{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Root stack for the Amplify AWS CloudFormation provider",
"Parameters": {
"DeploymentBucketName": {
"Description": "Name of the common deployment bucket provided by the parent stack",
"Type": "String",
"Default": "DeploymentBucket"
},
"AuthRoleName": {
"Type": "String",
"Default": "AuthRoleName"
},
"UnauthRoleName": {
"Type": "String",
"Default": "UnauthRoleName"
}
},
"Resources": {
"DeploymentBucket": {
"Type": "AWS::S3::Bucket",
"DeletionPolicy": "Retain",
"Properties": {
"BucketName": {
"Ref": "DeploymentBucketName"
}
}
},
"AuthRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": {
"Ref": "AuthRoleName"
},
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Deny",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity"
}
]
}
}
},
"UnauthRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": {
"Ref": "UnauthRoleName"
},
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Deny",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity"
}
]
}
}
},
"hostingS3AndCloudFront": {
"Type": "AWS::CloudFormation::Stack",
"Properties": {
"TemplateURL": "https://s3.amazonaws.com/amplify-hpiot-react-hpiot-162610-deployment/amplify-cfn-templates/hosting/template.json",
"Parameters": {
"bucketName": "hpiot-react",
"env": "hpiot"
}
}
},
"authhpiotreact8c9024fb": {
"Type": "AWS::CloudFormation::Stack",
"Properties": {
"TemplateURL": "https://s3.amazonaws.com/amplify-hpiot-react-hpiot-162610-deployment/amplify-cfn-templates/auth/hpiotreact8c9024fb-cloudformation-template.yml",
"Parameters": {
"identityPoolName": "hpiotwebapp78e5977f_identitypool_78e5977f",
"allowUnauthenticatedIdentities": false,
"resourceNameTruncated": "hpiotw78e5977f",
"userPoolName": "hpiotwebapp78e5977f_userpool_78e5977f",
"autoVerifiedAttributes": "email",
"mfaConfiguration": "OFF",
"mfaTypes": "SMS Text Message",
"smsAuthenticationMessage": "Your authentication code is {####}",
"smsVerificationMessage": "Your verification code is {####}",
"emailVerificationSubject": "Your verification code",
"emailVerificationMessage": "Your verification code is {####}",
"defaultPasswordPolicy": false,
"passwordPolicyMinLength": 8,
"passwordPolicyCharacters": "",
"requiredAttributes": "email",
"userpoolClientGenerateSecret": true,
"userpoolClientRefreshTokenValidity": 30,
"userpoolClientWriteAttributes": "email",
"userpoolClientReadAttributes": "email",
"userpoolClientLambdaRole": "hpiotw78e5977f_userpoolclient_lambda_role",
"userpoolClientSetAttributes": false,
"resourceName": "hpiotwebapp78e5977f",
"authSelections": "identityPoolAndUserPool",
"authRoleArn": {
"Fn::GetAtt": [
"AuthRole",
"Arn"
]
},
"unauthRoleArn": {
"Fn::GetAtt": [
"UnauthRole",
"Arn"
]
},
"useDefault": "default",
"usernameAttributes": "email, phone_number",
"dependsOn": "",
"env": "hpiot"
}
}
},
"UpdateRolesWithIDPFunction": {
"DependsOn": [
"AuthRole",
"UnauthRole",
"authhpiotreact8c9024fb"
],
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"ZipFile": {
"Fn::Join": [
"\n",
[
"const response = require('cfn-response');",
"const aws = require('aws-sdk');",
"let responseData = {};",
"exports.handler = function(event, context) {",
" try {",
" let authRoleName = event.ResourceProperties.authRoleName;",
" let unauthRoleName = event.ResourceProperties.unauthRoleName;",
" let idpId = event.ResourceProperties.idpId;",
" let promises = [];",
" let authParamsJson = { 'Version': '2012-10-17','Statement': [{'Effect': 'Allow','Principal': {'Federated': 'cognito-identity.amazonaws.com'},'Action': 'sts:AssumeRoleWithWebIdentity','Condition': {'StringEquals': {'cognito-identity.amazonaws.com:aud': idpId},'ForAnyValue:StringLike': {'cognito-identity.amazonaws.com:amr': 'authenticated'}}}]};",
" let unauthParamsJson = { 'Version': '2012-10-17','Statement': [{'Effect': 'Allow','Principal': {'Federated': 'cognito-identity.amazonaws.com'},'Action': 'sts:AssumeRoleWithWebIdentity','Condition': {'StringEquals': {'cognito-identity.amazonaws.com:aud': idpId},'ForAnyValue:StringLike': {'cognito-identity.amazonaws.com:amr': 'unauthenticated'}}}]};",
