cognito classic flow

simplified flow has a strict session policy which prohibits sts:
AssumeRole!

https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html

tf/cognito_identify.tf

@@ -1,6 +1,7 @@
 resource "aws_cognito_identity_pool" "pool" {
   identity_pool_name               = var.name_prefix
   allow_unauthenticated_identities = true
+  allow_classic_flow               = true
 
   cognito_identity_providers {
     client_id               = aws_cognito_user_pool_client.identity.id
@@ -9,10 +10,10 @@ resource "aws_cognito_identity_pool" "pool" {
   }
 }
 
-resource "aws_cognito_identity_pool_roles_attachment" "user_role_attachment" {
-  identity_pool_id = aws_cognito_identity_pool.pool.id
-  roles = {
-    "authenticated"   = "${aws_iam_role.authenticated.arn}"
-    "unauthenticated" = "${aws_iam_role.unauthenticated.arn}"
-  }
-}
+#resource "aws_cognito_identity_pool_roles_attachment" "user_role_attachment" {
+#  identity_pool_id = aws_cognito_identity_pool.pool.id
+#  roles = {
+#    "authenticated"   = "${aws_iam_role.authenticated.arn}"
+#    "unauthenticated" = "${aws_iam_role.unauthenticated.arn}"
+#  }
+#}

tf/iam_authenticated.tf

@@ -1,11 +1,10 @@
-resource "aws_iam_role" "authenticated" {
+resource "aws_iam_role" "authenticated-stage1" {
   name                 = "${var.iam_role_prefix}CognitoUser"
   description          = "${var.iam_role_prefix}CognitoUser"
-  assume_role_policy   = data.aws_iam_policy_document.authenticated-trust.json
+  assume_role_policy   = data.aws_iam_policy_document.authenticated-stage1-trust.json
   max_session_duration = 43200
 }
-
-data "aws_iam_policy_document" "authenticated-trust" {
+data "aws_iam_policy_document" "authenticated-stage1-trust" {
   statement {
     effect  = "Allow"
     actions = ["sts:AssumeRoleWithWebIdentity"]
@@ -28,16 +27,62 @@ data "aws_iam_policy_document" "authenticated-trust" {
   }
 }
 
+resource "aws_iam_role_policy" "authenticated-stage1" {
+  role   = aws_iam_role.authenticated-stage1.name
+  policy = data.aws_iam_policy_document.authenticated-stage1.json
+}
+data "aws_iam_policy_document" "authenticated-stage1" {
+  statement {
+    effect    = "Allow"
+    actions   = ["sts:AssumeRole", "sts:TagSession"]
+    resources = [aws_iam_role.authenticated-stage2.arn]
+
+
+    condition {
+      test     = "ForAllValues:StringEquals"
+      variable = "aws:TagKeys"
+      values   = ["RkSignageUserSub"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "aws:RequestTag/RkSignageUserSub"
+      values   = ["$${cognito-identity.amazonaws.com:sub}"]
+    }
+  }
+}
+
+########
+
+resource "aws_iam_role" "authenticated-stage2" {
+  name                 = "${var.iam_role_prefix}BrowserUser"
+  description          = "${var.iam_role_prefix}BrowserUser"
+  assume_role_policy   = data.aws_iam_policy_document.authenticated-stage2-trust.json
+  max_session_duration = 3600
+}
+data "aws_iam_policy_document" "authenticated-stage2-trust" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole", "sts:TagSession"]
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${data.aws_caller_identity.current.id}:root",
+        // aws_iam_role.authenticated-stage1.arn,
+        // "arn:aws:iam::${data.aws_caller_identity.current.id}:role/${var.iam_role_prefix}CognitoUser"
+      ]
+    }
+  }
+}
+
 resource "aws_iam_role_policy" "authenticated-unauth" {
-  role   = aws_iam_role.authenticated.name
+  role   = aws_iam_role.authenticated-stage2.name
   policy = data.aws_iam_policy_document.unauthenticated.json
 }
 
