feat: pass the authentication scopes through unaltered (#45)

Author: jhosteny

.github/mergify.yml

@@ -56,3 +56,10 @@ pull_request_rules:
       changes_requested: true
       approved: true
       message: "This Pull Request has been updated, so we're dismissing all reviews."
+
+- name: "close Pull Requests without files changed"
+  conditions:
+    - "#files=0"
+  actions:
+    close:
+      message: "This pull request has been automatically closed by Mergify because there are no longer any changes."

.github/workflows/auto-format.yml

@@ -6,7 +6,7 @@ on:
 jobs:
   auto-format:
     runs-on: ubuntu-latest
-    container: cloudposse/build-harness:slim-latest
+    container: cloudposse/build-harness:latest
     steps:
     # Checkout the pull request branch
     #  "An action in a workflow run can’t trigger a new workflow run. For example, if an action pushes code using
@@ -29,6 +29,8 @@ jobs:
     - name: Auto Format
       if: github.event.pull_request.state == 'open'
       shell: bash
+      env:
+        GITHUB_TOKEN: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}"
       run: make BUILD_HARNESS_PATH=/build-harness PACKAGES_PREFER_HOST=true -f /build-harness/templates/Makefile.build-harness pr/auto-format/host
 
     # Commit changes (if any) to the PR branch

README.md

@@ -229,9 +229,9 @@ Available targets:
 
 | Name |
 |------|
-| [aws_lb_listener_rule](https://registry.terraform.io/providers/hashicorp/aws/2.42/docs/resources/lb_listener_rule) |
-| [aws_lb_target_group](https://registry.terraform.io/providers/hashicorp/aws/2.42/docs/data-sources/lb_target_group) |
-| [aws_lb_target_group](https://registry.terraform.io/providers/hashicorp/aws/2.42/docs/resources/lb_target_group) |
+| [aws_lb_listener_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule) |
+| [aws_lb_target_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/lb_target_group) |
+| [aws_lb_target_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) |
 
 ## Inputs
 
@@ -243,15 +243,15 @@ Available targets:
 | authenticated\_listener\_arns | A list of authenticated ALB listener ARNs to attach ALB listener rules to | `list(string)` | `[]` | no |
 | authenticated\_paths | Authenticated path pattern to match (a maximum of 1 can be defined) | `list(string)` | `[]` | no |
 | authenticated\_priority | The priority for the rules with authentication, between 1 and 50000 (1 being highest priority). Must be different from `unauthenticated_priority` since a listener can't have multiple rules with the same priority | `number` | `0` | no |
-| authentication\_cognito\_scope | Cognito scope | `list(string)` | `[]` | no |
+| authentication\_cognito\_scope | Cognito scope, which should be a space separated string of requested scopes (see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) | `string` | `null` | no |
 | authentication\_cognito\_user\_pool\_arn | Cognito User Pool ARN | `string` | `""` | no |
 | authentication\_cognito\_user\_pool\_client\_id | Cognito User Pool Client ID | `string` | `""` | no |
 | authentication\_cognito\_user\_pool\_domain | Cognito User Pool Domain. The User Pool Domain should be set to the domain prefix (`xxx`) instead of full domain (https://xxx.auth.us-west-2.amazoncognito.com) | `string` | `""` | no |
 | authentication\_oidc\_authorization\_endpoint | OIDC Authorization Endpoint | `string` | `""` | no |
 | authentication\_oidc\_client\_id | OIDC Client ID | `string` | `""` | no |
 | authentication\_oidc\_client\_secret | OIDC Client Secret | `string` | `""` | no |
 | authentication\_oidc\_issuer | OIDC Issuer | `string` | `""` | no |
-| authentication\_oidc\_scope | OIDC scope | `list(string)` | `[]` | no |
+| authentication\_oidc\_scope | OIDC scope, which should be a space separated string of requested scopes (see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims, and https://developers.google.com/identity/protocols/oauth2/openid-connect#scope-param for an example set of scopes when using Google as the IdP) | `string` | `null` | no |
 | authentication\_oidc\_token\_endpoint | OIDC Token Endpoint | `string` | `""` | no |
 | authentication\_oidc\_user\_info\_endpoint | OIDC User Info Endpoint | `string` | `""` | no |
 | authentication\_type | Authentication type. Supported values are `COGNITO` and `OIDC` | `string` | `""` | no |

