@ttoss/cloud-auth 0.10.6 → 0.11.0

package/README.md CHANGED
@@ -1,9 +1,11 @@
1
1
  # @ttoss/cloud-auth
2
2
 
3
+ It's a library for creating AWS Cognito resources. It creates an user pool, an identity pool and a client application.
4
+
3
5
  ## Installation
4
6
 
5
7
  ```bash
6
- yarn install @ttoss/cloud-auth
8
+ pnpm add @ttoss/cloud-auth
7
9
  ```
8
10
 
9
11
  ## Quickstart
@@ -17,3 +19,73 @@ const template = createAuthTemplate();
17
19
 
18
20
  export default template;
19
21
  ```
22
+
23
+ ## Usage
24
+
25
+ ### Identity Pool
26
+
27
+ #### Create an basic identity pool
28
+
29
+ ```typescript
30
+ const template = createAuthTemplate({
31
+ identityPool: {
32
+ enabled: true, // false by default
33
+ name: 'MyIdentityPool',
34
+ allowUnauthenticatedIdentities: false, // false by default
35
+ },
36
+ });
37
+ ```
38
+
39
+ #### Create an identity pool with external roles
40
+
41
+ ```typescript
42
+ const template = createAuthTemplate({
43
+ identityPool: {
44
+ enabled: true,
45
+ authenticatedRoleArn:
46
+ 'arn:aws:iam::123456789012:role/MyIdentityPool_AuthenticatedRole',
47
+ unauthenticatedRoleArn:
48
+ 'arn:aws:iam::123456789012:role/MyIdentityPool_UnauthenticatedRole',
49
+ },
50
+ });
51
+ ```
52
+
53
+ #### Create an identity pool with defined policies
54
+
55
+ ```typescript
56
+ const template = createAuthTemplate({
57
+ identityPool: {
58
+ enabled: true,
59
+ authenticatedPolicies: [
60
+ {
61
+ policyName: 'MyIdentityPool_AuthenticatedPolicy',
62
+ policyDocument: {
63
+ Version: '2012-10-17',
64
+ Statement: [
65
+ {
66
+ Effect: 'Allow',
67
+ Action: ['mobileanalytics:PutEvents', 'cognito-sync:*'],
68
+ Resource: ['*'],
69
+ },
70
+ ],
71
+ },
72
+ },
73
+ ],
74
+ unauthenticatedPolicies: [
75
+ {
76
+ policyName: 'MyIdentityPool_UnauthenticatedPolicy',
77
+ policyDocument: {
78
+ Version: '2012-10-17',
79
+ Statement: [
80
+ {
81
+ Effect: 'Deny',
82
+ Action: ['*'],
83
+ Resource: ['*'],
84
+ },
85
+ ],
86
+ },
87
+ },
88
+ ],
89
+ },
90
+ });
91
+ ```
package/dist/esm/index.js CHANGED
@@ -25,6 +25,9 @@ var createAuthTemplate = ({
25
25
  AWSTemplateFormatVersion: "2010-09-09",
26
26
  Resources: {
27
27
  [CognitoUserPoolLogicalId]: {
28
+ /**
29
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html
30
+ */
28
31
  Type: "AWS::Cognito::UserPool",
29
32
  Properties: {
30
33
  AutoVerifiedAttributes,
@@ -48,6 +51,9 @@ var createAuthTemplate = ({
48
51
  }
49
52
  },
50
53
  [CognitoUserPoolClientLogicalId]: {
54
+ /**
55
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html
56
+ */
51
57
  Type: "AWS::Cognito::UserPoolClient",
52
58
  Properties: {
53
59
  SupportedIdentityProviders: ["COGNITO"],
@@ -129,9 +135,12 @@ var createAuthTemplate = ({
129
135
  }
130
136
  if (identityPool?.enabled) {
131
137
  template.Resources[CognitoIdentityPoolLogicalId] = {
138
+ /**
139
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html
140
+ */
132
141
  Type: "AWS::Cognito::IdentityPool",
133
142
  Properties: {
134
- AllowUnauthenticatedIdentities: true,
143
+ AllowUnauthenticatedIdentities: identityPool.allowUnauthenticatedIdentities || false,
135
144
  CognitoIdentityProviders: [{
136
145
  ClientId: {
137
146
  Ref: CognitoUserPoolClientLogicalId
@@ -142,86 +151,99 @@ var createAuthTemplate = ({
142
151
  }]
143
152
  }
144
153
  };
145
- template.Resources[IdentityPoolAuthenticatedIAMRoleLogicalId] = {
146
- Type: "AWS::IAM::Role",
154
+ if (identityPool.name) {
155
+ template.Resources[CognitoIdentityPoolLogicalId].Properties.IdentityPoolName = identityPool.name;
156
+ }
157
+ template.Resources.CognitoIdentityPoolRoleAttachment = {
158
+ /**
159
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html
160
+ */
161
+ Type: "AWS::Cognito::IdentityPoolRoleAttachment",
147
162
  Properties: {
148
- AssumeRolePolicyDocument: {
149
- Version: "2012-10-17",
150
- Statement: [{
151
- Effect: "Allow",
152
- Principal: {
153
- Federated: "cognito-identity.amazonaws.com"
154
- },
155
- Action: ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
156
- Condition: {
157
- StringEquals: {
158
- "cognito-identity.amazonaws.com:aud": {
159
- Ref: CognitoIdentityPoolLogicalId
160
- }
161
- },
162
- "ForAnyValue:StringLike": {
163
- "cognito-identity.amazonaws.com:amr": "authenticated"
164
- }
165
- }
166
- }]
163
+ IdentityPoolId: {
164
+ Ref: CognitoIdentityPoolLogicalId
167
165
  },
168
- Policies: identityPool.authenticatedPolicies || [{
169
- PolicyName: "IdentityPoolAuthenticatedIAMRolePolicyName",
170
- PolicyDocument: {
171
- Version: "2012-10-17",
172
- Statement: [DenyStatement]
173
- }
174
- }]
166
+ Roles: {}
175
167
  }
176
168
  };
177
- template.Resources[IdentityPoolUnauthenticatedIAMRoleLogicalId] = {
178
- Type: "AWS::IAM::Role",
179
- Properties: {
180
- AssumeRolePolicyDocument: {
181
- Version: "2012-10-17",
182
- Statement: [{
183
- Effect: "Allow",
184
- Principal: {
185
- Federated: "cognito-identity.amazonaws.com"
186
- },
187
- Action: "sts:AssumeRoleWithWebIdentity",
188
- Condition: {
189
- StringEquals: {
190
- "cognito-identity.amazonaws.com:aud": {
191
- Ref: CognitoIdentityPoolLogicalId
192
- }
169
+ if (!identityPool.authenticatedRoleArn) {
170
+ template.Resources[IdentityPoolAuthenticatedIAMRoleLogicalId] = {
171
+ Type: "AWS::IAM::Role",
172
+ Properties: {
173
+ AssumeRolePolicyDocument: {
174
+ Version: "2012-10-17",
175
+ Statement: [{
176
+ Effect: "Allow",
177
+ Principal: {
178
+ Federated: "cognito-identity.amazonaws.com"
193
179
  },
194
- "ForAnyValue:StringLike": {
195
- "cognito-identity.amazonaws.com:amr": "unauthenticated"
180
+ Action: ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
181
+ Condition: {
182
+ StringEquals: {
183
+ "cognito-identity.amazonaws.com:aud": {
184
+ Ref: CognitoIdentityPoolLogicalId
185
+ }
186
+ },
187
+ "ForAnyValue:StringLike": {
188
+ "cognito-identity.amazonaws.com:amr": "authenticated"
189
+ }
196
190
  }
191
+ }]
192
+ },
193
+ Policies: identityPool.authenticatedPolicies || [{
194
+ PolicyName: "IdentityPoolAuthenticatedIAMRolePolicyName",
195
+ PolicyDocument: {
196
+ Version: "2012-10-17",
197
+ Statement: [DenyStatement]
197
198
  }
198
199
  }]
199
- },
200
- Policies: identityPool.authenticatedPolicies || [{
201
- PolicyName: "IdentityPoolUnauthenticatedIAMRolePolicyName",
202
- PolicyDocument: {
200
+ }
201
+ };
202
+ template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.authenticated = {
203
+ "Fn::GetAtt": [IdentityPoolAuthenticatedIAMRoleLogicalId, "Arn"]
204
+ };
205
+ } else {
206
+ template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.authenticated = identityPool.authenticatedRoleArn;
207
+ }
208
+ if (!identityPool.unauthenticatedRoleArn) {
209
+ template.Resources[IdentityPoolUnauthenticatedIAMRoleLogicalId] = {
210
+ Type: "AWS::IAM::Role",
211
+ Properties: {
212
+ AssumeRolePolicyDocument: {
203
213
  Version: "2012-10-17",
204
- Statement: [DenyStatement]
205
- }
206
- }]
207
- }
208
- };
209
- template.Resources.CognitoIdentityPoolRoleAttachment = {
210
- Type: "AWS::Cognito::IdentityPoolRoleAttachment",
211
- Properties: {
212
- IdentityPoolId: {
213
- Ref: CognitoIdentityPoolLogicalId
214
- },
215
- Roles: {
216
- authenticated: {
217
- "Fn::GetAtt": [IdentityPoolAuthenticatedIAMRoleLogicalId, "Arn"]
214
+ Statement: [{
215
+ Effect: "Allow",
216
+ Principal: {
217
+ Federated: "cognito-identity.amazonaws.com"
218
+ },
219
+ Action: "sts:AssumeRoleWithWebIdentity",
220
+ Condition: {
221
+ StringEquals: {
222
+ "cognito-identity.amazonaws.com:aud": {
223
+ Ref: CognitoIdentityPoolLogicalId
224
+ }
225
+ },
226
+ "ForAnyValue:StringLike": {
227
+ "cognito-identity.amazonaws.com:amr": "unauthenticated"
228
+ }
229
+ }
230
+ }]
218
231
  },
219
- unauthenticated: {
220
- "Fn::GetAtt": [IdentityPoolUnauthenticatedIAMRoleLogicalId, "Arn"]
221
- }
232
+ Policies: identityPool.authenticatedPolicies || [{
233
+ PolicyName: "IdentityPoolUnauthenticatedIAMRolePolicyName",
234
+ PolicyDocument: {
235
+ Version: "2012-10-17",
236
+ Statement: [DenyStatement]
237
+ }
238
+ }]
222
239
  }
223
- }
224
- };
240
+ };
241
+ template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.unauthenticated = {
242
+ "Fn::GetAtt": [IdentityPoolUnauthenticatedIAMRoleLogicalId, "Arn"]
243
+ };
244
+ } else {
245
+ template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.unauthenticated = identityPool.unauthenticatedRoleArn;
246
+ }
225
247
  if (!template.Outputs) {
226
248
  template.Outputs = {};
227
249
  }
@@ -244,4 +266,6 @@ var createAuthTemplate = ({
244
266
  createAuthTemplate.CognitoUserPoolLogicalId = CognitoUserPoolLogicalId;
245
267
  createAuthTemplate.CognitoUserPoolClientLogicalId = CognitoUserPoolClientLogicalId;
246
268
  createAuthTemplate.CognitoIdentityPoolLogicalId = CognitoIdentityPoolLogicalId;
269
+ createAuthTemplate.IdentityPoolAuthenticatedIAMRoleLogicalId = IdentityPoolAuthenticatedIAMRoleLogicalId;
270
+ createAuthTemplate.IdentityPoolUnauthenticatedIAMRoleLogicalId = IdentityPoolUnauthenticatedIAMRoleLogicalId;
247
271
  export { PASSWORD_MINIMUM_LENGTH, createAuthTemplate };
package/dist/index.d.mts CHANGED
@@ -7,7 +7,11 @@ declare const createAuthTemplate: {
7
7
  autoVerifiedAttributes?: false | ("email" | "phone_number")[] | null | undefined;
8
8
  identityPool?: {
9
9
  enabled?: boolean | undefined;
10
+ name?: string | undefined;
11
+ allowUnauthenticatedIdentities?: boolean | undefined;
12
+ authenticatedRoleArn?: string | undefined;
10
13
  authenticatedPolicies?: Policy[] | undefined;
14
+ unauthenticatedRoleArn?: string | undefined;
11
15
  unauthenticatedPolicies?: Policy[] | undefined;
12
16
  } | undefined;
13
17
  /**
@@ -33,6 +37,8 @@ declare const createAuthTemplate: {
33
37
  CognitoUserPoolLogicalId: string;
34
38
  CognitoUserPoolClientLogicalId: string;
35
39
  CognitoIdentityPoolLogicalId: string;
40
+ IdentityPoolAuthenticatedIAMRoleLogicalId: string;
41
+ IdentityPoolUnauthenticatedIAMRoleLogicalId: string;
36
42
  };
37
43
 
38
44
  export { PASSWORD_MINIMUM_LENGTH, createAuthTemplate };
package/dist/index.d.ts CHANGED
@@ -7,7 +7,11 @@ declare const createAuthTemplate: {
7
7
  autoVerifiedAttributes?: false | ("email" | "phone_number")[] | null | undefined;
8
8
  identityPool?: {
9
9
  enabled?: boolean | undefined;
10
+ name?: string | undefined;
11
+ allowUnauthenticatedIdentities?: boolean | undefined;
12
+ authenticatedRoleArn?: string | undefined;
10
13
  authenticatedPolicies?: Policy[] | undefined;
14
+ unauthenticatedRoleArn?: string | undefined;
11
15
  unauthenticatedPolicies?: Policy[] | undefined;
12
16
  } | undefined;
13
17
  /**
@@ -33,6 +37,8 @@ declare const createAuthTemplate: {
33
37
  CognitoUserPoolLogicalId: string;
34
38
  CognitoUserPoolClientLogicalId: string;
35
39
  CognitoIdentityPoolLogicalId: string;
40
+ IdentityPoolAuthenticatedIAMRoleLogicalId: string;
41
+ IdentityPoolUnauthenticatedIAMRoleLogicalId: string;
36
42
  };
37
43
 
38
44
  export { PASSWORD_MINIMUM_LENGTH, createAuthTemplate };
package/dist/index.js CHANGED
@@ -57,6 +57,9 @@ var createAuthTemplate = ({
57
57
  AWSTemplateFormatVersion: "2010-09-09",
58
58
  Resources: {
59
59
  [CognitoUserPoolLogicalId]: {
60
+ /**
61
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html
62
+ */
60
63
  Type: "AWS::Cognito::UserPool",
61
64
  Properties: {
62
65
  AutoVerifiedAttributes,
@@ -80,6 +83,9 @@ var createAuthTemplate = ({
80
83
  }
81
84
  },
82
85
  [CognitoUserPoolClientLogicalId]: {
86
+ /**
87
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html
88
+ */
83
89
  Type: "AWS::Cognito::UserPoolClient",
84
90
  Properties: {
85
91
  SupportedIdentityProviders: ["COGNITO"],
@@ -161,9 +167,12 @@ var createAuthTemplate = ({
161
167
  }
162
168
  if (identityPool?.enabled) {
163
169
  template.Resources[CognitoIdentityPoolLogicalId] = {
170
+ /**
171
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html
172
+ */
164
173
  Type: "AWS::Cognito::IdentityPool",
165
174
  Properties: {
166
- AllowUnauthenticatedIdentities: true,
175
+ AllowUnauthenticatedIdentities: identityPool.allowUnauthenticatedIdentities || false,
167
176
  CognitoIdentityProviders: [{
168
177
  ClientId: {
169
178
  Ref: CognitoUserPoolClientLogicalId
@@ -174,86 +183,99 @@ var createAuthTemplate = ({
174
183
  }]
175
184
  }
176
185
  };
177
- template.Resources[IdentityPoolAuthenticatedIAMRoleLogicalId] = {
178
- Type: "AWS::IAM::Role",
186
+ if (identityPool.name) {
187
+ template.Resources[CognitoIdentityPoolLogicalId].Properties.IdentityPoolName = identityPool.name;
188
+ }
189
+ template.Resources.CognitoIdentityPoolRoleAttachment = {
190
+ /**
191
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html
192
+ */
193
+ Type: "AWS::Cognito::IdentityPoolRoleAttachment",
179
194
  Properties: {
180
- AssumeRolePolicyDocument: {
181
- Version: "2012-10-17",
182
- Statement: [{
183
- Effect: "Allow",
184
- Principal: {
185
- Federated: "cognito-identity.amazonaws.com"
186
- },
187
- Action: ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
188
- Condition: {
189
- StringEquals: {
190
- "cognito-identity.amazonaws.com:aud": {
191
- Ref: CognitoIdentityPoolLogicalId
192
- }
193
- },
194
- "ForAnyValue:StringLike": {
195
- "cognito-identity.amazonaws.com:amr": "authenticated"
196
- }
197
- }
198
- }]
195
+ IdentityPoolId: {
196
+ Ref: CognitoIdentityPoolLogicalId
199
197
  },
200
- Policies: identityPool.authenticatedPolicies || [{
201
- PolicyName: "IdentityPoolAuthenticatedIAMRolePolicyName",
202
- PolicyDocument: {
203
- Version: "2012-10-17",
204
- Statement: [DenyStatement]
205
- }
206
- }]
198
+ Roles: {}
207
199
  }
208
200
  };
209
- template.Resources[IdentityPoolUnauthenticatedIAMRoleLogicalId] = {
210
- Type: "AWS::IAM::Role",
211
- Properties: {
212
- AssumeRolePolicyDocument: {
213
- Version: "2012-10-17",
214
- Statement: [{
215
- Effect: "Allow",
216
- Principal: {
217
- Federated: "cognito-identity.amazonaws.com"
218
- },
219
- Action: "sts:AssumeRoleWithWebIdentity",
220
- Condition: {
221
- StringEquals: {
222
- "cognito-identity.amazonaws.com:aud": {
223
- Ref: CognitoIdentityPoolLogicalId
224
- }
201
+ if (!identityPool.authenticatedRoleArn) {
202
+ template.Resources[IdentityPoolAuthenticatedIAMRoleLogicalId] = {
203
+ Type: "AWS::IAM::Role",
204
+ Properties: {
205
+ AssumeRolePolicyDocument: {
206
+ Version: "2012-10-17",
207
+ Statement: [{
208
+ Effect: "Allow",
209
+ Principal: {
210
+ Federated: "cognito-identity.amazonaws.com"
225
211
  },
226
- "ForAnyValue:StringLike": {
227
- "cognito-identity.amazonaws.com:amr": "unauthenticated"
212
+ Action: ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
213
+ Condition: {
214
+ StringEquals: {
215
+ "cognito-identity.amazonaws.com:aud": {
216
+ Ref: CognitoIdentityPoolLogicalId
217
+ }
218
+ },
219
+ "ForAnyValue:StringLike": {
220
+ "cognito-identity.amazonaws.com:amr": "authenticated"
221
+ }
228
222
  }
223
+ }]
224
+ },
225
+ Policies: identityPool.authenticatedPolicies || [{
226
+ PolicyName: "IdentityPoolAuthenticatedIAMRolePolicyName",
227
+ PolicyDocument: {
228
+ Version: "2012-10-17",
229
+ Statement: [DenyStatement]
229
230
  }
230
231
  }]
231
- },
232
- Policies: identityPool.authenticatedPolicies || [{
233
- PolicyName: "IdentityPoolUnauthenticatedIAMRolePolicyName",
234
- PolicyDocument: {
232
+ }
233
+ };
234
+ template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.authenticated = {
235
+ "Fn::GetAtt": [IdentityPoolAuthenticatedIAMRoleLogicalId, "Arn"]
236
+ };
237
+ } else {
238
+ template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.authenticated = identityPool.authenticatedRoleArn;
239
+ }
240
+ if (!identityPool.unauthenticatedRoleArn) {
241
+ template.Resources[IdentityPoolUnauthenticatedIAMRoleLogicalId] = {
242
+ Type: "AWS::IAM::Role",
243
+ Properties: {
244
+ AssumeRolePolicyDocument: {
235
245
  Version: "2012-10-17",
236
- Statement: [DenyStatement]
237
- }
238
- }]
239
- }
240
- };
241
- template.Resources.CognitoIdentityPoolRoleAttachment = {
242
- Type: "AWS::Cognito::IdentityPoolRoleAttachment",
243
- Properties: {
244
- IdentityPoolId: {
245
- Ref: CognitoIdentityPoolLogicalId
246
- },
247
- Roles: {
248
- authenticated: {
249
- "Fn::GetAtt": [IdentityPoolAuthenticatedIAMRoleLogicalId, "Arn"]
246
+ Statement: [{
247
+ Effect: "Allow",
248
+ Principal: {
249
+ Federated: "cognito-identity.amazonaws.com"
250
+ },
251
+ Action: "sts:AssumeRoleWithWebIdentity",
252
+ Condition: {
253
+ StringEquals: {
254
+ "cognito-identity.amazonaws.com:aud": {
255
+ Ref: CognitoIdentityPoolLogicalId
256
+ }
257
+ },
258
+ "ForAnyValue:StringLike": {
259
+ "cognito-identity.amazonaws.com:amr": "unauthenticated"
260
+ }
261
+ }
262
+ }]
250
263
  },
251
- unauthenticated: {
252
- "Fn::GetAtt": [IdentityPoolUnauthenticatedIAMRoleLogicalId, "Arn"]
253
- }
264
+ Policies: identityPool.authenticatedPolicies || [{
265
+ PolicyName: "IdentityPoolUnauthenticatedIAMRolePolicyName",
266
+ PolicyDocument: {
267
+ Version: "2012-10-17",
268
+ Statement: [DenyStatement]
269
+ }
270
+ }]
254
271
  }
255
- }
256
- };
272
+ };
273
+ template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.unauthenticated = {
274
+ "Fn::GetAtt": [IdentityPoolUnauthenticatedIAMRoleLogicalId, "Arn"]
275
+ };
276
+ } else {
277
+ template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.unauthenticated = identityPool.unauthenticatedRoleArn;
278
+ }
257
279
  if (!template.Outputs) {
258
280
  template.Outputs = {};
259
281
  }
@@ -276,6 +298,8 @@ var createAuthTemplate = ({
276
298
  createAuthTemplate.CognitoUserPoolLogicalId = CognitoUserPoolLogicalId;
277
299
  createAuthTemplate.CognitoUserPoolClientLogicalId = CognitoUserPoolClientLogicalId;
278
300
  createAuthTemplate.CognitoIdentityPoolLogicalId = CognitoIdentityPoolLogicalId;
301
+ createAuthTemplate.IdentityPoolAuthenticatedIAMRoleLogicalId = IdentityPoolAuthenticatedIAMRoleLogicalId;
302
+ createAuthTemplate.IdentityPoolUnauthenticatedIAMRoleLogicalId = IdentityPoolUnauthenticatedIAMRoleLogicalId;
279
303
  // Annotate the CommonJS export names for ESM import in node:
280
304
  0 && (module.exports = {
281
305
  PASSWORD_MINIMUM_LENGTH,
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@ttoss/cloud-auth",
3
- "version": "0.10.6",
3
+ "version": "0.11.0",
4
4
  "repository": {
5
5
  "type": "git",
6
6
  "url": "https://github.com/ttoss/ttoss.git",
@@ -15,14 +15,14 @@
15
15
  "sideEffects": false,
16
16
  "typings": "./dist/index.d.ts",
17
17
  "dependencies": {
18
- "@ttoss/cloudformation": "^0.8.6"
18
+ "@ttoss/cloudformation": "^0.8.7"
19
19
  },
20
20
  "devDependencies": {
21
- "@types/jest": "^29.5.10",
21
+ "@types/jest": "^29.5.11",
22
22
  "jest": "^29.7.0",
23
23
  "tsup": "^8.0.1",
24
24
  "typescript": "~5.2.2",
25
- "@ttoss/config": "^1.31.3"
25
+ "@ttoss/config": "^1.31.4"
26
26
  },
27
27
  "publishConfig": {
28
28
  "access": "public",
package/src/template.ts CHANGED
@@ -28,7 +28,11 @@ export const createAuthTemplate = ({
28
28
  autoVerifiedAttributes?: Array<'email' | 'phone_number'> | null | false;
29
29
  identityPool?: {
30
30
  enabled?: boolean;
31
+ name?: string;
32
+ allowUnauthenticatedIdentities?: boolean;
33
+ authenticatedRoleArn?: string;
31
34
  authenticatedPolicies?: Policy[];
35
+ unauthenticatedRoleArn?: string;
32
36
  unauthenticatedPolicies?: Policy[];
33
37
  };
34
38
  /**
@@ -50,6 +54,7 @@ export const createAuthTemplate = ({
50
54
  };
51
55
  }[];
52
56
  usernameAttributes?: Array<'email' | 'phone_number'> | null;
57
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
53
58
  } = {}): any => {
54
59
  const AutoVerifiedAttributes =
55
60
  Array.isArray(autoVerifiedAttributes) && autoVerifiedAttributes.length > 0
@@ -60,6 +65,9 @@ export const createAuthTemplate = ({
60
65
  AWSTemplateFormatVersion: '2010-09-09',
61
66
  Resources: {
62
67
  [CognitoUserPoolLogicalId]: {
68
+ /**
69
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html
70
+ */
63
71
  Type: 'AWS::Cognito::UserPool',
64
72
  Properties: {
65
73
  AutoVerifiedAttributes,
@@ -83,6 +91,9 @@ export const createAuthTemplate = ({
83
91
  },
84
92
  },
85
93
  [CognitoUserPoolClientLogicalId]: {
94
+ /**
95
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html
96
+ */
86
97
  Type: 'AWS::Cognito::UserPoolClient',
87
98
  Properties: {
88
99
  SupportedIdentityProviders: ['COGNITO'],
@@ -165,13 +176,14 @@ export const createAuthTemplate = ({
165
176
  }
166
177
 
167
178
  if (identityPool?.enabled) {
168
- /**
169
- * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html
170
- */
171
179
  template.Resources[CognitoIdentityPoolLogicalId] = {
180
+ /**
181
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html
182
+ */
172
183
  Type: 'AWS::Cognito::IdentityPool',
173
184
  Properties: {
174
- AllowUnauthenticatedIdentities: true,
185
+ AllowUnauthenticatedIdentities:
186
+ identityPool.allowUnauthenticatedIdentities || false,
175
187
  CognitoIdentityProviders: [
176
188
  {
177
189
  ClientId: {
@@ -185,99 +197,118 @@ export const createAuthTemplate = ({
185
197
  },
186
198
  };
187
199
 
188
- template.Resources[IdentityPoolAuthenticatedIAMRoleLogicalId] = {
189
- Type: 'AWS::IAM::Role',
200
+ if (identityPool.name) {
201
+ template.Resources[
202
+ CognitoIdentityPoolLogicalId
203
+ ].Properties.IdentityPoolName = identityPool.name;
204
+ }
205
+
206
+ template.Resources.CognitoIdentityPoolRoleAttachment = {
207
+ /**
208
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html
209
+ */
210
+ Type: 'AWS::Cognito::IdentityPoolRoleAttachment',
190
211
  Properties: {
191
- AssumeRolePolicyDocument: {
192
- Version: '2012-10-17' as const,
193
- Statement: [
194
- {
195
- Effect: 'Allow' as const,
196
- Principal: {
197
- Federated: 'cognito-identity.amazonaws.com',
198
- },
199
- Action: ['sts:AssumeRoleWithWebIdentity', 'sts:TagSession'],
200
- Condition: {
201
- StringEquals: {
202
- 'cognito-identity.amazonaws.com:aud': {
203
- Ref: CognitoIdentityPoolLogicalId,
204
- },
212
+ IdentityPoolId: {
213
+ Ref: CognitoIdentityPoolLogicalId,
214
+ },
215
+ Roles: {},
216
+ },
217
+ };
218
+
219
+ if (!identityPool.authenticatedRoleArn) {
220
+ template.Resources[IdentityPoolAuthenticatedIAMRoleLogicalId] = {
221
+ Type: 'AWS::IAM::Role',
222
+ Properties: {
223
+ AssumeRolePolicyDocument: {
224
+ Version: '2012-10-17' as const,
225
+ Statement: [
226
+ {
227
+ Effect: 'Allow' as const,
228
+ Principal: {
229
+ Federated: 'cognito-identity.amazonaws.com',
205
230
  },
206
- 'ForAnyValue:StringLike': {
207
- 'cognito-identity.amazonaws.com:amr': 'authenticated',
231
+ Action: ['sts:AssumeRoleWithWebIdentity', 'sts:TagSession'],
232
+ Condition: {
233
+ StringEquals: {
234
+ 'cognito-identity.amazonaws.com:aud': {
235
+ Ref: CognitoIdentityPoolLogicalId,
236
+ },
237
+ },
238
+ 'ForAnyValue:StringLike': {
239
+ 'cognito-identity.amazonaws.com:amr': 'authenticated',
240
+ },
208
241
  },
209
242
  },
243
+ ],
244
+ },
245
+ Policies: identityPool.authenticatedPolicies || [
246
+ {
247
+ PolicyName: 'IdentityPoolAuthenticatedIAMRolePolicyName',
248
+ PolicyDocument: {
249
+ Version: '2012-10-17' as const,
250
+ Statement: [DenyStatement],
251
+ },
210
252
  },
211
253
  ],
212
254
  },
213
- Policies: identityPool.authenticatedPolicies || [
214
- {
215
- PolicyName: 'IdentityPoolAuthenticatedIAMRolePolicyName',
216
- PolicyDocument: {
217
- Version: '2012-10-17' as const,
218
- Statement: [DenyStatement],
219
- },
220
- },
221
- ],
222
- },
223
- };
255
+ };
224
256
 
225
- template.Resources[IdentityPoolUnauthenticatedIAMRoleLogicalId] = {
226
- Type: 'AWS::IAM::Role',
227
- Properties: {
228
- AssumeRolePolicyDocument: {
229
- Version: '2012-10-17' as const,
230
- Statement: [
231
- {
232
- Effect: 'Allow' as const,
233
- Principal: {
234
- Federated: 'cognito-identity.amazonaws.com',
235
- },
236
- Action: 'sts:AssumeRoleWithWebIdentity',
237
- Condition: {
238
- StringEquals: {
239
- 'cognito-identity.amazonaws.com:aud': {
240
- Ref: CognitoIdentityPoolLogicalId,
241
- },
257
+ template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.authenticated =
258
+ {
259
+ 'Fn::GetAtt': [IdentityPoolAuthenticatedIAMRoleLogicalId, 'Arn'],
260
+ };
261
+ } else {
262
+ template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.authenticated =
263
+ identityPool.authenticatedRoleArn;
264
+ }
265
+
266
+ if (!identityPool.unauthenticatedRoleArn) {
267
+ template.Resources[IdentityPoolUnauthenticatedIAMRoleLogicalId] = {
268
+ Type: 'AWS::IAM::Role',
269
+ Properties: {
270
+ AssumeRolePolicyDocument: {
271
+ Version: '2012-10-17' as const,
272
+ Statement: [
273
+ {
274
+ Effect: 'Allow' as const,
275
+ Principal: {
276
+ Federated: 'cognito-identity.amazonaws.com',
242
277
  },
243
- 'ForAnyValue:StringLike': {
244
- 'cognito-identity.amazonaws.com:amr': 'unauthenticated',
278
+ Action: 'sts:AssumeRoleWithWebIdentity',
279
+ Condition: {
280
+ StringEquals: {
281
+ 'cognito-identity.amazonaws.com:aud': {
282
+ Ref: CognitoIdentityPoolLogicalId,
283
+ },
284
+ },
285
+ 'ForAnyValue:StringLike': {
286
+ 'cognito-identity.amazonaws.com:amr': 'unauthenticated',
287
+ },
245
288
  },
246
289
  },
290
+ ],
291
+ },
292
+ Policies: identityPool.authenticatedPolicies || [
293
+ {
294
+ PolicyName: 'IdentityPoolUnauthenticatedIAMRolePolicyName',
295
+ PolicyDocument: {
296
+ Version: '2012-10-17' as const,
297
+ Statement: [DenyStatement],
298
+ },
247
299
  },
248
300
  ],
249
301
  },
250
- Policies: identityPool.authenticatedPolicies || [
251
- {
252
- PolicyName: 'IdentityPoolUnauthenticatedIAMRolePolicyName',
253
- PolicyDocument: {
254
- Version: '2012-10-17' as const,
255
- Statement: [DenyStatement],
256
- },
257
- },
258
- ],
259
- },
260
- };
302
+ };
261
303
 
262
- /**
263
- * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html
264
- */
265
- template.Resources.CognitoIdentityPoolRoleAttachment = {
266
- Type: 'AWS::Cognito::IdentityPoolRoleAttachment',
267
- Properties: {
268
- IdentityPoolId: {
269
- Ref: CognitoIdentityPoolLogicalId,
270
- },
271
- Roles: {
272
- authenticated: {
273
- 'Fn::GetAtt': [IdentityPoolAuthenticatedIAMRoleLogicalId, 'Arn'],
274
- },
275
- unauthenticated: {
276
- 'Fn::GetAtt': [IdentityPoolUnauthenticatedIAMRoleLogicalId, 'Arn'],
277
- },
278
- },
279
- },
280
- };
304
+ template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.unauthenticated =
305
+ {
306
+ 'Fn::GetAtt': [IdentityPoolUnauthenticatedIAMRoleLogicalId, 'Arn'],
307
+ };
308
+ } else {
309
+ template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.unauthenticated =
310
+ identityPool.unauthenticatedRoleArn;
311
+ }
281
312
 
282
313
  if (!template.Outputs) {
283
314
  template.Outputs = {};
@@ -303,6 +334,14 @@ export const createAuthTemplate = ({
303
334
  };
304
335
 
305
336
  createAuthTemplate.CognitoUserPoolLogicalId = CognitoUserPoolLogicalId;
337
+
306
338
  createAuthTemplate.CognitoUserPoolClientLogicalId =
307
339
  CognitoUserPoolClientLogicalId;
340
+
308
341
  createAuthTemplate.CognitoIdentityPoolLogicalId = CognitoIdentityPoolLogicalId;
342
+
343
+ createAuthTemplate.IdentityPoolAuthenticatedIAMRoleLogicalId =
344
+ IdentityPoolAuthenticatedIAMRoleLogicalId;
345
+
346
+ createAuthTemplate.IdentityPoolUnauthenticatedIAMRoleLogicalId =
347
+ IdentityPoolUnauthenticatedIAMRoleLogicalId;
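Review bot: The unauthenticated role still reads the wrong option at new line 292, `Policies: identityPool.authenticatedPolicies || [`, so whatever a caller passes for authenticated users is also attached to the guest role, and `unauthenticatedPolicies` (declared in the options type at new line 36) is never read anywhere in the file; the line should be `Policies: identityPool.unauthenticatedPolicies || [`. The defect predates this commit (old line 250 had the same text) but the new `allowUnauthenticatedIdentities` switch makes it matter: once a caller flips it on, guests silently receive the authenticated policy set instead of the default `DenyStatement`, and the README's separate Deny policy for unauthenticated identities has no effect. The `Roles.authenticated = identityPool.authenticatedRoleArn` / `Roles.unauthenticated = identityPool.unauthenticatedRoleArn` branches skip the generated trust policy entirely, so a comment there would help, e.g. `// Caller-supplied role: its trust policy must allow cognito-identity.amazonaws.com with the aud condition for this pool and the matching amr value; nothing here checks that.` `createAuthTemplate` begins before the first hunk of this file and these hunks cut through its body.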