_auth/outputs.tf @@ -0,0 +1,4 @@ +output "auth_lambda_arn" { + value = module.auth.lambda_arn + description = "The Amazon Resource Name (ARN) identifying the authentication Lambda Function Version" +} diff --git a/infra/terraform/modules/_auth/provider.tf b/infra/terraform/modules/_auth/provider.tf new file mode 100644 index 0000000..73a0d7d --- /dev/null +++ b/infra/terraform/modules/_auth/provider.tf @@ -0,0 +1,10 @@ +# Provider passed in should always be us-east-1 + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3" + } + } +} diff --git a/infra/terraform/modules/_auth/secrets.tf b/infra/terraform/modules/_auth/secrets.tf new file mode 100644 index 0000000..4302580 --- /dev/null +++ b/infra/terraform/modules/_auth/secrets.tf @@ -0,0 +1,14 @@ +resource "aws_secretsmanager_secret" "key_pair" { + name = "${var.name}/key-pair" + recovery_window_in_days = 0 + tags = var.tags +} + +resource "aws_secretsmanager_secret_rotation" "key_pair" { + secret_id = aws_secretsmanager_secret.key_pair.id + rotation_lambda_arn = module.rotation.lambda_arn + + rotation_rules { + automatically_after_days = var.key_pair_rotation_period_days + } +} diff --git a/infra/terraform/modules/_auth/variables.tf b/infra/terraform/modules/_auth/variables.tf new file mode 100644 index 0000000..7c196fc --- /dev/null +++ b/infra/terraform/modules/_auth/variables.tf @@ -0,0 +1,24 @@ +variable "release_version" { + description = "The name of the GitHub release version to deploy" + type = string +} + +variable "name" { + description = "A name for the AWS resources created by this module" + type = string +} + +variable "tags" { + description = "Tags to add to each resource" + type = map(string) +} + +variable "package_url" { + description = "The URL of the Lambda authentication function package" + type = string +} + +variable "key_pair_rotation_period_days" { + description = "The number of days between automatic scheduled rotations of the key pair" + type = number +} diff --git a/infra/terraform/modules/_lambda/iam.tf b/infra/terraform/modules/_lambda/iam.tf new file mode 100644 index 0000000..59b3027 --- /dev/null +++ b/infra/terraform/modules/_lambda/iam.tf @@ -0,0 +1,38 @@ +data "aws_iam_policy_document" "assume_role" { + statement { + actions = ["sts:AssumeRole"] + + principals { + type = "Service" + identifiers = var.lambda_at_edge ? ["lambda.amazonaws.com", "edgelambda.amazonaws.com"] : ["lambda.amazonaws.com"] + } + } +} + +data "aws_iam_policy_document" "execution" { + override_json = var.iam_policy_override_json + + statement { + sid = "logs" + + actions = [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents" + ] + + resources = ["arn:aws:logs:*:*:*"] + } +} + +resource "aws_iam_role" "lambda" { + name = var.name + assume_role_policy = data.aws_iam_policy_document.assume_role.json + tags = var.tags +} + +resource "aws_iam_role_policy" "execution" { + name = var.name + role = aws_iam_role.lambda.id + policy = data.aws_iam_policy_document.execution.json +} diff --git a/infra/terraform/modules/_lambda/main.tf b/infra/terraform/modules/_lambda/main.tf new file mode 100644 index 0000000..b4b5823 --- /dev/null +++ b/infra/terraform/modules/_lambda/main.tf @@ -0,0 +1,32 @@ +locals { + package_directory = "${path.module}/packages" + package_filename = basename(var.package_url) +} + +# Always download the lambda package if it does not exist +resource "null_resource" "download" { + triggers = { + always_run = uuid() + } + + provisioner "local-exec" { + command = "test -f ${local.package_directory}/${local.package_filename} || (mkdir -p ${local.package_directory} && wget -P ${local.package_directory} ${var.package_url})" + } +} + +resource "aws_lambda_function" "main" { + filename = "${local.package_directory}/${local.package_filename}" + function_name = var.name + role = aws_iam_role.lambda.arn + handler = "index.handler" + source_code_hash = base64sha256(var.package_url) + runtime = "nodejs14.x" + timeout = var.timeout + publish = var.lambda_at_edge + tags = var.tags + + # Ensure the lambda function is created after the package is downloaded + depends_on = [ + null_resource.download + ] +} diff --git a/infra/terraform/modules/_lambda/outputs.tf b/infra/terraform/modules/_lambda/outputs.tf new file mode 100644 index 0000000..fdd03b9 --- /dev/null +++ b/infra/terraform/modules/_lambda/outputs.tf @@ -0,0 +1,4 @@ +output "lambda_arn" { + value = var.lambda_at_edge ? aws_lambda_function.main.qualified_arn : aws_lambda_function.main.arn + description = "The Amazon Resource Name (ARN) identifying the Lambda Function Version" +} diff --git a/infra/terraform/modules/_lambda/provider.tf b/infra/terraform/modules/_lambda/provider.tf new file mode 100644 index 0000000..73a0d7d --- /dev/null +++ b/infra/terraform/modules/_lambda/provider.tf @@ -0,0 +1,10 @@ +# Provider passed in should always be us-east-1 + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3" + } + } +} diff --git a/infra/terraform/modules/_lambda/variables.tf b/infra/terraform/modules/_lambda/variables.tf new file mode 100644 index 0000000..bf226d6 --- /dev/null +++ b/infra/terraform/modules/_lambda/variables.tf @@ -0,0 +1,32 @@ +variable "name" { + description = "A name for the AWS resources created