{ "AWSTemplateFormatVersion": "2010-09-09", "Parameters": { "env": { "Type": "String" }, "authRoleName": { "Type": "String" }, "unauthRoleName": { "Type": "String" }, "authRoleArn": { "Type": "String" }, "unauthRoleArn": { "Type": "String" }, "allowUnauthenticatedIdentities": { "Type": "String" }, "userPoolName": { "Type": "String" }, "autoVerifiedAttributes": { "Type": "CommaDelimitedList" }, "mfaConfiguration": { "Type": "String" }, "roleName": { "Type": "String" }, "roleExternalId": { "Type": "String" }, "policyName": { "Type": "String" }, "smsVerificationMessage": { "Type": "String" }, "emailVerificationSubject": { "Type": "String" }, "emailVerificationMessage": { "Type": "String" }, "passwordPolicyMinLength": { "Type": "Number" }, "userpoolClientName": { "Type": "String" }, "userpoolClientGenerateSecret": { "Type": "String" }, "userpoolClientRefreshTokenValidity": { "Type": "Number" }, "userpoolClientLambdaRole": { "Type": "String" }, "userpoolClientLogPolicy": { "Type": "String" }, "userpoolClientLambdaPolicy": { "Type": "String" } }, "Conditions": { "ShouldNotCreateEnvResources": { "Fn::Equals": [ { "Ref": "env" }, "NONE" ] } }, "Resources": { "ComprehendAccess": { "Type": "AWS::IAM::ManagedPolicy", "Properties": { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowUsersToUseComprehend", "Effect": "Allow", "Action": [ "comprehend:DetectDominantLanguage", "comprehend:BatchDetectDominantLanguage", "comprehend:DetectEntities", "comprehend:BatchDetectEntities", "comprehend:DetectKeyPhrases", "comprehend:BatchDetectKeyPhrases", "comprehend:DetectSentiment", "comprehend:BatchDetectSentiment", "comprehend:DetectSyntax", "comprehend:BatchDetectSyntax", "comprehend:ClassifyDocument" ], "Resource": "*" } ] }, "Roles": [ { "Ref": "authRoleName" } ] } }, "LambdaExecution": { "Type": "AWS::IAM::ManagedPolicy", "Properties": { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowUsersToInvoke", "Effect": "Allow", "Action": [ 
"lambda:InvokeFunction" ], "Resource": "*" } ] }, "Roles": [ { "Ref": "authRoleName" } ] } }, "DynamoDBReadOnly": { "Type": "AWS::IAM::ManagedPolicy", "Properties": { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowUsersToUseDynamodb", "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:List*", "dynamodb:Describe*", "dynamodb:BatchGetItem" ], "Resource": "*" } ] }, "Roles": [ { "Ref": "authRoleName" } ] } }, "S3ReadOnly": { "Type": "AWS::IAM::ManagedPolicy", "Properties": { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowUsersToUseS3", "Effect": "Allow", "Action": [ "s3:Get*", "s3:List*" ], "Resource": "*" } ] }, "Roles": [ { "Ref": "authRoleName" } ] } }, "SNSRole": { "Type": "AWS::IAM::Role", "Properties": { "RoleName": { "Fn::If": [ "ShouldNotCreateEnvResources", { "Ref": "roleName" }, { "Fn::Join": [ "", [ { "Ref": "roleName" }, "-", { "Ref": "env" } ] ] } ] }, "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "cognito-idp.amazonaws.com" }, "Action": [ "sts:AssumeRole" ], "Condition": { "StringEquals": { "sts:ExternalId": { "Ref": "roleExternalId" } } } } ] }, "Policies": [ { "PolicyName": { "Ref": "policyName" }, "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": "*" } ] } } ] } }, "UserPool": { "Type": "AWS::Cognito::UserPool", "Properties": { "UserPoolName": { "Fn::If": [ "ShouldNotCreateEnvResources", { "Ref": "userPoolName" }, { "Fn::Join": [ "", [ { "Ref": "userPoolName" }, "-", { "Ref": "env" } ] ] } ] }, "Schema": [ { "Name": "email", "Required": true, "Mutable": true } ], "AutoVerifiedAttributes": { "Ref": "autoVerifiedAttributes" }, "EmailVerificationMessage": { "Ref": "emailVerificationMessage" }, "EmailVerificationSubject": { "Ref": "emailVerificationSubject" }, "Policies": { "PasswordPolicy": { 
"MinimumLength": { "Ref": "passwordPolicyMinLength" }, "RequireLowercase": true, "RequireNumbers": true, "RequireSymbols": true, "RequireUppercase": true } }, "MfaConfiguration": { "Ref": "mfaConfiguration" }, "SmsVerificationMessage": { "Ref": "smsVerificationMessage" }, "SmsConfiguration": { "SnsCallerArn": { "Fn::GetAtt": [ "SNSRole", "Arn" ] }, "ExternalId": { "Ref": "roleExternalId" } } } }, "UserPoolClientWeb": { "Type": "AWS::Cognito::UserPoolClient", "Properties": { "ClientName": "cognitocf0c6096_app_clientWeb", "RefreshTokenValidity": { "Ref": "userpoolClientRefreshTokenValidity" }, "UserPoolId": { "Ref": "UserPool" } }, "DependsOn": "UserPool" }, "UserPoolClient": { "Type": "AWS::Cognito::UserPoolClient", "Properties": { "ClientName": { "Ref": "userpoolClientName" }, "GenerateSecret": { "Ref": "userpoolClientGenerateSecret" }, "RefreshTokenValidity": { "Ref": "userpoolClientRefreshTokenValidity" }, "UserPoolId": { "Ref": "UserPool" } }, "DependsOn": "UserPool" }, "UserPoolClientRole": { "Type": "AWS::IAM::Role", "Properties": { "RoleName": { "Fn::If": [ "ShouldNotCreateEnvResources", { "Ref": "userpoolClientLambdaRole" }, { "Fn::Join": [ "", [ { "Ref": "userpoolClientLambdaRole" }, "-", { "Ref": "env" } ] ] } ] }, "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "lambda.