-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathserverless.yml
122 lines (116 loc) · 3.37 KB
/
serverless.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
service: cognito-mfa-email-example
# app and org for use with dashboard.serverless.com
#app: your-app-name
#org: your-org-name
# You can pin your service to only deploy with a specific Serverless version
# Check out our docs for more details
frameworkVersion: '2'
# plugins:
provider:
name: aws
runtime: nodejs12.x
stage: ${self:custom.stage}
region: us-east-1
environment:
# URL: {"Fn::Join": ["", ["https://", {"Ref": "ApiGatewayRestApi"}, ".execute-api.${self:provider.region}.amazonaws.com/${self:provider.stage}"]]}
USER_POOL_ID: {"Ref": "UserPool"}
iamRoleStatements:
- Effect: "Allow"
Action:
- cognito-idp:AdminGetUser
- cognito-idp:AdminUpdateUserAttributes
Resource:
- {"Fn::GetAtt": [UserPool, Arn]}
- Effect: "Allow"
Action:
- ses:SendEmail
Resource:
- "*"
functions:
define:
handler: defineAuth.handler
events:
- cognitoUserPool:
pool: ${self:custom.userPoolName}
trigger: DefineAuthChallenge
existing: true
create:
handler: createAuth.handler
environment:
EMAIL_ADDRESS: ${ssm:/${self:provider.stage}_EMAIL_ADDRESS}
events:
- cognitoUserPool:
pool: ${self:custom.userPoolName}
trigger: CreateAuthChallenge
existing: true
verify:
handler: verify.handler
events:
- cognitoUserPool:
pool: ${self:custom.userPoolName}
trigger: VerifyAuthChallengeResponse
existing: true
# Set up Cognito & S3
resources:
Resources:
UserPool:
Type: "AWS::Cognito::UserPool"
Properties:
MfaConfiguration: OFF
UsernameConfiguration:
CaseSensitive: false
UserPoolName: ${self:custom.userPoolName}
AdminCreateUserConfig:
AllowAdminCreateUserOnly: false
UnusedAccountValidityDays: 1
AutoVerifiedAttributes:
- email
UsernameAttributes:
- email
Schema:
- Name: email
Mutable: true
Required: true
- Name: name
Mutable: true
- Name: authChallenge
AttributeDataType: String
Mutable: true
- Name: securityQuestions
AttributeDataType: String
Mutable: true
- Name: securityQuestion1
AttributeDataType: String
Mutable: true
Policies:
PasswordPolicy:
MinimumLength: 8
RequireLowercase: True
RequireNumbers: True
RequireSymbols: True
RequireUppercase: True
UserPoolClient:
Type: "AWS::Cognito::UserPoolClient"
Properties:
ClientName: ${self:custom.userPoolClientName}
UserPoolId:
Ref: UserPool
ExplicitAuthFlows:
# - ADMIN_NO_SRP_AUTH
# - ALLOW_USER_SRP_AUTH
# - ALLOW_REFRESH_TOKEN_AUTH
# - ALLOW_CUSTOM_AUTH
- CUSTOM_AUTH_FLOW_ONLY
PreventUserExistenceErrors: ENABLED
GenerateSecret: true
Outputs:
UserPoolId:
Value: !Ref UserPool
UserPoolClientId:
Value: !Ref UserPoolClient
custom:
name: ${opt:name, 'example'}
stage: ${opt:stage, 'dev'}
userPoolName: ${self:custom.name}-${self:custom.stage}
userPoolClientName: ${self:custom.name}-${self:custom.stage}
webBucketName: sls-authorizers-${self:custom.stage}