-
Notifications
You must be signed in to change notification settings - Fork 160
/
template.yaml
1332 lines (1286 loc) · 49.8 KB
/
template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
# Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: >
Protect downloads of your content hosted on CloudFront with Cognito authentication using Lambda@Edge
Metadata:
AWS::ServerlessRepo::Application:
Name: cloudfront-authorization-at-edge
Description: >
Protect downloads of your content hosted on CloudFront with Cognito authentication using Lambda@Edge.
Includes: S3 Bucket w. sample SPA, Cognito User Pool with hosted UI set up, Lambda@Edge functions to validate JWTs and handle OAuth2 redirects.
Author: AWS Samples
SpdxLicenseId: MIT-0
LicenseUrl: LICENSE
ReadmeUrl: SERVERLESS-REPO.md
Labels:
[
"cognito",
"lambda@edge",
"cloudfront",
"s3",
"react",
"angular",
"vue",
"amplify",
]
HomePageUrl: https://github.com/aws-samples/cloudfront-authorization-at-edge
SemanticVersion: 2.3.2
SourceCodeUrl: https://github.com/aws-samples/cloudfront-authorization-at-edge
Parameters:
EmailAddress:
Type: String
Description: The email address of the user that will be created in the Cognito User Pool. Leave empty to skip user creation.
Default: ""
RedirectPathSignIn:
Type: String
Description: The URL path that should handle the redirect from Cognito after sign-in
Default: /parseauth
RedirectPathSignOut:
Type: String
Description: The URL path that should handle the redirect from Cognito after sign-out
Default: /
RedirectPathAuthRefresh:
Type: String
Description: The URL path that should handle the JWT refresh request
Default: /refreshauth
SignOutUrl:
Type: String
Description: The URL path that you can visit to sign-out
Default: /signout
AlternateDomainNames:
Type: CommaDelimitedList
Description: >
If you intend to use one or more custom domain names for the CloudFront distribution, please set that up yourself on the CloudFront distribution after deployment.
If you provide those domain names now (comma-separated) the necessary Cognito configuration will already be done for you (unless you're bring your own User Pool from a different AWS account).
Alternatively, update the Cognito configuration yourself after deployment: add sign in and sign out URLs for your custom domains to the user pool app client settings.
Default: ""
CookieSettings:
Type: String
Description: >
The settings for the cookies holding e.g. the JWTs. To be provided as a JSON object, mapping cookie type to setting.
Provide the setting for the particular cookie type as a string, e.g. "Path=/; Secure; HttpOnly; Max-Age=1800; SameSite=Lax".
If left to null, a default setting will be used that should be suitable given the value of "EnableSPAMode" parameter.
Default: >-
{
"idToken": null,
"accessToken": null,
"refreshToken": null,
"nonce": null
}
OAuthScopes:
Type: CommaDelimitedList
Description: The OAuth scopes to request the User Pool to add to the access token JWT
Default: "phone, email, profile, openid, aws.cognito.signin.user.admin"
HttpHeaders:
Type: String
Description: The HTTP headers to set on all responses from CloudFront. To be provided as a JSON object
Default: >-
{
"Content-Security-Policy": "default-src 'none'; img-src 'self'; script-src 'self' https://code.jquery.com https://stackpath.bootstrapcdn.com; style-src 'self' 'unsafe-inline' https://stackpath.bootstrapcdn.com; object-src 'none'; connect-src 'self' https://*.amazonaws.com https://*.amazoncognito.com",
"Strict-Transport-Security": "max-age=31536000; includeSubdomains; preload",
"Referrer-Policy": "same-origin",
"X-XSS-Protection": "1; mode=block",
"X-Frame-Options": "DENY",
"X-Content-Type-Options": "nosniff"
}
EnableSPAMode:
Type: String
Description: Set to 'false' to disable SPA-specific features (i.e. when deploying a static site that won't interact with logout/refresh)
Default: "true"
AllowedValues:
- "true"
- "false"
CreateCloudFrontDistribution:
Type: String
Description: >
Set to 'false' to skip the creation of a CloudFront distribution and associated resources, such as the private S3 bucket and the sample React app.
This may be of use to you, if you just want to create the Lambda@Edge functions to use with your own CloudFront distribution.
