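# Amplify root stack: declares the shared deployment bucket, the two Cognito
# IAM roles (auth/unauth), one nested stack per Amplify category, and a
# custom resource that rewrites the roles' trust policies once the identity
# pool exists (the roles are created with a Deny trust policy on purpose).
Description: Root Stack for AWS Amplify Console
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  DeploymentBucketName:
    Type: String
    Default: DeploymentBucket
    Description: Name of the common deployment bucket provided by the parent stack
  AuthRoleName:
    Type: String
    Default: AuthRoleName
    Description: Name of the authenticated IAM role provided by the parent stack
  UnauthRoleName:
    Type: String
    Default: UnAuthRoleName
    Description: Name of the unauthenticated IAM role provided by the parent stack
Outputs:
  Region:
    Description: CloudFormation provider root stack Region
    Value: !Ref 'AWS::Region'
    Export:
      Name: !Sub '${AWS::StackName}-Region'
  StackName:
    Description: CloudFormation provider root stack name
    Value: !Ref 'AWS::StackName'
    Export:
      Name: !Sub '${AWS::StackName}-StackName'
  StackId:
    Description: CloudFormation provider root stack ID
    Value: !Ref 'AWS::StackId'
    Export:
      Name: !Sub '${AWS::StackName}-StackId'
  AuthRoleArn:
    Value: !GetAtt
      - AuthRole
      - Arn
  UnauthRoleArn:
    Value: !GetAtt
      - UnauthRole
      - Arn
  DeploymentBucketName:
    Description: CloudFormation provider root stack deployment bucket name
    Value: !Ref DeploymentBucketName
    Export:
      Name: !Sub '${AWS::StackName}-DeploymentBucketName'
  AuthRoleName:
    Value: !Ref AuthRole
  UnauthRoleName:
    Value: !Ref UnauthRole
Resources:
  # Artifact bucket for the nested templates and AppSync files. Encrypted with
  # SSE-S3 (AES256) and retained on delete/replace so artifacts survive a
  # stack teardown. No PublicAccessBlockConfiguration is declared here;
  # NOTE(review): confirm the account-level block-public-access setting covers it.
  DeploymentBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Ref DeploymentBucketName
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
  # Both Cognito roles start with a Deny trust policy (no principal can assume
  # them). UpdateRolesWithIDPFunction below replaces it with an Allow that is
  # conditioned on this stack's identity pool id (cognito-identity.amazonaws.com:aud)
  # and the authenticated/unauthenticated amr value.
  AuthRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: ''
            Effect: Deny
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: 'sts:AssumeRoleWithWebIdentity'
      RoleName: !Ref AuthRoleName
  UnauthRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: ''
            Effect: Deny
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: 'sts:AssumeRoleWithWebIdentity'
      RoleName: !Ref UnauthRoleName
  # API (AppSync + DynamoDB) nested stack.
  # NOTE(review): DynamoDBEnableServerSideEncryption is only passed through;
  # what the nested template does with it is not visible here — confirm.
  # S3DeploymentBucket is a literal bucket name rather than !Ref DeploymentBucketName,
  # so the two can drift if the parameter is ever overridden.
  apimoviedirectory:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      TemplateURL: >-
        https://s3.amazonaws.com/amplify-moviedirectory-dev-171452-deployment/amplify-cfn-templates/api/cloudformation-template.json
      Parameters:
        AppSyncApiName: moviedirectory
        DynamoDBBillingMode: PAY_PER_REQUEST
        DynamoDBEnableServerSideEncryption: false
        authRoleName: !Ref AuthRoleName
        unauthRoleName: !Ref UnauthRoleName
        S3DeploymentBucket: amplify-moviedirectory-dev-171452-deployment
        S3DeploymentRootKey: amplify-appsync-files/6f16273d192124e5397adc08d200894e95c9ab85
        env: dev
  # Auth nested stack (identity pool only, no user pool: authSelections is
  # identityPoolOnly). allowUnauthenticatedIdentities: true enables guest
  # identities, so every permission the nested stacks attach to UnauthRole is
  # reachable without any login — review that role's policies accordingly.
  authmoviedirectory:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      TemplateURL: >-
        https://s3.amazonaws.com/amplify-moviedirectory-dev-171452-deployment/amplify-cfn-templates/auth/moviedirectory-cloudformation-template.json
      Parameters:
        identityPoolName: moviedirectory_identitypool_462900e6
        allowUnauthenticatedIdentities: true
        authSelections: identityPoolOnly
        resourceName: moviedirectory
        sharedId: 462900e6
        serviceName: Cognito
        useDefault: manual
        authRoleArn: !GetAtt
          - AuthRole
          - Arn
        unauthRoleArn: !GetAtt
          - UnauthRole
          - Arn
        breakCircularDependency: true
        useEnabledMfas: true
        dependsOn: ''
        env: dev
  # Analytics (Pinpoint) nested stack. Note that authPolicyName and
  # unauthPolicyName carry the same value; the nested template decides what
  # that means — not visible here.
  analyticsmoviedirectory:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      TemplateURL: >-
        https://s3.amazonaws.com/amplify-moviedirectory-dev-171452-deployment/amplify-cfn-templates/analytics/pinpoint-cloudformation-template.json
      Parameters:
        appName: moviedirectory
        roleName: pinpointLambdaRolead5dda0b
        cloudformationPolicyName: cloudformationPolicyad5dda0b
        cloudWatchPolicyName: cloudWatchPolicyad5dda0b
        pinpointPolicyName: pinpointPolicyad5dda0b
        authPolicyName: pinpoint_amplify_ad5dda0b
        unauthPolicyName: pinpoint_amplify_ad5dda0b
        authRoleName: !Ref AuthRoleName
        unauthRoleName: !Ref UnauthRoleName
        authRoleArn: !GetAtt
          - AuthRole
          - Arn
        pinpointInAppMessagingPolicyName: pinpointInAppMessagingPolicyNamead5dda0b
        env: dev
  # Custom-resource handler that rewrites the AuthRole/UnauthRole trust policies.
  # Create/Update: set an Allow for sts:AssumeRoleWithWebIdentity conditioned on
  #   the identity pool id (aud) and the matching amr value.
  # Delete: drop the Condition and always report SUCCESS (even on error) so a
  #   stack deletion is never blocked by this resource.
  # Every code path must call response.send, otherwise CloudFormation waits for
  # the custom-resource timeout before failing; the Create/Update chain therefore
  # carries its own .catch that reports FAILED.
  # Runtime nodejs14.x ships aws-sdk v2, which the inline require('aws-sdk')
  # depends on; newer Node runtimes ship SDK v3 only, so a runtime bump also
  # means porting this code.
  UpdateRolesWithIDPFunction:
    DependsOn:
      - AuthRole
      - UnauthRole
      - authmoviedirectory
    Type: 'AWS::Lambda::Function'
    Properties:
      # The first !Join argument is a block scalar whose content is the empty
      # line below, i.e. a single newline used as the line delimiter.
      Code:
        ZipFile: !Join
          - |+

          - - const response = require('cfn-response');
            - const aws = require('aws-sdk');
            - 'let responseData = {};'
            - 'exports.handler = function(event, context) {'
            - ' try {'
            - ' let authRoleName = event.ResourceProperties.authRoleName;'
            - ' let unauthRoleName = event.ResourceProperties.unauthRoleName;'
            - ' let idpId = event.ResourceProperties.idpId;'
            - ' let promises = [];'
            - ' let getPromises = [];'
            - ' let authParamsJson = { ''Version'': ''2012-10-17'',''Statement'': [{''Effect'': ''Allow'',''Principal'': {''Federated'': ''cognito-identity.amazonaws.com''},''Action'': ''sts:AssumeRoleWithWebIdentity'',''Condition'': {''StringEquals'': {''cognito-identity.amazonaws.com:aud'': idpId},''ForAnyValue:StringLike'': {''cognito-identity.amazonaws.com:amr'': ''authenticated''}}}]};'
            - ' let unauthParamsJson = { ''Version'': ''2012-10-17'',''Statement'': [{''Effect'': ''Allow'',''Principal'': {''Federated'': ''cognito-identity.amazonaws.com''},''Action'': ''sts:AssumeRoleWithWebIdentity'',''Condition'': {''StringEquals'': {''cognito-identity.amazonaws.com:aud'': idpId},''ForAnyValue:StringLike'': {''cognito-identity.amazonaws.com:amr'': ''unauthenticated''}}}]};'
            - ' if (event.RequestType == ''Delete'') {'
            - ' delete authParamsJson.Statement[0].Condition;'
            - ' delete unauthParamsJson.Statement[0].Condition;'
            - ' let authParams = { PolicyDocument: JSON.stringify(authParamsJson),RoleName: authRoleName};'
            - ' let unauthParams = {PolicyDocument: JSON.stringify(unauthParamsJson),RoleName: unauthRoleName};'
            - ' const iam = new aws.IAM({ apiVersion: ''2010-05-08'', region: event.ResourceProperties.region});'
            - ' getPromises.push(iam.getRole({RoleName: authParams.RoleName}).promise());'
            - ' getPromises.push(iam.getRole({RoleName: unauthParams.RoleName}).promise());'
            - ' Promise.all(getPromises)'
            - ' .then((res) => {'
            - ' console.log(''in res'' , res)'
            - ' promises.push(iam.updateAssumeRolePolicy(authParams).promise());'
            - ' promises.push(iam.updateAssumeRolePolicy(unauthParams).promise());'
            - ' return Promise.all(promises)'
            - ' .then((res) => {'
            - ' console.log("delete response data" + JSON.stringify(res));'
            - ' response.send(event, context, response.SUCCESS, {});'
            - ' });'
            - ' })'
            - ' .catch((err) => {'
            - ' console.log(err.stack);'
            - ' responseData = {Error: err};'
            - ' response.send(event, context, response.SUCCESS, responseData);'
            - ' })'
            - ' }'
            - ' if (event.RequestType == ''Update'' || event.RequestType == ''Create'') {'
            - ' const iam = new aws.IAM({ apiVersion: ''2010-05-08'', region: event.ResourceProperties.region});'
            - ' let authParams = { PolicyDocument: JSON.stringify(authParamsJson),RoleName: authRoleName};'
            - ' let unauthParams = {PolicyDocument: JSON.stringify(unauthParamsJson),RoleName: unauthRoleName};'
            - ' promises.push(iam.updateAssumeRolePolicy(authParams).promise());'
            - ' promises.push(iam.updateAssumeRolePolicy(unauthParams).promise());'
            - ' Promise.all(promises)'
            - ' .then((res) => {'
            - ' console.log("createORupdate" + res);'
            - ' console.log("response data" + JSON.stringify(res));'
            - ' response.send(event, context, response.SUCCESS, {});'
            - ' })'
            - ' .catch((err) => {'
            - ' console.log(err.stack);'
            - ' responseData = {Error: err};'
            - ' response.send(event, context, response.FAILED, responseData);'
            - ' });'
            - ' }'
            - ' } catch(err) {'
            - ' console.log(err.stack);'
            - ' responseData = {Error: err};'
            - ' response.send(event, context, response.FAILED, responseData);'
            - ' throw err;'
            - ' }'
            - '};'
      Handler: index.handler
      Runtime: nodejs14.x
      Timeout: 300
      Role: !GetAtt
        - UpdateRolesWithIDPFunctionRole
        - Arn
  # Invokes the handler above with the identity pool id from the auth nested
  # stack; a change to any of these properties re-runs the trust-policy update.
  UpdateRolesWithIDPFunctionOutputs:
    Type: 'Custom::LambdaCallout'
    Properties:
      ServiceToken: !GetAtt
        - UpdateRolesWithIDPFunction
        - Arn
      region: !Ref 'AWS::Region'
      idpId: !GetAtt
        - authmoviedirectory
        - Outputs.IdentityPoolId
      authRoleName: !Ref AuthRole
      unauthRoleName: !Ref UnauthRole
  # Execution role for the handler. iam:UpdateAssumeRolePolicy / iam:GetRole are
  # scoped to exactly the two roles it rewrites; only the CloudWatch Logs grant
  # uses a wildcard resource.
  UpdateRolesWithIDPFunctionRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Join
        - ''
        - - !Ref AuthRole
          - '-idp'
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: UpdateRolesWithIDPFunctionPolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource: 'arn:aws:logs:*:*:*'
              - Effect: Allow
                Action:
                  - 'iam:UpdateAssumeRolePolicy'
                  - 'iam:GetRole'
                Resource: !GetAtt
                  - AuthRole
                  - Arn
              - Effect: Allow
                Action:
                  - 'iam:UpdateAssumeRolePolicy'
                  - 'iam:GetRole'
                Resource: !GetAtt
                  - UnauthRole
                  - Arn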