AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Cognito user pool with hosted domain

Parameters:
  AppName:
    Type: String
    Description: Name of the application
  ClientDomains:
    Type: CommaDelimitedList
    Description: Array of domains allowed to use this UserPool
  AdminEmail:
    Type: String
    Description: Email address for administrator
  AddGroupsToScopes:
    Type: String
    AllowedValues:
      - 'true'
      - 'false'
    Default: 'false'

Conditions:
  ScopeGroups:
    !Equals [!Ref AddGroupsToScopes, 'true']

Resources:
  UserPool:
    Type: AWS::Cognito::UserPool 
    Properties: 
      UserPoolName: !Sub ${AppName}-UserPool 
      Policies: 
        PasswordPolicy: 
          MinimumLength: 8
      AutoVerifiedAttributes:
        - email
      UsernameAttributes: 
        - email
      Schema: 
        - AttributeDataType: String 
          Name: email 
          Required: false

  UserPoolClient:
    Type: AWS::Cognito::UserPoolClient 
    Properties: 
      UserPoolId: !Ref UserPool 
      ClientName: !Sub ${AppName}-UserPoolClient 
      GenerateSecret: false # set to false for web clients
      SupportedIdentityProviders:
        - COGNITO
      CallbackURLs: !Ref ClientDomains
      LogoutURLs: !Ref ClientDomains
      AllowedOAuthFlowsUserPoolClient: true
      AllowedOAuthFlows:
        - code
        - implicit #for testing with postman
      AllowedOAuthScopes:
        - email
        - openid
        - profile

  UserPoolDomain:
    Type: AWS::Cognito::UserPoolDomain
    Properties: 
      Domain: !Sub ${AppName}-${AWS::AccountId}
      UserPoolId: !Ref UserPool

  AdminUserGroup:
    Type: AWS::Cognito::UserPoolGroup
    Properties: 
      GroupName: Admins
      Description: Admin user group
      Precedence: 0
      UserPoolId: !Ref UserPool

  AdminUser:
    Type: AWS::Cognito::UserPoolUser
    Properties:
      Username: !Ref AdminEmail
      DesiredDeliveryMediums: 
        - EMAIL
      ForceAliasCreation: true
      UserAttributes: 
        - Name: email
          Value: !Ref AdminEmail
      UserPoolId: !Ref UserPool

  TriggerFunction:
    Type: AWS::Serverless::Function
    Condition: ScopeGroups
    Properties:
      Timeout: 5
      Handler: app.lambdaHandler
      Runtime: nodejs12.x
      CodeUri: src/
      Events:
        CognitoTrigger:
          Type: Cognito
          Properties:
            Trigger: PreTokenGeneration
            UserPool: !Ref UserPool
    

  AddUserToGroup:
    Type: AWS::Cognito::UserPoolUserToGroupAttachment
    Properties: 
      GroupName: !Ref AdminUserGroup
      Username: !Ref AdminUser
      UserPoolId: !Ref UserPool
    
Outputs:
    UserPoolId:
      Description: "User pool ID"
      Value: !Ref UserPool
      Export:
        Name: !Sub ${AppName}:UserPoolId

    UserPoolClientId:
      Description: "Application client ID"
      Value: !Ref UserPoolClient

    AuthUrl:
      Description: "URL used for authentication"
      Value: !Sub https://${UserPoolDomain}.auth.${AWS::Region}.amazoncognito.com