Merge pull request #51 from mineiros-io/soerenmartius/add-support-for-token_validity_units

Add support for token validity units

Author: mariux

CHANGELOG.md

@@ -7,6 +7,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.8.0]
+
+### BREAKING
+
+- Minimum version of the aws provider has been bumped to `3.32.0` to enable 
+  support for `token_validity_units`
+
+### Added
+
+- Add support `token_validity_units`
+
 ## [0.7.0]
 
 ### Added
@@ -123,11 +134,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 <!-- markdown-link-check-disable -->
 
-[unreleased]: https://github.com/mineiros-io/terraform-aws-cognito-user-pool/compare/v0.7.0...HEAD
-[0.7.0]: https://github.com/mineiros-io/terraform-aws-cognito-user-pool/compare/v0.6.0...v0.7.0
+[unreleased]: https://github.com/mineiros-io/terraform-aws-cognito-user-pool/compare/v0.8.0...HEAD
+[0.8.0]: https://github.com/mineiros-io/terraform-aws-cognito-user-pool/compare/v0.7.0...v0.8.0
 
 <!-- markdown-link-check-enable -->
 
+[0.7.0]: https://github.com/mineiros-io/terraform-aws-cognito-user-pool/compare/v0.6.0...v0.7.0
 [0.6.0]: https://github.com/mineiros-io/terraform-aws-cognito-user-pool/compare/v0.5.0...v0.6.0
 [0.5.0]: https://github.com/mineiros-io/terraform-aws-cognito-user-pool/compare/v0.4.1...v0.5.0
 [0.4.1]: https://github.com/mineiros-io/terraform-aws-cognito-user-pool/compare/v0.4.0...v0.4.1

README.md

@@ -67,7 +67,7 @@ Most basic usage just setting required arguments:
 ```hcl
 module "terraform-aws-cognito-user-pool" {
   source  = "mineiros-io/cognito-user-pool/aws"
-  version = "~> 0.7.0"
+  version = "~> 0.8.0"
 
   name = "application-userpool"
 }
@@ -456,6 +456,10 @@ for details and use-cases.
   default_client_write_attributes                     = null
   default_client_explicit_auth_flows                  = null
   default_client_prevent_user_existence_errors        = null
+  default_client_access_token_validity                = null
+  default_client_id_token_validity                    = null
+  default_client_token_validity_units                 = null
+  default_client_enable_token_revocation              = null
   ```
 
 - **`default_client_callback_urls`**: *(Optional `list(string)`)*
@@ -510,6 +514,24 @@ for details and use-cases.
 
   Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the Cognito User Pool. When set to `ENABLED` and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to `LEGACY`, those APIs will return a `UserNotFoundException` exception if the user does not exist in the Cognito User Pool.
 
+- **`default_client_access_token_validity`**: *(Optional `number`)*
+
+  Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. 
+  This value will be overridden if you have entered a value in 'default_client_token_validity_units'.
+  
+- **`default_client_id_token_validity`**: *(Optional `number`)*
+
+  Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. 
+  This value will be overridden if you have entered a value in 'default_client_token_validity_units'.
+
+- **`default_client_token_validity_units`**: *(Optional `any`)*
+
+  Configuration block for units in which the validity times are represented in.
+
+- **`default_client_enable_token_revocation`**: *(Optional `bool`)*
+
+  Enables or disables token revocation.
+
 ## Module Attributes Reference
 
