{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "Root Stack for AWS Amplify CLI", "Parameters": { "DeploymentBucketName": { "Description": "Name of the common deployment bucket provided by the parent stack", "Type": "String", "Default": "DeploymentBucket" }, "AuthRoleName": { "Type": "String", "Default": "AuthRoleName" }, "UnauthRoleName": { "Type": "String", "Default": "UnauthRoleName" } }, "Resources": { "DeploymentBucket": { "Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain", "Properties": { "BucketName": { "Ref": "DeploymentBucketName" }, "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256" } } ] }, "VersioningConfiguration": { "Status": "Enabled" } } }, "AuthRole": { "Type": "AWS::IAM::Role", "Properties": { "RoleName": { "Ref": "AuthRoleName" }, "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Deny", "Principal": { "Federated": "cognito-identity.amazonaws.com" }, "Action": "sts:AssumeRoleWithWebIdentity" } ] } } }, "UnauthRole": { "Type": "AWS::IAM::Role", "Properties": { "RoleName": { "Ref": "UnauthRoleName" }, "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Deny", "Principal": { "Federated": "cognito-identity.amazonaws.com" }, "Action": "sts:AssumeRoleWithWebIdentity" } ] } } }, "authcognito81d9f49f": { "Type": "AWS::CloudFormation::Stack", "Properties": { "TemplateURL": "https://s3.amazonaws.com/amplify-awsamplifyreacttempl-lambdatest-164241-deployment/amplify-cfn-templates/auth/cognito81d9f49f-cloudformation-template.yml", "Parameters": { "identityPoolName": "cognito81d9f49f_identitypool_81d9f49f", "allowUnauthenticatedIdentities": false, "thirdPartyAuth": false, "lambdaLogPolicy": "cognito81d9f49f_lambda_log_policy", "openIdLambdaRoleName": "cognito81d9f49f_openid_lambda_role", "openIdRolePolicy": "cognito81d9f49f_openid_pass_role_policy", "openIdLambdaIAMPolicy": 
"cognito81d9f49f_openid_lambda_iam_policy", "openIdLogPolicy": "cognito81d9f49f_openid_lambda_log_policy", "userPoolName": "cognito81d9f49f_userpool_81d9f49f", "autoVerifiedAttributes": "email", "mfaConfiguration": "OFF", "mfaTypes": "SMS Text Message", "roleName": "cognito81d9f49f_sns-role", "roleExternalId": "cognito81d9f49f_role_external_id", "policyName": "cognito81d9f49f-sns-policy", "smsAuthenticationMessage": "Your authentication code is {####}", "smsVerificationMessage": "Your verification code is {####}", "emailVerificationSubject": "Your verification code", "emailVerificationMessage": "Your verification code is {####}", "defaultPasswordPolicy": false, "passwordPolicyMinLength": 8, "passwordPolicyCharacters": "Requires Lowercase,Requires Uppercase,Requires Numbers,Requires Symbols", "requiredAttributes": "email", "userpoolClientName": "cognito81d9f49f_app_client", "userpoolClientGenerateSecret": true, "userpoolClientRefreshTokenValidity": 30, "userpoolClientReadAttributes": "email", "mfaLambdaRole": "cognito81d9f49f_totp_lambda_role", "mfaLambdaLogPolicy": "cognito81d9f49f_totp_lambda_log_policy", "mfaPassRolePolicy": "cognito81d9f49f_totp_pass_role_policy", "mfaLambdaIAMPolicy": "cognito81d9f49f_totp_lambda_iam_policy", "userpoolClientLambdaRole": "cognito81d9f49f_userpoolclient_lambda_role", "userpoolClientLogPolicy": "cognito81d9f49f_userpoolclient_lambda_log_policy", "userpoolClientLambdaPolicy": "cognito81d9f49f_userpoolclient_lambda_iam_policy", "userpoolClientSetAttributes": false, "useDefault": "default", "resourceName": "cognito81d9f49f", "authSelections": "identityPoolAndUserPool", "authRoleName": { "Ref": "AuthRoleName" }, "unauthRoleName": { "Ref": "UnauthRoleName" }, "authRoleArn": { "Fn::GetAtt": [ "AuthRole", "Arn" ] }, "unauthRoleArn": { "Fn::GetAtt": [ "UnauthRole", "Arn" ] }, "env": "lambdatest" } } }, "functionamplifyiotlambda": { "Type": "AWS::CloudFormation::Stack", "Properties": { "TemplateURL": 
"https://s3.amazonaws.com/amplify-awsamplifyreacttempl-lambdatest-164241-deployment/amplify-cfn-templates/function/amplifyiotlambda-cloudformation-template.json", "Parameters": { "deploymentBucketName": "amplify-awsamplifyreacttempl-lambdatest-164241-deployment", "s3Key": "amplify-builds/amplifyiotlambda-79322f6b32366b595776-build.zip", "env": "lambdatest" } } }, "apiamplifyiotlambdaapi": { "Type": "AWS::CloudFormation::Stack", "Properties": { "TemplateURL": "https://s3.amazonaws.com/amplify-awsamplifyreacttempl-lambdatest-164241-deployment/amplify-cfn-templates/api/amplifyiotlambdaapi-cloudformation-template.json", "Parameters": { "authRoleName": { "Ref": "AuthRoleName" }, "unauthRoleName": { "Ref": "UnauthRoleName" }, "functionamplifyiotlambdaName": { "Fn::GetAtt": [ "functionamplifyiotlambda", "Outputs.Name" ] }, "functionamplifyiotlambdaArn": { "Fn::GetAtt": [ "functionamplifyiotlambda", "Outputs.Arn" ] }, "env": "lambdatest" } } }, "UpdateRolesWithIDPFunction": { "DependsOn": [ "AuthRole", "UnauthRole", "authcognito81d9f49f" ], "Type": "AWS::Lambda::Function", "Properties": { "Code": { "ZipFile": { "Fn::Join": [ "\n", [ "const response = require('cfn-response');", "const aws = require('aws-sdk');", "let responseData = {};", "exports.handler = function(event, context) {", " try {", " let authRoleName = event.ResourceProperties.authRoleName;", " let unauthRoleName = event.ResourceProperties.unauthRoleName;", " let idpId = event.ResourceProperties.idpId;", " let promises = [];", " let authParamsJson = { 'Version': '2012-10-17','Statement': [{'Effect': 'Allow','Principal': {'Federated': 'cognito-identity.amazonaws.com'},'Action': 'sts:AssumeRoleWithWebIdentity','Condition': {'StringEquals': {'cognito-identity.amazonaws.com:aud': idpId},'ForAnyValue:StringLike': {'cognito-identity.amazonaws.com:amr': 'authenticated'}}}]};", " let unauthParamsJson = { 'Version': '2012-10-17','Statement': [{'Effect': 'Allow','Principal': {'Federated': 
'cognito-identity.amazonaws.com'},'Action': 'sts:AssumeRoleWithWebIdentity','Condition': {'StringEquals': {'cognito-identity.amazonaws.com:aud': idpId},'ForAnyValue:StringLike': {'cognito-identity.amazonaws.com:amr': 'unauthenticated'}}}]};", " if (event.RequestType == 'Delete') {", " delete authParamsJson.Statement[0].Condition;", " delete unauthParamsJson.Statement[0].Condition;", " let authParams = { PolicyDocument: JSON.stringify(authParamsJson),RoleName: authRoleName};", " let unauthParams = {PolicyDocument: JSON.stringify(unauthParamsJson),RoleName: unauthRoleName};", " const iam = new aws.IAM({ apiVersion: '2010-05-08', region: event.ResourceProperties.region});", " promises.push(iam.updateAssumeRolePolicy(authParams).promise());", " promises.push(iam.updateAssumeRolePolicy(unauthParams).promise());", " Promise.all(promises)", " .then((res) => {", " console.log(\"delete