def create_user_pool(self, tag: str) -> aws_cognito.CfnUserPool:
user_pool = aws_cognito.CfnUserPool(
self,
f"userpool_{tag}",
auto_verified_attributes=["email"],
device_configuration=aws_cognito.CfnUserPool.DeviceConfigurationProperty(
challenge_required_on_new_device=False, device_only_remembered_on_user_prompt=True
),
schema=[
aws_cognito.CfnUserPool.SchemaAttributeProperty(
attribute_data_type="String", mutable=False, name="email", required=True,
),
aws_cognito.CfnUserPool.SchemaAttributeProperty(
attribute_data_type="String",
mutable=True,
name="mutableStringAttr1",
required=False,
),
aws_cognito.CfnUserPool.SchemaAttributeProperty(
attribute_data_type="String",
mutable=True,
name="mutableStringAttr2",
required=False,
),
],
)
return user_pool
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
user_pool = cognito.CfnUserPool(self,
'msa',
auto_verified_attributes=['email'],
username_attributes=['email'],
user_pool_name='msa-user-pool',
schema=[{
'attributeDataType': 'String',
'name': 'custom:tenant_id',
'mutable': True
}, {
'attributeDataType': 'String',
'name': 'role',
'mutable': True
}, {
'attributeDataType': 'String',
'name': 'restrictions',
'mutable': True
}])
user_pool_client = cognito.CfnUserPoolClient(
self,
'pool-client',
user_pool_id=user_pool.ref,
client_name='msa-user-client')
'''
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
prj_name = self.node.try_get_context("project_name")
env_name = self.node.try_get_context("env")
user_pool = cognito.CfnUserPool(
self,
'cognitouserpool',
auto_verified_attributes=['email'],
username_attributes=['email', 'phone_number'],
user_pool_name=prj_name + '-user-pool',
schema=[{
'attributeDataType': 'String',
'name': 'param1',
'mutable': True
}],
policies=cognito.CfnUserPool.PoliciesProperty(
password_policy=cognito.CfnUserPool.PasswordPolicyProperty(
minimum_length=10,
require_lowercase=True,
require_numbers=True,
require_symbols=False,
require_uppercase=True)))
user_pool_client = cognito.CfnUserPoolClient(
self,
'pool-client',
user_pool_id=user_pool.ref,
client_name=env_name + '-app-client')
identity_pool = cognito.CfnIdentityPool(
self,
'identitypool',
allow_unauthenticated_identities=False,
cognito_identity_providers=[
cognito.CfnIdentityPool.CognitoIdentityProviderProperty(
client_id=user_pool_client.ref,
provider_name=user_pool.attr_provider_name)
],
identity_pool_name=prj_name + '-identity-pool')
ssm.StringParameter(self,
'app-id',
parameter_name='/' + env_name +
'/cognito-app-client-id',
string_value=user_pool_client.ref)
ssm.StringParameter(self,
'user-pool-id',
parameter_name='/' + env_name +
'/cognito-user-pool-id',
string_value=user_pool_client.user_pool_id)
ssm.StringParameter(self,
'identity-pool-id',
parameter_name='/' + env_name +
'/cognito-identity-pool-id',
string_value=identity_pool.ref)
def __init__(self, scope: core.Construct, id: str,
props: CognitoUserPoolProps) -> None:
super().__init__(scope, id)
# Create L1 user pool
if "phone_number" in props.auto_verified_attributes:
sns_role = iam.Role(
# Role to allow Cognitio to send SNS (SMS) messages
self,
"SNSRole",
assumed_by=iam.ServicePrincipal("cognito-idp.amazonaws.com"),
inline_policies=[
iam.PolicyDocument(statements=[
iam.PolicyStatement(actions=["sns:Publish"],
resources=["*"])
