AWSTemplateFormatVersion: 2010-09-09 Parameters: env: Type: String authRoleArn: Type: String unauthRoleArn: Type: String functionteamtasksf9538190PreSignupArn: Type: String Default: functionteamtasksf9538190PreSignupArn functionteamtasksf9538190PreSignupName: Type: String Default: functionteamtasksf9538190PreSignupName identityPoolName: Type: String allowUnauthenticatedIdentities: Type: String resourceNameTruncated: Type: String userPoolName: Type: String autoVerifiedAttributes: Type: CommaDelimitedList mfaConfiguration: Type: String mfaTypes: Type: CommaDelimitedList smsAuthenticationMessage: Type: String smsVerificationMessage: Type: String emailVerificationSubject: Type: String emailVerificationMessage: Type: String defaultPasswordPolicy: Type: String passwordPolicyMinLength: Type: Number passwordPolicyCharacters: Type: CommaDelimitedList requiredAttributes: Type: CommaDelimitedList userpoolClientGenerateSecret: Type: String userpoolClientRefreshTokenValidity: Type: Number userpoolClientWriteAttributes: Type: CommaDelimitedList userpoolClientReadAttributes: Type: CommaDelimitedList userpoolClientLambdaRole: Type: String userpoolClientSetAttributes: Type: String resourceName: Type: String authSelections: Type: String useDefault: Type: String usernameAttributes: Type: CommaDelimitedList triggers: Type: String parentStack: Type: String permissions: Type: CommaDelimitedList dependsOn: Type: CommaDelimitedList hostedUI: Type: String hostedUIDomainName: Type: String authProvidersUserPool: Type: CommaDelimitedList hostedUIProviderMeta: Type: String hostedUIProviderCreds: Type: String oAuthMetadata: Type: String Conditions: ShouldNotCreateEnvResources: !Equals [ !Ref env, NONE ] Resources: # BEGIN SNS ROLE RESOURCE SNSRole: # Created to allow the UserPool SMS Config to publish via the Simple Notification Service during MFA Process Type: AWS::IAM::Role Properties: RoleName: !If [ShouldNotCreateEnvResources, 'teamtaf9538190_sns-role', !Join ['',['teamtaf9538190_sns-role', '-', !Ref env]]] AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Sid: "" Effect: "Allow" Principal: Service: "cognito-idp.amazonaws.com" Action: - "sts:AssumeRole" Condition: StringEquals: sts:ExternalId: teamtaf9538190_role_external_id Policies: - PolicyName: teamtaf9538190-sns-policy PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - "sns:Publish" Resource: "*" # BEGIN USER POOL RESOURCES UserPool: # Created upon user selection # Depends on SNS Role for Arn if MFA is enabled Type: AWS::Cognito::UserPool UpdateReplacePolicy: Retain Properties: UserPoolName: !If [ShouldNotCreateEnvResources, !Ref userPoolName, !Join ['',[!Ref userPoolName, '-', !Ref env]]] Schema: - Name: email Required: true Mutable: true LambdaConfig: PreSignUp: !Ref functionteamtasksf9538190PreSignupArn AutoVerifiedAttributes: !Ref autoVerifiedAttributes EmailVerificationMessage: !Ref emailVerificationMessage EmailVerificationSubject: !Ref emailVerificationSubject Policies: PasswordPolicy: MinimumLength: !Ref passwordPolicyMinLength RequireLowercase: false RequireNumbers: false RequireSymbols: false RequireUppercase: false UsernameAttributes: !Ref usernameAttributes MfaConfiguration: !Ref mfaConfiguration SmsVerificationMessage: !Ref smsVerificationMessage SmsConfiguration: SnsCallerArn: !GetAtt SNSRole.Arn ExternalId: teamtaf9538190_role_external_id UserPoolPreSignupLambdaInvokePermission: Type: "AWS::Lambda::Permission" DependsOn: UserPool Properties: Action: "lambda:invokeFunction" Principal: "cognito-idp.amazonaws.com" FunctionName: !Ref functionteamtasksf9538190PreSignupName SourceArn: !GetAtt UserPool.Arn # Updating lambda role with permissions to