@ttoss/cloud-auth 0.11.0 → 0.12.0

package/README.md

@@ -1,6 +1,6 @@
 # @ttoss/cloud-auth
 
-It's a library for creating AWS Cognito resources. It creates an user pool, an identity pool and a client application.
+It's a library for creating AWS Cognito resources. It creates an user pool, identity pool, a client application, and others resources.
 
 ## Installation
 
@@ -10,7 +10,7 @@ pnpm add @ttoss/cloud-auth
 
 ## Quickstart
 
-Create a `clouformation.ts` file in your project and export the template:
+Create a `cloudformation.ts` file in your project and export the template:
 
 ```typescript src/cloudformation.ts
 import { createAuthTemplate } from '@ttoss/cloud-auth';
@@ -89,3 +89,54 @@ const template = createAuthTemplate({
   },
 });
 ```
+
+#### Using attributes for access control
+
+When you enable the identity pool, it maps the following [principal tags to handle access control](https://docs.aws.amazon.com/cognito/latest/developerguide/attributes-for-access-control.html) by default:
+
+```yml
+PrincipalTags:
+  appClientId: 'aud'
+  userId: 'sub'
+```
+
+This way you can use the `appClientId` and `userId` tags in your IAM policies by [controlling access for IAM principals](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html#access_iam-tags_control-principals). For example:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "s3:GetObject*",
+      "Resource": "arn:aws:s3:::*-${aws:PrincipalTag/userId}/*"
+    }
+  ]
+}
+```
+
+You can change the default tags by passing the `principalTags` property and [other tokens](https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html#token-claims-for-role-based-access-control):
+
+```typescript
+const template = createAuthTemplate({
+  identityPool: {
+    enabled: true,
+    principalTags: {
+      appId: 'aud',
+      username: 'sub',
+      name: 'name',
+    },
+  },
+});
+```
+
+If you want to disable the principal tags, you can pass the `principalTags` property with `false` value:
+
+```typescript
+const template = createAuthTemplate({
+  identityPool: {
+    enabled: true,
+    principalTags: false,
+  },
+});
+```

package/dist/esm/index.js

@@ -14,6 +14,10 @@ var DenyStatement = {
   Action: ["*"],
   Resource: ["*"]
 };
+var defaultPrincipalTags = {
+  appClientId: "aud",
+  userId: "sub"
+};
 var createAuthTemplate = ({
   autoVerifiedAttributes = ["email"],
   identityPool,
@@ -244,6 +248,30 @@ var createAuthTemplate = ({
     } else {
       template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.unauthenticated = identityPool.unauthenticatedRoleArn;
     }
+    if (identityPool.principalTags || identityPool.principalTags === void 0) {
+      const PrincipalTags = (() => {
+        if (typeof identityPool.principalTags === "boolean") {
+          return defaultPrincipalTags;
+        }
+        if (identityPool.principalTags === void 0) {
+          return defaultPrincipalTags;
+        }
+        return identityPool.principalTags;
+      })();
+      template.Resources.CognitoIdentityPoolPrincipalTag = {
+        Type: "AWS::Cognito::IdentityPoolPrincipalTag",
+        Properties: {
+          IdentityPoolId: {
+            Ref: CognitoIdentityPoolLogicalId
+          },
+          IdentityProviderName: {
+            "Fn::GetAtt": [CognitoUserPoolLogicalId, "ProviderName"]
+          },
+          PrincipalTags,
+          UseDefaults: false
+        }
+      };
+    }
     if (!template.Outputs) {
       template.Outputs = {};
     }

package/dist/index.d.mts

@@ -13,6 +13,7 @@ declare const createAuthTemplate: {
             authenticatedPolicies?: Policy[] | undefined;
             unauthenticatedRoleArn?: string | undefined;
             unauthenticatedPolicies?: Policy[] | undefined;
+            principalTags?: boolean | Record<string, string> | undefined;
         } | undefined;
         /**
          * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html

