# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
AWSTemplateFormatVersion: '2010-09-09'
Description: 'sputnik - Cognito - Version %%VERSION%%'
Parameters:
AdministratorName:
Type: String
Description: Name of the sputnik administrator.
AdministratorEmail:
Type: String
Description: Email address for sputnik administrator.
AllowedPattern: "^[_A-Za-z0-9-\\+]+(\\.[_A-Za-z0-9-]+)*@[A-Za-z0-9-]+(\\.[A-Za-z0-9]+)*(\\.[A-Za-z]{2,})$"
dataBucketArn:
Type: String
Description: ARN of the sputnik Data Bucket.
websiteURL:
Type: String
Description: sputnik Website URL.
fullName:
Type: String
Description: sputnik application name
Resources:
identityPoolAuthRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Federated:
- "cognito-identity.amazonaws.com"
Action:
- "sts:AssumeRoleWithWebIdentity"
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud": !Sub "${identityPool}"
"ForAnyValue:StringLike":
"cognito-identity.amazonaws.com:amr": "authenticated"
Path: "/"
identityPoolAuthPolicy:
Type: "AWS::IAM::ManagedPolicy"
Properties:
Description: "Policy for the sputnik identity pool authorized identities."
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action:
- "mobileanalytics:PutEvents"
- "cognito-identity:*"
Resource: !Sub "arn:aws:cognito-identity:${AWS::Region}:${AWS::AccountId}:identitypool/${identityPool}"
-
Effect: "Allow"
Action:
- "iot:Connect"
- "iot:Subscribe"
- "iot:Publish"
- "iot:Receive"
- "iot:DescribeEndpoint"
- "iot:AttachPolicy"
- "iot:GetThingShadow"
- "iot:UpdateThingShadow"
- "iot:DeleteThingShadow"
Resource:
- "*"
-
Effect: "Allow"
Action:
# TODO BE MORE RESTRICTIVE
- "s3:*"
Resource:
- !Ref dataBucketArn
- !Join ["/", [!Ref dataBucketArn, "*"]]
Roles:
- !Ref identityPoolAuthRole
identityPoolUnauthRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Federated:
- "cognito-identity.amazonaws.com"
Action:
- "sts:AssumeRoleWithWebIdentity"
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud": !Sub "${identityPool}"
"ForAnyValue:StringLike":
"cognito-identity.amazonaws.com:amr": "unauthenticated"
Path: "/"
identityPoolUnauthPolicy:
Type: "AWS::IAM::ManagedPolicy"
Properties:
Description: "Policy for the sputnik identity pool unauthorized identities."
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action:
- "mobileanalytics:PutEvents"
Resource: !Sub "arn:aws:cognito-identity:${AWS::Region}:${AWS::AccountId}:identitypool/${identityPool}"
-
Effect: "Allow"
Action:
- "iot:Connect"
- "iot:Subscribe"
- "iot:Publish"
- "iot:Receive"
- "iot:DescribeEndpoint"
- "iot:AttachPolicy"
Resource:
- "*"
Roles:
- !Ref identityPoolUnauthRole
websiteCognitoIoTPolicy:
Type: "AWS::IoT::Policy"
DeletionPolicy: Retain
Properties:
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action:
- "iot:*"
Resource:
- "*"
userPool:
Type: "AWS::Cognito::UserPool"
Properties:
UserPoolName: "sputnik-pool"
AdminCreateUserConfig:
AllowAdminCreateUserOnly: True
InviteMessageTemplate:
EmailMessage:
!Sub |
You are invited to join sputnik. Your temporary password is as follows:
Password: {####}
id: {username}
Please sign in to sputnik dashboard with your email address and temporary password provided above at:
${websiteURL}
Contact ${AdministratorEmail} if you are experiencing issues.
EmailSubject: !Join [" ", ["Your", !Ref fullName, "login."]]
SMSMessage: "Your username is {username} and temporary password is {####}."
UnusedAccountValidityDays: 7
AliasAttributes:
- "email"
AutoVerifiedAttributes:
- "email"
EmailVerificationMessage: "Your sputnik dashboard verification code is {####}."
EmailVerificationSubject: "Your sputnik dashboard verification code"
Policies:
PasswordPolicy:
MinimumLength: 8
RequireLowercase: True
RequireNumbers: True
RequireSymbols: False
RequireUppercase: True
Schema:
-
AttributeDataType: "String"
Name: "email"
Required: True
websiteCognitoClient:
Type: "AWS::Cognito::UserPoolClient"
Properties:
ClientName: "sputnik-website"
GenerateSecret: False
WriteAttributes:
- "address"
- "email"
- "phone_number"
ReadAttributes:
- "name"
- "family_name"
- "given_name"
- "middle_name"
- "nickname"
- "preferred_username"
- "updated_at"
- "email"
- "email_verified"
- "address"
- "phone_number"
- "phone_number_verified"
RefreshTokenValidity: 1
UserPoolId: !Ref userPool
adminCognitoGroup:
Type: "AWS::Cognito::UserPoolGroup"
Properties:
Description: "Administrator group for managing sputnik web interface"
GroupName: "Administrators"
UserPoolId: !Ref userPool
memberCognitoGroup:
Type: "AWS::Cognito::UserPoolGroup"
Properties:
Description: "Member group for access to the sputnik web interface"
GroupName: "Members"
UserPoolId: !Ref userPool
adminCognitoUser:
Type: "AWS::Cognito::UserPoolUser"
Properties:
DesiredDeliveryMediums:
- EMAIL
ForceAliasCreation: True
UserAttributes:
-
Name: email
Value: !Ref AdministratorEmail
-
Name: nickname
Value: !Ref AdministratorName
-
Name: email_verified
Value: True
Username: !Join ["_", !Split [".", !Join ["_", !Split ["@", !Ref AdministratorEmail]]]]
UserPoolId: !Ref userPool
adminGroupAssignment:
Type: "AWS::Cognito::UserPoolUserToGroupAttachment"
Properties:
GroupName: !Ref adminCognitoGroup
Username: !Ref adminCognitoUser
UserPoolId: !Ref userPool
identityPool:
Type: "AWS::Cognito::IdentityPool"
Properties:
IdentityPoolName: "sputnik_identity_pool"
CognitoIdentityProviders:
- ClientId: !Ref websiteCognitoClient
ProviderName: !GetAtt userPool.ProviderName
AllowUnauthenticatedIdentities: true
identityPoolRoleAttachment:
Type: "AWS::Cognito::IdentityPoolRoleAttachment"
Properties:
IdentityPoolId: !Sub "${identityPool}"
Roles:
unauthenticated: !GetAtt identityPoolUnauthRole.Arn
authenticated: !GetAtt identityPoolAuthRole.Arn
Outputs:
websiteCognitoIoTPolicy:
Description: "IoT Policy to access resources"
Value: !Ref websiteCognitoIoTPolicy
userPoolArn:
Description: "sputnik User Pool"
Value: !GetAtt userPool.Arn
userPoolId:
Description: "sputnik User Pool ID"
Value: !Ref userPool
websiteCognitoClientId:
Description: "sputnik Website Cognito Client Id"
Value: !Ref websiteCognitoClient
identityPool:
Description: "sputnik Identity Pool"
Value: !Ref identityPool