auth-template.yml.ejs

<% var autoVerifiedAttributes = props.autoVerifiedAttributes ? props.autoVerifiedAttributes.concat(props.aliasAttributes ? props.aliasAttributes : []).filter((attr, i, aliasAttributeArray) => ['email', 'phone_number'].includes(attr) && aliasAttributeArray.indexOf(attr) === i) : [] %>
<% var configureSMS = ((props.autoVerifiedAttributes && props.autoVerifiedAttributes.includes('phone_number')) || (props.mfaConfiguration != 'OFF' && props.mfaTypes && props.mfaTypes.includes('SMS Text Message')) || (props.requiredAttributes && props.requiredAttributes.includes('phone_number'))) %> 
AWSTemplateFormatVersion: 2010-09-09

Parameters:
  env:
    Type: String
  authRoleArn:
    Type: String
  unauthRoleArn:
    Type: String

  <% if (props.dependsOn && props.dependsOn.length > 0) { %>
  <% for(var i=0; i < props.dependsOn.length; i++) { %>
  <% for(var j=0; j < props.dependsOn[i].attributes.length; j++) { %>
  <%= props.dependsOn[i].category %><%= props.dependsOn[i].resourceName %><%= props.dependsOn[i].attributes[j] %>:
    Type: String
    Default: <%= props.dependsOn[i].category %><%= props.dependsOn[i].resourceName %><%= props.dependsOn[i].attributes[j] %>
  <% } %>
  <% } %>
  <% } %>

  <% for(var i=0; i < Object.keys(props).length; i++) { -%>
  <% if (typeof Object.values(props)[i] === 'string' || (Object.values(props)[i] && Object.values(props)[i].value)) { %>
  <%=Object.keys(props)[i]%>:
    Type: String
  <% } -%>

  <% if (typeof Object.values(props)[i] === 'boolean') { %>
  <%=Object.keys(props)[i]%>:
    Type: String
  <% } -%>
  <% if (typeof Object.values(props)[i] === 'number') { %>
  <%=Object.keys(props)[i]%>:
    Type: Number
  <% } -%>
  <% if (Object.keys(props)[i] === 'parentStack') { %>
  <%=Object.keys(props)[i]%>:
    Type: String
  <% } -%>
  <% if (Array.isArray(Object.values(props)[i])) { %>
  <%=Object.keys(props)[i]%>:
    Type: CommaDelimitedList
  <% } -%>
  <% } -%>
  <% if(Object.keys(props).includes('hostedUIProviderMeta') && !Object.keys(props).includes('hostedUIProviderCreds')) { %>
  hostedUIProviderCreds:
    Type: String
    Default: '[]'
  <% } -%>

Conditions:
  ShouldNotCreateEnvResources: !Equals [ !Ref env, NONE ]
  <%if (props.authSelections !=='identityPoolOnly' ) { %>
  ShouldOutputAppClientSecrets: !Equals [!Ref userpoolClientGenerateSecret, true ]
  <% } %>

