Serverless Cognito Setup
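# Serverless Framework service that provisions a Cognito User Pool (with a
# Hosted UI domain and an app client), a Cognito Identity Pool, and the two
# IAM roles the Identity Pool hands to authenticated / unauthenticated
# (guest) identities. The stack exports the pool and client IDs and the
# Hosted UI login URL for other stacks to import.
service: auth
frameworkVersion: "3"

provider:
  name: aws
  runtime: nodejs16.x
  # Both values can be overridden on the CLI: `sls deploy --stage prod --region eu-west-1`.
  stage: ${opt:stage, 'dev'}
  region: ${opt:region, 'us-east-1'}
  # No functions are declared in this file, so these only take effect if
  # functions are added later.
  timeout: 300
  memorySize: 1024

resources:
  Resources:
    # Creates a user pool for the app to auth against.
    # Users sign in with their e-mail address, which is auto-verified.
    UserPool:
      Type: "AWS::Cognito::UserPool"
      Properties:
        UserPoolName: ${self:provider.stage}-${self:service}-user-pool
        UsernameAttributes:
          - email
        AutoVerifiedAttributes:
          - email
        # NOTE(review): no PasswordPolicy, MfaConfiguration or
        # AccountRecoverySetting is declared here, so the Cognito defaults
        # apply; set them explicitly if the defaults do not meet the app's
        # requirements.
        Schema:
          - Name: name
            AttributeDataType: String
            Mutable: true
            Required: true
          # Mutable: false means the e-mail can never be changed on an existing
          # user; the schema itself cannot be altered after the pool exists,
          # so confirm this is intended before the first deploy.
          - Name: email
            AttributeDataType: String
            Mutable: false
            Required: true

    # Creates a User Pool Client to be used by the identity pool and by the
    # Hosted UI. GenerateSecret is false because browser/SPA clients cannot
    # keep a client secret.
    UserPoolClient:
      Type: "AWS::Cognito::UserPoolClient"
      Properties:
        ClientName: ${self:provider.stage}-${self:service}-client
        GenerateSecret: false
        UserPoolId: !Ref UserPool
        AllowedOAuthFlowsUserPoolClient: true
        # Only local development origins are registered; a deployed stage
        # needs its real HTTPS callback URL added here (or made stage-specific
        # via a custom variable), otherwise the Hosted UI redirect is rejected.
        CallbackURLs:
          - http://localhost:3000
          - http://localhost:5173
        # Only the authorization-code grant is enabled. The HostedUIURL output
        # below already uses response_type=code; the implicit grant (tokens
        # returned in the URL fragment) was removed because it is deprecated
        # for public clients. Re-add `implicit` only if an existing client
        # still depends on it.
        AllowedOAuthFlows:
          - code
        AllowedOAuthScopes:
          - phone
          - email
          - openid
          - profile
        SupportedIdentityProviders:
          - COGNITO

    # Sets up the Hosted UI. The domain prefix must be unique per region
    # across all AWS accounts, so a collision here fails the deploy.
    UserPoolDomain:
      Type: AWS::Cognito::UserPoolDomain
      Properties:
        Domain: ${self:provider.stage}-${self:service}
        UserPoolId: !Ref UserPool

    # Creates a federated Identity Pool that exchanges User Pool tokens for
    # temporary AWS credentials.
    IdentityPool:
      Type: "AWS::Cognito::IdentityPool"
      Properties:
        IdentityPoolName: ${self:provider.stage}Identity
        # Guest (unauthenticated) identities are enabled: anyone who can reach
        # the Identity Pool gets the CognitoUnAuthorizedRole credentials
        # without signing in. Keep that role's policy minimal, or set this to
        # false if the app has no guest mode.
        AllowUnauthenticatedIdentities: true
        CognitoIdentityProviders:
          - ClientId: !Ref UserPoolClient
            ProviderName: !GetAtt UserPool.ProviderName

    # Creates a role for unauthorized access to AWS resources. Very limited
    # access. Only assumable by identities from the Identity Pool created
    # above (the aud condition) that are flagged as unauthenticated (amr).
    CognitoUnAuthorizedRole:
      Type: "AWS::IAM::Role"
      Properties:
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Principal:
                Federated: "cognito-identity.amazonaws.com"
              Action:
                - "sts:AssumeRoleWithWebIdentity"
              Condition:
                StringEquals:
                  "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
                "ForAnyValue:StringLike":
                  "cognito-identity.amazonaws.com:amr": unauthenticated
        Policies:
          - PolicyName: "CognitoUnauthorizedPolicy"
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                # NOTE(review): "cognito-sync:*" on Resource "*" is granted to
                # anonymous guests. Cognito Sync is a legacy service; drop the
                # grant if the app does not use it.
                - Effect: "Allow"
                  Action:
                    - "mobileanalytics:PutEvents"
                    - "cognito-sync:*"
                  Resource: "*"

    # Creates a role for authorized access to AWS resources. Control what
    # your user can access. Only assumable by identities from the Identity
    # Pool created above that are flagged as authenticated.
    CognitoAuthorizedRole:
      Type: "AWS::IAM::Role"
      Properties:
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Principal:
                Federated: "cognito-identity.amazonaws.com"
              Action:
                - "sts:AssumeRoleWithWebIdentity"
              Condition:
                StringEquals:
                  "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
                "ForAnyValue:StringLike":
                  "cognito-identity.amazonaws.com:amr": authenticated
        Policies:
          - PolicyName: "CognitoAuthorizedPolicy"
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                # NOTE(review): every signed-in user gets cognito-identity:*
                # and appsync:* on Resource "*", i.e. on every Identity Pool
                # and every AppSync API in the account. Scope these to the
                # specific ARNs (e.g. the IdentityPool above and the app's
                # AppSync API) and to the actions the client actually calls.
                - Effect: "Allow"
                  Action:
                    - "mobileanalytics:PutEvents"
                    - "cognito-sync:*"
                    - "cognito-identity:*"
                  Resource: "*"
                - Effect: "Allow"
                  Action:
                    - "appsync:*"
                  Resource: "*"

    # Assigns the roles to the Identity Pool.
    IdentityPoolRoleMapping:
      Type: "AWS::Cognito::IdentityPoolRoleAttachment"
      Properties:
        IdentityPoolId: !Ref IdentityPool
        Roles:
          authenticated: !GetAtt CognitoAuthorizedRole.Arn
          unauthenticated: !GetAtt CognitoUnAuthorizedRole.Arn

  # NOTE(review): the Export names below do not include the stage, and
  # CloudFormation export names must be unique per account and region, so a
  # second stage of this service in the same region fails to deploy. They are
  # kept as-is because other stacks may already Fn::ImportValue them; when
  # renaming, include ${self:provider.stage} in the name.
  Outputs:
    UserPoolId:
      Value: !Ref UserPool
      Export:
        Name: "UserPool::Id"
    UserPoolClientId:
      Value: !Ref UserPoolClient
      Export:
        Name: "UserPoolClient::Id"
    IdentityPoolId:
      Value: !Ref IdentityPool
      Export:
        Name: "IdentityPool::Id"
    # Hosted UI login URL. The trailing "&redirect_uri=" is left empty on
    # purpose: the caller appends one of the CallbackURLs registered on the
    # client.
    HostedUIURL:
      Value: !Join
        - ""
        - - "https://"
          - !Ref UserPoolDomain
          - ".auth.${self:provider.region}.amazoncognito.com/login"
          - "?client_id="
          - !Ref UserPoolClient
          - "&response_type=code"
          - "&scope=email+openid+phone+profile"
          - "&redirect_uri="
      Description: The hosted UI URL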