
Untitled

a guest
Jul 17th, 2019
  1. ##############THE ROLE FOR EACH GROUP
  2. resource "aws_iam_role" "iam_role_auth_prod" {
  3. name = "auth-kibana-prod-${terraform.workspace}"
  4. assume_role_policy = <<EOF
  5. {
  6. "Version": "2012-10-17",
  7. "Statement": [
  8. {
  9. "Effect": "Allow",
  10. "Principal": {
  11. "Federated": "cognito-identity.amazonaws.com"
  12. },
  13. "Action": "sts:AssumeRoleWithWebIdentity"
  14. }
  15. ]
  16. }
  17. EOF
  18. }
  19. resource "aws_iam_role" "iam_role_auth_dev" {
  20. name = "auth-kibana-dev-${terraform.workspace}"
  21. assume_role_policy = <<EOF
  22. {
  23. "Version": "2012-10-17",
  24. "Statement": [
  25. {
  26. "Effect": "Allow",
  27. "Principal": {
  28. "Federated": "cognito-identity.amazonaws.com"
  29. },
  30. "Action": "sts:AssumeRoleWithWebIdentity"
  31. }
  32. ]
  33. }
  34. EOF
  35. }
  36. ################## USER GROUPS WITH ATTACHED ROLES
  37. resource "aws_cognito_user_group" "cognito_user_group_auth_prod" {
  38. name = "auth-kibana-prod-${terraform.workspace}"
  39. user_pool_id = "${aws_cognito_user_pool.kibana.id}"
  40. description = "Managed by Terraform"
  41. precedence = 1
  42. role_arn = "${aws_iam_role.iam_role_auth_prod.arn}"
  43. }
  44. resource "aws_cognito_user_group" "cognito_user_group_auth_dev" {
  45. name = "auth-kibana-dev-${terraform.workspace}"
  46. user_pool_id = "${aws_cognito_user_pool.kibana.id}"
  47. description = "Managed by Terraform"
  48. precedence = 1
  49. role_arn = "${aws_iam_role.iam_role_auth_dev.arn}"
  50. }
  51. ######### CREATE USERPOOL AND IDENTITY POOL
  52. resource "aws_cognito_user_pool" "kibana" {
  53. name = "kibana user pool"
  54. auto_verified_attributes = ["email"]
  55. admin_create_user_config = {
  56. allow_admin_create_user_only = true
  57. }
  58. schema {
  59. attribute_data_type = "String"
  60. name = "email"
  61. required = true
  62. }
  63. lifecycle {
  64. ignore_changes = [
  65. "schema",
  66. ]
  67. }
  68. alias_attributes = ["email"]
  69. }
  70. resource "aws_cognito_user_pool_domain" "kibana" {
  71. domain = "glabs-kibana"
  72. user_pool_id = "${aws_cognito_user_pool.kibana.id}"
  73. lifecycle {
  74. ignore_changes = [
  75. "user_pool_id",
  76. ]
  77. }
  78. }
  79. resource "aws_cognito_identity_pool" "kibana" {
  80. identity_pool_name = "kibana pool"
  81. allow_unauthenticated_identities = false
  82. lifecycle {
  83. ignore_changes = [
  84. "cognito_identity_providers",
  85. ]
  86. }
  87. }