Resources:
  <%if (props.verificationBucketName) { %>
  CustomMessageConfirmationBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: "Retain"
    Properties:
      BucketName:  !If [ShouldNotCreateEnvResources, !Ref verificationBucketName, !Join ['',[!Ref verificationBucketName, '-', !Ref env]]]
      AccessControl: "Private"
      WebsiteConfiguration:
        IndexDocument: "index.html"
        ErrorDocument: "index.html"
      CorsConfiguration:
        CorsRules:
          -
            AllowedHeaders:
              - "Authorization"
              - "Content-Length"
            AllowedMethods:
              - "GET"
            AllowedOrigins:
              - "*"
            MaxAge: 3000
  <% } %>
  <%if (props.authSelections !== 'identityPoolOnly') { %>
  <% if(!props.useEnabledMfas || configureSMS) { %>
  # BEGIN SNS ROLE RESOURCE
  SNSRole:
  # Created to allow the UserPool SMS Config to publish via the Simple Notification Service during MFA Process
    Type: AWS::IAM::Role
    Properties:
      RoleName: !If [ShouldNotCreateEnvResources, '<%=`${props.resourceNameTruncated}_sns-role`%>', !Join ['',[ 'sns', '<%=`${props.sharedId}`%>', !Select [3, !Split ['-', !Ref 'AWS::StackName']], '-', !Ref env]]]
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ""
            Effect: "Allow"
            Principal:
              Service: "cognito-idp.amazonaws.com"
            Action:
              - "sts:AssumeRole"
            Condition:
              StringEquals:
                sts:ExternalId: <%=`${props.resourceNameTruncated}_role_external_id`%>
      Policies:
        -
          PolicyName: <%=`${props.resourceNameTruncated}-sns-policy`%>
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              -
                Effect: "Allow"
                Action:
                  - "sns:Publish"
                Resource: "*"
  <% } %> 
  # BEGIN USER POOL RESOURCES
  UserPool:
  # Created upon user selection
  # Depends on SNS Role for Arn if MFA is enabled
    Type: AWS::Cognito::UserPool
    UpdateReplacePolicy: Retain
    Properties:
      UserPoolName: !If [ShouldNotCreateEnvResources, !Ref userPoolName, !Join ['',[!Ref userPoolName, '-', !Ref env]]]
      <%if (props.requiredAttributes && props.requiredAttributes.length > 0) { %>
      <%if (props.usernameCaseSensitive !== undefined) { %>
      UsernameConfiguration:
        CaseSensitive: <%= props.usernameCaseSensitive %>
      <% } %>
      Schema:
        <% for(var i=0; i < props.requiredAttributes.length; i++) { %>
        -
          Name: <%= props.requiredAttributes[i] %>
          Required: true
          Mutable: true
        <% } %>
      <% } %>
      <%if (!props.breakCircularDependency && props.triggers && props.triggers !== '{}' && props.dependsOn) { %>
      LambdaConfig:
        <%if (props.dependsOn.find(i => i.resourceName.includes('CreateAuthChallenge'))) { %>
          CreateAuthChallenge: !Ref function<%=props.resourceName%>CreateAuthChallengeArn
        <% } %>
        <%if (props.dependsOn.find(i => i.resourceName.includes('CustomMessage'))) { %>
          CustomMessage: !Ref function<%=props.resourceName%>CustomMessageArn
        <% } %>
        <%if (props.dependsOn.find(i => i.resourceName.includes('DefineAuthChallenge'))) { %>
          DefineAuthChallenge: !Ref function<%=props.resourceName%>DefineAuthChallengeArn
        <% } %>
        <%if (props.dependsOn.find(i => i.resourceName.includes('PostAuthentication'))) { %>
          PostAuthentication: !Ref function<%=props.resourceName%>PostAuthenticationArn
        <% } %>
        <%if (props.dependsOn.find(i => i.resourceName.includes('PostConfirmation'))) { %>
          PostConfirmation: !Ref function<%=props.resourceName%>PostConfirmationArn
        <% } %>
        <%if (props.dependsOn.find(i => i.resourceName.includes('PreAuthentication'))) { %>
          PreAuthentication: !Ref function<%=props.resourceName%>PreAuthenticationArn
        <% } %>
        <%if (props.dependsOn.find(i => i.resourceName.includes('PreSignup'))) { %>
          PreSignUp: !Ref function<%=props.resourceName%>PreSignupArn
        <% } %>
        <%if (props.dependsOn.find(i => i.resourceName.includes('PreTokenGeneration'))) { %>
          PreTokenGeneration: !Ref function<%=props.resourceName%>PreTokenGenerationArn
        <% } %>
        <%if (props.dependsOn.find(i => i.resourceName.includes('VerifyAuthChallengeResponse'))) { %>
          VerifyAuthChallengeResponse: !Ref function<%=props.resourceName%>VerifyAuthChallengeResponseArn
        <% } %>
      <% } %>
      <%if (autoVerifiedAttributes && autoVerifiedAttributes.length > 0) { %>
      AutoVerifiedAttributes:
      <% for(let x = 0; x < autoVerifiedAttributes.length; x++) { %>
        - <%= autoVerifiedAttributes[x] %>
      <% } %>
      <% } %>
      <%if (autoVerifiedAttributes && autoVerifiedAttributes.includes('email')) { %>
      EmailVerificationMessage: !Ref emailVerificationMessage
      EmailVerificationSubject: !Ref emailVerificationSubject
      <% } %>
      Policies:
        PasswordPolicy:
          MinimumLength: !Ref passwordPolicyMinLength
          RequireLowercase: <%= props.passwordPolicyCharacters.includes('Requires Lowercase') %>
          RequireNumbers: <%=  props.passwordPolicyCharacters.includes('Requires Numbers') %>
          RequireSymbols: <%= props.passwordPolicyCharacters.includes('Requires Symbols') %>
          RequireUppercase: <%= props.passwordPolicyCharacters.includes('Requires Uppercase') %>
      <% if (props.usernameAttributes && props.usernameAttributes !== 'username') { %>
      UsernameAttributes: !Ref usernameAttributes
      <% } %>
      <% if (props.aliasAttributes && props.aliasAttributes.length > 0) { %>
      AliasAttributes: !Ref aliasAttributes
      <% } %>
      MfaConfiguration: !Ref mfaConfiguration
      <% if(props.useEnabledMfas && props.mfaConfiguration != 'OFF') {%>
      EnabledMfas:
        <% if(configureSMS) {%> 
        - SMS_MFA
        <% } %>
        <% if(props.mfaTypes.includes('TOTP')) {%>
        - SOFTWARE_TOKEN_MFA
        <% } %>
      <% } %>  
      <% if(!props.useEnabledMfas || configureSMS) {%> 
      SmsVerificationMessage: !Ref smsVerificationMessage
      SmsAuthenticationMessage: !Ref smsAuthenticationMessage
      SmsConfiguration:
        SnsCallerArn: !GetAtt SNSRole.Arn
        ExternalId: <%=`${props.resourceNameTruncated}_role_external_id`%>
      <% } %>
    <%if (configureSMS) { %>
    DependsOn: SNSRole
    <% } %>
  <%if (!props.breakCircularDependency && props.triggers && props.dependsOn) { %>
  <%if (props.dependsOn.find(i => i.resourceName.includes('CreateAuthChallenge'))) { %>
  UserPoolCreateAuthChallengeLambdaInvokePermission:
    Type: "AWS::Lambda::Permission"
    DependsOn: UserPool
    Properties:
      Action: "lambda:invokeFunction"
      Principal: "cognito-idp.amazonaws.com"
      FunctionName: !Ref function<%=props.resourceName%>CreateAuthChallengeName
      SourceArn: !GetAtt UserPool.Arn
  <% } %>
  <%if (props.dependsOn.find(i => i.resourceName.includes('CustomMessage'))) { %>
  UserPoolCustomMessageLambdaInvokePermission:
    Type: "AWS::Lambda::Permission"
    DependsOn: UserPool
    Properties:
      Action: "lambda:invokeFunction"
      Principal: "cognito-idp.amazonaws.com"
      FunctionName: !Ref function<%=props.resourceName%>CustomMessageName
      SourceArn: !GetAtt UserPool.Arn
  <% } %>
  <%if (props.dependsOn.find(i => i.resourceName.includes('DefineAuthChallenge'))) { %>
  UserPoolDefineAuthChallengeLambdaInvokePermission:
    Type: "AWS::Lambda::Permission"
    DependsOn: UserPool
    Properties:
      Action: "lambda:invokeFunction"
      Principal: "cognito-idp.amazonaws.com"
      FunctionName: !Ref function<%=props.resourceName%>DefineAuthChallengeName
      SourceArn: !GetAtt UserPool.Arn
  <% } %>
  <%if (props.dependsOn.find(i => i.resourceName.includes('PostAuthentication'))) { %>
  UserPoolPostAuthenticationLambdaInvokePermission:
    Type: "AWS::Lambda::Permission"
    DependsOn: UserPool
    Properties:
      Action: "lambda:invokeFunction"
      Principal: "cognito-idp.amazonaws.com"
      FunctionName: !Ref function<%=props.resourceName%>PostAuthenticationName
      SourceArn: !GetAtt UserPool.Arn
  <% } %>
  <%if (props.dependsOn.find(i => i.resourceName.includes('PostConfirmation'))) { %>
  UserPoolPostConfirmationLambdaInvokePermission:
    Type: "AWS::Lambda::Permission"
    DependsOn: UserPool
    Properties:
      Action: "lambda:invokeFunction"
      Principal: "cognito-idp.amazonaws.com"
      FunctionName: !Ref function<%=props.resourceName%>PostConfirmationName
      SourceArn: !GetAtt UserPool.Arn
  <% } %>
  <%if (props.dependsOn.find(i => i.resourceName.includes('PreAuthentication'))) { %>
  UserPoolPreAuthenticationLambdaInvokePermission:
    Type: "AWS::Lambda::Permission"
    DependsOn: UserPool
    Properties:
      Action: "lambda:invokeFunction"
      Principal: "cognito-idp.amazonaws.com"
      FunctionName: !Ref function<%=props.resourceName%>PreAuthenticationName
      SourceArn: !GetAtt UserPool.Arn
  <% } %>
  <%if (props.dependsOn.find(i => i.resourceName.includes('PreSignup'))) { %>
  UserPoolPreSignupLambdaInvokePermission:
    Type: "AWS::Lambda::Permission"
    DependsOn: UserPool
    Properties:
      Action: "lambda:invokeFunction"
      Principal: "cognito-idp.amazonaws.com"
      FunctionName: !Ref function<%=props.resourceName%>PreSignupName
      SourceArn: !GetAtt UserPool.Arn
  <% } %>
  <%if (props.dependsOn.find(i => i.resourceName.includes('PreTokenGeneration'))) { %>
  UserPoolPreTokenGenerationLambdaInvokePermission:
    Type: "AWS::Lambda::Permission"
    DependsOn: UserPool
    Properties:
      Action: "lambda:invokeFunction"
      Principal: "cognito-idp.amazonaws.com"
      FunctionName: !Ref function<%=props.resourceName%>PreTokenGenerationName
      SourceArn: !GetAtt UserPool.Arn
  <% } %>
  <%if (props.dependsOn.find(i => i.resourceName.includes('VerifyAuthChallengeResponse'))) { %>
  UserPoolVerifyAuthChallengeResponseLambdaInvokePermission:
    Type: "AWS::Lambda::Permission"
    DependsOn: UserPool
    Properties:
      Action: "lambda:invokeFunction"
      Principal: "cognito-idp.amazonaws.com"
      FunctionName: !Ref function<%=props.resourceName%>VerifyAuthChallengeResponseName
      SourceArn: !GetAtt UserPool.Arn
  <% } %>
  # Updating lambda role with permissions to Cognito
  <% if (props.permissions && props.permissions.length > 0) { %>
  <% for(var i=0; i < props.permissions.length; i++) { %>
  <%=`${props.resourceName}${JSON.parse(props.permissions[i]).trigger}${JSON.parse(props.permissions[i]).policyName}:`%>
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: <%=`${props.resourceName}${JSON.parse(props.permissions[i]).trigger}${JSON.parse(props.permissions[i]).policyName}`%>
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: <%= JSON.parse(props.permissions[i]).effect %>
            Action:
            <% for(let x = 0; x < JSON.parse(props.permissions[i]).actions.length; x++) { %>
              - <%=JSON.parse(props.permissions[i]).actions[x]%>
            <% } %>
            <% if(JSON.parse(props.permissions[i]).resource.paramType === 'string') { %>
            Resource: "<%=JSON.parse(props.permissions[i]).resource.keys %>"
            <% } %>
            <% if(JSON.parse(props.permissions[i]).resource.paramType === '!GetAtt') { %>
            Resource: !GetAtt
            <% for(let z = 0; z < JSON.parse(props.permissions[i]).resource.keys.length; z++) { %>
              - <%= JSON.parse(props.permissions[i]).resource.keys[z] %>
            <% } %>
            <% } %>
            <% if(JSON.parse(props.permissions[i]).resource.paramType === '!Ref') { %>
            Resource: !Ref <%=JSON.parse(props.permissions[i]).resource.keys %>
            <% } %>

