-
Notifications
You must be signed in to change notification settings - Fork 161
/
Copy pathreuse-with-existing-user-pool.yaml
90 lines (85 loc) · 3.2 KB
/
reuse-with-existing-user-pool.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
# Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: >
Example stack that shows how to reuse the serverless application with a pre-existing User Pool and Client.
The pre-existing User Pool Arn and Client ID can be provided to the Auth@Edge application through parameters.
In this example we're creating the User Pool and Client, and the Auth@Edge application in the same stack in the same region.
You could instead also use a pre-existing User Pool and Client from a different stack and region.
Parameters:
EnableSPAMode:
Type: String
Description: Set to 'false' to disable SPA-specific features (i.e. when deploying a static site that won't interact with logout/refresh)
Default: "true"
AllowedValues:
- "true"
- "false"
OAuthScopes:
Type: CommaDelimitedList
Description: The OAuth scopes to request the User Pool to add to the access token JWT
Default: "phone, email, profile, openid, aws.cognito.signin.user.admin"
Conditions:
GenerateClientSecret: !Equals
- EnableSPAMode
- "false"
Resources:
UserPool:
Type: AWS::Cognito::UserPool
Properties:
UserPoolName: !Ref AWS::StackName
AdminCreateUserConfig:
AllowAdminCreateUserOnly: true
UsernameAttributes:
- email
UserPoolClient:
Type: AWS::Cognito::UserPoolClient
Properties:
UserPoolId: !Ref UserPool
PreventUserExistenceErrors: ENABLED
GenerateSecret: !If
- GenerateClientSecret
- true
- false
AllowedOAuthScopes: !Ref OAuthScopes
AllowedOAuthFlowsUserPoolClient: true
AllowedOAuthFlows:
- code
SupportedIdentityProviders:
- COGNITO
CallbackURLs:
# The following sentinel value will be replaced by Auth@Edge with the CloudFront domain name (if you let Auth@Edge create the CloudFront distribution)
- https://example.com/will-be-replaced
LogoutURLs:
# The following sentinel value will be replaced by Auth@Edge with the CloudFront domain name (if you let Auth@Edge create the CloudFront distribution)
- https://example.com/will-be-replaced
UserPoolDomain:
Type: AWS::Cognito::UserPoolDomain
Properties:
Domain: !Sub
- "auth-${StackIdSuffix}"
- StackIdSuffix: !Select
- 2
- !Split
- "/"
- !Ref AWS::StackId
UserPoolId: !Ref UserPool
MyLambdaEdgeProtectedSpaSetup:
Type: AWS::Serverless::Application
DependsOn: UserPoolDomain
Properties:
Location:
ApplicationId: arn:aws:serverlessrepo:us-east-1:520945424137:applications/cloudfront-authorization-at-edge
SemanticVersion: 2.3.2
Parameters:
UserPoolArn: !GetAtt UserPool.Arn
UserPoolClientId: !Ref UserPoolClient
EnableSPAMode: !Ref EnableSPAMode
CreateCloudFrontDistribution: true
OAuthScopes: !Join
- ","
- !Ref OAuthScopes
Outputs:
WebsiteUrl:
Description: URL of the CloudFront distribution that serves your SPA from S3
Value: !GetAtt MyLambdaEdgeProtectedSpaSetup.Outputs.WebsiteUrl