])
],
)
user_pool = cognito.CfnUserPool(
self,
"UserPool",
alias_attributes=props.alias_attributes,
auto_verified_attributes=props.auto_verified_attributes,
user_pool_name=props._user_pool_name,
schema=props._schema,
policies=props._policies,
sms_configuration=cognito.CfnUserPool.SmsConfigurationProperty(
external_id=props.user_pool_name + "-external",
sns_caller_arn=sns_role.role_arn,
),
)
else:
# Email verification, SMS config not needed
user_pool = cognito.CfnUserPool(
self,
"UserPool",
alias_attributes=props.alias_attributes,
auto_verified_attributes=props.auto_verified_attributes,
user_pool_name=props._user_pool_name,
schema=props._schema,
policies=props._policies,
username_attributes=props._username_attributes,
)
user_pool_client = cognito.CfnUserPoolClient(
self,
"UserPoolClient",
user_pool_id=user_pool.ref,
client_name=props._client_name,
generate_secret=False,
refresh_token_validity=30,
)
self.user_pool = user_pool
self.user_pool_id = user_pool.ref
self.user_pool_arn = user_pool.attr_arn
self.client_id = user_pool_client.ref
self.provider_name = user_pool.attr_provider_name
core.CfnOutput(
self,
"CognitoUserPoolId",
export_name="CognitoUserPoolId",
value=user_pool.ref,
)
core.CfnOutput(
self,
"CognitoUserPoolIdArn",
export_name="CognitoUserPoolIdArn",
value=user_pool.attr_arn,
)
core.CfnOutput(
self,
"CognitoClientId",
export_name="CognitoClientId",
value=user_pool_client.ref,
)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# Parameters
parameters = core.CfnParameter(
self, "SourceBucket",
description="Building on AWS Cognito Stack Modified https://github.com/rosberglinhares/CloudFormationCognitoCustomResources",
default="default"
)
LogoutURL = core.CfnParameter(
self, "LogoutURL",
type="String",
default="http://localhost"
)
CallbackURL = core.CfnParameter(
self, "CallbackURL",
type="String",
default="http://localhost/callback"
)
AppDomain = core.CfnParameter(
self, "AppDomain",
type="String",
default="default"
)
# CognitoSNSPolicy
CognitoSNSPolicy = iam.CfnManagedPolicy(
self, 'CognitoSNSPolicy',
description='Managed policy to allow Amazon Cognito to access SNS',
policy_document={
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": ["sns:publish"],
"Resource": "*"
}
})
# SNSRole
SNSRole = iam.CfnRole(
self, "SNSRole",
role_name="SNSRole",
managed_policy_arns=[CognitoSNSPolicy.ref],
assume_role_policy_document={
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["sts:AssumeRole"],
"Principal": {"Service": ["cognito-idp.amazonaws.com"]}
}]
}
)
SNSRole.add_depends_on(CognitoSNSPolicy)
# CognitoUserPool
CognitoUserPool = cognito.CfnUserPool(
self, 'UserPool',
user_pool_name='photos-pool',
alias_attributes=[
"email", "phone_number"],
auto_verified_attributes=[
"email"],
email_verification_message="Hi, Your verification code is <br/>{####}\n",
email_verification_subject="EDX Email Verification",
mfa_configuration="OPTIONAL",
policies={
"passwordPolicy": {
"minimumLength": 8,
"requireLowercase": True,
"requireNumbers": True,
"requireSymbols": True,
"requireUppercase": True
}
},
schema=[{
"attributeDataType": "String",
"mutable": False,
"name": "nickname",
"required": True
},
{
"attributeDataType": "String",
"mutable": False,
"name": "email",
"required": True
},
{
"attributeDataType": "String",