      Roles:
        - !Join ['',["<%=`${props.resourceName}${JSON.parse(props.permissions[i]).trigger}`%>", '-', !Ref env]]
  <% } %>
  <% } %>
  <% } %>
  UserPoolClientWeb:
  # Created provide application access to user pool
  # Depends on UserPool for ID reference
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      ClientName: <%= props.resourceNameTruncated %>_app_clientWeb
      <%if (props.userpoolClientSetAttributes) { %>
      ReadAttributes: !Ref userpoolClientReadAttributes
      WriteAttributes: !Ref userpoolClientWriteAttributes
      <% } %>
      RefreshTokenValidity: !Ref userpoolClientRefreshTokenValidity
      UserPoolId: !Ref UserPool
    DependsOn: UserPool
  UserPoolClient:
  # Created provide application access to user pool
  # Depends on UserPool for ID reference
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      ClientName: <%= props.resourceNameTruncated %>_app_client
      <%if (props.userpoolClientSetAttributes) { %>
      ReadAttributes: !Ref userpoolClientReadAttributes
      WriteAttributes: !Ref userpoolClientWriteAttributes
      <% } %>
      GenerateSecret: !Ref userpoolClientGenerateSecret
      RefreshTokenValidity: !Ref userpoolClientRefreshTokenValidity
      UserPoolId: !Ref UserPool
    DependsOn: UserPool
  # BEGIN USER POOL LAMBDA RESOURCES
  UserPoolClientRole:
  # Created to execute Lambda which gets userpool app client config values
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !If [ShouldNotCreateEnvResources, !Ref userpoolClientLambdaRole, !Join ['',['upClientLambdaRole', '<%=`${props.sharedId}`%>', !Select [3, !Split ['-', !Ref 'AWS::StackName']], '-', !Ref env]]]
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
    DependsOn: UserPoolClient
  UserPoolClientLambda:
  # Lambda which gets userpool app client config values
  # Depends on UserPool for id
  # Depends on UserPoolClientRole for role ARN
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        ZipFile: !Join
          - |+
          - - 'const response = require(''cfn-response'');'
            - 'const aws = require(''aws-sdk'');'
            - 'const identity = new aws.CognitoIdentityServiceProvider();'
            - 'exports.handler = (event, context, callback) => {'
            - ' if (event.RequestType == ''Delete'') { '
            - '   response.send(event, context, response.SUCCESS, {})'
            - ' }'
            - ' if (event.RequestType == ''Update'' || event.RequestType == ''Create'') {'
            - '   const params = {'
            - '     ClientId: event.ResourceProperties.clientId,'
            - '     UserPoolId: event.ResourceProperties.userpoolId'
            - '   };'
            - '   identity.describeUserPoolClient(params).promise()'
            - '     .then((res) => {'
            - '       response.send(event, context, response.SUCCESS, {''appSecret'': res.UserPoolClient.ClientSecret});'
            - '     })'
            - '     .catch((err) => {'
            - '       response.send(event, context, response.FAILED, {err});'
            - '     });'
            - ' }'
            - '};'
      Handler: index.handler
      Runtime: nodejs12.x
      Timeout: 300
      Role: !GetAtt
        - UserPoolClientRole
        - Arn
    DependsOn: UserPoolClientRole
  UserPoolClientLambdaPolicy:
  # Sets userpool policy for the role that executes the Userpool Client Lambda
  # Depends on UserPool for Arn
  # Marked as depending on UserPoolClientRole for easier to understand CFN sequencing
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: <%=`${props.resourceNameTruncated}_userpoolclient_lambda_iam_policy`%>
      Roles:
        - !Ref UserPoolClientRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'cognito-idp:DescribeUserPoolClient'
            Resource: !GetAtt UserPool.Arn
    DependsOn: UserPoolClientLambda
  UserPoolClientLogPolicy:
  # Sets log policy for the role that executes the Userpool Client Lambda
  # Depends on UserPool for Arn
  # Marked as depending on UserPoolClientLambdaPolicy for easier to understand CFN sequencing
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: <%=`${props.resourceNameTruncated}_userpoolclient_lambda_log_policy`%>
      Roles:
        - !Ref UserPoolClientRole
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - 'logs:CreateLogGroup'
              - 'logs:CreateLogStream'
              - 'logs:PutLogEvents'
            Resource: !Sub
              - arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*
              - { region: !Ref "AWS::Region",  account: !Ref "AWS::AccountId", lambda: !Ref UserPoolClientLambda}
    DependsOn: UserPoolClientLambdaPolicy
  UserPoolClientInputs:
  # Values passed to Userpool client Lambda
  # Depends on UserPool for Id
  # Depends on UserPoolClient for Id
  # Marked as depending on UserPoolClientLambdaPolicy for easier to understand CFN sequencing
    Type: 'Custom::LambdaCallout'
    Properties:
      ServiceToken: !GetAtt UserPoolClientLambda.Arn
      clientId: !Ref UserPoolClient
      userpoolId: !Ref UserPool
    DependsOn: UserPoolClientLogPolicy
  <%if (props.hostedUIDomainName) { %>
  HostedUICustomResource:
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        ZipFile: !Join
          - |+
          - - 'const response = require(''cfn-response'');'
            - 'const aws = require(''aws-sdk'');'
            - 'const identity = new aws.CognitoIdentityServiceProvider();'
            - 'exports.handler = (event, context, callback) => {'
            - ' const userPoolId = event.ResourceProperties.userPoolId;'
            - ' const inputDomainName = event.ResourceProperties.hostedUIDomainName;'
            - ' let deleteUserPoolDomain = (domainName) => {'
            - '   let params = { Domain: domainName, UserPoolId: userPoolId };'
            - '   return identity.deleteUserPoolDomain(params).promise();'
            - ' };'
            - ' if (event.RequestType == ''Delete'') {'
            - '   deleteUserPoolDomain(inputDomainName)'
            - '   .then(() => {response.send(event, context, response.SUCCESS, {})})'
            - '   .catch((err) => { console.log(err); response.send(event, context, response.FAILED, {err}) });'
            - ' }'
            - ' if (event.RequestType == ''Update'' || event.RequestType == ''Create'') {'
            - '  let checkDomainAvailability = (domainName) => {'
            - '  let params = { Domain: domainName };'
            - '  return identity.describeUserPoolDomain(params).promise().then((res) => {'
            - '   if (res.DomainDescription && res.DomainDescription.UserPool) {'
            - '    return false;'
            - '   }'
            - '   return true;'
            - '   }).catch((err) => { return false; });'
            - ' };'
            - ' let createUserPoolDomain = (domainName) => {'
            - '  let params = { Domain: domainName, UserPoolId: userPoolId };'
            - '   return identity.createUserPoolDomain(params).promise();'
            - ' };'
            - ' identity.describeUserPool({UserPoolId: userPoolId }).promise().then((result) => {'
            - '  if (inputDomainName) {'
            - '   if (result.UserPool.Domain === inputDomainName) {'
            - '    return;'
            - '    } else {'
            - '       if (!result.UserPool.Domain) {'
            - '         return checkDomainAvailability(inputDomainName).then((isDomainAvailable) => {'
            - '           if (isDomainAvailable) {'
            - '             return createUserPoolDomain(inputDomainName);'
            - '           } else {'
            - '               throw new Error(''Domain not available'');'
            - '           }'
            - '         });'
            - '       } else {'
            - '           return checkDomainAvailability(inputDomainName).then((isDomainAvailable) => {'
            - '             if (isDomainAvailable) {'
            - '               return deleteUserPoolDomain(result.UserPool.Domain).then(() => createUserPoolDomain(inputDomainName));'
            - '             } else {'
            - '                 throw new Error(''Domain not available'');'
            - '             }'
            - '           });'
            - '       }'
            - '     }'
            - '   } else {'
            - '       if (result.UserPool.Domain) {'
            - '         return deleteUserPoolDomain(result.UserPool.Domain);'
            - '       }'
            - '   }'
            - ' }).then(() => {response.send(event, context, response.SUCCESS, {})}).catch((err) => {'
            - ' console.log(err);  response.send(event, context, response.FAILED, {err});'
            - ' });'
            - '}}'


