feat: Adds Cognito integration (#12)

GiamPy5 · web-flow · commit 9e9bb51e5526 · 2024-06-27T23:15:47.000+02:00
diff --git a/README.md b/README.md
@@ -79,10 +79,6 @@ Before using this module, ensure you have the following:
 - **Terraform installed** on your machine 🌐
 - Basic knowledge of **AWS services** and **Terraform** 📚
 
-## 📅 Roadmap
-
-- [ ] Implement Amazon Cognito authentication
-
 ## 📚 Module Documentation
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
@@ -136,9 +132,11 @@ Before using this module, ensure you have the following:
 | [aws_s3_bucket.directus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_versioning.directus_bucket_versioning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
+| [aws_secretsmanager_secret.cognito_client_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
 | [aws_secretsmanager_secret.directus_admin_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
 | [aws_secretsmanager_secret.directus_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
 | [aws_secretsmanager_secret.directus_serviceuser_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
+| [aws_secretsmanager_secret_version.cognito_client_secret_version](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
 | [aws_secretsmanager_secret_version.directus_admin_password_version](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
 | [aws_secretsmanager_secret_version.directus_secret_version](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
 | [aws_secretsmanager_secret_version.directus_serviceuser_secret_version](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
@@ -147,6 +145,7 @@ Before using this module, ensure you have the following:
 | [random_password.directus_admin_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [random_password.directus_secret](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_cognito_user_pool_client.client](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cognito_user_pool_client) | data source |
 | [aws_iam_policy_document.cloudwatch_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.kms_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.kms_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -164,11 +163,17 @@ Before using this module, ensure you have the following:
 | <a name="input_application_name"></a> [application\_name](#input\_application\_name) | The name of the application | `string` | n/a | yes |
 | <a name="input_autoscaling"></a> [autoscaling](#input\_autoscaling) | Autoscaling Configuration | <pre>object({<br>    enable           = bool<br>    memory_threshold = number<br>    cpu_threshold    = number<br>    min_capacity     = number<br>    max_capacity     = number<br>  })</pre> | <pre>{<br>  "cpu_threshold": 60,<br>  "enable": false,<br>  "max_capacity": 3,<br>  "memory_threshold": 80,<br>  "min_capacity": 1<br>}</pre> | no |
 | <a name="input_cloudwatch_logs_stream_prefix"></a> [cloudwatch\_logs\_stream\_prefix](#input\_cloudwatch\_logs\_stream\_prefix) | The prefix of the CloudWatch Logs stream | `string` | `"directus"` | no |
+| <a name="input_cognito_allow_public_registration"></a> [cognito\_allow\_public\_registration](#input\_cognito\_allow\_public\_registration) | Whether to allow public registration in Directus through Cognito External Users | `bool` | `false` | no |
+| <a name="input_cognito_identifier_key"></a> [cognito\_identifier\_key](#input\_cognito\_identifier\_key) | The key of the Cognito identifier | `string` | `"email"` | no |
+| <a name="input_cognito_scopes"></a> [cognito\_scopes](#input\_cognito\_scopes) | The Cognito scopes | `list(string)` | <pre>[<br>  "email",<br>  "openid",<br>  "profile"<br>]</pre> | no |
+| <a name="input_cognito_user_pool_client_id"></a> [cognito\_user\_pool\_client\_id](#input\_cognito\_user\_pool\_client\_id) | The ID of the Cognito user pool client | `string` | `""` | no |
+| <a name="input_cognito_user_pool_id"></a> [cognito\_user\_pool\_id](#input\_cognito\_user\_pool\_id) | The ID of the Cognito user pool | `string` | `""` | no |
 | <a name="input_cpu"></a> [cpu](#input\_cpu) | The number of CPU units to reserve for the Directus service | `number` | `2048` | no |
 | <a name="input_create_cloudwatch_logs_group"></a> [create\_cloudwatch\_logs\_group](#input\_create\_cloudwatch\_logs\_group) | Whether to create a CloudWatch Logs group | `bool` | `false` | no |
 | <a name="input_create_s3_bucket"></a> [create\_s3\_bucket](#input\_create\_s3\_bucket) | Whether to create an S3 bucket | `bool` | `false` | no |
 | <a name="input_ecs_service_enable_execute_command"></a> [ecs\_service\_enable\_execute\_command](#input\_ecs\_service\_enable\_execute\_command) | Whether to enable ECS service execute command | `bool` | `false` | no |
 | <a name="input_enable_alb_access_logs"></a> [enable\_alb\_access\_logs](#input\_enable\_alb\_access\_logs) | Whether to enable access logs of the Load Balancer | `bool` | `false` | no |
+| <a name="input_enable_cognito_authentication"></a> [enable\_cognito\_authentication](#input\_enable\_cognito\_authentication) | Whether to enable Cognito authentication | `bool` | `false` | no |
 | <a name="input_enable_ecs_volume"></a> [enable\_ecs\_volume](#input\_enable\_ecs\_volume) | Whether to enable ECS volume | `bool` | `false` | no |
 | <a name="input_enable_kms_encryption"></a> [enable\_kms\_encryption](#input\_enable\_kms\_encryption) | Whether to enable KMS encryption | `bool` | `false` | no |
 | <a name="input_enable_s3_bucket_versioning"></a> [enable\_s3\_bucket\_versioning](#input\_enable\_s3\_bucket\_versioning) | Whether to enable S3 bucket versioning | `bool` | `true` | no |
diff --git a/examples/main.tf b/examples/main.tf
@@ -49,6 +49,11 @@ module "directus" {
   cpu    = 1024
   memory = 2048
 