"mutable": False,
"name": "phone_number",
"required": True
}],
sms_configuration={
"externalId": "%s-external" % (core.Aws.STACK_NAME),
"snsCallerArn": SNSRole.attr_arn
}
)
# CognitoUserPoolClient
CognitoUserPoolClient = cognito.CfnUserPoolClient(
self, "UserPoolClient",
client_name="WebsiteClient",
generate_secret=True,
user_pool_id=CognitoUserPool.ref
)
# CognitoCustomResourceRole
CustomResourceRole = iam.CfnRole(
self, "CustomResourceRole",
role_name="cognito-resource-role",
assume_role_policy_document={
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
policies=[
{
"policyName": "writeCloudWatchLogs",
"policyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:*:*:*"
},
{
"Effect": "Allow",
"Action": "logs:CreateLogStream",
"Resource": "arn:aws:logs:*:*:*"
},
{
"Effect": "Allow",
"Action": "logs:PutLogEvents",
"Resource": "arn:aws:logs:*:*:*"
}
]
}
},
{
"policyName": "updateUserPoolClient",
"policyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "cognito-idp:UpdateUserPoolClient",
"Resource": "arn:aws:cognito-idp:*:*:userpool/*"
}
]
}
},
{
"policyName": "manageUserPoolDomain",
"policyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "cognito-idp:CreateUserPoolDomain",
"Resource": "arn:aws:cognito-idp:*:*:userpool/*"
},
{
"Effect": "Allow",
"Action": "cognito-idp:DeleteUserPoolDomain",
"Resource": "arn:aws:cognito-idp:*:*:userpool/*"
},
{
"Effect": "Allow",
"Action": "cognito-idp:DescribeUserPoolDomain",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "cognito-idp:DescribeUserPoolClient",
"Resource": "*"
}
]
}
},
{
"policyName": "invokeLambdaFunction",
"policyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:*:*:function:*"
}
]
}
},
]
)
# CognitoUserPoolClientClientSettings
with open("./cdk/CognitoUserPoolClientClientSettings/index.js", encoding="utf-8") as fp:
code_body = fp.read()
CognitoUserPoolClientClientSettings = cfn.CustomResource(
self, "CognitoUserPoolClientClientSettings",
provider=cfn.CustomResourceProvider.lambda_(
lambda_.SingletonFunction(
self, "CognitoUserPoolClientClientSettingsLambda",
uuid="f7d4f730-4ee1-11e8-9c2d-fa7ae01bbebc",
code=lambda_.InlineCode(code_body),
handler="index.handler",
runtime=lambda_.Runtime.NODEJS_8_10,
role=iam.Role.from_role_arn(
self, 'CustomResourceRoleiam', role_arn=CustomResourceRole.attr_arn)
)
),
properties={"UserPoolId": CognitoUserPool.ref,
"UserPoolClientId": CognitoUserPoolClient.ref,
"AppDomain": AppDomain.value_as_string,
"SupportedIdentityProviders": ['COGNITO'],
"CallbackURL": CallbackURL.value_as_string,
"LogoutURL": LogoutURL.value_as_string,
"AllowedOAuthFlowsUserPoolClient": True,
"AllowedOAuthFlows": ['code'],
"AllowedOAuthScopes": ['openid']
},
)
# CognitoIdPool
CognitoIdPool = cognito.CfnIdentityPool(
self, 'CognitoIdPool',
identity_pool_name='edxcognitoidpool',
cognito_identity_providers=[{
"clientId": CognitoUserPoolClient.ref,
"providerName": CognitoUserPool.attr_provider_name
}],
allow_unauthenticated_identities=False
)
# Output
core.CfnOutput(self, "CognitoUserPoolIdOutput",
value=CognitoUserPool.ref,
description="The Pool ID of the Cognito User Pool",
export_name="CognitoUserPoolId"
)
core.CfnOutput(self, "CognitoUserPoolProviderURLOutput",
value=CognitoUserPool.attr_provider_url,
