Merge pull request #31 from NHSDigital/aiva2/CCM-5950_CognitoCustomAuth
Aiva2/ccm 5950 cognito custom auth
aidenvaines-bjss authored Aug 16, 2024
2 parents bddd4f9 + e545746 commit 2da6efc
Showing 11 changed files with 94 additions and 7 deletions.
3 changes: 3 additions & 0 deletions infrastructure/terraform/.gitignore
Expand Up @@ -14,6 +14,9 @@ components/**/backend_tfscaffold.tf
**/work/*
**/*tfstate.lock.info

# NHS Notify Build context
bootstrap

# Scaffold Plugin Cache
plugin-cache/*

@@ -0,0 +1,8 @@
# Record to support Cognito Hosted UIs per https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html
resource "aws_route53_record" "root" {
name = ""
zone_id = aws_route53_zone.main.id
type = "A"
ttl = 300
records = ["127.0.0.1"]
}
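Review bot: `name = ""` with `records = ["127.0.0.1"]` creates a zone-apex A record that resolves to loopback, and Route 53 permits only one A or ALIAS set per name, so any later need for a real apex record (an ALIAS to a load balancer, CDN or Amplify domain) requires removing this one first. The comment links the Cognito parent-domain requirement but does not say the value is a placeholder; one line would make that explicit, e.g. `# Placeholder only: Route 53 allows one A/ALIAS set per name, so replace this if the apex ever needs a real record`. The file name for this section is not shown on the page, so I cannot tell which component owns `aws_route53_zone.main`; the same placeholder pattern is repeated for `local.root_domain_name` later in this commit.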
16 changes: 16 additions & 0 deletions infrastructure/terraform/components/iam/acm_certificate_cognito.tf
@@ -0,0 +1,16 @@
resource "aws_acm_certificate" "cognito" {
provider = aws.us-east-1

domain_name = local.auth_domain_name
validation_method = "DNS"

lifecycle {
create_before_destroy = true
}
}

resource "aws_acm_certificate_validation" "cognito" {
provider = aws.us-east-1

certificate_arn = aws_acm_certificate.cognito.arn
}
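Review bot: `aws_acm_certificate_validation.cognito` at the bottom of the hunk does not reference the DNS validation records, so Terraform will begin polling for issuance as soon as the certificate is requested and can time out before the validation CNAMEs are published. Passing the record FQDNs makes the dependency explicit: `validation_record_fqdns = [for r in aws_route53_record.cognito_acm_validation : r.fqdn]` (that record resource is added elsewhere in this commit). Requesting the certificate through the us-east-1 provider is correct, since Cognito custom domains require the certificate in that region; a short comment saying so would save the next reader from "fixing" the provider alias.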
10 changes: 5 additions & 5 deletions infrastructure/terraform/components/iam/amplify_app.tf
Expand Up @@ -15,10 +15,10 @@ resource "aws_amplify_app" "main" {
]

environment_variables = {
USER_POOL_ID = aws_cognito_user_pool.main.id
# HOSTED_LOGIN_DOMAIN = "auth.${local.root_domain_name}"
NOTIFY_GROUP = var.group
NOTIFY_ENVIRONMENT = var.environment
NOTIFY_DOMAIN_NAME = local.root_domain_name
USER_POOL_ID = aws_cognito_user_pool.main.id
HOSTED_LOGIN_DOMAIN = local.auth_domain_name
NOTIFY_GROUP = var.group
NOTIFY_ENVIRONMENT = var.environment
NOTIFY_DOMAIN_NAME = local.root_domain_name
}
}
Expand Up @@ -5,8 +5,8 @@ resource "aws_cognito_user_pool_client" "main" {
callback_urls = flatten([
var.cognito_user_pool_additional_callback_urls,
[
"https://${local.csi}.${local.acct.dns_zone["name"]}/auth/",
"https://${local.csi}.${aws_amplify_app.main.id}.amplifyapp.com/auth/"
"https://${var.environment}.${local.acct.dns_zone["name"]}/auth/",
"https://${aws_amplify_app.main.default_domain}/auth/"
]
])

Expand Up @@ -2,3 +2,11 @@ resource "aws_cognito_user_pool_domain" "main" {
user_pool_id = aws_cognito_user_pool.main.id
domain = local.csi
}

resource "aws_cognito_user_pool_domain" "custom" {
user_pool_id = aws_cognito_user_pool.main.id
certificate_arn = aws_acm_certificate.cognito.arn
domain = local.auth_domain_name

depends_on = [aws_route53_record.root]
}
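Review bot: `certificate_arn = aws_acm_certificate.cognito.arn` on the new `custom` domain binds to the certificate as soon as it is requested rather than after it is issued, and Cognito rejects a custom domain whose certificate is still pending validation, so a fresh apply can fail on ordering. Referencing the validation resource instead makes the wait explicit: `certificate_arn = aws_acm_certificate_validation.cognito.certificate_arn`. The `depends_on = [aws_route53_record.root]` is the right idea, since Cognito checks that the parent domain resolves before it will create the custom domain; a one-line comment stating that reason would keep someone from removing it as redundant.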
1 change: 1 addition & 0 deletions infrastructure/terraform/components/iam/locals.tf
@@ -1,3 +1,4 @@
locals {
root_domain_name = "${var.environment}.${local.acct.dns_zone["name"]}"
auth_domain_name = "auth.${local.root_domain_name}"
}
25 changes: 25 additions & 0 deletions infrastructure/terraform/components/iam/route53_record_cognito.tf
@@ -0,0 +1,25 @@
resource "aws_route53_record" "cognito_alias" {
name = aws_cognito_user_pool_domain.custom.domain
zone_id = local.acct.dns_zone["id"]
type = "A"

alias {
evaluate_target_health = false

name = aws_cognito_user_pool_domain.main.cloudfront_distribution
zone_id = aws_cognito_user_pool_domain.main.cloudfront_distribution_zone_id
}
}

resource "aws_route53_record" "cognito_ipv6_alias" {
name = aws_cognito_user_pool_domain.custom.domain
zone_id = local.acct.dns_zone["id"]
type = "AAAA"

alias {
evaluate_target_health = false

name = aws_cognito_user_pool_domain.main.cloudfront_distribution
zone_id = aws_cognito_user_pool_domain.main.cloudfront_distribution_zone_id
}
}
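Review bot: Both alias records take their `name` from `aws_cognito_user_pool_domain.custom` but their alias target (`name` and `zone_id` inside each `alias` block) from `aws_cognito_user_pool_domain.main`, the prefix domain. The CloudFront distribution that serves the custom hostname belongs to the `custom` resource, so unless the two domains share a distribution, which I would not expect, these records point `auth.<root>` at the wrong target. Change both records to `name = aws_cognito_user_pool_domain.custom.cloudfront_distribution` and `zone_id = aws_cognito_user_pool_domain.custom.cloudfront_distribution_zone_id`. `evaluate_target_health = false` is appropriate here, as CloudFront alias targets do not support health evaluation.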
@@ -0,0 +1,17 @@
resource "aws_route53_record" "cognito_acm_validation" {
for_each = {
for dvo in aws_acm_certificate.cognito.domain_validation_options :
dvo.domain_name => {
name = dvo.resource_record_name
record = dvo.resource_record_value
type = dvo.resource_record_type
}
}

allow_overwrite = true
name = each.value.name
records = [each.value.record]
type = each.value.type
zone_id = local.acct.dns_zone["id"]
ttl = 60
}
@@ -0,0 +1,8 @@
# Record to support Cognito Hosted UIs per https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html
resource "aws_route53_record" "root" {
name = local.root_domain_name
zone_id = local.acct.dns_zone["id"]
type = "A"
ttl = 300
records = ["127.0.0.1"]
}
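Review bot: This A record occupies `local.root_domain_name`, the same host that the user pool client's first callback URL (`https://${var.environment}.${local.acct.dns_zone["name"]}/auth/`) uses elsewhere in this commit, so as written that callback host publicly resolves to 127.0.0.1. If the application is meant to be served at that name by another record, for example an alias managed through Amplify, a plain A record with the same name will conflict with it; if not, the callback entry is dead. The linked comment explains the Cognito parent-domain requirement but not that the value is a placeholder; add e.g. `# Placeholder so the parent of auth.<root> resolves; replace if <root> ever gets a real A/ALIAS record`, and confirm nothing else in the account manages this name.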
1 change: 1 addition & 0 deletions infrastructure/terraform/etc/.gitignore
@@ -0,0 +1 @@
*.tfvars
