# Root stack generated for an AWS Amplify project: creates the deployment
# bucket and the two Cognito identity roles, nests the api / auth / analytics
# category stacks, and wires the roles' trust policies to the identity pool
# through a custom-resource Lambda (see Resources below).
Description: Root Stack for AWS Amplify Console
AWSTemplateFormatVersion: 2010-09-09
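Parameters:
  # The Defaults are placeholder names only; per each Description the parent
  # stack passes the real values at deploy time.
  DeploymentBucketName:
    Type: String
    Default: DeploymentBucket
    Description: Name of the common deployment bucket provided by the parent stack
  # Used as the RoleName of the AuthRole resource (the role handed to
  # authenticated Cognito identities).
  AuthRoleName:
    Type: String
    Default: AuthRoleName
    Description: Name of the authenticated-identity IAM role provided by the parent stack
  # Used as the RoleName of the UnauthRole resource (the role handed to
  # guest / unauthenticated Cognito identities).
  UnauthRoleName:
    Type: String
    Default: UnAuthRoleName
    Description: Name of the unauthenticated-identity IAM role provided by the parent stack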
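Outputs:
  # Region, stack name/ID and the deployment bucket are exported under
  # '<StackName>-<Key>' so sibling stacks can import them.
  Region:
    Description: CloudFormation provider root stack Region
    Value: !Ref 'AWS::Region'
    Export:
      Name: !Sub '${AWS::StackName}-Region'
  # Descriptions were previously swapped between StackName and StackId;
  # each now matches its Value.
  StackName:
    Description: CloudFormation provider root stack name
    Value: !Ref 'AWS::StackName'
    Export:
      Name: !Sub '${AWS::StackName}-StackName'
  StackId:
    Description: CloudFormation provider root stack ID
    Value: !Ref 'AWS::StackId'
    Export:
      Name: !Sub '${AWS::StackName}-StackId'
  # Role ARNs and names are plain outputs (no Export block); presumably read
  # by the parent stack rather than imported cross-stack.
  AuthRoleArn:
    Value: !GetAtt
      - AuthRole
      - Arn
  UnauthRoleArn:
    Value: !GetAtt
      - UnauthRole
      - Arn
  DeploymentBucketName:
    Description: CloudFormation provider root stack deployment bucket name
    Value: !Ref DeploymentBucketName
    Export:
      Name: !Sub '${AWS::StackName}-DeploymentBucketName'
  AuthRoleName:
    Value: !Ref AuthRole
  UnauthRoleName:
    Value: !Ref UnauthRole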
Resources:
  # Bucket holding the nested templates and build artefacts referenced by the
  # TemplateURL / S3DeploymentBucket values below. Encrypted at rest with
  # SSE-S3 (AES256) and retained on deletion/replacement so artefacts survive
  # a stack teardown.
  # NOTE(review): no PublicAccessBlockConfiguration or bucket policy is set
  # here; confirm account-level Block Public Access covers this bucket.
  DeploymentBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Ref DeploymentBucketName
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
  # Role for signed-in (authenticated) Cognito identities. The trust policy is
  # created as an explicit Deny placeholder; UpdateRolesWithIDPFunction below
  # rewrites it to an Allow conditioned on the identity pool once that pool
  # exists (the auth stack is created with breakCircularDependency: true).
  AuthRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: ''
            Effect: Deny
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: 'sts:AssumeRoleWithWebIdentity'
      RoleName: !Ref AuthRoleName
  # Role for guest (unauthenticated) identities; same Deny-placeholder pattern
  # as AuthRole. Because the auth stack sets allowUnauthenticatedIdentities:
  # true, every permission later attached to this role is reachable without
  # signing in — review grants to it accordingly.
  UnauthRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: ''
            Effect: Deny
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: 'sts:AssumeRoleWithWebIdentity'
      RoleName: !Ref UnauthRoleName
  # Nested AppSync / DynamoDB API stack, fetched from the deployment bucket.
  apimoviedirectory:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      TemplateURL: >-
        https://s3.amazonaws.com/amplify-moviedirectory-dev-171452-deployment/amplify-cfn-templates/api/cloudformation-template.json
      Parameters:
        AppSyncApiName: moviedirectory
        DynamoDBBillingMode: PAY_PER_REQUEST
        # NOTE(review): passed as false; presumably drives the tables'
        # SSESpecification in the nested template — confirm the intended
        # at-rest encryption setting for the data store.
        DynamoDBEnableServerSideEncryption: false
        authRoleName: !Ref AuthRoleName
        unauthRoleName: !Ref UnauthRoleName
        S3DeploymentBucket: amplify-moviedirectory-dev-171452-deployment
        # Looks like a hash-named key under which the schema/resolver files
        # were uploaded, so each deployment points at an immutable prefix.
        S3DeploymentRootKey: amplify-appsync-files/6f16273d192124e5397adc08d200894e95c9ab85
        env: dev
  # Nested Cognito stack: identity pool only (authSelections: identityPoolOnly),
  # with guest access enabled. It receives both role ARNs; breakCircularDependency
  # defers the trust-policy wiring to the custom resource further down.
  authmoviedirectory:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      TemplateURL: >-
        https://s3.amazonaws.com/amplify-moviedirectory-dev-171452-deployment/amplify-cfn-templates/auth/moviedirectory-cloudformation-template.json
      Parameters:
        identityPoolName: moviedirectory_identitypool_462900e6
        # Guest identities may obtain credentials for UnauthRole.
        allowUnauthenticatedIdentities: true
        authSelections: identityPoolOnly
        resourceName: moviedirectory
        sharedId: 462900e6
        serviceName: Cognito
        useDefault: manual
        authRoleArn: !GetAtt
          - AuthRole
          - Arn
        unauthRoleArn: !GetAtt
          - UnauthRole
          - Arn
        breakCircularDependency: true
        useEnabledMfas: true
        dependsOn: ''
        env: dev
  # Nested Pinpoint analytics stack. It is handed the role names and the
  # AuthRole ARN so it can attach its Pinpoint policies to both identity roles
  # (the same policy name is reused for the auth and unauth attachments).
  analyticsmoviedirectory:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      TemplateURL: >-
        https://s3.amazonaws.com/amplify-moviedirectory-dev-171452-deployment/amplify-cfn-templates/analytics/pinpoint-cloudformation-template.json
      Parameters:
        appName: moviedirectory
        roleName: pinpointLambdaRolead5dda0b
        cloudformationPolicyName: cloudformationPolicyad5dda0b
        cloudWatchPolicyName: cloudWatchPolicyad5dda0b
        pinpointPolicyName: pinpointPolicyad5dda0b
        authPolicyName: pinpoint_amplify_ad5dda0b
        unauthPolicyName: pinpoint_amplify_ad5dda0b
        authRoleName: !Ref AuthRoleName
        unauthRoleName: !Ref UnauthRoleName
        authRoleArn: !GetAtt
          - AuthRole
          - Arn
        pinpointInAppMessagingPolicyName: pinpointInAppMessagingPolicyNamead5dda0b
        env: dev
  # Custom-resource Lambda that rewrites the AuthRole / UnauthRole trust
  # policies once the identity pool ID is known. Create/Update: Allow
  # sts:AssumeRoleWithWebIdentity for the Cognito federated principal, limited
  # to this pool (aud) and to the authenticated / unauthenticated amr
  # respectively. Delete: the same Allow statement with the Condition removed.
  # The source is inline: !Join glues the quoted lines below with "\n" (the
  # |+ block scalar holding a single blank line).
  # NOTE(review): Runtime nodejs14.x has reached Lambda end-of-support; moving
  # to nodejs18.x or later also requires porting this code off the bundled
  # aws-sdk v2, which newer runtimes no longer ship.
  UpdateRolesWithIDPFunction:
    DependsOn:
      - AuthRole
      - UnauthRole
      - authmoviedirectory
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        ZipFile: !Join
          - |+

          - - const response = require('cfn-response');
            - const aws = require('aws-sdk');
            - 'let responseData = {};'
            - 'exports.handler = function(event, context) {'
            - ' try {'
            - ' let authRoleName = event.ResourceProperties.authRoleName;'
            - ' let unauthRoleName = event.ResourceProperties.unauthRoleName;'
            - ' let idpId = event.ResourceProperties.idpId;'
            - ' let promises = [];'
            - ' let getPromises = [];'
            # Trust-policy documents: aud pins the identity pool, amr pins the
            # authentication state, so only identities from this pool can
            # assume the matching role.
            - ' let authParamsJson = { ''Version'': ''2012-10-17'',''Statement'': [{''Effect'': ''Allow'',''Principal'': {''Federated'': ''cognito-identity.amazonaws.com''},''Action'': ''sts:AssumeRoleWithWebIdentity'',''Condition'': {''StringEquals'': {''cognito-identity.amazonaws.com:aud'': idpId},''ForAnyValue:StringLike'': {''cognito-identity.amazonaws.com:amr'': ''authenticated''}}}]};'
            - ' let unauthParamsJson = { ''Version'': ''2012-10-17'',''Statement'': [{''Effect'': ''Allow'',''Principal'': {''Federated'': ''cognito-identity.amazonaws.com''},''Action'': ''sts:AssumeRoleWithWebIdentity'',''Condition'': {''StringEquals'': {''cognito-identity.amazonaws.com:aud'': idpId},''ForAnyValue:StringLike'': {''cognito-identity.amazonaws.com:amr'': ''unauthenticated''}}}]};'
            # Delete path. NOTE(review): dropping the Condition leaves each
            # role with an unconditioned Allow for the Cognito federated
            # principal until CloudFormation deletes the role itself — a short
            # window, but one to recognise in CloudTrail (UpdateAssumeRolePolicy
            # followed by DeleteRole). getRole is presumably a pre-check that
            # the roles still exist; errors here are deliberately reported as
            # SUCCESS so a failed rewrite never blocks stack deletion.
            - ' if (event.RequestType == ''Delete'') {'
            - ' delete authParamsJson.Statement[0].Condition;'
            - ' delete unauthParamsJson.Statement[0].Condition;'
            - ' let authParams = { PolicyDocument: JSON.stringify(authParamsJson),RoleName: authRoleName};'
            - ' let unauthParams = {PolicyDocument: JSON.stringify(unauthParamsJson),RoleName: unauthRoleName};'
            - ' const iam = new aws.IAM({ apiVersion: ''2010-05-08'', region: event.ResourceProperties.region});'
            - ' getPromises.push(iam.getRole({RoleName: authParams.RoleName}).promise());'
            - ' getPromises.push(iam.getRole({RoleName: unauthParams.RoleName}).promise());'
            - ' Promise.all(getPromises)'
            - ' .then((res) => {'
            - ' console.log(''in res'' , res)'
            - ' promises.push(iam.updateAssumeRolePolicy(authParams).promise());'
            - ' promises.push(iam.updateAssumeRolePolicy(unauthParams).promise());'
            - ' return Promise.all(promises)'
            - ' .then((res) => {'
            - ' console.log("delete response data" + JSON.stringify(res));'
            - ' response.send(event, context, response.SUCCESS, {});'
            - ' });'
            - ' })'
            - ' .catch((err) => {'
            - ' console.log(err.stack);'
            - ' responseData = {Error: err};'
            - ' response.send(event, context, response.SUCCESS, responseData);'
            - ' })'
            - ' }'
            # Create/Update path. NOTE(review): this promise chain has no
            # .catch and the handler does not await it, so a rejected
            # updateAssumeRolePolicy never reaches the try/catch below and no
            # cfn-response is sent; CloudFormation then waits for a response
            # that never arrives. A .catch that sends response.FAILED would
            # surface the error promptly.
            - ' if (event.RequestType == ''Update'' || event.RequestType == ''Create'') {'
            - ' const iam = new aws.IAM({ apiVersion: ''2010-05-08'', region: event.ResourceProperties.region});'
            - ' let authParams = { PolicyDocument: JSON.stringify(authParamsJson),RoleName: authRoleName};'
            - ' let unauthParams = {PolicyDocument: JSON.stringify(unauthParamsJson),RoleName: unauthRoleName};'
            - ' promises.push(iam.updateAssumeRolePolicy(authParams).promise());'
            - ' promises.push(iam.updateAssumeRolePolicy(unauthParams).promise());'
            - ' Promise.all(promises)'
            - ' .then((res) => {'
            - ' console.log("createORupdate" + res);'
            - ' console.log("response data" + JSON.stringify(res));'
            - ' response.send(event, context, response.SUCCESS, {});'
            - ' });'
            - ' }'
            # Only synchronous failures (e.g. a malformed event) land here.
            - ' } catch(err) {'
            - ' console.log(err.stack);'
            - ' responseData = {Error: err};'
            - ' response.send(event, context, response.FAILED, responseData);'
            - ' throw err;'
            - ' }'
            - '};'
      Handler: index.handler
      Runtime: nodejs14.x
      Timeout: 300
      Role: !GetAtt
        - UpdateRolesWithIDPFunctionRole
        - Arn
  # Invokes the Lambda above as a custom resource. idpId is read from the
  # nested auth stack's IdentityPoolId output, so this runs only after the
  # identity pool exists; the role names are the same values the roles were
  # created with.
  UpdateRolesWithIDPFunctionOutputs:
    Type: 'Custom::LambdaCallout'
    Properties:
      ServiceToken: !GetAtt
        - UpdateRolesWithIDPFunction
        - Arn
      region: !Ref 'AWS::Region'
      idpId: !GetAtt
        - authmoviedirectory
        - Outputs.IdentityPoolId
      authRoleName: !Ref AuthRole
      unauthRoleName: !Ref UnauthRole
  # Execution role for UpdateRolesWithIDPFunction, named '<AuthRole>-idp'.
  # iam:UpdateAssumeRolePolicy / iam:GetRole are scoped to exactly the two
  # role ARNs the function rewrites (least privilege). The CloudWatch Logs
  # grant is a wildcard; it could be narrowed to this function's log group.
  UpdateRolesWithIDPFunctionRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Join
        - ''
        - - !Ref AuthRole
          - '-idp'
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: UpdateRolesWithIDPFunctionPolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource: 'arn:aws:logs:*:*:*'
              - Effect: Allow
                Action:
                  - 'iam:UpdateAssumeRolePolicy'
                  - 'iam:GetRole'
                Resource: !GetAtt
                  - AuthRole
                  - Arn
              - Effect: Allow
                Action:
                  - 'iam:UpdateAssumeRolePolicy'
                  - 'iam:GetRole'
                Resource: !GetAtt
                  - UnauthRole
                  - Arn