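# Cognito auth stack as generated by the Amplify CLI: a user pool with two app
# clients, custom resources for the hosted-UI domain / federated providers /
# OAuth settings, and an identity pool. Many parameters exist for the CLI's own
# bookkeeping and are never referenced by a resource in this template; they are
# marked "not referenced" below so nobody assumes they take effect here.
#
# Quoted so that YAML 1.1 parsers do not read the version as a timestamp.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  env:
    Type: String
    Description: Amplify environment name. The literal value NONE disables the per-environment suffix on resource names (see Conditions).
  authRoleArn:
    Type: String
    Description: IAM role handed to authenticated identities by IdentityPoolRoleMap.
  unauthRoleArn:
    Type: String
    Description: IAM role handed to unauthenticated (guest) identities by IdentityPoolRoleMap.
  functionscrubbed8e3a44d2CustomMessageArn:
    Type: String
    # The default is a placeholder string, not a usable ARN; the parent stack
    # must always pass the real value.
    Default: functionscrubbed8e3a44d2CustomMessageArn
    Description: ARN of the CustomMessage trigger Lambda wired into UserPool.LambdaConfig.
  functionscrubbed8e3a44d2CustomMessageName:
    Type: String
    # Placeholder default, same caveat as the ARN above.
    Default: functionscrubbed8e3a44d2CustomMessageName
    Description: Name of the CustomMessage trigger Lambda (target of the invoke permission).
  identityPoolName:
    Type: String  # not referenced: IdentityPool.IdentityPoolName is hard-coded
  allowUnauthenticatedIdentities:
    Type: String
    Description: Passed to IdentityPool.AllowUnauthenticatedIdentities; 'true' lets any caller obtain credentials for unauthRoleArn.
  resourceNameTruncated:
    Type: String  # not referenced in this template
  userPoolName:
    Type: String
    Description: Base user pool name; '-<env>' is appended unless env is NONE.
  autoVerifiedAttributes:
    Type: CommaDelimitedList
    Description: Attributes Cognito verifies automatically (UserPool.AutoVerifiedAttributes).
  mfaConfiguration:
    Type: String
    Description: UserPool.MfaConfiguration (OFF, ON or OPTIONAL).
  mfaTypes:
    Type: CommaDelimitedList  # not referenced in this template
  smsAuthenticationMessage:
    Type: String  # not referenced in this template
  smsVerificationMessage:
    Type: String
    Description: UserPool.SmsVerificationMessage.
  emailVerificationSubject:
    Type: String
    Description: UserPool.EmailVerificationSubject.
  emailVerificationMessage:
    Type: String
    Description: UserPool.EmailVerificationMessage.
  defaultPasswordPolicy:
    Type: String  # not referenced in this template
  passwordPolicyMinLength:
    Type: Number
    Description: Minimum password length; the only password rule this template enforces.
  passwordPolicyCharacters:
    Type: CommaDelimitedList  # not referenced: the Require* password flags are hard-coded to false in UserPool
  requiredAttributes:
    Type: CommaDelimitedList  # not referenced: UserPool.Schema hard-codes email as the only required attribute
  userpoolClientGenerateSecret:
    Type: String
    Description: UserPoolClient.GenerateSecret ('true'/'false'); the web client never gets a secret.
  userpoolClientRefreshTokenValidity:
    Type: Number
    Description: Refresh token lifetime for both app clients, in days (TokenValidityUnits is not set, so the default unit applies).
  userpoolClientWriteAttributes:
    Type: CommaDelimitedList  # not referenced in this template
  userpoolClientReadAttributes:
    Type: CommaDelimitedList  # not referenced in this template
  userpoolClientLambdaRole:
    Type: String
    Description: Role name used for UserPoolClientRole when env is NONE.
  userpoolClientSetAttributes:
    Type: String  # not referenced in this template
  sharedId:
    Type: String  # not referenced in this template
  resourceName:
    Type: String  # not referenced in this template
  authSelections:
    Type: String  # not referenced in this template
  useDefault:
    Type: String  # not referenced in this template
  hostedUI:
    Type: String  # not referenced in this template
  usernameAttributes:
    Type: CommaDelimitedList
    Description: UserPool.UsernameAttributes (for example email or phone_number).
  triggers:
    Type: String  # not referenced in this template
  hostedUIDomainName:
    Type: String
    Description: Cognito hosted-UI domain prefix; '-<env>' is appended unless env is NONE.
  authProvidersUserPool:
    Type: CommaDelimitedList  # not referenced in this template
  hostedUIProviderMeta:
    Type: String
    Description: JSON array of {ProviderName, authorize_scopes, AttributeMapping} entries for federated providers.
  hostedUIProviderCreds:
    Type: String
    # Carries the federated providers' client_id / client_secret pairs. NoEcho
    # masks the value in DescribeStacks, change sets and the console; it is
    # still delivered in clear to HostedUIProvidersCustomResource through its
    # ResourceProperties.
    NoEcho: true
    Description: JSON array of {ProviderName, client_id, client_secret} entries for federated providers (sensitive).
  oAuthMetadata:
    Type: String
    Description: JSON object with AllowedOAuthFlows, AllowedOAuthScopes, CallbackURLs and LogoutURLs applied to both app clients.
  userPoolGroupList:
    Type: CommaDelimitedList  # not referenced in this template
  verificationBucketName:
    Type: String
    Description: Base name of CustomMessageConfirmationBucket; '-<env>' is appended unless env is NONE.
  parentStack:
    Type: String  # not referenced in this template
  permissions:
    Type: CommaDelimitedList  # not referenced in this template
  dependsOn:
    Type: CommaDelimitedList  # not referenced in this template
Conditions:
  # env == NONE: use the bare names instead of the env-suffixed ones.
  ShouldNotCreateEnvResources: !Equals [!Ref env, NONE]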
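Resources:
  CustomMessageConfirmationBucket:
    # Holds the page the custom-message verification link redirects to.
    # WebsiteConfiguration exposes it through the S3 website endpoint, which
    # only serves objects that are themselves publicly readable; the bucket ACL
    # stays Private. Retained on stack deletion because the bucket name is
    # fixed and would otherwise be lost.
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      BucketName: !If
        - ShouldNotCreateEnvResources
        - !Ref verificationBucketName
        - !Join ['', [!Ref verificationBucketName, '-', !Ref env]]
      AccessControl: Private
      # Encrypt at rest by default (SSE-S3). The website endpoint can serve
      # SSE-S3 objects, so the redirect page keeps working.
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # NOTE(review): PublicAccessBlockConfiguration is deliberately not added.
      # If the page is uploaded with a public-read object ACL, BlockPublicAcls
      # would break the website endpoint; confirm how objects are published
      # before tightening this.
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: index.html
      # Read-only CORS from any origin; methods are limited to GET.
      CorsConfiguration:
        CorsRules:
          - AllowedHeaders:
              - Authorization
              - Content-Length
            AllowedMethods:
              - GET
            AllowedOrigins:
              - '*'
            MaxAge: 3000
  # BEGIN SNS ROLE RESOURCE
  SNSRole:
    # Assumed by Cognito (cognito-idp.amazonaws.com) to send SMS through SNS
    # for MFA and phone verification; referenced from UserPool.SmsConfiguration.
    Type: AWS::IAM::Role
    Properties:
      RoleName: !If
        - ShouldNotCreateEnvResources
        - scrubbed8e3a44d2_sns-role
        - !Join ['', ['sns', '8e3a44d2', !Select [3, !Split ['-', !Ref 'AWS::StackName']], '-', !Ref env]]
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: ''
            Effect: Allow
            Principal:
              Service: cognito-idp.amazonaws.com
            Action:
              - sts:AssumeRole
            # Confused-deputy guard: only a user pool configured with this
            # ExternalId (see UserPool.SmsConfiguration.ExternalId) can assume
            # the role. NOTE(review): an aws:SourceAccount condition would
            # additionally pin it to this account.
            Condition:
              StringEquals:
                sts:ExternalId: scrubbed8e3a44d2_role_external_id
      Policies:
        - PolicyName: scrubbed8e3a44d2-sns-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - sns:Publish
                # SMS delivery publishes to phone numbers, not to a topic, so
                # there is no topic ARN to narrow this to.
                Resource: '*'
  # BEGIN USER POOL RESOURCES
  UserPool:
    # UpdateReplacePolicy keeps the old pool (and its users) if an update
    # forces replacement. No DeletionPolicy is set, so deleting the stack
    # deletes the pool.
    Type: AWS::Cognito::UserPool
    UpdateReplacePolicy: Retain
    Properties:
      UserPoolName: !If
        - ShouldNotCreateEnvResources
        - !Ref userPoolName
        - !Join ['', [!Ref userPoolName, '-', !Ref env]]
      Schema:
        - Name: email
          Required: true
          Mutable: true
      LambdaConfig:
        # Invoke permission for this trigger is granted by
        # UserPoolCustomMessageLambdaInvokePermission below.
        CustomMessage: !Ref functionscrubbed8e3a44d2CustomMessageArn
      AutoVerifiedAttributes: !Ref autoVerifiedAttributes
      EmailVerificationMessage: !Ref emailVerificationMessage
      EmailVerificationSubject: !Ref emailVerificationSubject
      Policies:
        PasswordPolicy:
          MinimumLength: !Ref passwordPolicyMinLength
          # Every character-class requirement is hard-coded off, so the
          # minimum length is the only rule enforced. The
          # passwordPolicyCharacters parameter is declared but never applied.
          RequireLowercase: false
          RequireNumbers: false
          RequireSymbols: false
          RequireUppercase: false
      UsernameAttributes: !Ref usernameAttributes
      MfaConfiguration: !Ref mfaConfiguration
      SmsVerificationMessage: !Ref smsVerificationMessage
      SmsConfiguration:
        SnsCallerArn: !GetAtt SNSRole.Arn
        # Must equal the sts:ExternalId condition on SNSRole.
        ExternalId: scrubbed8e3a44d2_role_external_id
  UserPoolCustomMessageLambdaInvokePermission:
    # Lets Cognito invoke the custom-message trigger, restricted by SourceArn
    # to this user pool only.
    Type: AWS::Lambda::Permission
    DependsOn: UserPool
    Properties:
      Action: lambda:InvokeFunction
      Principal: cognito-idp.amazonaws.com
      FunctionName: !Ref functionscrubbed8e3a44d2CustomMessageName
      SourceArn: !GetAtt UserPool.Arn
  UserPoolClientWeb:
    # Browser app client. No client secret is generated, so this is a public
    # client; OAuth settings are applied afterwards by OAuthCustomResourceInputs.
    Type: AWS::Cognito::UserPoolClient
    DependsOn: UserPool
    Properties:
      ClientName: scrubbed8e3a44d2_app_clientWeb
      RefreshTokenValidity: !Ref userpoolClientRefreshTokenValidity
      UserPoolId: !Ref UserPool
  UserPoolClient:
    # Native app client. When GenerateSecret is true the secret is read back by
    # UserPoolClientLambda and exported as the AppClientSecret output.
    # NOTE(review): neither client sets PreventUserExistenceErrors; confirm
    # the pool is not returning user-enumerating sign-in errors.
    Type: AWS::Cognito::UserPoolClient
    DependsOn: UserPool
    Properties:
      ClientName: scrubbed8e3a44d2_app_client
      GenerateSecret: !Ref userpoolClientGenerateSecret
      RefreshTokenValidity: !Ref userpoolClientRefreshTokenValidity
      UserPoolId: !Ref UserPool
  # BEGIN USER POOL LAMBDA RESOURCES
  UserPoolClientRole:
    # Execution role shared by all four custom-resource Lambdas below
    # (UserPoolClientLambda, HostedUICustomResource,
    # HostedUIProvidersCustomResource, OAuthCustomResource). The AWS::IAM::Policy
    # resources attach to this single role, so every function runs with the
    # union of all of them rather than just its own permissions.
    Type: AWS::IAM::Role
    DependsOn: UserPoolClient
    Properties:
      RoleName: !If
        - ShouldNotCreateEnvResources
        - !Ref userpoolClientLambdaRole
        - !Join ['', ['upClientLambdaRole', '8e3a44d2', !Select [3, !Split ['-', !Ref 'AWS::StackName']], '-', !Ref env]]
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
  UserPoolClientLambda:
    # Custom-resource handler that reads the native app client's secret back
    # from Cognito so UserPoolClientInputs can expose it as 'appSecret'.
    # NOTE(review): nodejs10.x is end-of-life and Lambda no longer accepts new
    # functions on it. Porting means nodejs18.x or later, whose runtime bundles
    # AWS SDK v3 instead of the 'aws-sdk' v2 module used here, so all four
    # inline handlers must be updated together.
    Type: AWS::Lambda::Function
    DependsOn: UserPoolClientRole
    Properties:
      Handler: index.handler
      Runtime: nodejs10.x
      Timeout: 300
      Role: !GetAtt UserPoolClientRole.Arn
      Code:
        ZipFile: |
          const response = require('cfn-response');
          const aws = require('aws-sdk');
          const identity = new aws.CognitoIdentityServiceProvider();
          exports.handler = (event, context, callback) => {
            if (event.RequestType == 'Delete') {
              response.send(event, context, response.SUCCESS, {});
            }
            if (event.RequestType == 'Update' || event.RequestType == 'Create') {
              const params = {
                ClientId: event.ResourceProperties.clientId,
                UserPoolId: event.ResourceProperties.userpoolId
              };
              identity.describeUserPoolClient(params).promise()
                .then((res) => {
                  // Last argument is cfn-response's NoEcho flag: it masks
                  // appSecret in the CloudFormation console/DescribeStacks.
                  // cfn-response still console.log()s the full response body,
                  // so the secret does land in this function's CloudWatch Logs.
                  response.send(event, context, response.SUCCESS,
                    { appSecret: res.UserPoolClient.ClientSecret }, undefined, true);
                })
                .catch((err) => {
                  response.send(event, context, response.FAILED, { err });
                });
            }
          };
  UserPoolClientLambdaPolicy:
    # Lets the shared role read app client details for this pool only.
    Type: AWS::IAM::Policy
    DependsOn: UserPoolClientLambda
    Properties:
      PolicyName: scrubbed8e3a44d2_userpoolclient_lambda_iam_policy
      Roles:
        - !Ref UserPoolClientRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - cognito-idp:DescribeUserPoolClient
            Resource: !GetAtt UserPool.Arn
  UserPoolClientLogPolicy:
    # CloudWatch Logs access for UserPoolClientLambda, scoped to its log group.
    Type: AWS::IAM::Policy
    DependsOn: UserPoolClientLambdaPolicy
    Properties:
      PolicyName: scrubbed8e3a44d2_userpoolclient_lambda_log_policy
      Roles:
        - !Ref UserPoolClientRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            # '<log-group>:*' matches the log group ARN (which ends in ':*' and
            # is what CreateLogGroup/CreateLogStream are authorised against) as
            # well as every stream in it. The previous ':log-stream:*' pattern
            # only matched streams, so group creation could be denied.
            Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${UserPoolClientLambda}:*'
  UserPoolClientInputs:
    # Invokes UserPoolClientLambda; exposes the 'appSecret' attribute.
    Type: Custom::LambdaCallout
    DependsOn: UserPoolClientLogPolicy
    Properties:
      ServiceToken: !GetAtt UserPoolClientLambda.Arn
      clientId: !Ref UserPoolClient
      userpoolId: !Ref UserPool
  HostedUICustomResource:
    # Custom-resource handler that reconciles the pool's hosted-UI domain
    # prefix with hostedUIDomainName (create, replace, or remove).
    # NOTE(review): same end-of-life runtime caveat as UserPoolClientLambda.
    Type: AWS::Lambda::Function
    DependsOn: UserPoolClientRole
    Properties:
      Handler: index.handler
      Runtime: nodejs10.x
      Timeout: 300
      Role: !GetAtt UserPoolClientRole.Arn
      Code:
        ZipFile: |
          const response = require('cfn-response');
          const aws = require('aws-sdk');
          const identity = new aws.CognitoIdentityServiceProvider();
          exports.handler = (event, context, callback) => {
            const userPoolId = event.ResourceProperties.userPoolId;
            const inputDomainName = event.ResourceProperties.hostedUIDomainName;
            const describePool = () =>
              identity.describeUserPool({ UserPoolId: userPoolId }).promise();
            const deleteUserPoolDomain = (domainName) =>
              identity.deleteUserPoolDomain({ Domain: domainName, UserPoolId: userPoolId }).promise();
            const createUserPoolDomain = (domainName) =>
              identity.createUserPoolDomain({ Domain: domainName, UserPoolId: userPoolId }).promise();
            // Resolves true when no user pool currently owns the prefix.
            const checkDomainAvailability = (domainName) =>
              identity.describeUserPoolDomain({ Domain: domainName }).promise()
                .then((res) => !(res.DomainDescription && res.DomainDescription.UserPool))
                .catch(() => false);
            const succeed = () => { response.send(event, context, response.SUCCESS, {}); };
            const fail = (err) => {
              console.log(err);
              response.send(event, context, response.FAILED, { err });
            };
            if (event.RequestType == 'Delete') {
              // Only remove the domain if this pool still owns it. Deleting
              // unconditionally turned the rollback of a failed Create (no
              // domain yet) into a FAILED response and wedged the stack.
              describePool()
                .then((result) => (result.UserPool.Domain === inputDomainName
                  ? deleteUserPoolDomain(inputDomainName)
                  : undefined))
                .then(succeed)
                .catch(fail);
            }
            if (event.RequestType == 'Update' || event.RequestType == 'Create') {
              describePool().then((result) => {
                const currentDomain = result.UserPool.Domain;
                if (!inputDomainName) {
                  // No domain requested: drop whatever is configured now.
                  return currentDomain ? deleteUserPoolDomain(currentDomain) : undefined;
                }
                if (currentDomain === inputDomainName) {
                  return;
                }
                return checkDomainAvailability(inputDomainName).then((isDomainAvailable) => {
                  if (!isDomainAvailable) {
                    throw new Error('Domain not available');
                  }
                  if (currentDomain) {
                    return deleteUserPoolDomain(currentDomain)
                      .then(() => createUserPoolDomain(inputDomainName));
                  }
                  return createUserPoolDomain(inputDomainName);
                });
              }).then(succeed).catch(fail);
            }
          };
  HostedUICustomResourcePolicy:
    # Domain management for this pool. DescribeUserPoolDomain looks up a
    # prefix that may belong to any pool, so it cannot be scoped to this one.
    Type: AWS::IAM::Policy
    DependsOn: HostedUICustomResource
    Properties:
      PolicyName: !Join ['-', [!Ref UserPool, 'hostedUI']]
      Roles:
        - !Ref UserPoolClientRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - cognito-idp:CreateUserPoolDomain
              - cognito-idp:DescribeUserPool
              - cognito-idp:DeleteUserPoolDomain
            Resource: !GetAtt UserPool.Arn
          - Effect: Allow
            Action:
              - cognito-idp:DescribeUserPoolDomain
            Resource: '*'
  HostedUICustomResourceLogPolicy:
    # CloudWatch Logs access for HostedUICustomResource, scoped to its log group.
    Type: AWS::IAM::Policy
    DependsOn: HostedUICustomResourcePolicy
    Properties:
      PolicyName: !Join ['-', [!Ref UserPool, 'hostedUILogPolicy']]
      Roles:
        - !Ref UserPoolClientRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            # See UserPoolClientLogPolicy for why the pattern ends in ':*'.
            Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${HostedUICustomResource}:*'
  HostedUICustomResourceInputs:
    # Invokes HostedUICustomResource with the env-suffixed domain prefix.
    Type: Custom::LambdaCallout
    DependsOn: HostedUICustomResourceLogPolicy
    Properties:
      ServiceToken: !GetAtt HostedUICustomResource.Arn
      userPoolId: !Ref UserPool
      hostedUIDomainName: !If
        - ShouldNotCreateEnvResources
        - !Ref hostedUIDomainName
        - !Join ['-', [!Ref hostedUIDomainName, !Ref env]]
  HostedUIProvidersCustomResource:
    # Custom-resource handler that reconciles the pool's federated identity
    # providers with hostedUIProviderMeta / hostedUIProviderCreds: requested
    # providers are created or updated, any other existing provider is deleted.
    # NOTE(review): same end-of-life runtime caveat as UserPoolClientLambda.
    Type: AWS::Lambda::Function
    DependsOn: UserPoolClientRole
    Properties:
      Handler: index.handler
      Runtime: nodejs10.x
      Timeout: 300
      Role: !GetAtt UserPoolClientRole.Arn
      Code:
        ZipFile: |
          const response = require('cfn-response');
          const aws = require('aws-sdk');
          const identity = new aws.CognitoIdentityServiceProvider();
          exports.handler = (event, context, callback) => {
            try {
              const userPoolId = event.ResourceProperties.userPoolId;
              // hostedUIProviderMeta:  [{ProviderName, authorize_scopes, AttributeMapping}]
              // hostedUIProviderCreds: [{ProviderName, client_id, client_secret}]
              // The creds arrive in clear through ResourceProperties; never log the event.
              const hostedUIProviderMeta = JSON.parse(event.ResourceProperties.hostedUIProviderMeta);
              const hostedUIProviderCreds = JSON.parse(event.ResourceProperties.hostedUIProviderCreds);
              const fail = (err) => {
                console.log(err.stack);
                response.send(event, context, response.FAILED, { err });
              };
              if (event.RequestType == 'Delete') {
                // Providers go away with the user pool; nothing to clean up here.
                response.send(event, context, response.SUCCESS, {});
              }
              if (event.RequestType == 'Update' || event.RequestType == 'Create') {
                const getRequestParams = (providerName) => {
                  const providerMeta = hostedUIProviderMeta.find((provider) => provider.ProviderName === providerName);
                  const providerCreds = hostedUIProviderCreds.find((provider) => provider.ProviderName === providerName);
                  return {
                    ProviderDetails: {
                      client_id: providerCreds.client_id,
                      client_secret: providerCreds.client_secret,
                      authorize_scopes: providerMeta.authorize_scopes
                    },
                    ProviderName: providerMeta.ProviderName,
                    UserPoolId: userPoolId,
                    AttributeMapping: providerMeta.AttributeMapping
                  };
                };
                // ProviderType is copied from ProviderName, so names must be
                // Cognito provider type identifiers (Facebook, Google, ...).
                const createIdentityProvider = (providerName) => {
                  const requestParams = getRequestParams(providerName);
                  requestParams.ProviderType = requestParams.ProviderName;
                  return identity.createIdentityProvider(requestParams).promise();
                };
                const updateIdentityProvider = (providerName) =>
                  identity.updateIdentityProvider(getRequestParams(providerName)).promise();
                const deleteIdentityProvider = (providerName) =>
                  identity.deleteIdentityProvider({ ProviderName: providerName, UserPoolId: userPoolId }).promise();
                // NOTE(review): a single page of 60 providers is read; no pagination.
                identity.listIdentityProviders({ UserPoolId: userPoolId, MaxResults: 60 }).promise()
                  .then((result) => {
                    const existing = result.Providers.map((provider) => provider.ProviderName);
                    const requested = hostedUIProviderMeta.map((provider) => provider.ProviderName);
                    const providerPromises = [];
                    requested.forEach((providerName) => {
                      providerPromises.push(existing.includes(providerName)
                        ? updateIdentityProvider(providerName)
                        : createIdentityProvider(providerName));
                    });
                    existing.forEach((providerName) => {
                      if (!requested.includes(providerName)) {
                        providerPromises.push(deleteIdentityProvider(providerName));
                      }
                    });
                    return Promise.all(providerPromises);
                  })
                  .then(() => { response.send(event, context, response.SUCCESS, {}); })
                  .catch(fail);
              }
            } catch (err) {
              console.log(err.stack);
              response.send(event, context, response.FAILED, { err });
            }
          };
  HostedUIProvidersCustomResourcePolicy:
    # Identity-provider management, scoped to this pool.
    Type: AWS::IAM::Policy
    DependsOn: HostedUIProvidersCustomResource
    Properties:
      PolicyName: !Join ['-', [!Ref UserPool, 'hostedUIProvider']]
      Roles:
        - !Ref UserPoolClientRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - cognito-idp:CreateIdentityProvider
              - cognito-idp:UpdateIdentityProvider
              - cognito-idp:ListIdentityProviders
              - cognito-idp:DeleteIdentityProvider
            Resource: !GetAtt UserPool.Arn
  HostedUIProvidersCustomResourceLogPolicy:
    # CloudWatch Logs access for HostedUIProvidersCustomResource.
    Type: AWS::IAM::Policy
    DependsOn: HostedUIProvidersCustomResourcePolicy
    Properties:
      PolicyName: !Join ['-', [!Ref UserPool, 'hostedUIProviderLogPolicy']]
      Roles:
        - !Ref UserPoolClientRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            # See UserPoolClientLogPolicy for why the pattern ends in ':*'.
            Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${HostedUIProvidersCustomResource}:*'
  HostedUIProvidersCustomResourceInputs:
    # Invokes HostedUIProvidersCustomResource. hostedUIProviderCreds carries
    # provider client secrets; they are passed to the function in clear.
    Type: Custom::LambdaCallout
    DependsOn: HostedUIProvidersCustomResourceLogPolicy
    Properties:
      ServiceToken: !GetAtt HostedUIProvidersCustomResource.Arn
      userPoolId: !Ref UserPool
      hostedUIProviderMeta: !Ref hostedUIProviderMeta
      hostedUIProviderCreds: !Ref hostedUIProviderCreds
  OAuthCustomResource:
    # Custom-resource handler that applies the OAuth settings in oAuthMetadata
    # to both app clients. Runs after the providers exist (DependsOn) because
    # SupportedIdentityProviders must name existing providers.
    # NOTE(review): same end-of-life runtime caveat as UserPoolClientLambda.
    Type: AWS::Lambda::Function
    DependsOn: HostedUIProvidersCustomResourceInputs
    Properties:
      Handler: index.handler
      Runtime: nodejs10.x
      Timeout: 300
      Role: !GetAtt UserPoolClientRole.Arn
      Code:
        ZipFile: |
          const response = require('cfn-response');
          const aws = require('aws-sdk');
          const identity = new aws.CognitoIdentityServiceProvider();
          exports.handler = (event, context, callback) => {
            try {
              const userPoolId = event.ResourceProperties.userPoolId;
              const webClientId = event.ResourceProperties.webClientId;
              const nativeClientId = event.ResourceProperties.nativeClientId;
              const refreshTokenValidity = event.ResourceProperties.refreshTokenValidity;
              const hostedUIProviderMeta = JSON.parse(event.ResourceProperties.hostedUIProviderMeta);
              const oAuthMetadata = JSON.parse(event.ResourceProperties.oAuthMetadata);
              // Every federated provider plus the pool's own directory.
              const providerList = hostedUIProviderMeta.map((provider) => provider.ProviderName);
              providerList.push('COGNITO');
              if (event.RequestType == 'Delete') {
                response.send(event, context, response.SUCCESS, {});
              }
              if (event.RequestType == 'Update' || event.RequestType == 'Create') {
                // CallbackURLs / LogoutURLs are the only allow-list for where the
                // hosted UI may redirect after login; they are applied verbatim.
                const baseParams = {
                  UserPoolId: userPoolId,
                  AllowedOAuthFlows: oAuthMetadata.AllowedOAuthFlows,
                  AllowedOAuthFlowsUserPoolClient: true,
                  AllowedOAuthScopes: oAuthMetadata.AllowedOAuthScopes,
                  CallbackURLs: oAuthMetadata.CallbackURLs,
                  LogoutURLs: oAuthMetadata.LogoutURLs,
                  SupportedIdentityProviders: providerList
                };
                // UpdateUserPoolClient resets attributes it is not given to their
                // defaults, so re-send the refresh token lifetime the
                // AWS::Cognito::UserPoolClient resources configured (when passed).
                if (refreshTokenValidity !== undefined && refreshTokenValidity !== '') {
                  baseParams.RefreshTokenValidity = Number(refreshTokenValidity);
                }
                // One request object per client (the old code mutated a shared
                // object between the two calls).
                Promise.all([webClientId, nativeClientId].map((clientId) =>
                  identity.updateUserPoolClient({ ...baseParams, ClientId: clientId }).promise()))
                  .then(() => { response.send(event, context, response.SUCCESS, {}); })
                  .catch((err) => {
                    console.log(err.stack);
                    response.send(event, context, response.FAILED, { err });
                  });
              }
            } catch (err) {
              console.log(err.stack);
              response.send(event, context, response.FAILED, { err });
            }
          };
  OAuthCustomResourcePolicy:
    # App-client updates, scoped to this pool.
    Type: AWS::IAM::Policy
    DependsOn: OAuthCustomResource
    Properties:
      PolicyName: !Join ['-', [!Ref UserPool, 'OAuth']]
      Roles:
        - !Ref UserPoolClientRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - cognito-idp:UpdateUserPoolClient
            Resource: !GetAtt UserPool.Arn
  OAuthCustomResourceLogPolicy:
    # CloudWatch Logs access for OAuthCustomResource.
    Type: AWS::IAM::Policy
    DependsOn: OAuthCustomResourcePolicy
    Properties:
      PolicyName: !Join ['-', [!Ref UserPool, 'OAuthLogPolicy']]
      Roles:
        - !Ref UserPoolClientRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            # See UserPoolClientLogPolicy for why the pattern ends in ':*'.
            Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${OAuthCustomResource}:*'
  OAuthCustomResourceInputs:
    # Invokes OAuthCustomResource for both app clients.
    Type: Custom::LambdaCallout
    DependsOn: OAuthCustomResourceLogPolicy
    Properties:
      ServiceToken: !GetAtt OAuthCustomResource.Arn
      userPoolId: !Ref UserPool
      hostedUIProviderMeta: !Ref hostedUIProviderMeta
      oAuthMetadata: !Ref oAuthMetadata
      webClientId: !Ref UserPoolClientWeb
      nativeClientId: !Ref UserPoolClient
      # Re-sent so the OAuth update does not reset the lifetime set on the clients.
      refreshTokenValidity: !Ref userpoolClientRefreshTokenValidity
  # BEGIN IDENTITY POOL RESOURCES
  IdentityPool:
    # The name is hard-coded; the identityPoolName parameter is not used.
    # NOTE(review): AllowUnauthenticatedIdentities=true hands unauthRoleArn
    # credentials to any caller of GetId, so keep it false unless guests really
    # need AWS access. ServerSideTokenCheck is not enabled on the providers,
    # so a disabled or deleted user keeps access until their tokens expire.
    Type: AWS::Cognito::IdentityPool
    DependsOn: UserPoolClientInputs
    Properties:
      IdentityPoolName: !If
        - ShouldNotCreateEnvResources
        - scrubbed8e3a44d2_identitypool_8e3a44d2
        - !Join ['', ['scrubbed8e3a44d2_identitypool_8e3a44d2', '__', !Ref env]]
      CognitoIdentityProviders:
        - ClientId: !Ref UserPoolClient
          ProviderName: !Sub 'cognito-idp.${AWS::Region}.amazonaws.com/${UserPool}'
        - ClientId: !Ref UserPoolClientWeb
          ProviderName: !Sub 'cognito-idp.${AWS::Region}.amazonaws.com/${UserPool}'
      AllowUnauthenticatedIdentities: !Ref allowUnauthenticatedIdentities
  IdentityPoolRoleMap:
    # Maps the authenticated / unauthenticated roles onto the identity pool.
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    DependsOn: IdentityPool
    Properties:
      IdentityPoolId: !Ref IdentityPool
      Roles:
        unauthenticated: !Ref unauthRoleArn
        authenticated: !Ref authRoleArn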
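Outputs:
  IdentityPoolId:
    Value: !Ref IdentityPool
    Description: Id for the identity pool
  IdentityPoolName:
    Value: !GetAtt IdentityPool.Name
    Description: Name of the identity pool
  HostedUIDomain:
    Value: !If
      - ShouldNotCreateEnvResources
      - !Ref hostedUIDomainName
      - !Join ['-', [!Ref hostedUIDomainName, !Ref env]]
    Description: Hosted-UI domain prefix configured by HostedUICustomResourceInputs
  OAuthMetadata:
    Value: !Ref oAuthMetadata
    Description: OAuth settings (flows, scopes, callback/logout URLs) applied to both app clients
  UserPoolId:
    Value: !Ref UserPool
    Description: Id for the user pool
  UserPoolName:
    # Echoes the parameter, not the env-suffixed name the pool was actually
    # given; use UserPoolId to locate the pool.
    Value: !Ref userPoolName
    Description: Base user pool name (without the environment suffix)
  AppClientIDWeb:
    Value: !Ref UserPoolClientWeb
    Description: The user pool app client id for web
  AppClientID:
    Value: !Ref UserPoolClient
    Description: The user pool app client id
  AppClientSecret:
    # NOTE(review): stack outputs are readable by any principal with
    # cloudformation:DescribeStacks and are shown in the console, so this
    # discloses the app client secret there. Consumers must treat it as
    # sensitive; a Secrets Manager or SSM SecureString reference would be the
    # safer channel.
    Value: !GetAtt UserPoolClientInputs.appSecret
    Description: The user pool app client secret (sensitive)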