      Handler: index.handler
      Runtime: nodejs12.x
      Timeout: 300
      Role: !GetAtt
        - UserPoolClientRole
        - Arn
    DependsOn: UserPoolClientRole

  HostedUICustomResourcePolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: !Join ['-',[!Ref UserPool, 'hostedUI']]
      Roles:
        - !Ref UserPoolClientRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'cognito-idp:CreateUserPoolDomain'
              - 'cognito-idp:DescribeUserPool'
              - 'cognito-idp:DeleteUserPoolDomain'
            Resource: !GetAtt UserPool.Arn
          - Effect: Allow
            Action:
              - 'cognito-idp:DescribeUserPoolDomain'
            Resource: '*'
    DependsOn: HostedUICustomResource
  HostedUICustomResourceLogPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: !Join ['-',[!Ref UserPool, 'hostedUILogPolicy']]
      Roles:
        - !Ref UserPoolClientRole
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - 'logs:CreateLogGroup'
              - 'logs:CreateLogStream'
              - 'logs:PutLogEvents'
            Resource: !Sub
              - arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*
              - { region: !Ref "AWS::Region",  account: !Ref "AWS::AccountId", lambda: !Ref HostedUICustomResource}
    DependsOn: HostedUICustomResourcePolicy
  HostedUICustomResourceInputs:
    Type: 'Custom::LambdaCallout'
    Properties:
      ServiceToken: !GetAtt HostedUICustomResource.Arn
      userPoolId: !Ref UserPool
      hostedUIDomainName: !If [ShouldNotCreateEnvResources, !Ref hostedUIDomainName, !Join ['-',[!Ref hostedUIDomainName, !Ref env]]]
    DependsOn: HostedUICustomResourceLogPolicy
  <% } %>

