added cognito initial config

2020-09-12 15:04:39 +09:00
parent 41c9bdafaf
commit aa71a7a3cc
5 changed files with 125 additions and 12 deletions
--- a/infra/terraform/modules/catherine-fc/main/cognito.tf
+++ b/infra/terraform/modules/catherine-fc/main/cognito.tf
@@ -0,0 +1,23 @@
+resource "aws_cognito_user_pool" "catherine_fc_admin_cognito_pool" {
+  name = "catherine-fc-admin"
+
+  admin_create_user_config {
+    allow_admin_create_user_only = true
+  }
+}
+
+resource "aws_cognito_user_pool_client" "catherine_fc_admin_cognito_pool_client" {
+  name         = "catherine-fc-admin-client"
+  user_pool_id = aws_cognito_user_pool.catherine_fc_admin_cognito_pool.id
+  allowed_oauth_flows = ["code","implicit"]
+  allowed_oauth_scopes = ["email", "openid"]
+  callback_urls = ["https://www.catherine-fc.com","https://catherine-fc.com"]
+  allowed_oauth_flows_user_pool_client  = true
+  generate_secret     = true
+  explicit_auth_flows = ["USER_PASSWORD_AUTH"]
+}
+
+resource "aws_cognito_user_pool_domain" "catherine_fc_admin_cognito_pool_domain" {
+  domain       = "catherine-fc-admin-domain"
+  user_pool_id = aws_cognito_user_pool.catherine_fc_admin_cognito_pool.id
+}
--- a/infra/terraform/modules/catherine-fc/main/load-balancer.tf
+++ b/infra/terraform/modules/catherine-fc/main/load-balancer.tf
@@ -20,4 +20,58 @@ resource "aws_lb_listener" "catherine_fc_load_balancer_listener" {
    type             = "forward"
    target_group_arn = aws_lb_target_group.target_group_web.arn
  }
-}
+}
+
+resource "aws_lb_listener_rule" "catherine_fc_alb_listener_admin" {
+  listener_arn = aws_lb_listener.catherine_fc_load_balancer_listener.arn
+  priority     = 1
+  action {
+    type = "authenticate-cognito"
+
+    authenticate_cognito {
+      user_pool_arn       = aws_cognito_user_pool.catherine_fc_admin_cognito_pool.arn
+      user_pool_client_id = aws_cognito_user_pool_client.catherine_fc_admin_cognito_pool_client.id
+      user_pool_domain    = aws_cognito_user_pool_domain.catherine_fc_admin_cognito_pool_domain.domain
+      on_unauthenticated_request = "authenticate"
+      session_cookie_name = "CatherineFCAdmin"
+      session_timeout = 86400
+    }
+  }
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.target_group_web.arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["/admin*"]
+    }
+  }
+}
+
+resource "aws_lb_listener_rule" "catherine_fc_alb_listener_admin_api" {
+  listener_arn = aws_lb_listener.catherine_fc_load_balancer_listener.arn
+  priority     = 2
+  action {
+    type = "authenticate-cognito"
+
+    authenticate_cognito {
+      user_pool_arn       = aws_cognito_user_pool.catherine_fc_admin_cognito_pool.arn
+      user_pool_client_id = aws_cognito_user_pool_client.catherine_fc_admin_cognito_pool_client.id
+      user_pool_domain    = aws_cognito_user_pool_domain.catherine_fc_admin_cognito_pool_domain.domain
+      on_unauthenticated_request = "deny"
+      session_cookie_name = "CatherineFCAdmin"
+      session_timeout = 86400
+    }
+  }
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.target_group_web.arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["/api/admin*"]
+    }
+  }
+}