A Terraform module for deploying and managing Cognito User Pools on Amazon Web Services (AWS).
This module supports Terraform v0.14, v0.13 as well as v0.12.20 and above and is compatible with the terraform AWS provider v3 as well as v2.54 and above.
We, Mineiros, offer professional support for this module.
- Module Features
- Getting Started
- Module Argument Reference
- Module Attributes Reference
- External Documentation
- Module Versioning
- About Mineiros
- Reporting Issues
- Contributing
- Makefile Targets
- License
In contrast to the plain cognito_user_pool
resource this module has a more secure level of default settings.
While all settings can be customized as needed, best practices are pre-configured.
- Default Security Settings:
Per default, only administrators are allowed to create user profiles by
setting
allow_admin_create_user_only
totrue
. This module comes with a strong default password policy.
Standard Cognito Features: Create a Cognito User Pool with pre-configured best practices. Create Cognito User Pool Clients. Create a Cognito User Pool Domain.
- Features not yet implemented:
cognito_user_group
cognito_resource_server
Most basic usage just setting required arguments:
module "terraform-aws-cognito-user-pool" {
source = "mineiros-io/cognito-user-pool/aws"
version = "~> 0.4.0"
name = "application-userpool"
}
Advanced usage as found in examples/complete/main.tf setting all required and optional arguments to their default values.
See variables.tf and examples/ for details and use-cases.
-
module_enabled
: (Optionalbool
)Specifies whether resources in the module will be created. Default is
true
. -
module_depends_on
: (Optionallist(any)
)A list of dependencies. Any object can be assigned to this list to define a hidden external dependency. Default is
[]
.
-
name
: (Requiredstring
, Forces new resource)The name of the user pool.
-
advanced_security_mode
: (Optionalstring
)The mode for advanced security, must be one of
OFF
,AUDIT
orENFORCED
. Additional pricing applies for Amazon Cognito advanced security features. For details see https://aws.amazon.com/cognito/pricing/. Default isOFF
. -
alias_attributes
: (Optionalset(string)
)Attributes supported as an alias for this user pool. Possible values:
phone_number
,email
, orpreferred_username
. Conflicts withusername_attributes
. Default is["email", "preferred_username",]
ifusername_attributes
is not set. -
username_attributes
: (Optionalset(string)
)Specifies whether
email
addresse orphone_number
can be specified as usernames when a user signs up. Conflicts withalias_attributes
. Default is to usealias_attributes
. -
allow_admin_create_user_only
: (Optionalbool
)Set to True if only the administrator is allowed to create user profiles. Set to False if users can sign themselves up via an app. Default is
true
. -
invite_email_subject
: (Optionalstring
)The message template for email messages. Default is
"Your verification code"
. -
invite_email_message
: (Optionalstring
)The message template for email messages. Must contain
{username}
and{####}
placeholders, for username and temporary password, respectively. Default is"Your username is {username} and your temporary password is '{####}'"
. -
invite_sms_message
: (Optionalstring
)The message template for SMS messages. Must contain
{username}
and{####}
placeholders, for username and temporary password, respectively. Default is"Your username is {username} and your temporary password is '{####}'."
. -
auto_verified_attributes
: (Optionalset(string)
)The attributes to be auto-verified. Possible values:
email
,phone_number
. Default is["email"]
. -
user_device_tracking
: (Optionalstring
)Configure tracking of user devices. Set to
OFF
to disable tracking,ALWAYS
to track all devices orUSER_OPT_IN
to only track when user opts in. Default isUSER_OPT_IN
. -
challenge_required_on_new_device
: (Optionalbool
) Indicates whether a challenge is required on a new device. Only applicable to a new device. Only applied whenuser_device_tracking
in enabled. Default istrue
. -
enable_username_case_sensitivity
: (Optionalbool
)Specifies whether username case sensitivity will be applied to all users in the user pool through Cognito APIs. Default is
false
. -
email_sending_account
: (Optionalstring
)The email delivery method to use.