  <%if (props.hostedUIProviderMeta) { %>
  HostedUIProvidersCustomResource:
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        ZipFile: !Join
          - |+
          - - 'const response = require(''cfn-response'');'
            - 'const aws = require(''aws-sdk'');'
            - 'const identity = new aws.CognitoIdentityServiceProvider();'
            - 'exports.handler = (event, context, callback) => {'
            - 'try{'
            - ' const userPoolId = event.ResourceProperties.userPoolId;'
            - ' let hostedUIProviderMeta = JSON.parse(event.ResourceProperties.hostedUIProviderMeta);'
            - ' let hostedUIProviderCreds = JSON.parse(event.ResourceProperties.hostedUIProviderCreds);'
            - ' if(hostedUIProviderCreds.length === 0) {'
            - '  response.send(event, context, response.SUCCESS, {});'
            - ' }'
            - ' if (event.RequestType == ''Delete'') {'
            - '  response.send(event, context, response.SUCCESS, {});'
            - ' }'
            - ' if (event.RequestType == ''Update'' || event.RequestType == ''Create'') {'
            - '  let getRequestParams = (providerName) => {'
            - '   let providerMetaIndex = hostedUIProviderMeta.findIndex((provider) => provider.ProviderName === providerName);'
            - '   let providerMeta =  hostedUIProviderMeta[providerMetaIndex];'
            - '   let providerCredsIndex = hostedUIProviderCreds.findIndex((provider) => provider.ProviderName === providerName);'
            - '   let providerCreds = hostedUIProviderCreds[providerCredsIndex];'
            - '   let requestParams = {'
            - '    ProviderName: providerMeta.ProviderName,'
            - '    UserPoolId: userPoolId,'
            - '    AttributeMapping: providerMeta.AttributeMapping,'
            - '   };'
            - '   if (providerMeta.ProviderName === ''SignInWithApple'') {'
            - '    requestParams.ProviderDetails = {'
            - '     ''client_id'': providerCreds.client_id,'
            - '     ''team_id'': providerCreds.team_id,'
            - '     ''key_id'': providerCreds.key_id,'
            - '     ''private_key'': providerCreds.private_key ? providerCreds.private_key : null,'
            - '     ''authorize_scopes'': providerMeta.authorize_scopes,'
            - '    };'
            - '   } else {'
            - '    requestParams.ProviderDetails = {'
            - '     ''client_id'': providerCreds.client_id,'
            - '     ''client_secret'': providerCreds.client_secret,'
            - '     ''authorize_scopes'': providerMeta.authorize_scopes,'
            - '    };'
            - '   }'
            - '   return requestParams;'
            - '  };'
            - '  let createIdentityProvider = (providerName) => {'
            - '   let requestParams = getRequestParams(providerName);'
            - '   requestParams.ProviderType = requestParams.ProviderName;'
            - '   return identity.createIdentityProvider(requestParams).promise();'
            - '  };'
            - '  let updateIdentityProvider = (providerName) => {'
            - '   let requestParams = getRequestParams(providerName);'
            - '   return identity.updateIdentityProvider(requestParams).promise();'
            - '  };'
            - '  let deleteIdentityProvider = (providerName) => {'
            - '   let params = {ProviderName: providerName, UserPoolId: userPoolId};'
            - '   return identity.deleteIdentityProvider(params).promise();'
            - '  };'
            - '  let providerPromises = [];'
            - '  identity.listIdentityProviders({UserPoolId: userPoolId, MaxResults: 60}).promise()'
            - '  .then((result) => {'
            - '   let providerList = result.Providers.map(provider => provider.ProviderName);'
            - '   let providerListInParameters = hostedUIProviderMeta.map(provider => provider.ProviderName);'
            - '   hostedUIProviderMeta.forEach((providerMetadata) => {'
            - '    if(providerList.indexOf(providerMetadata.ProviderName) > -1) {'
            - '     providerPromises.push(updateIdentityProvider(providerMetadata.ProviderName));'
            - '    } else {'
            - '     providerPromises.push(createIdentityProvider(providerMetadata.ProviderName));'
            - '    }'
            - '  });'
            - '  providerList.forEach((provider) => {'
            - '   if(providerListInParameters.indexOf(provider) < 0) {'
            - '    providerPromises.push(deleteIdentityProvider(provider));'
            - '   }'
            - '  });'
            - '  return Promise.all(providerPromises);'
            - ' }).then(() => {response.send(event, context, response.SUCCESS, {})}).catch((err) => {'
            - '   console.log(err.stack); response.send(event, context, response.FAILED, {err})'
            - ' });'
            - ' } '
            - ' } catch(err) { console.log(err.stack); response.send(event, context, response.FAILED, {err});};'
            - '} '

      Handler: index.handler
      Runtime: nodejs12.x
      Timeout: 300
      Role: !GetAtt
        - UserPoolClientRole
        - Arn
    DependsOn: UserPoolClientRole

  HostedUIProvidersCustomResourcePolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: !Join ['-',[!Ref UserPool, 'hostedUIProvider']]
      Roles:
        - !Ref UserPoolClientRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'cognito-idp:CreateIdentityProvider'
              - 'cognito-idp:UpdateIdentityProvider'
              - 'cognito-idp:ListIdentityProviders'
              - 'cognito-idp:DeleteIdentityProvider'
            Resource: !GetAtt UserPool.Arn
    DependsOn: HostedUIProvidersCustomResource

  HostedUIProvidersCustomResourceLogPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: !Join ['-',[!Ref UserPool, 'hostedUIProviderLogPolicy']]
      Roles:
        - !Ref UserPoolClientRole
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - 'logs:CreateLogGroup'
              - 'logs:CreateLogStream'
              - 'logs:PutLogEvents'
            Resource: !Sub
              - arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*
              - { region: !Ref "AWS::Region",  account: !Ref "AWS::AccountId", lambda: !Ref HostedUIProvidersCustomResource}
    DependsOn: HostedUIProvidersCustomResourcePolicy

  HostedUIProvidersCustomResourceInputs:
    Type: 'Custom::LambdaCallout'
    Properties:
      ServiceToken: !GetAtt HostedUIProvidersCustomResource.Arn
      userPoolId: !Ref UserPool
      hostedUIProviderMeta: !Ref hostedUIProviderMeta
      hostedUIProviderCreds: !Ref hostedUIProviderCreds
    DependsOn: HostedUIProvidersCustomResourceLogPolicy
  <% } %>
  <%if (props.oAuthMetadata) { %>
  OAuthCustomResource:
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        ZipFile: !Join
          - |+
          - - 'const response = require(''cfn-response'');'
            - 'const aws = require(''aws-sdk'');'
            - 'const identity = new aws.CognitoIdentityServiceProvider();'
            - 'exports.handler = (event, context, callback) => {'
            - 'try{'
            - ' const userPoolId = event.ResourceProperties.userPoolId;'
            - ' let webClientId = event.ResourceProperties.webClientId;'
            - ' let nativeClientId = event.ResourceProperties.nativeClientId;'
            - ' let hostedUIProviderMeta = JSON.parse(event.ResourceProperties.hostedUIProviderMeta);'
            - ' let oAuthMetadata = JSON.parse(event.ResourceProperties.oAuthMetadata);'
            - ' let providerList = hostedUIProviderMeta.map(provider => provider.ProviderName);'
            - ' providerList.push(''COGNITO'');'
            - ' if (event.RequestType == ''Delete'') {'
            - '  response.send(event, context, response.SUCCESS, {});'
            - ' }'
            - ' if (event.RequestType == ''Update'' || event.RequestType == ''Create'') {'
            - '  let params = {'
            - '   UserPoolId: userPoolId,'
            - '   AllowedOAuthFlows: oAuthMetadata.AllowedOAuthFlows,'
            - '   AllowedOAuthFlowsUserPoolClient: true,'
            - '   AllowedOAuthScopes: oAuthMetadata.AllowedOAuthScopes,'
            - '   CallbackURLs: oAuthMetadata.CallbackURLs,'
            - '   LogoutURLs: oAuthMetadata.LogoutURLs,'
            - '   SupportedIdentityProviders: providerList'
            - '  };'
            - '  let updateUserPoolClientPromises = [];'
            - '  params.ClientId = webClientId;'
            - '  updateUserPoolClientPromises.push(identity.updateUserPoolClient(params).promise());'
            - '  params.ClientId = nativeClientId;'
            - '  updateUserPoolClientPromises.push(identity.updateUserPoolClient(params).promise());'
            - '  Promise.all(updateUserPoolClientPromises)'
            - '  .then(() => {response.send(event, context, response.SUCCESS, {})}).catch((err) => {'
            - '    console.log(err.stack); response.send(event, context, response.FAILED, {err});'
            - '  });'
            - ' }'
            - '} catch(err) { console.log(err.stack); response.send(event, context, response.FAILED, {err});};'
            - '}'

