# App client that Grafana uses as a confidential OAuth2/OIDC client against the
# user pool declared as aws_cognito_user_pool.main.
resource "aws_cognito_user_pool_client" "grafana_prod" {
  name         = "grafana_prod"
  user_pool_id = aws_cognito_user_pool.main.id
  # Only exact matches are honoured as redirect targets, so keep this list to
  # the real Grafana origin; the path is the generic_oauth login endpoint.
  # NOTE(review): <grafana address> is a placeholder — the scheme must stay https.
  callback_urls = [
    "https://<grafana address>/login/generic_oauth"
  ]
  # Flows enabled for direct (non-hosted-UI) authentication against Cognito.
  # NOTE(review): Grafana's generic OAuth login only uses the hosted-UI "code"
  # flow below; ALLOW_CUSTOM_AUTH looks unnecessary for this client unless
  # something else authenticates with it directly — confirm before removing.
  explicit_auth_flows = [
    "ALLOW_CUSTOM_AUTH",
    "ALLOW_REFRESH_TOKEN_AUTH",
    "ALLOW_USER_SRP_AUTH"
  ]
  # Confidential client: Cognito issues a client secret that Grafana presents
  # at the token endpoint (GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET).
  generate_secret                      = true
  allowed_oauth_flows_user_pool_client = true
  # Authorization-code flow only; the implicit flow is deliberately not listed.
  allowed_oauth_flows                  = ["code"]
  # Must match the scopes Grafana requests (GF_AUTH_GENERIC_OAUTH_SCOPES).
  allowed_oauth_scopes                 = ["email", "openid", "profile"]
  # Pool-native users only; no federated (social/SAML) providers on this client.
  supported_identity_providers         = ["COGNITO"]
  # NOTE(review): consider prevent_user_existence_errors = "ENABLED" so failed
  # logins do not reveal whether a username exists — verify against the
  # provider version in use.
}

Grafana configuration (set through environment variables):

# Generic OAuth settings for Grafana, pointing at the Cognito hosted-UI endpoints.
# Any user who can authenticate to the pool gets a Grafana account created on
# first login. NOTE(review): without a role mapping (e.g.
# GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH) every such user presumably lands
# in the default role — confirm that is the intended access level.
GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP=true
# <your domain> is the Cognito hosted-UI domain prefix; the region segment
# (eu-west-1 here) must match the pool's region.
GF_AUTH_GENERIC_OAUTH_API_URL=https://<your domain>.auth.eu-west-1.amazoncognito.com/oauth2/userInfo
GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://<your domain>.auth.eu-west-1.amazoncognito.com/oauth2/authorize
GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://<your domain>.auth.eu-west-1.amazoncognito.com/oauth2/token
# Client id/secret of the "grafana_prod" app client. The secret is a credential:
# inject it from a secrets store at deploy time rather than committing a
# populated copy of this file.
GF_AUTH_GENERIC_OAUTH_CLIENT_ID=<copy from aws console>
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=<copy from aws console>
GF_AUTH_GENERIC_OAUTH_ENABLED=true
# Label shown on the Grafana login button.
GF_AUTH_GENERIC_OAUTH_NAME=GreatCognito
# Must be a subset of the client's allowed_oauth_scopes (email, openid, profile).
GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile email