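# Shared infrastructure for the todos applications: a Cognito user pool federated
# with Google, a DynamoDB table, the IAM role/policy for the Lambda backends, and
# SSM parameters that publish the resulting identifiers to the other stacks.
#
# Template-version and policy-document dates are quoted so a generic YAML 1.1
# parser (cfn-lint, editors, pre-commit hooks) does not turn them into date objects.
AWSTemplateFormatVersion: "2010-09-09"
Description: Shared resources for different todos applications
Transform:
  - AWS::Serverless-2016-10-31

Parameters:
  GoogleClientId:
    Type: String
    Description: Google Client ID
  GoogleClientSecret:
    Type: String
    Description: Google Client Secret
    # Mask the value in the console, DescribeStacks output and change sets;
    # without NoEcho the plaintext secret is readable by anyone with stack read access.
    NoEcho: true
  CognitoDomain:
    Type: String
    Description: Cognito Domain
    # Hosted-UI domain prefix; must be unique within the region. The default keeps
    # existing deployments on the prefix the template previously hard-coded.
    Default: mistermiros-todos

Resources:
  ## Cognito Resources
  TodosUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: todos-user-pool
      # admin_only: users cannot self-recover accounts; sign-in is expected to go
      # through the Google federation below, so there is no local password to reset.
      AccountRecoverySetting:
        RecoveryMechanisms:
          - Name: admin_only
            Priority: 1
      AutoVerifiedAttributes:
        - email
      # Quoted on purpose: bare OFF is a YAML 1.1 boolean.
      MfaConfiguration: "OFF"
      Schema:
        - AttributeDataType: String
          Name: email
          Required: false
      UsernameAttributes:
        - email
      UserPoolTags:
        Project: todos

  TodosUserPoolGoogleIdp:
    Type: AWS::Cognito::UserPoolIdentityProvider
    Properties:
      ProviderName: Google
      ProviderType: Google
      UserPoolId: !Ref TodosUserPool
      # Left side is the Cognito attribute, right side is the Google OIDC claim.
      AttributeMapping:
        email: email
        username: sub
        family_name: family_name
        given_name: given_name
        locale: locale
        name: name
      ProviderDetails:
        client_id: !Ref GoogleClientId
        client_secret: !Ref GoogleClientSecret
        authorize_scopes: "email openid profile"

  TodosUserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      ClientName: web-app
      UserPoolId: !Ref TodosUserPool
      # Public client for a browser SPA: a client secret could not be kept
      # confidential there, so the authorization-code flow runs without one.
      GenerateSecret: false
      AllowedOAuthFlowsUserPoolClient: true
      AllowedOAuthFlows:
        - code
      AllowedOAuthScopes:
        - email
        - openid
        - profile
      # Cognito only redirects to URLs listed here. The http://localhost entry is the
      # Angular CLI dev server; a production deployment needs its own https URL
      # added (or substituted) here and in LogoutURLs.
      CallbackURLs:
        - http://localhost:4200/ # This is the default callback URL for the Angular CLI
      LogoutURLs:
        - http://localhost:4200/
      ExplicitAuthFlows:
        - ALLOW_USER_SRP_AUTH
        - ALLOW_REFRESH_TOKEN_AUTH
      # Return a generic error for unknown users so the sign-in endpoint cannot be
      # used to enumerate registered e-mail addresses.
      PreventUserExistenceErrors: ENABLED
      SupportedIdentityProviders:
        - !Ref TodosUserPoolGoogleIdp

  TodosUserPoolDomain:
    Type: AWS::Cognito::UserPoolDomain
    Properties:
      Domain: !Ref CognitoDomain
      UserPoolId: !Ref TodosUserPool

  # Identifiers published for the application stacks. These are not secrets, so
  # plain String parameters (not SecureString) are appropriate.
  TodosUserPoolSSMParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /todos/user-pool-id
      Type: String
      Value: !Ref TodosUserPool
      Tags:
        Project: todos

  TodosUserPoolClientSSMParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /todos/user-pool-client-id
      Type: String
      Value: !Ref TodosUserPoolClient
      Tags:
        Project: todos

  ## DynamoDB Resources
  TodosTodoTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: todos-TodoTable
      AttributeDefinitions:
        - AttributeName: user_email
          AttributeType: S
        - AttributeName: id
          AttributeType: S
      # Partition key is the owner's e-mail, so every item is scoped to one user;
      # the backend must still filter by the caller's identity, the key alone does not.
      KeySchema:
        - AttributeName: user_email
          KeyType: HASH
        - AttributeName: id
          KeyType: RANGE
      BillingMode: PAY_PER_REQUEST
      Tags:
        - Key: Project
          Value: todos

  TodosTodoTableSSMParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /todos/todo-table-name
      Type: String
      Value: !Ref TodosTodoTable
      Tags:
        Project: todos

  ## Lambda permissions Resources
  # Fixed ManagedPolicyName/RoleName values mean the stack must be deployed with
  # CAPABILITY_NAMED_IAM and can exist only once per account and region.
  TodosDynamoDbCrudPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: todos-dynamodb-crud-policy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            # Item-level CRUD on the table ARN only; no table management actions.
            # Secondary indexes would need a separate "<table-arn>/index/*" resource
            # entry — none are defined in this template.
            Action:
              - dynamodb:DeleteItem
              - dynamodb:GetItem
              - dynamodb:PutItem
              - dynamodb:Query
              - dynamodb:Scan
              - dynamodb:UpdateItem
            Resource: !GetAtt TodosTodoTable.Arn

  TodosLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: todos-lambda-role
      # Only the Lambda service may assume this role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        # CloudWatch Logs write access for function logging.
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - !Ref TodosDynamoDbCrudPolicy
      Tags:
        - Key: Project
          Value: todos

  TodosLambdaRoleSSMParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /todos/lambda-role-arn
      Type: String
      Value: !GetAtt TodosLambdaRole.Arn
      Tags:
        Project: todos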