Merge pull request #45 from lgallard/feature/access_token_validity

Feature/access token validity

CHANGELOG.md

@@ -1,59 +1,66 @@
-## 0.9.4  (February 14, 2021)
+## 0.10.0 (April 10, 2021)
+
+ENHANCEMENTS:
+
+* Add support for `access_token_validity`, `id_token_validity` and `token_validity_units`
+* Update complete example with `access_token_validity`, `id_token_validity` and `token_validity_units`
+
+## 0.9.4 (February 14, 2021)
 
 FIX:
 
 * Update README to include schema changes know issue
 
-## 0.9.3  (January 27, 2021)
+## 0.9.3 (January 27, 2021)
 
 ENHANCEMENTS:
 
 * Update description for `enabled` variable
 
 
-## 0.9.2  (January 27, 2021)
+## 0.9.2 (January 27, 2021)
 
 ENHANCEMENTS:
 
 * Update conditional creation example
 
-## 0.9.1  (January 27, 2021)
+## 0.9.1 (January 27, 2021)
 
 FIX:
 
 * Set default value for enable variable to `true`
 
-## 0.9.0  (January 24, 2021)
+## 0.9.0 (January 24, 2021)
 
 ENHANCEMENTS:
 
 * Support conditional creation (thanks @Necromancerx)
 
-## 0.8.0  (December 28, 2020)
+## 0.8.0 (December 28, 2020)
 
 ENHANCEMENTS:
 
 * Add support for support `account_recovery_setting`
 
-## 0.7.1  (December 11, 2020)
+## 0.7.1 (December 11, 2020)
 
 FIX:
 
 * Ignore schema changes and prevent pool destruction
 
-## 0.7.0  (November 25, 2020)
+## 0.7.0 (November 25, 2020)
 
 ENHANCEMENTS:
 
 * Add `from_email_address`
 
-## 0.6.2  (August 13, 2020)
+## 0.6.2 (August 13, 2020)
 
 FIXES:
 
 * Update CHANGELOG
 
-## 0.6.1  (August 13, 2020)
+## 0.6.1 (August 13, 2020)
 
 ENHANCEMENTS:
 
@@ -68,7 +75,7 @@ UPDATES:
 
 * Updated README and examples
 
-## 0.5.0  (July 31, 2020)
+## 0.5.0 (July 31, 2020)
 
 FIXES:
 
@@ -81,7 +88,7 @@ ENHANCEMENTS:
 
 * Add support for `software_token_mfa_configuration`
 
-## 0.3.3  (April 24, 2020)
+## 0.3.3 (April 24, 2020)
 
 FIXES:
 