docs/terraform.md

@@ -25,9 +25,9 @@
 
 | Name |
 |------|
-| [aws_lb_listener_rule](https://registry.terraform.io/providers/hashicorp/aws/2.42/docs/resources/lb_listener_rule) |
-| [aws_lb_target_group](https://registry.terraform.io/providers/hashicorp/aws/2.42/docs/data-sources/lb_target_group) |
-| [aws_lb_target_group](https://registry.terraform.io/providers/hashicorp/aws/2.42/docs/resources/lb_target_group) |
+| [aws_lb_listener_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule) |
+| [aws_lb_target_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/lb_target_group) |
+| [aws_lb_target_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) |
 
 ## Inputs
 
@@ -39,15 +39,15 @@
 | authenticated\_listener\_arns | A list of authenticated ALB listener ARNs to attach ALB listener rules to | `list(string)` | `[]` | no |
 | authenticated\_paths | Authenticated path pattern to match (a maximum of 1 can be defined) | `list(string)` | `[]` | no |
 | authenticated\_priority | The priority for the rules with authentication, between 1 and 50000 (1 being highest priority). Must be different from `unauthenticated_priority` since a listener can't have multiple rules with the same priority | `number` | `0` | no |
-| authentication\_cognito\_scope | Cognito scope | `list(string)` | `[]` | no |
+| authentication\_cognito\_scope | Cognito scope, which should be a space separated string of requested scopes (see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) | `string` | `null` | no |
 | authentication\_cognito\_user\_pool\_arn | Cognito User Pool ARN | `string` | `""` | no |
 | authentication\_cognito\_user\_pool\_client\_id | Cognito User Pool Client ID | `string` | `""` | no |
 | authentication\_cognito\_user\_pool\_domain | Cognito User Pool Domain. The User Pool Domain should be set to the domain prefix (`xxx`) instead of full domain (https://xxx.auth.us-west-2.amazoncognito.com) | `string` | `""` | no |
 | authentication\_oidc\_authorization\_endpoint | OIDC Authorization Endpoint | `string` | `""` | no |
 | authentication\_oidc\_client\_id | OIDC Client ID | `string` | `""` | no |
 | authentication\_oidc\_client\_secret | OIDC Client Secret | `string` | `""` | no |
 | authentication\_oidc\_issuer | OIDC Issuer | `string` | `""` | no |
-| authentication\_oidc\_scope | OIDC scope | `list(string)` | `[]` | no |
+| authentication\_oidc\_scope | OIDC scope, which should be a space separated string of requested scopes (see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims, and https://developers.google.com/identity/protocols/oauth2/openid-connect#scope-param for an example set of scopes when using Google as the IdP) | `string` | `null` | no |
 | authentication\_oidc\_token\_endpoint | OIDC Token Endpoint | `string` | `""` | no |
 | authentication\_oidc\_user\_info\_endpoint | OIDC User Info Endpoint | `string` | `""` | no |
 | authentication\_type | Authentication type. Supported values are `COGNITO` and `OIDC` | `string` | `""` | no |

main.tf

@@ -1,7 +1,5 @@
 locals {
-  target_group_arn             = var.default_target_group_enabled ? join("", aws_lb_target_group.default.*.arn) : var.target_group_arn
-  authentication_oidc_scope    = length(var.authentication_oidc_scope) > 0 ? join("%20", [for scope in var.authentication_oidc_scope : urlencode(scope)]) : null
-  authentication_cognito_scope = length(var.authentication_cognito_scope) > 0 ? join("%20", [for scope in var.authentication_cognito_scope : urlencode(scope)]) : null
+  target_group_arn = var.default_target_group_enabled ? join("", aws_lb_target_group.default.*.arn) : var.target_group_arn
 }
 
