예제 #1
0
 def create_user_pool(self, tag: str) -> aws_cognito.CfnUserPool:
     user_pool = aws_cognito.CfnUserPool(
         self,
         f"userpool_{tag}",
         auto_verified_attributes=["email"],
         device_configuration=aws_cognito.CfnUserPool.DeviceConfigurationProperty(
             challenge_required_on_new_device=False, device_only_remembered_on_user_prompt=True
         ),
         schema=[
             aws_cognito.CfnUserPool.SchemaAttributeProperty(
                 attribute_data_type="String", mutable=False, name="email", required=True,
             ),
             aws_cognito.CfnUserPool.SchemaAttributeProperty(
                 attribute_data_type="String",
                 mutable=True,
                 name="mutableStringAttr1",
                 required=False,
             ),
             aws_cognito.CfnUserPool.SchemaAttributeProperty(
                 attribute_data_type="String",
                 mutable=True,
                 name="mutableStringAttr2",
                 required=False,
             ),
         ],
     )
     return user_pool
예제 #2
0
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        user_pool = cognito.CfnUserPool(self,
                                        'msa',
                                        auto_verified_attributes=['email'],
                                        username_attributes=['email'],
                                        user_pool_name='msa-user-pool',
                                        schema=[{
                                            'attributeDataType': 'String',
                                            'name': 'custom:tenant_id',
                                            'mutable': True
                                        }, {
                                            'attributeDataType': 'String',
                                            'name': 'role',
                                            'mutable': True
                                        }, {
                                            'attributeDataType': 'String',
                                            'name': 'restrictions',
                                            'mutable': True
                                        }])

        user_pool_client = cognito.CfnUserPoolClient(
            self,
            'pool-client',
            user_pool_id=user_pool.ref,
            client_name='msa-user-client')
        '''
예제 #3
0
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        prj_name = self.node.try_get_context("project_name")
        env_name = self.node.try_get_context("env")

        user_pool = cognito.CfnUserPool(
            self,
            'cognitouserpool',
            auto_verified_attributes=['email'],
            username_attributes=['email', 'phone_number'],
            user_pool_name=prj_name + '-user-pool',
            schema=[{
                'attributeDataType': 'String',
                'name': 'param1',
                'mutable': True
            }],
            policies=cognito.CfnUserPool.PoliciesProperty(
                password_policy=cognito.CfnUserPool.PasswordPolicyProperty(
                    minimum_length=10,
                    require_lowercase=True,
                    require_numbers=True,
                    require_symbols=False,
                    require_uppercase=True)))

        user_pool_client = cognito.CfnUserPoolClient(
            self,
            'pool-client',
            user_pool_id=user_pool.ref,
            client_name=env_name + '-app-client')

        identity_pool = cognito.CfnIdentityPool(
            self,
            'identitypool',
            allow_unauthenticated_identities=False,
            cognito_identity_providers=[
                cognito.CfnIdentityPool.CognitoIdentityProviderProperty(
                    client_id=user_pool_client.ref,
                    provider_name=user_pool.attr_provider_name)
            ],
            identity_pool_name=prj_name + '-identity-pool')

        ssm.StringParameter(self,
                            'app-id',
                            parameter_name='/' + env_name +
                            '/cognito-app-client-id',
                            string_value=user_pool_client.ref)

        ssm.StringParameter(self,
                            'user-pool-id',
                            parameter_name='/' + env_name +
                            '/cognito-user-pool-id',
                            string_value=user_pool_client.user_pool_id)

        ssm.StringParameter(self,
                            'identity-pool-id',
                            parameter_name='/' + env_name +
                            '/cognito-identity-pool-id',
                            string_value=identity_pool.ref)
    def __init__(self, scope: core.Construct, id: str,
                 props: CognitoUserPoolProps) -> None:
        super().__init__(scope, id)