" if (event.RequestType == 'Delete') {",
" delete authParamsJson.Statement.Condition;",
" delete unauthParamsJson.Statement.Condition;",
" let authParams = { PolicyDocument: JSON.stringify(authParamsJson),RoleName: authRoleName};",
" let unauthParams = {PolicyDocument: JSON.stringify(unauthParamsJson),RoleName: unauthRoleName};",
" const iam = new aws.IAM({ apiVersion: '2010-05-08', region: event.ResourceProperties.region});",
" promises.push(iam.updateAssumeRolePolicy(authParams).promise());",
" promises.push(iam.updateAssumeRolePolicy(unauthParams).promise());",
" Promise.all(promises)",
" .then((res) => {",
" console.log(\"delete response data\" + JSON.stringify(res));",
" response.send(event, context, response.SUCCESS, {});",
" });",
" }",
" if (event.RequestType == 'Update' || event.RequestType == 'Create') {",
" const iam = new aws.IAM({ apiVersion: '2010-05-08', region: event.ResourceProperties.region});",
" let authParams = { PolicyDocument: JSON.stringify(authParamsJson),RoleName: authRoleName};",
" let unauthParams = {PolicyDocument: JSON.stringify(unauthParamsJson),RoleName: unauthRoleName};",
" promises.push(iam.updateAssumeRolePolicy(authParams).promise());",
" promises.push(iam.updateAssumeRolePolicy(unauthParams).promise());",
" Promise.all(promises)",
" .then((res) => {",
" console.log(\"createORupdate\" + res);",
" console.log(\"response data\" + JSON.stringify(res));",
" response.send(event, context, response.SUCCESS, {});",
" });",
" }",
" } catch(err) {",
" console.log(err.stack);",
" responseData = {Error: err};",
" response.send(event, context, response.FAILED, responseData);",
" throw err;",
" }",
"};"
]
]
}
},
"Handler": "index.handler",
"Runtime": "nodejs10.x",
"Timeout": "300",
"Role": {
"Fn::GetAtt": [
"UpdateRolesWithIDPFunctionRole",
"Arn"
]
}
}
},
"UpdateRolesWithIDPFunctionOutputs": {
"Type": "Custom::LambdaCallout",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"UpdateRolesWithIDPFunction",
"Arn"
]
},
"region": {
"Ref": "AWS::Region"
},
"idpId": {
"Fn::GetAtt": [
"authhpiotreact8c9024fb",
"Outputs.IdentityPoolId"
]
},
"authRoleName": {
"Ref": "AuthRoleName"
},
"unauthRoleName": {
"Ref": "UnauthRoleName"
}
}
},
"UpdateRolesWithIDPFunctionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": {
"Fn::Join": [
"",
[
{
"Ref": "AuthRoleName"
},
"-idp"
]
]
},
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Policies": [
{
"PolicyName": "UpdateRolesWithIDPFunctionPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:*"
},
{
"Effect": "Allow",
"Action": "iam:UpdateAssumeRolePolicy",
"Resource": {
"Fn::GetAtt": [
"AuthRole",
"Arn"
]
}
},
{
"Effect": "Allow",
"Action": "iam:UpdateAssumeRolePolicy",
"Resource": {
"Fn::GetAtt": [
"UnauthRole",
"Arn"
]
}
}
]
}
}
]
}
}
},
"Outputs": {
"Region": {
"Description": "CloudFormation provider root stack Region",
"Value": {
"Ref": "AWS::Region"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-Region"
}
}
},
"StackName": {
"Description": "CloudFormation provider root stack name",
"Value": {
"Ref": "AWS::StackName"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-StackName"
}
}
},
"StackId": {
"Description": "CloudFormation provider root stack ID",
"Value": {
"Ref": "AWS::StackId"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-StackId"
}
}
},
"DeploymentBucketName": {
"Description": "CloudFormation provider root stack deployment bucket name",
"Value": {
"Ref": "DeploymentBucketName"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-DeploymentBucketName"
}
}
},
"AuthRoleArn": {
"Value": {
"Fn::GetAtt": [
"AuthRole",
"Arn"
]
}
},
"UnauthRoleArn": {
"Value": {
"Fn::GetAtt": [
"UnauthRole",
"Arn"
]
}
},
"AuthRoleName": {
"Value": {
"Ref": "AuthRole"
}
},
"UnauthRoleName": {
"Value": {
"Ref": "UnauthRole"
}
}
}
} |