/terraform-aws-cloudfront-auth

Terraform module to build a website protected by OpenID authentication provider using a private S3 bucket fronted by Cloudfront and Lambda@Edge.

Primary LanguageJavaScriptGNU General Public License v3.0GPL-3.0

Terraform CloudFront Auth

Version: v1.0.2 License: GPL v3

Introduction

This module will build a website that is protected by an OpenId-compatible authentication provider. It will provision a private S3 bucket, Cloudfront, and deploy a customized Lambda function using Lambda@Edge.

Currently only OKTA is supported, but can easily be extended to support others (Google/Microsoft/GitHub/Auth0/Centrify).

Based on

This project uses the nodejs code from Widen for the Lambda function. Their repository includes a build.js script that interactively prompts for configuration items (client_id, client_secret, etc.) and builds the lambda zip file. This does not lend itself well to automation; this repository replaces that logic with build.tf and local-exec resources create the archive.

The Scale Factory team created the (now hibernating) terraform-cloudfront-auth project to allow passing environment variables to the Widen build.js script. Their project still requires executing the nodejs script, which does not work for environments where those dependencies are not available, such as a Terraform Cloud runner.

Caveats

The archive_file data source is used in this project. Terraform will always generate a plan to modify resources, even when a terraform apply will make no changes. This will generate false positives when terraform plan is run periodically to check for configuration drift.

Usage

data "aws_acm_certificate" "cert" {
  domain = "*.example.com"
}

module "cloudfront_okta" {
  source        = "oasys/cloudfront-auth/aws"
  version       = "1.0.2"
  hostname      = "www.example.com"
  acm_cert_arn  = data.aws_acm_certificate.cert.arn
  auth_provider = "OKTA"
  client_id     = okta_app_oauth.www.client_id
  client_secret = okta_app_oauth.www.client_secret
  redirect_uri  = "https://www.example.com/_callback"
  base_url      = "https://example.okta.com"
  deploy_arn    = var.deploy_arn
}

A more comprehensive example is included in the example/ directory.

Inputs

Name Description Type Default Required
acm_cert_arn ARN of AWS Certificate Manager certificate for website. string n/a yes
aliases List of any aliases (CNAMEs) for the website. list(string) [] no
always_rebuild Always create new lambda zip source directory. Useful for environments, such as Terraform Cloud, where the terraform runner does not preserve local disk contents. bool true no
auth_provider Authentication provider. Currently only 'OKTA' is supported. string "OKTA" no
base_url The base_url or Org URL of the authentication provider. string n/a yes
client_id The client_id from authentication provider. string n/a yes
client_secret The client_secret from authentication provider. string n/a yes
deploy_arn (Optional) IAM user to give permissions to update site (via s3 bucket). string null no
hostname Hostname of the managed website. string n/a yes
redirect_uri The URI to redirect users to after successful login. Defaults to /_callback on hostname. string null no
s3_bucket_name Name of website S3 bucket. Must be globally unique. Defaults to hostname. string null no
session_duration Length of time session will be valid. number 24 no
tags Common tags for created resources map(any) {} no

Outputs

Name Description
cloudfront_distribution CloudFront distribution
lambda_function Lambda function
s3_bucket S3 bucket

License

This project is licensed under the GNU GPLv3. Please use and change to suit your needs.

This repository includes the source from Widen's cloudfront-auth project and its dependencies, compliant with the project's license.