Created
January 2, 2020 09:14
-
-
Save phanviet/7a3575aca11862e32babda275efdad66 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AWSTemplateFormatVersion: 2010-09-09 | |
| Description: Cognito | |
| Parameters: | |
| AppName: | |
| Type: String | |
| Description: App name | |
| DeploymentBucket: | |
| Type: String | |
| Description: Deployment Bucket | |
| BaseTable: | |
| Type: String | |
| FacebookClientId: | |
| Type: String | |
| FacebookClientSecret: | |
| Type: String | |
| Resources: | |
| UserPool: | |
| Type: "AWS::Cognito::UserPool" | |
| Properties: | |
| UserPoolName: !Sub ${AppName}_userpool | |
| UsernameAttributes: ["email"] | |
| MfaConfiguration: "OFF" | |
| AutoVerifiedAttributes: ["email"] | |
| Policies: | |
| PasswordPolicy: | |
| MinimumLength: 6 | |
| Schema: | |
| - Name: email | |
| AttributeDataType: String | |
| Mutable: true | |
| Required: false | |
| LambdaConfig: | |
| PreSignUp: !GetAtt PreSignUpFunction.Arn | |
| PostConfirmation: !GetAtt PostConfirmationFunction.Arn | |
| UserPoolFacebookIdentityProvider: | |
| Type: AWS::Cognito::UserPoolIdentityProvider | |
| Properties: | |
| UserPoolId: !Ref UserPool | |
| ProviderName: Facebook | |
| ProviderType: Facebook | |
| ProviderDetails: | |
| client_id: !Ref FacebookClientId | |
| client_secret: !Ref FacebookClientSecret | |
| authorize_scopes: public_profile,email | |
| AttributeMapping: | |
| email: email | |
| UserPoolWebClient: | |
| Type: "AWS::Cognito::UserPoolClient" | |
| DependsOn: | |
| - UserPoolFacebookIdentityProvider | |
| Properties: | |
| ClientName: !Sub ${AppName}_web_client | |
| GenerateSecret: false | |
| UserPoolId: !Ref UserPool | |
| CallbackURLs: ["http://localhost:8080/"] | |
| SupportedIdentityProviders: ["Facebook"] | |
| AllowedOAuthFlows: ['code', 'implicit'] | |
| AllowedOAuthScopes: ['openid', 'email', 'phone'] | |
| UserPoolDrummerClient: | |
| Type: "AWS::Cognito::UserPoolClient" | |
| DependsOn: | |
| - UserPoolFacebookIdentityProvider | |
| Properties: | |
| ClientName: !Sub ${AppName}_drummer_client | |
| GenerateSecret: false | |
| UserPoolId: !Ref UserPool | |
| CallbackURLs: ["myapp://signedIn"] | |
| SupportedIdentityProviders: ["Facebook"] | |
| AllowedOAuthFlows: ['code', 'implicit'] | |
| AllowedOAuthScopes: ['openid', 'email', 'phone'] | |
| UserPoolDomain: | |
| Type: AWS::Cognito::UserPoolDomain | |
| Properties: | |
| UserPoolId: !Ref UserPool | |
| Domain: vp-practice-domain | |
| PostConfirmationFunction: | |
| Type: AWS::Lambda::Function | |
| Properties: | |
| FunctionName: !Sub ${AppName}PostConfirmation | |
| Handler: "index.handler" | |
| Runtime: "nodejs12.x" | |
| Role: !GetAtt PostConfirmationRole.Arn | |
| Environment: | |
| Variables: | |
| BaseTable: !Ref BaseTable | |
| Code: | |
| S3Bucket: !Ref DeploymentBucket | |
| S3Key: !Sub "lambdas/${AppName}PostConfirmation.zip" | |
| PreSignUpFunction: | |
| Type: AWS::Lambda::Function | |
| Properties: | |
| FunctionName: !Sub ${AppName}PreSignUp | |
| Handler: "index.handler" | |
| Runtime: "nodejs12.x" | |
| Role: !GetAtt PreSignUpRole.Arn | |
| Environment: | |
| Variables: | |
| BaseTable: !Ref BaseTable | |
| Code: | |
| S3Bucket: !Ref DeploymentBucket | |
| S3Key: !Sub "lambdas/${AppName}PreSignUp.zip" | |
| PostConfirmationRole: | |
| Type: AWS::IAM::Role | |
| Properties: | |
| RoleName: !Sub ${AppName}_post_confirmation | |
| AssumeRolePolicyDocument: | |
| Version: '2012-10-17' | |
| Statement: | |
| - Effect: Allow | |
| Principal: | |
| Service: | |
| - lambda.amazonaws.com | |
| Action: | |
| - sts:AssumeRole | |
| PreSignUpRole: | |
| Type: AWS::IAM::Role | |
| Properties: | |
| RoleName: !Sub ${AppName}_pre_signup | |
| AssumeRolePolicyDocument: | |
| Version: '2012-10-17' | |
| Statement: | |
| - Effect: Allow | |
| Principal: | |
| Service: | |
