AWSTemplateFormatVersion: 2010-09-09 Transform: AWS::Serverless-2016-10-31 Parameters: DUOIntegrationKey: Type: String Description: DUO ikey (learn more about about generating these keys in DUO Web documentation https://duo.com/docs/duoweb) NoEcho: true DUOSecretKey: Type: String Description: DUO secret key NoEcho: true DUOAKey: Type: String Description: DUO akey (random string that you can generate for your application) NoEcho: true Resources: UserPool: Type: AWS::Cognito::UserPool Properties: AdminCreateUserConfig: AllowAdminCreateUserOnly: false UserPoolName: !Sub ${AWS::StackName}-UserPool AutoVerifiedAttributes: - email LambdaConfig: DefineAuthChallenge: !GetAtt DefineAuthChallenge.Arn CreateAuthChallenge: !GetAtt CreateAuthChallenge.Arn VerifyAuthChallengeResponse: !GetAtt VerifyAuthChallenge.Arn UserPoolClient: Type: AWS::Cognito::UserPoolClient Properties: ClientName: my-app GenerateSecret: false UserPoolId: !Ref UserPool ExplicitAuthFlows: - ALLOW_CUSTOM_AUTH - ALLOW_REFRESH_TOKEN_AUTH - ALLOW_USER_SRP_AUTH WriteAttributes: - email - name ReadAttributes: - email - name LambdaExecutionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - sts:AssumeRole Path: "/" Policies: - PolicyName: root PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents - xray:PutTraceSegments - xray:PutTelemetryRecords Resource: - "*" DuoKeysSecret: Type: 'AWS::SecretsManager::Secret' Properties: Name: !Sub ${AWS::StackName}-duo-keys Description: Duo keys SecretString: Fn::Join: - '' - - '{"duo-ikey":"' - !Ref DUOIntegrationKey - '","duo-skey":"' - !Ref DUOSecretKey - '","duo-akey":"' - !Ref DUOAKey - '"}' DuoKeysSecretPolicy: Type: 'AWS::SecretsManager::ResourcePolicy' Properties: SecretId: !Ref DuoKeysSecret ResourcePolicy: Version: 2012-10-17 Statement: - Resource: '*' Action: 'secretsmanager:GetSecretValue' Effect: Allow Principal: AWS: !GetAtt LambdaExecutionRole.Arn DefineAuthChallenge: Type: AWS::Serverless::Function Properties: FunctionName: !Sub ${AWS::StackName}-DefineAuthChallenge Role: !GetAtt LambdaExecutionRole.Arn CodeUri: s3://duomfa-with-amazon-cognito/DefineAuthChallenge Handler: index.handler Runtime: nodejs12.x MemorySize: 1024 Timeout: 30 Tracing: Active DefineAuthChallengePermission: Type: AWS::Lambda::Permission Properties: FunctionName: !GetAtt DefineAuthChallenge.Arn Principal: cognito-idp.amazonaws.com Action: lambda:InvokeFunction SourceArn: !GetAtt UserPool.Arn CreateAuthChallenge: Type: AWS::Serverless::Function Properties: FunctionName: !Sub ${AWS::StackName}-CreateAuthChallenge Role: !GetAtt LambdaExecutionRole.Arn CodeUri: s3://duomfa-with-amazon-cognito/CreateAuthChallenge Handler: index.handler Runtime: nodejs12.x MemorySize: 1024 Timeout: 30 Tracing: Active Environment: Variables: DUO_SECRET: !Sub ${AWS::StackName}-duo-keys CreateAuthChallengePermission: Type: AWS::Lambda::Permission Properties: FunctionName: !GetAtt CreateAuthChallenge.Arn Principal: cognito-idp.amazonaws.com Action: lambda:InvokeFunction SourceArn: !GetAtt UserPool.Arn VerifyAuthChallenge: Type: AWS::Serverless::Function Properties: FunctionName: !Sub ${AWS::StackName}-VerifyAuthChallenge Role: !GetAtt LambdaExecutionRole.Arn CodeUri: s3://duomfa-with-amazon-cognito/VerifyAuthChallenge Handler: index.handler Runtime: nodejs12.x MemorySize: 1024 Timeout: 30 Tracing: Active Environment: Variables: DUO_SECRET: !Sub ${AWS::StackName}-duo-keys VerifyAuthChallengePermission: Type: AWS::Lambda::Permission Properties: FunctionName: !GetAtt VerifyAuthChallenge.Arn Principal: cognito-idp.amazonaws.com Action: lambda:InvokeFunction SourceArn: !GetAtt UserPool.Arn Outputs : UserPoolId: Value: !Ref 'UserPool' AppClientID: Value: !Ref 'UserPoolClient'