 resource "aws_iam_role_policy" "authenticated" {
-  role   = aws_iam_role.authenticated.name
+  role   = aws_iam_role.authenticated-stage2.name
   policy = data.aws_iam_policy_document.authenticated.json
 }
-
 data "aws_iam_policy_document" "authenticated" {
   statement {
     effect  = "Allow"
@@ -73,12 +118,6 @@ data "aws_iam_policy_document" "authenticated" {
       ]
     }
   }
-  statement {
-    effect    = "Allow"
-    actions   = ["sts:AssumeRole"]
-    resources = [aws_iam_role.authenticated-mqtt.arn]
-  }
-
   #  statement {
   #    effect  = "Allow"
   #    actions = ["iot:*"]
@@ -87,14 +126,6 @@ data "aws_iam_policy_document" "authenticated" {
   #    ]
   #  }
 
-}
-resource "aws_iam_role_policy" "authenticated-iot" {
-  role   = aws_iam_role.authenticated.name
-  policy = data.aws_iam_policy_document.unauthenticated-iot.json
-}
-
-data "aws_iam_policy_document" "authenticated-iot" {
-
   #statement {
   #  effect    = "Allow"
   #  actions   = ["iot:connect"]
@@ -124,56 +155,3 @@ data "aws_iam_policy_document" "authenticated-iot" {
   }
 }
 
-
-resource "aws_iam_role" "authenticated-mqtt" {
-  name                 = "${var.iam_role_prefix}CognitoUserMqtt"
-  description          = "${var.iam_role_prefix}CognitoUserMqtt"
-  assume_role_policy   = data.aws_iam_policy_document.authenticated-mqtt-trust.json
-  max_session_duration = 43200
-}
-data "aws_iam_policy_document" "authenticated-mqtt-trust" {
-  statement {
-    effect  = "Allow"
-    actions = ["sts:AssumeRole"]
-    principals {
-      type = "AWS"
-      identifiers = [
-        "arn:aws:iam::${data.aws_caller_identity.current.id}:role/${var.iam_role_prefix}CognitoUser"
-      ]
-    }
-    condition {
-      test     = "ForAllValues:StringEquals"
-      variable = "aws:TagKeys"
-      values   = ["RkSignageUserSub"]
-    }
-
-  }
-  statement {
-    effect  = "Allow"
-    actions = ["sts:TagSession"]
-    principals {
-      type = "AWS"
-      identifiers = [
-        "arn:aws:iam::${data.aws_caller_identity.current.id}:role/${var.iam_role_prefix}CognitoUser"
-      ]
-    }
-    condition {
-      test     = "StringEquals"
-      variable = "aws:RequestTag/RkSignageUserSub"
-      values   = ["$${cognito-identity.amazonaws.com:sub}"]
-    }
-    condition {
-      test     = "ForAllValues:StringEquals"
-      variable = "aws:TagKeys"
-      values   = ["RkSignageUserSub"]
-    }
-  }
-}
-resource "aws_iam_role_policy" "authenticated-mqtt-iot" {
-  role   = aws_iam_role.authenticated-mqtt.name
-  policy = data.aws_iam_policy_document.authenticated-iot.json
-}
-resource "aws_iam_role_policy" "authenticated-unauth-mqtt-iot" {
-  role   = aws_iam_role.authenticated-mqtt.name
-  policy = data.aws_iam_policy_document.unauthenticated-iot.json
-}

tf/iam_unauthenticated.tf

@@ -1,11 +1,10 @@
-resource "aws_iam_role" "unauthenticated" {
+resource "aws_iam_role" "unauthenticated-stage1" {
   name                 = "${var.iam_role_prefix}CognitoGuest"
   description          = "${var.iam_role_prefix}CognitoGuest"
-  assume_role_policy   = data.aws_iam_policy_document.unauthenticated-trust.json
+  assume_role_policy   = data.aws_iam_policy_document.unauthenticated-stage1-trust.json
   max_session_duration = 43200
 }
-
-data "aws_iam_policy_document" "unauthenticated-trust" {
+data "aws_iam_policy_document" "unauthenticated-stage1-trust" {
   statement {
     effect  = "Allow"
     actions = ["sts:AssumeRoleWithWebIdentity"]
@@ -28,8 +27,60 @@ data "aws_iam_policy_document" "unauthenticated-trust" {
   }
 }
 
