Cognito 身份池 Auth/Unauth 角色的 Terraform 定义
Terraform Definition of Cognito Identity Pool Auth/Unauth Roles
我一直在尝试创建一个 terraform 脚本来创建具有 linked auth 和 unauth 角色的 cognito 用户池和身份池,但我找不到这样做的好例子。这是我目前所拥有的:
cognito.tf:
resource "aws_cognito_user_pool" "pool" {
name = "Sample User Pool"
admin_create_user_config {
allow_admin_create_user_only = false
}
/* More stuff here, not included*/
}
resource "aws_cognito_user_pool_client" "client" {
name = "client"
user_pool_id = "${aws_cognito_user_pool.pool.id}"
generate_secret = true
explicit_auth_flows = ["ADMIN_NO_SRP_AUTH"]
}
resource "aws_cognito_identity_pool" "main" {
identity_pool_name = "SampleIdentityPool"
allow_unauthenticated_identities = false
cognito_identity_providers {
client_id = "${aws_cognito_user_pool_client.id}"
provider_name = ""
server_side_token_check = true
}
}
所以,我想为此添加一个 auth 角色和一个 unauth 角色,但我仍在努力思考如何在 terraform 中定义和 link IAM 角色,但这是我到目前为止:
resource "aws_cognito_identity_pool_roles_attachment" "main" {
identity_pool_id = "${aws_cognito_identity_pool.main.id}"
roles {
"authenticated" = <<EOF
{
actions = ["sts:AssumeRoleWithWebIdentity"]
principals {
type = "Federated"
identifiers = ["cognito-identity.amazonaws.com"]
}
condition {
test = "StringEquals"
variable = "cognito-identity.amazonaws.com:aud"
values = ["${aws_cognito_identity_pool.main.id}"]
}
condition {
test = "ForAnyValue:StringLike"
variable = "cognito-identity.amazonaws.com:amr"
values = ["authenticated"]
}
}
EOF
"unauthenticated" = <<EOF
{
actions = ["sts:AssumeRoleWithWebIdentity"]
principals {
type = "Federated"
identifiers = ["cognito-identity.amazonaws.com"]
}
condition {
test = "StringEquals"
variable = "cognito-identity.amazonaws.com:aud"
values = ["${aws_cognito_identity_pool.main.id}"]
}
}
EOF
}
}
然而,这不起作用。它正确地创建了池和客户端,但没有将任何内容附加到 auth/unauth 角色。我不知道我错过了什么,除了使用 AWS 控制台之外,我找不到任何如何正确执行此操作的示例。在 terraform 中正确解决这个问题的任何帮助将不胜感激!
折腾了几天,终于弄明白了。我只是对“担任角色政策”和“政策”感到困惑。一旦我解决了这个问题,它就奏效了。这是(大致)我现在拥有的。我会把它放在这里,希望它能让第一次尝试解决这个问题的人免去很多痛苦。
对于用户池:
resource "aws_cognito_user_pool" "pool" {
name = "Sample Pool"
/* ... Lots more attributes */
}
对于用户池客户端:
resource "aws_cognito_user_pool_client" "client" {
name = "client"
user_pool_id = aws_cognito_user_pool.pool.id
generate_secret = true
explicit_auth_flows = ["ADMIN_NO_SRP_AUTH"]
}
对于身份池:
resource "aws_cognito_identity_pool" "main" {
identity_pool_name = "SampleIdentities"
allow_unauthenticated_identities = false
cognito_identity_providers {
client_id = aws_cognito_user_pool_client.client.id
provider_name = aws_cognito_user_pool.pool.endpoint
server_side_token_check = true
}
}
将角色附加到身份池:
resource "aws_cognito_identity_pool_roles_attachment" "main" {
identity_pool_id = aws_cognito_identity_pool.main.id
roles = {
authenticated = aws_iam_role.auth_iam_role.arn
unauthenticated = aws_iam_role.unauth_iam_role.arn
}
}
最后,角色和政策:
resource "aws_iam_role" "auth_iam_role" {
name = "auth_iam_role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_iam_role" "unauth_iam_role" {
name = "unauth_iam_role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_iam_role_policy" "web_iam_unauth_role_policy" {
name = "web_iam_unauth_role_policy"
role = aws_iam_role.unauth_iam_role.id
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Action": "*",
"Effect": "Deny",
"Resource": "*"
}
]
}
