dist/cfn-cognito-resource-server.yml

AWSTemplateFormatVersion: '2010-09-09'
Description: Custom Cognito Resource Server CloudFormation resource
Resources:
  CustomResourceServerLambda:
    Metadata:
      Source: https://github.com/tobilg/cfn-custom-resource-server
      Version: 0.1.2
    Properties:
      Code:
        ZipFile: |
          const AWS = require('aws-sdk'), https = require('https'), url = require('url'), cisp = new AWS.CognitoIdentityServiceProvider({
            'apiVersion': '2016-04-18'
          });

          function checkProps(e, o) {
            let s = !0;
            return 0 === Object.getOwnPropertyNames(o).length && (s = !1), e.forEach(e => {
              o.hasOwnProperty(e) || (s = !1);
            }), s;
          }

          function handleRequest(e, o, s, r) {
            let t = null;
            if (checkProps(r, e.ResourceProperties)) {
              const n = {};
              r.forEach(o => {
                'Scopes' !== o && (n[o] = e.ResourceProperties[o]);
              }), r.includes('Scopes') && (n.Scopes = [], e.ResourceProperties.Scopes.forEach(e => {
                e.hasOwnProperty('Name') && e.hasOwnProperty('Description') ? n.Scopes.push({
                  'ScopeName': e.Name,
                  'ScopeDescription': e.Description
                }) : t = 'Invalid scope:\n' + JSON.stringify(e);
              })), cisp[s](n).promise().then(s => {
                console.log(s), sendResponse(e, o, 'SUCCESS');
              }).catch(s => {
                console.log(s), sendResponse(e, o, 'FAILED', {
                  error: s
                });
              });
            } else console.log('Not all necessary ResourceProperties specified!'), 
            sendResponse(e, o, 'FAILED', {
              error: t
            });
          }

          function setupWatchdogTimer(e, o, s) {
            setTimeout(() => {
              console.log('Timeout FAILURE!'), new Promise(() => sendResponse(e, o, 'FAILED')).then(() => s(new Error('Function timed out')));
            }, o.getRemainingTimeInMillis() - 1e3);
          }

          function sendResponse(e, o, s, r) {
            const t = JSON.stringify({
              Status: s,
              Reason: r && r.hasOwnProperty('error') && r.error.hasOwnProperty('message') ? r.error.message : '-',
              PhysicalResourceId: e.LogicalResourceId,
              StackId: e.StackId,
              RequestId: e.RequestId,
              LogicalResourceId: e.LogicalResourceId,
              Data: r
            }), n = url.parse(e.ResponseURL), c = {
              hostname: n.hostname,
              port: 443,
              path: n.path,
              method: 'PUT',
              headers: {
                'content-type': '',
                'content-length': t.length
              }
            }, i = https.request(c, (function(e) {
              o.done();
            }));
            i.on('error', (function(e) {
              o.done();
            })), i.write(t), i.end();
          }

          exports.handler = function(e, o, s) {
            try {
              setupWatchdogTimer(e, o, s), console.log(JSON.stringify(e)), 'Create' === e.RequestType ? handleRequest(e, o, 'createResourceServer', [ 'Identifier', 'Name', 'UserPoolId', 'Scopes' ]) : 'Update' === e.RequestType ? handleRequest(e, o, 'updateResourceServer', [ 'Identifier', 'Name', 'UserPoolId', 'Scopes' ]) : 'Delete' === e.RequestType && handleRequest(e, o, 'deleteResourceServer', [ 'Identifier', 'UserPoolId' ]);
            } catch (s) {
              console.log(s), sendResponse(e, o, 'FAILED', {
                error: s
              });
            }
          };
      Description: Cloudformation custom resource for Cognito Resource Servers
      Handler: index.handler
      Role: !GetAtt 'CustomResourceServerLambdaExecutionRole.Arn'
      Runtime: nodejs10.x
      Timeout: 30
    Type: AWS::Lambda::Function
  CustomResourceServerLambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - arn:aws:iam::aws:policy/service-role/AWSLambdaRole
      Policies:
        - PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - cognito-idp:CreateResourceServer
                  - cognito-idp:UpdateResourceServer
                  - cognito-idp:DeleteResourceServer
                Resource: !Sub 'arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/*'
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*'
          PolicyName: !Sub 'CustomResourceServerLambdaExecutionPolicy-${AWS::StackName}'
    