AWS Automation Document - Change Cognito Password
{
"schemaVersion": "0.3",
"description": "Launches a temporary EC2 instance from SourceAmiId, runs a PowerShell script on it that generates a new random password for each configured Cognito user pool admin user, sets it as that user's permanent password, and stores it in an SSM Parameter Store String parameter. The instance is then terminated and an SNS notification is published to TopicArn reporting success or failure.",
"assumeRole": "{{ AutomationAssumeRole }}",
"parameters": {
"SourceAmiId": {
"type": "String",
"description": "(Required) The source Amazon Machine Image ID."
},
"TopicArn": {
"type": "String",
"default": "arn:aws:sns:{{global:REGION}}:{{global:ACCOUNT_ID}}:cloudtrail-alarms",
"description": "(Required) The ARN of the SNS topic to which the success or failure message will be published."
},
"IamInstanceProfileName": {
"type": "String",
"description": "(Required) The name of the role that enables Systems Manager to manage the instance.",
"default": "ManagedInstanceProfile"
},
"AutomationAssumeRole": {
"type": "String",
"description": "(Required) The ARN of the role that allows Automation to perform the actions on your behalf.",
"default": "arn:aws:iam::{{global:ACCOUNT_ID}}:role/AutomationServiceRole"
},
"SubnetId": {
"type": "String",
"description": "(Optional) Specify the SubnetId if you want to launch into a specific subnet.",
"default": ""
},
"InstanceType": {
"type": "String",
"description": "(Optional) The type of instance to launch as the workspace host. Available instance types vary by region. Default is t2.small.",
"default": "t2.small"
}
},
"mainSteps": [
{
"name": "LaunchInstance",
"action": "aws:runInstances",
"timeoutSeconds": 1800,
"maxAttempts": 3,
"onFailure": "step:PublishFailureSNSNotification",
"inputs": {
"ImageId": "{{ SourceAmiId }}",
"InstanceType": "{{ InstanceType }}",
"MinInstanceCount": 1,
"MaxInstanceCount": 1,
"IamInstanceProfileName": "{{ IamInstanceProfileName }}",
"SubnetId": "{{ SubnetId }}",
"TagSpecifications": [
{
"ResourceType": "instance",
"Tags": [
{
"Key": "LaunchedBy",
"Value": "SSMAutomation"
},
{
"Key": "WEEK_DAY_STOP",
"Value": "1"
},
{
"Key": "billing:CostCenter",
"Value": "DittoAI"
},
{
"Key": "Name",
"Value": "CognitoPasswordUpdate"
}
]
}
]
}
},
{
"name": "ChangePassword",
"action": "aws:runCommand",
"maxAttempts": 3,
"onFailure": "step:PublishFailureSNSNotification",
"timeoutSeconds": 7200,
"inputs": {
"DocumentName": "AWS-RunPowerShellScript",
"InstanceIds": [
"{{ LaunchInstance.InstanceIds }}"
],
"Parameters": {
"commands": [
" function Get-RandomCharacters($length, $characters) {",
" $random = 1..$length | ForEach-Object { Get-Random -Maximum $characters.length }",
" $private:ofs=''",
" return [String]$characters[$random]",
"}",
"",
"function Scramble-String([string]$inputString){ ",
" $characterArray = $inputString.ToCharArray() ",
" $scrambledStringArray = $characterArray | Get-Random -Count $characterArray.Length",
" $outputString = -join $scrambledStringArray",
" return $outputString ",
"}",
"",
"function Update-Password([string]$passwordParamName, [string]$region, [string]$poolId, [string]$username){",
" try {",
" $password = Get-RandomCharacters -length 6 -characters 'abcdefghiklmnoprstuvwxyz'",
" $password += Get-RandomCharacters -length 2 -characters 'ABCDEFGHKLMNOPRSTUVWXYZ'",
" $password += Get-RandomCharacters -length 1 -characters '1234567890'",
" $password += Get-RandomCharacters -length 1 -characters '!§$%&/()=?}][{@#*+'",
" $password = Scramble-String $password",
"",
" Set-DefaultAWSRegion -Region $region",
" Set-CGIPUserPasswordAdmin -Username $username -Password $password -Permanent $true -UserPoolId $poolId -Force ",
" Write-SSMParameter -Name $passwordParamName -Type 'String' -Value $password -Overwrite $true ",
" } catch {",
" Write-Host ('Error encountered updating the password: {0}.' -f $_.Exception.Message)",
" Exit -1",
" }",
"}",
"",
"Update-Password '/LIVE/rio/admin_account_password' 'eu-west-2' 'eu-west-2_CXMj8XQn0' 'a6b486fc-42aa-4765-890a-d16874dd5572'",
"Update-Password '/LIVE/tax/admin_account_password' 'eu-west-2' 'eu-west-2_0DijHAOo4' '62de1841-507a-4ea3-95df-f2b99e0dbb48'"
]
}
}
},
{
"name": "TerminateInstanceNormally",
"action": "aws:changeInstanceState",
"maxAttempts": 3,
"onFailure": "step:TerminateInstanceError",
"nextStep": "PublishSuccessSNSNotification",
"inputs": {
"InstanceIds": [
"{{ LaunchInstance.InstanceIds }}"
],
"DesiredState": "terminated"
}
},
{
"name": "TerminateInstanceError",
"action": "aws:changeInstanceState",
"maxAttempts": 3,
"onFailure": "step:PublishFailureSNSNotification",
"nextStep": "PublishFailureSNSNotification",
"inputs": {
"InstanceIds": [
"{{ LaunchInstance.InstanceIds }}"
],
"DesiredState": "terminated"
}
},
{
"name": "PublishSuccessSNSNotification",
"action": "aws:executeAwsApi",
"maxAttempts": 3,
"onFailure": "Abort",
"timeoutSeconds": 7200,
"inputs": {
"Service": "sns",
"Api": "Publish",
"TopicArn": "{{TopicArn}}",
"Message": "Passwords for hello@ditto.ai on LIVE have been changed on {{ global:DATE_TIME }}. For more information see https://{{global:REGION}}.console.aws.amazon.com/systems-manager/automation/execution/{{automation:EXECUTION_ID}}?region={{global:REGION}}"
},
"isEnd": true
},
{
"name": "PublishFailureSNSNotification",
"action": "aws:executeAwsApi",
"maxAttempts": 3,
"onFailure": "Abort",
"timeoutSeconds": 7200,
"inputs": {
"Service": "sns",
"Api": "Publish",
"TopicArn": "{{TopicArn}}",
"Message": "Password rotation for hello@ditto.ai on LIVE failed on {{ global:DATE_TIME }}. For more information see https://{{global:REGION}}.console.aws.amazon.com/systems-manager/automation/execution/{{automation:EXECUTION_ID}}?region={{global:REGION}}"
},
"isEnd": true
}
],
"outputs": []
}