# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 AWSTemplateFormatVersion: "2010-09-09" Transform: AWS::Serverless-2016-10-31 Description: > Template to setup cognito as part of bootstrap Parameters: AdminEmailParameter: Type: String Description: "Enter system admin email address" SystemAdminRoleNameParameter: Type: String Description: "Enter the role name for system admin" AdminUserPoolCallbackURLParameter: Type: String Description: "Enter Admin Management userpool call back url" Resources: CognitoUserPool: Type: "AWS::Cognito::UserPool" Properties: UserPoolName: PooledTenant-ServerlessSaaSUserPool AutoVerifiedAttributes: - "email" AccountRecoverySetting: RecoveryMechanisms: - Name: verified_email Priority: 1 AdminCreateUserConfig: InviteMessageTemplate: EmailMessage: !Join - "" - - "Thanks for signing up. " - "You username is {username} and temporary password is {####}" EmailSubject: !Join - "" - - "Your temporary password for tenant UI application" Schema: - AttributeDataType: "String" Name: email Required: True Mutable: True - AttributeDataType: "String" Name: tenantId - AttributeDataType: "String" Name: userRole Required: False Mutable: True CognitoUserPoolClient: Type: "AWS::Cognito::UserPoolClient" Properties: ClientName: ServerlessSaaSClient GenerateSecret: false UserPoolId: !Ref CognitoUserPool AllowedOAuthFlowsUserPoolClient: True AllowedOAuthFlows: - code - implicit SupportedIdentityProviders: - COGNITO CallbackURLs: - https://example.com LogoutURLs: - https://example.com AllowedOAuthScopes: - email - openid - profile WriteAttributes: - "email" - "custom:tenantId" - "custom:userRole" CognitoUserPoolDomain: Type: AWS::Cognito::UserPoolDomain Properties: Domain: !Join ["-", [pooledtenant-serverlesssaas,!Ref "AWS::AccountId"]] UserPoolId: !Ref CognitoUserPool CognitoOperationUsersUserPool: Type: "AWS::Cognito::UserPool" Properties: UserPoolName: OperationUsers-ServerlessSaaSUserPool AutoVerifiedAttributes: - "email" AccountRecoverySetting: RecoveryMechanisms: - Name: verified_email Priority: 1 AdminCreateUserConfig: InviteMessageTemplate: EmailMessage: !Join - "" - - "Login into admin UI application at " - "https://" - !Ref AdminUserPoolCallbackURLParameter - "/" - " with username {username} and temporary password {####}" EmailSubject: !Join - "" - - "Your temporary password for admin UI application" Schema: - AttributeDataType: "String" Name: email Required: True Mutable: True - AttributeDataType: "String" Name: tenantId - AttributeDataType: "String" Name: userRole Required: False Mutable: True CognitoOperationUsersUserPoolClient: Type: "AWS::Cognito::UserPoolClient" Properties: ClientName: ServerlessSaaSOperationUsersPoolClient GenerateSecret: false UserPoolId: !Ref CognitoOperationUsersUserPool AllowedOAuthFlowsUserPoolClient: True AllowedOAuthFlows: - code - implicit SupportedIdentityProviders: - COGNITO CallbackURLs: - !Join ["",["https://", !Ref AdminUserPoolCallbackURLParameter, "/"]] LogoutURLs: - !Join ["",["https://", !Ref AdminUserPoolCallbackURLParameter, "/"]] AllowedOAuthScopes: - email - openid - profile WriteAttributes: - "email" - "custom:tenantId" - "custom:userRole" CognitoOperationUsersUserPoolDomain: Type: AWS::Cognito::UserPoolDomain Properties: Domain: !Join ["-", [operationsusers-serverlesssaas,!Ref "AWS::AccountId"]] UserPoolId: !Ref CognitoOperationUsersUserPool CognitoAdminUserGroup: Type: AWS::Cognito::UserPoolGroup Properties: GroupName: SystemAdmins Description: Admin user group Precedence: 0 UserPoolId: !Ref CognitoOperationUsersUserPool CognitoAdminUser: Type: AWS::Cognito::UserPoolUser Properties: Username: admin DesiredDeliveryMediums: - EMAIL ForceAliasCreation: true UserAttributes: - Name: email Value: !Ref AdminEmailParameter - Name: custom:tenantId Value: system_admins - Name: custom:userRole Value: !Ref SystemAdminRoleNameParameter UserPoolId: !Ref CognitoOperationUsersUserPool CognitoAddUserToGroup: Type: AWS::Cognito::UserPoolUserToGroupAttachment Properties: GroupName: !Ref CognitoAdminUserGroup Username: !Ref CognitoAdminUser UserPoolId: !Ref CognitoOperationUsersUserPool Outputs: CognitoUserPoolId: Value: !Ref CognitoUserPool CognitoUserPoolClientId: Value: !Ref CognitoUserPoolClient CognitoOperationUsersUserPoolId: Value: !Ref CognitoOperationUsersUserPool CognitoOperationUsersUserPoolClientId: Value: !Ref CognitoOperationUsersUserPoolClient CognitoOperationUsersUserPoolProviderURL: Value: !GetAtt CognitoOperationUsersUserPool.ProviderURL CognitoAdminUserGroupName: Value: !Ref CognitoAdminUserGroup