package/dist/index.d.ts

@@ -13,6 +13,7 @@ declare const createAuthTemplate: {
             authenticatedPolicies?: Policy[] | undefined;
             unauthenticatedRoleArn?: string | undefined;
             unauthenticatedPolicies?: Policy[] | undefined;
+            principalTags?: boolean | Record<string, string> | undefined;
         } | undefined;
         /**
          * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html

package/dist/index.js

@@ -46,6 +46,10 @@ var DenyStatement = {
   Action: ["*"],
   Resource: ["*"]
 };
+var defaultPrincipalTags = {
+  appClientId: "aud",
+  userId: "sub"
+};
 var createAuthTemplate = ({
   autoVerifiedAttributes = ["email"],
   identityPool,
@@ -276,6 +280,30 @@ var createAuthTemplate = ({
     } else {
       template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.unauthenticated = identityPool.unauthenticatedRoleArn;
     }
+    if (identityPool.principalTags || identityPool.principalTags === void 0) {
+      const PrincipalTags = (() => {
+        if (typeof identityPool.principalTags === "boolean") {
+          return defaultPrincipalTags;
+        }
+        if (identityPool.principalTags === void 0) {
+          return defaultPrincipalTags;
+        }
+        return identityPool.principalTags;
+      })();
+      template.Resources.CognitoIdentityPoolPrincipalTag = {
+        Type: "AWS::Cognito::IdentityPoolPrincipalTag",
+        Properties: {
+          IdentityPoolId: {
+            Ref: CognitoIdentityPoolLogicalId
+          },
+          IdentityProviderName: {
+            "Fn::GetAtt": [CognitoUserPoolLogicalId, "ProviderName"]
+          },
+          PrincipalTags,
+          UseDefaults: false
+        }
+      };
+    }
     if (!template.Outputs) {
       template.Outputs = {};
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ttoss/cloud-auth",
-  "version": "0.11.0",
+  "version": "0.12.0",
   "repository": {
     "type": "git",
     "url": "https://github.com/ttoss/ttoss.git",

package/src/template.ts

@@ -19,6 +19,11 @@ export const DenyStatement = {
   Resource: ['*'],
 };
 
+export const defaultPrincipalTags = {
+  appClientId: 'aud',
+  userId: 'sub',
+};
+
 export const createAuthTemplate = ({
   autoVerifiedAttributes = ['email'],
   identityPool,
@@ -34,6 +39,7 @@ export const createAuthTemplate = ({
     authenticatedPolicies?: Policy[];
     unauthenticatedRoleArn?: string;
     unauthenticatedPolicies?: Policy[];
+    principalTags?: Record<string, string> | boolean;
   };
   /**
    * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html
@@ -310,6 +316,40 @@ export const createAuthTemplate = ({
         identityPool.unauthenticatedRoleArn;
     }
 
+    /**
+     * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolprincipaltag.html
+     */
+    if (
+      identityPool.principalTags ||
+      identityPool.principalTags === undefined
+    ) {
+      const PrincipalTags = (() => {
+        if (typeof identityPool.principalTags === 'boolean') {
+          return defaultPrincipalTags;
+        }
+
+        if (identityPool.principalTags === undefined) {
+          return defaultPrincipalTags;
+        }
+
+        return identityPool.principalTags;
+      })();
+
+      template.Resources.CognitoIdentityPoolPrincipalTag = {
+        Type: 'AWS::Cognito::IdentityPoolPrincipalTag',
+        Properties: {
+          IdentityPoolId: {
+            Ref: CognitoIdentityPoolLogicalId,
+          },
+          IdentityProviderName: {
+            'Fn::GetAtt': [CognitoUserPoolLogicalId, 'ProviderName'],
+          },
+          PrincipalTags,
+          UseDefaults: false,
+        },
+      };
+    }
+
     if (!template.Outputs) {
       template.Outputs = {};
     }