Description: >
  MediaSearch Solution - Finder stack (v0.3.2)
Resources:
  # Cognito user pool that authenticates Finder users.
  # Self sign-up is disabled: accounts are created by an administrator and the user
  # receives the invite e-mail below, in which Cognito substitutes the temporary
  # password for {####}. No explicit PasswordPolicy or MfaConfiguration is set, so
  # Cognito's defaults apply — NOTE(review): confirm those meet the deployment's
  # requirements.
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      # The e-mail address may be used in place of the username at sign-in.
      AliasAttributes:
        - email
      AutoVerifiedAttributes:
        - email
      UsernameConfiguration:
        CaseSensitive: false
      AdminCreateUserConfig:
        AllowAdminCreateUserOnly: true
        InviteMessageTemplate:
          # Kept as a double-quoted scalar so the rendered e-mail body is unchanged:
          # the "\n" escapes are the real line breaks. Do not convert this to a block
          # scalar without re-checking the message Cognito sends.
          EmailMessage: "
            Hello {username},\n
            Welcome to Finder App! Your temporary password is:\n
            {####}
            \n
            When the CloudFormation stack is COMPLETE, use the MediaSearchFinderURL in the Outputs tab of the CloudFormation stack to login using {username} as username, set your permanent password, and start searching!\n
            Good luck!\n"
          EmailSubject: Welcome to Finder Web App
# User-pool group that marks Finder administrators; only created when the
# EnableAuth condition holds.
Admins:
  Type: AWS::Cognito::UserPoolGroup
  Condition: EnableAuth
  Properties:
    UserPoolId: !Ref UserPool
    GroupName: Admins
# Initial administrator account (username fixed to "Admin"). Cognito delivers the
# invite — including the temporary password — by e-mail to the AdminEmail parameter.
# Only created when the EnableAuth condition holds.
AdminUser:
  Type: AWS::Cognito::UserPoolUser
  Condition: EnableAuth
  Properties:
    UserPoolId: !Ref UserPool
    Username: Admin
    DesiredDeliveryMediums:
      - EMAIL
    UserAttributes:
      - Name: email
        Value: !Ref AdminEmail
# Places the initial administrator into the Admins group.
AdminToAdmins:
  Type: AWS::Cognito::UserPoolUserToGroupAttachment
  Condition: EnableAuth
  Properties:
    UserPoolId: !Ref UserPool
    GroupName: !Ref Admins
    Username: !Ref AdminUser
# Identity pool that exchanges UserPool tokens (via UserPoolClient) for AWS
# credentials. Guest (unauthenticated) identities are enabled, so anyone who can
# reach the pool can obtain credentials for the unauthenticated role mapped in
# IdentityPoolRoleAttachment — that role must stay free of permissions.
# NOTE(review): if guest access is only needed when authentication is disabled,
# consider `AllowUnauthenticatedIdentities: !If [EnableAuth, false, true]`.
IdentityPool:
  Type: AWS::Cognito::IdentityPool
  Properties:
    AllowUnauthenticatedIdentities: true
    # Classic (basic) flow is disabled; only the enhanced flow is available.
    AllowClassicFlow: false
    CognitoIdentityProviders:
      - ClientId: !Ref UserPoolClient
        # Provider name is the user pool's issuer: cognito-idp.<region>.amazonaws.com/<pool id>
        ProviderName: !Sub
          - 'cognito-idp.${region}.amazonaws.com/${pool}'
          - region: !Ref AWS::Region
            pool: !Ref UserPool
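# App client the web front end uses to sign in against UserPool.
UserPoolClient:
  Type: AWS::Cognito::UserPoolClient
  Properties:
    UserPoolId: !Ref UserPool
    # Return a generic "incorrect username or password" instead of
    # UserNotFoundException so the sign-in and password-reset flows cannot be used
    # to enumerate which usernames / e-mail addresses exist in the pool.
    PreventUserExistenceErrors: ENABLED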
# Maps the identity pool's two credential classes to their IAM roles.
IdentityPoolRoleAttachment:
  Type: AWS::Cognito::IdentityPoolRoleAttachment
  Properties:
    IdentityPoolId: !Ref IdentityPool
    Roles:
      authenticated: !GetAtt IDPoolAuthRole.Arn
      unauthenticated: !GetAtt IDPoolUnauthRole.Arn
# Role vended to signed-in (amr=authenticated) identities of IdentityPool.
# No inline policies are attached here; the application assumes MediaAppCredsRole
# from these credentials to reach Kendra and the media buckets.
IDPoolAuthRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      # Quoted so generic YAML 1.1 parsers keep this a string rather than a date.
      Version: '2012-10-17'
      Statement:
        # Cognito Identity may vend this role only for this pool and only to
        # authenticated identities.
        - Effect: Allow
          Principal:
            Federated: cognito-identity.amazonaws.com
          Action: sts:AssumeRoleWithWebIdentity
          Condition:
            StringEquals:
              'cognito-identity.amazonaws.com:aud': !Ref IdentityPool
            'ForAnyValue:StringLike':
              'cognito-identity.amazonaws.com:amr': authenticated
        # Also trusted by the Amplify service — presumably for the hosted front end;
        # NOTE(review): confirm this entry is still required.
        - Effect: Allow
          Principal:
            Service: amplify.amazonaws.com
          Action: sts:AssumeRole
# Role vended to guest (amr=unauthenticated) identities of IdentityPool.
# Because the pool allows unauthenticated identities, anyone who can reach it can
# obtain these credentials without signing in — keep this role permission-free
# (it has no inline policies here).
IDPoolUnauthRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      # Quoted so generic YAML 1.1 parsers keep this a string rather than a date.
      Version: '2012-10-17'
      Statement:
        # Cognito Identity may vend this role only for this pool and only to
        # unauthenticated identities.
        - Effect: Allow
          Principal:
            Federated: cognito-identity.amazonaws.com
          Action: sts:AssumeRoleWithWebIdentity
          Condition:
            StringEquals:
              'cognito-identity.amazonaws.com:aud': !Ref IdentityPool
            'ForAnyValue:StringLike':
              'cognito-identity.amazonaws.com:amr': unauthenticated
        # Also trusted by the Amplify service — presumably for the hosted front end;
        # NOTE(review): confirm this entry is still required.
        - Effect: Allow
          Principal:
            Service: amplify.amazonaws.com
          Action: sts:AssumeRole
# Role that may pull the application source from the stack's CodeCommit
# repository. Trusted by authenticated Cognito identities of IdentityPool and by
# the Amplify service (presumably the one cloning the repository to build the
# front end — NOTE(review): confirm the Cognito trust is actually used; the
# visible IdentityPoolRoleAttachment maps authenticated identities to
# IDPoolAuthRole, not to this role).
MediaRepositoryAssumeRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      # Quoted so generic YAML 1.1 parsers keep this a string rather than a date.
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Federated: cognito-identity.amazonaws.com
          Action: sts:AssumeRoleWithWebIdentity
          Condition:
            StringEquals:
              'cognito-identity.amazonaws.com:aud': !Ref IdentityPool
            'ForAnyValue:StringLike':
              'cognito-identity.amazonaws.com:amr': authenticated
        - Effect: Allow
          Principal:
            Service: amplify.amazonaws.com
          Action: sts:AssumeRole
    Policies:
      - PolicyName: MediaRepositoryExecutionPolicy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            # Read-only: git pull/clone only, scoped to this stack's repository.
            - Effect: Allow
              Action:
                - codecommit:GitPull
              Resource:
                - !GetAtt Repository.Arn
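# Role the application assumes (sts:AssumeRole) to query the Kendra index and
# read media objects. All data-plane permissions live here; the identity-pool
# roles carry none of their own.
#
# Trust policy:
#   1. Cognito federated identities with amr=authenticated — only reachable if the
#      identity pool maps this role directly (the visible
#      IdentityPoolRoleAttachment maps authenticated identities to IDPoolAuthRole).
#   2. The Amplify service principal — presumably for the hosted front end;
#      NOTE(review): confirm it is still required.
#   3. The identity-pool roles and their "CognitoIdentityCredentials" sessions.
#      The unauthenticated session is trusted only when EnableAuth is false.
#      With EnableAuth true the pool still allows guest identities, so trusting
#      the unauthenticated session unconditionally would let anyone reaching the
#      pool assume this role — and reach Kendra and the media buckets — without
#      signing in. (The duplicate IDPoolAuthRole ARN in the original list is also
#      removed; the role ARN already covers every session of that role.)
MediaAppCredsRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      # Quoted so generic YAML 1.1 parsers keep this a string rather than a date.
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Federated: cognito-identity.amazonaws.com
          Action: sts:AssumeRoleWithWebIdentity
          Condition:
            StringEquals:
              'cognito-identity.amazonaws.com:aud': !Ref IdentityPool
            'ForAnyValue:StringLike':
              'cognito-identity.amazonaws.com:amr': authenticated
        - Effect: Allow
          Principal:
            Service: amplify.amazonaws.com
          Action: sts:AssumeRole
        - Effect: Allow
          Principal:
            AWS: !If
              - EnableAuth
              # Auth enabled: only signed-in credentials may assume this role.
              - - !GetAtt IDPoolAuthRole.Arn
                - !Sub 'arn:aws:sts::${AWS::AccountId}:assumed-role/${IDPoolAuthRole}/CognitoIdentityCredentials'
              # Auth disabled: the app runs on guest credentials, so the
              # unauthenticated session must be able to assume this role too.
              - - !GetAtt IDPoolAuthRole.Arn
                - !Sub 'arn:aws:sts::${AWS::AccountId}:assumed-role/${IDPoolAuthRole}/CognitoIdentityCredentials'
                - !Sub 'arn:aws:sts::${AWS::AccountId}:assumed-role/${IDPoolUnauthRole}/CognitoIdentityCredentials'
          Action: sts:AssumeRole
    Policies:
      - PolicyName: AWSMediaAppCredsPolicy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            # Search (plus relevance feedback) against the single Kendra index the
            # stack is pointed at via the KendraIndexId parameter.
            - Effect: Allow
              Action:
                - kendra:DescribeIndex
                - kendra:ListDataSources
                - kendra:Query
                - kendra:SubmitFeedback
              Resource: !Sub 'arn:aws:kendra:${AWS::Region}:${AWS::AccountId}:index/${KendraIndexId}'
            # Object reads in every media bucket. MediaBucketNames is a list
            # parameter; Join/Sub/Split turn [a, b] into
            # [arn:aws:s3:::a/*, arn:aws:s3:::b/*]. Bucket-level actions
            # (ListBucket etc.) are deliberately not granted.
            - Effect: Allow
              Action:
                - s3:GetObject
              Resource: !Split
                - ','
                - !Sub
                  - 'arn:aws:s3:::${inner}/*'
                  - inner: !Join
                      - '/*,arn:aws:s3:::'
                      - !Ref MediaBucketNames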
##Create CodeCommit Repository for the code of the application
Repository:
Type: 'AWS::CodeCommit::Repository'
Properties:
Code:
BranchName: main
S3:
Bucket: '