Default: "true"
AllowedValues:
- "true"
- "false"
CookieCompatibility:
Type: String
Description: >
Specify whether naming of cookies should be compatible with AWS Amplify (default) or Amazon Elasticsearch Service. In case of the latter, turn off SPA mode too: set parameter EnableSPAMode to false
Default: "amplify"
AllowedValues:
- "amplify"
- "elasticsearch"
AdditionalCookies:
Type: String
Description: 'Specify one or more additional cookies to set after successfull sign-in. Specify as a JSON object––mapping cookie names to values and settings: {"cookieName1": "cookieValue1; HttpOnly; Secure"}'
Default: >-
{}
UserPoolArn:
Type: String
Description: "Specify the ARN of an existing user pool to use that one instead of creating a new one. If specified, then UserPoolClientId must also be specified. Also, the User Pool should have a domain configured"
Default: ""
UserPoolAuthDomain:
Type: String
Description: >
The auth domain of the existing User Pool, whose ARN you specified as UserPoolArn, e.g. "my-domain.auth.<region>.amazoncognito.com".
If you don't provide this value, it will be looked up for you automatically. This automatic lookup only works if the pre-existing User Pool is in the same AWS account as this stack,
so if it's not, make sure to explictly specify the UserPoolAuthDomain.
Default: ""
UserPoolClientId:
Type: String
Description: >
Specify the ID of an existing user pool client to use that one instead of creating a new one. If specified, then UserPoolArn must also be specified.
Note: new callback URL's will be added to the pre-existing user pool client (but only if it's in the same AWS account as this stack)
Default: ""
UserPoolClientSecret:
Type: String
Description: >
The client secret of the existing User Pool Client, whose ClientId you specified as UserPoolClientId.
If you don't provide this value, it will be looked up for you automatically. This automatic lookup only works if the pre-existing User Pool Client is in the same AWS account as this stack,
so if it's not, make sure to explictly specify the UserPoolClientSecret.
Default: ""
UserPoolGroupName:
Type: String
Description: >
Specify a group that users have to be part of to view the private site. Use this to further protect your private site, in case you don't want every user in the User Pool to have access.
The UserPoolGroup will be created if the UserPool is also created (that happens when no UserPoolArn is set).
If the UserPoolGroup is created and the default user is also created (when you specify EmailAddress), that user will also be added to the group.
Default: ""
Version:
Type: String
Description: "Changing this parameter after initial deployment forces redeployment of Lambda@Edge functions"
Default: "2.3.2"
LogLevel:
Type: String
Description: "Use for development: setting to a value other than none turns on logging at that level. Warning! This will log sensitive data, use for development only"
Default: "none"
AllowedValues:
- "none"
- "info"
- "warn"
- "error"
- "debug"
PermissionsBoundaryPolicyArn:
Description: ARN of a boundary policy if your organisation uses some for roles, optional.
Type: String
Default: ""
RewritePathWithTrailingSlashToIndex:
Description: Do you want to append "index.html" to paths that end with a slash ("/")?
Type: String
Default: "false"
AllowedValues:
- "true"
- "false"
WebACLId:
Description: AWS WAF Web ACL Id, if any, to associate with this distribution
Type: String
Default: ""
DefaultRootObject:
Description: The object that you want CloudFront to request from your origin (for example, index.html) when a viewer requests the root URL for your distribution (http://www.example.com).
Type: String
Default: index.html
S3OriginDomainName:
Description: >
The S3 origin you want to front with CloudFront. Specify the bucket's region specific hostname, in the form of <bucket-name>.s3.<region>.amazonaws.com.
If you don't provide an origin, and "CreateCloudFrontDistribution" is set to "true" (the default), then an S3 bucket will be created for you.
Type: String
Default: ""
CustomOriginDomainName:
Description: >
The custom origin you want to front with CloudFront. If using an existing S3 bucket (in non-website mode), don't use this parameter, specify parameter "S3OriginDomainName" instead.
If you don't provide an origin, and "CreateCloudFrontDistribution" is set to "true" (the default), then an S3 bucket will be created for you.
Type: String
Default: ""
CustomOriginHeaderName:
Description: >
The HTTP header name of the (secret) custom header that you want CloudFront to send to your custom origin. Also specify parameter "CustomOriginHeaderValue".
Only of use if you are also specifying parameter "CustomOriginDomainName".
Type: String
Default: ""
CustomOriginHeaderValue:
Description: >
The HTTP header value of the (secret) custom header that you want CloudFront to send to your custom origin. Also specify parameter "CustomOriginHeaderName".
Only of use if you are also specifying parameter "CustomOriginDomainName".
Type: String
Default: ""
CreateCloudFrontAccessLogsBucket:
Description: >
Set to "true" to create a CloudFront access logs bucket and deliver logs to it. Ignored if CloudFrontAccessLogsBucket is also specified.
Type: String
Default: "false"
AllowedValues:
- "true"
- "false"
CloudFrontAccessLogsBucket:
Description: >
The (pre-existing) Amazon S3 bucket to store CloudFront access logs in, for example, myawslogbucket.s3.amazonaws.com. Only of use if "CreateCloudFrontDistribution" is set to "true" (the default).