      Handler: index.handler
      Runtime: nodejs12.x
      Timeout: 300
      Role: !GetAtt
        - UserPoolClientRole
        - Arn
    DependsOn: HostedUIProvidersCustomResourceInputs

  OAuthCustomResourcePolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: !Join ['-',[!Ref UserPool, 'OAuth']]
      Roles:
        - !Ref UserPoolClientRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'cognito-idp:UpdateUserPoolClient'
            Resource: !GetAtt UserPool.Arn
    DependsOn: OAuthCustomResource

  OAuthCustomResourceLogPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: !Join ['-',[!Ref UserPool, 'OAuthLogPolicy']]
      Roles:
        - !Ref UserPoolClientRole
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - 'logs:CreateLogGroup'
              - 'logs:CreateLogStream'
              - 'logs:PutLogEvents'
            Resource: !Sub
              - arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*
              - { region: !Ref "AWS::Region",  account: !Ref "AWS::AccountId", lambda: !Ref OAuthCustomResource}
    DependsOn: OAuthCustomResourcePolicy

  OAuthCustomResourceInputs:
    Type: 'Custom::LambdaCallout'
    Properties:
      ServiceToken: !GetAtt OAuthCustomResource.Arn
      userPoolId: !Ref UserPool
      hostedUIProviderMeta: !Ref hostedUIProviderMeta
      oAuthMetadata: !Ref oAuthMetadata
      webClientId: !Ref 'UserPoolClientWeb'
      nativeClientId: !Ref 'UserPoolClient'
    DependsOn: OAuthCustomResourceLogPolicy
  <% } %>

