user pool rbac for admin

terraform-incubator/home-unite-us/dev/iam.tf

@@ -52,6 +52,77 @@ resource "aws_iam_policy" "homeuniteus_manage_ecr" {
                   "ecr:PutImage"
           ],
           Resource =  aws_ecr_repository.this.arn          
+        },
+        {
+          Sid = "ManageHomeUniteUsCognito",
+          Effect = "Allow",
+          Action = [
+                  "ecr:BatchCheckLayerAvailability",
+                  "ecr:GetDownloadUrlForLayer",
+                  "ecr:GetRepositoryPolicy",
+                  "ecr:DescribeRepositories",
+                  "ecr:ListImages",
+                  "ecr:DescribeImages",
+                  "ecr:BatchGetImage",
+                  "ecr:InitiateLayerUpload",
+                  "ecr:UploadLayerPart",
+                  "ecr:CompleteLayerUpload",
+                  "ecr:PutImage"
+          ],
+          Resource =  aws_ecr_repository.this.arn          
+        },
+        {
+          Effect = "Allow",
+          Action = [
+            "cognito-identity:*",
+            "cognito-idp:*",
+            "cognito-sync:*",
+            "iam:ListRoles",
+            "iam:ListOpenIdConnectProviders",
+            "iam:GetRole",
+            "iam:ListSAMLProviders",
+            "iam:GetSAMLProvider",
+            "kinesis:ListStreams",
+            "lambda:GetPolicy",
+            "lambda:ListFunctions",
+            "sns:GetSMSSandboxAccountStatus",
+            "sns:ListPlatformApplications",
+            "ses:ListIdentities",
+            "ses:GetIdentityVerificationAttributes",
+            "mobiletargeting:GetApps",
+            "acm:ListCertificates"
+          ],
+          Resource = [
+            aws_cognito_user_pool.homeuniteus.arn,
+            aws_cognito_user_pool_client.homeuniteus.arn
+          ]
+        },
+        {
+          Effect = "Allow",
+          Action = "iam:CreateServiceLinkedRole",
+          Resource = [
+            aws_cognito_user_pool.homeuniteus.arn,
+            aws_cognito_user_pool_client.homeuniteus.arn
+          ],
+          Condition = {
+            StringEquals = {
+              "iam:AWSServiceName" = [
+                "cognito-idp.amazonaws.com",
+                "email.cognito-idp.amazonaws.com"
+              ]
+            }
+          }
+        },
+        {
+          Effect = "Allow",
+          Action = [
+            "iam:DeleteServiceLinkedRole",
+            "iam:GetServiceLinkedRoleDeletionStatus"
+          ],
+          Resource = [
+            "arn:aws:iam::*:role/aws-service-role/cognito-idp.amazonaws.com/AWSServiceRoleForAmazonCognitoIdp*",
+            "arn:aws:iam::*:role/aws-service-role/email.cognito-idp.amazonaws.com/AWSServiceRoleForAmazonCognitoIdpEmail*"
+          ]
         }
         # ,
         # {

terraform-incubator/home-unite-us/dev/main.tf

@@ -105,7 +105,7 @@ resource "aws_iam_role" "cognito_idp" {
   })
 }
 
-resource "aws_iam_role_policy" "main" {
+resource "aws_iam_role_policy" "cognito_sns" {
   name = "homeuniteus-cognito-idp"
   role = aws_iam_role.cognito_idp.id
 
@@ -184,4 +184,94 @@ resource "aws_cognito_user_pool" "homeuniteus" {
   verification_message_template {
     default_email_option  = "CONFIRM_WITH_CODE"
   }
+}
+
+resource "aws_cognito_user_pool_client" "homeuniteus" {
+  access_token_validity                         = 30
+  allowed_oauth_flows                           = ["code"]
+  allowed_oauth_flows_user_pool_client          = true
+  allowed_oauth_scopes                          = [
+    "aws.cognito.signin.user.admin", 
+    "email", 
+    "openid", 
+    "phone", 
+    "profile"
+  ]
+  auth_session_validity                         = 3
+  callback_urls                                 = [
+    "http://localhost:4040/signin", 
+    "http://localhost:4040/signup", 
+    "http://localhost:4040/signup/coordinator", 
+    "http://localhost:4040/signup/host", 
+    "https://dev.homeunite.us/signin", 
+    "https://dev.homeunite.us/signup", 
+    "https://dev.homeunite.us/signup/coordinator", 
+    "https://dev.homeunite.us/signup/host"
+  ]
+  default_redirect_uri                          = null
+  enable_propagate_additional_user_context_data = false
+  enable_token_revocation                       = true
+  explicit_auth_flows                           = [
+    "ALLOW_ADMIN_USER_PASSWORD_AUTH", 
+    "ALLOW_CUSTOM_AUTH", 
+    "ALLOW_REFRESH_TOKEN_AUTH", 
+    "ALLOW_USER_PASSWORD_AUTH", 
+    "ALLOW_USER_SRP_AUTH"
+  ]
+  generate_secret                               = null
+  id_token_validity                             = 60
+  logout_urls                                   = []
+  name                                          = "homeuniteus"
+  prevent_user_existence_errors                 = "ENABLED"
+  read_attributes                               = [
+    "address", 
+    "birthdate", 
+    "email", 
+    "email_verified", 
+    "family_name", 
+    "gender", 
+    "given_name", 
+    "locale", 
+    "middle_name", 
+    "name", 
+    "nickname", 
+    "phone_number", 
+    "phone_number_verified", 
+    "picture", 
+    "preferred_username", 
+    "profile", 
+    "updated_at", 
+    "website", 
+    "zoneinfo"
+  ]
+  refresh_token_validity                        = 30
+  supported_identity_providers                  = [
+    "COGNITO", 
+    "Google"
+  ]
+  user_pool_id                                  = aws_cognito_user_pool.homeuniteus.id
+  write_attributes                              = [
+    "address", 
+    "birthdate", 
+    "email", 
+    "family_name", 
+    "gender", 
+    "given_name", 
+    "locale", 
+    "middle_name", 
+    "name", 
+    "nickname", 
+    "phone_number", 
+    "picture", 
+    "preferred_username", 
+    "profile", 
+    "updated_at", 
+    "website", 
+    "zoneinfo"
+  ]
+  token_validity_units {
+    access_token  = "minutes"
+    id_token      = "minutes"
+    refresh_token = "days"
+  }
 }