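# Amplify-generated Cognito auth stack (see the stack Description at the bottom):
# a user pool with an SMS-capable IAM role, two app clients, a small custom
# resource that reads the app client secret, and an identity pool wired to the
# auth/unauth roles supplied by the parent stack.
AWSTemplateFormatVersion: '2010-09-09'

# Many parameters below (authRoleName, unauthRoleName, thirdPartyAuth, the
# openId*/mfa* group, passwordPolicyCharacters, requiredAttributes, ...) are
# not referenced by any resource in this template. They are kept because the
# calling stack passes them and CloudFormation rejects unknown parameters.
Parameters:
  env:
    Type: String
  authRoleName:
    Type: String
  unauthRoleName:
    Type: String
  authRoleArn:
    Type: String
  unauthRoleArn:
    Type: String
  identityPoolName:
    Type: String
  allowUnauthenticatedIdentities:
    Type: String
  thirdPartyAuth:
    Type: String
  lambdaLogPolicy:
    Type: String
  openIdLambdaRoleName:
    Type: String
  openIdRolePolicy:
    Type: String
  openIdLambdaIAMPolicy:
    Type: String
  openIdLogPolicy:
    Type: String
  userPoolName:
    Type: String
  autoVerifiedAttributes:
    Type: CommaDelimitedList
  mfaConfiguration:
    Type: String
  mfaTypes:
    Type: CommaDelimitedList
  roleName:
    Type: String
  roleExternalId:
    Type: String
  policyName:
    Type: String
  smsAuthenticationMessage:
    Type: String
  smsVerificationMessage:
    Type: String
  emailVerificationSubject:
    Type: String
  emailVerificationMessage:
    Type: String
  defaultPasswordPolicy:
    Type: String
  passwordPolicyMinLength:
    Type: Number
  passwordPolicyCharacters:
    Type: CommaDelimitedList
  requiredAttributes:
    Type: CommaDelimitedList
  userpoolClientName:
    Type: String
  userpoolClientGenerateSecret:
    Type: String
  userpoolClientRefreshTokenValidity:
    Type: Number
  userpoolClientReadAttributes:
    Type: CommaDelimitedList
  mfaLambdaRole:
    Type: String
  mfaLambdaLogPolicy:
    Type: String
  mfaPassRolePolicy:
    Type: String
  mfaLambdaIAMPolicy:
    Type: String
  userpoolClientLambdaRole:
    Type: String
  userpoolClientLogPolicy:
    Type: String
  userpoolClientLambdaPolicy:
    Type: String
  userpoolClientSetAttributes:
    Type: String
  useDefault:
    Type: String
  resourceName:
    Type: String
  authSelections:
    Type: String

Conditions:
  # env == NONE means "no environment suffix": resource names are used as given
  # instead of being suffixed with "-<env>".
  ShouldNotCreateEnvResources:
    Fn::Equals:
      - Ref: env
      - NONE

Resources:
  # Role Cognito assumes to deliver SMS (MFA / verification codes).
  SNSRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::If:
          - ShouldNotCreateEnvResources
          - Ref: roleName
          - Fn::Join:
              - ''
              - - Ref: roleName
                - '-'
                - Ref: env
      # Trust is limited to the Cognito service principal AND requires the
      # caller to present roleExternalId (the same value set in
      # UserPool.SmsConfiguration.ExternalId below). The ExternalId condition
      # is the confused-deputy mitigation: another account's user pool cannot
      # assume this role just because it is also cognito-idp.amazonaws.com.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: ''
            Effect: Allow
            Principal:
              Service: cognito-idp.amazonaws.com
            Action:
              - sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId:
                  Ref: roleExternalId
      Policies:
        - PolicyName:
            Ref: policyName
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # sns:Publish on '*' is what Cognito's SMS delivery requires
              # (messages go to phone numbers, not to a topic this stack owns),
              # so the resource cannot be narrowed further here. Keep this role
              # dedicated to Cognito; do not attach it anywhere else.
              - Effect: Allow
                Action:
                  - sns:Publish
                Resource: '*'

  UserPool:
    Type: AWS::Cognito::UserPool
    # If a property change forces replacement, the old pool (and its users) is
    # kept rather than deleted.
    UpdateReplacePolicy: Retain
    Properties:
      UserPoolName:
        Fn::If:
          - ShouldNotCreateEnvResources
          - Ref: userPoolName
          - Fn::Join:
              - ''
              - - Ref: userPoolName
                - '-'
                - Ref: env
      Schema:
        - Name: email
          Required: 'true'
          Mutable: 'true'
      AutoVerifiedAttributes:
        Ref: autoVerifiedAttributes
      EmailVerificationMessage:
        Ref: emailVerificationMessage
      EmailVerificationSubject:
        Ref: emailVerificationSubject
      Policies:
        PasswordPolicy:
          MinimumLength:
            Ref: passwordPolicyMinLength
          # All four character classes are hard-enabled; the
          # passwordPolicyCharacters parameter is declared but not consulted,
          # so changing it in the parent stack has no effect here.
          RequireLowercase: 'true'
          RequireNumbers: 'true'
          RequireSymbols: 'true'
          RequireUppercase: 'true'
      MfaConfiguration:
        Ref: mfaConfiguration
      SmsVerificationMessage:
        Ref: smsVerificationMessage
      SmsConfiguration:
        SnsCallerArn:
          Fn::GetAtt:
            - SNSRole
            - Arn
        # Must match the sts:ExternalId condition on SNSRole's trust policy.
        ExternalId:
          Ref: roleExternalId

  # Public (browser) app client. GenerateSecret is not set, so no client
  # secret exists for it -- appropriate for code that runs in a browser.
  UserPoolClientWeb:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      ClientName: cognito81d9f49f_app_clientWeb
      RefreshTokenValidity:
        Ref: userpoolClientRefreshTokenValidity
      UserPoolId:
        Ref: UserPool
    DependsOn: UserPool

  # Confidential app client; whether it gets a secret is parameter-driven.
  UserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      ClientName:
        Ref: userpoolClientName
      GenerateSecret:
        Ref: userpoolClientGenerateSecret
      RefreshTokenValidity:
        Ref: userpoolClientRefreshTokenValidity
      UserPoolId:
        Ref: UserPool
    DependsOn: UserPool

  # Execution role for the custom-resource Lambda below. Permissions are
  # attached separately (UserPoolClientLambdaPolicy, UserPoolClientLogPolicy)
  # rather than inline, so this role starts with no permissions.
  UserPoolClientRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::If:
          - ShouldNotCreateEnvResources
          - Ref: userpoolClientLambdaRole
          - Fn::Join:
              - ''
              - - Ref: userpoolClientLambdaRole
                - '-'
                - Ref: env
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
    DependsOn: UserPoolClient

  # Custom-resource handler: CloudFormation cannot read an app client's secret
  # directly, so this function calls DescribeUserPoolClient and returns the
  # secret as the custom resource's "appSecret" attribute.
  #
  # Runtime was nodejs12.x with the bundled aws-sdk v2; that runtime is
  # deprecated and Lambda refuses to create/update functions on it, and the
  # nodejs18.x+ runtimes no longer bundle aws-sdk v2. The handler now uses the
  # bundled AWS SDK v3 client. The inline code is a literal block instead of an
  # Fn::Join of one-line fragments, so it reads as normal JavaScript.
  UserPoolClientLambda:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        ZipFile: |
          const response = require('cfn-response');
          const { CognitoIdentityProviderClient, DescribeUserPoolClientCommand } = require('@aws-sdk/client-cognito-identity-provider');
          const identity = new CognitoIdentityProviderClient({});

          exports.handler = (event, context, callback) => {
            if (event.RequestType == 'Delete') {
              // Nothing to tear down; the secret lives on the app client itself.
              response.send(event, context, response.SUCCESS, {});
              return;
            }
            if (event.RequestType == 'Update' || event.RequestType == 'Create') {
              const params = {
                ClientId: event.ResourceProperties.clientId,
                UserPoolId: event.ResourceProperties.userpoolId
              };
              identity.send(new DescribeUserPoolClientCommand(params))
                .then((res) => {
                  response.send(event, context, response.SUCCESS, {'appSecret': res.UserPoolClient.ClientSecret});
                })
                .catch((err) => {
                  // String(err) so the failure reason survives JSON serialisation
                  // into the stack event (Error objects stringify to {}).
                  response.send(event, context, response.FAILURE, {err: String(err)});
                });
            }
          };
      Handler: index.handler
      Runtime: nodejs20.x
      Timeout: '300'
      Role:
        Fn::GetAtt:
          - UserPoolClientRole
          - Arn
    DependsOn: UserPoolClientRole

  # Least-privilege grant for the handler: a single read action, scoped to
  # this stack's user pool ARN only.
  UserPoolClientLambdaPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName:
        Ref: userpoolClientLambdaPolicy
      Roles:
        - Fn::If:
            - ShouldNotCreateEnvResources
            - Ref: userpoolClientLambdaRole
            - Fn::Join:
                - ''
                - - Ref: userpoolClientLambdaRole
                  - '-'
                  - Ref: env
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - cognito-idp:DescribeUserPoolClient
            Resource:
              Fn::GetAtt:
                - UserPool
                - Arn
    DependsOn: UserPoolClientLambda

  # CloudWatch Logs access, scoped to this function's own log group.
  # NOTE(review): the resource pattern ends in ":log-stream:*"; confirm that
  # logs:CreateLogGroup (which targets the log-group ARN itself) is actually
  # permitted by it, otherwise the function runs but its logs are dropped.
  UserPoolClientLogPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName:
        Ref: userpoolClientLogPolicy
      Roles:
        - Fn::If:
            - ShouldNotCreateEnvResources
            - Ref: userpoolClientLambdaRole
            - Fn::Join:
                - ''
                - - Ref: userpoolClientLambdaRole
                  - '-'
                  - Ref: env
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Resource:
              Fn::Sub:
                - 'arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*'
                - region:
                    Ref: AWS::Region
                  account:
                    Ref: AWS::AccountId
                  lambda:
                    Ref: UserPoolClientLambda
    DependsOn: UserPoolClientLambdaPolicy

  # Invokes the handler above; its "appSecret" attribute is exported below.
  UserPoolClientInputs:
    Type: Custom::LambdaCallout
    Properties:
      ServiceToken:
        Fn::GetAtt:
          - UserPoolClientLambda
          - Arn
      clientId:
        Ref: UserPoolClient
      userpoolId:
        Ref: UserPool
    DependsOn: UserPoolClientLogPolicy

  IdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      # The pool name is hard-coded (the identityPoolName parameter is declared
      # but not used), and uses "__" as the env separator where the other
      # resources use "-".
      IdentityPoolName:
        Fn::If:
          - ShouldNotCreateEnvResources
          - cognito81d9f49f_identitypool_81d9f49f
          - Fn::Join:
              - ''
              - - cognito81d9f49f_identitypool_81d9f49f
                - __
                - Ref: env
      # Only the two app clients of this stack's user pool can exchange tokens
      # for identity-pool credentials.
      CognitoIdentityProviders:
        - ClientId:
            Ref: UserPoolClient
          ProviderName:
            Fn::Sub:
              - cognito-idp.${region}.amazonaws.com/${client}
              - region:
                  Ref: AWS::Region
                client:
                  Ref: UserPool
        - ClientId:
            Ref: UserPoolClientWeb
          ProviderName:
            Fn::Sub:
              - cognito-idp.${region}.amazonaws.com/${client}
              - region:
                  Ref: AWS::Region
                client:
                  Ref: UserPool
      # When 'true', anyone can obtain credentials for unauthRoleArn without
      # signing in; the permissions attached to that role (defined outside this
      # template) are then effectively public.
      AllowUnauthenticatedIdentities:
        Ref: allowUnauthenticatedIdentities
    DependsOn: UserPoolClientInputs

  # Role ARNs come from the parent stack; this template does not create them.
  IdentityPoolRoleMap:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId:
        Ref: IdentityPool
      Roles:
        unauthenticated:
          Ref: unauthRoleArn
        authenticated:
          Ref: authRoleArn
    DependsOn: IdentityPool

Outputs:
  IdentityPoolId:
    Value:
      Ref: IdentityPool
    Description: Id for the identity pool
  IdentityPoolName:
    Value:
      Fn::GetAtt:
        - IdentityPool
        - Name
  UserPoolId:
    Value:
      Ref: UserPool
    Description: Id for the user pool
  UserPoolName:
    Value:
      Ref: userPoolName
  AppClientIDWeb:
    Value:
      Ref: UserPoolClientWeb
    Description: The user pool app client id for web
  AppClientID:
    Value:
      Ref: UserPoolClient
    Description: The user pool app client id
  # The app client secret is surfaced as a plain stack output. Outputs cannot
  # be marked NoEcho, so anyone allowed cloudformation:DescribeStacks on this
  # stack can read it; treat that permission as secret-bearing. Amplify's
  # tooling consumes this output, so it is kept for compatibility.
  AppClientSecret:
    Value:
      Fn::GetAtt:
        - UserPoolClientInputs
        - appSecret

Description: '{"createdOn":"Mac","createdBy":"Amplify","createdWith":"7.6.5","stackType":"auth-Cognito","metadata":{}}'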