EOF
}
注意:针对更新的 terraform 语言更改进行了编辑,不再需要引用周围的“${...}”
我一直在尝试创建一个 terraform 脚本来创建具有 linked auth 和 unauth 角色的 cognito 用户池和身份池,但我找不到这样做的好例子。这是我目前所拥有的:
cognito.tf:
resource "aws_cognito_user_pool" "pool" {
name = "Sample User Pool"
admin_create_user_config {
allow_admin_create_user_only = false
}
/* More stuff here, not included*/
}
resource "aws_cognito_user_pool_client" "client" {
name = "client"
user_pool_id = "${aws_cognito_user_pool.pool.id}"
generate_secret = true
explicit_auth_flows = ["ADMIN_NO_SRP_AUTH"]
}
resource "aws_cognito_identity_pool" "main" {
identity_pool_name = "SampleIdentityPool"
allow_unauthenticated_identities = false
cognito_identity_providers {
client_id = "${aws_cognito_user_pool_client.id}"
provider_name = ""
server_side_token_check = true
}
}
所以,我想为此添加一个 auth 角色和一个 unauth 角色,但我仍在努力思考如何在 terraform 中定义和 link IAM 角色,但这是我到目前为止:
resource "aws_cognito_identity_pool_roles_attachment" "main" {
identity_pool_id = "${aws_cognito_identity_pool.main.id}"
roles {
"authenticated" = <<EOF
{
actions = ["sts:AssumeRoleWithWebIdentity"]
principals {
type = "Federated"
identifiers = ["cognito-identity.amazonaws.com"]
}
condition {
test = "StringEquals"
variable = "cognito-identity.amazonaws.com:aud"
values = ["${aws_cognito_identity_pool.main.id}"]
}
condition {
test = "ForAnyValue:StringLike"
variable = "cognito-identity.amazonaws.com:amr"
values = ["authenticated"]
}
}
EOF
"unauthenticated" = <<EOF
{
actions = ["sts:AssumeRoleWithWebIdentity"]
principals {
type = "Federated"
identifiers = ["cognito-identity.amazonaws.com"]
}
condition {
test = "StringEquals"
variable = "cognito-identity.amazonaws.com:aud"
values = ["${aws_cognito_identity_pool.main.id}"]
}
}
EOF
}
}
然而,这不起作用。它正确地创建了池和客户端,但没有将任何内容附加到 auth/unauth 角色。我不知道我错过了什么,除了使用 AWS 控制台之外,我找不到任何如何正确执行此操作的示例。在 terraform 中正确解决这个问题的任何帮助将不胜感激!
折腾了几天,终于弄明白了。我只是对“担任角色政策”和“政策”感到困惑。一旦我解决了这个问题,它就奏效了。这是(大致)我现在拥有的。我会把它放在这里,希望它能让第一次尝试解决这个问题的人免去很多痛苦。
对于用户池:
resource "aws_cognito_user_pool" "pool" {
name = "Sample Pool"
/* ... Lots more attributes */
}
对于用户池客户端:
resource "aws_cognito_user_pool_client" "client" {
name = "client"
user_pool_id = aws_cognito_user_pool.pool.id
generate_secret = true
explicit_auth_flows = ["ADMIN_NO_SRP_AUTH"]
}
对于身份池:
resource "aws_cognito_identity_pool" "main" {
identity_pool_name = "SampleIdentities"
allow_unauthenticated_identities = false
cognito_identity_providers {
client_id = aws_cognito_user_pool_client.client.id
provider_name = aws_cognito_user_pool.pool.endpoint
server_side_token_check = true
}
}
将角色附加到身份池:
resource "aws_cognito_identity_pool_roles_attachment" "main" {
identity_pool_id = aws_cognito_identity_pool.main.id
roles = {
authenticated = aws_iam_role.auth_iam_role.arn
unauthenticated = aws_iam_role.unauth_iam_role.arn
}
}
最后,角色和政策:
resource "aws_iam_role" "auth_iam_role" {
name = "auth_iam_role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_iam_role" "unauth_iam_role" {
name = "unauth_iam_role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_iam_role_policy" "web_iam_unauth_role_policy" {
name = "web_iam_unauth_role_policy"
role = aws_iam_role.unauth_iam_role.id
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Action": "*",
"Effect": "Deny",
"Resource": "*"
}
]
}
EOF
}
注意:针对更新的 terraform 语言更改进行了编辑,不再需要引用周围的“${...}”