# Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0

AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: >
  Example stack that shows how to reuse the serverless application with a pre-existing User Pool and Client.
  The pre-existing User Pool Arn and Client ID can be provided to the Auth@Edge application through parameters.

  In this example we're creating the User Pool and Client, and the Auth@Edge application in the same stack in the same region.
  You could instead also use a pre-existing User Pool and Client from a different stack and region.

Parameters:
  EnableSPAMode:
    Type: String
    Description: Set to 'false' to disable SPA-specific features (i.e. when deploying a static site that won't interact with logout/refresh)
    Default: "true"
    AllowedValues:
      - "true"
      - "false"
  OAuthScopes:
    Type: CommaDelimitedList
    Description: The OAuth scopes to request the User Pool to add to the access token JWT
    Default: "phone, email, profile, openid, aws.cognito.signin.user.admin"

Conditions:
  GenerateClientSecret: !Equals
    - EnableSPAMode
    - "false"

Resources:
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: !Ref AWS::StackName
      AdminCreateUserConfig:
        AllowAdminCreateUserOnly: true
      UsernameAttributes:
        - email
  UserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      UserPoolId: !Ref UserPool
      PreventUserExistenceErrors: ENABLED
      GenerateSecret: !If
        - GenerateClientSecret
        - true
        - false
      AllowedOAuthScopes: !Ref OAuthScopes
      AllowedOAuthFlowsUserPoolClient: true
      AllowedOAuthFlows:
        - code
      SupportedIdentityProviders:
        - COGNITO
      CallbackURLs:
        # The following sentinel value will be replaced by Auth@Edge with the CloudFront domain name (if you let Auth@Edge create the CloudFront distribution)
        - https://example.com/will-be-replaced
      LogoutURLs:
        # The following sentinel value will be replaced by Auth@Edge with the CloudFront domain name (if you let Auth@Edge create the CloudFront distribution)
        - https://example.com/will-be-replaced
  UserPoolDomain:
    Type: AWS::Cognito::UserPoolDomain
    Properties:
      Domain: !Sub
        - "auth-${StackIdSuffix}"
        - StackIdSuffix: !Select
            - 2
            - !Split
              - "/"
              - !Ref AWS::StackId
      UserPoolId: !Ref UserPool
  MyLambdaEdgeProtectedSpaSetup:
    Type: AWS::Serverless::Application
    DependsOn: UserPoolDomain
    Properties:
      Location:
        ApplicationId: arn:aws:serverlessrepo:us-east-1:520945424137:applications/cloudfront-authorization-at-edge
        SemanticVersion: 2.1.6
      Parameters:
        UserPoolArn: !GetAtt UserPool.Arn
        UserPoolClientId: !Ref UserPoolClient
        EnableSPAMode: !Ref EnableSPAMode
        CreateCloudFrontDistribution: true
        OAuthScopes: !Join
          - ","
          - !Ref OAuthScopes
Outputs:
  WebsiteUrl:
    Description: URL of the CloudFront distribution that serves your SPA from S3
    Value: !GetAtt MyLambdaEdgeProtectedSpaSetup.Outputs.WebsiteUrl