README.md

@@ -133,7 +133,6 @@ module "aws_cognito_user_pool_complete" {
   }
 
 ```
-
 ## Requirements
 
 | Name | Version |
@@ -147,6 +146,20 @@ module "aws_cognito_user_pool_complete" {
 |------|---------|
 | aws | >= 2.54.0 |
 
+## Modules
+
+No Modules.
+
+## Resources
+
+| Name |
+|------|
+| [aws_cognito_resource_server](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_resource_server) |
+| [aws_cognito_user_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_group) |
+| [aws_cognito_user_pool](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool) |
+| [aws_cognito_user_pool_client](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool_client) |
+| [aws_cognito_user_pool_domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool_domain) |
+
 ## Inputs
 
 | Name | Description | Type | Default | Required |
@@ -158,21 +171,24 @@ module "aws_cognito_user_pool_complete" {
 | admin\_create\_user\_config\_sms\_message | - The message template for SMS messages. Must contain `{username}` and `{####}` placeholders, for username and temporary password, respectively | `string` | `"Your username is {username} and temporary password is `{####}`"` | no |
 | alias\_attributes | Attributes supported as an alias for this user pool. Possible values: phone\_number, email, or preferred\_username. Conflicts with `username_attributes` | `list` | `null` | no |
 | auto\_verified\_attributes | The attributes to be auto-verified. Possible values: email, phone\_number | `list` | `[]` | no |
+| client\_access\_token\_validity | Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. This value will be overridden if you have entered a value in `token_validity_units`. | `number` | `60` | no |
 | client\_allowed\_oauth\_flows | The name of the application client | `list` | `[]` | no |
 | client\_allowed\_oauth\_flows\_user\_pool\_client | Whether the client is allowed to follow the OAuth protocol when interacting with Cognito user pools | `bool` | `true` | no |
 | client\_allowed\_oauth\_scopes | List of allowed OAuth scopes (phone, email, openid, profile, and aws.cognito.signin.user.admin) | `list` | `[]` | no |
 | client\_callback\_urls | List of allowed callback URLs for the identity providers | `list` | `[]` | no |
 | client\_default\_redirect\_uri | The default redirect URI. Must be in the list of callback URLs | `string` | `""` | no |
 | client\_explicit\_auth\_flows | List of authentication flows (ADMIN\_NO\_SRP\_AUTH, CUSTOM\_AUTH\_FLOW\_ONLY, USER\_PASSWORD\_AUTH) | `list` | `[]` | no |
 | client\_generate\_secret | Should an application secret be generated | `bool` | `true` | no |
+| client\_id\_token\_validity | Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. Must be between 5 minutes and 1 day. Cannot be greater than refresh token expiration. This value will be overridden if you have entered a value in `token_validity_units`. | `number` | `60` | no |
 | client\_logout\_urls | List of allowed logout URLs for the identity providers | `list` | `[]` | no |
 | client\_name | The name of the application client | `string` | `null` | no |
 | client\_prevent\_user\_existence\_errors | Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to ENABLED and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to LEGACY, those APIs will return a UserNotFoundException exception if the user does not exist in the user pool. | `string` | `""` | no |
 | client\_read\_attributes | List of user pool attributes the application client can read from | `list` | `[]` | no |
-| client\_refresh\_token\_validity | The time limit in days refresh tokens are valid for | `number` | `30` | no |
+| client\_refresh\_token\_validity | The time limit in days refresh tokens are valid for. Must be between 60 minutes and 3650 days. This value will be overridden if you have entered a value in `token_validity_units` | `number` | `30` | no |
 | client\_supported\_identity\_providers | List of provider names for the identity providers that are supported on this client | `list` | `[]` | no |
+| client\_token\_validity\_units | Configuration block for units in which the validity times are represented in. Valid values for the following arguments are: `seconds`, `minutes`, `hours` or `days`. | `any` | <pre>{<br>  "access_token": "hours",<br>  "id_token": "hours",<br>  "refresh_token": "days"<br>}</pre> | no |
 | client\_write\_attributes | List of user pool attributes the application client can write to | `list` | `[]` | no |
-| clients | A container with the clients definitions | `list` | `[]` | no |
+| clients | A container with the clients definitions | `any` | `[]` | no |
 | device\_configuration | The configuration for the user pool's device tracking | `map` | `{}` | no |
 | device\_configuration\_challenge\_required\_on\_new\_device | Indicates whether a challenge is required on a new device. Only applicable to a new device | `bool` | `false` | no |
 | device\_configuration\_device\_only\_remembered\_on\_user\_prompt | If true, a device is only remembered on user prompt | `bool` | `false` | no |

client.tf

@@ -10,11 +10,23 @@ resource "aws_cognito_user_pool_client" "client" {
   logout_urls                          = lookup(element(local.clients, count.index), "logout_urls", null)
   name                                 = lookup(element(local.clients, count.index), "name", null)
   read_attributes                      = lookup(element(local.clients, count.index), "read_attributes", null)
+  access_token_validity                = lookup(element(local.clients, count.index), "access_token_validity", null)
+  id_token_validity                    = lookup(element(local.clients, count.index), "id_token_validity", null)
   refresh_token_validity               = lookup(element(local.clients, count.index), "refresh_token_validity", null)
   supported_identity_providers         = lookup(element(local.clients, count.index), "supported_identity_providers", null)
   prevent_user_existence_errors        = lookup(element(local.clients, count.index), "prevent_user_existence_errors", null)
   write_attributes                     = lookup(element(local.clients, count.index), "write_attributes", null)
   user_pool_id                         = aws_cognito_user_pool.pool[0].id
+
+  # token_validity_units
+  dynamic "token_validity_units" {
