This module will build a website that is protected by an OpenId compatible authentication provider. It will provision a private S3 bucket, Cloudfront, and deploy a customized Lambda function using Lambda@Edge

vainkop/terraform-aws-cloudfront-auth

Terraform CloudFront Auth

Version: v1.0.0 License: GPL v3

Introduction

This module will build a website that is protected by an OpenId-compatible authentication provider. It will provision a private S3 bucket, Cloudfront, and deploy a customized Lambda function using Lambda@Edge.

Currently only OKTA is supported, but the module can easily be extended to support other providers (Google/Microsoft/GitHub/Auth0/Centrify).

Based on

This project uses the Node.js code from Widen for the Lambda function. Their repository includes a build.js script that interactively prompts for configuration items (client_id, client_secret, etc.) and builds the Lambda zip file. That does not lend itself well to automation, so this repository replaces that logic with build.tf and local-exec resources that create the archive.

The Scale Factory team created the (now hibernating) terraform-cloudfront-auth project to allow passing environment variables to the Widen build.js script. Their project still requires executing the nodejs script, which does not work for environments where those dependencies are not available, such as a Terraform Cloud runner.

Caveats

Because this project uses the archive_file data source, Terraform will always produce a plan that modifies resources, even when terraform apply would make no changes. This causes false positives when terraform plan is run periodically to check for configuration drift.

Usage

An example is included in the example/ directory.

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| region | AWS Region. | string | n/a | yes |
| hostname | Hostname of the managed website. | string | n/a | yes |
| client_id | OKTA client_id. | string | n/a | yes |
| client_secret | OKTA client_secret. | string | n/a | yes |
| redirect_uri | AWS redirect_uri. | string | n/a | yes |
| base_url | OKTA base_url. | string | n/a | yes |
| acm_cert_arn | ARN of AWS Certificate Manager certificate for website. | string | n/a | yes |
| route53_zone_name | AWS Route53 zone name. | string | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| cloudfront_distribution | CloudFront distribution |
| lambda_function | Lambda function |
| s3_bucket | S3 bucket |
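The inputs and outputs above wired into a root module, as an added example that is not the module's own example/ directory. The module `source` string, the hostnames, the ACM certificate ARN and the `sensitive` variable holding the OKTA client secret are assumptions or placeholders, not values the README specifies.

```hcl
# Added example root module calling terraform-aws-cloudfront-auth.
# Source path, hostnames and ARNs are assumed/placeholder values.
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

# Keep the OKTA client secret out of committed configuration: supply it via
# TF_VAR_okta_client_secret or a secrets-backed variable set, never a literal.
variable "okta_client_secret" {
  type      = string
  sensitive = true
}

provider "aws" {
  # Lambda@Edge functions and CloudFront ACM certificates must live in us-east-1.
  region = "us-east-1"
}

module "cloudfront_auth" {
  # Assumed source; pin the released tag rather than tracking the default branch.
  source = "github.com/vainkop/terraform-aws-cloudfront-auth?ref=v1.0.0"

  region            = "us-east-1"
  hostname          = "docs.example.com"            # constructed
  client_id         = "PLACEHOLDER_OKTA_CLIENT_ID"  # placeholder
  client_secret     = var.okta_client_secret
  # Constructed; must exactly match a redirect URI registered on the OKTA app.
  redirect_uri      = "https://docs.example.com/_callback"
  base_url          = "https://example.okta.com"    # constructed
  acm_cert_arn      = "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER"
  route53_zone_name = "example.com"                 # constructed
}

# Surface the module outputs listed in the README for use by other stacks.
output "cloudfront_distribution" {
  value = module.cloudfront_auth.cloudfront_distribution
}

output "s3_bucket" {
  value = module.cloudfront_auth.s3_bucket
}
```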

License

This project is licensed under the GNU GPLv3. Please use and change to suit your needs.

This repository includes the source from Widen's cloudfront-auth project and its dependencies, compliant with the project's license.
