diff --git a/main.tf b/main.tf
index 833d2a3..69a8950 100755
--- a/main.tf
+++ b/main.tf
@@ -138,10 +138,10 @@ resource "aws_cognito_user_pool" "this" {
 }
 dynamic "sms_configuration" {
- for_each = coalesce(var.sms_config.sns_caller_arn, "__UNSET__") != "__UNSET__" ? [true] : []
+ for_each = var.sms_config.enabled ? [true] : []
 content {
 external_id = var.sms_config.external_id
- sns_caller_arn = var.sms_config.sns_caller_arn
+ sns_caller_arn = coalesce(var.sms_config.sns_caller_arn, aws_iam_role.sms.arn)
 }
 }
@@ -161,3 +161,52 @@ resource "aws_cognito_user_pool" "this" {
 tags = module.cognito_userpool_label.tags
 }
+
+# ---------------------------------------------------------------------- iam ---
+
+module "cognito_userpool_sms_label" {
+ source = "cloudposse/label/null"
+ version = "0.25.0"
+
+ attattributes = "sms"
+ context = module.cognito_userpool_label.context
+}
+
+resource "random_uuid" "sms_role_external_id" {}
+
+data "aws_iam_policy_document" "sms" {
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "sns:publish",
+ ]
+
+ resources = [
+ "*",
+ ]
+ }
+}
+
+resource "aws_iam_role" "sms" {
+ count = local.enabled ? 1 : 0
+
+ name = module.component.id
+ description = ""
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [{
+ Effect = "Allow"
+ Principal = { "Service" : "cognito-idp.amazonaws.com" }
+ Action = ["sts:AssumeRole", "sts:TagSession"]
+ condition = { "StringEquals" = { "sts:ExternalId" = random_uuid.sms_role_external_id.result } }
+ }]
+ })
+
+ inline_policy {
+ name = "access"
+ policy = data.aws_iam_policy_document.sms.json
+ }
+
+ tags = module.cognito_userpool_sms_label.tags
+}
diff --git a/variables.tf b/variables.tf
index 2f6490c..f6650f4 100755
--- a/variables.tf
+++ b/variables.tf
@@ -154,6 +154,7 @@ variable "recovery_mechanisms" {
 variable "sms_config" {
 type = object({
+ enabled = optional(bool, false)
 external_id = optional(string, "")
 sns_caller_arn = optional(string, "")
 })
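Review bot: `aws_iam_role.sms` is declared with `count` further down this same diff, so the new `sns_caller_arn = coalesce(var.sms_config.sns_caller_arn, aws_iam_role.sms.arn)` line will not plan — a counted resource must be indexed, e.g. `sns_caller_arn = coalesce(var.sms_config.sns_caller_arn, one(aws_iam_role.sms[*].arn))`, where `one()` yields null instead of an index error when the role is not created. The untouched `external_id` line now has to agree with whichever role is selected: the module-managed role's trust policy keys on `random_uuid.sms_role_external_id.result`, while `var.sms_config.external_id` defaults to `""`, so Cognito's AssumeRole would be denied for the default path; `external_id = coalesce(var.sms_config.external_id, random_uuid.sms_role_external_id.result)` keeps the two in step. Note that when both inputs are empty and the role count is 0, `coalesce` itself fails with "no non-null, non-empty-string arguments" — probably the right failure mode, but worth a one-line comment so the error is recognisable. The enclosing `resource "aws_cognito_user_pool" "this"` block starts before and ends after this hunk.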
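Review bot: The trust policy's condition key on the `assume_role_policy` line is spelled `condition` (lowercase); IAM's JSON grammar expects `Condition`, so the `sts:ExternalId` check is at best rejected as a malformed policy and at worst not enforced, leaving a role that any Cognito user pool — including ones in other accounts — can assume, the classic confused-deputy case the ExternalId exists to prevent. Change it to `Condition = { "StringEquals" = { "sts:ExternalId" = random_uuid.sms_role_external_id.result } }`, and consider also conditioning on `aws:SourceAccount`/`aws:SourceArn` scoped to this user pool for defence in depth. Two further things will stop this from applying as written: `attattributes = "sms"` is not an input of `cloudposse/label/null` (presumably `attributes = ["sms"]` was intended), and the role's `name = module.component.id` references something not defined in this diff rather than the label declared just above it (`module.cognito_userpool_sms_label.id`), so if `module.component` is the module-wide label the role name will lack the `sms` attribute and may collide with another resource using that id. Finally, `count = local.enabled ? 1 : 0` gates the role on a module-wide flag rather than `var.sms_config.enabled`; with SMS enabled and that flag off the user pool's `coalesce` has nothing to fall back on, so either tie the two together or document that `sns_caller_arn` is mandatory in that case.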
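Review bot: `enabled` becomes the sole switch for the `sms_configuration` block, but the object's other two fields keep `""` defaults that the user-pool code treats as "absent" via `coalesce`, and nothing rejects `enabled = true` with `sns_caller_arn` set and `external_id` empty — a combination where Cognito is handed a caller-supplied role but no ExternalId to present, so the assume-role either fails or, if that role's trust policy has no ExternalId condition, runs without confused-deputy protection. If the intent is that a caller who supplies their own role must also supply its ExternalId, a `validation` block in this variable expresses that at plan time. The `variable "sms_config"` block continues past the end of this hunk, so its description (outside the hunk) should also state that an empty `sns_caller_arn` means "use the module-managed role and its generated ExternalId".
```hcl
# … unchanged: type = object({ enabled, external_id, sns_caller_arn }) …
validation {
  condition     = !var.sms_config.enabled || var.sms_config.sns_caller_arn == "" || var.sms_config.external_id != ""
  error_message = "sms_config: when sns_caller_arn is set, external_id must also be set to the ExternalId expected by that role's trust policy."
}
```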