Cognito UserPoolClientWeb: # Created provide application access to user pool # Depends on UserPool for ID reference Type: "AWS::Cognito::UserPoolClient" Properties: ClientName: teamtaf9538190_app_clientWeb RefreshTokenValidity: !Ref userpoolClientRefreshTokenValidity UserPoolId: !Ref UserPool DependsOn: UserPool UserPoolClient: # Created provide application access to user pool # Depends on UserPool for ID reference Type: "AWS::Cognito::UserPoolClient" Properties: ClientName: teamtaf9538190_app_client GenerateSecret: !Ref userpoolClientGenerateSecret RefreshTokenValidity: !Ref userpoolClientRefreshTokenValidity UserPoolId: !Ref UserPool DependsOn: UserPool # BEGIN USER POOL LAMBDA RESOURCES UserPoolClientRole: # Created to execute Lambda which gets userpool app client config values Type: 'AWS::IAM::Role' Properties: RoleName: !If [ShouldNotCreateEnvResources, !Ref userpoolClientLambdaRole, !Join ['',[!Ref userpoolClientLambdaRole, '-', !Ref env]]] AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - 'sts:AssumeRole' DependsOn: UserPoolClient UserPoolClientLambda: # Lambda which gets userpool app client config values # Depends on UserPool for id # Depends on UserPoolClientRole for role ARN Type: 'AWS::Lambda::Function' Properties: Code: ZipFile: !Join - |+ - - 'const response = require(''cfn-response'');' - 'const aws = require(''aws-sdk'');' - 'const identity = new aws.CognitoIdentityServiceProvider();' - 'exports.handler = (event, context, callback) => {' - ' if (event.RequestType == ''Delete'') { ' - ' response.send(event, context, response.SUCCESS, {})' - ' }' - ' if (event.RequestType == ''Update'' || event.RequestType == ''Create'') {' - ' const params = {' - ' ClientId: event.ResourceProperties.clientId,' - ' UserPoolId: event.ResourceProperties.userpoolId' - ' };' - ' identity.describeUserPoolClient(params).promise()' - ' .then((res) => {' - ' response.send(event, context, response.SUCCESS, {''appSecret'': res.UserPoolClient.ClientSecret});' - ' })' - ' .catch((err) => {' - ' response.send(event, context, response.FAILED, {err});' - ' });' - ' }' - '};' Handler: index.handler Runtime: nodejs12.x Timeout: '300' Role: !GetAtt - UserPoolClientRole - Arn DependsOn: UserPoolClientRole UserPoolClientLambdaPolicy: # Sets userpool policy for the role that executes the Userpool Client Lambda # Depends on UserPool for Arn # Marked as depending on UserPoolClientRole for easier to understand CFN sequencing Type: 'AWS::IAM::Policy' Properties: PolicyName: teamtaf9538190_userpoolclient_lambda_iam_policy Roles: - !If [ShouldNotCreateEnvResources, !Ref userpoolClientLambdaRole, !Join ['',[!Ref userpoolClientLambdaRole, '-', !Ref env]]] PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - 'cognito-idp:DescribeUserPoolClient' Resource: !GetAtt UserPool.Arn DependsOn: UserPoolClientLambda UserPoolClientLogPolicy: # Sets log policy for the role that executes the Userpool Client Lambda # Depends on UserPool for Arn # Marked as depending on UserPoolClientLambdaPolicy for easier to understand CFN sequencing Type: 'AWS::IAM::Policy' Properties: PolicyName: teamtaf9538190_userpoolclient_lambda_log_policy Roles: - !If [ShouldNotCreateEnvResources, !Ref userpoolClientLambdaRole, !Join ['',[!Ref userpoolClientLambdaRole, '-', !Ref env]]] PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'logs:CreateLogGroup' - 'logs:CreateLogStream' - 'logs:PutLogEvents' Resource: !Sub - arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:* - { region: !Ref "AWS::Region", account: !Ref "AWS::AccountId", lambda: !Ref UserPoolClientLambda} DependsOn: UserPoolClientLambdaPolicy UserPoolClientInputs: # Values passed to Userpool