  <%if (!props.useEnabledMfas && props.mfaConfiguration != 'OFF') { %>
  # BEGIN MFA LAMBDA RESOURCES
  MFALambdaRole:
  # Created to execute Lambda which sets MFA config values
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !If [ShouldNotCreateEnvResources, '<%=`${props.resourceNameTruncated}_totp_lambda_role`%>', !Join ['',['<%=`${props.resourceNameTruncated}_totp_lambda_role`%>', '-', !Ref env]]]
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Policies:
      - PolicyName: <%=`${props.resourceNameTruncated}_totp_pass_role_policy`%>
        PolicyDocument:
          Version: 2012-10-17
          Statement:
            - Effect: Allow
              Action:
                - 'iam:PassRole'
              Resource: !If [ShouldNotCreateEnvResources, '<%= `arn:aws:iam:::role/${props.resourceNameTruncated}_totp_lambda_role`%>', !Join ['',['<%= `arn:aws:iam:::role/${props.resourceNameTruncated}_totp_lambda_role` %>', '-', !Ref env]]]
      - PolicyName: <%=`${props.resourceNameTruncated}_sns_pass_role_policy`%>
        PolicyDocument:
          Version: 2012-10-17
          Statement:
            - Effect: Allow
              Action:
                - 'iam:PassRole'
              Resource: !GetAtt SNSRole.Arn
    DependsOn: SNSRole
  MFALambda:
  # Lambda which sets MFA config values
  # Depends on MFALambdaRole for role ARN
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        ZipFile: !Join
          - |+
          - - 'const response = require(''cfn-response'');'
            - 'const aws = require(''aws-sdk'');'
            - 'const identity = new aws.CognitoIdentityServiceProvider();'
            - 'exports.handler = (event, context, callback) => {'
            - ' if (event.RequestType == ''Delete'') { '
            - '   response.send(event, context, response.SUCCESS, {})'
            - ' }'
            - ' if (event.RequestType == ''Update'' || event.RequestType == ''Create'') {'
            - '   let totpParams = {};'
            - '   try {'
            - '     totpParams = {'
            - '       UserPoolId: event.ResourceProperties.userPoolId,'
            - '       MfaConfiguration: event.ResourceProperties.mfaConfiguration,'
            - '       SmsMfaConfiguration: {'
            - '         SmsAuthenticationMessage: event.ResourceProperties.smsAuthenticationMessage,'
            - '         SmsConfiguration: {'
            - '           SnsCallerArn: event.ResourceProperties.smsConfigCaller,'
            - '           ExternalId: event.ResourceProperties.smsConfigExternalId'
            - '         }'
            - '       },'
            - '       SoftwareTokenMfaConfiguration: {Enabled: event.ResourceProperties.totpEnabled.toLowerCase() === ''true'' ? true : false}'
            - '     };'
            - '   } catch(e) {'
            - '     response.send(event, context, response.FAILED, {e});'
            - '   };'
            - '   identity.setUserPoolMfaConfig(totpParams).promise()'
            - '     .then((res) => {'
            - '       response.send(event, context, response.SUCCESS, {res});'
            - '     })'
            - '     .catch((err) => {'
            - '       response.send(event, context, response.FAILED, {err});'
            - '     });'
            - ' }'
            - '};'
      Handler: index.handler
      Runtime: nodejs12.x
      Timeout: 300
      Role: !GetAtt
        - MFALambdaRole
        - Arn
    DependsOn: MFALambdaRole
  MFALambdaPolicy:
  # Sets policy for the role that executes the MFA Lambda
  # Depends on Userpool for Arn
  # Marked as depending on MFALambda for easier to understand CFN sequencing
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: <%=`${props.resourceNameTruncated}_totp_lambda_iam_policy`%>
      Roles:
        - !If [ShouldNotCreateEnvResources, '<%=`${props.resourceNameTruncated}_totp_lambda_role`%>', !Join ['',['<%=`${props.resourceNameTruncated}_totp_lambda_role`%>', '-', !Ref env]]]
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'cognito-idp:SetUserPoolMfaConfig'
            Resource: !GetAtt UserPool.Arn
    DependsOn: MFALambda
  MFALogPolicy:
  # Sets log policy for the role that executes the MFA Lambda
  # Marked as depending on MFALambdaPolicy for easier to understand CFN sequencing
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: <%=`${props.resourceNameTruncated}_totp_lambda_log_policy`%>
      Roles:
        - !If [ShouldNotCreateEnvResources, '<%=`${props.resourceNameTruncated}_totp_lambda_role`%>', !Join ['',['<%=`${props.resourceNameTruncated}_totp_lambda_role`%>', '-', !Ref env]]]
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - 'logs:CreateLogGroup'
              - 'logs:CreateLogStream'
              - 'logs:PutLogEvents'
            Resource: !Sub
              - arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*
              - { region: !Ref "AWS::Region",  account: !Ref "AWS::AccountId", lambda: !Ref MFALambda}
    DependsOn: MFALambdaPolicy
  MFALambdaInputs:
  # Values passed to MFA Lambda
  # Depends on UserPool for Arn
  # Depends on MFALambda for Arn
  # Marked as depending on MFALambdaPolicy for easier to understand CFN sequencing
    Type: 'Custom::LambdaCallout'
    Properties:
      ServiceToken: !GetAtt MFALambda.Arn
      userPoolId: !Ref UserPool
      mfaConfiguration: !Ref mfaConfiguration
      totpEnabled: <%= props.mfaTypes.includes('TOTP') %>
      smsConfigCaller: !GetAtt SNSRole.Arn
      smsAuthenticationMessage: !Ref smsAuthenticationMessage
      smsConfigExternalId: <%=`${props.resourceNameTruncated}_role_external_id`%>
    DependsOn: MFALogPolicy
  <% } %>
  <% } -%>
  <%if (props.authSelections === 'identityPoolAndUserPool' || props.authSelections === 'identityPoolOnly') { %>
  # BEGIN IDENTITY POOL RESOURCES
  <%if (props.audiences && props.audiences.length > 0) { %>
  OpenIdLambdaRole:
  # Created to execute Lambda which sets MFA config values
  # Depends on UserPoolClientInputs to prevent further identity pool resources from being created before userpool is ready
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !If [ShouldNotCreateEnvResources, '<%=`${props.resourceNameTruncated}_openid_lambda_role`%>', !Join ['',['<%=`${props.resourceNameTruncated}_openid_lambda_role`%>', '-', !Ref env]]]
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Policies:
      - PolicyName: <%=`${props.resourceNameTruncated}_openid_pass_role_policy`%>
        PolicyDocument:
          Version: 2012-10-17
          Statement:
            - Effect: Allow
              Action:
                - 'iam:PassRole'
              Resource: !If [ShouldNotCreateEnvResources, '<%= `arn:aws:iam:::role/${props.resourceNameTruncated}_openid_lambda_role` %>', !Join ['',['<%= `arn:aws:iam:::role/${props.resourceNameTruncated}_openid_lambda_role` %>', '-', !Ref env]]]
    DependsOn: UserPoolClientInputs
  OpenIdLambda:
  # Lambda which sets OpenId Values
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        ZipFile: !Join
          - |+
          - - 'const response = require(''cfn-response'');'
            - 'const aws = require(''aws-sdk'');'
            - 'const iam = new aws.IAM();'
            - 'exports.handler = (event, context) => {'
            - ' if (event.RequestType == ''Delete'') { '
            - '   response.send(event, context, response.SUCCESS, {});'
            - ' }'
            - ' if (event.RequestType == ''Update'' || event.RequestType == ''Create'') {'
            - '   const params = {'
            - '     ClientIDList: event.ResourceProperties.clientIdList.split('',''),'
            - '     ThumbprintList: ["0000000000000000000000000000000000000000"],'
            - '     Url: event.ResourceProperties.url'
            - '   };'
            - '   let exists = false;'
            - '   let existingValue;'
            - '   iam.listOpenIDConnectProviders({}).promise().then((data) => {'
            - '     if (data.OpenIDConnectProviderList && data.OpenIDConnectProviderList.length > 0) {'
            - '       const vals = data.OpenIDConnectProviderList.map(x => x.Arn);'
            - '       existingValue = vals.find(i => i.split(''/'')[1] === params.Url.split(''//'')[1]);'
            - '       if (!existingValue) {'
            - '         exists = true;'
            - '       }'
            - '     }'
            - '     if (!existingValue) {'
            - '       iam.createOpenIDConnectProvider(params).promise().then((data) => {'
            - '         response.send(event, context, response.SUCCESS, {providerArn: data.OpenIDConnectProviderArn, providerIds: params.ClientIDList});'
            - '       })'
            - '       .catch((err) => {'
            - '         response.send(event, context, response.FAILED, {err});'
            - '       });'
            - '     } else {'
            - '       const findParams = {'
            - '         OpenIDConnectProviderArn: existingValue'
            - '       };'
            - '       iam.getOpenIDConnectProvider(findParams).promise().then((data) => {'
            - '         const audiences = data.ClientIDList;'
            - '         const updateCalls = [];'
            - '         params.ClientIDList.forEach((a) => {'
            - '           if (!audiences.includes(a)) {'
            - '             const updateParams = {'
            - '               ClientID: a,'
            - '               OpenIDConnectProviderArn: existingValue'
            - '             };'
            - '             const prom = iam.addClientIDToOpenIDConnectProvider(updateParams).promise();'
            - '             updateCalls.push(prom);'
            - '           }'
            - '         });'
            - '         Promise.all(updateCalls).then(function(values) {'
            - '           response.send(event, context, response.SUCCESS, {providerArn: existingValue, providerIds: params.ClientIDList});'
            - '         })'
            - '         .catch((err3) => {'
            - '           response.send(event, context, response.FAILED, {err3});'
            - '         });'
            - '       })'
            - '       .catch((err2) => {'
            - '           response.send(event, context, response.FAILED, {err2});'
            - '       });'
            - '     }'
            - '   })'
            - '   .catch((err1) => {'
            - '           response.send(event, context, response.FAILED, {err1});'
            - '   });'
            - ' }'
            - '};'
      Handler: index.handler
      Runtime: nodejs12.x
      Timeout: 300
      Role: !GetAtt
        - OpenIdLambdaRole
        - Arn
    DependsOn: OpenIdLambdaRole
  OpenIdLambdaIAMPolicy:
  # Sets policy for the role that executes the OpenId Lambda
  # Depends on OpenIdLambda for Arn
  # Marked as depending on MFALambda for easier to understand CFN sequencing
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: <%=`${props.resourceNameTruncated}_openid_lambda_iam_policy`%>
      Roles:
        - !If [ShouldNotCreateEnvResources, '<%=`${props.resourceNameTruncated}_openid_lambda_role`%>', !Join ['',['<%=`${props.resourceNameTruncated}_openid_lambda_role`%>', '-', !Ref env]]]
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'iam:CreateOpenIDConnectProvider'
              - 'iam:GetOpenIDConnectProvider'
              - 'iam:AddClientIDToOpenIDConnectProvider'
            Resource: !Sub
              - arn:aws:iam::${account}:oidc-provider/accounts.google.com
              - { account: !Ref "AWS::AccountId"}
          - Effect: Allow
            Action:
              - 'iam:ListOpenIDConnectProviders'
            Resource: !Sub
              - arn:aws:iam::${account}:oidc-provider/${selector}
              - { account: !Ref "AWS::AccountId", selector: '*'}
    DependsOn: OpenIdLambda
  OpenIdLogPolicy:
  # Sets log policy for the role that executes the OpenId  Lambda
  # Depends on OpenIdLambda for Arn
  # Marked as depending on UserPoolClientLambdaPolicy for easier to understand CFN sequencing
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: <%=`${props.resourceNameTruncated}_openid_lambda_log_policy`%>
      Roles:
        - !If [ShouldNotCreateEnvResources, '<%=`${props.resourceNameTruncated}_openid_lambda_role`%>', !Join ['',['<%=`${props.resourceNameTruncated}_openid_lambda_role`%>', '-', !Ref env]]]
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - 'logs:CreateLogGroup'
              - 'logs:CreateLogStream'
              - 'logs:PutLogEvents'
            Resource: !Sub
              - arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*
              - { region: !Ref "AWS::Region",  account: !Ref "AWS::AccountId", lambda: !Ref OpenIdLambda}
    DependsOn: OpenIdLambdaIAMPolicy
  OpenIdLambdaInputs:
  # Values passed to OpenId Lambda
  # Depends on OpenId for Arn
  # Marked as depending on OpenIdLogPolicy for easier to understand CFN sequencing
    Type: 'Custom::LambdaCallout'
    Properties:
      ServiceToken: !GetAtt OpenIdLambda.Arn
      clientIdList: <%= props.audiences.join() %>
      url: 'https://accounts.google.com'
    DependsOn: OpenIdLogPolicy
  <% } %>

