Resource: awsCognitoIdentityPoolRolesAttachment

Provides an AWS Cognito Identity Pool Roles Attachment.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsCognitoIdentityPoolMain =
  new aws.cognitoIdentityPool.CognitoIdentityPool(this, "main", {
    allowUnauthenticatedIdentities: false,
    identityPoolName: "identity pool",
    supportedLoginProviders: {
      "graph.facebook.com": "7346241598935555",
    },
  });
const dataAwsIamPolicyDocumentAuthenticated =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "authenticated",
    {
      statement: [
        {
          actions: ["sts:AssumeRoleWithWebIdentity"],
          condition: [
            {
              test: "StringEquals",
              values: [awsCognitoIdentityPoolMain.id],
              variable: "cognito-identity.amazonaws.com:aud",
            },
            {
              test: "ForAnyValue:StringLike",
              values: ["authenticated"],
              variable: "cognito-identity.amazonaws.com:amr",
            },
          ],
          effect: "Allow",
          principals: [
            {
              identifiers: ["cognito-identity.amazonaws.com"],
              type: "Federated",
            },
          ],
        },
      ],
    }
  );
const dataAwsIamPolicyDocumentAuthenticatedRolePolicy =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "authenticated_role_policy",
    {
      // Permissions granted to identities that assume the authenticated role.
      statement: [
        {
          actions: [
            "mobileanalytics:PutEvents",
            "cognito-sync:*",
            "cognito-identity:*",
          ],
          effect: "Allow",
          resources: ["*"],
        },
      ],
    }
  );
const awsIamRoleAuthenticated = new aws.iamRole.IamRole(
  this,
  "authenticated_3",
  {
    assumeRolePolicy: dataAwsIamPolicyDocumentAuthenticated.json,
    name: "cognito_authenticated",
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamRoleAuthenticated.overrideLogicalId("authenticated");
const awsIamRolePolicyAuthenticated = new aws.iamRolePolicy.IamRolePolicy(
  this,
  "authenticated_4",
  {
    name: "authenticated_policy",
    policy: dataAwsIamPolicyDocumentAuthenticatedRolePolicy.json,
    role: awsIamRoleAuthenticated.id,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamRolePolicyAuthenticated.overrideLogicalId("authenticated");
const awsCognitoIdentityPoolRolesAttachmentMain =
  new aws.cognitoIdentityPoolRolesAttachment.CognitoIdentityPoolRolesAttachment(
    this,
    "main_5",
    {
      identityPoolId: awsCognitoIdentityPoolMain.id,
      roleMapping: [
        {
          ambiguousRoleResolution: "AuthenticatedRole",
          identityProvider: "graph.facebook.com",
          mappingRule: [
            {
              claim: "isAdmin",
              matchType: "Equals",
              roleArn: awsIamRoleAuthenticated.arn,
              value: "paid",
            },
          ],
          type: "Rules",
        },
      ],
      roles: {
        authenticated: awsIamRoleAuthenticated.arn,
      },
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsCognitoIdentityPoolRolesAttachmentMain.overrideLogicalId("main");

Argument Reference

The Cognito Identity Pool Roles Attachment argument layout is a structure composed of several sub-resources - these resources are laid out below.

  • identityPoolId (Required) - An identity pool ID in the format REGION_GUID.
  • roleMapping (Optional) - A list of Role Mappings (see below).
  • roles (Required) - The map of roles associated with this pool. For a given role, the key will be either "authenticated" or "unauthenticated" and the value will be the Role ARN.

Role Mappings

  • identityProvider (Required) - A string identifying the identity provider, for example, "graph.facebook.com" or "cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id". Depends on cognitoIdentityProviders set on the awsCognitoIdentityPool resource or an awsCognitoIdentityProvider resource.
  • ambiguousRoleResolution (Optional) - Specifies the action to be taken if either no rules match the claim value for the Rules type, or there is no cognito:preferred_role claim and there are multiple cognito:roles matches for the Token type. Required if you specify Token or Rules as the type.
  • mappingRule (Optional) - The Rules Configuration to be used for mapping users to roles. You can specify up to 25 rules per identity provider. Rules are evaluated in order; the first one to match specifies the role.
  • type (Required) - The role mapping type (Token or Rules).

Rules Configuration

  • claim (Required) - The claim name that must be present in the token, for example, "isAdmin" or "paid".
  • matchType (Required) - The match condition that specifies how closely the claim value in the IdP token must match value.
  • roleArn (Required) - The role ARN.
  • value (Required) - A brief string that the claim must match, for example, "paid" or "yes".
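The following is an added illustration (not provider or AWS code) of the evaluation semantics the Role Mappings and Rules Configuration sections describe: ordered rule matching, the 25-rule limit, and the ambiguousRoleResolution fallback when nothing matches. It assumes the IdP token claims have been flattened into a string map, and the role ARNs are constructed placeholders.

```typescript
// Added illustration of role-mapping evaluation; not provider or AWS code.
// Assumption: token claims arrive as a flat string map (constructed sample below).
type MatchType = "Equals" | "Contains" | "StartsWith" | "NotEqual";
type AmbiguousRoleResolution = "AuthenticatedRole" | "Deny";

interface MappingRule { claim: string; matchType: MatchType; value: string; roleArn: string }
interface RoleMapping {
  type: "Rules" | "Token";
  ambiguousRoleResolution: AmbiguousRoleResolution;
  mappingRule: MappingRule[];
}

const MAX_RULES_PER_PROVIDER = 25;

// Configuration problems worth flagging in review before the attachment is applied.
function validateRoleMapping(m: RoleMapping): string[] {
  const problems: string[] = [];
  if (m.type === "Rules" && m.mappingRule.length === 0) problems.push("Rules mapping has no mappingRule");
  if (m.mappingRule.length > MAX_RULES_PER_PROVIDER) problems.push(`more than ${MAX_RULES_PER_PROVIDER} rules`);
  return problems;
}

function ruleMatches(rule: MappingRule, claims: Record<string, string>): boolean {
  const actual = claims[rule.claim];
  if (actual === undefined) return false; // assumption: an absent claim never matches, NotEqual included
  switch (rule.matchType) {
    case "Equals": return actual === rule.value;
    case "Contains": return actual.includes(rule.value);
    case "StartsWith": return actual.startsWith(rule.value);
    case "NotEqual": return actual !== rule.value;
    default: return false;
  }
}

// Rules are evaluated in order and the first match wins. With no match, ambiguousRoleResolution
// decides: fall back to the pool's authenticated role, or deny credentials entirely.
function resolveRole(m: RoleMapping, claims: Record<string, string>, authenticatedRoleArn: string): string | null {
  for (const rule of m.mappingRule) {
    if (ruleMatches(rule, claims)) return rule.roleArn;
  }
  return m.ambiguousRoleResolution === "AuthenticatedRole" ? authenticatedRoleArn : null;
}

// Constructed sample mirroring the page's rule (isAdmin Equals "paid"), mapped to a separate role.
const AUTH_ROLE_ARN = "arn:aws:iam::123456789012:role/cognito_authenticated";
const ADMIN_ROLE_ARN = "arn:aws:iam::123456789012:role/cognito_admin";
const SAMPLE_MAPPING: RoleMapping = {
  type: "Rules", ambiguousRoleResolution: "Deny",
  mappingRule: [{ claim: "isAdmin", matchType: "Equals", value: "paid", roleArn: ADMIN_ROLE_ARN }],
};
```

Setting ambiguousRoleResolution to Deny means a token that matches no rule gets no credentials at all, whereas AuthenticatedRole silently hands such tokens the pool's default authenticated role.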

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The identity pool ID.

Import

Cognito Identity Pool Roles Attachment can be imported using the Identity Pool ID, e.g.,

$ terraform import aws_cognito_identity_pool_roles_attachment.example us-west-2:b64805ad-cb56-40ba-9ffc-f5d8207e6d42