client Lambda # Depends on UserPool for Id # Depends on UserPoolClient for Id # Marked as depending on UserPoolClientLambdaPolicy for easier to understand CFN sequencing Type: 'Custom::LambdaCallout' Properties: ServiceToken: !GetAtt UserPoolClientLambda.Arn clientId: !Ref UserPoolClient userpoolId: !Ref UserPool DependsOn: UserPoolClientLogPolicy HostedUICustomResource: Type: 'AWS::Lambda::Function' Properties: Code: ZipFile: !Join - |+ - - 'const response = require(''cfn-response'');' - 'const aws = require(''aws-sdk'');' - 'const identity = new aws.CognitoIdentityServiceProvider();' - 'exports.handler = (event, context, callback) => {' - ' const userPoolId = event.ResourceProperties.userPoolId;' - ' const inputDomainName = event.ResourceProperties.hostedUIDomainName;' - ' let deleteUserPoolDomain = (domainName) => {' - ' let params = { Domain: domainName, UserPoolId: userPoolId };' - ' return identity.deleteUserPoolDomain(params).promise();' - ' };' - ' if (event.RequestType == ''Delete'') {' - ' deleteUserPoolDomain(inputDomainName)' - ' .then(() => {response.send(event, context, response.SUCCESS, {})})' - ' .catch((err) => { console.log(err); response.send(event, context, response.FAILED, {err}) });' - ' }' - ' if (event.RequestType == ''Update'' || event.RequestType == ''Create'') {' - ' let checkDomainAvailability = (domainName) => {' - ' let params = { Domain: domainName };' - ' return identity.describeUserPoolDomain(params).promise().then((res) => {' - ' if (res.DomainDescription && res.DomainDescription.UserPool) {' - ' return false;' - ' }' - ' return true;' - ' }).catch((err) => { return false; });' - ' };' - ' let createUserPoolDomain = (domainName) => {' - ' let params = { Domain: domainName, UserPoolId: userPoolId };' - ' return identity.createUserPoolDomain(params).promise();' - ' };' - ' identity.describeUserPool({UserPoolId: userPoolId }).promise().then((result) => {' - ' if (inputDomainName) {' - ' if (result.UserPool.Domain === inputDomainName) {' - ' return;' - ' } else {' - ' if (!result.UserPool.Domain) {' - ' return checkDomainAvailability(inputDomainName).then((isDomainAvailable) => {' - ' if (isDomainAvailable) {' - ' return createUserPoolDomain(inputDomainName);' - ' } else {' - ' throw new Error(''Domain not available'');' - ' }' - ' });' - ' } else {' - ' return checkDomainAvailability(inputDomainName).then((isDomainAvailable) => {' - ' if (isDomainAvailable) {' - ' return deleteUserPoolDomain(result.UserPool.Domain).then(() => createUserPoolDomain(inputDomainName));' - ' } else {' - ' throw new Error(''Domain not available'');' - ' }' - ' });' - ' }' - ' }' - ' } else {' - ' if (result.UserPool.Domain) {' - ' return deleteUserPoolDomain(result.UserPool.Domain);' - ' }' - ' }' - ' }).then(() => {response.send(event, context, response.SUCCESS, {})}).catch((err) => {' - ' console.log(err); response.send(event, context, response.FAILED, {err});' - ' });' - '}}' Handler: index.handler Runtime: nodejs12.x Timeout: '300' Role: !GetAtt - UserPoolClientRole - Arn DependsOn: UserPoolClientRole HostedUICustomResourcePolicy: Type: 'AWS::IAM::Policy' Properties: PolicyName: !Join ['-',[!Ref UserPool, 'hostedUI']] Roles: - !If [ShouldNotCreateEnvResources, !Ref userpoolClientLambdaRole, !Join ['',[!Ref userpoolClientLambdaRole, '-', !Ref env]]] PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - 'cognito-idp:CreateUserPoolDomain' - 'cognito-idp:DescribeUserPool' - 'cognito-idp:DeleteUserPoolDomain' Resource: !GetAtt UserPool.Arn - Effect: Allow Action: - 'cognito-idp:DescribeUserPoolDomain' Resource: '*' DependsOn: HostedUICustomResource HostedUICustomResourceLogPolicy: Type: 