This module will build a website that is protected by an OpenID-compatible authentication provider. It will provision a private S3 bucket and a CloudFront distribution, and deploy a customized Lambda function using Lambda@Edge.
Currently only OKTA is supported, but the module can easily be extended to support others (Google/Microsoft/GitHub/Auth0/Centrify).
This project uses the nodejs code from Widen for the Lambda function. Their repository includes a build.js script that interactively prompts for configuration items (client_id, client_secret, etc.) and builds the lambda zip file. This does not lend itself well to automation; this repository replaces that logic with build.tf and local-exec resources that create the archive.
The Scale Factory team created the (now hibernating) terraform-cloudfront-auth project to allow passing environment variables to the Widen build.js script. Their project still requires executing the nodejs script, which does not work in environments where those dependencies are not available, such as a Terraform Cloud runner.
Because this project uses the archive_file data source, Terraform will always generate a plan to modify resources, even when a terraform apply will make no changes. This generates false positives when terraform plan is run periodically to check for configuration drift.
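The build step and the archive_file behaviour described above, as an added illustration that is not this module's own build.tf: the provider settings are rendered into the Lambda source tree by a local-exec provisioner (passing the secret through the provisioner's environment rather than the command string), the tree is zipped with archive_file, and the result is published as a Lambda@Edge function. The directory path, config key names, role name and runtime are assumptions for this example; the key names the Widen code actually reads are not shown on this page.

```hcl
# Secret inputs are marked sensitive so they are redacted from plan output.
# They are still stored in state and inside the built zip, so protect both.
variable "client_secret" {
  type      = string
  sensitive = true
}

locals {
  src_dir = "${path.module}/lambda-src" # assumed checkout of the Widen code
  # Assumed config keys; constructed values for the example.
  config = {
    AUTH_PROVIDER    = "OKTA"
    BASE_URL         = "https://example.okta.com"
    CLIENT_ID        = "0oa-example-client-id"
    CLIENT_SECRET    = var.client_secret
    REDIRECT_URI     = "https://www.example.com/_callback"
    SESSION_DURATION = 24
  }
}

# Write config.json without running node. The trigger hash re-runs the
# provisioner only when an input changes.
resource "null_resource" "build" {
  triggers = {
    config_hash = sha256(jsonencode(local.config))
  }

  provisioner "local-exec" {
    # The JSON (and the secret in it) goes via the environment, not the
    # command line, so it is not exposed through shell quoting or argv.
    environment = {
      CONFIG = jsonencode(local.config)
    }
    command = "printf '%s' \"$CONFIG\" > '${local.src_dir}/config.json'"
  }
}

# archive_file is re-evaluated on every plan (and deferred to apply time by
# the depends_on), which is what produces the perpetual "update" diff.
data "archive_file" "lambda" {
  type        = "zip"
  source_dir  = local.src_dir
  output_path = "${path.module}/lambda.zip"

  depends_on = [null_resource.build]
}

# Lambda@Edge requires a trust policy for both lambda and edgelambda.
resource "aws_iam_role" "lambda_edge" {
  name = "cloudfront-auth-edge" # assumed name

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = {
        Service = ["lambda.amazonaws.com", "edgelambda.amazonaws.com"]
      }
    }]
  })
}

resource "aws_lambda_function" "auth" {
  provider         = aws.us_east_1 # Lambda@Edge functions must be created in us-east-1
  function_name    = "cloudfront-auth"
  role             = aws_iam_role.lambda_edge.arn
  handler          = "index.handler"
  runtime          = "nodejs18.x" # assumed; any runtime Lambda@Edge supports
  publish          = true # CloudFront associates a published version, not $LATEST
  filename         = data.archive_file.lambda.output_path
  source_code_hash = data.archive_file.lambda.output_base64sha256
}
```

Because source_code_hash follows the archive, the function only actually redeploys when the zip content changes; the spurious plan diff comes from the data source itself, not from the Lambda resource.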
```hcl
# Look up an existing wildcard certificate. CloudFront only accepts ACM
# certificates issued in us-east-1, so this lookup must run in that region.
data "aws_acm_certificate" "cert" {
  domain = "*.example.com"
}

module "cloudfront_okta" {
  source  = "oasys/cloudfront-auth/aws"
  version = "1.0.2"

  hostname      = "www.example.com"
  acm_cert_arn  = data.aws_acm_certificate.cert.arn
  auth_provider = "OKTA"

  # Client credentials taken from the Okta OAuth app resource
  client_id     = okta_app_oauth.www.client_id
  client_secret = okta_app_oauth.www.client_secret
  redirect_uri  = "https://www.example.com/_callback"
  base_url      = "https://example.okta.com"

  # Optional: IAM user allowed to publish site content to the bucket
  deploy_arn    = var.deploy_arn
}
```
A more comprehensive example is included in the example/ directory.
Name | Description | Type | Default | Required |
---|---|---|---|---|
acm_cert_arn | ARN of AWS Certificate Manager certificate for website. | string | n/a | yes |
aliases | List of any aliases (CNAMEs) for the website. | list(string) | [] | no |
always_rebuild | Always create new lambda zip source directory. Useful for environments, such as Terraform Cloud, where the terraform runner does not preserve local disk contents. | bool | true | no |
auth_provider | Authentication provider. Currently only 'OKTA' is supported. | string | "OKTA" | no |
base_url | The base_url or Org URL of the authentication provider. | string | n/a | yes |
client_id | The client_id from the authentication provider. | string | n/a | yes |
client_secret | The client_secret from the authentication provider. | string | n/a | yes |
deploy_arn | (Optional) IAM user to give permissions to update the site (via the S3 bucket). | string | null | no |
hostname | Hostname of the managed website. | string | n/a | yes |
redirect_uri | The URI to redirect users to after successful login. Defaults to /_callback on hostname. | string | null | no |
s3_bucket_name | Name of website S3 bucket. Must be globally unique. Defaults to hostname. | string | null | no |
session_duration | Length of time the session will be valid. | number | 24 | no |
tags | Common tags for created resources. | map(any) | {} | no |
Name | Description |
---|---|
cloudfront_distribution | CloudFront distribution |
lambda_function | Lambda function |
s3_bucket | S3 bucket |
This project is licensed under the GNU GPLv3. Please use and change to suit your needs.
This repository includes the source from Widen's cloudfront-auth project and its dependencies, compliant with the project's license.