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] } ] } }, "DependsOn": "UserPoolClient" }, "UserPoolClientLambda": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "ZipFile": { "Fn::Join": [ "", [ "const response = require('cfn-response');", "const aws = require('aws-sdk');", "const identity = new aws.CognitoIdentityServiceProvider();", "exports.handler = (event, context, callback) => {", " if (event.RequestType == 'Delete') { ", " response.send(event, context, response.SUCCESS, {})", " }", " if (event.RequestType == 'Update' || event.RequestType == 'Create') {", " const params = {", " ClientId: 
event.ResourceProperties.clientId,", " UserPoolId: event.ResourceProperties.userpoolId", " };", " identity.describeUserPoolClient(params).promise()", " .then((res) => {", " response.send(event, context, response.SUCCESS, {'appSecret': res.UserPoolClient.ClientSecret});", " })", " .catch((err) => {", " response.send(event, context, response.FAILURE, {err});", " });", " }", "};" ] ] } }, "Handler": "index.handler", "Runtime": "nodejs12.x", "Timeout": "300", "Role": { "Fn::GetAtt": [ "UserPoolClientRole", "Arn" ] } }, "DependsOn": "UserPoolClientRole" }, "UserPoolClientLambdaPolicy": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": { "Ref": "userpoolClientLambdaPolicy" }, "Roles": [ { "Fn::If": [ "ShouldNotCreateEnvResources", { "Ref": "userpoolClientLambdaRole" }, { "Fn::Join": [ "", [ { "Ref": "userpoolClientLambdaRole" }, "-", { "Ref": "env" } ] ] } ] } ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cognito-idp:DescribeUserPoolClient" ], "Resource": { "Fn::GetAtt": [ "UserPool", "Arn" ] } } ] } }, "DependsOn": "UserPoolClientLambda" }, "UserPoolClientLogPolicy": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": { "Ref": "userpoolClientLogPolicy" }, "Roles": [ { "Fn::If": [ "ShouldNotCreateEnvResources", { "Ref": "userpoolClientLambdaRole" }, { "Fn::Join": [ "", [ { "Ref": "userpoolClientLambdaRole" }, "-", { "Ref": "env" } ] ] } ] } ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": { "Fn::Sub": [ "arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*", { "region": { "Ref": "AWS::Region" }, "account": { "Ref": "AWS::AccountId" }, "lambda": { "Ref": "UserPoolClientLambda" } } ] } } ] } }, "DependsOn": "UserPoolClientLambdaPolicy" }, "UserPoolClientInputs": { "Type": "Custom::LambdaCallout", "Properties": { "ServiceToken": { "Fn::GetAtt": [ 
"UserPoolClientLambda", "Arn" ] }, "clientId": { "Ref": "UserPoolClient" }, "userpoolId": { "Ref": "UserPool" } }, "DependsOn": "UserPoolClientLogPolicy" }, "IdentityPool": { "Type": "AWS::Cognito::IdentityPool", "Properties": { "IdentityPoolName": { "Fn::If": [ "ShouldNotCreateEnvResources", "cognitocf0c6096_identitypool_cf0c6096", { "Fn::Join": [ "", [ "cognitocf0c6096_identitypool_cf0c6096", "__", { "Ref": "env" } ] ] } ] }, "CognitoIdentityProviders": [ { "ClientId": { "Ref": "UserPoolClient" }, "ProviderName": { "Fn::Sub": [ "cognito-idp.${region}.amazonaws.com/${client}", { "region": { "Ref": "AWS::Region" }, "client": { "Ref": "UserPool" } } ] } }, { "ClientId": { "Ref": "UserPoolClientWeb" }, "ProviderName": { "Fn::Sub": [ "cognito-idp.${region}.amazonaws.com/${client}", { "region": { "Ref": "AWS::Region" }, "client": { "Ref": "UserPool" } } ] } } ], "AllowUnauthenticatedIdentities": { "Ref": "allowUnauthenticatedIdentities" } }, "DependsOn": "UserPoolClientInputs" }, "IdentityPoolRoleMap": { "Type": "AWS::Cognito::IdentityPoolRoleAttachment", "Properties": { "IdentityPoolId": { "Ref": "IdentityPool" }, "Roles": { "unauthenticated": { "Ref": "unauthRoleArn" }, "authenticated": { "Ref": "authRoleArn" } } }, "DependsOn": "IdentityPool" } }, "Outputs": { "IdentityPoolId": { "Value": { "Ref": "IdentityPool" }, "Description": "ID of the identity pool" }, "IdentityPoolName": { "Value": { "Fn::GetAtt": [ "IdentityPool", "Name" ] } }, "UserPoolId": { "Value": { "Ref": "UserPool" }, "Description": "ID of the user pool" }, "UserPoolName": { "Value": { "Ref": "userPoolName" } }, "AppClientIDWeb": { "Value": { "Ref": "UserPoolClientWeb" }, "Description": "The user pool app client ID for web" }, "AppClientID": { "Value": { "Ref": "UserPoolClient" }, "Description": "The user pool app client ID" }, "AppClientSecret": { "Value": { "Fn::GetAtt": [ "UserPoolClientInputs", "appSecret" ] } } } }