+resource "aws_iam_role_policy" "unauthenticated-stage1" {
+  role   = aws_iam_role.unauthenticated-stage1.name
+  policy = data.aws_iam_policy_document.unauthenticated-stage1.json
+}
+data "aws_iam_policy_document" "unauthenticated-stage1" {
+  statement {
+    effect    = "Allow"
+    actions   = ["sts:AssumeRole", "sts:TagSession"]
+    resources = [aws_iam_role.unauthenticated-stage2.arn]
+
+
+    condition {
+      test     = "ForAllValues:StringEquals"
+      variable = "aws:TagKeys"
+      values   = ["RkSignageUserSub"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "aws:RequestTag/RkSignageUserSub"
+      values   = ["$${cognito-identity.amazonaws.com:sub}"]
+    }
+  }
+}
+
+
+########
+
+
+
+
+resource "aws_iam_role" "unauthenticated-stage2" {
+  name                 = "${var.iam_role_prefix}BrowserGuest"
+  description          = "${var.iam_role_prefix}BrowserGuest"
+  assume_role_policy   = data.aws_iam_policy_document.unauthenticated-stage2-trust.json
+  max_session_duration = 43200
+}
+
+data "aws_iam_policy_document" "unauthenticated-stage2-trust" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole", "sts:TagSession"]
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${data.aws_caller_identity.current.id}:root",
+        // aws_iam_role.authenticated-stage1.arn,
+        // "arn:aws:iam::${data.aws_caller_identity.current.id}:role/${var.iam_role_prefix}CognitoUser"
+      ]
+    }
+  }
+}
+
 resource "aws_iam_role_policy" "unauthenticated" {
-  role   = aws_iam_role.unauthenticated.name
+  role   = aws_iam_role.unauthenticated-stage2.name
   policy = data.aws_iam_policy_document.unauthenticated.json
 }
 
@@ -60,21 +111,12 @@ data "aws_iam_policy_document" "unauthenticated" {
       test     = "ForAllValues:StringLike"
       variable = "dynamodb:LeadingKeys"
       values = [
-        "*::kiosks:$${cognito-identity.amazonaws.com:sub}",
+        "*::kiosks:$${aws:PrincipalTag/RkSignageUserSub}",
       ]
     }
   }
-  statement {
-    effect    = "Allow"
-    actions   = ["sts:AssumeRole"]
-    resources = [aws_iam_role.unauthenticated-mqtt.arn]
-  }
-}
-resource "aws_iam_role_policy" "unauthenticated-iot" {
-  role   = aws_iam_role.unauthenticated.name
-  policy = data.aws_iam_policy_document.unauthenticated-iot.json
-}
-data "aws_iam_policy_document" "unauthenticated-iot" {
+
+
   statement {
     effect  = "Allow"
     actions = ["iot:Connect"]
@@ -111,51 +153,3 @@ data "aws_iam_policy_document" "unauthenticated-iot" {
     ]
   }
 }
-
-resource "aws_iam_role" "unauthenticated-mqtt" {
-  name                 = "${var.iam_role_prefix}CognitoGuestMqtt"
-  description          = "${var.iam_role_prefix}CognitoGuestMqtt"
-  assume_role_policy   = data.aws_iam_policy_document.unauthenticated-mqtt-trust.json
-  max_session_duration = 43200
-}
-data "aws_iam_policy_document" "unauthenticated-mqtt-trust" {
-  statement {
-    effect  = "Allow"
-    actions = ["sts:AssumeRole"]
-    principals {
-      type = "AWS"
-      identifiers = [
-        "arn:aws:iam::${data.aws_caller_identity.current.id}:role/${var.iam_role_prefix}CognitoGuest"
-      ]
-    }
-    condition {
-      test     = "ForAllValues:StringEquals"
-      variable = "aws:TagKeys"
-      values   = ["RkSignageUserSub"]
-    }
-  }
-  statement {
-    effect  = "Allow"
-    actions = ["sts:TagSession"]
-    principals {
-      type = "AWS"
-      identifiers = [
-        "arn:aws:iam::${data.aws_caller_identity.current.id}:role/${var.iam_role_prefix}CognitoGuest"
-      ]
-    }
-    condition {
-      test     = "StringEquals"
-      variable = "aws:RequestTag/RkSignageUserSub"
-      values   = ["$${cognito-identity.amazonaws.com:sub}"]
-    }
-    condition {
-      test     = "ForAllValues:StringEquals"
-      variable = "aws:TagKeys"
-      values   = ["RkSignageUserSub"]
-    }
-  }
-}
-resource "aws_iam_role_policy" "unauthenticated-mqtt-iot" {
-  role   = aws_iam_role.unauthenticated-mqtt.name
-  policy = data.aws_iam_policy_document.unauthenticated-iot.json
-}

