AWSTemplateFormatVersion: '2010-09-09' Parameters: env: Type: String authRoleArn: Type: String unauthRoleArn: Type: String identityPoolName: Type: String allowUnauthenticatedIdentities: Type: String resourceNameTruncated: Type: String userPoolName: Type: String autoVerifiedAttributes: Type: CommaDelimitedList mfaConfiguration: Type: String mfaTypes: Type: CommaDelimitedList smsAuthenticationMessage: Type: String smsVerificationMessage: Type: String emailVerificationSubject: Type: String emailVerificationMessage: Type: String defaultPasswordPolicy: Type: String passwordPolicyMinLength: Type: Number passwordPolicyCharacters: Type: CommaDelimitedList requiredAttributes: Type: CommaDelimitedList aliasAttributes: Type: CommaDelimitedList userpoolClientGenerateSecret: Type: String userpoolClientRefreshTokenValidity: Type: String userpoolClientWriteAttributes: Type: CommaDelimitedList userpoolClientReadAttributes: Type: CommaDelimitedList userpoolClientLambdaRole: Type: String userpoolClientSetAttributes: Type: String sharedId: Type: String resourceName: Type: String authSelections: Type: String useDefault: Type: String triggers: Type: String userPoolGroupList: Type: CommaDelimitedList serviceName: Type: String usernameCaseSensitive: Type: String parentStack: Type: String breakCircularDependency: Type: String permissions: Type: CommaDelimitedList dependsOn: Type: CommaDelimitedList thirdPartyAuth: Type: String userPoolGroups: Type: String adminQueries: Type: String hostedUI: Type: String authProviders: Type: CommaDelimitedList Conditions: ShouldNotCreateEnvResources: Fn::Equals: - Ref: env - NONE ShouldOutputAppClientSecrets: Fn::Equals: - Ref: userpoolClientGenerateSecret - true Resources: SNSRole: Type: AWS::IAM::Role Properties: RoleName: Fn::If: - ShouldNotCreateEnvResources - wavele5ebb6a53_sns-role - Fn::Join: - '' - - sns - 5ebb6a53 - Fn::Select: - 3 - Fn::Split: - '-' - Ref: AWS::StackName - '-' - Ref: env AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Sid: '' Effect: Allow Principal: Service: cognito-idp.amazonaws.com Action: - sts:AssumeRole Condition: StringEquals: sts:ExternalId: wavele5ebb6a53_role_external_id Policies: - PolicyName: wavele5ebb6a53-sns-policy PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - sns:Publish Resource: '*' UserPool: Type: AWS::Cognito::UserPool UpdateReplacePolicy: Retain Properties: UserPoolName: Fn::If: - ShouldNotCreateEnvResources - Ref: userPoolName - Fn::Join: - '' - - Ref: userPoolName - '-' - Ref: env UsernameConfiguration: CaseSensitive: false Schema: - Name: email Required: true Mutable: true AutoVerifiedAttributes: - email EmailVerificationMessage: Ref: emailVerificationMessage EmailVerificationSubject: Ref: emailVerificationSubject Policies: PasswordPolicy: MinimumLength: Ref: passwordPolicyMinLength RequireLowercase: false RequireNumbers: false RequireSymbols: false RequireUppercase: false AliasAttributes: Ref: aliasAttributes MfaConfiguration: Ref: mfaConfiguration SmsVerificationMessage: Ref: smsVerificationMessage SmsAuthenticationMessage: Ref: smsAuthenticationMessage SmsConfiguration: SnsCallerArn: Fn::GetAtt: - SNSRole - Arn ExternalId: wavele5ebb6a53_role_external_id UserPoolClientWeb: Type: AWS::Cognito::UserPoolClient Properties: ClientName: wavele5ebb6a53_app_clientWeb RefreshTokenValidity: Ref: userpoolClientRefreshTokenValidity UserPoolId: Ref: UserPool DependsOn: UserPool UserPoolClient: Type: AWS::Cognito::UserPoolClient Properties: ClientName: wavele5ebb6a53_app_client GenerateSecret: Ref: userpoolClientGenerateSecret RefreshTokenValidity: Ref: userpoolClientRefreshTokenValidity UserPoolId: Ref: UserPool DependsOn: UserPool UserPoolClientRole: Type: AWS::IAM::Role Properties: RoleName: Fn::If: - ShouldNotCreateEnvResources - Ref: userpoolClientLambdaRole - Fn::Join: - '' - - upClientLambdaRole - 5ebb6a53 - Fn::Select: - 3 - Fn::Split: - '-' - Ref: AWS::StackName - '-' - Ref: env AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - sts:AssumeRole DependsOn: UserPoolClient UserPoolClientLambda: Type: AWS::Lambda::Function Properties: Code: ZipFile: Fn::Join: - '' - - const response = require('cfn-response'); - const aws = require('aws-sdk'); - const identity = new aws.CognitoIdentityServiceProvider(); - exports.handler = (event, context, callback) => { - ' if (event.RequestType == ''Delete'') { ' - ' response.send(event, context, response.SUCCESS, {})' - ' }' - ' if (event.RequestType == ''Update'' || event.RequestType == ''Create'') {' - ' const params = {' - ' ClientId: event.ResourceProperties.clientId,' - ' UserPoolId: event.ResourceProperties.userpoolId' - ' };' - ' identity.describeUserPoolClient(params).promise()' - ' .then((res) => {' - ' response.send(event, context, response.SUCCESS, {''appSecret'': res.UserPoolClient.ClientSecret});' - ' })' - ' .catch((err) => {' - ' response.send(event, context, response.FAILED, {err});' - ' });' - ' }' - '};' Handler: index.handler Runtime: nodejs12.x Timeout: 300 Role: Fn::GetAtt: - UserPoolClientRole - Arn DependsOn: UserPoolClientRole UserPoolClientLambdaPolicy: Type: AWS::IAM::Policy Properties: PolicyName: wavele5ebb6a53_userpoolclient_lambda_iam_policy Roles: - Ref: UserPoolClientRole PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - cognito-idp:DescribeUserPoolClient Resource: Fn::GetAtt: - UserPool - Arn DependsOn: UserPoolClientLambda UserPoolClientLogPolicy: Type: AWS::IAM::Policy Properties: PolicyName: wavele5ebb6a53_userpoolclient_lambda_log_policy Roles: - Ref: UserPoolClientRole PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: Fn::Sub: - >- arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:* - region: Ref: AWS::Region account: Ref: AWS::AccountId lambda: Ref: UserPoolClientLambda DependsOn: UserPoolClientLambdaPolicy UserPoolClientInputs: Type: Custom::LambdaCallout Properties: ServiceToken: Fn::GetAtt: - UserPoolClientLambda - Arn clientId: Ref: UserPoolClient userpoolId: Ref: UserPool DependsOn: UserPoolClientLogPolicy IdentityPool: Type: AWS::Cognito::IdentityPool Properties: IdentityPoolName: Fn::If: - ShouldNotCreateEnvResources - wavelengthlatency5ebb6a53_identitypool_5ebb6a53 - Fn::Join: - '' - - wavelengthlatency5ebb6a53_identitypool_5ebb6a53 - __ - Ref: env CognitoIdentityProviders: - ClientId: Ref: UserPoolClient ProviderName: Fn::Sub: - cognito-idp.${region}.amazonaws.com/${client} - region: Ref: AWS::Region client: Ref: UserPool - ClientId: Ref: UserPoolClientWeb ProviderName: Fn::Sub: - cognito-idp.${region}.amazonaws.com/${client} - region: Ref: AWS::Region client: Ref: UserPool AllowUnauthenticatedIdentities: Ref: allowUnauthenticatedIdentities DependsOn: UserPoolClientInputs IdentityPoolRoleMap: Type: AWS::Cognito::IdentityPoolRoleAttachment Properties: IdentityPoolId: Ref: IdentityPool Roles: unauthenticated: Ref: unauthRoleArn authenticated: Ref: authRoleArn DependsOn: IdentityPool Outputs: IdentityPoolId: Value: Ref: IdentityPool Description: Id for the identity pool IdentityPoolName: Value: Fn::GetAtt: - IdentityPool - Name UserPoolId: Value: Ref: UserPool Description: Id for the user pool UserPoolArn: Value: Fn::GetAtt: - UserPool - Arn Description: Arn for the user pool UserPoolName: Value: Ref: userPoolName AppClientIDWeb: Value: Ref: UserPoolClientWeb Description: The user pool app client id for web AppClientID: Value: Ref: UserPoolClient Description: The user pool app client id AppClientSecret: Value: Fn::GetAtt: - UserPoolClientInputs - appSecret Condition: ShouldOutputAppClientSecrets