brayoh/cognito.yml

## cognito.yml
#
# Cognito user pool/auth setup
#
Resources:
  MyAppUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: myapp_user_pool
      UsernameAttributes: # use email as username/login
        - 'email'
      AutoVerifiedAttributes:
        - 'email'
      UsernameConfiguration:
        CaseSensitive: false
      Policies:
        PasswordPolicy:
          MinimumLength: 8
          RequireLowercase: true
          RequireNumbers: true
          RequireSymbols: false
          RequireUppercase: true
      AccountRecoverySetting:
        RecoveryMechanisms:
          - Name: verified_email
            Priority: 1
      VerificationMessageTemplate:
        DefaultEmailOption: CONFIRM_WITH_CODE
        EmailMessage: 'Thanks for signing up with MyApp! Your verification code is {####}'
        EmailSubject: 'Your MyApp verification code'
      UserPoolTags:
        MyApp: 'true'

  MyAppCognitoClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      ClientName: myapp_app_user_pool_client
      UserPoolId:
        Ref: MyAppUserPool
      AccessTokenValidity: 24 # hours
      IdTokenValidity: 24 # hours
      RefreshTokenValidity: 1825 # days - 5 years
  MyAppIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: myapp_identity_pool
      AllowUnauthenticatedIdentities: false
      CognitoIdentityProviders:
        - ClientId:
            Ref: MyAppCognitoClient
          ProviderName:
            Fn::GetAtt: [MyAppUserPool, ProviderName]
  MyAppIdentityPoolRoles:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId:
        Ref: MyAppIdentityPool
      Roles:
        authenticated:
          Fn::GetAtt: [MyAppUserAuthRole, Arn]
        unauthenticated:
          Fn::GetAtt: [MyAppUserUnauthRole, Arn]
  MyAppUserAuthRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MyAppUserAuthRole
      Path: /
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: 'Allow'
            Principal:
              Federated: 'cognito-identity.amazonaws.com'
            Action:
              - 'sts:AssumeRoleWithWebIdentity'
            Condition:
              StringEquals:
                'cognito-identity.amazonaws.com:aud':
                  Ref: MyAppIdentityPool
              'ForAnyValue:StringLike':
                'cognito-identity.amazonaws.com:amr': authenticated
      Policies:
        - PolicyName: 'MyAppUserAuthorizedPolicy'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: 'Allow'
                Action:
                  - 'mobileanalytics:PutEvents'
                  - 'cognito-sync:*'
                  - 'cognito-identity:*'
                Resource: '*'
              - Effect: 'Allow'
                Action:
                  - 'execute-api:Invoke'
                Resource: '*'
  MyAppUserUnauthRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MyAppUserUnauthRole
      Path: /
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: 'Allow'
            Principal:
              Federated: 'cognito-identity.amazonaws.com'
            Action:
              - 'sts:AssumeRoleWithWebIdentity'
            Condition:
              StringEquals:
                'cognito-identity.amazonaws.com:aud':
                  Ref: MyAppIdentityPool
              'ForAnyValue:StringLike':
                'cognito-identity.amazonaws.com:amr': unauthenticated
      Policies:
        - PolicyName: 'MyAppUserUnauthorizedPolicy'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: 'Allow'
                Action:
                  - 'mobileanalytics:PutEvents'
                  - 'cognito-sync:*'
                  - 'cognito-identity:*'
                Resource: '*'

  # This is a Cognito User Pool authorizer that allows API calls to MyApp
  # API endpoints are auth'ed via the Authorization header, without needing to
  # do AWS v4 signing. See:
  # https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html
  # To set it to be used with a given lambda/API, add an "authorizer" section to
  # the lambda such as:
  #       authorizer:
  #         type: COGNITO_USER_POOLS
  #         authorizerId:
  #           Ref: MyAppAPIAuthorizer
  MyAppAPIAuthorizer:
    Type: AWS::ApiGateway::Authorizer
    Properties:
      AuthorizerResultTtlInSeconds: 300
      AuthType: String
      IdentitySource: method.request.header.Authorization
      Name: MyAppAPIAuthorizer
      ProviderARNs:
        - Fn::GetAtt: [MyAppUserPool, Arn]
      RestApiId:
        Ref: ApiGatewayRestApi
      Type: COGNITO_USER_POOLS
	#
	# Cognito user pool/auth setup
	#
	Resources:
	MyAppUserPool:
	Type: AWS::Cognito::UserPool
	Properties:
	UserPoolName: myapp_user_pool
	UsernameAttributes: # use email as username/login
	- 'email'
	AutoVerifiedAttributes:
	- 'email'
	UsernameConfiguration:
	CaseSensitive: false
	Policies:
	PasswordPolicy:
	MinimumLength: 8
	RequireLowercase: true
	RequireNumbers: true
	RequireSymbols: false
	RequireUppercase: true
	AccountRecoverySetting:
	RecoveryMechanisms:
	- Name: verified_email
	Priority: 1
	VerificationMessageTemplate:
	DefaultEmailOption: CONFIRM_WITH_CODE
	EmailMessage: 'Thanks for signing up with MyApp! Your verification code is {####}'
	EmailSubject: 'Your MyApp verification code'
	UserPoolTags:
	MyApp: 'true'

