@ttoss/cloud-auth 0.10.7 → 0.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. package/README.md +125 -2
  2. package/dist/esm/index.js +121 -69
  3. package/dist/index.d.mts +7 -0
  4. package/dist/index.d.ts +7 -0
  5. package/dist/index.js +121 -69
  6. package/package.json +1 -1
  7. package/src/template.ts +156 -77
package/README.md CHANGED
@@ -1,14 +1,16 @@
1
1
  # @ttoss/cloud-auth
2
2
 
3
+ It's a library for creating AWS Cognito resources. It creates an user pool, identity pool, a client application, and others resources.
4
+
3
5
  ## Installation
4
6
 
5
7
  ```bash
6
- yarn install @ttoss/cloud-auth
8
+ pnpm add @ttoss/cloud-auth
7
9
  ```
8
10
 
9
11
  ## Quickstart
10
12
 
11
- Create a `clouformation.ts` file in your project and export the template:
13
+ Create a `cloudformation.ts` file in your project and export the template:
12
14
 
13
15
  ```typescript src/cloudformation.ts
14
16
  import { createAuthTemplate } from '@ttoss/cloud-auth';
@@ -17,3 +19,124 @@ const template = createAuthTemplate();
17
19
 
18
20
  export default template;
19
21
  ```
22
+
23
+ ## Usage
24
+
25
+ ### Identity Pool
26
+
27
+ #### Create an basic identity pool
28
+
29
+ ```typescript
30
+ const template = createAuthTemplate({
31
+ identityPool: {
32
+ enabled: true, // false by default
33
+ name: 'MyIdentityPool',
34
+ allowUnauthenticatedIdentities: false, // false by default
35
+ },
36
+ });
37
+ ```
38
+
39
+ #### Create an identity pool with external roles
40
+
41
+ ```typescript
42
+ const template = createAuthTemplate({
43
+ identityPool: {
44
+ enabled: true,
45
+ authenticatedRoleArn:
46
+ 'arn:aws:iam::123456789012:role/MyIdentityPool_AuthenticatedRole',
47
+ unauthenticatedRoleArn:
48
+ 'arn:aws:iam::123456789012:role/MyIdentityPool_UnauthenticatedRole',
49
+ },
50
+ });
51
+ ```
52
+
53
+ #### Create an identity pool with defined policies
54
+
55
+ ```typescript
56
+ const template = createAuthTemplate({
57
+ identityPool: {
58
+ enabled: true,
59
+ authenticatedPolicies: [
60
+ {
61
+ policyName: 'MyIdentityPool_AuthenticatedPolicy',
62
+ policyDocument: {
63
+ Version: '2012-10-17',
64
+ Statement: [
65
+ {
66
+ Effect: 'Allow',
67
+ Action: ['mobileanalytics:PutEvents', 'cognito-sync:*'],
68
+ Resource: ['*'],
69
+ },
70
+ ],
71
+ },
72
+ },
73
+ ],
74
+ unauthenticatedPolicies: [
75
+ {
76
+ policyName: 'MyIdentityPool_UnauthenticatedPolicy',
77
+ policyDocument: {
78
+ Version: '2012-10-17',
79
+ Statement: [
80
+ {
81
+ Effect: 'Deny',
82
+ Action: ['*'],
83
+ Resource: ['*'],
84
+ },
85
+ ],
86
+ },
87
+ },
88
+ ],
89
+ },
90
+ });
91
+ ```
92
+
93
+ #### Using attributes for access control
94
+
95
+ When you enable the identity pool, it maps the following [principal tags to handle access control](https://docs.aws.amazon.com/cognito/latest/developerguide/attributes-for-access-control.html) by default:
96
+
97
+ ```yml
98
+ PrincipalTags:
99
+ appClientId: 'aud'
100
+ userId: 'sub'
101
+ ```
102
+
103
+ This way you can use the `appClientId` and `userId` tags in your IAM policies by [controlling access for IAM principals](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html#access_iam-tags_control-principals). For example:
104
+
105
+ ```json
106
+ {
107
+ "Version": "2012-10-17",
108
+ "Statement": [
109
+ {
110
+ "Effect": "Allow",
111
+ "Action": "s3:GetObject*",
112
+ "Resource": "arn:aws:s3:::*-${aws:PrincipalTag/userId}/*"
113
+ }
114
+ ]
115
+ }
116
+ ```
117
+
118
+ You can change the default tags by passing the `principalTags` property and [other tokens](https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html#token-claims-for-role-based-access-control):
119
+
120
+ ```typescript
121
+ const template = createAuthTemplate({
122
+ identityPool: {
123
+ enabled: true,
124
+ principalTags: {
125
+ appId: 'aud',
126
+ username: 'sub',
127
+ name: 'name',
128
+ },
129
+ },
130
+ });
131
+ ```
132
+
133
+ If you want to disable the principal tags, you can pass the `principalTags` property with `false` value:
134
+
135
+ ```typescript
136
+ const template = createAuthTemplate({
