Add separate listener rules for authentication type OIDC and `COGNI…

…TO` (#16)
cloudposse · Apr 26, 2019 · 5fa2031 · 5fa2031
1 parent 0158ee7
commit 5fa2031
Show file tree

Hide file tree

Showing 4 changed files with 135 additions and 49 deletions.
diff --git a/README.md b/README.md
@@ -86,7 +86,7 @@ Available targets:
 | attributes | Additional attributes, e.g. `1` | list | `<list>` | no |
 | authenticated_hosts | Authenticated hosts to match in Hosts header | list | `<list>` | no |
 | authenticated_listener_arns | A list of authenticated ALB listener ARNs to attach ALB listener rules to | list | `<list>` | no |
-| authenticated_listener_arns_count | The number of authenticated ARNs in `unauthenticated_listener_arns`. This is necessary to work around a limitation in Terraform where counts cannot be computed | string | `0` | no |
+| authenticated_listener_arns_count | The number of authenticated ARNs in `authenticated_listener_arns`. This is necessary to work around a limitation in Terraform where counts cannot be computed | string | `0` | no |
 | authenticated_paths | Authenticated path pattern to match (a maximum of 1 can be defined) | list | `<list>` | no |
 | authenticated_priority | The priority for the rules with authentication, between 1 and 50000 (1 being highest priority). Must be different from `unauthenticated_priority` since a listener can't have multiple rules with the same priority | string | `300` | no |
 | authentication_cognito_user_pool_arn | Cognito User Pool ARN | string | `` | no |
@@ -98,7 +98,7 @@ Available targets:
 | authentication_oidc_issuer | OIDC Issuer | string | `` | no |
 | authentication_oidc_token_endpoint | OIDC Token Endpoint | string | `` | no |
 | authentication_oidc_user_info_endpoint | OIDC User Info Endpoint | string | `` | no |
-| authentication_type | Authentication type. Supported values are `COGNITO`, `OIDC`, `NONE` | string | `NONE` | no |
+| authentication_type | Authentication type. Supported values are `COGNITO` and `OIDC` | string | `` | no |
 | delimiter | Delimiter to be used between `namespace`, `name`, `stage` and `attributes` | string | `-` | no |
 | deregistration_delay | The amount of time to wait in seconds while deregistering target | string | `15` | no |
 | health_check_healthy_threshold | The number of consecutive health checks successes required before healthy | string | `2` | no |

diff --git a/docs/terraform.md b/docs/terraform.md
@@ -5,7 +5,7 @@
 | attributes | Additional attributes, e.g. `1` | list | `<list>` | no |
 | authenticated_hosts | Authenticated hosts to match in Hosts header | list | `<list>` | no |
 | authenticated_listener_arns | A list of authenticated ALB listener ARNs to attach ALB listener rules to | list | `<list>` | no |
-| authenticated_listener_arns_count | The number of authenticated ARNs in `unauthenticated_listener_arns`. This is necessary to work around a limitation in Terraform where counts cannot be computed | string | `0` | no |
+| authenticated_listener_arns_count | The number of authenticated ARNs in `authenticated_listener_arns`. This is necessary to work around a limitation in Terraform where counts cannot be computed | string | `0` | no |
 | authenticated_paths | Authenticated path pattern to match (a maximum of 1 can be defined) | list | `<list>` | no |
 | authenticated_priority | The priority for the rules with authentication, between 1 and 50000 (1 being highest priority). Must be different from `unauthenticated_priority` since a listener can't have multiple rules with the same priority | string | `300` | no |
 | authentication_cognito_user_pool_arn | Cognito User Pool ARN | string | `` | no |
@@ -17,7 +17,7 @@
 | authentication_oidc_issuer | OIDC Issuer | string | `` | no |
 | authentication_oidc_token_endpoint | OIDC Token Endpoint | string | `` | no |
 | authentication_oidc_user_info_endpoint | OIDC User Info Endpoint | string | `` | no |
-| authentication_type | Authentication type. Supported values are `COGNITO`, `OIDC`, `NONE` | string | `NONE` | no |
+| authentication_type | Authentication type. Supported values are `COGNITO` and `OIDC` | string | `` | no |
 | delimiter | Delimiter to be used between `namespace`, `name`, `stage` and `attributes` | string | `-` | no |
 | deregistration_delay | The amount of time to wait in seconds while deregistering target | string | `15` | no |
 | health_check_healthy_threshold | The number of consecutive health checks successes required before healthy | string | `2` | no |

diff --git a/main.tf b/main.tf
@@ -18,39 +18,6 @@ module "default_label" {
   tags       = "${var.tags}"
 }
 
