feat: add Cognito auth for UI

CommanderK5 · CommanderK5 · commit 7d8bb67e120f · 2023-07-06T13:57:50.000+02:00
diff --git a/modules/ui/ec2.tf b/modules/ui/ec2.tf
@@ -120,6 +120,18 @@ resource "aws_lb_listener" "this" {
 
   certificate_arn = var.certificate_arn
 
+  dynamic "default_action" {
+    for_each = local.authenticate_cognito
+    content {
+      type = "authenticate-cognito"
+      authenticate_cognito {
+        user_pool_arn       = lookup(authenticate_cognito.value, "user_pool_arn", null)
+        user_pool_client_id = lookup(authenticate_cognito.value, "user_pool_client_id", null)
+        user_pool_domain    = lookup(authenticate_cognito.value, "user_pool_domain", null)
+      }
+    }
+  }
+
   default_action {
     type             = "forward"
     target_group_arn = aws_lb_target_group.ui_static.id
@@ -131,6 +143,18 @@ resource "aws_lb_listener_rule" "ui_backend" {
   listener_arn = aws_lb_listener.this.arn
   priority     = 1
 
+  dynamic "action" {
+    for_each = local.authenticate_cognito
+    content {
+      type = "authenticate-cognito"
+      authenticate_cognito {
+        user_pool_arn       = lookup(authenticate_cognito.value, "user_pool_arn", null)
+        user_pool_client_id = lookup(authenticate_cognito.value, "user_pool_client_id", null)
+        user_pool_domain    = lookup(authenticate_cognito.value, "user_pool_domain", null)
+      }
+    }
+  }
+
   action {
     type             = "forward"
     target_group_arn = aws_lb_target_group.ui_backend.arn
diff --git a/modules/ui/locals.tf b/modules/ui/locals.tf
@@ -37,4 +37,16 @@ locals {
     module.metaflow-common.default_metadata_service_container_image :
     var.ui_backend_container_image
   )
+
+  authenticate_cognito = var.authenticate_with_cognito ? [
+    {
+      type             = "authenticate-cognito"
+      target_group_arn = null
+      authenticate_cognito = {
+        user_pool_arn       = var.cognito.user_pool_arn
+        user_pool_client_id = var.cognito.user_pool_client_id
+        user_pool_domain    = var.cognito.user_pool_domain
+      }
+    }
+  ] : []
 }
diff --git a/modules/ui/variables.tf b/modules/ui/variables.tf
@@ -126,3 +126,19 @@ variable "alb_internal" {
   description = "Defines whether the ALB is internal"
   default     = false
 }
+
+variable "authenticate_with_cognito" {
+  type        = bool
+  description = "Enable ALB Cognito authentication"
+  default     = false
+}
+
+variable "cognito" {
+  type        = map(string)
+  description = "Cognito configuration"
+  default = {
+    user_pool_arn       = ""
+    user_pool_client_id = ""
+    user_pool_domain    = ""
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -176,3 +176,19 @@ variable "force_destroy_s3_bucket" {
   description = "Empty S3 bucket before destroying via terraform destroy"
   default     = false
 }
+
+variable "authenticate_with_cognito" {
+  type        = bool
+  description = "Enable Cognito authentication for the UI ALB"
+  default     = false
+}
+
+variable "cognito" {
+  type        = map(string)
+  description = "Cognito configuration"
+  default = {
+    user_pool_arn       = ""
+    user_pool_client_id = ""
+    user_pool_domain    = ""
+  }
+}
