AWSTemplateFormatVersion: "2010-09-09"

Parameters:
  MapName:
    Type: String

Resources:
  CognitoIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      AllowUnauthenticatedIdentities: true

  CognitoDefaultUnauthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud: !Ref CognitoIdentityPool
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: unauthenticated
            Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com

  CognitoDefaultUnauthenticatedPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CognitoDefaultUnauthenticatedPolicy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - geo:GetMapGlyphs
              - geo:GetMapSprites
              - geo:GetMapStyleDescriptor
              - geo:GetMapTile
            Resource: !Sub arn:${AWS::Partition}:geo:${AWS::Region}:${AWS::AccountId}:map/${MapName}
      Roles:
        - !Ref CognitoDefaultUnauthenticatedRole

  CognitoDefaultAuthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud: !Ref CognitoIdentityPool
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: authenticated
            Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
        Version: "2012-10-17"

  CognitoDefaultAuthenticatedPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CognitoDefaultUnauthenticatedPolicy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - geo:GetMapGlyphs
              - geo:GetMapSprites
              - geo:GetMapStyleDescriptor
              - geo:GetMapTile
            Resource: !Sub arn:${AWS::Partition}:geo:${AWS::Region}:${AWS::AccountId}:map/${MapName}
      Roles:
        - !Ref CognitoDefaultAuthenticatedRole

  CognitoIdentityPoolRoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref CognitoIdentityPool
      Roles:
        unauthenticated: !GetAtt CognitoDefaultUnauthenticatedRole.Arn
        authenticated: !GetAtt CognitoDefaultAuthenticatedRole.Arn

Outputs:
  CognitoIdentityPool:
    Value: !Ref CognitoIdentityPool