AWSTemplateFormatVersion: 2010-09-09 Description: 'Stack to setup elasticsearch service' Transform: - AWS::Serverless-2016-10-31 Parameters: DOMAINNAME: Description: Name for the Amazon ES domain that this template will create. Domain names must start with a lowercase letter and must be between 3 and 28 characters. Valid characters are a-z (lowercase only), 0-9. Type: String Default: apollodocumentsearch CognitoAdminEmail: Type: String Default: abc@xyz.com AllowedPattern: ^\w+([\.-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,3})+$ Description: E-mail address of the Cognito admin name Mappings: SourceCode: General: S3Bucket: solutions KeyPrefix: centralized-logging/v2.2.0 Resources: UserPool: Type: AWS::Cognito::UserPool Properties: UserPoolName: Fn::Sub: ${DOMAINNAME}_kibana_access AutoVerifiedAttributes: - email MfaConfiguration: 'OFF' EmailVerificationSubject: Ref: AWS::StackName Schema: - Name: name AttributeDataType: String Mutable: true Required: true - Name: email AttributeDataType: String Mutable: false Required: true UserPoolGroup: Type: AWS::Cognito::UserPoolGroup Properties: Description: User pool group for Kibana access GroupName: Fn::Sub: ${DOMAINNAME}_kibana_access_group Precedence: 0 UserPoolId: Ref: UserPool UserPoolClient: Type: AWS::Cognito::UserPoolClient Properties: ClientName: Fn::Sub: ${DOMAINNAME}-client GenerateSecret: false UserPoolId: Ref: UserPool IdentityPool: Type: AWS::Cognito::IdentityPool Properties: IdentityPoolName: Fn::Sub: ${DOMAINNAME}Identity AllowUnauthenticatedIdentities: true CognitoIdentityProviders: - ClientId: Ref: UserPoolClient ProviderName: Fn::GetAtt: - UserPool - ProviderName CognitoUnAuthorizedRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Federated: cognito-identity.amazonaws.com Action: - sts:AssumeRoleWithWebIdentity Condition: StringEquals: cognito-identity.amazonaws.com:aud: Ref: IdentityPool ForAnyValue:StringLike: cognito-identity.amazonaws.com:amr: unauthenticated Policies: - PolicyName: CognitoUnauthorizedPolicy PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - mobileanalytics:PutEvents - cognito-sync:BulkPublish - cognito-sync:DescribeIdentityPoolUsage - cognito-sync:GetBulkPublishDetails - cognito-sync:GetCognitoEvents - cognito-sync:GetIdentityPoolConfiguration - cognito-sync:ListIdentityPoolUsage - cognito-sync:SetCognitoEvents - congito-sync:SetIdentityPoolConfiguration Resource: Fn::Sub: arn:aws:cognito-identity:${AWS::Region}:${AWS::AccountId}:identitypool/${IdentityPool} CognitoAuthorizedRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Federated: cognito-identity.amazonaws.com Action: - sts:AssumeRoleWithWebIdentity Condition: StringEquals: cognito-identity.amazonaws.com:aud: Ref: IdentityPool ForAnyValue:StringLike: cognito-identity.amazonaws.com:amr: authenticated Policies: - PolicyName: CognitoAuthorizedPolicy PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - mobileanalytics:PutEvents - cognito-sync:BulkPublish - cognito-sync:DescribeIdentityPoolUsage - cognito-sync:GetBulkPublishDetails - cognito-sync:GetCognitoEvents - cognito-sync:GetIdentityPoolConfiguration - cognito-sync:ListIdentityPoolUsage - cognito-sync:SetCognitoEvents - congito-sync:SetIdentityPoolConfiguration - cognito-identity:DeleteIdentityPool - cognito-identity:DescribeIdentityPool - cognito-identity:GetIdentityPoolRoles - cognito-identity:GetOpenIdTokenForDeveloperIdentity - cognito-identity:ListIdentities - cognito-identity:LookupDeveloperIdentity - cognito-identity:MergeDeveloperIdentities - cognito-identity:UnlikeDeveloperIdentity - cognito-identity:UpdateIdentityPool Resource: Fn::Sub: arn:aws:cognito-identity:${AWS::Region}:${AWS::AccountId}:identitypool/${IdentityPool} CognitoESAccessRole: Type: AWS::IAM::Role Properties: ManagedPolicyArns: - arn:aws:iam::aws:policy/AmazonESCognitoAccess AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: es.amazonaws.com Action: - sts:AssumeRole IdentityPoolRoleMapping: Type: AWS::Cognito::IdentityPoolRoleAttachment Properties: IdentityPoolId: Ref: IdentityPool Roles: authenticated: Fn::GetAtt: - CognitoAuthorizedRole - Arn unauthenticated: Fn::GetAtt: - CognitoUnAuthorizedRole - Arn AdminUser: Type: AWS::Cognito::UserPoolUser Properties: DesiredDeliveryMediums: - EMAIL UserAttributes: - Name: email Value: Ref: CognitoAdminEmail Username: Ref: CognitoAdminEmail UserPoolId: Ref: UserPool SetupESCognito: Type: Custom::SetupESCognito Version: 1.0 Properties: ServiceToken: Fn::GetAtt: - LambdaESCognito - Arn Domain: Ref: DOMAINNAME CognitoDomain: Fn::Sub: ${DOMAINNAME}-${AWS::AccountId} UserPoolId: Ref: UserPool IdentityPoolId: Ref: IdentityPool RoleArn: Fn::GetAtt: - CognitoESAccessRole - Arn LambdaESCognito: Type: AWS::Lambda::Function Properties: Description: Centralized Logging - Lambda function to enable cognito authentication for kibana Environment: Variables: LOG_LEVEL: INFO Handler: index.handler Runtime: nodejs12.x Timeout: 600 Role: Fn::GetAtt: - LambdaESCognitoRole - Arn Code: S3Bucket: Fn::Join: - '-' - - Fn::FindInMap: - SourceCode - General - S3Bucket - Ref: AWS::Region S3Key: Fn::Join: - / - - Fn::FindInMap: - SourceCode - General - KeyPrefix - clog-auth.zip LambdaESCognitoRole: Type: AWS::IAM::Role DependsOn: ElasticsearchDomain Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - sts:AssumeRole Path: / Policies: - PolicyName: root PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: arn:aws:logs:*:*:* - Effect: Allow Action: - es:UpdateElasticsearchDomainConfig Resource: Fn::Sub: arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${DOMAINNAME} - Effect: Allow Action: - cognito-idp:CreateUserPoolDomain - cognito-idp:DeleteUserPoolDomain Resource: Fn::GetAtt: - UserPool - Arn - Effect: Allow Action: - iam:PassRole Resource: Fn::GetAtt: - CognitoESAccessRole - Arn ElasticsearchDomain: Type: AWS::Elasticsearch::Domain Properties: DomainName: Ref: DOMAINNAME ElasticsearchVersion: '6.3' ElasticsearchClusterConfig: InstanceCount: '1' InstanceType: t2.small.elasticsearch EBSOptions: EBSEnabled: true Iops: 0 VolumeSize: 10 VolumeType: gp2 SnapshotOptions: AutomatedSnapshotStartHour: '0' AccessPolicies: Version: '2012-10-17' Statement: - Action: es:* Principal: AWS: Fn::Sub: - arn:aws:sts::${AWS::AccountId}:assumed-role/${AuthRole}/CognitoIdentityCredentials - AuthRole: Ref: CognitoAuthorizedRole Effect: Allow Resource: Fn::Sub: arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${DOMAINNAME}/* Outputs: ElasticsearchDomain: Description: Elasticsearch domain URL Value: Fn::Sub: https://${ElasticsearchDomain.DomainEndpoint}/ KibanaLoginURL: Description: Kibana login URL Value: Fn::Sub: https://${ElasticsearchDomain.DomainEndpoint}/_plugin/kibana/