From 6049d680d8a3a39020cc0fea47058c28da093a7b Mon Sep 17 00:00:00 2001
From: tylerthome
Date: Wed, 16 Oct 2024 22:43:39 -0700
Subject: [PATCH] managed clientid for google oauth

---
 .../home-unite-us/dev/cognito.tf | 32 +++++++++++++------
 1 file changed, 22 insertions(+), 10 deletions(-)

diff --git a/terraform-incubator/home-unite-us/dev/cognito.tf b/terraform-incubator/home-unite-us/dev/cognito.tf
index 4a4371f..046c040 100644
--- a/terraform-incubator/home-unite-us/dev/cognito.tf
+++ b/terraform-incubator/home-unite-us/dev/cognito.tf
@@ -181,16 +181,16 @@ resource "aws_cognito_user_pool_domain" "homeuniteus" {
 }
-### TODO: discuss secrets injection and Google integration with devops team
-# resource "aws_cognito_identity_provider" "example_provider" {
+# ### TODO: discuss secrets injection and Google integration with devops team
+# resource "aws_cognito_identity_provider" "google_client" {
 # user_pool_id = aws_cognito_user_pool.example.id
 # provider_name = "Google"
 # provider_type = "Google"
 # provider_details = {
-# authorize_scopes = "email"
+# authorize_scopes = "email profile openid"
 # client_id = "your client_id"
-# client_secret = "your client_secret"
+ # client_secret = data.aws_secretsmanager_secret_version.google_client.secret_string
 # }
 # attribute_mapping = {
@@ -334,12 +334,8 @@ resource "aws_secretsmanager_secret_policy" "cognito_client" {
 }
-resource "aws_secretsmanager_secret" "google_client" {
- name = "homeuniteus-google-client"
- }
-
-data "aws_iam_policy_document" "google_client" {
+data "aws_iam_policy_document" "admin_manage_secrets" {
 statement {
 sid = "EnableAdminUserToManageTheSecret"
 effect = "Allow"
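Review bot: Every changed line in the first hunk sits inside the commented-out `aws_cognito_identity_provider` block, so the new `authorize_scopes` value and the `client_secret` reference take no effect until the block is uncommented, and the commit message should not suggest the provider is wired up. `client_id` is still the literal placeholder `"your client_id"` even though this commit creates a `google_client_id` secret for it; when the provider is enabled it should be read the same way as the secret, e.g. `client_id = data.aws_secretsmanager_secret_version.google_client_id.secret_string` backed by a matching data source (constructed name, to be aligned with the resource naming). The new `client_secret` line is also indented with a leading space before `#`, unlike the surrounding comment lines. The commented block continues past the end of the hunk.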
@@ -354,8 +350,24 @@ data "aws_iam_policy_document" "google_client" {
 }
 }
+resource "aws_secretsmanager_secret" "google_client_id" {
+ name = "homeuniteus-google-clientid"
+}
 resource "aws_secretsmanager_secret_policy" "google_client" {
 secret_arn = aws_secretsmanager_secret.google_client.arn
- policy = data.aws_iam_policy_document.google_client.json
+ policy = data.aws_iam_policy_document.admin_manage_secrets.json
+}
+
+data "aws_secretsmanager_secret_version" "google_client" {
+ secret_id = aws_secretsmanager_secret.google_client.id
+}
+
+resource "aws_secretsmanager_secret" "google_secret" {
+ name = "homeuniteus-google-secret"
+}
+
+resource "aws_secretsmanager_secret_policy" "google_secret" {
+ secret_arn = aws_secretsmanager_secret.google_secret.arn
+ policy = data.aws_iam_policy_document.admin_manage_secrets.json
 }
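Review bot: `aws_secretsmanager_secret.google_client` is removed by the second hunk, yet the kept `secret_arn` line of the `google_client` policy and the new `data "aws_secretsmanager_secret_version" "google_client"` both still reference it, so `terraform plan` will fail with an undeclared-resource error. The policy presumably belongs to the new `google_client_id` secret (`secret_arn = aws_secretsmanager_secret.google_client_id.arn`), and since the first hunk feeds this data source's `secret_string` into `client_secret`, it presumably should read the secret rather than the client id (`secret_id = aws_secretsmanager_secret.google_secret.id`). Note that `aws_secretsmanager_secret_version` copies the plaintext value into Terraform state, so the state backend must be encrypted and access-restricted, and the lookup errors until a version has actually been stored for that secret, which nothing in this diff does. Dropping the old `google_client` resource also schedules deletion of the existing `homeuniteus-google-client` secret on apply; if it already holds a value, a `moved` block or `terraform state mv` to `google_client_id` would preserve it.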