137
+ identityPool: {
138
+ enabled: true,
139
+ principalTags: false,
140
+ },
141
+ });
142
+ ```
package/dist/esm/index.js CHANGED
@@ -14,6 +14,10 @@ var DenyStatement = {
14
14
  Action: ["*"],
15
15
  Resource: ["*"]
16
16
  };
17
+ var defaultPrincipalTags = {
18
+ appClientId: "aud",
19
+ userId: "sub"
20
+ };
17
21
  var createAuthTemplate = ({
18
22
  autoVerifiedAttributes = ["email"],
19
23
  identityPool,
@@ -25,6 +29,9 @@ var createAuthTemplate = ({
25
29
  AWSTemplateFormatVersion: "2010-09-09",
26
30
  Resources: {
27
31
  [CognitoUserPoolLogicalId]: {
32
+ /**
33
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html
34
+ */
28
35
  Type: "AWS::Cognito::UserPool",
29
36
  Properties: {
30
37
  AutoVerifiedAttributes,
@@ -48,6 +55,9 @@ var createAuthTemplate = ({
48
55
  }
49
56
  },
50
57
  [CognitoUserPoolClientLogicalId]: {
58
+ /**
59
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html
60
+ */
51
61
  Type: "AWS::Cognito::UserPoolClient",
52
62
  Properties: {
53
63
  SupportedIdentityProviders: ["COGNITO"],
@@ -129,9 +139,12 @@ var createAuthTemplate = ({
129
139
  }
130
140
  if (identityPool?.enabled) {
131
141
  template.Resources[CognitoIdentityPoolLogicalId] = {
142
+ /**
143
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html
144
+ */
132
145
  Type: "AWS::Cognito::IdentityPool",
133
146
  Properties: {
134
- AllowUnauthenticatedIdentities: true,
147
+ AllowUnauthenticatedIdentities: identityPool.allowUnauthenticatedIdentities || false,
135
148
  CognitoIdentityProviders: [{
136
149
  ClientId: {
137
150
  Ref: CognitoUserPoolClientLogicalId
@@ -142,86 +155,123 @@ var createAuthTemplate = ({
142
155
  }]
143
156
  }
144
157
  };
145
- template.Resources[IdentityPoolAuthenticatedIAMRoleLogicalId] = {
146
- Type: "AWS::IAM::Role",
158
+ if (identityPool.name) {
159
+ template.Resources[CognitoIdentityPoolLogicalId].Properties.IdentityPoolName = identityPool.name;
160
+ }
161
+ template.Resources.CognitoIdentityPoolRoleAttachment = {
162
+ /**
163
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html
164
+ */
165
+ Type: "AWS::Cognito::IdentityPoolRoleAttachment",
147
166
  Properties: {
148
- AssumeRolePolicyDocument: {
149
- Version: "2012-10-17",
150
- Statement: [{
151
- Effect: "Allow",
152
- Principal: {
153
- Federated: "cognito-identity.amazonaws.com"
154
- },
155
- Action: ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
156
- Condition: {
157
- StringEquals: {
158
- "cognito-identity.amazonaws.com:aud": {
159
- Ref: CognitoIdentityPoolLogicalId
160
- }
167
+ IdentityPoolId: {
168
+ Ref: CognitoIdentityPoolLogicalId
169
+ },
170
+ Roles: {}
171
+ }
172
+ };
173
+ if (!identityPool.authenticatedRoleArn) {
174
+ template.Resources[IdentityPoolAuthenticatedIAMRoleLogicalId] = {
175
+ Type: "AWS::IAM::Role",
176
+ Properties: {
177
+ AssumeRolePolicyDocument: {
178
+ Version: "2012-10-17",
179
+ Statement: [{
180
+ Effect: "Allow",
181
+ Principal: {
182
+ Federated: "cognito-identity.amazonaws.com"
161
183
  },
162
- "ForAnyValue:StringLike": {
163
- "cognito-identity.amazonaws.com:amr": "authenticated"
184
+ Action: ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
185
+ Condition: {
186
+ StringEquals: {
187
+ "cognito-identity.amazonaws.com:aud": {
188
+ Ref: CognitoIdentityPoolLogicalId
189
+ }
190
+ },
191
+ "ForAnyValue:StringLike": {
192
+ "cognito-identity.amazonaws.com:amr": "authenticated"
193
+ }
164
194
  }
195
+ }]
196
+ },
197
+ Policies: identityPool.authenticatedPolicies || [{
198
+ PolicyName: "IdentityPoolAuthenticatedIAMRolePolicyName",
199
+ PolicyDocument: {
200
+ Version: "2012-10-17",
201
+ Statement: [DenyStatement]
165
202
  }
166
203
  }]
167
- },
168
- Policies: identityPool.authenticatedPolicies || [{
169
- PolicyName: "IdentityPoolAuthenticatedIAMRolePolicyName",
170
- PolicyDocument: {
204
+ }
205
+ };
206
+ template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.authenticated = {
207
+ "Fn::GetAtt": [IdentityPoolAuthenticatedIAMRoleLogicalId, "Arn"]
208
+ };
209
+ } else {
210
+ template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.authenticated = identityPool.authenticatedRoleArn;
211
+ }
212
+ if (!identityPool.unauthenticatedRoleArn) {
213
+ template.Resources[IdentityPoolUnauthenticatedIAMRoleLogicalId] = {
214
+ Type: "AWS::IAM::Role",
215
+ Properties: {
216
+ AssumeRolePolicyDocument: {
171
217
  Version: "2012-10-17",
172
- Statement: [DenyStatement]
173
- }
174
- }]
175
- }
176
- };
177
- template.Resources[IdentityPoolUnauthenticatedIAMRoleLogicalId] = {
178
- Type: "AWS::IAM::Role",
179
- Properties: {
180
- AssumeRolePolicyDocument: {
181
- Version: "2012-10-17",
182
- Statement: [{
183
- Effect: "Allow",
184
- Principal: {
185
- Federated: "cognito-identity.amazonaws.com"
186
- },
187
- Action: "sts:AssumeRoleWithWebIdentity",
188
- Condition: {
189
- StringEquals: {
190
- "cognito-identity.amazonaws.com:aud": {
191
- Ref: CognitoIdentityPoolLogicalId
192
- }
218
+ Statement: [{
219
+ Effect: "Allow",
220
+ Principal: {
221
+ Federated: "cognito-identity.amazonaws.com"
193
222
  },
194
- "ForAnyValue:StringLike": {
195
- "cognito-identity.amazonaws.com:amr": "unauthenticated"
223
+ Action: "sts:AssumeRoleWithWebIdentity",
224
+ Condition: {
225
+ StringEquals: {
226
+ "cognito-identity.amazonaws.com:aud": {
227
+ Ref: CognitoIdentityPoolLogicalId
228
+ }
229
+ },
230
+ "ForAnyValue:StringLike": {
231
+ "cognito-identity.amazonaws.com:amr": "unauthenticated"
232
+ }
196
233
  }
234
+ }]
235
+ },
236
+ Policies: identityPool.authenticatedPolicies || [{
237
+ PolicyName: "IdentityPoolUnauthenticatedIAMRolePolicyName",
238
+ PolicyDocument: {
239
+ Version: "2012-10-17",
240
+ Statement: [DenyStatement]
197
241
  }
198
242
  }]
199
- },
200
- Policies: identityPool.authenticatedPolicies || [{
201
- PolicyName: "IdentityPoolUnauthenticatedIAMRolePolicyName",
202
- PolicyDocument: {
203
- Version: "2012-10-17",
204
- Statement: [DenyStatement]
205
- }
206
- }]
207
- }
208
- };
209
- template.Resources.CognitoIdentityPoolRoleAttachment = {
210
- Type: "AWS::Cognito::IdentityPoolRoleAttachment",
211
- Properties: {
212
- IdentityPoolId: {
213
- Ref: CognitoIdentityPoolLogicalId
214
- },
215
- Roles: {
216
- authenticated: {
217
- "Fn::GetAtt": [IdentityPoolAuthenticatedIAMRoleLogicalId, "Arn"]
243
+ }
244
+ };
245
+ template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.unauthenticated = {
246
+ "Fn::GetAtt": [IdentityPoolUnauthenticatedIAMRoleLogicalId, "Arn"]
247
+ };
248
+ } else {
249
+ template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.unauthenticated = identityPool.unauthenticatedRoleArn;
250
+ }
251
+ if (identityPool.principalTags || identityPool.principalTags === void 0) {
252
+ const PrincipalTags = (() => {
253
+ if (typeof identityPool.principalTags === "boolean") {
254
+ return defaultPrincipalTags;
255
+ }
256
+ if (identityPool.principalTags === void 0) {
257
+ return defaultPrincipalTags;
258
+ }
259
+ return identityPool.principalTags;
260
+ })();
261
+ template.Resources.CognitoIdentityPoolPrincipalTag = {
262
+ Type: "AWS::Cognito::IdentityPoolPrincipalTag",
263
+ Properties: {
264
+ IdentityPoolId: {
265
+ Ref: CognitoIdentityPoolLogicalId
218
266
  },
219
- unauthenticated: {
220
- "Fn::GetAtt": [IdentityPoolUnauthenticatedIAMRoleLogicalId, "Arn"]
221
- }
267
+ IdentityProviderName: {
268
+ "Fn::GetAtt": [CognitoUserPoolLogicalId, "ProviderName"]
269
+ },
270
+ PrincipalTags,
271
+ UseDefaults: false
222
272
  }
223
- }
224
- };
273
+ };
274
+ }
225
275
  if (!template.Outputs) {
226
276
  template.Outputs = {};
227
277
  }
@@ -244,4 +294,6 @@ var createAuthTemplate = ({
244
294
  createAuthTemplate.CognitoUserPoolLogicalId = CognitoUserPoolLogicalId;
245
295
  createAuthTemplate.CognitoUserPoolClientLogicalId = CognitoUserPoolClientLogicalId;
246
296
  createAuthTemplate.CognitoIdentityPoolLogicalId = CognitoIdentityPoolLogicalId;
297
+ createAuthTemplate.IdentityPoolAuthenticatedIAMRoleLogicalId = IdentityPoolAuthenticatedIAMRoleLogicalId;
298
+ createAuthTemplate.IdentityPoolUnauthenticatedIAMRoleLogicalId = IdentityPoolUnauthenticatedIAMRoleLogicalId;