response data\" + JSON.stringify(res));", " response.send(event, context, response.SUCCESS, {});", " });", " }", " if (event.RequestType == 'Update' || event.RequestType == 'Create') {", " const iam = new aws.IAM({ apiVersion: '2010-05-08', region: event.ResourceProperties.region});", " let authParams = { PolicyDocument: JSON.stringify(authParamsJson),RoleName: authRoleName};", " let unauthParams = {PolicyDocument: JSON.stringify(unauthParamsJson),RoleName: unauthRoleName};", " promises.push(iam.updateAssumeRolePolicy(authParams).promise());", " promises.push(iam.updateAssumeRolePolicy(unauthParams).promise());", " Promise.all(promises)", " .then((res) => {", " console.log(\"createORupdate\" + res);", " console.log(\"response data\" + JSON.stringify(res));", " response.send(event, context, response.SUCCESS, {});", " });", " }", " } catch(err) {", " console.log(err.stack);", " responseData = {Error: err};", " response.send(event, context, response.FAILED, responseData);", " throw err;", " }", "};" ] ] } }, "Handler": "index.handler", "Runtime": "nodejs12.x", "Timeout": "300", "Role": { 
"Fn::GetAtt": [ "UpdateRolesWithIDPFunctionRole", "Arn" ] } } }, "UpdateRolesWithIDPFunctionOutputs": { "Type": "Custom::LambdaCallout", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "UpdateRolesWithIDPFunction", "Arn" ] }, "region": { "Ref": "AWS::Region" }, "idpId": { "Fn::GetAtt": [ "authcognito81d9f49f", "Outputs.IdentityPoolId" ] }, "authRoleName": { "Ref": "AuthRoleName" }, "unauthRoleName": { "Ref": "UnauthRoleName" } } }, "UpdateRolesWithIDPFunctionRole": { "Type": "AWS::IAM::Role", "Properties": { "RoleName": { "Fn::Join": [ "", [ { "Ref": "AuthRoleName" }, "-idp" ] ] }, "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "lambda.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] } ] }, "Policies": [ { "PolicyName": "UpdateRolesWithIDPFunctionPolicy", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:*" }, { "Effect": "Allow", "Action": "iam:UpdateAssumeRolePolicy", "Resource": { "Fn::GetAtt": [ "AuthRole", "Arn" ] } }, { "Effect": "Allow", "Action": "iam:UpdateAssumeRolePolicy", "Resource": { "Fn::GetAtt": [ "UnauthRole", "Arn" ] } } ] } } ] } } }, "Outputs": { "Region": { "Description": "CloudFormation provider root stack Region", "Value": { "Ref": "AWS::Region" }, "Export": { "Name": { "Fn::Sub": "${AWS::StackName}-Region" } } }, "StackName": { "Description": "CloudFormation provider root stack name", "Value": { "Ref": "AWS::StackName" }, "Export": { "Name": { "Fn::Sub": "${AWS::StackName}-StackName" } } }, "StackId": { "Description": "CloudFormation provider root stack ID", "Value": { "Ref": "AWS::StackId" }, "Export": { "Name": { "Fn::Sub": "${AWS::StackName}-StackId" } } }, "DeploymentBucketName": { "Description": "CloudFormation provider root stack deployment bucket name", "Value": { "Ref": "DeploymentBucketName" }, "Export": { "Name": { 
"Fn::Sub": "${AWS::StackName}-DeploymentBucketName" } } }, "AuthRoleArn": { "Value": { "Fn::GetAtt": [ "AuthRole", "Arn" ] } }, "UnauthRoleArn": { "Value": { "Fn::GetAtt": [ "UnauthRole", "Arn" ] } }, "AuthRoleName": { "Value": { "Ref": "AuthRole" } }, "UnauthRoleName": { "Value": { "Ref": "UnauthRole" } } } }