description="The Pool ProviderURL of the Cognito User Pool",
export_name="CognitoUserPoolProviderURL"
)
core.CfnOutput(self, "CognitoUserPoolArnOutput",
value=CognitoUserPool.attr_arn,
description="The Pool Arn of the Cognito User Pool",
export_name="CognitoUserPoolArn"
)
core.CfnOutput(self, "CognitoUserPoolClientIdOutput",
value=CognitoUserPoolClient.ref,
description="The App Client ID ",
export_name="CognitoUserPoolClientId"
)
core.CfnOutput(self, "ClientSecretOutput",
value=core.Fn.get_att(
"CognitoUserPoolClientClientSettings", "ClientSecret").to_string(),
description="The Client Secret ",
export_name="ClientSecret"
)
def __init__(self, scope: core.Construct, id: str, **kwargs):
super().__init__(scope, id, **kwargs)
prj_name = self.node.try_get_context('project_name')
env_name = self.node.try_get_context('env')
user_pool2 = cognito.UserPool(
self,
id=f'{env_name}-precog',
auto_verify=cognito.AutoVerifiedAttrs(email=True),
sign_in_aliases=cognito.SignInAliases(email=True, phone=True),
self_sign_up_enabled=True,
user_pool_name=f'{env_name}-cdk-2-user-pool',
custom_attributes={
"param1": cognito.StringAttribute(mutable=True)
},
password_policy=cognito.PasswordPolicy(min_length=10,
require_lowercase=True,
require_digits=True,
require_symbols=False,
require_uppercase=True))
user_pool = cognito.CfnUserPool(
self,
id=f'{env_name}-cognito-user-pool',
auto_verified_attributes=['email'],
username_attributes=['email', 'phone_number'],
user_pool_name=f'{env_name}-cdk-user-pool',
schema=[{
"attributeDataType": "String",
"name": "param1",
"mutable": True
}],
policies=cognito.CfnUserPool.PoliciesProperty(
password_policy=cognito.CfnUserPool.PasswordPolicyProperty(
minimum_length=10,
require_lowercase=True,
require_numbers=True,
require_symbols=False,
require_uppercase=True)))
user_pool_client2 = cognito.UserPoolClient(
self,
id=f'{env_name}-pool-client2',
user_pool=user_pool2,
user_pool_client_name=f'{env_name}-cdk-app-client2')
identity_pool2 = cognito.CfnIdentityPool(
self,
id=f'{env_name}-identify-pool-2',
allow_unauthenticated_identities=False,
cognito_identity_providers=[
cognito.CfnIdentityPool.CognitoIdentityProviderProperty(
client_id=user_pool_client2.user_pool_client_id,
provider_name=user_pool.attr_provider_name)
],
identity_pool_name=f'{env_name}-cdk-identity-pool2')
user_pool_client = cognito.CfnUserPoolClient(
self,
id=f'{env_name}-pool-client',
user_pool_id=user_pool.ref,
client_name=f'{env_name}-cdk-app-client')
identity_pool = cognito.CfnIdentityPool(
self,
id=f'{env_name}-identify-pool',
allow_unauthenticated_identities=False,
cognito_identity_providers=[
cognito.CfnIdentityPool.CognitoIdentityProviderProperty(
client_id=user_pool_client.ref,
provider_name=user_pool.attr_provider_name)
],
identity_pool_name=f'{env_name}-cdk-identity-pool')
ssm.StringParameter(
self,
id='app-id',
parameter_name=f"/{env_name}/cognito-app-client-id",
string_value=user_pool_client.ref)
ssm.StringParameter(self,
id='user-pool-id',
parameter_name=f"/{env_name}/cognito-user-pool-id",
string_value=user_pool_client.user_pool_id)
ssm.StringParameter(
self,
id='identity-pool-id',
parameter_name=f"/{env_name}/cognito-identity-pool-id",
string_value=identity_pool.ref # ref returns the id
)
