-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathtemplate.yaml
241 lines (229 loc) · 7.77 KB
/
template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
Simple template for a function behind an API gateway, supported by a DynamoDB table
Globals:
Function:
Timeout: 100
Tracing: Active
Api:
TracingEnabled: true
Parameters:
CognitoTestUserEmail:
Description: Email address of the created user
Type: String
ApiStageName:
Default: staging
Description: StageName of API Gateway deployment
Type: String
AuthPageUrl:
Type: String
Default: "https://instantiator.dev/auth-redirect-pages/index.html"
Description: Base url for an auth testing page
AuthRedirectUri:
Type: String
Default: "https://instantiator.dev/auth-redirect-pages/logged_in.html"
Description: Uri to redirect to on successful authentication
Resources:
ApiGateway:
Type: AWS::Serverless::Api
DependsOn: UserPool
Properties:
StageName: !Ref ApiStageName
GatewayResponses:
DEFAULT_4XX:
ResponseParameters:
Headers:
Access-Control-Allow-Headers: "'Content-Type,Authorization'"
Access-Control-Allow-Origin: "'https://localhost:5001'"
Access-Control-Allow-Methods: "'OPTIONS,GET,PUT'"
Access-Control-Allow-Credentials: "'true'"
DEFAULT_5XX:
ResponseParameters:
Headers:
Access-Control-Allow-Headers: "'Content-Type,Authorization'"
Access-Control-Allow-Origin: "'https://localhost:5001'"
Access-Control-Allow-Methods: "'OPTIONS,GET,PUT'"
Access-Control-Allow-Credentials: "'true'"
Auth:
# Do not provide a DefaultAuthorizer - instead mark endpoints that require authorization
# DefaultAuthorizer: CognitoAuthorizer
Authorizers:
CognitoAuthorizer:
UserPoolArn: !GetAtt UserPool.Arn
FunctionOneRoot:
Type: AWS::Serverless::Function
Properties:
Description: A simple serverless function - returns ok.
CodeUri: ./src/SampleFunctions/FunctionOne/
Handler: FunctionOne::FunctionOne.HandlerRoot::Handle
Runtime: dotnet6
MemorySize: 1024
Events:
RootResource:
Type: Api
Properties:
Path: /FunctionOne
Method: get
RestApiId: !Ref ApiGateway
RootResourceOptions:
Type: Api
Properties:
Path: /FunctionOne
Method: options
RestApiId: !Ref ApiGateway
FunctionOneNotes:
Type: AWS::Serverless::Function
Properties:
Description: A simple serverless function - GET to count notes, POST to add a note.
CodeUri: ./src/SampleFunctions/FunctionOne/
Handler: FunctionOne::FunctionOne.HandlerNotes::Handle
Runtime: dotnet6
MemorySize: 1024
Environment:
Variables:
NOTES_TABLE: !Ref NotesDbTable
Policies:
- DynamoDBCrudPolicy:
TableName: !Ref NotesDbTable
Events:
GetNotesResource:
Type: Api
Properties:
Path: /FunctionOne/notes
Method: get
RestApiId: !Ref ApiGateway
Auth: # optional per endpoint
Authorizer: CognitoAuthorizer
AuthorizationScopes:
- profile
- aws.cognito.signin.user.admin
PostNoteResource:
Type: Api
Properties:
Path: /FunctionOne/notes
Method: post
RestApiId: !Ref ApiGateway
Auth: # optional per endpoint
Authorizer: CognitoAuthorizer
AuthorizationScopes:
- profile
- aws.cognito.signin.user.admin
NotesResourceOptions:
Type: Api
Properties:
Path: /FunctionOne/notes
Method: options
RestApiId: !Ref ApiGateway
NotesDbTable:
Type: AWS::Serverless::SimpleTable
Properties:
TableName: !Sub ${AWS::StackName}-notes
PrimaryKey:
Name: Id
Type: String
ProvisionedThroughput:
ReadCapacityUnits: 2
WriteCapacityUnits: 2
UserPool:
Type: AWS::Cognito::UserPool
Properties:
UserPoolName: MvpAppUserPool
Policies:
PasswordPolicy:
MinimumLength: 8
UsernameAttributes:
- email
Schema:
- AttributeDataType: String
Name: email
Required: false
UserPoolClient:
Type: AWS::Cognito::UserPoolClient
Properties:
AccessTokenValidity: 60 # (minutes) default value.
