# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0

AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: >
  Template to setup cognito as part of bootstrap
Parameters:
  AdminEmailParameter:
    Type: String
    Description: "Enter system admin email address"
  SystemAdminRoleNameParameter:
    Type: String
    Description: "Enter the role name for system admin"
  AdminUserPoolCallbackURLParameter: 
    Type: String
    Description: "Enter Admin Management userpool call back url"
Resources:
  CognitoUserPool:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: PooledTenant-MLaaSUserPool
      AutoVerifiedAttributes:
        - "email"
      AccountRecoverySetting:
        RecoveryMechanisms:
          - Name: verified_email
            Priority: 1
      Schema:
        - AttributeDataType: "String"
          Name: email
          Required: True
          Mutable: True
        - AttributeDataType: "String"
          Name: tenantId          
        - AttributeDataType: "String"
          Name: userRole
          Required: False
          Mutable: True        
  CognitoUserPoolClient:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      ClientName: MLaaSClient
      ExplicitAuthFlows: 
        - ALLOW_CUSTOM_AUTH
        - ALLOW_USER_PASSWORD_AUTH
        - ALLOW_USER_SRP_AUTH
        - ALLOW_REFRESH_TOKEN_AUTH
      GenerateSecret: false
      UserPoolId: !Ref CognitoUserPool
      AllowedOAuthFlowsUserPoolClient: True
      AllowedOAuthFlows:
        - implicit
      SupportedIdentityProviders:
        - COGNITO
      CallbackURLs:
        - !Join ["",["https://","example.com", "/"]]
      AllowedOAuthScopes:
        - email
        - openid
        - profile
      WriteAttributes:
        - "email"
        - "custom:tenantId"
        - "custom:userRole"        
  CognitoUserPoolDomain:
    Type: AWS::Cognito::UserPoolDomain
    Properties:
      Domain: !Join ["-", [pooledtenant-mlaas,!Ref "AWS::AccountId"]]
      UserPoolId: !Ref CognitoUserPool

  CognitoOperationUsersUserPool:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: OperationUsers-MLaaSUserPool
      AutoVerifiedAttributes:
        - "email"
      AccountRecoverySetting:
        RecoveryMechanisms:
          - Name: verified_email
            Priority: 1
      AdminCreateUserConfig:      
        InviteMessageTemplate:
          EmailMessage: !Join 
            - "" 
            - - "Login into admin UI application at " 
              - "https://"
              - !Ref AdminUserPoolCallbackURLParameter 
              - "/" 
              - " with username {username} and temporary password {####}"
          EmailSubject: !Join 
            - ""
            - - "Your temporary password for admin UI application"  
      Schema:
        - AttributeDataType: "String"
          Name: email
          Required: True
          Mutable: True
        - AttributeDataType: "String"
          Name: tenantId        
        - AttributeDataType: "String"
          Name: userRole
          Required: False
          Mutable: True  
  CognitoOperationUsersUserPoolClient:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      ClientName: MLaaSOperationUsersPoolClient
      GenerateSecret: false
      UserPoolId: !Ref CognitoOperationUsersUserPool
      AllowedOAuthFlowsUserPoolClient: True
      AllowedOAuthFlows:
        - code
        - implicit
      SupportedIdentityProviders:
        - COGNITO
      CallbackURLs:
        - !Join ["",["https://", !Ref AdminUserPoolCallbackURLParameter, "/"]]
      LogoutURLs:  
        - !Join ["",["https://", !Ref AdminUserPoolCallbackURLParameter, "/"]]
      AllowedOAuthScopes:
        - email
        - openid
        - profile
      WriteAttributes:
        - "email"
        - "custom:tenantId"
        - "custom:userRole"
  CognitoOperationUsersUserPoolDomain:
    Type: AWS::Cognito::UserPoolDomain
    Properties:
      Domain: !Join ["-", [operationsusers-mlaas,!Ref "AWS::AccountId"]]
      UserPoolId: !Ref CognitoOperationUsersUserPool
  CognitoAdminUserGroup:
    Type: AWS::Cognito::UserPoolGroup
    Properties:
      GroupName: SystemAdmins
      Description: Admin user group
      Precedence: 0
      UserPoolId: !Ref CognitoOperationUsersUserPool
  CognitoAdminUser:
    Type: AWS::Cognito::UserPoolUser
    Properties:
      Username: admin
      DesiredDeliveryMediums:
        - EMAIL
      ForceAliasCreation: true
      UserAttributes:
        - Name: email
          Value: !Ref AdminEmailParameter
        - Name: custom:tenantId
          Value: system_admins
        - Name: custom:userRole
          Value: !Ref SystemAdminRoleNameParameter
      UserPoolId: !Ref CognitoOperationUsersUserPool
  CognitoAddUserToGroup:
      Type: AWS::Cognito::UserPoolUserToGroupAttachment
      Properties:
        GroupName: !Ref CognitoAdminUserGroup
        Username: !Ref CognitoAdminUser
        UserPoolId: !Ref CognitoOperationUsersUserPool
        
Outputs:
  CognitoUserPoolId:
    Value: !Ref CognitoUserPool
  CognitoUserPoolClientId:
    Value: !Ref CognitoUserPoolClient
  CognitoOperationUsersUserPoolId:
    Value: !Ref CognitoOperationUsersUserPool
  CognitoOperationUsersUserPoolClientId:
    Value: !Ref CognitoOperationUsersUserPoolClient
  CognitoOperationUsersUserPoolProviderURL:
    Value: !GetAtt CognitoOperationUsersUserPool.ProviderURL
  CognitoAdminUserGroupName:
    Value: !Ref CognitoAdminUserGroup