This bucket must have ACLs enabled. If this value is unset and CreateCloudFrontAccessLogsBucket is set to "true", a bucket will be created.
Type: String
Default: ""
ResourceSuffix:
Description: The suffix to use for Lambda function names. Use this to disambiguate between multiple deployments of this application
Type: String
Default: ""
Conditions:
ApplyPermissionsBoundary:
!Not [!Equals [!Ref PermissionsBoundaryPolicyArn, ""]]
CreateUser: !And
- !Not [!Equals [!Ref EmailAddress, ""]]
- !Equals [!Ref UserPoolArn, ""]
- !Equals [!Ref UserPoolClientId, ""]
CreateCloudFrontDistribution:
!Equals [!Ref CreateCloudFrontDistribution, "true"]
SPAMode: !Equals [!Ref EnableSPAMode, "true"]
StaticSiteMode: !Equals [!Ref EnableSPAMode, "false"]
CreateSampleStaticSite: !And
- !Equals [!Ref EnableSPAMode, "false"]
- !Equals [!Ref CreateCloudFrontDistribution, "true"]
- !Equals [!Ref CustomOriginDomainName, ""]
- !Equals [!Ref S3OriginDomainName, ""]
CreateSampleReactApp: !And
- !Equals [!Ref EnableSPAMode, "true"]
- !Equals [!Ref CreateCloudFrontDistribution, "true"]
- !Equals [!Ref CustomOriginDomainName, ""]
- !Equals [!Ref S3OriginDomainName, ""]
CreateUserPoolAndClient: !Equals [!Ref UserPoolArn, ""]
CreateUserPoolGroup: !And
- !Condition CreateUserPoolAndClient
- !Not [!Equals [!Ref UserPoolGroupName, ""]]
AttachUserToPoolGroup: !And
- !Condition CreateUser
- !Condition CreateUserPoolGroup
NoExistingUserPoolProvidedOrExistingUserPoolIsInThisAccount: !Or
- !Equals [!Ref UserPoolArn, ""]
- !Equals
- !Ref AWS::AccountId
- !Select [4, !Split [":", !Sub "${UserPoolArn}::::otheraccount"]] # Appending :::::otheraccount is a trick to make the select work even if UserPoolArn is empty
UpdateUserPoolClient: !And
- !Or
- !Equals [!Ref CreateCloudFrontDistribution, "true"]
- !Not [!Equals [!Join ["", !Ref AlternateDomainNames], ""]]
- !Condition NoExistingUserPoolProvidedOrExistingUserPoolIsInThisAccount
RegionIsNotUsEast1: !Not [!Equals [!Ref AWS::Region, "us-east-1"]]
RewritePathWithTrailingSlashToIndex:
!Equals [!Ref RewritePathWithTrailingSlashToIndex, "true"]
CreateS3Bucket: !And
- !Equals [!Ref CreateCloudFrontDistribution, "true"]
- !Equals [!Ref CustomOriginDomainName, ""]
- !Equals [!Ref S3OriginDomainName, ""]
UseS3Origin: !And
- !Equals [!Ref CreateCloudFrontDistribution, "true"]
- !Equals [!Ref CustomOriginDomainName, ""]
UseWAF: !Not [!Equals [!Ref WebACLId, ""]]
UseResourceSuffix: !Not [!Equals [!Ref ResourceSuffix, ""]]
DefaultRootObjectProvided: !Not [!Equals [!Ref DefaultRootObject, ""]]
CloudFrontAccessLogsBucketProvided:
!Not [!Equals [!Ref CloudFrontAccessLogsBucket, ""]]
CustomOriginHeaderProvided: !And
- !Not [!Equals [!Ref CustomOriginHeaderName, ""]]
- !Not [!Equals [!Ref CustomOriginHeaderValue, ""]]
LookupAuthDomain: !And
- !Condition NoExistingUserPoolProvidedOrExistingUserPoolIsInThisAccount
- !Equals [!Ref UserPoolAuthDomain, ""]
LookupClientSecret: !And
- !Condition StaticSiteMode
- !Condition NoExistingUserPoolProvidedOrExistingUserPoolIsInThisAccount
- !Equals [!Ref UserPoolClientSecret, ""]
CreateCloudFrontAccessLogsBucket: !And
- !Equals [!Ref CreateCloudFrontAccessLogsBucket, "true"]
- !Not [!Condition CloudFrontAccessLogsBucketProvided]
Globals:
Function:
Timeout: 60
PermissionsBoundary: !If
- ApplyPermissionsBoundary
- !Ref PermissionsBoundaryPolicyArn
- !Ref AWS::NoValue
Runtime: nodejs20.x
Resources:
S3Bucket:
Type: AWS::S3::Bucket
Condition: CreateS3Bucket
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
AccessLogsBucket:
Type: AWS::S3::Bucket
Condition: CreateCloudFrontAccessLogsBucket
Properties:
OwnershipControls:
Rules:
- ObjectOwnership: BucketOwnerPreferred
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
CheckAuthHandler:
Type: AWS::Serverless::Function
Properties:
CodeUri: src/lambda-edge/check-auth/
Handler: bundle.handler
Role: !GetAtt LambdaEdgeExecutionRole.Arn
Timeout: 5
FunctionName: !If
- UseResourceSuffix
- !Sub "CheckAuthHandler-${ResourceSuffix}"
- !Ref AWS::NoValue
ParseAuthHandler:
Type: AWS::Serverless::Function
Properties:
CodeUri: src/lambda-edge/parse-auth/
Handler: bundle.handler
Role: !GetAtt LambdaEdgeExecutionRole.Arn
Timeout: 5
FunctionName: !If
- UseResourceSuffix
- !Sub "ParseAuthHandler-${ResourceSuffix}"
- !Ref AWS::NoValue
RefreshAuthHandler:
Type: AWS::Serverless::Function
Properties:
CodeUri: src/lambda-edge/refresh-auth/
Handler: bundle.handler
Role: !GetAtt LambdaEdgeExecutionRole.Arn
Timeout: 5
FunctionName: !If
- UseResourceSuffix
- !Sub "RefreshAuthHandler-${ResourceSuffix}"
- !Ref AWS::NoValue
HttpHeadersHandler:
Type: AWS::Serverless::Function
Properties:
CodeUri: src/lambda-edge/http-headers/
Handler: bundle.handler
Role: !GetAtt LambdaEdgeExecutionRole.Arn
Timeout: 5
FunctionName: !If
- UseResourceSuffix
- !Sub "HttpHeadersHandler-${ResourceSuffix}"
- !Ref AWS::NoValue
SignOutHandler:
Type: AWS::Serverless::Function
Properties:
CodeUri: src/lambda-edge/sign-out/
Handler: bundle.handler
Role: !GetAtt LambdaEdgeExecutionRole.Arn
Timeout: 5
FunctionName: !If
- UseResourceSuffix
- !Sub "SignOutHandler-${ResourceSuffix}"
- !Ref AWS::NoValue
TrailingSlashHandler:
Type: AWS::Serverless::Function
Condition: RewritePathWithTrailingSlashToIndex
Properties:
CodeUri: src/lambda-edge/rewrite-trailing-slash/
Handler: bundle.handler
Role: !GetAtt LambdaEdgeExecutionRole.Arn
Timeout: 5
FunctionName: !If
- UseResourceSuffix
- !Sub "TrailingSlashHandler-${ResourceSuffix}"
- !Ref AWS::NoValue
LambdaEdgeExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- edgelambda.amazonaws.com
- lambda.amazonaws.com
Action:
- sts:AssumeRole
ManagedPolicyArns:
- !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
PermissionsBoundary: !If
- ApplyPermissionsBoundary
- !Ref PermissionsBoundaryPolicyArn
- !Ref AWS::NoValue
UsEast1Deployment:
Type: Custom::UsEast1LambdaEdgeDeployment
Condition: RegionIsNotUsEast1
Properties:
ServiceToken: !GetAtt UsEast1DeploymentHandler.Arn
LambdaRoleArn: !GetAtt LambdaEdgeExecutionRole.Arn
CheckAuthHandlerArn: !GetAtt CheckAuthHandler.Arn
ParseAuthHandlerArn: !GetAtt ParseAuthHandler.Arn
RefreshAuthHandlerArn: !GetAtt RefreshAuthHandler.Arn
HttpHeadersHandlerArn: !GetAtt HttpHeadersHandler.Arn
SignOutHandlerArn: !GetAtt SignOutHandler.Arn
TrailingSlashHandlerArn: !If
- RewritePathWithTrailingSlashToIndex
- !GetAtt TrailingSlashHandler.Arn
- !Ref AWS::NoValue
Version: !Ref Version
UsEast1DeploymentHandler:
Type: AWS::Serverless::Function
Condition: RegionIsNotUsEast1
Properties:
CodeUri: src/cfn-custom-resources/us-east-1-lambda-stack
Handler: bundle.handler
Timeout: 900
Policies:
- Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- cloudformation:CreateChangeSet
- cloudformation:CreateStack
- cloudformation:DeleteChangeSet
- cloudformation:DeleteStack
- cloudformation:DescribeChangeSet
- cloudformation:DescribeStacks
- cloudformation:ExecuteChangeSet
- cloudformation:UpdateStack
Resource:
- !Sub "arn:${AWS::Partition}:cloudformation:us-east-1:${AWS::AccountId}:stack/${AWS::StackName}/*"
- !Sub "arn:${AWS::Partition}:cloudformation:us-east-1:${AWS::AccountId}:changeset/${AWS::StackName}/*"
- Effect: Allow
Action:
- cloudformation:DescribeStacks
- cloudformation:GetTemplate
Resource: !Ref AWS::StackId
- Effect: Allow
Action:
- s3:GetObject
- s3:PutObject
- s3:CreateBucket
- s3:DeleteBucket
- s3:DeleteObject
- s3:ListBucket
- s3:PutBucketTagging
Resource: !Sub "arn:${AWS::Partition}:s3:::*-authedgedeploymentbucket-*"
- Effect: Allow
Action: lambda:GetFunction
Resource:
- !GetAtt ParseAuthHandler.Arn
- !GetAtt CheckAuthHandler.Arn
- !GetAtt HttpHeadersHandler.Arn
- !GetAtt RefreshAuthHandler.Arn
- !GetAtt SignOutHandler.Arn
- !If
- RewritePathWithTrailingSlashToIndex
- !GetAtt TrailingSlashHandler.Arn
- !Ref AWS::NoValue
- Effect: Allow
Action:
- lambda:GetFunction
- lambda:CreateFunction
- lambda:DeleteFunction
- lambda:UpdateFunctionCode
- lambda:UpdateFunctionConfiguration
- lambda:TagResource
- lambda:ListTags
Resource:
- !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*CheckAuthHandler-*"
- !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*ParseAuthHandler-*"
- !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*RefreshAuthHandler-*"
- !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*SignOutHandler-*"
- !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*HttpHeadersHandler-*"
- !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*TrailingSlashHandler-*"
- Effect: Allow
Action: iam:PassRole
Resource: !GetAtt LambdaEdgeExecutionRole.Arn
CloudFrontDistribution:
Type: AWS::CloudFront::Distribution
Condition: CreateCloudFrontDistribution
Properties:
DistributionConfig:
CacheBehaviors:
- PathPattern: !Ref RedirectPathSignIn
Compress: true
ForwardedValues:
QueryString: true
LambdaFunctionAssociations:
- EventType: viewer-request
LambdaFunctionARN: !GetAtt ParseAuthHandlerCodeUpdate.FunctionArn
TargetOriginId: dummy-origin
ViewerProtocolPolicy: redirect-to-https
- PathPattern: !Ref RedirectPathAuthRefresh
Compress: true
ForwardedValues:
QueryString: true
LambdaFunctionAssociations:
- EventType: viewer-request
LambdaFunctionARN: !GetAtt RefreshAuthHandlerCodeUpdate.FunctionArn
TargetOriginId: dummy-origin
ViewerProtocolPolicy: redirect-to-https
- PathPattern: !Ref SignOutUrl
Compress: true
ForwardedValues:
QueryString: true
LambdaFunctionAssociations:
- EventType: viewer-request
LambdaFunctionARN: !GetAtt SignOutHandlerCodeUpdate.FunctionArn
TargetOriginId: dummy-origin
ViewerProtocolPolicy: redirect-to-https
DefaultCacheBehavior:
Compress: true
ForwardedValues:
QueryString: true
LambdaFunctionAssociations:
- EventType: viewer-request
LambdaFunctionARN: !GetAtt CheckAuthHandlerCodeUpdate.FunctionArn
- EventType: origin-response
LambdaFunctionARN: !GetAtt HttpHeadersHandlerCodeUpdate.FunctionArn
- !If
- RewritePathWithTrailingSlashToIndex
- EventType: origin-request
LambdaFunctionARN: !GetAtt TrailingSlashHandlerCodeUpdate.FunctionArn
- !Ref AWS::NoValue
TargetOriginId: protected-origin
ViewerProtocolPolicy: redirect-to-https
Enabled: true
DefaultRootObject: !If
- DefaultRootObjectProvided
- !Ref DefaultRootObject
- !Ref AWS::NoValue
WebACLId: !If
- UseWAF
- !Ref WebACLId
- !Ref AWS::NoValue
Logging: !If
- CloudFrontAccessLogsBucketProvided
- Bucket: !Ref CloudFrontAccessLogsBucket
- !If
- CreateCloudFrontAccessLogsBucket
- Bucket: !GetAtt AccessLogsBucket.DomainName
- !Ref AWS::NoValue
Origins:
- DomainName: !If
- UseS3Origin
- !If
- CreateS3Bucket
- !GetAtt S3Bucket.RegionalDomainName
- !Ref S3OriginDomainName
- !Ref CustomOriginDomainName
Id: protected-origin
CustomOriginConfig: !If
- UseS3Origin
- !Ref AWS::NoValue
- OriginProtocolPolicy: https-only
OriginCustomHeaders: !If
- UseS3Origin
- !Ref AWS::NoValue
- !If
- CustomOriginHeaderProvided
- - HeaderName: !Ref CustomOriginHeaderName
HeaderValue: !Ref CustomOriginHeaderValue
- !Ref AWS::NoValue
OriginAccessControlId: !If
- UseS3Origin
- !GetAtt CloudFrontOriginAccessControl.Id
- !Ref AWS::NoValue
S3OriginConfig: !If
- UseS3Origin
# If you're using origin access control (OAC) instead of origin access identity,
# specify an empty OriginAccessIdentity element. For more information, see
# Restricting access to an AWS in the Amazon CloudFront Developer Guide.
- OriginAccessIdentity: ""
- !Ref AWS::NoValue
- DomainName: will-never-be-reached.org
Id: dummy-origin
CustomOriginConfig:
OriginProtocolPolicy: match-viewer
CustomErrorResponses:
- !If
- SPAMode # In SPA mode, 404's from S3 should return index.html, to enable SPA routing
- ErrorCode: 404
ResponseCode: 200
ResponsePagePath: /index.html
- !Ref AWS::NoValue
CloudFrontOriginAccessControl:
Type: AWS::CloudFront::OriginAccessControl
Condition: UseS3Origin
Properties:
OriginAccessControlConfig:
Name: !If [CreateS3Bucket, !GetAtt S3Bucket.DomainName, !Ref S3OriginDomainName]
OriginAccessControlOriginType: s3
SigningBehavior: always
SigningProtocol: sigv4
CloudFrontBucketPolicy:
Type: AWS::S3::BucketPolicy
Condition: CreateS3Bucket
Properties:
Bucket: !Ref S3Bucket
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: AllowCloudFrontDistributionToGetObjects
Action:
- "s3:GetObject"
Effect: "Allow"
Resource: !Sub "${S3Bucket.Arn}/*"
Principal:
Service: cloudfront.amazonaws.com
Condition:
StringEquals:
"AWS:SourceArn": !Sub "arn:${AWS::Partition}:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistribution}"
- Sid: AllowCloudFrontDistributionToListBucket
Action:
- "s3:ListBucket"
Effect: "Allow"
Resource: !GetAtt S3Bucket.Arn
Principal:
Service: cloudfront.amazonaws.com
Condition:
StringEquals:
"AWS:SourceArn": !Sub "arn:${AWS::Partition}:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistribution}"
UserPool:
Type: AWS::Cognito::UserPool
Condition: CreateUserPoolAndClient
Properties:
AdminCreateUserConfig:
AllowAdminCreateUserOnly: true
UserPoolName: !Ref AWS::StackName
UsernameAttributes:
- email
UserPoolGroup:
Type: AWS::Cognito::UserPoolGroup
Condition: CreateUserPoolGroup
Properties:
GroupName: !Ref UserPoolGroupName
UserPoolId: !Ref UserPool
User:
Type: AWS::Cognito::UserPoolUser
Condition: CreateUser
Properties:
Username: !Ref EmailAddress
UserPoolId: !Ref UserPool
UserPoolGroupAttachment:
Type: AWS::Cognito::UserPoolUserToGroupAttachment
Condition: AttachUserToPoolGroup
Properties:
GroupName: !Ref UserPoolGroupName
Username: !Ref EmailAddress
UserPoolId: !Ref UserPool
UserPoolClient:
Type: AWS::Cognito::UserPoolClient
Condition: CreateUserPoolAndClient
Properties:
UserPoolId: !Ref UserPool
PreventUserExistenceErrors: ENABLED
GenerateSecret: !If
- StaticSiteMode
- true
- false
AllowedOAuthScopes: !Ref OAuthScopes
AllowedOAuthFlowsUserPoolClient: true
AllowedOAuthFlows:
- code
SupportedIdentityProviders:
- COGNITO
CallbackURLs:
- https://example.com/will-be-replaced
LogoutURLs:
- https://example.com/will-be-replaced
UserPoolDomain:
Type: AWS::Cognito::UserPoolDomain
Condition: CreateUserPoolAndClient
Properties:
Domain: !Sub
- "auth-${StackIdSuffix}"
- StackIdSuffix: !Select
- 2
- !Split
- "/"
- !Ref AWS::StackId
UserPoolId: !Ref UserPool
UserPoolDomainLookup:
Type: Custom::UserPoolDomainLookup
Condition: LookupAuthDomain
Properties:
ServiceToken: !GetAtt UserPoolDomainLookupHandler.Arn
UserPoolArn: !If
- CreateUserPoolAndClient
- !GetAtt UserPool.Arn
- !Ref UserPoolArn
UserPoolDomainLookupHandler:
Type: AWS::Serverless::Function
Condition: LookupAuthDomain
Properties:
CodeUri: src/cfn-custom-resources/user-pool-domain/
Handler: bundle.handler
Policies:
- Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- cognito-idp:DescribeUserPool
Resource: !If
- CreateUserPoolAndClient
- !GetAtt UserPool.Arn
- !Ref UserPoolArn
UserPoolClientUpdate:
Type: Custom::UserPoolClientUpdate
Condition: UpdateUserPoolClient
Properties:
ServiceToken: !GetAtt UserPoolClientUpdateHandler.Arn
UserPoolArn: !If
- CreateUserPoolAndClient
- !GetAtt UserPool.Arn
- !Ref UserPoolArn
UserPoolClientId: !If
- CreateUserPoolAndClient
- !Ref UserPoolClient
- !Ref UserPoolClientId
CloudFrontDistributionDomainName: !If
- CreateCloudFrontDistribution
- !GetAtt CloudFrontDistribution.DomainName
- ""
RedirectPathSignIn: !Ref RedirectPathSignIn
RedirectPathSignOut: !Ref RedirectPathSignOut
AlternateDomainNames: !Ref AlternateDomainNames
OAuthScopes: !Ref OAuthScopes
UserPoolClientUpdateHandler:
Type: AWS::Serverless::Function
Properties:
CodeUri: src/cfn-custom-resources/user-pool-client/
Handler: bundle.handler
Policies:
- Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- cognito-idp:UpdateUserPoolClient
- cognito-idp:DescribeUserPoolClient
Resource: "*" # * to be able to clean up after myself, if you change the User Pool Client ID
ClientSecretRetrieval:
Type: Custom::ClientSecretRetrieval
Condition: LookupClientSecret
Properties:
ServiceToken: !GetAtt ClientSecretRetrievalHandler.Arn
UserPoolArn: !If
- CreateUserPoolAndClient
- !GetAtt UserPool.Arn
- !Ref UserPoolArn
UserPoolClientId: !If
- CreateUserPoolAndClient
- !Ref UserPoolClient
- !Ref UserPoolClientId
ClientSecretRetrievalHandler:
Type: AWS::Serverless::Function
Condition: LookupClientSecret
Properties:
CodeUri: src/cfn-custom-resources/client-secret-retrieval/
Handler: bundle.handler
Policies:
- Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- cognito-idp:DescribeUserPoolClient
Resource: !If
- CreateUserPoolAndClient
- !GetAtt UserPool.Arn
- !Ref UserPoolArn
CognitoJwksFetchHandler:
Type: AWS::Serverless::Function
Properties:
CodeUri: src/cfn-custom-resources/fetch-jwks/
Handler: bundle.handler
FetchedJwks:
Type: Custom::FetchedJwks
Properties:
ServiceToken: !GetAtt CognitoJwksFetchHandler.Arn
Version: !Ref Version
UserPoolArn: !If
- CreateUserPoolAndClient
- !GetAtt UserPool.Arn
- !Ref UserPoolArn
StaticSite:
Type: Custom::StaticSite
Condition: CreateSampleStaticSite
Properties:
ServiceToken: !GetAtt StaticSiteHandler.Arn
BucketName: !Ref S3Bucket
Version: !Ref Version
StaticSiteHandler:
Type: AWS::Serverless::Function
Condition: CreateSampleStaticSite
Properties:
CodeUri: src/cfn-custom-resources/static-site/
Handler: bundle.handler
Timeout: 180
MemorySize: 2048
Policies:
- Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- s3:ListBucket
Resource:
- !GetAtt S3Bucket.Arn
- Effect: Allow
Action:
- s3:DeleteObject
- s3:PutObject
Resource:
- !GetAtt S3Bucket.Arn
- !Join ["/", [!GetAtt S3Bucket.Arn, "*"]]
ReactApp:
Type: Custom::ReactApp
Condition: CreateSampleReactApp
Properties:
ServiceToken: !GetAtt ReactAppHandler.Arn
BucketName: !Ref S3Bucket
UserPoolArn: !If
- CreateUserPoolAndClient
- !GetAtt UserPool.Arn
- !Ref UserPoolArn
ClientId: !If
- CreateUserPoolAndClient
- !Ref UserPoolClient
- !Ref UserPoolClientId
CognitoAuthDomain: !If
- LookupAuthDomain
- !Ref UserPoolDomainLookup
- !Ref UserPoolAuthDomain
RedirectPathSignIn: !Ref RedirectPathSignIn
RedirectPathSignOut: !Ref RedirectPathSignOut
OAuthScopes: !Join
- ","
- !Ref OAuthScopes
SignOutUrl: !Ref SignOutUrl
CookieSettings: !Ref CookieSettings
Version: !Ref Version
ReactAppHandler:
Type: AWS::Serverless::Function
Condition: CreateSampleReactApp
Properties:
CodeUri: src/cfn-custom-resources/react-app/
Handler: bundle.handler
Timeout: 300
MemorySize: 3008
EphemeralStorage:
Size: 2048
Policies:
- Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- s3:ListBucket
Resource:
- !GetAtt S3Bucket.Arn
- Effect: Allow
Action:
- s3:DeleteObject
- s3:PutObject
Resource:
- !GetAtt S3Bucket.Arn
- !Join ["/", [!GetAtt S3Bucket.Arn, "*"]]
ParseAuthHandlerCodeUpdate:
Type: Custom::LambdaCodeUpdate
Properties:
ServiceToken: !GetAtt LambdaCodeUpdateHandler.Arn
LambdaFunction: !If
- RegionIsNotUsEast1
- !GetAtt UsEast1Deployment.ParseAuthHandler
- !GetAtt ParseAuthHandler.Arn
Version: !Ref Version
Configuration:
Fn::Sub:
- >
{
"userPoolArn": "${UserPoolArn}",
"jwks": ${FetchedJwks.Jwks},
"clientId": "${ClientId}",
"clientSecret": "${ClientSecret}",
"oauthScopes": ${OAuthScopesJsonArray},
"cognitoAuthDomain": "${UserPoolDomain}",
"redirectPathSignIn": "${RedirectPathSignIn}",
"redirectPathSignOut": "${RedirectPathSignOut}",
"signOutUrl": "${SignOutUrl}",
"redirectPathAuthRefresh": "${RedirectPathAuthRefresh}",
"cookieSettings": ${CookieSettings},
"mode": "${Mode}",
"httpHeaders": ${HttpHeaders},
"logLevel": "${LogLevel}",
"nonceSigningSecret": "${NonceSigningSecret}",
"cookieCompatibility": "${CookieCompatibility}",
"additionalCookies": ${AdditionalCookies},
"requiredGroup": "${UserPoolGroupName}"
}
- Mode: !If
- SPAMode
- "spaMode"
- "staticSiteMode"
UserPoolDomain: !If
- LookupAuthDomain
- !Ref UserPoolDomainLookup
- !Ref UserPoolAuthDomain
ClientSecret: !If
- StaticSiteMode
- !If
- LookupClientSecret
- !GetAtt ClientSecretRetrieval.ClientSecret
- !Ref UserPoolClientSecret
- ""
UserPoolArn: !If
- CreateUserPoolAndClient
- !GetAtt UserPool.Arn
- !Ref UserPoolArn
ClientId: !If
- CreateUserPoolAndClient
- !Ref UserPoolClient
- !Ref UserPoolClientId
OAuthScopesJsonArray: !Join
- ""
- - '["'
- !Join
- '", "'
- !Ref OAuthScopes
- '"]'
CheckAuthHandlerCodeUpdate:
Type: Custom::LambdaCodeUpdate
Properties:
ServiceToken: !GetAtt LambdaCodeUpdateHandler.Arn
LambdaFunction: !If
- RegionIsNotUsEast1
- !GetAtt UsEast1Deployment.CheckAuthHandler
- !GetAtt CheckAuthHandler.Arn
Version: !Ref Version
Configuration:
Fn::Sub:
- >
{
"userPoolArn": "${UserPoolArn}",
"jwks": ${FetchedJwks.Jwks},
"clientId": "${ClientId}",
"clientSecret": "${ClientSecret}",
"oauthScopes": ${OAuthScopesJsonArray},
"cognitoAuthDomain": "${UserPoolDomain}",
"redirectPathSignIn": "${RedirectPathSignIn}",
"redirectPathSignOut": "${RedirectPathSignOut}",
"signOutUrl": "${SignOutUrl}",
"redirectPathAuthRefresh": "${RedirectPathAuthRefresh}",
"cookieSettings": ${CookieSettings},
"mode": "${Mode}",