/terraform-aws-lambda-at-edge-cognito-authentication

Terraform module to create a Lambda@Edge for fronting a Cloudfront Distribution with authentication through Cognito user pools.

Primary LanguageHCLOtherNOASSERTION

terraform-aws-lambda-at-edge-cognito-authentication

This terraform module creates a Lambda@Edge Lambda to be used within a viewer policy of a CloudFront Distribution to enforce Cognito Authentication through a configured Cognito User Pool.

How it Works

Sequence Diagram

Requirements

  • Terraform version >= 1.0.X
  • NodeJS + NPM (compatible with NodeJS 18.X.X)
    • Used for npm ci dependency installation for Lambda@Edge Bundle.
  • Terraform AWS Provider in us-east-1
    • Requirement for CloudFront + Lambda@Edge runtime.
  • Existing Cognito User Pool and User Pool Client.

Usage

To use this module, source it into one your Terraform project like so:

data "aws_cognito_user_pools" "user_pool" {
  name     = "my_cognito_pool_name"
}

resource "aws_cognito_user_pool_client" "cognito_client" {
  ...
}

module "cloudfront_cognito_auth_lambda" {
  source    = "git::https://github.com/disney/terraform-aws-lambda-at-edge-cognito-authentication.git?ref=<version-ref>"
  name                                      = "my-application"
  cognito_user_pool_name                    = data.aws_cognito_user_pools.user_pool.name
  cognito_user_pool_region                  = "us-east-1"
  cognito_user_pool_id                      = aws_cognito_user_pool_client.cognito_client.user_pool_id
  cognito_user_pool_app_client_id           = aws_cognito_user_pool_client.cognito_client.id

  tags = { foo = "bar" }
}

You can use the output of this module to pass as a rule on your CloudFront distribution cache on viewer-requests (typically on an S3 Bucket Origin with an OAI).

resource "aws_cloudfront_distribution" "my_cloudfront_distribution" {
  ...

  ordered_cache_behavior {
    ...
    lambda_function_association {
      event_type   = "viewer-request"
      lambda_arn   = module.cloudfront_cognito_auth_lambda.qualified_arn
    }
  }
}

Lambda@Edge Destroy Issue

Note that if a destroy action is performed on this terraform module, terraform is unable to delete the Lambda@Edge that was published as a part of this infrastructure (This is noted by this issue on the Terraform provider). It will only be removed from the terraform state as the skip_destroy flag is set to true.

In order to properly delete this resource, it should be manually cleaned up, instructions here.

Requirements

Name Version
terraform ~> 1.0
aws >= 4.57

Providers

Name Version
archive 2.4.0
aws 5.26.0
null 3.2.2

Modules

No modules.

Resources

Name Type
aws_iam_role.lambda_at_edge resource
aws_kms_key.ssm_kms_key resource
aws_lambda_function.cloudfront_auth_edge resource
aws_ssm_parameter.lambda_configuration_parameters resource
null_resource.install_lambda_dependencies resource
archive_file.lambda_edge_bundle data source
aws_caller_identity.current data source
aws_iam_policy_document.allow_lambda_service_assume data source
aws_region.current data source

Inputs

Name Description Type Default Required
cognito_additional_settings Map of any to configure any additional cognito@edge parameters not handled by this module. any {} no
cognito_cookie_expiration_days Number of days to keep the cognito cookie valid. number 7 no
cognito_disable_cookie_domain Sets domain attribute in cookies, defaults to false. bool false no
cognito_log_level Logging level. Default: 'silent' string "silent" no
cognito_redirect_path Optional path to redirect to after a successful cognito login. string "" no
cognito_user_pool_app_client_id Cognito User Pool App Client ID for the targeted user pool. string n/a yes
cognito_user_pool_app_client_secret Cognito User Pool App Client Secret for the targeted user pool. NOTE: This is currently not compatible with AppSync applications. string null no
cognito_user_pool_domain Optional: Full Domain of the Cognito User Pool to utilize. Mutually exclusive with 'cognito_user_pool_name'. string "" no
cognito_user_pool_id Cognito User Pool ID for the targeted user pool. string n/a yes
cognito_user_pool_name Name of the Cognito User Pool to utilize. Required if 'cognito_user_pool_domain' is not set. string "" no
cognito_user_pool_region AWS region where the cognito user pool was created. string "us-west-2" no
lambda_runtime Lambda runtime to utilize for Lambda@Edge. string "nodejs20.x" no
lambda_timeout Amount of timeout in seconds to set on for Lambda@Edge. number 5 no
name Name to prefix on all infrastructure created by this module. string n/a yes
tags Map of tags to attach to all AWS resources created by this module. map(string) {} no

Outputs

Name Description
arn ARN for the Lambda@Edge created by this module.
qualified_arn Qualified ARN for the Lambda@Edge created by this module.