forked from oasys/terraform-aws-cloudfront-auth
-
Notifications
You must be signed in to change notification settings - Fork 0
/
build.tf
88 lines (82 loc) · 2.84 KB
/
build.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
# replace functionality of cloudfront-auth/build/build.js
# to allow running in environment without nodejs, such as terraform cloud
data "archive_file" "lambda" {
depends_on = [
null_resource.copy_files,
local_file.config,
local_file.private_key,
local_file.private_key,
]
type = "zip"
output_path = "${path.module}/lambda.zip"
source_dir = "${path.module}/lambda"
}
resource "null_resource" "copy_files" {
triggers = {
auth_provider = var.auth_provider
always_rebuild = var.always_rebuild ? timestamp() : false
}
provisioner "local-exec" {
command = "rm -rf ${path.module}/lambda && mkdir ${path.module}/lambda"
}
provisioner "local-exec" {
command = "cp -r ${path.module}/cloudfront-auth/node_modules ${path.module}/lambda/"
}
provisioner "local-exec" {
command = "cp ${path.module}/cloudfront-auth/nonce.js ${path.module}/lambda/"
}
provisioner "local-exec" {
command = "cp ${path.module}/cloudfront-auth/package.json ${path.module}/lambda/"
}
provisioner "local-exec" {
command = "cp ${path.module}/cloudfront-auth/package-lock.json ${path.module}/lambda/"
}
provisioner "local-exec" {
command = "cp ${path.module}/cloudfront-auth/authn/openid.index.js ${path.module}/lambda/index.js"
}
provisioner "local-exec" {
command = "cp ${path.module}/cloudfront-auth/authz/okta.js ${path.module}/lambda/auth.js"
}
}
resource "local_file" "private_key" {
depends_on = [null_resource.copy_files]
filename = "${path.module}/lambda/id_rsa"
sensitive_content = tls_private_key.keypair.private_key_pem
file_permission = "0600"
}
resource "local_file" "public_key" {
depends_on = [null_resource.copy_files]
filename = "${path.module}/lambda/id_rsa.pub"
content = tls_private_key.keypair.public_key_pem
file_permission = "0644"
}
resource "tls_private_key" "keypair" {
algorithm = "RSA"
rsa_bits = 4096
}
resource "local_file" "config" {
filename = "${path.module}/lambda/config.json"
sensitive_content = null_resource.copy_files.id > 0 ? jsonencode({
"AUTH_REQUEST" : {
"client_id" : var.client_id,
"response_type" : "code",
"scope" : "openid email",
"redirect_uri" : local.redirect_uri
},
"TOKEN_REQUEST" : {
"client_id" : var.client_id,
"client_secret" : var.client_secret,
"redirect_uri" : local.redirect_uri,
"grant_type" : "authorization_code"
},
"DISTRIBUTION" : var.hostname,
"AUTHN" : var.auth_provider,
"PRIVATE_KEY" : tls_private_key.keypair.private_key_pem,
"PUBLIC_KEY" : tls_private_key.keypair.public_key_pem,
"DISCOVERY_DOCUMENT" : "${var.base_url}/.well-known/openid-configuration",
"SESSION_DURATION" : var.session_duration * 60 * 60,
"BASE_URL" : var.base_url,
"CALLBACK_PATH" : "/_callback",
"AUTHZ" : var.auth_provider
}) : ""
}