From 53980c4673135568035bfded57e290327dec6be8 Mon Sep 17 00:00:00 2001
From: tylerthome
Date: Tue, 8 Oct 2024 02:19:45 -0700
Subject: [PATCH] user pool rbac for admin

---
 terraform-incubator/home-unite-us/dev/iam.tf | 71 ++++++++++++++
 terraform-incubator/home-unite-us/dev/main.tf | 92 ++++++++++++++++++-
 2 files changed, 162 insertions(+), 1 deletion(-)

diff --git a/terraform-incubator/home-unite-us/dev/iam.tf b/terraform-incubator/home-unite-us/dev/iam.tf
index afbf320..6c039ab 100644
--- a/terraform-incubator/home-unite-us/dev/iam.tf
+++ b/terraform-incubator/home-unite-us/dev/iam.tf
@@ -52,6 +52,77 @@ resource "aws_iam_policy" "homeuniteus_manage_ecr" {
 "ecr:PutImage"
 ],
 Resource = aws_ecr_repository.this.arn
+ },
+ {
+ Sid = "ManageHomeUniteUsCognito",
+ Effect = "Allow",
+ Action = [
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:GetRepositoryPolicy",
+ "ecr:DescribeRepositories",
+ "ecr:ListImages",
+ "ecr:DescribeImages",
+ "ecr:BatchGetImage",
+ "ecr:InitiateLayerUpload",
+ "ecr:UploadLayerPart",
+ "ecr:CompleteLayerUpload",
+ "ecr:PutImage"
+ ],
+ Resource = aws_ecr_repository.this.arn
+ },
+ {
+ Effect = "Allow",
+ Action = [
+ "cognito-identity:*",
+ "cognito-idp:*",
+ "cognito-sync:*",
+ "iam:ListRoles",
+ "iam:ListOpenIdConnectProviders",
+ "iam:GetRole",
+ "iam:ListSAMLProviders",
+ "iam:GetSAMLProvider",
+ "kinesis:ListStreams",
+ "lambda:GetPolicy",
+ "lambda:ListFunctions",
+ "sns:GetSMSSandboxAccountStatus",
+ "sns:ListPlatformApplications",
+ "ses:ListIdentities",
+ "ses:GetIdentityVerificationAttributes",
+ "mobiletargeting:GetApps",
+ "acm:ListCertificates"
+ ],
+ Resource = [
+ aws_cognito_user_pool.homeuniteus.arn,
+ aws_cognito_user_pool_client.homeuniteus.arn
+ ]
+ },
+ {
+ Effect = "Allow",
+ Action = "iam:CreateServiceLinkedRole",
+ Resource = [
+ aws_cognito_user_pool.homeuniteus.arn,
+ aws_cognito_user_pool_client.homeuniteus.arn
+ ],
+ Condition = {
+ StringEquals = {
+ "iam:AWSServiceName" = [
+ "cognito-idp.amazonaws.com",
+ "email.cognito-idp.amazonaws.com"
+ ]
+ }
+ }
+ },
+ {
+ Effect = "Allow",
+ Action = [
+ "iam:DeleteServiceLinkedRole",
+ "iam:GetServiceLinkedRoleDeletionStatus"
+ ],
+ Resource = [
+ "arn:aws:iam::*:role/aws-service-role/cognito-idp.amazonaws.com/AWSServiceRoleForAmazonCognitoIdp*",
+ "arn:aws:iam::*:role/aws-service-role/email.cognito-idp.amazonaws.com/AWSServiceRoleForAmazonCognitoIdpEmail*"
+ ]
 }
 # ,
 # {
diff --git a/terraform-incubator/home-unite-us/dev/main.tf b/terraform-incubator/home-unite-us/dev/main.tf
index 278a3a1..5616735 100644
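Review bot: The first added statement, `Sid = "ManageHomeUniteUsCognito"`, is a verbatim copy of the ECR statement directly above it (the same eleven `ecr:` actions on `aws_ecr_repository.this.arn`), so it grants nothing new and mislabels itself, while the statement that actually carries the Cognito actions has no Sid at all; drop the duplicate and move the Sid down. In that Cognito statement the Resource list pairs the user-pool ARN with `aws_cognito_user_pool_client.homeuniteus.arn`, but as far as I know the provider's user_pool_client resource exposes no `arn` attribute (user pool clients are not IAM-addressable resources), so `terraform plan` should fail on an unsupported attribute here. Scoping `iam:ListRoles`, `iam:GetRole`, `kinesis:ListStreams`, `lambda:ListFunctions` and the `sns:`/`ses:`/`mobiletargeting:`/`acm:` lookups — and `cognito-identity:*`/`cognito-sync:*` — to a `cognito-idp:userpool` ARN also grants nothing, because those actions are never evaluated against that resource type; the console lookups belong in their own read-only statement with `Resource = "*"`. Likewise `iam:CreateServiceLinkedRole` is evaluated against the service-linked role ARN, so its Resource should be the two `arn:aws:iam::*:role/aws-service-role/...` patterns the Delete statement already uses rather than the user-pool ARNs. A sketch of the corrected statements follows; the enclosing `aws_iam_policy` block starts before the hunk.
```hcl
# … unchanged: existing ECR statement …
{
  Sid    = "ManageHomeUniteUsCognito",
  Effect = "Allow",
  Action = [
    "cognito-idp:*"
    # cognito-identity / cognito-sync act on identity-pool resources, not this user pool;
    # add them back scoped to those resources only if they are actually needed
  ],
  Resource = aws_cognito_user_pool.homeuniteus.arn
},
{
  Sid    = "CognitoConsoleReadOnlyLookups",
  Effect = "Allow",
  Action = [
    "iam:ListRoles",
    # … unchanged: remaining iam/kinesis/lambda/sns/ses/mobiletargeting/acm List*/Get* actions …
    "acm:ListCertificates"
  ],
  Resource = "*"
},
{
  Effect = "Allow",
  Action = "iam:CreateServiceLinkedRole",
  Resource = [
    "arn:aws:iam::*:role/aws-service-role/cognito-idp.amazonaws.com/AWSServiceRoleForAmazonCognitoIdp*",
    "arn:aws:iam::*:role/aws-service-role/email.cognito-idp.amazonaws.com/AWSServiceRoleForAmazonCognitoIdpEmail*"
  ],
  # … unchanged: Condition block on iam:AWSServiceName …
},
# … unchanged: DeleteServiceLinkedRole statement …
```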
--- a/terraform-incubator/home-unite-us/dev/main.tf
+++ b/terraform-incubator/home-unite-us/dev/main.tf
@@ -105,7 +105,7 @@ resource "aws_iam_role" "cognito_idp" {
 })
 }
 
-resource "aws_iam_role_policy" "main" {
+resource "aws_iam_role_policy" "cognito_sns" {
 name = "homeuniteus-cognito-idp"
 role = aws_iam_role.cognito_idp.id
 
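Review bot: Renaming the address from `aws_iam_role_policy.main` to `aws_iam_role_policy.cognito_sns` without a state move makes Terraform plan a destroy of the existing inline policy and a create of the new one, so the `cognito_idp` role briefly has no policy attached during apply even though `name` and `role` are unchanged. Add a `moved` block next to the resource with `from = aws_iam_role_policy.main` and `to = aws_iam_role_policy.cognito_sns` (Terraform 1.1+), or run `terraform state mv` on the same pair before applying. The resource body continues past the end of the hunk.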
@@ -184,4 +184,94 @@ resource "aws_cognito_user_pool" "homeuniteus" {
 verification_message_template {
 default_email_option = "CONFIRM_WITH_CODE"
 }
+}
+
+resource "aws_cognito_user_pool_client" "homeuniteus" {
+ access_token_validity = 30
+ allowed_oauth_flows = ["code"]
+ allowed_oauth_flows_user_pool_client = true
+ allowed_oauth_scopes = [
+ "aws.cognito.signin.user.admin",
+ "email",
+ "openid",
+ "phone",
+ "profile"
+ ]
+ auth_session_validity = 3
+ callback_urls = [
+ "http://localhost:4040/signin",
+ "http://localhost:4040/signup",
+ "http://localhost:4040/signup/coordinator",
+ "http://localhost:4040/signup/host",
+ "https://dev.homeunite.us/signin",
+ "https://dev.homeunite.us/signup",
+ "https://dev.homeunite.us/signup/coordinator",
+ "https://dev.homeunite.us/signup/host"
+ ]
+ default_redirect_uri = null
+ enable_propagate_additional_user_context_data = false
+ enable_token_revocation = true
+ explicit_auth_flows = [
+ "ALLOW_ADMIN_USER_PASSWORD_AUTH",
+ "ALLOW_CUSTOM_AUTH",
+ "ALLOW_REFRESH_TOKEN_AUTH",
+ "ALLOW_USER_PASSWORD_AUTH",
+ "ALLOW_USER_SRP_AUTH"
+ ]
+ generate_secret = null
+ id_token_validity = 60
+ logout_urls = []
+ name = "homeuniteus"
+ prevent_user_existence_errors = "ENABLED"
+ read_attributes = [
+ "address",
+ "birthdate",
+ "email",
+ "email_verified",
+ "family_name",
+ "gender",
+ "given_name",
+ "locale",
+ "middle_name",
+ "name",
+ "nickname",
+ "phone_number",
+ "phone_number_verified",
+ "picture",
+ "preferred_username",
+ "profile",
+ "updated_at",
+ "website",
+ "zoneinfo"
+ ]
+ refresh_token_validity = 30
+ supported_identity_providers = [
+ "COGNITO",
+ "Google"
+ ]
+ user_pool_id = aws_cognito_user_pool.homeuniteus.id
+ write_attributes = [
+ "address",
+ "birthdate",
+ "email",
+ "family_name",
+ "gender",
+ "given_name",
+ "locale",
+ "middle_name",
+ "name",
+ "nickname",
+ "phone_number",
+ "picture",
+ "preferred_username",
+ "profile",
+ "updated_at",
+ "website",
+ "zoneinfo"
+ ]
+ token_validity_units {
+ access_token = "minutes"
+ id_token = "minutes"
+ refresh_token = "days"
+ }
 }
\ No newline at end of file
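Review bot: `explicit_auth_flows` enables `ALLOW_USER_PASSWORD_AUTH` alongside `ALLOW_USER_SRP_AUTH`; with SRP available, the USER_PASSWORD flow only adds a path in which the client submits the password itself, so remove it unless a specific client is known to need it (`ALLOW_ADMIN_USER_PASSWORD_AUTH` is the server-side flow the admin RBAC in this commit presumably relies on, and can stay). `supported_identity_providers` names `"Google"` as a literal string, which gives Terraform no dependency edge to the `aws_cognito_identity_provider` that must exist with that provider_name; reference it as `aws_cognito_identity_provider.<google_idp_resource>.provider_name` or add a `depends_on` so the client is not created before the IdP. `logout_urls = []` combined with the hosted-UI `code` flow leaves the `/logout` endpoint with no permitted redirect target, so hosted-UI sign-out with a redirect is likely rejected; if that is intentional, a short `# no hosted-UI logout redirect; sign-out is handled client-side` comment would save the next reader the check.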