locals {
  # Hosted zone id of CloudFront distributions. It is a single fixed value
  # used for every Route53 alias record that targets CloudFront (and hence a
  # Cognito custom domain), independent of account or region.
  # See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53-aliastarget.html#cfn-route53-aliastarget-hostedzoneid
  cloudfront_zone_id = "Z2FDTNDATAQYW2"
}
# Looks up the caller-supplied hosted zone so the certificate module can
# validate the auth domain in it. The record resources below use var.zone_id
# directly rather than this data source.
data "aws_route53_zone" "selected" {
  zone_id = var.zone_id
}
// User pool whose only configured identity source is the SAML provider in
// aws_cognito_identity_provider.saml below. Users are addressed by their
// email alias; that attribute is the only one declared in the schema.
resource "aws_cognito_user_pool" "saml" {
  name             = var.name
  alias_attributes = ["email"]

  schema {
    name                = "email"
    attribute_data_type = "String"
    required            = true
    // Required to be mutable for any attribute that comes from a SAML IDP.
    mutable = true
    // These are just the defaults, but if you don't include them then you
    // trigger:
    // https://github.com/hashicorp/terraform-provider-aws/issues/3891
    // https://github.com/hashicorp/terraform-provider-aws/issues/4227
    string_attribute_constraints {
      min_length = 0
      max_length = 2048
    }
  }

  // NOTE(review): no admin_create_user_config, password_policy or
  // mfa_configuration is set, so provider defaults apply. If this pool is
  // meant to be federated-only, confirm that native self sign-up via the
  // hosted UI is not reachable -- TODO confirm against the deployed pool.
}
// App client used by the relying parties. It is a confidential client
// (generate_secret) limited to the authorization-code flow and the "openid"
// scope, and sign-in through it is restricted to the SAML provider -- the
// native COGNITO provider is deliberately not listed.
resource "aws_cognito_user_pool_client" "saml" {
  user_pool_id = aws_cognito_user_pool.saml.id
  name         = var.name

  supported_identity_providers = [aws_cognito_identity_provider.saml.provider_name]

  // Redirect targets the hosted UI will accept. Cognito matches these
  // exactly, so each host gets the bare origin plus the
  // "/oauth2/idpresponse" and "/saml2/idpresponse" paths (presumably
  // load-balancer authentication callbacks -- verify against the relying
  // parties). The auth domain itself is always included; every entry in
  // var.relying_party_dns_names is added on top, de-duplicated as a set.
  // NOTE(review): the bare var.dns_name entry has no trailing slash while
  // the relying-party entries use "https://<host>/"; confirm which form the
  // relying parties actually redirect to, since a mismatch is rejected.
  callback_urls = setunion(
    toset([
      "https://${var.dns_name}",
      "https://${var.dns_name}/oauth2/idpresponse",
      "https://${var.dns_name}/saml2/idpresponse",
    ]),
    toset(flatten([
      for rp_host in var.relying_party_dns_names : [
        "https://${rp_host}/",
        "https://${rp_host}/oauth2/idpresponse",
        "https://${rp_host}/saml2/idpresponse",
      ]
    ]))
  )

  // Confidential client: the relying party holds the secret and exchanges
  // the authorization code server-side.
  generate_secret = true

  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_scopes                 = ["openid"]
  allowed_oauth_flows                  = ["code"]

  // NOTE(review): prevent_user_existence_errors is left at the provider
  // default; if any native auth flow is enabled on this client, consider
  // setting it to "ENABLED" -- TODO confirm.
}
// ACM certificate for the custom auth domain, DNS-validated in the selected
// hosted zone. Cognito custom domains are served through CloudFront, which
// requires the certificate to be issued in us-east-1 -- hence the aliased
// provider rather than the default one.
module "auth_domain_certificate" {
  source = "trussworks/acm-cert/aws"

  providers = {
    aws = aws.us-east-1
  }

  environment = var.environment
  zone_id     = data.aws_route53_zone.selected.id
  domain_name = var.dns_name
}
// Custom hosted-UI domain for the pool, using the certificate issued by
// module.auth_domain_certificate. The Route53 alias records below point
// var.dns_name at the CloudFront distribution this creates.
resource "aws_cognito_user_pool_domain" "saml" {
  user_pool_id    = aws_cognito_user_pool.saml.id
  certificate_arn = module.auth_domain_certificate.acm_arn
  domain          = var.dns_name
}
// IPv4 alias for the auth domain, pointing at the CloudFront distribution
// behind the Cognito custom domain. The companion AAAA record is
// aws_route53_record.cognito_auth_ipv6.
resource "aws_route53_record" "cognito_auth" {
  zone_id = var.zone_id
  type    = "A"
  name    = var.dns_name

  alias {
    // Despite the attribute name, the provider exposes the distribution
    // hostname here, which is what an alias target needs.
    name    = aws_cognito_user_pool_domain.saml.cloudfront_distribution_arn
    zone_id = local.cloudfront_zone_id
    // Health evaluation is not supported for CloudFront alias targets.
    evaluate_target_health = false
  }
}
// IPv6 alias for the auth domain; mirrors aws_route53_record.cognito_auth
// with an AAAA record so dual-stack clients resolve the same distribution.
resource "aws_route53_record" "cognito_auth_ipv6" {
  zone_id = var.zone_id
  type    = "AAAA"
  name    = var.dns_name

  alias {
    // Same CloudFront hostname and fixed CloudFront hosted zone as the A
    // record; health evaluation is not supported for CloudFront targets.
    evaluate_target_health = false
    zone_id                = local.cloudfront_zone_id
    name                   = aws_cognito_user_pool_domain.saml.cloudfront_distribution_arn
  }
}
// SAML identity provider attached to the pool. Trust is configured from the
// IdP metadata document supplied by the caller, and only the email
// assertion attribute is mapped into the pool (matching the single schema
// attribute on aws_cognito_user_pool.saml).
resource "aws_cognito_identity_provider" "saml" {
  provider_type = "SAML"
  provider_name = var.name
  user_pool_id  = aws_cognito_user_pool.saml.id

  attribute_mapping = {
    email = "email"
  }

  provider_details = {
    // AWS actually computes this value automatically from the MetadataFile,
    // but if we don't specify it, terraform always thinks this resource has
    // changed:
    // https://github.com/terraform-providers/terraform-provider-aws/issues/4831
    SSORedirectBindingURI = var.saml_metadata_sso_redirect_binding_uri
    MetadataFile          = var.saml_metadata_file_content
  }
}