+    for_each = length(lookup(element(local.clients, count.index), "token_validity_units", {})) == 0 ? [] : [lookup(element(local.clients, count.index), "token_validity_units")]
+    content {
+      access_token  = lookup(token_validity_units.value, "access_token", null)
+      id_token      = lookup(token_validity_units.value, "id_token", null)
+      refresh_token = lookup(token_validity_units.value, "refresh_token", null)
+    }
+  }
 }
 
 locals {
@@ -30,6 +42,9 @@ locals {
       logout_urls                          = var.client_logout_urls
       name                                 = var.client_name
       read_attributes                      = var.client_read_attributes
+      access_token_validity                = var.client_access_token_validity
+      id_token_validity                    = var.client_id_token_validity
+      token_validity_units                 = var.client_token_validity_units
       refresh_token_validity               = var.client_refresh_token_validity
       supported_identity_providers         = var.client_supported_identity_providers
       prevent_user_existence_errors        = var.client_prevent_user_existence_errors
@@ -49,7 +64,10 @@ locals {
     logout_urls                          = lookup(e, "logout_urls", null)
     name                                 = lookup(e, "name", null)
     read_attributes                      = lookup(e, "read_attributes", null)
+    access_token_validity                = lookup(e, "access_token_validity", null)
+    id_token_validity                    = lookup(e, "id_token_validity", null)
     refresh_token_validity               = lookup(e, "refresh_token_validity", null)
+    token_validity_units                 = lookup(e, "token_validity_units", {})
     supported_identity_providers         = lookup(e, "supported_identity_providers", null)
     prevent_user_existence_errors        = lookup(e, "prevent_user_existence_errors", null)
     write_attributes                     = lookup(e, "write_attributes", null)

examples/complete/main.tf

@@ -44,11 +44,13 @@ module "aws_cognito_user_pool_complete_example" {
   }
 
   password_policy = {
-    minimum_length    = 10
-    require_lowercase = false
-    require_numbers   = true
-    require_symbols   = true
-    require_uppercase = true
+    minimum_length                   = 10
+    require_lowercase                = false
+    require_numbers                  = true
+    require_symbols                  = true
+    require_uppercase                = true
+    temporary_password_validity_days = 120
+
   }
 
   user_pool_add_ons = {
@@ -147,9 +149,15 @@ module "aws_cognito_user_pool_complete_example" {
       logout_urls                          = []
       name                                 = "test1"
       read_attributes                      = ["email"]
-      refresh_token_validity               = 30
       supported_identity_providers         = []
       write_attributes                     = []
+      id_token_validity                    = 1
+      refresh_token_validity               = 60
+      token_validity_units = {
+        access_token  = "hours"
+        id_token      = "hours"
+        refresh_token = "days"
+      }
     },
     {
       allowed_oauth_flows                  = []
@@ -162,9 +170,9 @@ module "aws_cognito_user_pool_complete_example" {
       logout_urls                          = []
       name                                 = "test2"
       read_attributes                      = []
-      refresh_token_validity               = 30
       supported_identity_providers         = []
       write_attributes                     = []
+      refresh_token_validity               = 30
     },
     {
       allowed_oauth_flows                  = ["code", "implicit"]
@@ -177,9 +185,9 @@ module "aws_cognito_user_pool_complete_example" {
       logout_urls                          = ["https://mydomain.com/logout"]
       name                                 = "test3"
       read_attributes                      = ["email", "phone_number"]
-      refresh_token_validity               = 60
       supported_identity_providers         = []
       write_attributes                     = ["email", "gender", "locale", ]
+      refresh_token_validity               = 30
     }
   ]
 

variables.tf

@@ -389,7 +389,7 @@ variable "domain_certificate_arn" {
 #
 variable "clients" {
   description = "A container with the clients definitions"
-  type        = list
+  type        = any
   default     = []
 }
 
@@ -453,12 +453,6 @@ variable "client_read_attributes" {
   default     = []
 }
 
-variable "client_refresh_token_validity" {
-  description = "The time limit in days refresh tokens are valid for"
-  type        = number
-  default     = 30
-}
-
 variable "client_prevent_user_existence_errors" {
   description = "Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to ENABLED and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to LEGACY, those APIs will return a UserNotFoundException exception if the user does not exist in the user pool."
   type        = string
@@ -477,6 +471,35 @@ variable "client_write_attributes" {
   default     = []
 }
 
+variable "client_access_token_validity" {
+  description = "Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. This value will be overridden if you have entered a value in `token_validity_units`."
+  type        = number
+  default     = 60
+}
+
+variable "client_id_token_validity" {
+  description = "Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. Must be between 5 minutes and 1 day. Cannot be greater than refresh token expiration. This value will be overridden if you have entered a value in `token_validity_units`."
+  type        = number
+  default     = 60
+}
+
+variable "client_refresh_token_validity" {
+  description = "The time limit in days refresh tokens are valid for. Must be between 60 minutes and 3650 days. This value will be overridden if you have entered a value in `token_validity_units`"
+  type        = number
+  default     = 30
+}
+
+variable "client_token_validity_units" {
+  description = "Configuration block for units in which the validity times are represented in. Valid values for the following arguments are: `seconds`, `minutes`, `hours` or `days`."
+  type        = any
+  default = {
+    access_token  = "hours"
+    id_token      = "hours"
+    refresh_token = "days"
+  }
+
+}
+
 #
 # aws_cognito_user_group
 #