-locals {
-  supported_authentication_actions = {
-    "COGNITO" = {
-      type = "authenticate-cognito"
-
-      authenticate_cognito = [{
-        user_pool_arn       = "${var.authentication_cognito_user_pool_arn}"
-        user_pool_client_id = "${var.authentication_cognito_user_pool_client_id}"
-        user_pool_domain    = "${var.authentication_cognito_user_pool_domain}"
-      }]
-    }
-
-    "OIDC" = {
-      type = "authenticate-oidc"
-
-      authenticate_oidc = [{
-        client_id              = "${var.authentication_oidc_client_id}"
-        client_secret          = "${var.authentication_oidc_client_secret}"
-        issuer                 = "${var.authentication_oidc_issuer}"
-        authorization_endpoint = "${var.authentication_oidc_authorization_endpoint}"
-        token_endpoint         = "${var.authentication_oidc_token_endpoint}"
-        user_info_endpoint     = "${var.authentication_oidc_user_info_endpoint}"
-      }]
-    }
-
-    "NONE" = {
-      type = "none"
-    }
-  }
-
-  authentication_action = "${local.supported_authentication_actions[var.authentication_type]}"
-}
-
 resource "aws_lb_target_group" "default" {
   count       = "${local.target_group_enabled == "true" ? 1 : 0}"
   name        = "${module.default_label.id}"
@@ -93,13 +60,51 @@ resource "aws_lb_listener_rule" "unauthenticated_paths" {
   }
 }
 
-resource "aws_lb_listener_rule" "authenticated_paths" {
-  count        = "${length(var.authenticated_paths) > 0 && length(var.authenticated_hosts) == 0 ? var.authenticated_listener_arns_count : 0}"
+resource "aws_lb_listener_rule" "authenticated_paths_oidc" {
+  count        = "${var.authentication_type == "OIDC" && length(var.authenticated_paths) > 0 && length(var.authenticated_hosts) == 0 ? var.authenticated_listener_arns_count : 0}"
+  listener_arn = "${var.authenticated_listener_arns[count.index]}"
+  priority     = "${var.authenticated_priority + count.index}"
+
+  action = [
+    {
+      type = "authenticate-oidc"
+
+      authenticate_oidc {
+        client_id              = "${var.authentication_oidc_client_id}"
+        client_secret          = "${var.authentication_oidc_client_secret}"
+        issuer                 = "${var.authentication_oidc_issuer}"
+        authorization_endpoint = "${var.authentication_oidc_authorization_endpoint}"
+        token_endpoint         = "${var.authentication_oidc_token_endpoint}"
+        user_info_endpoint     = "${var.authentication_oidc_user_info_endpoint}"
+      }
+    },
+    {
+      type             = "forward"
+      target_group_arn = "${local.target_group_arn}"
+    },
+  ]
+
+  condition {
+    field  = "path-pattern"
+    values = ["${var.authenticated_paths}"]
+  }
+}
+
+resource "aws_lb_listener_rule" "authenticated_paths_cognito" {
+  count        = "${var.authentication_type == "COGNITO" && length(var.authenticated_paths) > 0 && length(var.authenticated_hosts) == 0 ? var.authenticated_listener_arns_count : 0}"
   listener_arn = "${var.authenticated_listener_arns[count.index]}"
   priority     = "${var.authenticated_priority + count.index}"
 
   action = [
-    "${local.authentication_action}",
+    {
+      type = "authenticate-cognito"
+
+      authenticate_cognito {
+        user_pool_arn       = "${var.authentication_cognito_user_pool_arn}"
+        user_pool_client_id = "${var.authentication_cognito_user_pool_client_id}"
+        user_pool_domain    = "${var.authentication_cognito_user_pool_domain}"
+      }
+    },
     {
       type             = "forward"
       target_group_arn = "${local.target_group_arn}"
@@ -130,13 +135,51 @@ resource "aws_lb_listener_rule" "unauthenticated_hosts" {
   }
 }
 
-resource "aws_lb_listener_rule" "authenticated_hosts" {
-  count        = "${length(var.authenticated_hosts) > 0 && length(var.authenticated_paths) == 0 ? var.authenticated_listener_arns_count : 0}"
+resource "aws_lb_listener_rule" "authenticated_hosts_oidc" {
+  count        = "${var.authentication_type == "OIDC" && length(var.authenticated_hosts) > 0 && length(var.authenticated_paths) == 0 ? var.authenticated_listener_arns_count : 0}"
+  listener_arn = "${var.authenticated_listener_arns[count.index]}"
+  priority     = "${var.authenticated_priority + count.index}"
+
+  action = [
+    {
+      type = "authenticate-oidc"
+
+      authenticate_oidc {
+        client_id              = "${var.authentication_oidc_client_id}"
+        client_secret          = "${var.authentication_oidc_client_secret}"
+        issuer                 = "${var.authentication_oidc_issuer}"
+        authorization_endpoint = "${var.authentication_oidc_authorization_endpoint}"
+        token_endpoint         = "${var.authentication_oidc_token_endpoint}"
+        user_info_endpoint     = "${var.authentication_oidc_user_info_endpoint}"
+      }
+    },
+    {
+      type             = "forward"
+      target_group_arn = "${local.target_group_arn}"
+    },
+  ]
+
+  condition {
+    field  = "host-header"
+    values = ["${var.authenticated_hosts}"]
+  }
+}
+
+resource "aws_lb_listener_rule" "authenticated_hosts_cognito" {
+  count        = "${var.authentication_type == "COGNITO" && length(var.authenticated_hosts) > 0 && length(var.authenticated_paths) == 0 ? var.authenticated_listener_arns_count : 0}"
   listener_arn = "${var.authenticated_listener_arns[count.index]}"
   priority     = "${var.authenticated_priority + count.index}"
 
