in source/infrastructure/lib/auth.ts [28:171]
constructor(scope: Construct, id: string, props: CognitoAuthConstructProps) {
super(scope, id);
const cognitoUserPool = new UserPool(this, 'DLTUserPool', {
autoVerify: {
email: true
},
passwordPolicy: {
minLength: 12,
requireLowercase: true,
requireDigits: true,
requireSymbols: true,
requireUppercase: true
},
removalPolicy: RemovalPolicy.DESTROY,
selfSignUpEnabled: false,
signInAliases: {
email: true,
username: true
},
standardAttributes: {
email: {
required: true
}
},
userInvitation: {
emailSubject: 'Welcome to Distributed Load Testing',
emailBody: `
<p>
Please use the credentials below to login to the Distributed Load Testing console.
</p>
<p>
Username: <strong>{username}</strong>
</p>
<p>
Password: <strong>{####}</strong>
</p>
<p>
Console: <strong>https://${props.cloudFrontDomainName}/</strong>
</p>
`,
smsMessage: 'Your username is {username} and temporary password is {####}.'
},
userPoolName: `${Aws.STACK_NAME}-user-pool`
});
(cognitoUserPool.node.defaultChild as CfnUserPool).userPoolAddOns = { advancedSecurityMode: 'ENFORCED' };
this.cognitoUserPoolId = cognitoUserPool.userPoolId;
const clientWriteAttributes = new ClientAttributes().withStandardAttributes({
address: true,
email: true,
phoneNumber: true
});
const cognitoUserPoolClient = new UserPoolClient(this, 'DLTUserPoolClient', {
userPoolClientName: `${Aws.STACK_NAME}-userpool-client`,
userPool: cognitoUserPool,
generateSecret: false,
writeAttributes: clientWriteAttributes,
refreshTokenValidity: Duration.days(1),
});
this.cognitoUserPoolClientId = cognitoUserPoolClient.userPoolClientId;
const cognitoIdentityPool = new CfnIdentityPool(this, 'DLTIdentityPool', {
allowUnauthenticatedIdentities: false,
cognitoIdentityProviders: [
{
clientId: this.cognitoUserPoolClientId,
providerName: cognitoUserPool.userPoolProviderName
}
]
});
this.cognitoIdentityPoolId = cognitoIdentityPool.ref;
const apiProdExecuteArn = Stack.of(this).formatArn({ service: 'execute-api', resource: props.apiId, resourceName: 'prod/*' });
const cognitoAuthorizedRole = new Role(this, 'DLTCognitoAuthorizedRole', {
assumedBy: new FederatedPrincipal(
'cognito-identity.amazonaws.com',
{
StringEquals: { 'cognito-identity.amazonaws.com:aud': this.cognitoIdentityPoolId },
'ForAnyValue:StringLike': { 'cognito-identity.amazonaws.com:amr': 'authenticated' }
},
'sts:AssumeRoleWithWebIdentity'
),
description: `${Aws.STACK_NAME} Identity Pool authenticated role`,
inlinePolicies: {
'InvokeApiPolicy': new PolicyDocument({
statements: [
new PolicyStatement({
effect: Effect.ALLOW,
actions: ['execute-api:Invoke'],
resources: [
apiProdExecuteArn
]
}),
new PolicyStatement({
effect: Effect.ALLOW,
actions: [
's3:PutObject',
's3:GetObject'
],
resources: [
`${props.scenariosBucketArn}/public/*`,
`${props.scenariosBucketArn}/cloudWatchImages/*`
]
})
]
})
}
});
const cognitoUnauthorizedRole = new Role(this, 'DLTCognitoUnauthorizedRole', {
assumedBy: new FederatedPrincipal(
'cognito-identity.amazonaws.com',
{
StringEquals: { 'cognito-identity.amazonaws.com:aud': this.cognitoIdentityPoolId },
'ForAnyValue:StringLike': { 'cognito-identity.amazonaws.com:amr': 'unauthenticated' }
},
'sts:AssumeRoleWithWebIdentity'
)
});
new CfnIdentityPoolRoleAttachment(this, 'CognitoAttachRole', {
identityPoolId: this.cognitoIdentityPoolId,
roles: {
unauthenticated: cognitoUnauthorizedRole.roleArn,
authenticated: cognitoAuthorizedRole.roleArn
}
});
new CfnUserPoolUser(this, 'CognitoUser', {
desiredDeliveryMediums: ['EMAIL'],
forceAliasCreation: true,
userAttributes: [
{ name: 'email', value: props.adminEmail },
{ name: 'nickname', value: props.adminName },
{ name: 'email_verified', value: 'true' }
],
username: props.adminName,
userPoolId: this.cognitoUserPoolId
})
}