Merge pull request #60 from mineiros-io/soerenmartius/resource-server

Add support for resource server

Author: soerenmartius

CHANGELOG.md

@@ -7,9 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.9.1]
+
 ### Added
 
 - Add support for `module_tags`
+- Implement support for resource servers through the
+  `aws_cognito_resource_server` resource
 
 ## [0.9.0]
 
@@ -150,11 +154,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 <!-- markdown-link-check-disable -->
 
-[unreleased]: https://github.com/mineiros-io/terraform-aws-cognito-user-pool/compare/v0.9.0...HEAD
-[0.9.0]: https://github.com/mineiros-io/terraform-aws-cognito-user-pool/compare/v0.8.0...v0.9.0
+[unreleased]: https://github.com/mineiros-io/terraform-aws-cognito-user-pool/compare/v0.9.1...HEAD
+[0.9.1]: https://github.com/mineiros-io/terraform-aws-cognito-user-pool/compare/v0.9.0...v0.9.1
 
 <!-- markdown-link-check-enable -->
 
+[0.9.0]: https://github.com/mineiros-io/terraform-aws-cognito-user-pool/compare/v0.8.0...v0.9.0
 [0.8.0]: https://github.com/mineiros-io/terraform-aws-cognito-user-pool/compare/v0.7.0...v0.8.0
 [0.7.0]: https://github.com/mineiros-io/terraform-aws-cognito-user-pool/compare/v0.6.0...v0.7.0
 [0.6.0]: https://github.com/mineiros-io/terraform-aws-cognito-user-pool/compare/v0.5.0...v0.6.0

README.md

@@ -55,10 +55,10 @@ pre-configured.
   Create a Cognito User Pool with pre-configured best practices.
   Create Cognito User Pool Clients.
   Create a Cognito User Pool Domain.
+  Create Cognito User Pool Resource Servers as associated scopes.
 
 - *Features not yet implemented*:
   [`cognito_user_group`](https://www.terraform.io/docs/providers/aws/r/cognito_user_group.html)
-  [`cognito_resource_server`](https://www.terraform.io/docs/providers/aws/r/cognito_resource_server.html)
 
 ## Getting Started
 
@@ -424,6 +424,36 @@ for details and use-cases.
   The ARN of an ISSUED ACM certificate in us-east-1 for a custom domain.
   Default is not to use a custom domain.
 
+#### Cognito User Pool Resource Servers
+
+- **`resource_servers`**: *(Optional `list(resource_server)`)
+
+  A list of objects with resource server declarations.
+  Default is []
+
+  **Example:**
+
+  A resource server declaration with scopes. For details see the [Terraform AWS Cognito Resource Server Docs]
+
+  ```hcl
+  resource_servers = [
+    {
+      identifier = "https://api.resourceserver.com"
+      name       = "API"
+      scopes     = [
+        {
+          scope_name = "users:read"
+          scope_description = "Read user data"
+        },
+        {
+          scope_name = "users:write"
+          scope_description = "Write user data"
+        }
+      ]
+    }
+  ]
+  ```
+
 #### Cognito User Pool Clients
 
 - **`clients`**: *(Optional `list(client)`)*
@@ -660,3 +690,4 @@ Copyright © 2020 [Mineiros GmbH][homepage]
 [Cognito User Pools]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html
 [attributes docs]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html
 [Terraform AWS Cognito User Pool Client Docs]: https://www.terraform.io/docs/providers/aws/r/cognito_user_pool_client.html
+[Terraform AWS Cognito Resource Server Docs]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_resource_server

main.tf

@@ -243,6 +243,10 @@ resource "aws_cognito_user_pool_client" "client" {
   }
 
   enable_token_revocation = each.value.enable_token_revocation
+
+  depends_on = [
+    aws_cognito_resource_server.resource_server
+  ]
 }
 
 resource "aws_cognito_user_pool_domain" "domain" {

resource-server.tf

@@ -0,0 +1,15 @@
+resource "aws_cognito_resource_server" "resource_server" {
+  for_each     = var.module_enabled ? { for resource in var.resource_servers : resource.identifier => resource } : {}
+  identifier   = each.value.identifier
+  name         = try(each.value.name, null)
+  user_pool_id = aws_cognito_user_pool.user_pool[0].id
+
+  dynamic "scope" {
+    for_each = try(each.value.scopes, [])
+
+    content {
+      scope_name        = scope.value.scope_name
+      scope_description = scope.value.scope_description
+    }
+  }
+}

test/unit-complete/main.tf

@@ -45,6 +45,23 @@ module "test" {
     }
   ]
 
+  resource_servers = [
+    {
+      identifier = "https://api.resourceserver.com"
+      name       = "API"
+      scopes = [
+        {
+          scope_name        = "users:read",
+          scope_description = "Read user data"
+        },
+        {
+          scope_name        = "users:write"
+          scope_description = "Write user data"
+        }
+      ]
+    }
+  ]
+
   # add most/all other optional arguments
 
   enable_username_case_sensitivity = false

variables.tf

@@ -45,6 +45,35 @@ variable "allow_admin_create_user_only" {
   default     = true
 }
 
+variable "resource_servers" {
+  description = "(Optional) A list of objects with resource server definitions."
+  type        = any
+
+  # Declare resource servers and associated custom scopes
+  # For details please see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_resource_server
+  #
+  # Example:
+  #
+  # resource_servers = [
+  #   {
+  #     identifier = "https://api.resourceserver.com"
+  #     name       = "API"
+  #     scopes     = [
+  #       {
+  #         scope_name        = "users:read"
+  #         scope_description = "Read user data"
+  #       },
+  #       {
+  #         scope_name        = "users:write"
+  #         scope_description = "Write user data"
+  #       }
+  #     ]
+  #   }
+  # ]
+
+  default = []
+}
+
 variable "clients" {
   description = "(Optional) A list of objects with the clients definitions."
   type        = any