   action = [
-    "${local.authentication_action}",
+    {
+      type = "authenticate-cognito"
+
+      authenticate_cognito {
+        user_pool_arn       = "${var.authentication_cognito_user_pool_arn}"
+        user_pool_client_id = "${var.authentication_cognito_user_pool_client_id}"
+        user_pool_domain    = "${var.authentication_cognito_user_pool_domain}"
+      }
+    },
     {
       type             = "forward"
       target_group_arn = "${local.target_group_arn}"
@@ -172,13 +215,56 @@ resource "aws_lb_listener_rule" "unauthenticated_hosts_paths" {
   }
 }
 
-resource "aws_lb_listener_rule" "authenticated_hosts_paths" {
-  count        = "${length(var.authenticated_paths) > 0 && length(var.authenticated_hosts) > 0 ? var.authenticated_listener_arns_count : 0}"
+resource "aws_lb_listener_rule" "authenticated_hosts_paths_oidc" {
+  count        = "${var.authentication_type == "OIDC" && length(var.authenticated_paths) > 0 && length(var.authenticated_hosts) > 0 ? var.authenticated_listener_arns_count : 0}"
+  listener_arn = "${var.authenticated_listener_arns[count.index]}"
+  priority     = "${var.authenticated_priority + count.index}"
+
+  action = [
+    {
+      type = "authenticate-oidc"
+
+      authenticate_oidc {
+        client_id              = "${var.authentication_oidc_client_id}"
+        client_secret          = "${var.authentication_oidc_client_secret}"
+        issuer                 = "${var.authentication_oidc_issuer}"
+        authorization_endpoint = "${var.authentication_oidc_authorization_endpoint}"
+        token_endpoint         = "${var.authentication_oidc_token_endpoint}"
+        user_info_endpoint     = "${var.authentication_oidc_user_info_endpoint}"
+      }
+    },
+    {
+      type             = "forward"
+      target_group_arn = "${local.target_group_arn}"
+    },
+  ]
+
+  condition {
+    field  = "host-header"
+    values = ["${var.authenticated_hosts}"]
+  }
+
+  condition {
+    field  = "path-pattern"
+    values = ["${var.authenticated_paths}"]
+  }
+}
+
+resource "aws_lb_listener_rule" "authenticated_hosts_paths_cognito" {
+  count        = "${var.authentication_type == "COGNITO" && length(var.authenticated_paths) > 0 && length(var.authenticated_hosts) > 0 ? var.authenticated_listener_arns_count : 0}"
   listener_arn = "${var.authenticated_listener_arns[count.index]}"
   priority     = "${var.authenticated_priority + count.index}"
 
   action = [
-    "${local.authentication_action}",
+    {
+      type = "authenticate-cognito"
+
+      authenticate_cognito {
+        user_pool_arn       = "${var.authentication_cognito_user_pool_arn}"
+        user_pool_client_id = "${var.authentication_cognito_user_pool_client_id}"
+        user_pool_domain    = "${var.authentication_cognito_user_pool_domain}"
+      }
+    },
     {
       type             = "forward"
       target_group_arn = "${local.target_group_arn}"

diff --git a/variables.tf b/variables.tf
@@ -58,7 +58,7 @@ variable "authenticated_listener_arns" {
 variable "authenticated_listener_arns_count" {
   type        = "string"
   default     = "0"
-  description = "The number of authenticated ARNs in `unauthenticated_listener_arns`. This is necessary to work around a limitation in Terraform where counts cannot be computed"
+  description = "The number of authenticated ARNs in `authenticated_listener_arns`. This is necessary to work around a limitation in Terraform where counts cannot be computed"
 }
 
 variable "deregistration_delay" {
@@ -163,8 +163,8 @@ variable "authenticated_paths" {
 
 variable "authentication_type" {
   type        = "string"
-  default     = "NONE"
-  description = "Authentication type. Supported values are `COGNITO`, `OIDC`, `NONE`"
+  default     = ""
+  description = "Authentication type. Supported values are `COGNITO` and `OIDC`"
 }
 
 variable "authentication_cognito_user_pool_arn" {