AWS Automation Document - Change Cognito Password
{ | |
"schemaVersion": "0.3", | |
"description": "Updates a Microsoft Windows AMI. By default it will install all Windows updates, Amazon software, and Amazon drivers. It will then sysprep and create a new AMI. Supports Windows Server 2008 R2 and greater.", | |
"assumeRole": "{{ AutomationAssumeRole }}", | |
"parameters": { | |
"SourceAmiId": { | |
"type": "String", | |
"description": "(Required) The source Amazon Machine Image ID." | |
}, | |
"TopicArn": { | |
"type": "String", | |
"default": "arn:aws:sns:{{global:REGION}}:{{global:ACCOUNT_ID}}:cloudtrail-alarms", | |
"description": "(Required) Specify the SNS topic ARN to which the notification message will be published." | |
}, | |
"IamInstanceProfileName": { | |
"type": "String", | |
"description": "(Required) The name of the role that enables Systems Manager to manage the instance.", | |
"default": "ManagedInstanceProfile" | |
}, | |
"AutomationAssumeRole": { | |
"type": "String", | |
"description": "(Required) The ARN of the role that allows Automation to perform the actions on your behalf.", | |
"default": "arn:aws:iam::{{global:ACCOUNT_ID}}:role/AutomationServiceRole" | |
}, | |
"SubnetId": { | |
"type": "String", | |
"description": "(Optional) Specify the SubnetId if you want to launch into a specific subnet.", | |
"default": "" | |
}, | |
"InstanceType": { | |
"type": "String", | |
"description": "(Optional) Type of instance to launch as the workspace host. Instance types vary by region. Default is t2.medium.", | |
"default": "t2.small" | |
} | |
}, | |
"mainSteps": [ | |
{ | |
"name": "LaunchInstance", | |
"action": "aws:runInstances", | |
"timeoutSeconds": 1800, | |
"maxAttempts": 3, | |
"onFailure": "step:PublishFailureSNSNotification", | |
"inputs": { | |
"ImageId": "{{ SourceAmiId }}", | |
"InstanceType": "{{ InstanceType }}", | |
"MinInstanceCount": 1, | |
"MaxInstanceCount": 1, | |
"IamInstanceProfileName": "{{ IamInstanceProfileName }}", | |
"SubnetId": "{{ SubnetId }}", | |
"TagSpecifications": [ | |
{ | |
"ResourceType": "instance", | |
"Tags": [ | |
{ | |
"Key": "LaunchedBy", | |
"Value": "SSMAutomation" | |
}, | |
{ | |
"Key": "WEEK_DAY_STOP", | |
"Value": "1" | |
}, | |
{ | |
"Key": "billing:CostCenter", | |
"Value": "DittoAI" | |
}, | |
{ | |
"Key": "Name", | |
"Value": "CognitoPasswordUpdate" | |
} | |
] | |
} | |
] | |
} | |
}, | |
{ | |
"name": "ChangePassword", | |
"action": "aws:runCommand", | |
"maxAttempts": 3, | |
"onFailure": "step:PublishFailureSNSNotification", | |
"timeoutSeconds": 7200, | |
"inputs": { | |
"DocumentName": "AWS-RunPowerShellScript", | |
"InstanceIds": [ | |
"{{ LaunchInstance.InstanceIds }}" | |
], | |
"Parameters": { | |
"commands": [ | |
" function Get-RandomCharacters($length, $characters) {", | |
" $random = 1..$length | ForEach-Object { Get-Random -Maximum $characters.length }", | |
" $private:ofs=''", | |
" return [String]$characters[$random]", | |
"}", | |
"", | |
"function Scramble-String([string]$inputString){ ", | |
" $characterArray = $inputString.ToCharArray() ", | |
" $scrambledStringArray = $characterArray | Get-Random -Count $characterArray.Length", | |
