From ef56d6769f0edd35c964d1f5b170634b29951b6e Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Sat, 10 Apr 2021 12:17:11 -0300 Subject: [PATCH 1/5] Update complete example to include temporary_password_validity_days in password_policy block --- examples/complete/main.tf | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 9cc0b49..ee026f5 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -44,11 +44,13 @@ module "aws_cognito_user_pool_complete_example" { } password_policy = { - minimum_length = 10 - require_lowercase = false - require_numbers = true - require_symbols = true - require_uppercase = true + minimum_length = 10 + require_lowercase = false + require_numbers = true + require_symbols = true + require_uppercase = true + temporary_password_validity_days = 120 + } user_pool_add_ons = { From 962690c28e9b8fa7f71e68435fd7433a36f2ee94 Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Sat, 10 Apr 2021 12:37:31 -0300 Subject: [PATCH 2/5] Add acess_token and id_token validitiy --- client.tf | 16 ++++++++++++++++ variables.tf | 30 ++++++++++++++++++++++++------ 2 files changed, 40 insertions(+), 6 deletions(-) diff --git a/client.tf b/client.tf index c3b337f..1109c2b 100644 --- a/client.tf +++ b/client.tf 
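Review bot: `temporary_password_validity_days = 120` in the `password_policy` block of the complete example keeps admin-created temporary passwords usable for four months, a long window for a credential that is typically delivered by email or SMS; the Cognito default for this setting is 7 days. Since `examples/complete` is the configuration people copy, a value near the default, `temporary_password_validity_days = 7`, or a short comment saying 120 is only there to show the argument, would be clearer. The re-aligned `=` on the five existing lines matches `terraform fmt` output, so that part is fine.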
@@ -10,11 +10,23 @@ resource "aws_cognito_user_pool_client" "client" { logout_urls = lookup(element(local.clients, count.index), "logout_urls", null) name = lookup(element(local.clients, count.index), "name", null) read_attributes = lookup(element(local.clients, count.index), "read_attributes", null) + access_token_validity = lookup(element(local.clients, count.index), "access_token_validity", null) + id_token_validity = lookup(element(local.clients, count.index), "id_token_validity", null) refresh_token_validity = lookup(element(local.clients, count.index), "refresh_token_validity", null) supported_identity_providers = lookup(element(local.clients, count.index), "supported_identity_providers", null) prevent_user_existence_errors = lookup(element(local.clients, count.index), "prevent_user_existence_errors", null) write_attributes = lookup(element(local.clients, count.index), "write_attributes", null) user_pool_id = aws_cognito_user_pool.pool[0].id + + # token_validity_units + dynamic "token_validity_units" { + for_each = lookup(element(local.clients, count.index), "token_validity_units", null) + content { + access_token = lookup(token_validity_units.value, "access_token") + id_token = lookup(token_validity_units.value, "id_token") + refresh_token = lookup(token_validity_units.value, "refresh_token") + } + } } locals { @@ -30,6 +42,8 @@ locals { logout_urls = var.client_logout_urls name = var.client_name read_attributes = var.client_read_attributes + access_token_validity = var.client_access_token_validity + id_token_validity = var.client_id_token_validity refresh_token_validity = var.client_refresh_token_validity supported_identity_providers = var.client_supported_identity_providers prevent_user_existence_errors = var.client_prevent_user_existence_errors 
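Review bot: The comment `# token_validity_units` above the new `dynamic "token_validity_units"` block only repeats the block label and says nothing about its relationship to the three `*_token_validity` arguments set a few lines earlier. A comment that explains that relationship, e.g. `# Units (seconds/minutes/hours/days) in which access_token_validity, id_token_validity and refresh_token_validity above are interpreted`, would earn its place; otherwise drop it. The `resource "aws_cognito_user_pool_client" "client"` body begins before this hunk.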
@@ -49,6 +63,8 @@ locals { logout_urls = lookup(e, "logout_urls", null) name = lookup(e, "name", null) read_attributes = lookup(e, "read_attributes", null) + access_token_validity = lookup(e, "access_token_validity", null) + id_token_validity = lookup(e, "id_token_validity", null) refresh_token_validity = lookup(e, "refresh_token_validity", null) supported_identity_providers = lookup(e, "supported_identity_providers", null) prevent_user_existence_errors = lookup(e, "prevent_user_existence_errors", null) diff --git a/variables.tf b/variables.tf index c22d4d5..73aa353 100644 --- a/variables.tf +++ b/variables.tf @@ -453,12 +453,6 @@ variable "client_read_attributes" { default = [] } -variable "client_refresh_token_validity" { - description = "The time limit in days refresh tokens are valid for" - type = number - default = 30 -} - variable "client_prevent_user_existence_errors" { description = "Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to ENABLED and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to LEGACY, those APIs will return a UserNotFoundException exception if the user does not exist in the user pool." type = string 
@@ -477,6 +471,30 @@ variable "client_write_attributes" { default = [] } +variable "client_access_token_validity" { + description = "Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. This value will be overridden if you have entered a value in `token_validity_units`." + type = number + default = 60 +} + +variable "client_id_token_validity" { + description = "Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. This value will be overridden if you have entered a value in `token_validity_units`." + type = number + default = 60 +} + +variable "client_refresh_token_validity" { + description = "The time limit in days refresh tokens are valid for" + type = number + default = 30 +} + +variable "client_token_validity_units" { + description = "Configuration block for units in which the validity times are represented in. Valid values for the following arguments are: `seconds`, `minutes`, `hours` or `days`." + type = any + default = {} +} + # # aws_cognito_user_group # From 3cb9d7c0ddd8e28d9b5d1da922b418a981c21a19 Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Sat, 10 Apr 2021 13:23:25 -0300 Subject: [PATCH 3/5] Add token_validity_units --- client.tf | 10 ++++++---- variables.tf | 13 +++++++++---- 2 files changed, 15 insertions(+), 8 deletions(-) diff --git a/client.tf b/client.tf index 1109c2b..3b05fe9 100644 --- a/client.tf +++ b/client.tf 
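Review bot: The `default = 60` on the new `client_access_token_validity` and `client_id_token_validity` variables contradicts the range their own descriptions give, "between 5 minutes and 1 day": the value is interpreted in the unit chosen by `token_validity_units`, which is hours unless set otherwise (the default units block added in PATCH 3/5 also keeps `hours` for both tokens), so 60 means 60 hours and Cognito can be expected to reject the client. A module default should also not hand out access and ID tokens that live longer than the AWS default of one hour, since a leaked bearer token stays usable for the whole validity period. Either use `default = 1` with the `hours` unit, or keep `default = 60` and default the two units to `minutes`; a `validation` block on each variable would catch out-of-range values at plan time if the module's required Terraform version allows it.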
@@ -20,11 +20,11 @@ resource "aws_cognito_user_pool_client" "client" { # token_validity_units dynamic "token_validity_units" { - for_each = lookup(element(local.clients, count.index), "token_validity_units", null) + for_each = length(lookup(element(local.clients, count.index), "token_validity_units", {})) == 0 ? [] : [lookup(element(local.clients, count.index), "token_validity_units")] content { - access_token = lookup(token_validity_units.value, "access_token") - id_token = lookup(token_validity_units.value, "id_token") - refresh_token = lookup(token_validity_units.value, "refresh_token") + access_token = lookup(token_validity_units.value, "access_token", null) + id_token = lookup(token_validity_units.value, "id_token", null) + refresh_token = lookup(token_validity_units.value, "refresh_token", null) } } } @@ -44,6 +44,7 @@ locals { read_attributes = var.client_read_attributes access_token_validity = var.client_access_token_validity id_token_validity = var.client_id_token_validity + token_validity_units = var.client_token_validity_units refresh_token_validity = var.client_refresh_token_validity supported_identity_providers = var.client_supported_identity_providers prevent_user_existence_errors = var.client_prevent_user_existence_errors @@ -66,6 +67,7 @@ locals { access_token_validity = lookup(e, "access_token_validity", null) id_token_validity = lookup(e, "id_token_validity", null) refresh_token_validity = lookup(e, "refresh_token_validity", null) + token_validity_units = lookup(e, "token_validity_units", {}) supported_identity_providers = lookup(e, "supported_identity_providers", null) prevent_user_existence_errors = lookup(e, "prevent_user_existence_errors", null) write_attributes = lookup(e, "write_attributes", null) diff --git a/variables.tf b/variables.tf index 73aa353..58fdd67 100644 --- a/variables.tf +++ b/variables.tf 
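Review bot: The new `for_each` condition calls `lookup(element(local.clients, count.index), "token_validity_units", {})` and then repeats the same lookup to build the single-element list, so the per-client map is read twice and the line is hard to scan. Both `locals` hunks in this patch now populate a `token_validity_units` key on every client, so the block could read the key once, e.g. `for_each = length(element(local.clients, count.index).token_validity_units) == 0 ? [] : [element(local.clients, count.index).token_validity_units]`, or hoist the per-client value into a local. Note also that if a `clients` entry sets `token_validity_units = null` explicitly, `lookup` returns that null rather than the `{}` fallback and `length(null)` fails at plan time, so that input shape is presumably unsupported and could be stated in the variable description.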
@@ -389,7 +389,7 @@ variable "domain_certificate_arn" { # variable "clients" { description = "A container with the clients definitions" - type = list + type = any default = [] } @@ -478,13 +478,13 @@ variable "client_access_token_validity" { } variable "client_id_token_validity" { - description = "Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. This value will be overridden if you have entered a value in `token_validity_units`." + description = "Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. Must be between 5 minutes and 1 day. Cannot be greater than refresh token expiration. This value will be overridden if you have entered a value in `token_validity_units`." type = number default = 60 } variable "client_refresh_token_validity" { - description = "The time limit in days refresh tokens are valid for" + description = "The time limit in days refresh tokens are valid for. Must be between 60 minutes and 3650 days. This value will be overridden if you have entered a value in `token_validity_units`" type = number default = 30 } @@ -492,7 +492,12 @@ variable "client_refresh_token_validity" { variable "client_token_validity_units" { description = "Configuration block for units in which the validity times are represented in. Valid values for the following arguments are: `seconds`, `minutes`, `hours` or `days`." type = any - default = {} + default = { + access_token = "hours" + id_token = "hours" + refresh_token = "days" + } + } # From 73b17bdef146d370de80fad7b80c0dee8a6304f2 Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Sat, 10 Apr 2021 13:25:08 -0300 Subject: [PATCH 4/5] Update README --- README.md | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index fec5a2a..d264436 100644 --- a/README.md +++ b/README.md 
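Review bot: The updated `client_id_token_validity` description states the range twice: "Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. Must be between 5 minutes and 1 day." Dropping the parenthetical "between 5 minutes and 1 day" from the first sentence and keeping the "Must be between 5 minutes and 1 day. Cannot be greater than refresh token expiration." sentences removes the repetition. The new `client_refresh_token_validity` description also lacks its closing period, and the `default` block of `client_token_validity_units` carries a stray blank line before `}` that `terraform fmt` would not add. Because that default is non-empty, the units block is now emitted for every client built from the `client_*` variables, which is worth a sentence in the CHANGELOG since it fixes the unit in which the `60` defaults of the two new validity variables are read.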
@@ -133,7 +133,6 @@ module "aws_cognito_user_pool_complete" { } ``` - ## Requirements | Name | Version | @@ -147,6 +146,20 @@ module "aws_cognito_user_pool_complete" { |------|---------| | aws | >= 2.54.0 | +## Modules + +No Modules. + +## Resources + +| Name | +|------| +| [aws_cognito_resource_server](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_resource_server) | +| [aws_cognito_user_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_group) | +| [aws_cognito_user_pool](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool) | +| [aws_cognito_user_pool_client](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool_client) | +| [aws_cognito_user_pool_domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool_domain) | + ## Inputs | Name | Description | Type | Default | Required | 
@@ -158,6 +171,7 @@ module "aws_cognito_user_pool_complete" { | admin\_create\_user\_config\_sms\_message | - The message template for SMS messages. Must contain `{username}` and `{####}` placeholders, for username and temporary password, respectively | `string` | `"Your username is {username} and temporary password is `{####}`"` | no | | alias\_attributes | Attributes supported as an alias for this user pool. Possible values: phone\_number, email, or preferred\_username. Conflicts with `username_attributes` | `list` | `null` | no | | auto\_verified\_attributes | The attributes to be auto-verified. Possible values: email, phone\_number | `list` | `[]` | no | +| client\_access\_token\_validity | Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. This value will be overridden if you have entered a value in `token_validity_units`. | `number` | `60` | no | | client\_allowed\_oauth\_flows | The name of the application client | `list` | `[]` | no | | client\_allowed\_oauth\_flows\_user\_pool\_client | Whether the client is allowed to follow the OAuth protocol when interacting with Cognito user pools | `bool` | `true` | no | | client\_allowed\_oauth\_scopes | List of allowed OAuth scopes (phone, email, openid, profile, and aws.cognito.signin.user.admin) | `list` | `[]` | no | 
@@ -165,14 +179,16 @@ module "aws_cognito_user_pool_complete" { | client\_default\_redirect\_uri | The default redirect URI. Must be in the list of callback URLs | `string` | `""` | no | | client\_explicit\_auth\_flows | List of authentication flows (ADMIN\_NO\_SRP\_AUTH, CUSTOM\_AUTH\_FLOW\_ONLY, USER\_PASSWORD\_AUTH) | `list` | `[]` | no | | client\_generate\_secret | Should an application secret be generated | `bool` | `true` | no | +| client\_id\_token\_validity | Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. Must be between 5 minutes and 1 day. Cannot be greater than refresh token expiration. This value will be overridden if you have entered a value in `token_validity_units`. | `number` | `60` | no | | client\_logout\_urls | List of allowed logout URLs for the identity providers | `list` | `[]` | no | | client\_name | The name of the application client | `string` | `null` | no | | client\_prevent\_user\_existence\_errors | Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to ENABLED and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to LEGACY, those APIs will return a UserNotFoundException exception if the user does not exist in the user pool. | `string` | `""` | no | | client\_read\_attributes | List of user pool attributes the application client can read from | `list` | `[]` | no | -| client\_refresh\_token\_validity | The time limit in days refresh tokens are valid for | `number` | `30` | no | +| client\_refresh\_token\_validity | The time limit in days refresh tokens are valid for. Must be between 60 minutes and 3650 days. 
This value will be overridden if you have entered a value in `token_validity_units` | `number` | `30` | no | | client\_supported\_identity\_providers | List of provider names for the identity providers that are supported on this client | `list` | `[]` | no | +| client\_token\_validity\_units | Configuration block for units in which the validity times are represented in. Valid values for the following arguments are: `seconds`, `minutes`, `hours` or `days`. | `any` |
{
"access_token": "hours",
"id_token": "hours",
"refresh_token": "days"
}
| no | | client\_write\_attributes | List of user pool attributes the application client can write to | `list` | `[]` | no | -| clients | A container with the clients definitions | `list` | `[]` | no | +| clients | A container with the clients definitions | `any` | `[]` | no | | device\_configuration | The configuration for the user pool's device tracking | `map` | `{}` | no | | device\_configuration\_challenge\_required\_on\_new\_device | Indicates whether a challenge is required on a new device. Only applicable to a new device | `bool` | `false` | no | | device\_configuration\_device\_only\_remembered\_on\_user\_prompt | If true, a device is only remembered on user prompt | `bool` | `false` | no | From 16e2e84ef43a6d360d9936a5e032b9def9207f5c Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Sat, 10 Apr 2021 13:31:39 -0300 Subject: [PATCH 5/5] Update README, Changelog & complete example --- CHANGELOG.md | 31 +++++++++++++++++++------------ examples/complete/main.tf | 12 +++++++++--- 2 files changed, 28 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 243fe3f..8d56e48 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,59 +1,66 @@ -## 0.9.4 (February 14, 2021) +## 0.10.0 (April 10, 2021) + +ENHANCEMENTS: + +* Add support for `access_token_validity`, `id_token_validity` and `token_validity_units` +* Update complete example with `access_token_validity`, `id_token_validity` and `token_validity_units` + +## 0.9.4 (February 14, 2021) FIX: * Update README to include schema changes know issue -## 0.9.3 (January 27, 2021) +## 0.9.3 (January 27, 2021) ENHANCEMENTS: * Update description for `enabled` variable -## 0.9.2 (January 27, 2021) +## 0.9.2 (January 27, 2021) ENHANCEMENTS: * Update conditional creation example -## 0.9.1 (January 27, 2021) +## 0.9.1 (January 27, 2021) FIX: * Set default value for enable variable to `true` -## 0.9.0 (January 24, 2021) +## 0.9.0 (January 24, 2021) ENHANCEMENTS: * Support conditional creation (thanks @Necromancerx) -## 0.8.0 (December 28, 2020) +## 0.8.0 (December 28, 2020) ENHANCEMENTS: * Add support for support `account_recovery_setting` -## 0.7.1 (December 11, 2020) +## 0.7.1 (December 11, 2020) FIX: * Ignore schema changes and prevent pool destruction -## 0.7.0 (November 25, 2020) +## 0.7.0 (November 25, 2020) ENHANCEMENTS: * Add `from_email_address` -## 0.6.2 (August 13, 2020) +## 0.6.2 (August 13, 2020) FIXES: * Update CHANGELOG -## 0.6.1 (August 13, 2020) +## 0.6.1 (August 13, 2020) ENHANCEMENTS: @@ -68,7 +75,7 @@ UPDATES: * Updated README and examples -## 0.5.0 (July 31, 2020) +## 0.5.0 (July 31, 2020) FIXES: @@ -81,7 +88,7 @@ ENHANCEMENTS: * Add support for `software_token_mfa_configuration` -## 0.3.3 (April 24, 2020) +## 0.3.3 (April 24, 2020) FIXES: diff --git a/examples/complete/main.tf b/examples/complete/main.tf index ee026f5..75eb3cc 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
@@ -149,9 +149,15 @@ module "aws_cognito_user_pool_complete_example" { logout_urls = [] name = "test1" read_attributes = ["email"] - refresh_token_validity = 30 supported_identity_providers = [] write_attributes = [] + id_token_validity = 1 + refresh_token_validity = 60 + token_validity_units = { + access_token = "hours" + id_token = "hours" + refresh_token = "days" + } }, { allowed_oauth_flows = [] @@ -164,9 +170,9 @@ module "aws_cognito_user_pool_complete_example" { logout_urls = [] name = "test2" read_attributes = [] - refresh_token_validity = 30 supported_identity_providers = [] write_attributes = [] + refresh_token_validity = 30 }, { allowed_oauth_flows = ["code", "implicit"] @@ -179,9 +185,9 @@ module "aws_cognito_user_pool_complete_example" { logout_urls = ["https://mydomain.com/logout"] name = "test3" read_attributes = ["email", "phone_number"] - refresh_token_validity = 60 supported_identity_providers = [] write_attributes = ["email", "gender", "locale", ] + refresh_token_validity = 30 } ]
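Review bot: None of the three example clients sets `access_token_validity`, although the commit message and the CHANGELOG entry in this same patch say the complete example was updated with `access_token_validity`, `id_token_validity` and `token_validity_units`; only `test1` gets `id_token_validity = 1` and a units block. Adding `access_token_validity = 1` next to `id_token_validity = 1` in `test1` would make the example exercise all three new arguments and match the changelog. In `test2` and `test3` the change only moves `refresh_token_validity` below `write_attributes`, and for `test3` it also changes the value from 60 to 30, which the commit message does not mention.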