247
299
  export { PASSWORD_MINIMUM_LENGTH, createAuthTemplate };
package/dist/index.d.mts CHANGED
@@ -7,8 +7,13 @@ declare const createAuthTemplate: {
7
7
  autoVerifiedAttributes?: false | ("email" | "phone_number")[] | null | undefined;
8
8
  identityPool?: {
9
9
  enabled?: boolean | undefined;
10
+ name?: string | undefined;
11
+ allowUnauthenticatedIdentities?: boolean | undefined;
12
+ authenticatedRoleArn?: string | undefined;
10
13
  authenticatedPolicies?: Policy[] | undefined;
14
+ unauthenticatedRoleArn?: string | undefined;
11
15
  unauthenticatedPolicies?: Policy[] | undefined;
16
+ principalTags?: boolean | Record<string, string> | undefined;
12
17
  } | undefined;
13
18
  /**
14
19
  * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html
@@ -33,6 +38,8 @@ declare const createAuthTemplate: {
33
38
  CognitoUserPoolLogicalId: string;
34
39
  CognitoUserPoolClientLogicalId: string;
35
40
  CognitoIdentityPoolLogicalId: string;
41
+ IdentityPoolAuthenticatedIAMRoleLogicalId: string;
42
+ IdentityPoolUnauthenticatedIAMRoleLogicalId: string;
36
43
  };
37
44
 
38
45
  export { PASSWORD_MINIMUM_LENGTH, createAuthTemplate };
package/dist/index.d.ts CHANGED
@@ -7,8 +7,13 @@ declare const createAuthTemplate: {
7
7
  autoVerifiedAttributes?: false | ("email" | "phone_number")[] | null | undefined;
8
8
  identityPool?: {
9
9
  enabled?: boolean | undefined;
10
+ name?: string | undefined;
11
+ allowUnauthenticatedIdentities?: boolean | undefined;
12
+ authenticatedRoleArn?: string | undefined;
10
13
  authenticatedPolicies?: Policy[] | undefined;
14
+ unauthenticatedRoleArn?: string | undefined;
11
15
  unauthenticatedPolicies?: Policy[] | undefined;
16
+ principalTags?: boolean | Record<string, string> | undefined;
12
17
  } | undefined;
13
18
  /**
14
19
  * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html
@@ -33,6 +38,8 @@ declare const createAuthTemplate: {
33
38
  CognitoUserPoolLogicalId: string;
34
39
  CognitoUserPoolClientLogicalId: string;
35
40
  CognitoIdentityPoolLogicalId: string;
41
+ IdentityPoolAuthenticatedIAMRoleLogicalId: string;
42
+ IdentityPoolUnauthenticatedIAMRoleLogicalId: string;
36
43
  };
37
44
 
38
45
  export { PASSWORD_MINIMUM_LENGTH, createAuthTemplate };
package/dist/index.js CHANGED
@@ -46,6 +46,10 @@ var DenyStatement = {
46
46
  Action: ["*"],
47
47
  Resource: ["*"]
48
48
  };
49
+ var defaultPrincipalTags = {
50
+ appClientId: "aud",
51
+ userId: "sub"
52
+ };
49
53
  var createAuthTemplate = ({
50
54
  autoVerifiedAttributes = ["email"],
51
55
  identityPool,
@@ -57,6 +61,9 @@ var createAuthTemplate = ({
57
61
  AWSTemplateFormatVersion: "2010-09-09",
58
62
  Resources: {
59
63
  [CognitoUserPoolLogicalId]: {
64
+ /**
65
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html
66
+ */
60
67
  Type: "AWS::Cognito::UserPool",
61
68
  Properties: {
62
69
  AutoVerifiedAttributes,
@@ -80,6 +87,9 @@ var createAuthTemplate = ({
80
87
  }
81
88
  },
82
89
  [CognitoUserPoolClientLogicalId]: {
90
+ /**
91
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html
92
+ */
83
93
  Type: "AWS::Cognito::UserPoolClient",
84
94
  Properties: {
85
95
  SupportedIdentityProviders: ["COGNITO"],
@@ -161,9 +171,12 @@ var createAuthTemplate = ({
161
171
  }
162
172
  if (identityPool?.enabled) {
163
173
  template.Resources[CognitoIdentityPoolLogicalId] = {
174
+ /**
175
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html
176
+ */
164
177
  Type: "AWS::Cognito::IdentityPool",
165
178
  Properties: {
166
- AllowUnauthenticatedIdentities: true,
179
+ AllowUnauthenticatedIdentities: identityPool.allowUnauthenticatedIdentities || false,
167
180
  CognitoIdentityProviders: [{
168
181
  ClientId: {
169
182
  Ref: CognitoUserPoolClientLogicalId
@@ -174,86 +187,123 @@ var createAuthTemplate = ({
174
187
  }]
175
188
  }
176
189
  };
177
- template.Resources[IdentityPoolAuthenticatedIAMRoleLogicalId] = {
178
- Type: "AWS::IAM::Role",
190
+ if (identityPool.name) {
191
+ template.Resources[CognitoIdentityPoolLogicalId].Properties.IdentityPoolName = identityPool.name;
192