	MyAppCognitoClient:
	Type: AWS::Cognito::UserPoolClient
	Properties:
	ClientName: myapp_app_user_pool_client
	UserPoolId:
	Ref: MyAppUserPool
	AccessTokenValidity: 24 # hours
	IdTokenValidity: 24 # hours
	RefreshTokenValidity: 1825 # days - 5 years
	MyAppIdentityPool:
	Type: AWS::Cognito::IdentityPool
	Properties:
	IdentityPoolName: myapp_identity_pool
	AllowUnauthenticatedIdentities: false
	CognitoIdentityProviders:
	- ClientId:
	Ref: MyAppCognitoClient
	ProviderName:
	Fn::GetAtt: [MyAppUserPool, ProviderName]
	MyAppIdentityPoolRoles:
	Type: AWS::Cognito::IdentityPoolRoleAttachment
	Properties:
	IdentityPoolId:
	Ref: MyAppIdentityPool
	Roles:
	authenticated:
	Fn::GetAtt: [MyAppUserAuthRole, Arn]
	unauthenticated:
	Fn::GetAtt: [MyAppUserUnauthRole, Arn]
	MyAppUserAuthRole:
	Type: AWS::IAM::Role
	Properties:
	RoleName: MyAppUserAuthRole
	Path: /
	AssumeRolePolicyDocument:
	Version: '2012-10-17'
	Statement:
	- Effect: 'Allow'
	Principal:
	Federated: 'cognito-identity.amazonaws.com'
	Action:
	- 'sts:AssumeRoleWithWebIdentity'
	Condition:
	StringEquals:
	'cognito-identity.amazonaws.com:aud':
	Ref: MyAppIdentityPool
	'ForAnyValue:StringLike':
	'cognito-identity.amazonaws.com:amr': authenticated
	Policies:
	- PolicyName: 'MyAppUserAuthorizedPolicy'
	PolicyDocument:
	Version: '2012-10-17'
	Statement:
	- Effect: 'Allow'
	Action:
	- 'mobileanalytics:PutEvents'
	- 'cognito-sync:*'
	- 'cognito-identity:*'
	Resource: '*'
	- Effect: 'Allow'
	Action:
	- 'execute-api:Invoke'
	Resource: '*'
	MyAppUserUnauthRole:
	Type: AWS::IAM::Role
	Properties:
	RoleName: MyAppUserUnauthRole
	Path: /
	AssumeRolePolicyDocument:
	Version: '2012-10-17'
	Statement:
	- Effect: 'Allow'
	Principal:
	Federated: 'cognito-identity.amazonaws.com'
	Action:
	- 'sts:AssumeRoleWithWebIdentity'
	Condition:
	StringEquals:
	'cognito-identity.amazonaws.com:aud':
	Ref: MyAppIdentityPool
	'ForAnyValue:StringLike':
	'cognito-identity.amazonaws.com:amr': unauthenticated
	Policies:
	- PolicyName: 'MyAppUserUnauthorizedPolicy'
	PolicyDocument:
	Version: '2012-10-17'
	Statement:
	- Effect: 'Allow'
	Action:
	- 'mobileanalytics:PutEvents'
	- 'cognito-sync:*'
	- 'cognito-identity:*'
	Resource: '*'

	# This is a Cognito User Pool authorizer that allows API calls to MyApp
	# API endpoints are auth'ed via the Authorization header, without needing to
	# do AWS v4 signing. See:
	# https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html
	# To set it to be used with a given lambda/API, add an "authorizer" section to
	# the lambda such as:
	# authorizer:
	# type: COGNITO_USER_POOLS
	# authorizerId:
	# Ref: MyAppAPIAuthorizer
	MyAppAPIAuthorizer:
	Type: AWS::ApiGateway::Authorizer
	Properties:
	AuthorizerResultTtlInSeconds: 300
	AuthType: String
	IdentitySource: method.request.header.Authorization
	Name: MyAppAPIAuthorizer
	ProviderARNs:
	- Fn::GetAtt: [MyAppUserPool, Arn]
	RestApiId:
	Ref: ApiGatewayRestApi
	Type: COGNITO_USER_POOLS