AllowedOAuthFlowsUserPoolClient: true
AllowedOAuthFlows:
- code
- implicit
AllowedOAuthScopes:
- aws.cognito.signin.user.admin
- email
- openid
- profile
CallbackURLs:
- https://instantiator.dev/auth-redirect-pages/logged_in.html
ClientName: !Sub ${AWS::StackName}-UserPoolClient
EnableTokenRevocation: true # default value.
ExplicitAuthFlows:
- ALLOW_CUSTOM_AUTH
- ALLOW_REFRESH_TOKEN_AUTH
- ALLOW_USER_SRP_AUTH
IdTokenValidity: 60 # (minutes) default value.
LogoutURLs:
- https://instantiator.dev/auth-redirect-pages/logged_out.html
PreventUserExistenceErrors: ENABLED # default value.
RefreshTokenValidity: 30 # (days) default value.
SupportedIdentityProviders:
- COGNITO
TokenValidityUnits:
AccessToken: minutes
IdToken: minutes
RefreshToken: days
UserPoolId: !Ref UserPool
UserPoolDomain:
Type: AWS::Cognito::UserPoolDomain
Properties:
UserPoolId: !Ref UserPool
Domain: !Sub '${AWS::StackName}'
UserPoolCustomisation:
Type: AWS::Cognito::UserPoolUICustomizationAttachment
Properties:
ClientId: !Ref UserPoolClient
UserPoolId: !Ref UserPool
UserPoolTestUser:
Type: AWS::Cognito::UserPoolUser
Properties:
DesiredDeliveryMediums:
- EMAIL
Username: !Ref CognitoTestUserEmail
UserPoolId: !Ref UserPool
Outputs:
FunctionOneEndpoint:
Description: API Gateway endpoint URL with auth
Value: !Sub "https://${ApiGateway}.execute-api.${AWS::Region}.amazonaws.com/staging/FunctionOne"
UserPoolId:
Description: "ID of the Cognito User Pool"
Value: !Ref UserPool
CognitoClientId:
Description: "ID of the Cognito User Pool Client"
Value: !Ref UserPoolClient
TestUserEmail:
Description: "Email address associated with the test user"
Value: !Ref CognitoTestUserEmail
AuthTestingUrl:
Description: "Auth testing tool"
Value: !Sub
- '${AuthPageUrl}?domain_prefix=${Prefix}®ion=${Region}&client_id=${ClientId}&redirect_uri=${AuthRedirectUri}'
- Prefix: !Sub '${AWS::StackName}'
Region: !Sub '${AWS::Region}'
ClientId: !Ref UserPoolClient
CognitoLoginUrl:
Description: "Cognito login url"
Value: !Sub
- 'https://${Prefix}.auth.${Region}.amazoncognito.com/login?response_type=code&client_id=${ClientId}&redirect_uri=${AuthRedirectUri}'
- Prefix: !Sub '${AWS::StackName}'
Region: !Sub '${AWS::Region}'
ClientId: !Ref UserPoolClient
CognitoTokenEndpoint:
Description: "POST code to this endpoint for user access, refresh, and id tokens. See: https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html"
Value: !Sub
- 'https://${Prefix}.auth.${Region}.amazoncognito.com/oauth2/token'
- Prefix: !Sub '${AWS::StackName}'
Region: !Sub '${AWS::Region}'
CognitoUserInfoEndpoint:
Description: "GET this endpoint for user info. See: https://docs.aws.amazon.com/cognito/latest/developerguide/userinfo-endpoint.html"
Value: !Sub
- 'https://${Prefix}.auth.${Region}.amazoncognito.com/oauth2/userInfo'
- Prefix: !Sub '${AWS::StackName}'
Region: !Sub '${AWS::Region}'