AWSTemplateFormatVersion: "2010-09-09" Parameters: S3BucketAssets: Type: String Description: You can update this value if you have changed the original code CognitoUserPoolId: Type: String Description: UserPool Id to be modified CognitoCustomerPortalClientId: Type: String Description: Customer App Client Id to be modified CallbackLogOutCustomerURL: Type: String Description: "CallBackURL and LogOutURL for Customer App Client Settings" CognitoAgentPortalClientId: Type: String Description: Agent App Client Id to be modified CallbackLogOutAgentURL: Type: String Description: "CallBackURL and LogOutURL for Agent App Client Settings" Resources: IAMRoleLambdaCFNCognito: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: sts:AssumeRole Principal: Service: lambda.amazonaws.com Policies: - PolicyName: WriteCloudWatchLogs PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: arn:aws:logs:*:*:* - PolicyName: UpdateUserPoolClient PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: cognito-idp:UpdateUserPoolClient Resource: arn:aws:cognito-idp:*:*:userpool/* - PolicyName: ManageUserPoolDomain PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: cognito-idp:CreateUserPoolDomain Resource: arn:aws:cognito-idp:*:*:userpool/* - Effect: Allow Action: cognito-idp:DeleteUserPoolDomain Resource: arn:aws:cognito-idp:*:*:userpool/* - Effect: Allow Action: cognito-idp:DescribeUserPoolDomain Resource: arn:aws:cognito-idp:*:*:userpool/* - PolicyName: InvokeLambdaFunction PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: lambda:InvokeFunction Resource: arn:aws:lambda:*:*:function:* LambdaCustomResourceSendResponse: Type: AWS::Lambda::Function Properties: Runtime: nodejs14.x Code: S3Bucket: !Ref S3BucketAssets S3Key: lambda-functions/customResourceResponse.zip Handler: index.handler Role: Fn::GetAtt: - IAMRoleLambdaCFNCognito - Arn LambdaCustomResourceUserPoolAppClientSettings: Type: AWS::Lambda::Function Properties: Environment: Variables: "LAMBDA_SEND_FUNCTION": !Ref LambdaCustomResourceSendResponse Runtime: nodejs14.x Code: S3Bucket: !Ref S3BucketAssets S3Key: lambda-functions/cognitoUserPoolClientSettings.zip Handler: CloudFormationCognitoUserPoolClientSettings.handler Role: Fn::GetAtt: - IAMRoleLambdaCFNCognito - Arn CustomResourceAppClientSettingsCustomer: Type: Custom::CognitoUserPoolClientSettings Properties: ServiceToken: Fn::GetAtt: - LambdaCustomResourceUserPoolAppClientSettings - Arn UserPoolId: !Ref CognitoUserPoolId UserPoolClientId: !Ref CognitoCustomerPortalClientId SupportedIdentityProviders: - COGNITO CallbackURL: !Sub "https://${CallbackLogOutCustomerURL}" LogoutURL: !Sub "https://${CallbackLogOutCustomerURL}" AllowedOAuthFlowsUserPoolClient: true AllowedOAuthFlows: - implicit AllowedOAuthScopes: - aws.cognito.signin.user.admin - phone - email - openid - profile CustomResourceAppClientSettingsAgent: Type: Custom::CognitoUserPoolClientSettings Properties: ServiceToken: Fn::GetAtt: - LambdaCustomResourceUserPoolAppClientSettings - Arn UserPoolId: !Ref CognitoUserPoolId UserPoolClientId: !Ref CognitoAgentPortalClientId SupportedIdentityProviders: - COGNITO CallbackURL: !Sub "https://${CallbackLogOutAgentURL}" LogoutURL: !Sub "https://${CallbackLogOutAgentURL}" AllowedOAuthFlowsUserPoolClient: true AllowedOAuthFlows: - implicit AllowedOAuthScopes: - aws.cognito.signin.user.admin - phone - email - openid - profile