| - lambda.amazonaws.com | |
| Action: | |
| - sts:AssumeRole | |
| PreSignUpPolicy: | |
| Type: AWS::IAM::Policy | |
| Properties: | |
| PolicyName: !Sub ${AppName}PreSignUp | |
| Roles: | |
| - !Ref PreSignUpRole | |
| PolicyDocument: | |
| Version: '2012-10-17' | |
| Statement: | |
| - Effect: Allow | |
| Action: | |
| - logs:CreateLogGroup | |
| - logs:CreateLogStream | |
| - logs:PutLogEvents | |
| Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${PreSignUpFunction}:log-stream:* | |
| - Effect: Allow | |
| Action: | |
| - cognito-idp:* | |
| Resource: !Sub arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/${UserPool} | |
| PostConfirmationPolicy: | |
| Type: AWS::IAM::Policy | |
| Properties: | |
| PolicyName: !Sub ${AppName}PostConfirmation | |
| Roles: | |
| - !Ref PostConfirmationRole | |
| PolicyDocument: | |
| Version: '2012-10-17' | |
| Statement: | |
| - Effect: Allow | |
| Action: | |
| - logs:CreateLogGroup | |
| - logs:CreateLogStream | |
| - logs:PutLogEvents | |
| Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${PostConfirmationFunction}:log-stream:* | |
| - Effect: Allow | |
| Action: | |
| - dynamodb:PutItem | |
| Resource: | |
| - !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${BaseTable} | |
| - Effect: Allow | |
| Action: | |
| - cognito-idp:* | |
| Resource: !Sub arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/${UserPool} | |
| LambdaPermission: | |
| Type: AWS::Lambda::Permission | |
| Properties: | |
| Action: lambda:invokeFunction | |
| FunctionName: !GetAtt PreSignUpFunction.Arn | |
| Principal: cognito-idp.amazonaws.com | |
| SourceArn: !GetAtt UserPool.Arn | |
| PostConfirmationLambdaPermission: | |
| Type: AWS::Lambda::Permission | |
| Properties: | |
| Action: lambda:invokeFunction | |
| FunctionName: !GetAtt PostConfirmationFunction.Arn | |
| Principal: cognito-idp.amazonaws.com | |
| SourceArn: !GetAtt UserPool.Arn | |
| IdentityPool: | |
| Type: AWS::Cognito::IdentityPool | |
| Properties: | |
| IdentityPoolName: practice_identity | |
| CognitoIdentityProviders: | |
| - ClientId: !Ref UserPoolWebClient | |
| ProviderName: !Sub "cognito-idp.${AWS::Region}.amazonaws.com/${UserPool}" | |
| SupportedLoginProviders: | |
| graph.facebook.com: !Ref FacebookClientId | |
| AllowUnauthenticatedIdentities: false | |
| AuthRole: | |
| Type: AWS::IAM::Role | |
| Properties: | |
| RoleName: !Sub ${AppName}-auth-role | |
| AssumeRolePolicyDocument: | |
| Version: 2012-10-17 | |
| Statement: | |
| - Effect: Allow | |
| Principal: | |
| Federated: cognito-identity.amazonaws.com | |
| Action: sts:AssumeRoleWithWebIdentity | |
| Condition: | |
| "ForAnyValue:StringLike": | |
| "cognito-identity.amazonaws.com:amr": "authenticated" | |
| UnAuthRole: | |
| Type: AWS::IAM::Role | |
| Properties: | |
| RoleName: !Sub ${AppName}-unauth-role | |
| AssumeRolePolicyDocument: | |
| Version: 2012-10-17 | |
| Statement: | |
| - Effect: Allow | |
| Principal: | |
| Federated: cognito-identity.amazonaws.com | |
| Action: sts:AssumeRoleWithWebIdentity | |
| Condition: | |
| "ForAnyValue:StringLike": | |
| "cognito-identity.amazonaws.com:amr": "unauthenticated" | |
| IdentityPoolRoleMap: | |
| Type: AWS::Cognito::IdentityPoolRoleAttachment | |
| Properties: | |
| IdentityPoolId: !Ref IdentityPool | |
| Roles: | |
| unauthenticated: !GetAtt UnAuthRole.Arn | |
| authenticated: !GetAtt AuthRole.Arn | |
| Outputs: | |
| UserPoolId: | |
| Description: User Pool Id | |
| Value: !Ref UserPool | |
| UserPoolArn: | |
| Description: User Pool ARN | |
| Value: !GetAtt UserPool.Arn | |
| IdentityPool: | |
| Value: !Ref IdentityPool | |
| UserPoolWebClient: | |
| Description: User Pool Web Client | |
| Value: !Ref UserPoolWebClient | |
| Export: | |
| Name: UserPoolWebClient |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment