-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsls-cognito-resource-server.yml
141 lines (135 loc) · 5.35 KB
/
sls-cognito-resource-server.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
Resources:
CustomResourceServerLambda:
Metadata:
Source: https://github.com/tobilg/cfn-custom-resource-server
Version: 0.1.2
Properties:
Code:
ZipFile: |
const AWS = require('aws-sdk'), https = require('https'), url = require('url'), cisp = new AWS.CognitoIdentityServiceProvider({
'apiVersion': '2016-04-18'
});
function checkProps(e, o) {
let s = !0;
return 0 === Object.getOwnPropertyNames(o).length && (s = !1), e.forEach(e => {
o.hasOwnProperty(e) || (s = !1);
}), s;
}
function handleRequest(e, o, s, r) {
let t = null;
if (checkProps(r, e.ResourceProperties)) {
const n = {};
r.forEach(o => {
'Scopes' !== o && (n[o] = e.ResourceProperties[o]);
}), r.includes('Scopes') && (n.Scopes = [], e.ResourceProperties.Scopes.forEach(e => {
e.hasOwnProperty('Name') && e.hasOwnProperty('Description') ? n.Scopes.push({
'ScopeName': e.Name,
'ScopeDescription': e.Description
}) : t = 'Invalid scope:\n' + JSON.stringify(e);
})), cisp[s](n).promise().then(s => {
console.log(s), sendResponse(e, o, 'SUCCESS');
}).catch(s => {
console.log(s), sendResponse(e, o, 'FAILED', {
error: s
});
});
} else console.log('Not all necessary ResourceProperties specified!'),
sendResponse(e, o, 'FAILED', {
error: t
});
}
function setupWatchdogTimer(e, o, s) {
setTimeout(() => {
console.log('Timeout FAILURE!'), new Promise(() => sendResponse(e, o, 'FAILED')).then(() => s(new Error('Function timed out')));
}, o.getRemainingTimeInMillis() - 1e3);
}
function sendResponse(e, o, s, r) {
const t = JSON.stringify({
Status: s,
Reason: r && r.hasOwnProperty('error') && r.error.hasOwnProperty('message') ? r.error.message : '-',
PhysicalResourceId: e.LogicalResourceId,
StackId: e.StackId,
RequestId: e.RequestId,
LogicalResourceId: e.LogicalResourceId,
Data: r
}), n = url.parse(e.ResponseURL), c = {
hostname: n.hostname,
port: 443,
path: n.path,
method: 'PUT',
headers: {
'content-type': '',
'content-length': t.length
}
}, i = https.request(c, (function(e) {
o.done();
}));
i.on('error', (function(e) {
o.done();
})), i.write(t), i.end();
}
exports.handler = function(e, o, s) {
try {
setupWatchdogTimer(e, o, s), console.log(JSON.stringify(e)), 'Create' === e.RequestType ? handleRequest(e, o, 'createResourceServer', [ 'Identifier', 'Name', 'UserPoolId', 'Scopes' ]) : 'Update' === e.RequestType ? handleRequest(e, o, 'updateResourceServer', [ 'Identifier', 'Name', 'UserPoolId', 'Scopes' ]) : 'Delete' === e.RequestType && handleRequest(e, o, 'deleteResourceServer', [ 'Identifier', 'UserPoolId' ]);
} catch (s) {
console.log(s), sendResponse(e, o, 'FAILED', {
error: s
});
}
};
Description: Cloudformation custom resource for Cognito Resource Servers
Handler: index.handler
Role:
Fn::GetAtt:
- CustomResourceServerLambdaExecutionRole
- Arn
Runtime: nodejs10.x
Timeout: 30
Type: AWS::Lambda::Function
CustomResourceServerLambdaExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Action:
- sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
- arn:aws:iam::aws:policy/service-role/AWSLambdaRole
Policies:
- PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- cognito-idp:CreateResourceServer
- cognito-idp:UpdateResourceServer
- cognito-idp:DeleteResourceServer
Resource:
- 'Fn::Join':
- ':'
- - 'arn:aws:cognito-idp'
- Ref: 'AWS::Region'
- Ref: 'AWS::AccountId'
- 'userpool/*'
- Effect: Allow
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource:
- 'Fn::Join':
- ':'
- - 'arn:aws:logs'
- Ref: 'AWS::Region'
- Ref: 'AWS::AccountId'
- 'log-group:/aws/lambda/*:*:*'
PolicyName:
'Fn::Join':
- '-'
- - 'CustomResourceServerLambdaExecutionPolicy'
- Ref: 'AWS::StackName'