+ }
193
+ template.Resources.CognitoIdentityPoolRoleAttachment = {
194
+ /**
195
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html
196
+ */
197
+ Type: "AWS::Cognito::IdentityPoolRoleAttachment",
179
198
  Properties: {
180
- AssumeRolePolicyDocument: {
181
- Version: "2012-10-17",
182
- Statement: [{
183
- Effect: "Allow",
184
- Principal: {
185
- Federated: "cognito-identity.amazonaws.com"
186
- },
187
- Action: ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
188
- Condition: {
189
- StringEquals: {
190
- "cognito-identity.amazonaws.com:aud": {
191
- Ref: CognitoIdentityPoolLogicalId
192
- }
199
+ IdentityPoolId: {
200
+ Ref: CognitoIdentityPoolLogicalId
201
+ },
202
+ Roles: {}
203
+ }
204
+ };
205
+ if (!identityPool.authenticatedRoleArn) {
206
+ template.Resources[IdentityPoolAuthenticatedIAMRoleLogicalId] = {
207
+ Type: "AWS::IAM::Role",
208
+ Properties: {
209
+ AssumeRolePolicyDocument: {
210
+ Version: "2012-10-17",
211
+ Statement: [{
212
+ Effect: "Allow",
213
+ Principal: {
214
+ Federated: "cognito-identity.amazonaws.com"
193
215
  },
194
- "ForAnyValue:StringLike": {
195
- "cognito-identity.amazonaws.com:amr": "authenticated"
216
+ Action: ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
217
+ Condition: {
218
+ StringEquals: {
219
+ "cognito-identity.amazonaws.com:aud": {
220
+ Ref: CognitoIdentityPoolLogicalId
221
+ }
222
+ },
223
+ "ForAnyValue:StringLike": {
224
+ "cognito-identity.amazonaws.com:amr": "authenticated"
225
+ }
196
226
  }
227
+ }]
228
+ },
229
+ Policies: identityPool.authenticatedPolicies || [{
230
+ PolicyName: "IdentityPoolAuthenticatedIAMRolePolicyName",
231
+ PolicyDocument: {
232
+ Version: "2012-10-17",
233
+ Statement: [DenyStatement]
197
234
  }
198
235
  }]
199
- },
200
- Policies: identityPool.authenticatedPolicies || [{
201
- PolicyName: "IdentityPoolAuthenticatedIAMRolePolicyName",
202
- PolicyDocument: {
236
+ }
237
+ };
238
+ template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.authenticated = {
239
+ "Fn::GetAtt": [IdentityPoolAuthenticatedIAMRoleLogicalId, "Arn"]
240
+ };
241
+ } else {
242
+ template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.authenticated = identityPool.authenticatedRoleArn;
243
+ }
244
+ if (!identityPool.unauthenticatedRoleArn) {
245
+ template.Resources[IdentityPoolUnauthenticatedIAMRoleLogicalId] = {
246
+ Type: "AWS::IAM::Role",
247
+ Properties: {
248
+ AssumeRolePolicyDocument: {
203
249
  Version: "2012-10-17",
204
- Statement: [DenyStatement]
205
- }
206
- }]
207
- }
208
- };
209
- template.Resources[IdentityPoolUnauthenticatedIAMRoleLogicalId] = {
210
- Type: "AWS::IAM::Role",
211
- Properties: {
212
- AssumeRolePolicyDocument: {
213
- Version: "2012-10-17",
214
- Statement: [{
215
- Effect: "Allow",
216
- Principal: {
217
- Federated: "cognito-identity.amazonaws.com"
218
- },
219
- Action: "sts:AssumeRoleWithWebIdentity",
220
- Condition: {
221
- StringEquals: {
222
- "cognito-identity.amazonaws.com:aud": {
223
- Ref: CognitoIdentityPoolLogicalId
224
- }
250
+ Statement: [{
251
+ Effect: "Allow",
252
+ Principal: {
253
+ Federated: "cognito-identity.amazonaws.com"
225
254
  },
226
- "ForAnyValue:StringLike": {
227
- "cognito-identity.amazonaws.com:amr": "unauthenticated"
255
+ Action: "sts:AssumeRoleWithWebIdentity",
256
+ Condition: {
257
+ StringEquals: {
258
+ "cognito-identity.amazonaws.com:aud": {
259
+ Ref: CognitoIdentityPoolLogicalId
260
+ }
261
+ },
262
+ "ForAnyValue:StringLike": {
263
+ "cognito-identity.amazonaws.com:amr": "unauthenticated"
264
+ }
228
265
  }
266
+ }]
267
+ },
268
+ Policies: identityPool.authenticatedPolicies || [{
269
+ PolicyName: "IdentityPoolUnauthenticatedIAMRolePolicyName",
270
+ PolicyDocument: {
271
+ Version: "2012-10-17",
272
+ Statement: [DenyStatement]
229
273
  }
230
274
  }]
231
- },
232
- Policies: identityPool.authenticatedPolicies || [{
233
- PolicyName: "IdentityPoolUnauthenticatedIAMRolePolicyName",
234
- PolicyDocument: {
235
- Version: "2012-10-17",
236
- Statement: [DenyStatement]
237
- }
238
- }]
239
- }
240
- };
241
