{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "Root stack for the Amplify AWS CloudFormation provider", "Parameters": { "DeploymentBucketName": { "Description": "Name of the common deployment bucket provided by the parent stack", "Type": "String", "Default": "DeploymentBucket" }, "AuthRoleName": { "Type": "String", "Default": "AuthRoleName" }, "UnauthRoleName": { "Type": "String", "Default": "UnauthRoleName" } }, "Resources": { "DeploymentBucket": { "Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain", "Properties": { "BucketName": { "Ref": "DeploymentBucketName" } } }, "AuthRole": { "Type": "AWS::IAM::Role", "Properties": { "RoleName": { "Ref": "AuthRoleName" }, "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Deny", "Principal": { "Federated": "cognito-identity.amazonaws.com" }, "Action": "sts:AssumeRoleWithWebIdentity" } ] } } }, "UnauthRole": { "Type": "AWS::IAM::Role", "Properties": { "RoleName": { "Ref": "UnauthRoleName" }, "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Deny", "Principal": { "Federated": "cognito-identity.amazonaws.com" }, "Action": "sts:AssumeRoleWithWebIdentity" } ] } } }, "authblog20122867524e2f": { "Type": "AWS::CloudFormation::Stack", "Properties": { "TemplateURL": "https://s3.amazonaws.com/amplify-blog201228-dev-201556-deployment/amplify-cfn-templates/auth/blog20122867524e2f-cloudformation-template.yml", "Parameters": { "identityPoolName": "blog20122867524e2f_identitypool_67524e2f", "allowUnauthenticatedIdentities": false, "resourceNameTruncated": "blog2067524e2f", "userPoolName": "blog20122867524e2f_userpool_67524e2f", "autoVerifiedAttributes": "email", "mfaConfiguration": "OFF", "mfaTypes": "SMS Text Message", "smsAuthenticationMessage": "Your authentication code is {####}", "smsVerificationMessage": "Your verification code is {####}", "emailVerificationSubject": "Your verification code", "emailVerificationMessage": "Your 
verification code is {####}", "defaultPasswordPolicy": false, "passwordPolicyMinLength": 8, "passwordPolicyCharacters": "", "requiredAttributes": "email", "userpoolClientGenerateSecret": true, "userpoolClientRefreshTokenValidity": 30, "userpoolClientWriteAttributes": "email", "userpoolClientReadAttributes": "email", "userpoolClientLambdaRole": "blog2067524e2f_userpoolclient_lambda_role", "userpoolClientSetAttributes": false, "sharedId": "67524e2f", "resourceName": "blog20122867524e2f", "authSelections": "identityPoolAndUserPool", "authRoleArn": { "Fn::GetAtt": [ "AuthRole", "Arn" ] }, "unauthRoleArn": { "Fn::GetAtt": [ "UnauthRole", "Arn" ] }, "useDefault": "default", "userPoolGroupList": "", "dependsOn": "", "env": "dev" } } }, "UpdateRolesWithIDPFunction": { "DependsOn": [ "AuthRole", "UnauthRole", "authblog20122867524e2f" ], "Type": "AWS::Lambda::Function", "Properties": { "Code": { "ZipFile": { "Fn::Join": [ "\n", [ "const response = require('cfn-response');", "const aws = require('aws-sdk');", "let responseData = {};", "exports.handler = function(event, context) {", " try {", " let authRoleName = event.ResourceProperties.authRoleName;", " let unauthRoleName = event.ResourceProperties.unauthRoleName;", " let idpId = event.ResourceProperties.idpId;", " let promises = [];", " let authParamsJson = { 'Version': '2012-10-17','Statement': [{'Effect': 'Allow','Principal': {'Federated': 'cognito-identity.amazonaws.com'},'Action': 'sts:AssumeRoleWithWebIdentity','Condition': {'StringEquals': {'cognito-identity.amazonaws.com:aud': idpId},'ForAnyValue:StringLike': {'cognito-identity.amazonaws.com:amr': 'authenticated'}}}]};", " let unauthParamsJson = { 'Version': '2012-10-17','Statement': [{'Effect': 'Allow','Principal': {'Federated': 'cognito-identity.amazonaws.com'},'Action': 'sts:AssumeRoleWithWebIdentity','Condition': {'StringEquals': {'cognito-identity.amazonaws.com:aud': idpId},'ForAnyValue:StringLike': {'cognito-identity.amazonaws.com:amr': 