COGNITO_DEFAULT
for the default email functionality built into Cognito orDEVELOPER
to use your Amazon SES configuration. Default is"COGNITO_DEFAULT"
. -
email_reply_to_address
: (Optionalstring
)The REPLY-TO email address. Default is
null
. -
email_source_arn
: (Optionalstring
)The ARN of the email source. Default is
null
.
-
email_from_address
: (Optionalstring
)Sender’s email address or sender’s name with their email address (e.g. 'john@smith.com' or 'John Smith john@smith.com'). Default is
null
.
-
mfa_configuration
: (Optionalstring
)Multi-Factor Authentication (MFA) configuration for the User Pool. Valid values:
ON
,OFF
orOPTIONAL
.ON
andOPTIONAL
require at least one ofsms_configuration
orsoftware_token_mfa_configuration
to be configured. Default is"OPTIONAL"
. -
password_minimum_length
: (Optionalnumber
)The minimum length of the password policy that you have set. Default is
20
. -
password_require_lowercase
: (Optionalbool
)Whether you have required users to use at least one lowercase letter in their password. Default is
true
. -
password_require_numbers
: (Optionalbool
)Whether you have required users to use at least one number in their password. Default is
true
. -
password_require_symbols
: (Optionalbool
)Whether you have required users to use at least one symbol in their password. Default is
true
. -
password_require_uppercase
: (Optionalbool
)Whether you have required users to use at least one uppercase letter in their password. Default is
true
. -
temporary_password_validity_days
: (Optionalnumber
)In the password policy you have set, refers to the number of days a temporary password is valid. If the user does not sign in during this time, their password will need to be reset by an administrator. Default is
1
. -
allow_software_mfa_token
: (Optionalbool
)Boolean whether to enable software token Multi-Factor Authentication (MFA) tokens, such as Time-Based One-Time Password (TOTP). To disable software token MFA when
sms_configuration
is not present, themfa_configuration
argument must be set toOFF
and thesoftware_token_mfa_configuration
configuration block must be fully removed. Default istrue
. -
sms_authentication_message
: (Optionalstring
)A string representing the SMS authentication message. The message must contain the
{####}
placeholder, which will be replaced with the authentication code. Default is"Your temporary password is {####}."
. -
lambda_create_auth_challenge
: (Optionalstring
)The ARN of an AWS Lambda creating an authentication challenge. Default is
null
. -
lambda_custom_message
: (Optionalstring
)The ARN of a custom message AWS Lambda trigger. Default is
null
. -
lambda_define_auth_challenge
: (Optionalstring
)The ARN of an AWS Lambda that defines the authentication challenge. Default is
null
. -
lambda_post_authentication
: (Optionalstring
)The ARN of an AWS Lambda that defines the authentication challenge. Default is
null
. -
lambda_post_confirmation
: (Optionalstring
)The ARN of a post-confirmation AWS Lambda trigger. Default is
null
. -
lambda_pre_authentication
: (Optionalstring
)The ARN of a pre-authentication AWS Lambda trigger. Default is
null
. -
lambda_pre_sign_up
: (Optionalstring
)The ARN of a pre-registration AWS Lambda trigger. Default is
null
. -
lambda_pre_token_generation
: (Optionalstring
)The ARN of an AWS Lambda that allows customization of identity token claims before token generation. Default is
null
. -
lambda_user_migration
: (Optionalstring
)The ARN of he user migration AWS Lambda config type. Default is
null
. -
lambda_verify_auth_challenge_response
: (Optionalstring
)The ARN of an AWS Lambda that verifies the authentication challenge response. Default is
true
. -
schema_attributes
: (Optionalany
)A list of schema attributes of a user pool. You can add a maximum um 25 custom attributes. Please note that only default attributes can be marked as required. Also an attribute cannot be switched between required and not required after a user pool has been created. For details please see the attributes docs. Default is
[]
.Example:
schema_attributes = [ { name = "gender", # overwrites the default attribute 'gender' type = "String" required = true # required can only be set for default attributes }, { name = "alternative_name" type = "String" min_length = 0, max_length = 2048 }, { name = "friends_count" type = "Number" min_value = 0, max_value = 100 }, { name = "is_active" type = "Boolean" }, { name = "last_seen" type = "DateTime" } ]
-
sms_configuration
: (Optionalobject({external_id = string, sns_caller_arn = string})
)The
sms_configuration
with theexternal_id
parameter used in IAM role trust relationships and thesns_caller_arn
parameter to set the ARN of the Amazon SNS caller. This is usually the IAM role that you have given AWS Cognito permission to assume. Default isnull
. -
default_email_option
: (Optionalstring
)The default email option. Must be either
CONFIRM_WITH_CODE
orCONFIRM_WITH_LINK
. Default is"CONFIRM_WITH_CODE"
. -
email_message
: (Optionalstring
)The email message template. Must contain the
{####}
placeholder. Default is"Your verification code is {####}."
