AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: Amazon S3 Find and Forget Auth Infrastructure

Parameters:
  CognitoAdvancedSecurity:
    Type: String
  ResourcePrefix:
    Type: String

Resources:
  CognitoIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: !Sub ${ResourcePrefix}IdentityPool
      CognitoIdentityProviders:
        - ClientId: !Ref CognitoUserPoolClient
          ProviderName: !GetAtt CognitoUserPool.ProviderName
      AllowUnauthenticatedIdentities: false

  CognitoIdentityPoolRole:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref CognitoIdentityPool
      Roles:
        authenticated: !GetAtt ServiceInvokeRole.Arn

  CognitoUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: !Sub ${ResourcePrefix}UserPool
      AdminCreateUserConfig:
        AllowAdminCreateUserOnly: true
        InviteMessageTemplate:
          EmailMessage: 'Your Amazon S3 Find and Forget username is {username} and the temporary password is {####}'
          EmailSubject: 'Your temporary password for Amazon S3 Find and Forget'
      AutoVerifiedAttributes:
        - email
      UserPoolAddOns:
        AdvancedSecurityMode: !Ref CognitoAdvancedSecurity
      Policies:
        PasswordPolicy:
          MinimumLength: 8
          RequireLowercase: true
          RequireNumbers: true
          RequireSymbols: true
          RequireUppercase: true

  CognitoUserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      UserPoolId: !Ref CognitoUserPool
      ClientName: !Sub ${ResourcePrefix}UserPoolClientName
      GenerateSecret: false
      RefreshTokenValidity: 1
      PreventUserExistenceErrors: ENABLED

  ServiceInvokeRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Federated:
                - cognito-identity.amazonaws.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                "cognito-identity.amazonaws.com:aud": !Ref CognitoIdentityPool
      Path: "/"
      Policies:
        - PolicyName: WebServicesExecutionPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: "s3:ListAllMyBuckets"
                Resource: !Sub "arn:${AWS::Partition}:s3:::*"
              - Effect: Allow
                Action: "sts:GetCallerIdentity"
                Resource: "*"
              - Effect: "Allow"
                Action:
                  - "glue:BatchGetPartition"
                  - "glue:GetDatabase*"
                  - "glue:GetPartition*"
                  - "glue:GetTable*"
                Resource:
                  - !Sub "arn:${AWS::Partition}:glue:*:${AWS::AccountId}:catalog*"
                  - !Sub "arn:${AWS::Partition}:glue:*:${AWS::AccountId}:database*"
                  - !Sub "arn:${AWS::Partition}:glue:*:${AWS::AccountId}:table*"
                  - !Sub "arn:${AWS::Partition}:glue:*:${AWS::AccountId}:partition*"

Outputs:
  CognitoIdentityPoolId:
    Description: Cognito Identity Pool Id
    Value: !Ref CognitoIdentityPool
  CognitoUserPoolArn:
    Description: Cognito User Pool Arn
    Value: !GetAtt CognitoUserPool.Arn
  CognitoUserPoolId:
    Description: Cognito User Pool Id
    Value: !Ref CognitoUserPool
  CognitoUserPoolName:
    Description: Cognito User Pool Name
    Value: !Sub ${ResourcePrefix}UserPool
  CognitoUserPoolClientId:
    Description: Cognito User Pool Client Id
    Value: !Ref CognitoUserPoolClient
  ServiceInvokeRole:
    Description: Role used by the Web UI
    Value: !Ref ServiceInvokeRole