advanced_security_mode |
Mode for advanced security; must be one of OFF, AUDIT or ENFORCED. AUDIT only records risk events, while ENFORCED also acts on them (adaptive authentication and compromised-credential responses); the default OFF disables both. |
string |
"OFF" |
no |
alias_attributes |
Attributes supported as an alias for this user pool. Valid values: phone_number, email, or preferred_username. Conflicts with username_attributes. |
list(any) |
[] |
no |
allow_software_mfa_token |
(Optional) Whether to enable software-token Multi-Factor Authentication (MFA), such as Time-based One-Time Password (TOTP). To disable software token MFA when 'sms_configuration' is not present, the 'mfa_configuration' argument must be set to OFF and the 'software_token_mfa_configuration' configuration block must be fully removed. Note that this only makes TOTP available; whether users must enroll is governed by 'mfa_configuration'. |
bool |
true |
no |
allow_unauthenticated_identities |
Whether the identity pool supports unauthenticated (guest) logins. When enabled, anyone who can reach the identity pool can obtain credentials for its unauthenticated IAM role, so keep this false unless guest access is a deliberate requirement and that role is tightly scoped. |
bool |
false |
no |
auto_verified_attributes |
Attributes to be auto-verified. Valid values: email, phone_number. |
list(any) |
[ "email" ] |
no |
case_sensitive |
Whether username case sensitivity will be applied for all users in the user pool through Cognito APIs. |
bool |
true |
no |
client_access_token_validity |
(Optional) Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. The number is interpreted in the units set by 'client_token_validity_units'; if that block is present, its units apply to this value. |
number |
null |
no |
client_allowed_oauth_flows |
(Optional) List of allowed OAuth flows. Possible flows are 'code', 'implicit', and 'client_credentials'. Prefer 'code' for user-facing clients; the 'implicit' flow returns tokens in the redirect URL fragment, where they are exposed to browser history and referrers. |
list(string) |
null |
no |
client_allowed_oauth_flows_user_pool_client |
(Optional) Whether the client is allowed to follow the OAuth protocol when interacting with Cognito User Pools. |
bool |
null |
no |
client_allowed_oauth_scopes |
(Optional) List of allowed OAuth scopes. Possible values are 'phone', 'email', 'openid', 'profile', and 'aws.cognito.signin.user.admin'. |
list(string) |
null |
no |
client_callback_urls |
(Optional) List of allowed callback URLs for the identity providers. |
list(string) |
null |
no |
client_default_redirect_uri |
(Optional) The default redirect URI. Must be in the list of callback URLs. |
string |
null |
no |
client_enable_token_revocation |
(Optional) Enables or disables token revocation for the application client. When revocation is disabled, issued refresh tokens stay usable until they expire (see 'client_refresh_token_validity', which defaults to 30 days), so sign-out or compromise cannot be enforced server-side. |
bool |
null |
no |
client_explicit_auth_flows |
(Optional) List of authentication flows. Possible values are 'ADMIN_NO_SRP_AUTH', 'CUSTOM_AUTH_FLOW_ONLY', 'USER_PASSWORD_AUTH', 'ALLOW_ADMIN_USER_PASSWORD_AUTH', 'ALLOW_CUSTOM_AUTH', 'ALLOW_USER_PASSWORD_AUTH', 'ALLOW_USER_SRP_AUTH', and 'ALLOW_REFRESH_TOKEN_AUTH'. The unprefixed values are legacy names and cannot be mixed with the 'ALLOW_'-prefixed ones. The password flows send the user's password to Cognito in the request; prefer 'ALLOW_USER_SRP_AUTH' where the client library supports it. |
list(string) |
null |
no |
client_generate_secret |
Whether to generate a client secret for the application client. Use a secret only for confidential clients (server-side code); public clients such as browser SPAs and mobile apps cannot protect a secret and should set this to false. |
bool |
true |
no |
client_id_token_validity |
(Optional) Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. The number is interpreted in the units set by 'client_token_validity_units'; if that block is present, its units apply to this value. |
number |
null |
no |
client_logout_urls |
(Optional) List of allowed logout URLs for the identity providers. |
list(string) |
null |
no |
client_name |
The name of the application client |
string |
null |
no |
client_prevent_user_existence_errors |
(Optional) Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the Cognito User Pool. When set to 'ENABLED' and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to 'LEGACY', those APIs will return a 'UserNotFoundException' exception if the user does not exist in the Cognito User Pool, which lets a caller enumerate valid usernames; prefer 'ENABLED'. |
string |
null |
no |
client_read_attributes |
(Optional) List of Cognito User Pool attributes the application client can read from. |
list(string) |
[ "address", "birthdate", "email", "email_verified", "family_name", "gender", "given_name", "locale", "middle_name", "name", "nickname", "phone_number", "phone_number_verified", "picture", "preferred_username", "profile", "updated_at", "website", "zoneinfo" ] |
no |
client_refresh_token_validity |
(Optional) The time limit, in days unless 'client_token_validity_units' says otherwise, for which refresh tokens remain valid. A long lifetime (the default is 30 days) extends how long a stolen refresh token can mint new access tokens unless 'client_enable_token_revocation' is on. |
number |
30 |
no |
client_supported_identity_providers |
(Optional) List of provider names for the identity providers that are supported on this client. |
list(string) |
null |
no |
client_token_validity_units |