        # Create L1 user pool

        if "phone_number" in props.auto_verified_attributes:
            sns_role = iam.Role(
                # Role to allow Cognitio to send SNS (SMS) messages
                self,
                "SNSRole",
                assumed_by=iam.ServicePrincipal("cognito-idp.amazonaws.com"),
                inline_policies=[
                    iam.PolicyDocument(statements=[
                        iam.PolicyStatement(actions=["sns:Publish"],
                                            resources=["*"])
                    ])
                ],
            )

            user_pool = cognito.CfnUserPool(
                self,
                "UserPool",
                alias_attributes=props.alias_attributes,
                auto_verified_attributes=props.auto_verified_attributes,
                user_pool_name=props._user_pool_name,
                schema=props._schema,
                policies=props._policies,
                sms_configuration=cognito.CfnUserPool.SmsConfigurationProperty(
                    external_id=props.user_pool_name + "-external",
                    sns_caller_arn=sns_role.role_arn,
                ),
            )
        else:
            # Email verification, SMS config not needed
            user_pool = cognito.CfnUserPool(
                self,
                "UserPool",
                alias_attributes=props.alias_attributes,
                auto_verified_attributes=props.auto_verified_attributes,
                user_pool_name=props._user_pool_name,
                schema=props._schema,
                policies=props._policies,
                username_attributes=props._username_attributes,
            )

        user_pool_client = cognito.CfnUserPoolClient(
            self,
            "UserPoolClient",
            user_pool_id=user_pool.ref,
            client_name=props._client_name,
            generate_secret=False,
            refresh_token_validity=30,
        )
        self.user_pool = user_pool
        self.user_pool_id = user_pool.ref
        self.user_pool_arn = user_pool.attr_arn
        self.client_id = user_pool_client.ref
        self.provider_name = user_pool.attr_provider_name
        core.CfnOutput(
            self,
            "CognitoUserPoolId",
            export_name="CognitoUserPoolId",
            value=user_pool.ref,
        )
        core.CfnOutput(
            self,
            "CognitoUserPoolIdArn",
            export_name="CognitoUserPoolIdArn",
            value=user_pool.attr_arn,
        )
        core.CfnOutput(
            self,
            "CognitoClientId",
            export_name="CognitoClientId",
            value=user_pool_client.ref,
        )
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        # Parameters
        parameters = core.CfnParameter(
            self, "SourceBucket",
            description="Building on AWS Cognito Stack Modified https://github.com/rosberglinhares/CloudFormationCognitoCustomResources",
            default="default"
        )

        LogoutURL = core.CfnParameter(
            self, "LogoutURL",
            type="String",
            default="http://localhost"
        )

        CallbackURL = core.CfnParameter(
            self, "CallbackURL",
            type="String",
            default="http://localhost/callback"
        )

        AppDomain = core.CfnParameter(
            self, "AppDomain",
            type="String",
            default="default"
        )
        
        # CognitoSNSPolicy
        CognitoSNSPolicy = iam.CfnManagedPolicy(
            self, 'CognitoSNSPolicy',
            description='Managed policy to allow Amazon Cognito to access SNS',
            policy_document={
                "Version": "2012-10-17",
                "Statement": {
                    "Effect": "Allow",
                    "Action": ["sns:publish"],
                    "Resource": "*"
                }
            })

        # SNSRole
        SNSRole = iam.CfnRole(
            self, "SNSRole",
            role_name="SNSRole",
            managed_policy_arns=[CognitoSNSPolicy.ref],
            assume_role_policy_document={
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Action": ["sts:AssumeRole"],
                        "Principal": {"Service": ["cognito-idp.amazonaws.com"]}
                    }]
            }
        )
        SNSRole.add_depends_on(CognitoSNSPolicy)

        # CognitoUserPool
        CognitoUserPool = cognito.CfnUserPool(
            self, 'UserPool',
            user_pool_name='photos-pool',
            alias_attributes=[
                "email", "phone_number"],
            auto_verified_attributes=[
                "email"],
            email_verification_message="Hi, Your verification code is <br/>{####}\n",
            email_verification_subject="EDX Email Verification",
            mfa_configuration="OPTIONAL",
            policies={
                "passwordPolicy": {
                    "minimumLength": 8,
                    "requireLowercase": True,
                    "requireNumbers": True,
                    "requireSymbols": True,
                    "requireUppercase": True
                }
            },
            schema=[{
                "attributeDataType": "String",
                "mutable": False,
                "name": "nickname",
                "required": True
            },
                {
                "attributeDataType": "String",
                "mutable": False,
                "name": "email",
                "required": True
            },
                {
                "attributeDataType": "String",
                "mutable": False,
                "name": "phone_number",
                "required": True
            }],
            sms_configuration={
                "externalId": "%s-external" % (core.Aws.STACK_NAME),
                "snsCallerArn": SNSRole.attr_arn
            }
        )

        # CognitoUserPoolClient
        CognitoUserPoolClient = cognito.CfnUserPoolClient(
            self, "UserPoolClient",
            client_name="WebsiteClient",
            generate_secret=True,
            user_pool_id=CognitoUserPool.ref
        )