'unauthenticated'}}}]};", " if (event.RequestType == 'Delete') {", " delete authParamsJson.Statement[0].Condition;", " delete unauthParamsJson.Statement[0].Condition;", " let authParams = { PolicyDocument: JSON.stringify(authParamsJson),RoleName: authRoleName};", " let unauthParams = {PolicyDocument: JSON.stringify(unauthParamsJson),RoleName: unauthRoleName};", " const iam = new aws.IAM({ apiVersion: '2010-05-08', region: event.ResourceProperties.region});", " promises.push(iam.updateAssumeRolePolicy(authParams).promise());", " promises.push(iam.updateAssumeRolePolicy(unauthParams).promise());", " Promise.all(promises)", " .then((res) => {", " console.log(\"delete response data\" + JSON.stringify(res));", " response.send(event, context, response.SUCCESS, {});", " });", " }", " if (event.RequestType == 'Update' || event.RequestType == 'Create') {", " const iam = new aws.IAM({ apiVersion: '2010-05-08', region: event.ResourceProperties.region});", " let authParams = { PolicyDocument: JSON.stringify(authParamsJson),RoleName: authRoleName};", " let unauthParams = {PolicyDocument: JSON.stringify(unauthParamsJson),RoleName: unauthRoleName};", " promises.push(iam.updateAssumeRolePolicy(authParams).promise());", " promises.push(iam.updateAssumeRolePolicy(unauthParams).promise());", " Promise.all(promises)", " .then((res) => {", " console.log(\"createORupdate\" + res);", " console.log(\"response data\" + JSON.stringify(res));", " response.send(event, context, response.SUCCESS, {});", " });", " }", " } catch(err) {", " console.log(err.stack);", " responseData = {Error: err};", " response.send(event, context, response.FAILED, responseData);", " throw err;", " }", "};" ] ] } }, "Handler": "index.handler", "Runtime": "nodejs10.x", "Timeout": "300", "Role": { "Fn::GetAtt": [ "UpdateRolesWithIDPFunctionRole", "Arn" ] } } }, "UpdateRolesWithIDPFunctionOutputs": { "Type": "Custom::LambdaCallout", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "UpdateRolesWithIDPFunction", "Arn" ] 
}, "region": { "Ref": "AWS::Region" }, "idpId": { "Fn::GetAtt": [ "authblog20122867524e2f", "Outputs.IdentityPoolId" ] }, "authRoleName": { "Ref": "AuthRoleName" }, "unauthRoleName": { "Ref": "UnauthRoleName" } } }, "UpdateRolesWithIDPFunctionRole": { "Type": "AWS::IAM::Role", "Properties": { "RoleName": { "Fn::Join": [ "", [ { "Ref": "AuthRoleName" }, "-idp" ] ] }, "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "lambda.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] } ] }, "Policies": [ { "PolicyName": "UpdateRolesWithIDPFunctionPolicy", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:*" }, { "Effect": "Allow", "Action": "iam:UpdateAssumeRolePolicy", "Resource": { "Fn::GetAtt": [ "AuthRole", "Arn" ] } }, { "Effect": "Allow", "Action": "iam:UpdateAssumeRolePolicy", "Resource": { "Fn::GetAtt": [ "UnauthRole", "Arn" ] } } ] } } ] } } }, "Outputs": { "Region": { "Description": "CloudFormation provider root stack Region", "Value": { "Ref": "AWS::Region" }, "Export": { "Name": { "Fn::Sub": "${AWS::StackName}-Region" } } }, "StackName": { "Description": "CloudFormation provider root stack name", "Value": { "Ref": "AWS::StackName" }, "Export": { "Name": { "Fn::Sub": "${AWS::StackName}-StackName" } } }, "StackId": { "Description": "CloudFormation provider root stack ID", "Value": { "Ref": "AWS::StackId" }, "Export": { "Name": { "Fn::Sub": "${AWS::StackName}-StackId" } } }, "DeploymentBucketName": { "Description": "CloudFormation provider root stack deployment bucket name", "Value": { "Ref": "DeploymentBucketName" }, "Export": { "Name": { "Fn::Sub": "${AWS::StackName}-DeploymentBucketName" } } }, "AuthRoleArn": { "Value": { "Fn::GetAtt": [ "AuthRole", "Arn" ] } }, "UnauthRoleArn": { "Value": { "Fn::GetAtt": [ "UnauthRole", "Arn" ] } }, "AuthRoleName": { 
"Value": { "Ref": "AuthRole" } }, "UnauthRoleName": { "Value": { "Ref": "UnauthRole" } } } }