feat: mfa and cognito configured

cyberlabrs · Dec 28, 2023 · a6a1553 · a6a1553
1 parent 7ed468d
commit a6a1553
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 2 deletions.
diff --git a/cognito.tf b/cognito.tf
@@ -8,7 +8,7 @@ resource "aws_cognito_user_pool" "user_pool" {
   }
 
   auto_verified_attributes = ["email"]
-  mfa_configuration        = "OFF"
+  mfa_configuration        = var.mfa_configuration
   username_attributes      = ["email"]
 
   user_pool_add_ons {
@@ -30,6 +30,13 @@ resource "aws_cognito_user_pool" "user_pool" {
       priority = 1
     }
   }
+
+  dynamic "software_token_mfa_configuration" {
+    for_each = var.mfa_configuration == "ON" ? [1] : []
+    content {
+      enabled = true
+    }
+  }
 }
 
 resource "aws_cognito_user_pool_domain" "user_pool_domain" {
@@ -42,7 +49,7 @@ resource "aws_cognito_user_pool_domain" "user_pool_domain" {
 resource "aws_cognito_identity_pool" "identity_pool" {
   count                            = var.cognito_enabled ? 1 : 0
   identity_pool_name               = "${var.name}_identity_pool"
-  allow_unauthenticated_identities = true
+  allow_unauthenticated_identities = var.allow_unauthenticated_identities
 
   # AWS OpenSearch will maintain `cognito_identity_providers`, so ignore it
   lifecycle { ignore_changes = [cognito_identity_providers] }

diff --git a/cognito_iam.tf b/cognito_iam.tf
@@ -147,4 +147,13 @@ resource "aws_cognito_identity_pool_roles_attachment" "roles_attachment" {
     "authenticated"   = aws_iam_role.authenticated[0].arn,
     "unauthenticated" = aws_iam_role.unauthenticated[0].arn,
   }
+
+  dynamic "role_mapping" {
+    for_each = var.role_mapping
+    content {
+      ambiguous_role_resolution = try(role_mapping.value["ambiguous_role_resolution"], null)
+      identity_provider = try(role_mapping.value["identity_provider"],null)
+      type = try(role_mapping.value["type"], null)
+    }
+  }
 }
diff --git a/variables.tf b/variables.tf
@@ -265,4 +265,23 @@ variable "custom_es_cognito_role_name" {
   type        = string
   default     = null
   description = "Custom name for Opensearch Cognito role name"
+}
+
+
+variable "allow_unauthenticated_identities"{
+  type        = bool
+  description = "Allow unauthenticated identities on Cognito Identity Pool"
+  default     =  true
+}
+
+variable "role_mapping"{
+  type       =  any
+  description = "Custom role mapping for identity pool role attachment"
+  default    =  []
+}
+
+variable "mfa_configuration"{
+  type       = string
+  description = "Multi-Factor Authentication (MFA) configuration for the User Pool"
+  default  = "OFF"
 }