        # CognitoCustomResourceRole
        CustomResourceRole = iam.CfnRole(
            self, "CustomResourceRole",
            role_name="cognito-resource-role",
            assume_role_policy_document={
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": [
                                "lambda.amazonaws.com"
                            ]
                        },
                        "Action": [
                            "sts:AssumeRole"
                        ]
                    }
                ]
            },
            policies=[
                {
                    "policyName": "writeCloudWatchLogs",
                    "policyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [
                            {
                                "Effect": "Allow",
                                "Action": "logs:CreateLogGroup",
                                "Resource": "arn:aws:logs:*:*:*"
                            },
                            {
                                "Effect": "Allow",
                                "Action": "logs:CreateLogStream",
                                "Resource": "arn:aws:logs:*:*:*"
                            },
                            {
                                "Effect": "Allow",
                                "Action": "logs:PutLogEvents",
                                "Resource": "arn:aws:logs:*:*:*"
                            }
                        ]
                    }
                },
                {
                    "policyName": "updateUserPoolClient",
                    "policyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [
                            {
                                "Effect": "Allow",
                                "Action": "cognito-idp:UpdateUserPoolClient",
                                "Resource": "arn:aws:cognito-idp:*:*:userpool/*"
                            }
                        ]
                    }
                },
                {
                    "policyName": "manageUserPoolDomain",
                    "policyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [
                            {
                                "Effect": "Allow",
                                "Action": "cognito-idp:CreateUserPoolDomain",
                                "Resource": "arn:aws:cognito-idp:*:*:userpool/*"
                            },
                            {
                                "Effect": "Allow",
                                "Action": "cognito-idp:DeleteUserPoolDomain",
                                "Resource": "arn:aws:cognito-idp:*:*:userpool/*"
                            },
                            {
                                "Effect": "Allow",
                                "Action": "cognito-idp:DescribeUserPoolDomain",
                                "Resource": "*"
                            },
                            {
                                "Effect": "Allow",
                                "Action": "cognito-idp:DescribeUserPoolClient",
                                "Resource": "*"
                            }
                        ]
                    }
                },
                {
                    "policyName": "invokeLambdaFunction",
                    "policyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [
                            {
                                "Effect": "Allow",
                                "Action": "lambda:InvokeFunction",
                                "Resource": "arn:aws:lambda:*:*:function:*"
                            }
                        ]
                    }
                },
            ]
        )

        # CognitoUserPoolClientClientSettings
        with open("./cdk/CognitoUserPoolClientClientSettings/index.js", encoding="utf-8") as fp:
            code_body = fp.read()

        CognitoUserPoolClientClientSettings = cfn.CustomResource(
            self, "CognitoUserPoolClientClientSettings",
            provider=cfn.CustomResourceProvider.lambda_(
                lambda_.SingletonFunction(
                    self, "CognitoUserPoolClientClientSettingsLambda",
                    uuid="f7d4f730-4ee1-11e8-9c2d-fa7ae01bbebc",
                    code=lambda_.InlineCode(code_body),
                    handler="index.handler",
                    runtime=lambda_.Runtime.NODEJS_8_10,
                    role=iam.Role.from_role_arn(
                        self, 'CustomResourceRoleiam', role_arn=CustomResourceRole.attr_arn)
                )
            ),
            properties={"UserPoolId": CognitoUserPool.ref,
                        "UserPoolClientId": CognitoUserPoolClient.ref,
                        "AppDomain": AppDomain.value_as_string,
                        "SupportedIdentityProviders": ['COGNITO'],
                        "CallbackURL": CallbackURL.value_as_string,
                        "LogoutURL": LogoutURL.value_as_string,
                        "AllowedOAuthFlowsUserPoolClient": True,
                        "AllowedOAuthFlows": ['code'],
                        "AllowedOAuthScopes": ['openid']
                        },
        )

        # CognitoIdPool
        CognitoIdPool = cognito.CfnIdentityPool(
            self, 'CognitoIdPool',
            identity_pool_name='edxcognitoidpool',
            cognito_identity_providers=[{
                "clientId": CognitoUserPoolClient.ref,
                "providerName": CognitoUserPool.attr_provider_name
            }],
            allow_unauthenticated_identities=False
        )

