Putting Cognito authentication in front of an ALB (Terraform)
Points
Traffic from the ALB to Cognito on port 443 must be allowed (the ALB calls Cognito during the authentication flow)
For now, egress 443 to anywhere in the ALB's security group is fine
Substitute the variables below as appropriate
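The security-group side of the point above, as an added example that is not part of the original note: the ALB gets the HTTPS egress it needs to reach Cognito, its egress is otherwise limited to the application port, and the targets accept traffic only from the ALB so the authenticate action cannot be skipped by reaching an instance directly. `aws_vpc.main`, `var.app_port`, `var.project`, `var.environment` and the `web` security group name are assumptions.

```hcl
# Added example, not from the original note. Assumed names: aws_vpc.main, var.app_port,
# var.project, var.environment, aws_security_group.web.

resource "aws_security_group" "alb" {
  name        = "${var.project}-alb-${var.environment}"
  description = "ALB: HTTPS from clients, HTTPS out to Cognito, app port out to targets"
  vpc_id      = aws_vpc.main.id
}

# clients reach the ALB over HTTPS
resource "aws_security_group_rule" "alb_ingress_https" {
  type              = "ingress"
  security_group_id = aws_security_group.alb.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

# the authenticate-cognito action makes the ALB call the user pool endpoints over
# port 443; without this egress rule the login flow fails after the redirect back
# from the hosted UI. Cognito endpoints are public, so there is no fixed CIDR to pin.
resource "aws_security_group_rule" "alb_egress_cognito" {
  type              = "egress"
  security_group_id = aws_security_group.alb.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "HTTPS to Cognito"
}

# egress to the targets only on the application port, instead of "all traffic"
resource "aws_security_group_rule" "alb_egress_targets" {
  type                     = "egress"
  security_group_id        = aws_security_group.alb.id
  from_port                = var.app_port
  to_port                  = var.app_port
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.web.id
}

# targets accept traffic only from the ALB security group, so every request to the
# application has passed through the listener rule that enforces Cognito authentication
resource "aws_security_group" "web" {
  name   = "${var.project}-web-${var.environment}"
  vpc_id = aws_vpc.main.id
}

resource "aws_security_group_rule" "web_ingress_from_alb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.web.id
  from_port                = var.app_port
  to_port                  = var.app_port
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb.id
}
```

Attach `aws_security_group.alb` to the load balancer and `aws_security_group.web` to the instances or tasks behind `aws_lb_target_group.web`; the egress rule to anywhere on 443 is the minimum the authentication flow needs, and it is what the note means by "egress 443 anywhere is fine for now".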
code:hcl
 # admin console user pool
 module "aws_cognito_user_pool_admin_console" {
   source = "lgallard/cognito-user-pool/aws"

   user_pool_name = "${var.project}-admin-console-pool-${var.environment}"
   domain         = "my-project" # hosted UI domain prefix; must be unique within the region

   admin_create_user_config = {
     email_message = <<EOF
 {username} さん, あなたの仮パスワードは {####} です
 EOF
   }

   password_policy = {
     minimum_length                   = 8
     require_lowercase                = false
     require_numbers                  = false
     require_symbols                  = false
     require_uppercase                = false
     temporary_password_validity_days = 30
   }

   recovery_mechanisms = [
     {
       name     = "verified_email"
       priority = 1
     },
     {
       name     = "verified_phone_number"
       priority = 2
     }
   ]

   clients = [
     {
       name                                 = "manager-users"
       generate_secret                      = true
       allowed_oauth_flows_user_pool_client = true
       # the ALB uses the authorization code grant and requires the openid scope
       allowed_oauth_flows          = ["code"]
       allowed_oauth_scopes         = ["openid"]
       supported_identity_providers = ["COGNITO"]
       # the ALB callback endpoint must be registered; default_redirect_uri has to be one of callback_urls
       callback_urls        = ["https://<ALB DNS name or CNAME pointing at the ALB>/oauth2/idpresponse"]
       default_redirect_uri = "https://<ALB DNS name or CNAME pointing at the ALB>/oauth2/idpresponse"
     }
   ]

   tags = {
     Environment = var.environment
     Terraform   = true
   }
 }

 # alb rule
 resource "aws_lb_listener_rule" "admin_console" {
   listener_arn = aws_lb_listener.web.arn
   priority     = 100

   # first action: send unauthenticated requests to the Cognito hosted UI
   action {
     type = "authenticate-cognito"
     authenticate_cognito {
       user_pool_arn       = module.aws_cognito_user_pool_admin_console.arn
       user_pool_client_id = module.aws_cognito_user_pool_admin_console.client_ids[0]
       user_pool_domain    = "my-project.auth.<your_region>.amazoncognito.com"
     }
   }

   # second action: forward requests that carry a valid session to the target group
   action {
     type             = "forward"
     target_group_arn = aws_lb_target_group.web.arn
   }

   condition {
     path_pattern {
       values = ["/admin/*"] # placeholder: the path prefix to protect (not given in the original note)
     }
   }
 }
A temporary password is sent to the user when they are registered in the user pool
Users are managed from the user pool (password reset, disabling, etc.)