tf/iot.tf

@@ -2,11 +2,11 @@ data "aws_iot_endpoint" "current" {
   endpoint_type = "iot:Data-ATS"
 }
 
-resource "aws_iot_policy" "unauthenticated" {
-  name   = "${var.name_prefix}-unauthenticated"
-  policy = data.aws_iam_policy_document.unauthenticated-iot.json
-}
-resource "aws_iot_policy" "authenticated" {
-  name   = "${var.name_prefix}-authenticated"
-  policy = data.aws_iam_policy_document.authenticated-iot.json
-}
+#resource "aws_iot_policy" "unauthenticated" {
+#  name   = "${var.name_prefix}-unauthenticated"
+#  policy = data.aws_iam_policy_document.unauthenticated-iot.json
+#}
+#resource "aws_iot_policy" "authenticated" {
+#  name   = "${var.name_prefix}-authenticated"
+#  policy = data.aws_iam_policy_document.authenticated-iot.json
+#}

tf/outputs.tf

@@ -21,19 +21,25 @@ locals {
   frontend_config = {
     aws_region = data.aws_region.current.name
 
-    iot_endpoint                     = data.aws_iot_endpoint.current.endpoint_address
-    iot_topic_prefix                 = "${var.name_prefix}"
-    iot_iam_role_arn_unauthenticated = aws_iam_role.unauthenticated-mqtt.arn
-    iot_iam_role_arn_authenticated   = aws_iam_role.authenticated-mqtt.arn
+    iot_endpoint     = data.aws_iot_endpoint.current.endpoint_address
+    iot_topic_prefix = "${var.name_prefix}"
+
+    dynamodb_table_name = var.name_prefix
 
-    dynamodb_table_name     = var.name_prefix
-    identity_pool_id        = aws_cognito_identity_pool.pool.id
     user_pool_issuer        = "${aws_cognito_user_pool.pool.endpoint}"
     user_pool_authorize_url = "${local.cognito_url}/oauth2/authorize"
     user_pool_token_url     = "${local.cognito_url}/oauth2/token"
     user_pool_client_id     = aws_cognito_user_pool_client.identity.id
     user_pool_client_secret = aws_cognito_user_pool_client.identity.client_secret
-    tenant                  = "default"
+
+    identity_pool_id = aws_cognito_identity_pool.pool.id
+
+    iam_role_arn_unauthenticated_stage1 = aws_iam_role.unauthenticated-stage1.arn
+    iam_role_arn_unauthenticated_stage2 = aws_iam_role.unauthenticated-stage2.arn
+    iam_role_arn_authenticated_stage1   = aws_iam_role.authenticated-stage1.arn
+    iam_role_arn_authenticated_stage2   = aws_iam_role.authenticated-stage2.arn
+
+    tenant = "default"
   }
 
   captioner_medialive_settings = {