+  enable_cognito_authentication     = true
+  cognito_allow_public_registration = true
+  cognito_user_pool_id              = "user_pool_id"
+  cognito_user_pool_client_id       = "user_pool_client_id"
+
   ecs_service_enable_execute_command = true # Allows you to connect via CLI to the ECS Task Container (just like `docker exec`). It's disabled by default.
   enable_ses_emails_sending          = true
   enable_ecs_volume                  = false
@@ -72,7 +77,7 @@ module "directus" {
   redis_port = module.elasticache.cluster_cache_nodes[0].port
 
   create_s3_bucket = true # If you do not create an S3 bucket, you will need to provide an existing S3 bucket name
-  s3_bucket_name   = "terraform-aws-directus-${local.region}"
+  s3_bucket_name   = "${local.name}-${local.region}"
 
   enable_kms_encryption = true
   kms_key_id            = aws_kms_key.directus.id
@@ -160,7 +165,7 @@ module "rds" {
   source  = "terraform-aws-modules/rds/aws"
   version = "6.7.0"
 
-  identifier = "directus"
+  identifier = local.name
 
   engine               = "mysql"
   family               = "mysql8.0"
@@ -347,7 +352,7 @@ resource "aws_cloudfront_distribution" "cloudfront_distribution" {
     target_origin_id       = "lb.${local.application_domain_name}"
     viewer_protocol_policy = "redirect-to-https"
     forwarded_values {
-      headers      = []
+      headers      = ["Authorization"]
       query_string = true
       cookies {
         forward = "all"
diff --git a/main.tf b/main.tf
@@ -13,8 +13,12 @@ locals {
 
   s3_bucket_name = var.s3_bucket_name != "" ? var.s3_bucket_name : "${local.truncated_application_name}-${local.service_name}-bucket-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}"
 
+  cognito_issuer_url = var.enable_cognito_authentication ? "https://cognito-idp.${data.aws_region.current.name}.amazonaws.com/${var.cognito_user_pool_id}/.well-known/openid-configuration" : ""
+
   directus_port = 8055
 
+  openid_callback_url = "${local.public_url}/auth/login/cognito/callback"
+
   healthcheck_path = "/server/health"
 
   public_url = var.public_url != "" ? var.public_url : "http://${aws_lb.directus.dns_name}"
@@ -54,6 +58,16 @@ locals {
     var.enable_ses_emails_sending ? {
       EMAIL_TRANSPORT  = "ses"
       EMAIL_SES_REGION = data.aws_region.current.name
+    } : {},
+    var.enable_cognito_authentication ? {
+      AUTH_PROVIDERS                         = "cognito"
+      AUTH_COGNITO_DRIVER                    = "openid"
+      AUTH_COGNITO_ISSUER_URL                = local.cognito_issuer_url
+      AUTH_COGNITO_SCOPE                     = join(" ", var.cognito_scopes)
+      AUTH_COGNITO_CLIENT_ID                 = var.cognito_user_pool_client_id
+      AUTH_COGNITO_IDENTIFIER_KEY            = var.cognito_identifier_key
+      AUTH_COGNITO_ALLOW_PUBLIC_REGISTRATION = var.cognito_allow_public_registration ? "true" : "false"
+      AUTH_COGNITO_ICON                      = "aws"
     } : {}
   )
 