  IdentityPool:
  # Always created
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: !If [ShouldNotCreateEnvResources, '<%= props.identityPoolName %>', !Join ['',['<%= props.identityPoolName %>', '__', !Ref env]]]
      <%if (props.authSelections !== 'identityPoolOnly') { %>
      CognitoIdentityProviders:
        - ClientId:  !Ref UserPoolClient
          ProviderName: !Sub
            - cognito-idp.${region}.amazonaws.com/${client}
            - { region: !Ref "AWS::Region",  client: !Ref UserPool}
        - ClientId:  !Ref UserPoolClientWeb
          ProviderName: !Sub
            - cognito-idp.${region}.amazonaws.com/${client}
            - { region: !Ref "AWS::Region",  client: !Ref UserPool}
      <% } -%>
      <%if (props.authProviders && Object.keys(props.authProviders).length > 0 && props.authProviders !== '{}' && !(Object.keys(props.authProviders).length === 1 && props.authProviders[0] === 'accounts.google.com' && props.audiences)) { %>
      SupportedLoginProviders:
        <%if (props.authProviders.indexOf('graph.facebook.com') !== -1) { %>
        graph.facebook.com: !Ref facebookAppId
        <% } %>
        <%if (props.authProviders.indexOf('accounts.google.com') !== -1 && !props.audiences) { %>
        accounts.google.com: !Ref googleClientId
        <% } %>
        <%if (props.authProviders.indexOf('www.amazon.com') !== -1) { %>
        www.amazon.com: !Ref amazonAppId
        <% } %>
        <%if (props.authProviders.indexOf('appleid.apple.com') !== -1) { %>
        appleid.apple.com: !Ref appleAppId
        <% } %>
      <% } %>
      AllowUnauthenticatedIdentities: !Ref allowUnauthenticatedIdentities
      <%if (props.audiences && props.audiences.length > 0) { %>
      OpenIdConnectProviderARNs:
        - !GetAtt OpenIdLambdaInputs.providerArn
    DependsOn: OpenIdLambdaInputs
      <% } %>
    <%if ((!props.audiences || props.audiences.length === 0) && props.authSelections !== 'identityPoolOnly') { %>
    DependsOn: UserPoolClientInputs
    <% } %>

  IdentityPoolRoleMap:
  # Created to map Auth and Unauth roles to the identity pool
  # Depends on Identity Pool for ID ref
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref IdentityPool
      Roles:
          unauthenticated: !Ref unauthRoleArn
          authenticated: !Ref authRoleArn
    DependsOn: IdentityPool
  <% } %>

Outputs :
  <%if (props.authSelections === 'identityPoolAndUserPool' || props.authSelections == 'identityPoolOnly') { %>
  IdentityPoolId:
    Value: !Ref 'IdentityPool'
    Description:  Id for the identity pool
  IdentityPoolName:
    Value: !GetAtt IdentityPool.Name
  <% } %>
  <%if (props.hostedUIDomainName) { %>
  HostedUIDomain:
    Value: !If [ShouldNotCreateEnvResources, !Ref hostedUIDomainName, !Join ['-',[!Ref hostedUIDomainName, !Ref env]]]
  <% } %>
  <%if (props.oAuthMetadata) { %>
  OAuthMetadata:
    Value: !Ref oAuthMetadata
  <% } %>
  <%if (props.authSelections !== 'identityPoolOnly') { %>
  UserPoolId:
    Value: !Ref 'UserPool'
    Description:  Id for the user pool
  UserPoolArn:
    Value: !GetAtt UserPool.Arn
    Description:  Arn for the user pool
  UserPoolName:
    Value: !Ref userPoolName
  AppClientIDWeb:
    Value: !Ref 'UserPoolClientWeb'
    Description: The user pool app client id for web
  AppClientID:
    Value: !Ref 'UserPoolClient'
    Description: The user pool app client id
  AppClientSecret:
    Value: !GetAtt UserPoolClientInputs.appSecret
    Condition: ShouldOutputAppClientSecrets
  <%if (!props.useEnabledMfas || configureSMS) { %>
  CreatedSNSRole:
    Value: !GetAtt SNSRole.Arn
    Description: role arn
  <% } %>
  <%if (props.googleClientId) { %>
  GoogleWebClient:
    Value: !Ref googleClientId
  <% } %>
  <%if (props.googleIos) { %>
  GoogleIOSClient:
    Value: !Ref googleIos
  <% } %>
  <%if (props.googleAndroid) { %>
  GoogleAndroidClient:
    Value: !Ref googleAndroid
  <% } %>
  <%if (props.facebookAppId) { %>
  FacebookWebClient:
    Value: !Ref facebookAppId
  <% } %>
  <%if (props.amazonAppId) { %>
  AmazonWebClient:
    Value: !Ref amazonAppId
  <% } %>
  <%if (props.appleAppId) { %>
  AppleWebClient:
    Value: !Ref appleAppId
  <% } %>
  <% } %>