# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0

AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: >
  Template to setup cognito as part of bootstrap
Parameters:
  AdminEmailParameter:
    Type: String
    Description: "Enter system admin email address"
  SystemAdminRoleNameParameter:
    Type: String
    Description: "Enter the role name for system admin"
  AdminUserPoolCallbackURLParameter: 
    Type: String
    Description: "Enter Admin Management userpool call back url"  
Resources:  
  CognitoUserPool:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: PooledTenant-ServerlessSaaSUserPool
      AutoVerifiedAttributes:
        - "email"
      AccountRecoverySetting:
        RecoveryMechanisms:
          - Name: verified_email
            Priority: 1
      AdminCreateUserConfig:      
        InviteMessageTemplate:
          EmailMessage: !Join 
            - "" 
            - - "Thanks for signing up. "
              - "You username is {username} and temporary password is {####}"
          EmailSubject: !Join 
            - "" 
            - - "Your temporary password for tenant UI application"
      Schema:
        - AttributeDataType: "String"
          Name: email
          Required: True
          Mutable: True
        - AttributeDataType: "String"
          Name: tenantId          
        - AttributeDataType: "String"
          Name: userRole
          Required: False
          Mutable: True        
  CognitoUserPoolClient:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      ClientName: ServerlessSaaSClient
      GenerateSecret: false
      UserPoolId: !Ref CognitoUserPool
      AllowedOAuthFlowsUserPoolClient: True
      AllowedOAuthFlows:
        - code
        - implicit
      SupportedIdentityProviders:
        - COGNITO
      CallbackURLs:
        - https://example.com
      LogoutURLs:
        - https://example.com
      AllowedOAuthScopes:
        - email
        - openid
        - profile
      WriteAttributes:
        - "email"
        - "custom:tenantId"
        - "custom:userRole"        
  CognitoUserPoolDomain:
    Type: AWS::Cognito::UserPoolDomain
    Properties:
      Domain: !Join ["-", [pooledtenant-serverlesssaas,!Ref "AWS::AccountId"]]
      UserPoolId: !Ref CognitoUserPool
  CognitoOperationUsersUserPool:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: OperationUsers-ServerlessSaaSUserPool
      AutoVerifiedAttributes:
        - "email"
      AccountRecoverySetting:
        RecoveryMechanisms:
          - Name: verified_email
            Priority: 1
      AdminCreateUserConfig:      
        InviteMessageTemplate:
          EmailMessage: !Join 
            - "" 
            - - "Login into admin UI application at " 
              - "https://"
              - !Ref AdminUserPoolCallbackURLParameter 
              - "/" 
              - " with username {username} and temporary password {####}"
          EmailSubject: !Join 
            - ""
            - - "Your temporary password for admin UI application"  
      Schema:
        - AttributeDataType: "String"
          Name: email
          Required: True
          Mutable: True
        - AttributeDataType: "String"
          Name: tenantId        
        - AttributeDataType: "String"
          Name: userRole
          Required: False
          Mutable: True
  CognitoOperationUsersUserPoolClient:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      ClientName: ServerlessSaaSOperationUsersPoolClient
      GenerateSecret: false
      UserPoolId: !Ref CognitoOperationUsersUserPool
      AllowedOAuthFlowsUserPoolClient: True
      AllowedOAuthFlows:
        - code
        - implicit
      SupportedIdentityProviders:
        - COGNITO
      CallbackURLs:
        - !Join ["",["https://", !Ref AdminUserPoolCallbackURLParameter, "/"]]
      LogoutURLs:  
        - !Join ["",["https://", !Ref AdminUserPoolCallbackURLParameter, "/"]]
      AllowedOAuthScopes:
        - email
        - openid
        - profile
      WriteAttributes:
        - "email"
        - "custom:tenantId"
        - "custom:userRole"        
  CognitoOperationUsersUserPoolDomain:
    Type: AWS::Cognito::UserPoolDomain
    Properties:
      Domain: !Join ["-", [operationsusers-serverlesssaas,!Ref "AWS::AccountId"]]
      UserPoolId: !Ref CognitoOperationUsersUserPool
  CognitoAdminUserGroup:
    Type: AWS::Cognito::UserPoolGroup
    Properties:
      GroupName: SystemAdmins
      Description: Admin user group
      Precedence: 0
      UserPoolId: !Ref CognitoOperationUsersUserPool
  CognitoAdminUser:
    Type: AWS::Cognito::UserPoolUser
    Properties:
      Username: admin
      DesiredDeliveryMediums:
        - EMAIL
      ForceAliasCreation: true
      UserAttributes:
        - Name: email
          Value: !Ref AdminEmailParameter
        - Name: custom:tenantId
          Value: system_admins
        - Name: custom:userRole
          Value: !Ref SystemAdminRoleNameParameter
      UserPoolId: !Ref CognitoOperationUsersUserPool
  CognitoAddUserToGroup:
      Type: AWS::Cognito::UserPoolUserToGroupAttachment
      Properties:
        GroupName: !Ref CognitoAdminUserGroup
        Username: !Ref CognitoAdminUser
        UserPoolId: !Ref CognitoOperationUsersUserPool
        
Outputs:  
  CognitoUserPoolId:
    Value: !Ref CognitoUserPool
  CognitoUserPoolClientId:
    Value: !Ref CognitoUserPoolClient
  CognitoOperationUsersUserPoolId:
    Value: !Ref CognitoOperationUsersUserPool
  CognitoOperationUsersUserPoolClientId:
    Value: !Ref CognitoOperationUsersUserPoolClient
  CognitoOperationUsersUserPoolProviderURL:
    Value: !GetAtt CognitoOperationUsersUserPool.ProviderURL
  CognitoAdminUserGroupName:
    Value: !Ref CognitoAdminUserGroup