 The following attributes are exported by the module:

examples/complete/README.md

@@ -12,7 +12,7 @@ shows how to deploy a Cognito User Pool with custom settings.
 ```hcl
 module "cognito_user_pool" {
   source  = "mineiros-io/cognito-user-pool/aws"
-  version = "~> 0.7.0"
+  version = "~> 0.8.0"
 
   name = "complete-example-userpool"
 

examples/complete/main.tf

@@ -17,7 +17,7 @@ provider "aws" {
 
 module "cognito_user_pool" {
   source  = "mineiros-io/cognito-user-pool/aws"
-  version = "~> 0.7.0"
+  version = "~> 0.8.0"
 
   name = "complete-example-userpool"
 

examples/user-pool-with-default-settings/README.md

@@ -13,7 +13,7 @@ defined in the [variables.tf] file of this module.
 ```hcl
 module "cognito_user_pool" {
   source  = "mineiros-io/cognito-user-pool/aws"
-  version = "~> 0.7.0"
+  version = "~> 0.8.0"
 
   name = "example-userpool"
 }

examples/user-pool-with-default-settings/main.tf

@@ -18,7 +18,7 @@ provider "aws" {
 
 module "cognito_user_pool" {
   source  = "mineiros-io/cognito-user-pool/aws"
-  version = "~> 0.7.0"
+  version = "~> 0.8.0"
 
   name = "example-userpool"
 }

main.tf

@@ -202,6 +202,10 @@ locals {
       supported_identity_providers         = lookup(client, "supported_identity_providers", var.default_client_supported_identity_providers)
       prevent_user_existence_errors        = lookup(client, "prevent_user_existence_errors", var.default_client_prevent_user_existence_errors)
       write_attributes                     = lookup(client, "write_attributes", var.default_client_write_attributes)
+      access_token_validity                = lookup(client, "access_token_validity", var.default_client_access_token_validity)
+      id_token_validity                    = lookup(client, "id_token_validity", var.default_client_id_token_validity)
+      token_validity_units                 = lookup(client, "token_validity_units", var.default_client_token_validity_units)
+      enable_token_revocation              = lookup(client, "enable_token_revocation", var.default_client_enable_token_revocation)
     }
   }
 }
@@ -225,8 +229,20 @@ resource "aws_cognito_user_pool_client" "client" {
   prevent_user_existence_errors        = each.value.prevent_user_existence_errors
   user_pool_id                         = aws_cognito_user_pool.user_pool[0].id
   write_attributes                     = each.value.write_attributes
-}
+  access_token_validity                = each.value.access_token_validity
+  id_token_validity                    = each.value.id_token_validity
+
+  dynamic "token_validity_units" {
+    for_each = length(each.value.token_validity_units) > 0 ? [true] : []
 
+    content {
+      refresh_token = each.value.token_validity_units.refresh_token
+      access_token  = each.value.token_validity_units.access_token
+      id_token      = each.value.token_validity_units.id_token
+    }
+  }
+  enable_token_revocation = each.value.enable_token_revocation
+}
 resource "aws_cognito_user_pool_domain" "domain" {
   count = var.module_enabled && var.domain != null ? 1 : 0
 

variables.tf

@@ -160,6 +160,38 @@ variable "default_client_write_attributes" {
   default     = null
 }
 
+variable "default_client_access_token_validity" {
+  description = "(Optional) Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. This value will be overridden if you have entered a value in 'default_client_token_validity_units'."
+  type        = number
+  default     = null
+}
+
+variable "default_client_id_token_validity" {
+  description = "(Optional) Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. This value will be overridden if you have entered a value in 'default_client_token_validity_units'."
+  type        = number
+  default     = null
+}
+
+variable "default_client_token_validity_units" {
+  description = "(Optional) Configuration block for units in which the validity times are represented in."
+  type        = any
+  default     = null
+}
+
+# Example:
+#
+# default_client_token_validity_units = {
+#   refresh_token = "days"
+#   access_token  = "minutes"
+#   id_token      = "minutes"
+# }
+
+variable "default_client_enable_token_revocation" {
+  description = "(Optional) Enables or disables token revocation."
+  type        = bool
+  default     = null
+}
+
 variable "invite_email_subject" {
   type        = string
   description = "(Optional) The subject for email messages."

versions.tf

@@ -6,6 +6,6 @@ terraform {
   required_version = ">= 0.12.20, < 2.0"
 
   required_providers {
-    aws = ">= 3.19, < 4.0"
+    aws = ">= 3.32, < 4.0"
   }
 }