        # Output
        core.CfnOutput(self, "CognitoUserPoolIdOutput",
                       value=CognitoUserPool.ref,
                       description="The Pool ID of the Cognito User Pool",
                       export_name="CognitoUserPoolId"
                       )
        core.CfnOutput(self, "CognitoUserPoolProviderURLOutput",
                       value=CognitoUserPool.attr_provider_url,
                       description="The Pool ProviderURL of the Cognito User Pool",
                       export_name="CognitoUserPoolProviderURL"
                       )
        core.CfnOutput(self, "CognitoUserPoolArnOutput",
                       value=CognitoUserPool.attr_arn,
                       description="The Pool Arn of the Cognito User Pool",
                       export_name="CognitoUserPoolArn"
                       )
        core.CfnOutput(self, "CognitoUserPoolClientIdOutput",
                       value=CognitoUserPoolClient.ref,
                       description="The App Client ID ",
                       export_name="CognitoUserPoolClientId"
                       )
        core.CfnOutput(self, "ClientSecretOutput",
                       value=core.Fn.get_att(
                           "CognitoUserPoolClientClientSettings", "ClientSecret").to_string(),
                       description="The Client Secret ",
                       export_name="ClientSecret"
                       )
예제 #6
0
    def __init__(self, scope: core.Construct, id: str, **kwargs):
        super().__init__(scope, id, **kwargs)

        prj_name = self.node.try_get_context('project_name')
        env_name = self.node.try_get_context('env')

        user_pool2 = cognito.UserPool(
            self,
            id=f'{env_name}-precog',
            auto_verify=cognito.AutoVerifiedAttrs(email=True),
            sign_in_aliases=cognito.SignInAliases(email=True, phone=True),
            self_sign_up_enabled=True,
            user_pool_name=f'{env_name}-cdk-2-user-pool',
            custom_attributes={
                "param1": cognito.StringAttribute(mutable=True)
            },
            password_policy=cognito.PasswordPolicy(min_length=10,
                                                   require_lowercase=True,
                                                   require_digits=True,
                                                   require_symbols=False,
                                                   require_uppercase=True))

        user_pool = cognito.CfnUserPool(
            self,
            id=f'{env_name}-cognito-user-pool',
            auto_verified_attributes=['email'],
            username_attributes=['email', 'phone_number'],
            user_pool_name=f'{env_name}-cdk-user-pool',
            schema=[{
                "attributeDataType": "String",
                "name": "param1",
                "mutable": True
            }],
            policies=cognito.CfnUserPool.PoliciesProperty(
                password_policy=cognito.CfnUserPool.PasswordPolicyProperty(
                    minimum_length=10,
                    require_lowercase=True,
                    require_numbers=True,
                    require_symbols=False,
                    require_uppercase=True)))

        user_pool_client2 = cognito.UserPoolClient(
            self,
            id=f'{env_name}-pool-client2',
            user_pool=user_pool2,
            user_pool_client_name=f'{env_name}-cdk-app-client2')
        identity_pool2 = cognito.CfnIdentityPool(
            self,
            id=f'{env_name}-identify-pool-2',
            allow_unauthenticated_identities=False,
            cognito_identity_providers=[
                cognito.CfnIdentityPool.CognitoIdentityProviderProperty(
                    client_id=user_pool_client2.user_pool_client_id,
                    provider_name=user_pool.attr_provider_name)
            ],
            identity_pool_name=f'{env_name}-cdk-identity-pool2')

        user_pool_client = cognito.CfnUserPoolClient(
            self,
            id=f'{env_name}-pool-client',
            user_pool_id=user_pool.ref,
            client_name=f'{env_name}-cdk-app-client')

        identity_pool = cognito.CfnIdentityPool(
            self,
            id=f'{env_name}-identify-pool',
            allow_unauthenticated_identities=False,
            cognito_identity_providers=[
                cognito.CfnIdentityPool.CognitoIdentityProviderProperty(
                    client_id=user_pool_client.ref,
                    provider_name=user_pool.attr_provider_name)
            ],
            identity_pool_name=f'{env_name}-cdk-identity-pool')

        ssm.StringParameter(
            self,
            id='app-id',
            parameter_name=f"/{env_name}/cognito-app-client-id",
            string_value=user_pool_client.ref)

        ssm.StringParameter(self,
                            id='user-pool-id',
                            parameter_name=f"/{env_name}/cognito-user-pool-id",
                            string_value=user_pool_client.user_pool_id)