by this module" + type = string +} + +variable "tags" { + description = "Tags to add to each resource" + type = map(string) +} + +variable "package_url" { + description = "The URL of the function's deployment package" + type = string +} + +variable "timeout" { + description = "The amount of time the Lambda function has to run in seconds" + type = number + default = 3 +} + +variable "iam_policy_override_json" { + description = "An IAM policy document to extend and/or override the default policy document" + type = string + default = null +} + +variable "lambda_at_edge" { + description = "Whether the function is to be used with Lambda@Edge" + type = bool + default = false +} diff --git a/infra/terraform/modules/okta_native/main.tf b/infra/terraform/modules/okta_native/main.tf new file mode 100644 index 0000000..5493b04 --- /dev/null +++ b/infra/terraform/modules/okta_native/main.tf @@ -0,0 +1,9 @@ +module "auth" { + source = "../_auth" + + release_version = var.release_version + name = var.name + tags = var.tags + package_url = "https://github.com/iress/cloudfront-auth/releases/download/${var.release_version}/okta_native.zip" + key_pair_rotation_period_days = var.key_pair_rotation_period_days +} diff --git a/infra/terraform/modules/okta_native/outputs.tf b/infra/terraform/modules/okta_native/outputs.tf new file mode 100644 index 0000000..e181587 --- /dev/null +++ b/infra/terraform/modules/okta_native/outputs.tf @@ -0,0 +1,4 @@ +output "auth_lambda_arn" { + value = module.auth.auth_lambda_arn + description = "The Amazon Resource Name (ARN) identifying the authentication Lambda Function Version" +} diff --git a/infra/terraform/modules/okta_native/parameters.tf b/infra/terraform/modules/okta_native/parameters.tf new file mode 100644 index 0000000..3f2e9c7 --- /dev/null +++ b/infra/terraform/modules/okta_native/parameters.tf @@ -0,0 +1,48 @@ +resource "aws_ssm_parameter" "base_url" { + name = "/${var.name}/base-url" + type = "String" + value = var.org_url + tags = var.tags +} + +resource "aws_ssm_parameter" "client_id" { + name = "/${var.name}/client-id" + type = "String" + value = var.client_id + tags = var.tags +} + +resource "aws_ssm_parameter" "domain_name" { + name = "/${var.name}/domain-name" + type = "String" + value = var.domain_name + tags = var.tags +} + +resource "aws_ssm_parameter" "callback_path" { + name = "/${var.name}/callback-path" + type = "String" + value = var.callback_path + tags = var.tags +} + +resource "aws_ssm_parameter" "session_duration" { + name = "/${var.name}/session-duration" + type = "String" + value = var.session_duration * 60 * 60 + tags = var.tags +} + +resource "aws_ssm_parameter" "pkce_code_verifier_length" { + name = "/${var.name}/pkce-code-verifier-length" + type = "String" + value = var.pkce_code_verifier_length + tags = var.tags +} + +resource "aws_ssm_parameter" "scope" { + name = "/${var.name}/scope" + type = "String" + value = var.scope + tags = var.tags +} diff --git a/infra/terraform/modules/okta_native/provider.tf b/infra/terraform/modules/okta_native/provider.tf new file mode 100644 index 0000000..73a0d7d --- /dev/null +++ b/infra/terraform/modules/okta_native/provider.tf @@ -0,0 +1,10 @@ +# Provider passed in should always be us-east-1 + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3" + } + } +} diff --git a/infra/terraform/modules/okta_native/variables.tf b/infra/terraform/modules/okta_native/variables.tf new file mode 100644 index 0000000..ab60f7d --- /dev/null +++ b/infra/terraform/modules/okta_native/variables.tf @@ -0,0 +1,60 @@ +variable "release_version" { + description = "The name of the GitHub release version to deploy" + type = string +} + +variable "name" { + description = "A name for the AWS resources created by this module" + type = string +} + +variable "tags" { + description = "Tags to add to each resource" + type = map(string) + default = {} +} + +variable "org_url" { + description = "The org URL for the Okta environment" + type = string +} + +variable "client_id" { + description = "Public identifier for the client (can be found in Okta Admin -> Applications)" + type = string +} + +variable "domain_name" { + description = "Domain name of the CloudFront distribution" + type = string +} + +variable "callback_path" { + description = "The path of the URI where Okta will send OAuth responses" + type = string + default = "/_callback" +} + +variable "session_duration" { + description = "The number of hours that the JWT is valid for" + type = number + default = 2 +} + +variable "pkce_code_verifier_length" { + description = "Length of the cryptographically random string that is used to correlate the authorization request to the token request (from 43 to 128)" + type = number + default = 96 +} + +variable "key_pair_rotation_period_days" { + description = "The number of days between automatic scheduled rotations of the key pair" + type = number + default = 7 +} + +variable "scope" { + description = "A space delimited list of OKTA scopes which are used by an application during authentication to authorize access to a user's details, openid is required for authentication requests and other scopes like email may also be included." + type = string + default = "openid email" +}