 data "aws_lb_target_group" "default" {
@@ -92,7 +90,7 @@ resource "aws_lb_listener_rule" "authenticated_paths_oidc" {
       authorization_endpoint = var.authentication_oidc_authorization_endpoint
       token_endpoint         = var.authentication_oidc_token_endpoint
       user_info_endpoint     = var.authentication_oidc_user_info_endpoint
-      scope                  = local.authentication_oidc_scope
+      scope                  = var.authentication_oidc_scope
     }
   }
 
@@ -135,7 +133,7 @@ resource "aws_lb_listener_rule" "authenticated_paths_cognito" {
       user_pool_arn       = var.authentication_cognito_user_pool_arn
       user_pool_client_id = var.authentication_cognito_user_pool_client_id
       user_pool_domain    = var.authentication_cognito_user_pool_domain
-      scope               = local.authentication_cognito_scope
+      scope               = var.authentication_cognito_scope
     }
   }
 
@@ -199,7 +197,7 @@ resource "aws_lb_listener_rule" "authenticated_hosts_oidc" {
       authorization_endpoint = var.authentication_oidc_authorization_endpoint
       token_endpoint         = var.authentication_oidc_token_endpoint
       user_info_endpoint     = var.authentication_oidc_user_info_endpoint
-      scope                  = local.authentication_oidc_scope
+      scope                  = var.authentication_oidc_scope
     }
   }
 
@@ -228,7 +226,7 @@ resource "aws_lb_listener_rule" "authenticated_hosts_cognito" {
       user_pool_arn       = var.authentication_cognito_user_pool_arn
       user_pool_client_id = var.authentication_cognito_user_pool_client_id
       user_pool_domain    = var.authentication_cognito_user_pool_domain
-      scope               = local.authentication_cognito_scope
+      scope               = var.authentication_cognito_scope
     }
   }
 
@@ -298,7 +296,7 @@ resource "aws_lb_listener_rule" "authenticated_hosts_paths_oidc" {
       authorization_endpoint = var.authentication_oidc_authorization_endpoint
       token_endpoint         = var.authentication_oidc_token_endpoint
       user_info_endpoint     = var.authentication_oidc_user_info_endpoint
-      scope                  = local.authentication_oidc_scope
+      scope                  = var.authentication_oidc_scope
     }
   }
 
@@ -333,7 +331,7 @@ resource "aws_lb_listener_rule" "authenticated_hosts_paths_cognito" {
       user_pool_arn       = var.authentication_cognito_user_pool_arn
       user_pool_client_id = var.authentication_cognito_user_pool_client_id
       user_pool_domain    = var.authentication_cognito_user_pool_domain
-      scope               = local.authentication_cognito_scope
+      scope               = var.authentication_cognito_scope
     }
   }
 

variables.tf

@@ -181,9 +181,9 @@ variable "authentication_cognito_user_pool_domain" {
 }
 
 variable "authentication_cognito_scope" {
-  type        = list(string)
-  description = "Cognito scope"
-  default     = []
+  type        = string
+  description = "Cognito scope, which should be a space separated string of requested scopes (see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims)"
+  default     = null
 }
 
 variable "authentication_oidc_client_id" {
@@ -223,9 +223,9 @@ variable "authentication_oidc_user_info_endpoint" {
 }
 
 variable "authentication_oidc_scope" {
-  type        = list(string)
-  description = "OIDC scope"
-  default     = []
+  type        = string
+  description = "OIDC scope, which should be a space separated string of requested scopes (see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims, and https://developers.google.com/identity/protocols/oauth2/openid-connect#scope-param for an example set of scopes when using Google as the IdP)"
+  default     = null
 }
 
 variable "slow_start" {