def __init__(self, scope: core.Construct, id: str, domain_prefix: str, other_account: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
user_pool = cognito.CfnUserPool(
scope=self,
id="user-pool",
admin_create_user_config=cognito.CfnUserPool.AdminCreateUserConfigProperty(
allow_admin_create_user_only=True,
),
policies=cognito.CfnUserPool.PoliciesProperty(
password_policy=cognito.CfnUserPool.PasswordPolicyProperty(
minimum_length=20,
)),
username_attributes=["email"],
auto_verified_attributes=["email"],
)
cognito.CfnUserPoolDomain(
scope=self,
id="cognito-user-pool-domain",
domain=f"{domain_prefix}-{core.Aws.ACCOUNT_ID}",
user_pool_id=user_pool.ref,
)
id_pool = cognito.CfnIdentityPool(
scope=self,
id="identity-pool",
allow_unauthenticated_identities=False,
cognito_identity_providers=[],
)
auth_role = iam.Role(
scope=self,
id="auth-role",
assumed_by=iam.FederatedPrincipal(
federated="cognito-identity.amazonaws.com",
conditions={
"StringEquals": {"cognito-identity.amazonaws.com:aud": id_pool.ref},
"ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
},
assume_role_action="sts:AssumeRoleWithWebIdentity"),
)
es_role = iam.Role(
scope=self,
id="es-role",
assumed_by=iam.ServicePrincipal('es.amazonaws.com'),
managed_policies=[
iam.ManagedPolicy.from_aws_managed_policy_name(
managed_policy_name="AmazonESCognitoAccess"
)
],
)
es_domain = elasticsearch.CfnDomain(
scope=self,
id="search-domain",
elasticsearch_cluster_config=elasticsearch.CfnDomain.ElasticsearchClusterConfigProperty(
instance_count=2,
instance_type="m5.large.elasticsearch",
),
node_to_node_encryption_options=elasticsearch.CfnDomain.NodeToNodeEncryptionOptionsProperty(
enabled=True),
encryption_at_rest_options=elasticsearch.CfnDomain.EncryptionAtRestOptionsProperty(
enabled=True),
ebs_options=elasticsearch.CfnDomain.EBSOptionsProperty(
ebs_enabled=True,
volume_size=20),
elasticsearch_version="7.4",
domain_name=domain_prefix,
access_policies={
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": auth_role.role_arn
},
"Action": [
"es:ESHttpGet",
"es:ESHttpPut",
"es:ESHttpPost",
"es:ESHttpDelete"
],
"Resource": "arn:aws:es:" + core.Aws.REGION + ":" + core.Aws.ACCOUNT_ID + ":domain/" + domain_prefix + "/*"
},
]
},
)
es_domain.add_property_override(
'CognitoOptions.Enabled', True)
es_domain.add_property_override(
'CognitoOptions.IdentityPoolId', id_pool.ref)
es_domain.add_property_override(
'CognitoOptions.RoleArn', es_role.role_arn)
es_domain.add_property_override(
'CognitoOptions.UserPoolId', user_pool.ref)
cognito.CfnIdentityPoolRoleAttachment(
scope=self,
id='user-pool-role-attachment',
identity_pool_id=id_pool.ref,
roles={
'authenticated': auth_role.role_arn
}
)
es_external_role = iam.Role(
scope=self,
id="logger-role",
assumed_by=iam.CompositePrincipal(
iam.ServicePrincipal("lambda.amazonaws.com"),
iam.AccountPrincipal(other_account),
),
description="role to use elastic search assumed by lambda",
inline_policies={
"es_policy": iam.PolicyDocument(statements=[
iam.PolicyStatement(
actions=[
"es:ESHttpPost",
],
resources=[
es_domain.attr_arn + "/*",
],
)]),
},
)
core.CfnOutput(
scope=self,
id="es-host",
value=es_domain.attr_domain_endpoint,
)
core.CfnOutput(
scope=self,
id="es-region",
value=core.Aws.REGION,
)
core.CfnOutput(
scope=self,
id="es-external-role",
value=es_external_role.role_arn,
)