. -
email_message_by_link
: (Optionalstring
)The email message template for sending a confirmation link to the user, it must contain the
{##Click Here##}
placeholder. Default is"Please click the link below to verify your email address. {##Verify Email##}."
. -
email_subject
: (Optionalstring
)The subject line for the email message template. Default is
"Your Verification Code"
. -
email_subject_by_link
: (Optionalstring
)The subject line for the email message template for sending a confirmation link to the user. Default is
"Your Verifiction Link"
. -
sms_message
: (Optionalstring
)The SMS message template. Must contain the
{####}
placeholder, which will be replaced with the verification code. Can also contain the{username}
placeholder which will be replaced with the username. Default is"Your verification code is {####}."
. -
tags
: (Optionalmap(string)
)A mapping of tags to assign to the resource. Default is
{}
.Example:
tags = { CreatedAt = "2020-02-07", Alice = "Bob" }
-
domain
: (Optionalstring
)The domain name that should be used. Can be set to a FQDN or prefix. If no FQDN and
certificate_arn
are set, the domain prefix will be used for the sign-up and sign-in pages that are hosted by Amazon Cognito, e.g.https://{YOUR_PREFIX}.auth.eu-west-1.amazoncognito.com
. The prefix must be unique across the selected AWS Region. Domain names can only contain lower-case letters, numbers, and hyphens.Default is not to use a custom domain.
-
certificate_arn
: (Optionalstring
)The ARN of an ISSUED ACM certificate in us-east-1 for a custom domain. Default is not to use a custom domain.
-
clients
: (Optionallist(client)
)A list of objects with the clients definitions. Default is
[]
.Example:
A list of clients that follow the normal schema defined by the provider. For details please see Terraform AWS Cognito User Pool Client Docs.
clients = [ { name = "android-mobile-client" read_attributes = ["email", "email_verified", "preferred_username"] allowed_oauth_scopes = ["email", "openid"] allowed_oauth_flows = ["implicit"] callback_urls = ["https://mineiros.io/callback", "https://mineiros.io/anothercallback"] default_redirect_uri = "https://mineiros.io/callback" generate_secret = true } ]
The following variables can be used for setting default settings among various clients defined through the clients
variable. This helps you to quickly issue several clients that implement the same settings, e.g. like so:
clients = [
{ name = "ios" },
{ name = "android" },
{ name = "web" },
]
default_client_read_attributes = ["email", "email_verified", "preferred_username"]
default_client_allowed_oauth_scopes = ["email", "openid"]
default_client_allowed_oauth_flows = ["implicit"]
default_client_callback_urls = ["https://mineiros.io/callback", "https://mineiros.io/anothercallback"]
default_client_default_redirect_uri = "https://mineiros.io/callback"
default_client_generate_secret = true
default_client_refresh_token_validity = 45
default_client_supported_identity_providers = null
default_client_logout_urls = null
default_client_allowed_oauth_flows_user_pool_client = null
default_client_write_attributes = null
default_client_explicit_auth_flows = null
default_client_prevent_user_existence_errors = null
-
default_client_callback_urls
: (Optionallist(string)
)List of allowed callback URLs for the identity providers.