- template.Resources.CognitoIdentityPoolRoleAttachment = {
242
- Type: "AWS::Cognito::IdentityPoolRoleAttachment",
243
- Properties: {
244
- IdentityPoolId: {
245
- Ref: CognitoIdentityPoolLogicalId
246
- },
247
- Roles: {
248
- authenticated: {
249
- "Fn::GetAtt": [IdentityPoolAuthenticatedIAMRoleLogicalId, "Arn"]
275
+ }
276
+ };
277
+ template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.unauthenticated = {
278
+ "Fn::GetAtt": [IdentityPoolUnauthenticatedIAMRoleLogicalId, "Arn"]
279
+ };
280
+ } else {
281
+ template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.unauthenticated = identityPool.unauthenticatedRoleArn;
282
+ }
283
+ if (identityPool.principalTags || identityPool.principalTags === void 0) {
284
+ const PrincipalTags = (() => {
285
+ if (typeof identityPool.principalTags === "boolean") {
286
+ return defaultPrincipalTags;
287
+ }
288
+ if (identityPool.principalTags === void 0) {
289
+ return defaultPrincipalTags;
290
+ }
291
+ return identityPool.principalTags;
292
+ })();
293
+ template.Resources.CognitoIdentityPoolPrincipalTag = {
294
+ Type: "AWS::Cognito::IdentityPoolPrincipalTag",
295
+ Properties: {
296
+ IdentityPoolId: {
297
+ Ref: CognitoIdentityPoolLogicalId
250
298
  },
251
- unauthenticated: {
252
- "Fn::GetAtt": [IdentityPoolUnauthenticatedIAMRoleLogicalId, "Arn"]
253
- }
299
+ IdentityProviderName: {
300
+ "Fn::GetAtt": [CognitoUserPoolLogicalId, "ProviderName"]
301
+ },
302
+ PrincipalTags,
303
+ UseDefaults: false
254
304
  }
255
- }
256
- };
305
+ };
306
+ }
257
307
  if (!template.Outputs) {
258
308
  template.Outputs = {};
259
309
  }
@@ -276,6 +326,8 @@ var createAuthTemplate = ({
276
326
  createAuthTemplate.CognitoUserPoolLogicalId = CognitoUserPoolLogicalId;
277
327
  createAuthTemplate.CognitoUserPoolClientLogicalId = CognitoUserPoolClientLogicalId;
278
328
  createAuthTemplate.CognitoIdentityPoolLogicalId = CognitoIdentityPoolLogicalId;
329
+ createAuthTemplate.IdentityPoolAuthenticatedIAMRoleLogicalId = IdentityPoolAuthenticatedIAMRoleLogicalId;
330
+ createAuthTemplate.IdentityPoolUnauthenticatedIAMRoleLogicalId = IdentityPoolUnauthenticatedIAMRoleLogicalId;
279
331
  // Annotate the CommonJS export names for ESM import in node:
280
332
  0 && (module.exports = {
281
333
  PASSWORD_MINIMUM_LENGTH,
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@ttoss/cloud-auth",
3
- "version": "0.10.7",
3
+ "version": "0.12.0",
4
4
  "repository": {
5
5
  "type": "git",
6
6
  "url": "https://github.com/ttoss/ttoss.git",
package/src/template.ts CHANGED
@@ -19,6 +19,11 @@ export const DenyStatement = {
19
19
  Resource: ['*'],
20
20
  };
21
21
 
22
+ export const defaultPrincipalTags = {
23
+ appClientId: 'aud',
24
+ userId: 'sub',
25
+ };
26
+
22
27
  export const createAuthTemplate = ({
23
28
  autoVerifiedAttributes = ['email'],
24
29
  identityPool,
@@ -28,8 +33,13 @@ export const createAuthTemplate = ({
28
33
  autoVerifiedAttributes?: Array<'email' | 'phone_number'> | null | false;
29
34
  identityPool?: {
30
35
  enabled?: boolean;
36
+ name?: string;
37
+ allowUnauthenticatedIdentities?: boolean;
38
+ authenticatedRoleArn?: string;
31
39
  authenticatedPolicies?: Policy[];
40
+ unauthenticatedRoleArn?: string;
32
41
  unauthenticatedPolicies?: Policy[];
42
+ principalTags?: Record<string, string> | boolean;
33
43
  };
34
44
  /**
35
45
  * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html
@@ -50,6 +60,7 @@ export const createAuthTemplate = ({
50
60
  };
51
61
  }[];
52
62
  usernameAttributes?: Array<'email' | 'phone_number'> | null;
63
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
53
64
  } = {}): any => {
54
65
  const AutoVerifiedAttributes =
55
66
  Array.isArray(autoVerifiedAttributes) && autoVerifiedAttributes.length > 0
@@ -60,6 +71,9 @@ export const createAuthTemplate = ({
60
71
  AWSTemplateFormatVersion: '2010-09-09',
61
72
  Resources: {
62
73
  [CognitoUserPoolLogicalId]: {
74
+ /**
75
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html
76
+ */
63
77
  Type: 'AWS::Cognito::UserPool',
64
78
  Properties: {
65
79
  AutoVerifiedAttributes,
