Merge pull request #280 from opendatacube/enhance-cognito
cognito userpool configuration enhancements
NikitaGandhi authored Feb 4, 2022
2 parents d50e9be + 12b8352 commit eb02a8b
Showing 3 changed files with 125 additions and 63 deletions.
59 changes: 32 additions & 27 deletions cognito/README.md
Expand Up @@ -80,24 +80,26 @@ module "cognito_auth" {
}
# Optional configuration to add additional attributes - standard and/or custom
additional_attributes = {
"gender" = {
"attribute_name" = "gender"
"attribute_data_type" = "String"
"mutable" = false
"required" = true
"min_length" = 1
"max_length" = 10
schema_additional_attributes = [
{
attribute_name = "gender"
attribute_data_type = "String"
developer_only_attribute = false,
mutable = false
required = true
min_value = 1
max_value = 10
},
"organisation" = {
"attribute_name" = "organisation"
"attribute_data_type" = "String"
"mutable" = false
"required" = false
"min_length" = 0
"max_length" = 256
{
attribute_name = "organisation"
attribute_data_type = "String"
developer_only_attribute = false,
mutable = true
required = false
min_value = 0
max_value = 2048
},
}
]
# Default tags + resource labels
owner = "odc-owner"
Expand Down Expand Up @@ -127,25 +129,28 @@ module "cognito_auth" {
### Inputs
| Name | Description | Type | Default | Required |
| ------ | ------------- | :----: | :-----: | :-----: |
| owner | The owner of the environment | string | | yes |
| namespace | The unique namespace for the environment, which could be your organization name or abbreviation, e.g. 'odc' | string | | yes |
| environment | The name of the environment - e.g. dev, stage | string | | yes |
| app_clients | Map of Cognito user pool app clients | map | | yes |
| admin_create_user_config | The configuration for AdminCreateUser requests | map | {} | no |
| owner | The owner of the environment | string | | Yes |
| namespace | The unique namespace for the environment, which could be your organization name or abbreviation, e.g. 'odc' | string | | Yes |
| environment | The name of the environment - e.g. dev, stage | string | | Yes |
| app_clients | Map of Cognito user pool app clients | map | | Yes |
| admin_create_user_config | The configuration for AdminCreateUser requests | map | {} | No |
| admin_create_user_config_allow_admin_create_user_only | Set to True if only the administrator is allowed to create user profiles. Set to False if users can sign themselves up via an app | bool | false | No |
| admin_create_user_config_unused_account_validity_days | The user account expiration limit, in days, after which the account is no longer usable | number | 0 | No |
| admin_create_user_config_email_message | The message template for email messages. Must contain `{username}` and `{####}` placeholders, for username and temporary password, respectively | string | null | No |
| admin_create_user_config_email_subject | The subject line for email messages | string | null | No |
| admin_create_user_config_sms_message | The message template for SMS messages. Must contain `{username}` and `{####}` placeholders, for username and temporary password, respectively | string | null | No |
| auto_verify | Set to true to allow the user account to be auto verified. False - admin will need to verify | bool | | yes |
| additional_attributes | The configuration for adding additional standard or custom attributes | map | {} | no |
| enable_pinpoint | Set to true to enable pinpoint analytics on all user-pools | bool | false | no |
| alias_attributes | (Optional) Attributes supported as an alias for this user pool. Possible values: 'phone_number', 'email', or 'preferred_username'. Conflicts with username_attributes | set(string) | null | No |
| username_attributes | (Optional) Specifies whether email addresses or phone numbers can be specified as usernames when a user signs up. Conflicts with alias_attributes | set(string) | null | No |
| enable_username_case_sensitivity | (Optional) Specifies whether username case sensitivity will be applied for all users in the user pool through Cognito APIs | bool | null | No |
| schema_additional_attributes | (Optional) A list of schema attributes of a user pool. You can add a maximum of 25 custom attributes | any | [] | No |
| enable_pinpoint | Set to true to enable pinpoint analytics on all user-pools | bool | false | No |
| email_verification_message | A string representing the email verification message | string | null | No |
| email_verification_subject | A string representing the email verification subject | string | null | No |
| user_groups | Cognito user groups | map | {} | no |
| user_pool_name | Map of Cognito user pool name | string | | yes |
| user_pool_domain | Cognito user pool domain | string | | yes |
| tags | Additional tags - e.g. `map('StackName','XYZ')` | map(string) | {} | no |
| user_groups | Cognito user groups | map | {} | No |
| user_pool_name | Map of Cognito user pool name | string | | Yes |
| user_pool_domain | Cognito user pool domain | string | | Yes |
| tags | Additional tags - e.g. `map('StackName','XYZ')` | map(string) | {} | No |

### Outputs
| Name | Description | Sensitive |
89 changes: 57 additions & 32 deletions cognito/cognito_auth.tf
@@ -1,9 +1,34 @@
# ======================================
# COGNITO

locals {
alias_attributes = var.alias_attributes == null && var.username_attributes == null ? ["email"] : null

# admin_create_user_config
# If no admin_create_user_config list is provided, build a admin_create_user_config using the default values
admin_create_user_config_default = {
allow_admin_create_user_only = lookup(var.admin_create_user_config, "allow_admin_create_user_only", null) == null ? var.admin_create_user_config_allow_admin_create_user_only : lookup(var.admin_create_user_config, "allow_admin_create_user_only")
email_message = lookup(var.admin_create_user_config, "email_message", null) == null ? (var.email_verification_message == "" || var.email_verification_message == null ? var.admin_create_user_config_email_message : var.email_verification_message) : lookup(var.admin_create_user_config, "email_message")
email_subject = lookup(var.admin_create_user_config, "email_subject", null) == null ? (var.email_verification_subject == "" || var.email_verification_subject == null ? var.admin_create_user_config_email_subject : var.email_verification_subject) : lookup(var.admin_create_user_config, "email_subject")
sms_message = lookup(var.admin_create_user_config, "sms_message", null) == null ? var.admin_create_user_config_sms_message : lookup(var.admin_create_user_config, "sms_message")

}

admin_create_user_config = [local.admin_create_user_config_default]

token_validity_units_default = {
access_token = "minutes"
id_token = "minutes"
refresh_token = "days"
}
allowed_oauth_scopes_default = ["email", "aws.cognito.signin.user.admin", "openid"]
allowed_oauth_flows_default = ["code"]
}

resource "aws_cognito_user_pool" "pool" {
name = var.user_pool_name
alias_attributes = ["email"]
alias_attributes = var.alias_attributes != null ? var.alias_attributes : local.alias_attributes
username_attributes = var.username_attributes
auto_verified_attributes = var.auto_verify ? ["email"] : null

schema {
Expand All @@ -28,22 +53,45 @@ resource "aws_cognito_user_pool" "pool" {
}
}

dynamic "username_configuration" {
for_each = var.enable_username_case_sensitivity != null ? [true] : []
content {
case_sensitive = var.enable_username_case_sensitivity
}
}

# Limitations:
# - standard attributes can only be selected during the pool creation and cannot be changed
# - standard attributes cannot be switched between required and not required after a user pool has been created
# - custom attributes can be defined as a string or a number only
# - custom attributes can't be set to required
# - custom attributes can't be removed or changed once added to the user pool
dynamic "schema" {
for_each = var.additional_attributes
for_each = var.schema_additional_attributes
iterator = attribute
content {
name = schema.value.attribute_name
attribute_data_type = schema.value.attribute_data_type
mutable = schema.value.mutable
required = schema.value.required
string_attribute_constraints {
min_length = schema.value.min_length
max_length = schema.value.max_length
name = attribute.value.attribute_name
attribute_data_type = attribute.value.attribute_data_type
developer_only_attribute = try(attribute.value.developer_only_attribute, false)
mutable = try(attribute.value.mutable, true)
required = try(attribute.value.required, false)

dynamic "number_attribute_constraints" {
for_each = attribute.value.attribute_data_type == "Number" ? [true] : []

content {
min_value = lookup(attribute.value, "min_value", null)
max_value = lookup(attribute.value, "max_value", null)
}
}

dynamic "string_attribute_constraints" {
for_each = attribute.value.attribute_data_type == "String" ? [true] : []

content {
min_length = lookup(attribute.value, "min_length", 0)
max_length = lookup(attribute.value, "max_length", 2048)
}
}
}
}
Expand Down Expand Up @@ -90,29 +138,6 @@ resource "aws_cognito_user_pool" "pool" {
)
}

locals {

# admin_create_user_config
# If no admin_create_user_config list is provided, build a admin_create_user_config using the default values
admin_create_user_config_default = {
allow_admin_create_user_only = lookup(var.admin_create_user_config, "allow_admin_create_user_only", null) == null ? var.admin_create_user_config_allow_admin_create_user_only : lookup(var.admin_create_user_config, "allow_admin_create_user_only")
email_message = lookup(var.admin_create_user_config, "email_message", null) == null ? (var.email_verification_message == "" || var.email_verification_message == null ? var.admin_create_user_config_email_message : var.email_verification_message) : lookup(var.admin_create_user_config, "email_message")
email_subject = lookup(var.admin_create_user_config, "email_subject", null) == null ? (var.email_verification_subject == "" || var.email_verification_subject == null ? var.admin_create_user_config_email_subject : var.email_verification_subject) : lookup(var.admin_create_user_config, "email_subject")
sms_message = lookup(var.admin_create_user_config, "sms_message", null) == null ? var.admin_create_user_config_sms_message : lookup(var.admin_create_user_config, "sms_message")

}

admin_create_user_config = [local.admin_create_user_config_default]

token_validity_units_default = {
access_token = "minutes"
id_token = "minutes"
refresh_token = "days"
}
allowed_oauth_scopes_default = ["email", "aws.cognito.signin.user.admin", "openid"]
allowed_oauth_flows_default = ["code"]
}

resource "aws_cognito_user_pool_client" "clients" {
for_each = var.app_clients
name = each.key
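Review bot: The `string_attribute_constraints` block reads only `min_length = lookup(attribute.value, "min_length", 0)` and `max_length = lookup(attribute.value, "max_length", 2048)`, yet the README example updated in this same commit sets `min_value = 1` / `max_value = 10` on a `String` attribute; because `lookup` falls back silently, those keys are dropped and the attribute is created with the 0/2048 defaults rather than the documented bounds. Either the README example should use `min_length`/`max_length`, or the mismatch should be made loud, since the variable is `type = any` and nothing else catches a wrong key. I would add above the `dynamic "schema"` block: `# Keys are read with lookup()/try(): an unknown or mismatched key (e.g. min_value on a String attribute) is silently ignored and the default applies.` The enclosing `aws_cognito_user_pool.pool` resource starts in the first hunk and continues past the last one.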
40 changes: 36 additions & 4 deletions cognito/variables.tf
Expand Up @@ -30,6 +30,24 @@ variable "auto_verify" {
type = bool
}

variable "alias_attributes" {
type = set(string)
description = "(Optional) Attributes supported as an alias for this user pool. Possible values: 'phone_number', 'email', or 'preferred_username'. Conflicts with username_attributes."
default = null
}

variable "username_attributes" {
type = set(string)
description = "(Optional) Specifies whether email addresses or phone numbers can be specified as usernames when a user signs up. Conflicts with alias_attributes."
default = null
}

variable "enable_username_case_sensitivity" {
type = bool
description = "(Optional) Specifies whether username case sensitivity will be applied for all users in the user pool through Cognito APIs."
default = null
}

#--------------------------------------------------------------
# Tags
#--------------------------------------------------------------
Expand Down Expand Up @@ -104,8 +122,22 @@ variable "tags" {
default = {}
}

variable "additional_attributes" {
description = "The configuration for adding additional standard or custom attributes"
type = map(any)
default = {}
variable "schema_additional_attributes" {
description = "(Optional) A list of schema attributes of a user pool. You can add a maximum of 25 custom attributes."
type = any
default = []
#
# Example:
#
# schema_additional_attributes = [
# {
# attribute_name = "alternative_name"
# attribute_data_type = "String"
# developer_only_attribute = false,
# mutable = true,
# required = false,
# min_length = 0,
# max_length = 2048
# },
# ]
}
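Review bot: `schema_additional_attributes` is declared `type = any`, so a list element with a mistyped key or a wrong value type passes variable checking and is only noticed, or silently defaulted, when the resource reads it. The description states a maximum of 25 custom attributes but nothing enforces it before the AWS API call; a `validation` block on the variable would reject an oversized list at plan time, and the same mechanism could check the `alias_attributes`/`username_attributes` pair added earlier in this file, whose descriptions say they conflict but which nothing verifies. The block below adds the length check; a tighter `list(object({...}))` type would be the stronger fix if the module's minimum Terraform version supports optional object attributes.
```hcl
variable "schema_additional_attributes" {
  # … unchanged: description, type, default, example comment …

  validation {
    condition     = length(var.schema_additional_attributes) <= 25
    error_message = "schema_additional_attributes may contain at most 25 attributes."
  }
}
```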