(Optional) Configuration block for the units (seconds, minutes, hours or days) in which the access, ID and refresh token validity values are expressed. |
any |
null |
no |
client_write_attributes |
(Optional) List of Cognito User Pool attributes the application client can write to. |
list(string) |
[ "address", "birthdate", "email", "family_name", "gender", "given_name", "locale", "middle_name", "name", "nickname", "phone_number", "picture", "preferred_username", "profile", "updated_at", "website", "zoneinfo" ] |
no |
clients |
A list of application client definitions. |
any |
[] |
no |
desired_delivery_mediums |
A list of mediums through which the welcome message will be sent. Allowed values are EMAIL and SMS. If provided, make sure you have also specified the email attribute for the EMAIL medium and phone_number for the SMS medium. More than one value can be specified. |
list(string) |
[ "EMAIL" ] |
no |
domain |
Cognito User Pool domain |
string |
null |
no |
domain_certificate_arn |
The ARN of an ISSUED ACM certificate in us-east-1 for a custom domain |
string |
null |
no |
email_message |
Body of the welcome (invitation) email sent to created users; an empty string uses the Cognito default. Presumably it must carry the {username} and {####} placeholders like 'sms_authentication_message' does — confirm against the module source. |
string |
"" |
no |
email_subject |
The subject line of the welcome (invitation) email. |
string |
"Sign up for <project_name>." |
no |
enabled |
Whether to create the Cognito resources at all; set to false to disable the module without removing it. |
bool |
true |
no |
environment |
Environment (e.g. prod, dev, staging). |
string |
"" |
no |
label_order |
Label order, e.g. name, application. |
list(any) |
[] |
no |
lambda_create_auth_challenge |
(Optional) The ARN of an AWS Lambda creating an authentication challenge. |
string |
null |
no |
lambda_custom_message |
(Optional) The ARN of a custom message AWS Lambda trigger. |
string |
null |
no |
lambda_define_auth_challenge |
(Optional) The ARN of an AWS Lambda that defines the authentication challenge. |
string |
null |
no |
lambda_post_authentication |
(Optional) The ARN of a post-authentication AWS Lambda trigger. |
string |
null |
no |
lambda_post_confirmation |
(Optional) The ARN of a post-confirmation AWS Lambda trigger. |
string |
null |
no |
lambda_pre_authentication |
(Optional) The ARN of a pre-authentication AWS Lambda trigger. |
string |
null |
no |
lambda_pre_sign_up |
(Optional) The ARN of a pre-registration AWS Lambda trigger. |
string |
null |
no |
lambda_pre_token_generation |
(Optional) The ARN of an AWS Lambda that allows customization of identity token claims before token generation. |
string |
null |
no |
lambda_user_migration |
(Optional) The ARN of the user migration AWS Lambda config type. |
string |
null |
no |
lambda_verify_auth_challenge_response |
(Optional) The ARN of an AWS Lambda that verifies the authentication challenge response. |
string |
null |
no |
managedby |
ManagedBy, e.g. 'CloudDrove'. |
string |
"hello@clouddrove.com" |
no |
mfa_configuration |
Multi-Factor Authentication (MFA) configuration for the User Pool. Defaults to OFF, which leaves every account protected by a single factor even when 'allow_software_mfa_token' is true. Valid values are OFF, ON (MFA required for all users) and OPTIONAL (users may enroll). |
string |
"OFF" |
no |
minimum_length |
(Optional) Minimum password length enforced by the user pool password policy. |
number |
12 |
no |
module_depends_on |
(Optional) A list of external resources the module depends_on. |
any |
[] |
no |
name |
Name (e.g. app or cluster). |
string |
"" |
no |
repository |
Terraform current module repo |
string |
"https://github.com/clouddrove/terraform-aws-cognito" |
no |
require_lowercase |
(Optional) Whether passwords must contain at least one lowercase letter. |
bool |
true |
no |
require_numbers |
Whether passwords must contain at least one number. |
bool |
true |
no |
require_symbols |
Whether passwords must contain at least one symbol. |
bool |
true |
no |
require_uppercase |
Whether passwords must contain at least one uppercase letter. |
bool |
true |
no |
resource_servers |
A list of Resource Server configurations. |
list(any) |
[] |
no |
schema_attributes |
(Optional) A list of schema attributes of a user pool. You can add a maximum of 25 custom attributes. |
any |
[] |
no |
sms_authentication_message |
String representing the SMS authentication message. The message must contain the {####} placeholder, which Cognito replaces with the one-time code; {username} is replaced with the user's username. |
string |
"Your username is {username}. Sign up at {####}" |
no |
temporary_password_validity_days |
(Optional) Number of days a temporary password is valid under the password policy. If the user does not sign in during this time, an administrator must reset their password. |
number |
1 |
no |
user_group_description |
The description of the user group |
string |
null |
no |
user_group_name |
The name of the user group |
string |
null |
no |
user_group_precedence |
The precedence of the user group |
number |
null |
no |
user_group_role_arn |
The ARN of the IAM role to be associated with the user group |
string |
null |
no |
user_groups |
A list of user group definitions. |
list(any) |
[] |
no |
username_attributes |
Whether email addresses or phone numbers can be specified as usernames when a user signs up. Conflicts with alias_attributes. |
list(any) |
[ "email" ] |
no |
users |
Map of Cognito users to create; each value supplies the user's email address. |
map( object({ email = string }) ) |
{} |
no |