@@ -83,6 +97,9 @@ export const createAuthTemplate = ({
83
97
  },
84
98
  },
85
99
  [CognitoUserPoolClientLogicalId]: {
100
+ /**
101
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html
102
+ */
86
103
  Type: 'AWS::Cognito::UserPoolClient',
87
104
  Properties: {
88
105
  SupportedIdentityProviders: ['COGNITO'],
@@ -165,13 +182,14 @@ export const createAuthTemplate = ({
165
182
  }
166
183
 
167
184
  if (identityPool?.enabled) {
168
- /**
169
- * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html
170
- */
171
185
  template.Resources[CognitoIdentityPoolLogicalId] = {
186
+ /**
187
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html
188
+ */
172
189
  Type: 'AWS::Cognito::IdentityPool',
173
190
  Properties: {
174
- AllowUnauthenticatedIdentities: true,
191
+ AllowUnauthenticatedIdentities:
192
+ identityPool.allowUnauthenticatedIdentities || false,
175
193
  CognitoIdentityProviders: [
176
194
  {
177
195
  ClientId: {
@@ -185,99 +203,152 @@ export const createAuthTemplate = ({
185
203
  },
186
204
  };
187
205
 
188
- template.Resources[IdentityPoolAuthenticatedIAMRoleLogicalId] = {
189
- Type: 'AWS::IAM::Role',
206
+ if (identityPool.name) {
207
+ template.Resources[
208
+ CognitoIdentityPoolLogicalId
209
+ ].Properties.IdentityPoolName = identityPool.name;
210
+ }
211
+
212
+ template.Resources.CognitoIdentityPoolRoleAttachment = {
213
+ /**
214
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html
215
+ */
216
+ Type: 'AWS::Cognito::IdentityPoolRoleAttachment',
190
217
  Properties: {
191
- AssumeRolePolicyDocument: {
192
- Version: '2012-10-17' as const,
193
- Statement: [
194
- {
195
- Effect: 'Allow' as const,
196
- Principal: {
197
- Federated: 'cognito-identity.amazonaws.com',
198
- },
199
- Action: ['sts:AssumeRoleWithWebIdentity', 'sts:TagSession'],
200
- Condition: {
201
- StringEquals: {
202
- 'cognito-identity.amazonaws.com:aud': {
203
- Ref: CognitoIdentityPoolLogicalId,
204
- },
218
+ IdentityPoolId: {
219
+ Ref: CognitoIdentityPoolLogicalId,
220
+ },
221
+ Roles: {},
222
+ },
223
+ };
224
+
225
+ if (!identityPool.authenticatedRoleArn) {
226
+ template.Resources[IdentityPoolAuthenticatedIAMRoleLogicalId] = {
227
+ Type: 'AWS::IAM::Role',
228
+ Properties: {
229
+ AssumeRolePolicyDocument: {
230
+ Version: '2012-10-17' as const,
231
+ Statement: [
232
+ {
233
+ Effect: 'Allow' as const,
234
+ Principal: {
235
+ Federated: 'cognito-identity.amazonaws.com',
205
236
  },
206
- 'ForAnyValue:StringLike': {
207
- 'cognito-identity.amazonaws.com:amr': 'authenticated',
237
+ Action: ['sts:AssumeRoleWithWebIdentity', 'sts:TagSession'],
238
+ Condition: {
239
+ StringEquals: {
240
+ 'cognito-identity.amazonaws.com:aud': {
241
+ Ref: CognitoIdentityPoolLogicalId,
242
+ },
243
+ },
244
+ 'ForAnyValue:StringLike': {
245
+ 'cognito-identity.amazonaws.com:amr': 'authenticated',
246
+ },
208
247
  },
209
248
  },
249
+ ],
250
+ },
251
+ Policies: identityPool.authenticatedPolicies || [
252
+ {
253
+ PolicyName: 'IdentityPoolAuthenticatedIAMRolePolicyName',
254
+ PolicyDocument: {
255
+ Version: '2012-10-17' as const,
256
+ Statement: [DenyStatement],
257
+ },
210
258
  },
211
259
  ],
212
260
  },
213
- Policies: identityPool.authenticatedPolicies || [
214
- {
215
- PolicyName: 'IdentityPoolAuthenticatedIAMRolePolicyName',
216
- PolicyDocument: {
217
- Version: '2012-10-17' as const,
218
- Statement: [DenyStatement],
219
- },
220
- },
221
- ],
222
- },
223
- };
261
+ };
224
262
 
225
- template.Resources[IdentityPoolUnauthenticatedIAMRoleLogicalId] = {
226
- Type: 'AWS::IAM::Role',
227
- Properties: {
228
- AssumeRolePolicyDocument: {
229
- Version: '2012-10-17' as const,
230
- Statement: [
231
- {
232
- Effect: 'Allow' as const,
233
- Principal: {
234
- Federated: 'cognito-identity.amazonaws.com',
235
- },
236
- Action: 'sts:AssumeRoleWithWebIdentity',
237
- Condition: {
238
- StringEquals: {
239
- 'cognito-identity.amazonaws.com:aud': {
240
- Ref: CognitoIdentityPoolLogicalId,
241
- },
263
+ template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.authenticated =
264
+ {
265
+ 'Fn::GetAtt': [IdentityPoolAuthenticatedIAMRoleLogicalId, 'Arn'],
266
+ };
267
+ } else {
268
+ template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.authenticated =
269
+ identityPool.authenticatedRoleArn;
270
+ }
271
+
272
+ if (!identityPool.unauthenticatedRoleArn) {
273
+ template.Resources[IdentityPoolUnauthenticatedIAMRoleLogicalId] = {
274
+ Type: 'AWS::IAM::Role',
275
+ Properties: {
276
+ AssumeRolePolicyDocument: {
277
+ Version: '2012-10-17' as const,
278
+ Statement: [
279
+ {
280
+ Effect: 'Allow' as const,
281
+ Principal: {
282
+ Federated: 'cognito-identity.amazonaws.com',
242
283
  },
243
- 'ForAnyValue:StringLike': {
244
- 'cognito-identity.amazonaws.com:amr': 'unauthenticated',
284
+ Action: 'sts:AssumeRoleWithWebIdentity',
285
+ Condition: {
286
+ StringEquals: {
287
+ 'cognito-identity.amazonaws.com:aud': {
288
+ Ref: CognitoIdentityPoolLogicalId,
289
+ },
290
+ },
291
+ 'ForAnyValue:StringLike': {
292
+ 'cognito-identity.amazonaws.com:amr': 'unauthenticated',
293
+ },
245
294
  },
246
295
  },
296
+ ],
297
+ },
298
+ Policies: identityPool.authenticatedPolicies || [
299
+ {
300
+ PolicyName: 'IdentityPoolUnauthenticatedIAMRolePolicyName',
301
+ PolicyDocument: {
302
+ Version: '2012-10-17' as const,
303
+ Statement: [DenyStatement],
304
+ },
247
305
  },
248
306
  ],
249
307
  },
250
- Policies: identityPool.authenticatedPolicies || [
251
- {
252
- PolicyName: 'IdentityPoolUnauthenticatedIAMRolePolicyName',
253
- PolicyDocument: {
254
- Version: '2012-10-17' as const,
255
- Statement: [DenyStatement],
256
- },
257
- },
258
- ],
259
- },
260
- };
308
+ };
309
+
310
+ template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.unauthenticated =
311
+ {
312
+ 'Fn::GetAtt': [IdentityPoolUnauthenticatedIAMRoleLogicalId, 'Arn'],
313
+ };
314
+ } else {
315
+ template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.unauthenticated =
316
+ identityPool.unauthenticatedRoleArn;
317
+ }
261
318
 
262
319
  /**
263
- * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html
320
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolprincipaltag.html
264
321
  */
265
- template.Resources.CognitoIdentityPoolRoleAttachment = {
266
- Type: 'AWS::Cognito::IdentityPoolRoleAttachment',
267
- Properties: {
268
- IdentityPoolId: {
269
- Ref: CognitoIdentityPoolLogicalId,
270
- },
271
- Roles: {
272
- authenticated: {
273
- 'Fn::GetAtt': [IdentityPoolAuthenticatedIAMRoleLogicalId, 'Arn'],
322
+ if (
323
+ identityPool.principalTags ||
324
+ identityPool.principalTags === undefined
325
+ ) {
326
+ const PrincipalTags = (() => {
327
+ if (typeof identityPool.principalTags === 'boolean') {
328
+ return defaultPrincipalTags;
329
+ }
330
+
331
+ if (identityPool.principalTags === undefined) {
332
+ return defaultPrincipalTags;
333
+ }
334
+
335
+ return identityPool.principalTags;
336
+ })();
337
+
338
+ template.Resources.CognitoIdentityPoolPrincipalTag = {
339
+ Type: 'AWS::Cognito::IdentityPoolPrincipalTag',
340
+ Properties: {
341
+ IdentityPoolId: {
342
+ Ref: CognitoIdentityPoolLogicalId,
274
343
  },
275
- unauthenticated: {
276
- 'Fn::GetAtt': [IdentityPoolUnauthenticatedIAMRoleLogicalId, 'Arn'],
344
+ IdentityProviderName: {
345
+ 'Fn::GetAtt': [CognitoUserPoolLogicalId, 'ProviderName'],
277
346
  },
347
+ PrincipalTags,
348
+ UseDefaults: false,
278
349
  },
279
- },
280
- };
350
+ };
351
+ }
281
352
 
282
353
  if (!template.Outputs) {
283
354
  template.Outputs = {};
@@ -303,6 +374,14 @@ export const createAuthTemplate = ({
303
374
  };
304
375
 
305
376
  createAuthTemplate.CognitoUserPoolLogicalId = CognitoUserPoolLogicalId;
377
+
306
378
  createAuthTemplate.CognitoUserPoolClientLogicalId =
307
379
  CognitoUserPoolClientLogicalId;
380
+
308
381
  createAuthTemplate.CognitoIdentityPoolLogicalId = CognitoIdentityPoolLogicalId;
382
+
383
+ createAuthTemplate.IdentityPoolAuthenticatedIAMRoleLogicalId =
384
+ IdentityPoolAuthenticatedIAMRoleLogicalId;
385
+
386
+ createAuthTemplate.IdentityPoolUnauthenticatedIAMRoleLogicalId =
387
+ IdentityPoolUnauthenticatedIAMRoleLogicalId;