'AWS::IAM::Policy' Properties: PolicyName: !Join ['-',[!Ref UserPool, 'hostedUILogPolicy']] Roles: - !If [ShouldNotCreateEnvResources, !Ref userpoolClientLambdaRole, !Join ['',[!Ref userpoolClientLambdaRole, '-', !Ref env]]] PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'logs:CreateLogGroup' - 'logs:CreateLogStream' - 'logs:PutLogEvents' Resource: !Sub - arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:* - { region: !Ref "AWS::Region", account: !Ref "AWS::AccountId", lambda: !Ref HostedUICustomResource} DependsOn: HostedUICustomResourcePolicy HostedUICustomResourceInputs: Type: 'Custom::LambdaCallout' Properties: ServiceToken: !GetAtt HostedUICustomResource.Arn userPoolId: !Ref UserPool hostedUIDomainName: !If [ShouldNotCreateEnvResources, !Ref hostedUIDomainName, !Join ['-',[!Ref hostedUIDomainName, !Ref env]]] DependsOn: HostedUICustomResourceLogPolicy HostedUIProvidersCustomResource: Type: 'AWS::Lambda::Function' Properties: Code: ZipFile: !Join - |+ - - 'const response = require(''cfn-response'');' - 'const aws = require(''aws-sdk'');' - 'const identity = new aws.CognitoIdentityServiceProvider();' - 'exports.handler = (event, context, callback) => {' - 'try{' - ' const userPoolId = event.ResourceProperties.userPoolId;' - ' let hostedUIProviderMeta = JSON.parse(event.ResourceProperties.hostedUIProviderMeta);' - ' let hostedUIProviderCreds = JSON.parse(event.ResourceProperties.hostedUIProviderCreds);' - ' if (event.RequestType == ''Delete'') {' - ' response.send(event, context, response.SUCCESS, {});' - ' }' - ' if (event.RequestType == ''Update'' || event.RequestType == ''Create'') {' - ' let getRequestParams = (providerName) => {' - ' let providerMetaIndex = hostedUIProviderMeta.findIndex((provider) => provider.ProviderName === providerName);' - ' let providerMeta = hostedUIProviderMeta[providerMetaIndex];' - ' let providerCredsIndex = hostedUIProviderCreds.findIndex((provider) => provider.ProviderName === providerName);' - ' let providerCreds = hostedUIProviderCreds[providerCredsIndex];' - ' let requestParams = {' - ' ProviderDetails: {' - ' ''client_id'': providerCreds.client_id,' - ' ''client_secret'': providerCreds.client_secret,' - ' ''authorize_scopes'': providerMeta.authorize_scopes' - ' },' - ' ProviderName: providerMeta.ProviderName,' - ' UserPoolId: userPoolId,' - ' AttributeMapping: providerMeta.AttributeMapping' - ' };' - ' return requestParams;' - ' };' - ' let createIdentityProvider = (providerName) => {' - ' let requestParams = getRequestParams(providerName);' - ' requestParams.ProviderType = requestParams.ProviderName;' - ' return identity.createIdentityProvider(requestParams).promise();' - ' };' - ' let updateIdentityProvider = (providerName) => {' - ' let requestParams = getRequestParams(providerName);' - ' return identity.updateIdentityProvider(requestParams).promise();' - ' };' - ' let deleteIdentityProvider = (providerName) => {' - ' let params = {ProviderName: providerName, UserPoolId: userPoolId};' - ' return identity.deleteIdentityProvider(params).promise();' - ' };' - ' let providerPromises = [];' - ' identity.listIdentityProviders({UserPoolId: userPoolId, MaxResults: 60}).promise()' - ' .then((result) => {' - ' let providerList = result.Providers.map(provider => provider.ProviderName);' - ' let providerListInParameters = hostedUIProviderMeta.map(provider => provider.ProviderName);' - ' hostedUIProviderMeta.forEach((providerMetadata) => {' - ' if(providerList.indexOf(providerMetadata.ProviderName) > -1) {' - ' providerPromises.push(updateIdentityProvider(providerMetadata.ProviderName));' - ' } else {' - ' providerPromises.push(createIdentityProvider(providerMetadata.ProviderName));' - ' }' - ' });' - ' providerList.forEach((provider) => {' - ' if(providerListInParameters.indexOf(provider) < 0) {' - ' providerPromises.push(deleteIdentityProvider(provider));' - ' }' - ' });' - ' return Promise.all(providerPromises);' - ' }).then(() => {response.send(event, context, response.SUCCESS, {})}).catch((err) => {' - ' console.log(err.stack); response.send(event, context, response.FAILED, {err})' - ' });' - ' } ' - ' } catch(err) { console.log(err.stack); response.send(event, context, response.FAILED, {err});};' - '} ' Handler: index.handler Runtime: nodejs12.x Timeout: '300' Role: !GetAtt - UserPoolClientRole - Arn DependsOn: UserPoolClientRole HostedUIProvidersCustomResourcePolicy: Type: 'AWS::IAM::Policy' Properties: PolicyName: !Join ['-',[!Ref UserPool, 'hostedUIProvider']] Roles: - !If [ShouldNotCreateEnvResources, !Ref userpoolClientLambdaRole, !Join ['',[!Ref userpoolClientLambdaRole, '-', !Ref env]]] PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - 'cognito-idp:CreateIdentityProvider' - 'cognito-idp:UpdateIdentityProvider' - 'cognito-idp:ListIdentityProviders' - 'cognito-idp:DeleteIdentityProvider' Resource: !GetAtt UserPool.Arn DependsOn: HostedUIProvidersCustomResource HostedUIProvidersCustomResourceLogPolicy: Type: 'AWS::IAM::Policy' Properties: PolicyName: !Join ['-',[!Ref UserPool, 'hostedUIProviderLogPolicy']] Roles: - !If [ShouldNotCreateEnvResources, !Ref userpoolClientLambdaRole, !Join ['',[!Ref userpoolClientLambdaRole, '-', !Ref env]]] PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'logs:CreateLogGroup' - 'logs:CreateLogStream' - 'logs:PutLogEvents' Resource: !Sub - arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:* - { region: !Ref "AWS::Region", account: !Ref "AWS::AccountId", lambda: !Ref HostedUIProvidersCustomResource} DependsOn: HostedUIProvidersCustomResourcePolicy HostedUIProvidersCustomResourceInputs: Type: 'Custom::LambdaCallout' Properties: ServiceToken: !GetAtt HostedUIProvidersCustomResource.Arn userPoolId: !Ref UserPool hostedUIProviderMeta: !Ref hostedUIProviderMeta hostedUIProviderCreds: !Ref hostedUIProviderCreds DependsOn: HostedUIProvidersCustomResourceLogPolicy OAuthCustomResource: Type: 'AWS::Lambda::Function' Properties: Code: ZipFile: !Join - |+ - - 'const response = require(''cfn-response'');' - 'const aws = require(''aws-sdk'');' - 'const identity = new aws.CognitoIdentityServiceProvider();' - 'exports.handler = (event, context, callback) => {' - 'try{' - ' const userPoolId = event.ResourceProperties.userPoolId;' - ' let webClientId = event.ResourceProperties.webClientId;' - ' let nativeClientId = event.ResourceProperties.nativeClientId;' - ' let hostedUIProviderMeta = JSON.parse(event.ResourceProperties.hostedUIProviderMeta);' - ' let oAuthMetadata = JSON.parse(event.ResourceProperties.oAuthMetadata);' - ' let providerList = hostedUIProviderMeta.map(provider => provider.ProviderName);' - ' providerList.push(''COGNITO'');' - ' if (event.RequestType == ''Delete'') {' - ' response.send(event, context, response.SUCCESS, {});' - ' }' - ' if (event.RequestType == ''Update'' || event.RequestType == ''Create'') {' - ' let params = {' - ' UserPoolId: userPoolId,' - ' AllowedOAuthFlows: oAuthMetadata.AllowedOAuthFlows,' - ' AllowedOAuthFlowsUserPoolClient: true,' - ' AllowedOAuthScopes: oAuthMetadata.AllowedOAuthScopes,' - ' CallbackURLs: oAuthMetadata.CallbackURLs,' - ' LogoutURLs: oAuthMetadata.LogoutURLs,' - ' SupportedIdentityProviders: providerList' - ' };' - ' let updateUserPoolClientPromises = [];' - ' params.ClientId = webClientId;' - ' updateUserPoolClientPromises.push(identity.updateUserPoolClient(params).promise());' - ' params.ClientId = nativeClientId;' - ' updateUserPoolClientPromises.push(identity.updateUserPoolClient(params).promise());' - ' Promise.all(updateUserPoolClientPromises)' - ' .then(() => {response.send(event, context, response.SUCCESS, {})}).catch((err) => {' - ' console.log(err.stack); response.send(event, context, response.FAILED, {err});' - ' });' - ' }' - '} catch(err) { console.log(err.stack); response.send(event, context, response.FAILED, {err});};' - '}' Handler: index.handler Runtime: nodejs12.x Timeout: '300' Role: !GetAtt - UserPoolClientRole - Arn DependsOn: HostedUIProvidersCustomResourceInputs OAuthCustomResourcePolicy: Type: 'AWS::IAM::Policy' Properties: PolicyName: !Join ['-',[!Ref UserPool, 'OAuth']] Roles: - !If [ShouldNotCreateEnvResources, !Ref userpoolClientLambdaRole, !Join ['',[!Ref userpoolClientLambdaRole, '-', !Ref env]]] PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - 'cognito-idp:UpdateUserPoolClient' Resource: !GetAtt UserPool.Arn DependsOn: OAuthCustomResource OAuthCustomResourceLogPolicy: Type: 'AWS::IAM::Policy' Properties: PolicyName: !Join ['-',[!Ref UserPool, 'OAuthLogPolicy']] Roles: - !If [ShouldNotCreateEnvResources, !Ref userpoolClientLambdaRole, !Join ['',[!Ref userpoolClientLambdaRole, '-', !Ref env]]] PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'logs:CreateLogGroup' - 'logs:CreateLogStream' - 'logs:PutLogEvents' Resource: !Sub - arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:* - { region: !Ref "AWS::Region", account: !Ref "AWS::AccountId", lambda: !Ref OAuthCustomResource} DependsOn: OAuthCustomResourcePolicy OAuthCustomResourceInputs: Type: 'Custom::LambdaCallout' Properties: ServiceToken: !GetAtt OAuthCustomResource.Arn userPoolId: !Ref UserPool hostedUIProviderMeta: !Ref hostedUIProviderMeta oAuthMetadata: !Ref oAuthMetadata webClientId: !Ref 'UserPoolClientWeb' nativeClientId: !Ref 'UserPoolClient' DependsOn: OAuthCustomResourceLogPolicy # BEGIN IDENTITY POOL RESOURCES IdentityPool: # Always created Type: AWS::Cognito::IdentityPool Properties: IdentityPoolName: !If [ShouldNotCreateEnvResources, 'teamtasksf9538190_identitypool_e8f69cbc', !Join ['',['teamtasksf9538190_identitypool_e8f69cbc', '__', !Ref env]]] CognitoIdentityProviders: - ClientId: !Ref UserPoolClient ProviderName: !Sub - cognito-idp.${region}.amazonaws.com/${client} - { region: !Ref "AWS::Region", client: !Ref UserPool} - ClientId: !Ref UserPoolClientWeb ProviderName: !Sub - cognito-idp.${region}.amazonaws.com/${client} - { region: !Ref "AWS::Region", client: !Ref UserPool} AllowUnauthenticatedIdentities: !Ref allowUnauthenticatedIdentities DependsOn: UserPoolClientInputs IdentityPoolRoleMap: # Created to map Auth and Unauth roles to the identity pool # Depends on Identity Pool for ID ref Type: AWS::Cognito::IdentityPoolRoleAttachment Properties: IdentityPoolId: !Ref IdentityPool Roles: unauthenticated: !Ref unauthRoleArn authenticated: !Ref authRoleArn DependsOn: IdentityPool Outputs : IdentityPoolId: Value: !Ref 'IdentityPool' Description: Id for the identity pool IdentityPoolName: Value: !GetAtt IdentityPool.Name HostedUIDomain: Value: !If [ShouldNotCreateEnvResources, !Ref hostedUIDomainName, !Join ['-',[!Ref hostedUIDomainName, !Ref env]]] OAuthMetadata: Value: !Ref oAuthMetadata UserPoolId: Value: !Ref 'UserPool' Description: Id for the user pool UserPoolName: Value: !Ref userPoolName AppClientIDWeb: Value: !Ref 'UserPoolClientWeb' Description: The user pool app client id for web AppClientID: Value: !Ref 'UserPoolClient' Description: The user pool app client id AppClientSecret: Value: !GetAtt UserPoolClientInputs.appSecret