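---
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Creates a Cognito User Pool for the Wild Rydes serverless web application
  workshop

Parameters:
  WebsiteBucket:
    Type: String
    Description: The name for the bucket hosting your website, e.g. 'wildrydes-yourname.'

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: "Module 1 Details"
        Parameters:
          - WebsiteBucket
    ParameterLabels:
      WebsiteBucket:
        default: "Website Bucket Name"

Resources:
  # User directory for the workshop. Users sign in with their e-mail address,
  # and Cognito verifies that address automatically at sign-up.
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: WildRydes
      AliasAttributes:
        - email
      AutoVerifiedAttributes:
        - email

  # App client used by the static website. No client secret is generated
  # because code running in a browser cannot keep one confidential.
  UserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      ClientName: WildRydesWeb
      UserPoolId: !Ref UserPool
      GenerateSecret: false

  # Custom resource that writes js/config.js into the website bucket so the
  # front end learns the pool id, client id and region. Every property below
  # arrives in the Lambda event as ResourceProperties.
  UpdateConfig:
    Type: "Custom::ConfigFile"
    Properties:
      ServiceToken: !GetAtt UpdateConfigFunction.Arn
      UserPool: !Ref UserPool
      Client: !Ref UserPoolClient
      Region: !Ref "AWS::Region"
      Bucket: !Ref WebsiteBucket

  # Execution role for UpdateConfigFunction; only the Lambda service may
  # assume it.
  CognitoConfigRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /wildrydes/
      AssumeRolePolicyDocument:
        # Quoted on purpose: an unquoted 2012-10-17 is retyped to a date by
        # YAML 1.1 loaders such as PyYAML.
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: CognitoConfig
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: Logging
                Effect: Allow
                Action:
                  - "logs:CreateLogGroup"
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                Resource: "*"
              # NOTE(review): the inline handler below never calls cognito-idp;
              # this statement grants create/delete on every user pool and
              # client in the account and is a least-privilege candidate for
              # removal once confirmed unused by the rest of the workshop.
              - Sid: Cognito
                Effect: Allow
                Action:
                  - "cognito-idp:CreateUserPool"
                  - "cognito-idp:DeleteUserPool"
                  - "cognito-idp:CreateUserPoolClient"
                  - "cognito-idp:DeleteUserPoolClient"
                Resource: "*"
              # Write access is scoped to objects inside the website bucket.
              # NOTE(review): the handler only calls put(Body=...), so the two
              # *Acl actions look unused and could be dropped.
              - Sid: ConfigBucketWriteAccess
                Effect: Allow
                Action:
                  - "s3:PutObject"
                  - "s3:PutObjectAcl"
                  - "s3:PutObjectVersionAcl"
                Resource:
                  - !Sub "arn:aws:s3:::${WebsiteBucket}/*"

  # Backs the Custom::ConfigFile resource above. The handler reports back to
  # CloudFormation through the cfnresponse module that the ZipFile packaging
  # provides.
  UpdateConfigFunction:
    Type: AWS::Lambda::Function
    Properties:
      Description: Updates object on S3 for client-side configuration
      Handler: index.handler
      # python2.7 can no longer be used for Lambda functions, so the handler
      # is written for Python 3 (print() calls) and pinned to a current runtime.
      Runtime: python3.12
      Role: !GetAtt CognitoConfigRole.Arn
      Timeout: 120
      Code:
        ZipFile: |
          import json
          import boto3
          import cfnresponse

          s3 = boto3.resource('s3')


          def create(properties, physical_id):
              """Render js/config.js into the website bucket.

              properties: the ResourceProperties mapping (UserPool, Client,
              Region, Bucket). Returns (status, physical_id); the physical id
              is left as None so CloudFormation assigns one.
              """
              userPoolId = properties['UserPool']
              clientId = properties['Client']
              region = properties['Region']
              bucket = properties['Bucket']
              config_content = """
          var _config = {
            cognito: {
              userPoolId: '%s', // e.g. us-east-2_uXboG5pAb
              userPoolClientId: '%s', // e.g. 25ddkmj4v6hfsfvruhpfi7n4hv
              region: '%s', // e.g. us-east-2
            },
            api: {
              invokeUrl: '', // Base URL of your API including the stage, e.g. 'https://rc7nyt4tql.execute-api.us-west-2.amazonaws.com/prod'
            }
          };
          """
              config_content = config_content % (userPoolId, clientId, region)
              config = s3.Object(bucket, 'js/config.js')
              config.put(Body=config_content)
              return cfnresponse.SUCCESS, None


          def update(properties, physical_id):
              """An update simply re-renders the file with the new properties."""
              return create(properties, physical_id)


          def delete(properties, physical_id):
              """Deletion is a no-op: js/config.js is left in the bucket."""
              return cfnresponse.SUCCESS, physical_id


          def handler(event, context):
              """Dispatch on RequestType and always answer CloudFormation.

              The whole event is logged; it carries the pool id, client id,
              region and bucket name but no secret (the client has none).
              Any exception is reported as FAILED rather than propagated so
              the stack does not hang waiting for a response.
              """
              print("Received event: %s" % json.dumps(event))
              status = cfnresponse.FAILED
              new_physical_id = None
              try:
                  properties = event.get('ResourceProperties')
                  physical_id = event.get('PhysicalResourceId')
                  # Unknown request types fall through to a FAILED response.
                  status, new_physical_id = {
                      'Create': create,
                      'Update': update,
                      'Delete': delete
                  }.get(event['RequestType'], lambda x, y: (cfnresponse.FAILED, None))(properties, physical_id)
              except Exception as e:
                  print("Exception: %s" % e)
                  status = cfnresponse.FAILED
              finally:
                  cfnresponse.send(event, context, status, {}, new_physical_id)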