-
default_client_default_redirect_uri
: (Optionalstring
)The default redirect URI. Must be in the list of callback URLs.
-
default_client_read_attributes
: (Optionallist(string)
)List of Cognito User Pool attributes the application client can read from.
-
default_client_refresh_token_validity
: (Optionalnumber
)The time limit in days refresh tokens are valid for.
-
default_client_supported_identity_providers
: (Optionallist(string)
)List of provider names for the identity providers that are supported on this client.
-
default_client_allowed_oauth_scopes
: (Optionallist(string)
)List of allowed OAuth scopes. Possible values are
phone
,email
,openid
,profile
, andaws.cognito.signin.user.admin
. -
default_client_logout_urls
: (Optionallist(string)
)List of allowed logout URLs for the identity providers.
-
default_client_allowed_oauth_flows_user_pool_client
: (Optionalbool
)Whether the client is allowed to follow the OAuth protocol when interacting with Cognito User Pools.
-
default_client_generate_secret
: (Optionalbool
)Boolean flag for generating an application secret.
-
default_client_allowed_oauth_flows
: (Optionallist(string)
)List of allowed OAuth flows. Possible flows are
code
,implicit
, andclient_credentials
. -
default_client_write_attributes
: (Optionallist(string)
)List of Cognito User Pool attributes the application client can write to.
-
default_client_explicit_auth_flows
: (Optionallist(string)
)List of authentication flows. Possible values are
ADMIN_NO_SRP_AUTH
,CUSTOM_AUTH_FLOW_ONLY
,USER_PASSWORD_AUTH
,ALLOW_ADMIN_USER_PASSWORD_AUTH
,ALLOW_CUSTOM_AUTH
,ALLOW_USER_PASSWORD_AUTH
,ALLOW_USER_SRP_AUTH
, andALLOW_REFRESH_TOKEN_AUTH
. -
default_client_prevent_user_existence_errors
: (Optionalstring
)Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the Cognito User Pool. When set to
ENABLED
and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set toLEGACY
, those APIs will return aUserNotFoundException
exception if the user does not exist in the Cognito User Pool.
The following attributes are exported by the module:
user_pool
: Thecognito_user_pool
object.clients
: A map ofcognito_user_pool_client
objects. The map is keyed by thename
of the created clients. Client secrets are filtered out of this map and are available through theclient_secrets
output variable and flagged as sensitive.client_secrets
: A sensitive map of client secrets for all createdcognito_user_pool_client
resources. The map is keyed by thename
of the created clients.
- AWS Documentation:
- Terraform AWS Provider Documentation:
This Module follows the principles of Semantic Versioning (SemVer).
Given a version number MAJOR.MINOR.PATCH
, we increment the:
MAJOR
version when we make incompatible changes,MINOR
version when we add functionality in a backwards compatible manner, andPATCH
version when we make backwards compatible bug fixes.
- Backwards compatibility in versions
0.0.z
is not guaranteed whenz
is increased. (Initial development) - Backwards compatibility in versions
0.y.z
is not guaranteed wheny
is increased. (Pre-release)
Mineiros is a remote-first company headquartered in Berlin, Germany that solves development, automation and security challenges in cloud infrastructure.
Our vision is to massively reduce time and overhead for teams to manage and deploy production-grade and secure cloud infrastructure.
We offer commercial support for all of our modules and encourage you to reach out if you have any questions or need help. Feel free to email us at hello@mineiros.io or join our Community Slack channel.
We use GitHub Issues to track community reported issues and missing features.
Contributions are always encouraged and welcome! For the process of accepting changes, we use Pull Requests. If you'd like more information, please see our Contribution Guidelines.
This repository comes with a handy Makefile.
Run make help
to see details on each available target.
This module is licensed under the Apache License Version 2.0, January 2004. Please see LICENSE for full details.
Copyright © 2020 Mineiros GmbH