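├── .gitignore
└── 2024-08-23-cognito
    ├── variables.tf
    ├── README.md
    └── main.tf

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Local state records every resource id (user pool, domain, app client, user)
# and may carry sensitive values; it must never be committed. The previous
# pattern ".terraform.tfstate*" only matched the transient lock file
# (.terraform.tfstate.lock.info) and left terraform.tfstate and
# terraform.tfstate.backup trackable.
*.tfstate
*.tfstate.*
.terraform/
# Optional per-user variable overrides (see README) stay local too.
*.tfvars
--------------------------------------------------------------------------------
/2024-08-23-cognito/variables.tf:
--------------------------------------------------------------------------------
# Region the user pool is created in. main.tf also embeds it in the
# Hosted UI hostname of the login_url output.
variable "region" {
  description = "Which AWS region to use"
  type        = string
  default     = "us-east-2"
}

# Address of the single account the pool will hold. main.tf uses the part
# after "@" as the user pool name and creates one pre-verified Cognito user
# with this address as its username.
variable "user_mail_address" {
  description = "Email address of the user you'll be signing up for Tailscale with"
  type        = string
  default     = "me@example.com"
}
--------------------------------------------------------------------------------
/2024-08-23-cognito/README.md:
--------------------------------------------------------------------------------
[2024-08-23 - Using Tailscale with Cognito on your own domain (for free!)](https://mwinters.net/blog/techblah-using-tailscale-with-cognito-on-your-own-domain-for-free/)

**Usage:**
1) Edit variables.tf to set `user_mail_address`, and `region` if you prefer a different one. (Alternatively, put the values in a `terraform.tfvars` file; that file is git-ignored so your address does not end up in version control.)
1) Run `terraform init`, `terraform plan` and `terraform apply`. The temporary password will be emailed to you, and the login URL will be provided as a terraform output.
1) Continue from Step 4 in the blog post!

*Note:* If the `login_url` output is missing the domain prefix after the first apply (Cognito is eventually consistent), just run `terraform apply` again to get the correct URL.

*Security notes:*
- The login URL is a public Hosted UI page: anyone who finds it can attempt to sign in. Cognito enables self-service sign-up unless `admin_create_user_config { allow_admin_create_user_only = true }` is set on the pool, so confirm in the AWS console that the "Sign up" link is not offered before using the pool as your Tailscale identity provider.
- `terraform.tfstate` contains the ids of everything created here; keep it local (the `.gitignore` covers it) and treat it like any other credential-adjacent file.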
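--------------------------------------------------------------------------------
/2024-08-23-cognito/main.tf:
--------------------------------------------------------------------------------
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.84"
    }
  }
  required_version = ">= 1.2.0"
}

provider "aws" {
  region = var.region
}

locals {
  # Tailscale's OIDC redirect endpoint. Referenced by both the app client's
  # callback_urls and the login_url output so the two can never drift apart.
  tailscale_callback_url = "https://login.tailscale.com/a/oauth_response"
  # Scopes granted to the app client; the login_url output joins them with "+".
  oauth_scopes = ["email", "openid", "profile"]
}

# The user pool, named after the mail domain of user_mail_address
# (e.g. "example.com" for "me@example.com").
resource "aws_cognito_user_pool" "pool" {
  name                = split("@", var.user_mail_address)[1]
  user_pool_tier      = "LITE"
  username_attributes = ["email"]

  # The pool is meant to hold exactly the one user created below. Cognito's
  # default allows self-service sign-up, which the Hosted UI login page
  # exposes as a "Sign up" link; since login_url is reachable by anyone,
  # restrict account creation to the AWS account (i.e. to this Terraform).
  admin_create_user_config {
    allow_admin_create_user_only = true
  }

  # NOTE(review): MFA is off (provider default), so the IdP behind the tailnet
  # is password-only. Consider mfa_configuration = "OPTIONAL" with
  # software_token_mfa_configuration { enabled = true } once TOTP enrolment
  # is handled -- confirm the LITE tier supports it before enabling.
}

# Hosted UI domain prefix, derived from the pool id
# (e.g. "us-east-2_AbCdEfGhI" -> "abcdefghimw"). The prefix must be unique
# across Cognito in this region; the trailing "mw" is a cheap way to avoid
# clashing with other copies of this configuration.
resource "aws_cognito_user_pool_domain" "main" {
  domain       = "${lower(split("_", aws_cognito_user_pool.pool.id)[1])}mw" # so my millions of followers don't clash
  user_pool_id = aws_cognito_user_pool.pool.id
}

# App client used by Tailscale. Authorization-code flow only, with the
# redirect pinned to Tailscale's callback so an authorization code can never
# be sent anywhere else. No client secret is generated (provider default).
resource "aws_cognito_user_pool_client" "client" {
  name                                 = "Tailscale"
  user_pool_id                         = aws_cognito_user_pool.pool.id
  callback_urls                        = [local.tailscale_callback_url]
  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_flows                  = ["code"]
  allowed_oauth_scopes                 = local.oauth_scopes
  supported_identity_providers         = ["COGNITO"]
  # Return a generic error for unknown users so the login page cannot be
  # used to enumerate which addresses exist in the pool.
  prevent_user_existence_errors = "ENABLED"
}

# The single, pre-verified account. No temporary_password is given, so
# Cognito generates one and mails it to the address (see README).
resource "aws_cognito_user" "user" {
  user_pool_id = aws_cognito_user_pool.pool.id
  username     = var.user_mail_address
  attributes = {
    email          = var.user_mail_address
    email_verified = true
  }
}

# Ready-made Hosted UI login link. The domain prefix is taken from the
# aws_cognito_user_pool_domain resource (the value Terraform itself set)
# rather than the pool's computed `domain` attribute, which is read back
# from the API and may still be empty on the first apply.
output "login_url" {
  description = "Cognito login URL"
  value       = "https://${aws_cognito_user_pool_domain.main.domain}.auth.${var.region}.amazoncognito.com/login?client_id=${aws_cognito_user_pool_client.client.id}&response_type=code&scope=${join("+", local.oauth_scopes)}&redirect_uri=${urlencode(local.tailscale_callback_url)}"
}
--------------------------------------------------------------------------------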