" $outputString = -join $scrambledStringArray", | |
" return $outputString ", | |
"}", | |
"", | |
"function Update-Password([string]$passwordParamName, [string]$region, [string]$poolId, [string]$username){", | |
" try {", | |
" $password = Get-RandomCharacters -length 6 -characters 'abcdefghiklmnoprstuvwxyz'", | |
" $password += Get-RandomCharacters -length 2 -characters 'ABCDEFGHKLMNOPRSTUVWXYZ'", | |
" $password += Get-RandomCharacters -length 1 -characters '1234567890'", | |
" $password += Get-RandomCharacters -length 1 -characters '!§$%&/()=?}][{@#*+'", | |
" $password = Scramble-String $password", | |
"", | |
" Set-DefaultAWSRegion -Region $region", | |
" Set-CGIPUserPasswordAdmin -Username $username -Password $password -Permanent $true -UserPoolId $poolId -Force ", | |
" Write-SSMParameter -Name $passwordParamName -Type 'String' -Value $password -Overwrite $true ", | |
" } catch {", | |
" Write-Host ('Error encountered updating the password: {0}.' -f $_.Exception.Message)", | |
" Exit -1", | |
" }", | |
"}", | |
"", | |
"Update-Password '/LIVE/rio/admin_account_password' 'eu-west-2' 'eu-west-2_CXMj8XQn0' 'a6b486fc-42aa-4765-890a-d16874dd5572'", | |
"Update-Password '/LIVE/tax/admin_account_password' 'eu-west-2' 'eu-west-2_0DijHAOo4' '62de1841-507a-4ea3-95df-f2b99e0dbb48'" | |
] | |
} | |
} | |
}, | |
{ | |
"name": "TerminateInstanceNormally", | |
"action": "aws:changeInstanceState", | |
"maxAttempts": 3, | |
"onFailure": "step:TerminateInstanceError", | |
"nextStep": "PublishSuccessSNSNotification", | |
"inputs": { | |
"InstanceIds": [ | |
"{{ LaunchInstance.InstanceIds }}" | |
], | |
"DesiredState": "terminated" | |
} | |
}, | |
{ | |
"name": "TerminateInstanceError", | |
"action": "aws:changeInstanceState", | |
"maxAttempts": 3, | |
"onFailure": "step:PublishFailureSNSNotification", | |
"nextStep": "PublishFailureSNSNotification", | |
"inputs": { | |
"InstanceIds": [ | |
"{{ LaunchInstance.InstanceIds }}" | |
], | |
"DesiredState": "terminated" | |
} | |
}, | |
{ | |
"name": "PublishSuccessSNSNotification", | |
"action": "aws:executeAwsApi", | |
"maxAttempts": 3, | |
"onFailure": "Abort", | |
"timeoutSeconds": 7200, | |
"inputs": { | |
"Service": "sns", | |
"Api": "Publish", | |
"TopicArn": "{{TopicArn}}", | |
"Message": "Passwords for hello@ditto.ai on LIVE have been changed on {{ global:DATE_TIME }}. For more information see https://{{global:REGION}}.console.aws.amazon.com/systems-manager/automation/execution/{{automation:EXECUTION_ID}}?region={{global:REGION}}" | |
}, | |
"isEnd": true | |
}, | |
{ | |
"name": "PublishFailureSNSNotification", | |
"action": "aws:executeAwsApi", | |
"maxAttempts": 3, | |
"onFailure": "Abort", | |
"timeoutSeconds": 7200, | |
"inputs": { | |
"Service": "sns", | |
"Api": "Publish", | |
"TopicArn": "{{TopicArn}}", | |
"Message": "Password rotation for hello@ditto.ai on LIVE failed on {{ global:DATE_TIME }}. For more information see https://{{global:REGION}}.console.aws.amazon.com/systems-manager/automation/execution/{{automation:EXECUTION_ID}}?region={{global:REGION}}" | |
}, | |
"isEnd": true | |
} | |
], | |
"outputs": [] | |
} |