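# Cognito auth stack (Amplify-style): one user pool, two app clients (a public
# web client and a confidential client that may carry a secret), a custom
# resource that reads that secret back, and an identity pool that federates both
# clients onto the auth/unauth IAM roles supplied by the caller.
#
# Review notes on the original template, addressed here:
#   - The inline custom-resource Lambda used `response.FAILURE`, which the
#     cfn-response module does not export (it exports SUCCESS and FAILED), so
#     every error path sent a response with no Status and the stack hung until
#     the custom-resource timeout instead of failing fast. Fixed to FAILED.
#   - The Lambda ran on nodejs12.x, a runtime Lambda no longer accepts for new
#     functions; moved to nodejs20.x, which bundles AWS SDK v3 (SDK v2 is not
#     bundled there, so the describe call was migrated to the v3 client).
#   - Numeric/date scalars are quoted or typed consistently (YAML 1.1 parsers
#     otherwise read an unquoted 2012-10-17 as a timestamp).
AWSTemplateFormatVersion: "2010-09-09"

Parameters:
  # Deployment environment. The literal value NONE disables the "-<env>" suffix on
  # named IAM roles and on the user pool (see ShouldNotCreateEnvResources).
  env:
    Type: String
  # NOTE(review): the following parameters are accepted for compatibility with the
  # caller (presumably the Amplify CLI) but are not referenced by any resource in
  # this template: authRoleName, unauthRoleName, identityPoolName, thirdPartyAuth,
  # lambdaLogPolicy, openIdLambdaRoleName, openIdRolePolicy, openIdLambdaIAMPolicy,
  # openIdLogPolicy, mfaTypes, smsAuthenticationMessage, defaultPasswordPolicy,
  # passwordPolicyCharacters, requiredAttributes, userpoolClientReadAttributes,
  # mfaLambdaRole, mfaLambdaLogPolicy, mfaPassRolePolicy, mfaLambdaIAMPolicy,
  # userpoolClientSetAttributes, useDefault, resourceName, authSelections.
  authRoleName:
    Type: String
  unauthRoleName:
    Type: String
  # ARNs of the IAM roles mapped to authenticated / unauthenticated identities.
  # Their attached policies define what a signed-in user and (if guest access is
  # enabled) an anonymous caller can do in this account.
  authRoleArn:
    Type: String
  unauthRoleArn:
    Type: String
  identityPoolName:
    Type: String
  # "true"/"false" string; enables guest (unauthenticated) identities on the pool.
  allowUnauthenticatedIdentities:
    Type: String
  thirdPartyAuth:
    Type: String
  lambdaLogPolicy:
    Type: String
  openIdLambdaRoleName:
    Type: String
  openIdRolePolicy:
    Type: String
  openIdLambdaIAMPolicy:
    Type: String
  openIdLogPolicy:
    Type: String
  userPoolName:
    Type: String
  autoVerifiedAttributes:
    Type: CommaDelimitedList
  # OFF / ON / OPTIONAL, passed straight through to the user pool.
  mfaConfiguration:
    Type: String
  mfaTypes:
    Type: CommaDelimitedList
  # Name of the IAM role Cognito assumes to send SMS via SNS.
  roleName:
    Type: String
  # External ID that Cognito must present when assuming the SNS role; used both in
  # the role's trust policy and in the user pool's SmsConfiguration.
  roleExternalId:
    Type: String
  policyName:
    Type: String
  smsAuthenticationMessage:
    Type: String
  smsVerificationMessage:
    Type: String
  emailVerificationSubject:
    Type: String
  emailVerificationMessage:
    Type: String
  defaultPasswordPolicy:
    Type: String
  passwordPolicyMinLength:
    Type: Number
  passwordPolicyCharacters:
    Type: CommaDelimitedList
  requiredAttributes:
    Type: CommaDelimitedList
  userpoolClientName:
    Type: String
  # "true"/"false" string; whether the confidential app client gets a client secret.
  userpoolClientGenerateSecret:
    Type: String
  userpoolClientRefreshTokenValidity:
    Type: Number
  userpoolClientReadAttributes:
    Type: CommaDelimitedList
  mfaLambdaRole:
    Type: String
  mfaLambdaLogPolicy:
    Type: String
  mfaPassRolePolicy:
    Type: String
  mfaLambdaIAMPolicy:
    Type: String
  # Names for the execution role and the two policies of the secret-reading Lambda.
  userpoolClientLambdaRole:
    Type: String
  userpoolClientLogPolicy:
    Type: String
  userpoolClientLambdaPolicy:
    Type: String
  userpoolClientSetAttributes:
    Type: String
  useDefault:
    Type: String
  resourceName:
    Type: String
  authSelections:
    Type: String

Conditions:
  # True when env is the literal NONE: resource names are then used as given,
  # without the "-<env>" suffix, so two such stacks in one account would collide.
  ShouldNotCreateEnvResources: !Equals [!Ref env, NONE]

Resources:
  # BEGIN SNS ROLE RESOURCE
  SNSRole:
    # Assumed by Cognito (cognito-idp.amazonaws.com) to send SMS during MFA and
    # phone verification. The sts:ExternalId condition is the confused-deputy
    # guard: Cognito presents the ExternalId configured on the user pool below, so
    # another account's user pool cannot assume this role just by knowing its ARN.
    Type: AWS::IAM::Role
    Properties:
      RoleName: !If
        - ShouldNotCreateEnvResources
        - !Ref roleName
        - !Join ['', [!Ref roleName, '-', !Ref env]]
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ""
            Effect: "Allow"
            Principal:
              Service: "cognito-idp.amazonaws.com"
            Action:
              - "sts:AssumeRole"
            Condition:
              StringEquals:
                sts:ExternalId: !Ref roleExternalId
      Policies:
        - PolicyName: !Ref policyName
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "sns:Publish"
                # Cognito publishes directly to phone numbers rather than to a
                # topic, so there is no topic ARN this could be narrowed to.
                Resource: "*"

  # BEGIN USER POOL RESOURCES
  UserPool:
    # Depends on SNSRole for the SMS caller ARN.
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: !If
        - ShouldNotCreateEnvResources
        - !Ref userPoolName
        - !Join ['', [!Ref userPoolName, '-', !Ref env]]
      Schema:
        - Name: email
          Required: true
          Mutable: true
      AutoVerifiedAttributes: !Ref autoVerifiedAttributes
      EmailVerificationMessage: !Ref emailVerificationMessage
      EmailVerificationSubject: !Ref emailVerificationSubject
      Policies:
        PasswordPolicy:
          MinimumLength: !Ref passwordPolicyMinLength
          # NOTE(review): the four character-class requirements are hard-coded;
          # the passwordPolicyCharacters parameter is accepted but not applied.
          RequireLowercase: true
          RequireNumbers: true
          RequireSymbols: true
          RequireUppercase: true
      MfaConfiguration: !Ref mfaConfiguration
      SmsVerificationMessage: !Ref smsVerificationMessage
      SmsConfiguration:
        SnsCallerArn: !GetAtt SNSRole.Arn
        # Must match the sts:ExternalId condition on SNSRole's trust policy.
        ExternalId: !Ref roleExternalId

  UserPoolClientWeb:
    # Public app client for browser/mobile code. GenerateSecret is deliberately
    # absent (defaults to false): a secret cannot be protected in client-side code.
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      ClientName: cognitocf0c6096_app_clientWeb
      RefreshTokenValidity: !Ref userpoolClientRefreshTokenValidity
      UserPoolId: !Ref UserPool
    DependsOn: UserPool

  UserPoolClient:
    # Confidential app client; its secret (when generated) is read back by
    # UserPoolClientInputs and surfaced in the AppClientSecret output.
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      ClientName: !Ref userpoolClientName
      GenerateSecret: !Ref userpoolClientGenerateSecret
      RefreshTokenValidity: !Ref userpoolClientRefreshTokenValidity
      UserPoolId: !Ref UserPool
    DependsOn: UserPool

  # BEGIN USER POOL LAMBDA RESOURCES
  UserPoolClientRole:
    # Execution role for the Lambda that reads the app client configuration.
    # Permissions are attached separately (UserPoolClientLambdaPolicy,
    # UserPoolClientLogPolicy) rather than inline.
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !If
        - ShouldNotCreateEnvResources
        - !Ref userpoolClientLambdaRole
        - !Join ['', [!Ref userpoolClientLambdaRole, '-', !Ref env]]
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
    DependsOn: UserPoolClient

  UserPoolClientLambda:
    # Custom-resource handler: calls DescribeUserPoolClient and returns the client
    # secret as the `appSecret` attribute. The secret therefore transits the
    # CloudFormation custom-resource response and is readable via Fn::GetAtt and
    # the stack output below by any principal allowed cloudformation:DescribeStacks
    # on this stack. If downstream consumers did not need it from the outputs, the
    # sixth argument of response.send (noEcho = true) would mask it.
    # NOTE(review): if the client is created without a secret, ClientSecret is
    # absent from the describe result, `appSecret` is dropped from the response
    # data, and the AppClientSecret output's Fn::GetAtt would fail - confirm the
    # caller always sets userpoolClientGenerateSecret to true.
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        ZipFile: |
          const response = require('cfn-response');
          const { CognitoIdentityProviderClient, DescribeUserPoolClientCommand } =
            require('@aws-sdk/client-cognito-identity-provider');
          const identity = new CognitoIdentityProviderClient({});
          exports.handler = (event, context) => {
            // Nothing to tear down: this resource only reads state owned by the client.
            if (event.RequestType === 'Delete') {
              response.send(event, context, response.SUCCESS, {});
              return;
            }
            if (event.RequestType === 'Create' || event.RequestType === 'Update') {
              const params = {
                ClientId: event.ResourceProperties.clientId,
                UserPoolId: event.ResourceProperties.userpoolId,
              };
              identity.send(new DescribeUserPoolClientCommand(params))
                .then((res) => {
                  response.send(event, context, response.SUCCESS, { appSecret: res.UserPoolClient.ClientSecret });
                })
                .catch((err) => {
                  // cfn-response exports FAILED (not FAILURE); String(err) keeps the
                  // message, which JSON.stringify would otherwise drop from an Error.
                  response.send(event, context, response.FAILED, { err: String(err) });
                });
            }
          };
      Handler: index.handler
      Runtime: nodejs20.x
      Timeout: 300
      Role: !GetAtt
        - UserPoolClientRole
        - Arn
    DependsOn: UserPoolClientRole

  UserPoolClientLambdaPolicy:
    # Least-privilege grant for the describe call, scoped to this user pool only.
    # DependsOn is for readable CFN sequencing, not a data dependency.
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: !Ref userpoolClientLambdaPolicy
      Roles:
        - !If
          - ShouldNotCreateEnvResources
          - !Ref userpoolClientLambdaRole
          - !Join ['', [!Ref userpoolClientLambdaRole, '-', !Ref env]]
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'cognito-idp:DescribeUserPoolClient'
            Resource: !GetAtt UserPool.Arn
    DependsOn: UserPoolClientLambda

  UserPoolClientLogPolicy:
    # CloudWatch Logs permissions for the Lambda, scoped to its own log group.
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: !Ref userpoolClientLogPolicy
      Roles:
        - !If
          - ShouldNotCreateEnvResources
          - !Ref userpoolClientLambdaRole
          - !Join ['', [!Ref userpoolClientLambdaRole, '-', !Ref env]]
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'logs:CreateLogGroup'
              - 'logs:CreateLogStream'
              - 'logs:PutLogEvents'
            Resource: !Sub
              - arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*
              - region: !Ref "AWS::Region"
                account: !Ref "AWS::AccountId"
                lambda: !Ref UserPoolClientLambda
    DependsOn: UserPoolClientLambdaPolicy

  UserPoolClientInputs:
    # Invokes UserPoolClientLambda with the client and pool IDs; exposes `appSecret`.
    # Sequenced after the log policy so the first invocation can write its logs.
    Type: 'Custom::LambdaCallout'
    Properties:
      ServiceToken: !GetAtt UserPoolClientLambda.Arn
      clientId: !Ref UserPoolClient
      userpoolId: !Ref UserPool
    DependsOn: UserPoolClientLogPolicy

  # BEGIN IDENTITY POOL RESOURCES
  IdentityPool:
    # Federates both app clients of the user pool. Note the pool name is
    # hard-coded here; the identityPoolName parameter is not used.
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: !If
        - ShouldNotCreateEnvResources
        - 'cognitocf0c6096_identitypool_cf0c6096'
        - !Join ['', ['cognitocf0c6096_identitypool_cf0c6096', '__', !Ref env]]
      CognitoIdentityProviders:
        - ClientId: !Ref UserPoolClient
          ProviderName: !Sub
            - cognito-idp.${region}.amazonaws.com/${client}
            - region: !Ref "AWS::Region"
              client: !Ref UserPool
        - ClientId: !Ref UserPoolClientWeb
          ProviderName: !Sub
            - cognito-idp.${region}.amazonaws.com/${client}
            - region: !Ref "AWS::Region"
              client: !Ref UserPool
      # When true, anonymous callers receive credentials for unauthRoleArn; that
      # role's policies are the guest blast radius.
      AllowUnauthenticatedIdentities: !Ref allowUnauthenticatedIdentities
    DependsOn: UserPoolClientInputs

  IdentityPoolRoleMap:
    # Maps the caller-supplied auth/unauth roles onto the identity pool.
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref IdentityPool
      Roles:
        unauthenticated: !Ref unauthRoleArn
        authenticated: !Ref authRoleArn
    DependsOn: IdentityPool

Outputs:
  IdentityPoolId:
    Value: !Ref 'IdentityPool'
    Description: Id for the identity pool
  IdentityPoolName:
    Value: !GetAtt IdentityPool.Name
  UserPoolId:
    Value: !Ref 'UserPool'
    Description: Id for the user pool
  UserPoolName:
    # NOTE(review): echoes the userPoolName parameter, not the env-suffixed name
    # actually applied when env != NONE; kept as-is for consumer compatibility.
    Value: !Ref userPoolName
  AppClientIDWeb:
    Value: !Ref 'UserPoolClientWeb'
    Description: The user pool app client id for web
  AppClientID:
    Value: !Ref 'UserPoolClient'
    Description: The user pool app client id
  AppClientSecret:
    # Sensitive: readable by anyone who can describe this stack. Keep stack
    # read access correspondingly restricted, or drop this output if unused.
    Value: !GetAtt UserPoolClientInputs.appSecret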