        ssm.StringParameter(
            self,
            id='identity-pool-id',
            parameter_name=f"/{env_name}/cognito-identity-pool-id",
            string_value=identity_pool.ref  # ref returns the id
        )
    def __init__(self, scope: core.Construct, id: str, domain_prefix: str, other_account: str,  **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        user_pool = cognito.CfnUserPool(
            scope=self,
            id="user-pool",
            admin_create_user_config=cognito.CfnUserPool.AdminCreateUserConfigProperty(
                allow_admin_create_user_only=True,
            ),
            policies=cognito.CfnUserPool.PoliciesProperty(
                password_policy=cognito.CfnUserPool.PasswordPolicyProperty(
                    minimum_length=20,
                )),
            username_attributes=["email"],
            auto_verified_attributes=["email"],
        )

        cognito.CfnUserPoolDomain(
            scope=self,
            id="cognito-user-pool-domain",
            domain=f"{domain_prefix}-{core.Aws.ACCOUNT_ID}",
            user_pool_id=user_pool.ref,
        )

        id_pool = cognito.CfnIdentityPool(
            scope=self,
            id="identity-pool",
            allow_unauthenticated_identities=False,
            cognito_identity_providers=[],
        )

        auth_role = iam.Role(
            scope=self,
            id="auth-role",
            assumed_by=iam.FederatedPrincipal(
                federated="cognito-identity.amazonaws.com",
                conditions={
                    "StringEquals": {"cognito-identity.amazonaws.com:aud": id_pool.ref},
                    "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
                },
                assume_role_action="sts:AssumeRoleWithWebIdentity"),
        )

        es_role = iam.Role(
            scope=self,
            id="es-role",
            assumed_by=iam.ServicePrincipal('es.amazonaws.com'),
            managed_policies=[
                iam.ManagedPolicy.from_aws_managed_policy_name(
                    managed_policy_name="AmazonESCognitoAccess"
                )
            ],
        )

        es_domain = elasticsearch.CfnDomain(
            scope=self,
            id="search-domain",
            elasticsearch_cluster_config=elasticsearch.CfnDomain.ElasticsearchClusterConfigProperty(
                instance_count=2,
                instance_type="m5.large.elasticsearch",
            ),
            node_to_node_encryption_options=elasticsearch.CfnDomain.NodeToNodeEncryptionOptionsProperty(
                enabled=True),
            encryption_at_rest_options=elasticsearch.CfnDomain.EncryptionAtRestOptionsProperty(
                enabled=True),
            ebs_options=elasticsearch.CfnDomain.EBSOptionsProperty(
                ebs_enabled=True,
                volume_size=20),
            elasticsearch_version="7.4",
            domain_name=domain_prefix,
            access_policies={
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": auth_role.role_arn
                        },
                        "Action": [
                            "es:ESHttpGet",
                            "es:ESHttpPut",
                            "es:ESHttpPost",
                            "es:ESHttpDelete"
                        ],
                        "Resource": "arn:aws:es:" + core.Aws.REGION + ":" + core.Aws.ACCOUNT_ID + ":domain/" + domain_prefix + "/*"
                    },
                ]
            },
        )

        es_domain.add_property_override(
            'CognitoOptions.Enabled', True)
        es_domain.add_property_override(
            'CognitoOptions.IdentityPoolId', id_pool.ref)
        es_domain.add_property_override(
            'CognitoOptions.RoleArn', es_role.role_arn)
        es_domain.add_property_override(
            'CognitoOptions.UserPoolId', user_pool.ref)

        cognito.CfnIdentityPoolRoleAttachment(
            scope=self,
            id='user-pool-role-attachment',
            identity_pool_id=id_pool.ref,
            roles={
                'authenticated': auth_role.role_arn
            }
        )

        es_external_role = iam.Role(
            scope=self,
            id="logger-role",
            assumed_by=iam.CompositePrincipal(
                iam.ServicePrincipal("lambda.amazonaws.com"),
                iam.AccountPrincipal(other_account),
            ),
            description="role to use elastic search assumed by lambda",
            inline_policies={
                "es_policy": iam.PolicyDocument(statements=[
                    iam.PolicyStatement(
                        actions=[
                            "es:ESHttpPost",
                        ],
                        resources=[
                            es_domain.attr_arn + "/*",
                        ],
                    )]),
            },
        )

        core.CfnOutput(
            scope=self,
            id="es-host",
            value=es_domain.attr_domain_endpoint,
        )

        core.CfnOutput(
            scope=self,
            id="es-region",
            value=core.Aws.REGION,
        )

        core.CfnOutput(
            scope=self,
            id="es-external-role",
            value=es_external_role.role_arn,
        )