@@ -64,16 +78,20 @@ locals {
       cpu       = var.cpu
       memory    = var.memory
       essential = true
-      secrets = concat([
-        { name : "SECRET", valueFrom : aws_secretsmanager_secret_version.directus_secret_version.arn },
-        { name : "ADMIN_PASSWORD", valueFrom : aws_secretsmanager_secret_version.directus_admin_password_version.arn },
-        { name : "DB_PASSWORD", valueFrom : "${var.rds_database_password_secrets_manager_arn}:password::" },
-        { name : "STORAGE_S3_KEY", valueFrom : "${aws_secretsmanager_secret_version.directus_serviceuser_secret_version.arn}:access_key_id::" },
-        { name : "STORAGE_S3_SECRET", valueFrom : "${aws_secretsmanager_secret_version.directus_serviceuser_secret_version.arn}:access_key_secret::" }
+      secrets = concat(
+        [
+          { name : "SECRET", valueFrom : aws_secretsmanager_secret_version.directus_secret_version.arn },
+          { name : "ADMIN_PASSWORD", valueFrom : aws_secretsmanager_secret_version.directus_admin_password_version.arn },
+          { name : "DB_PASSWORD", valueFrom : "${var.rds_database_password_secrets_manager_arn}:password::" },
+          { name : "STORAGE_S3_KEY", valueFrom : "${aws_secretsmanager_secret_version.directus_serviceuser_secret_version.arn}:access_key_id::" },
+          { name : "STORAGE_S3_SECRET", valueFrom : "${aws_secretsmanager_secret_version.directus_serviceuser_secret_version.arn}:access_key_secret::" }
         ],
         var.enable_ses_emails_sending ? [
           { name : "EMAIL_SES_CREDENTIALS__ACCESS_KEY_ID", valueFrom : "${aws_secretsmanager_secret_version.directus_serviceuser_secret_version.arn}:access_key_id::" },
           { name : "EMAIL_SES_CREDENTIALS__SECRET_ACCESS_KEY", valueFrom : "${aws_secretsmanager_secret_version.directus_serviceuser_secret_version.arn}:access_key_secret::" }
+        ] : [],
+        var.enable_cognito_authentication ? [
+          { name : "AUTH_COGNITO_CLIENT_SECRET", valueFrom : aws_secretsmanager_secret_version.cognito_client_secret_version[0].arn }
       ] : [])
       environment = [for key, value in local.environment_vars : {
         name  = key
@@ -113,6 +131,37 @@ data "aws_region" "current" {}
 
 data "aws_caller_identity" "current" {}
 
+data "aws_cognito_user_pool_client" "client" {
+  count = var.enable_cognito_authentication ? 1 : 0
+
+  client_id    = var.cognito_user_pool_client_id
+  user_pool_id = var.cognito_user_pool_id
+}
+
+resource "aws_secretsmanager_secret" "cognito_client_secret" {
+  count = var.enable_cognito_authentication ? 1 : 0
+
+  name_prefix = "${var.application_name}-${local.service_name}-cognito-client-secret"
+
+  kms_key_id = var.kms_key_id
+
+  tags = var.tags
+}
+
+resource "aws_secretsmanager_secret_version" "cognito_client_secret_version" {
+  count = var.enable_cognito_authentication ? 1 : 0
+
+  secret_id     = aws_secretsmanager_secret.cognito_client_secret[0].id
+  secret_string = data.aws_cognito_user_pool_client.client[0].client_secret
+
+  lifecycle {
+    precondition {
+      condition     = contains(data.aws_cognito_user_pool_client.client[0].callback_urls, local.openid_callback_url)
+      error_message = "The Cognito user pool client \"${var.cognito_user_pool_client_id}\" callback URLs must contain \"${local.openid_callback_url}\""
+    }
+  }
+}
+
 resource "aws_s3_bucket" "directus" {
   count = var.create_s3_bucket ? 1 : 0
 
@@ -236,12 +285,14 @@ module "ecs" {
     "kms" : aws_iam_policy.kms_policy[0].arn
   } : {})
 
-  task_exec_secret_arns = [
+  task_exec_secret_arns = concat([
     aws_secretsmanager_secret.directus_secret.arn,
     aws_secretsmanager_secret.directus_admin_password.arn,
     aws_secretsmanager_secret.directus_serviceuser_secret.arn,
     var.rds_database_password_secrets_manager_arn
-  ]
+    ], var.enable_cognito_authentication ? [
+    aws_secretsmanager_secret.cognito_client_secret[0].arn
+  ] : [])
 
   cluster_configuration = {
     execute_command_configuration = {
diff --git a/variables.tf b/variables.tf
@@ -10,6 +10,41 @@ variable "public_url" {
   default     = ""
 }
 
+variable "enable_cognito_authentication" {
+  description = "Whether to enable Cognito authentication"
+  type        = bool
+  default     = false
+}
+
+variable "cognito_allow_public_registration" {
+  description = "Whether to allow public registration in Directus through Cognito External Users"
+  type        = bool
+  default     = false
+}
+
+variable "cognito_identifier_key" {
+  description = "The key of the Cognito identifier"
+  type        = string
+  default     = "email"
+}
+
+variable "cognito_scopes" {
+  description = "The Cognito scopes"
+  type        = list(string)
+  default     = ["email", "openid", "profile"]
+}
+variable "cognito_user_pool_id" {
+  description = "The ID of the Cognito user pool"
+  type        = string
+  default     = ""
+}
+
+variable "cognito_user_pool_client_id" {
+  description = "The ID of the Cognito user pool client"
+  type        = string
+  default     = ""
+}
+
 variable "load_balancer_allowed_cidr_blocks" {
   description = "The CIDR blocks allowed to access the Load Balancer"
   type        = list(string)
