Introduction
As part of automating our Cognito setup, we wrote a CloudFormation template that creates a Cognito User Pool.
Template example
AWSTemplateFormatVersion: 2010-09-09
Description: >-
  This template creates an Amazon Cognito Userpool.
  You will be billed for the AWS resources used if you create a stack from this
  template.
Parameters:
  FromEmailAddress:
    Description: from email address
    Type: String
  FromEmailIdentityArn:
    Description: from email ses arn
    Type: String
  Stage:
    Type: String
    Description: The name for a project stage, such as Prod, Acpt, Dev or Unit
  UserPoolBaseName:
    Description: User Pool Base Name
    Type: String
  UserPoolSuffixName:
    Description: The suffix for UserPoolName
    Type: String
  UserPoolTagCost:
    Description: The tag for cost management
    Type: String
Resources:
  UserPool:
    Type: 'AWS::Cognito::UserPool'
    Properties:
      UserPoolName: !Sub '${UserPoolBaseName}${Stage}${UserPoolSuffixName}'
      AccountRecoverySetting:
        RecoveryMechanisms:
          - Name: verified_email
            Priority: 1
      AdminCreateUserConfig:
        AllowAdminCreateUserOnly: true  # no self sign-up; users are created by an administrator
        UnusedAccountValidityDays: 90   # deprecated property; Policies.PasswordPolicy.TemporaryPasswordValidityDays is its replacement
      AutoVerifiedAttributes:
        - email
      EmailConfiguration:
        SourceArn: !Ref FromEmailIdentityArn
        From: !Ref FromEmailAddress
        EmailSendingAccount: DEVELOPER
      Policies:
        PasswordPolicy:
          MinimumLength: 8
          RequireLowercase: true
          RequireNumbers: true
          RequireSymbols: false     # weaker than the Cognito default, which requires symbols and uppercase
          RequireUppercase: false
      Schema:
        - Name: email
          AttributeDataType: String
          DeveloperOnlyAttribute: false
          Mutable: true
          Required: true
        # Custom attributes are exposed as custom:<name>; Required must be false for them
        - Name: 'office_group_id'
          AttributeDataType: String
          DeveloperOnlyAttribute: false
          Mutable: true
          Required: false
          StringAttributeConstraints:
            MinLength: 0
            MaxLength: 256
        - Name: 'office_id'
          AttributeDataType: String
          DeveloperOnlyAttribute: false
          Mutable: true
          Required: false
          StringAttributeConstraints:
            MinLength: 0
            MaxLength: 256
        - Name: 'business_id'
          AttributeDataType: String
          DeveloperOnlyAttribute: false
          Mutable: true
          Required: false
          StringAttributeConstraints:
            MinLength: 0
            MaxLength: 256
        - Name: 'user_type'
          AttributeDataType: String
          DeveloperOnlyAttribute: false
          Mutable: true
          Required: false
          StringAttributeConstraints:
            MinLength: 0
            MaxLength: 256
      UsernameAttributes:
        - email
      UsernameConfiguration:
        CaseSensitive: true  # AWS recommends false for email sign-in; cannot be changed after the pool is created
      UserPoolAddOns:
        AdvancedSecurityMode: 'OFF'  # no compromised-credential or adaptive-authentication checks
      UserPoolTags:
        Cost: !Ref UserPoolTagCost
      VerificationMessageTemplate:
        DefaultEmailOption: CONFIRM_WITH_CODE
  AppClientWeb:
    Type: 'AWS::Cognito::UserPoolClient'
    Properties:
      UserPoolId: !Ref UserPool
      ClientName: !Sub '${UserPoolBaseName}${Stage}${UserPoolSuffixName}_app_clientWeb'
      AllowedOAuthFlowsUserPoolClient: false
      EnableTokenRevocation: false  # refresh tokens issued to this client cannot be revoked with RevokeToken
      ExplicitAuthFlows:            # SRP only; no flow that sends the password itself
        - ALLOW_CUSTOM_AUTH
        - ALLOW_USER_SRP_AUTH
        - ALLOW_REFRESH_TOKEN_AUTH
      RefreshTokenValidity: 30
      AccessTokenValidity: 1
      IdTokenValidity: 1
      TokenValidityUnits:
        RefreshToken: days
        AccessToken: hours
        IdToken: hours
      PreventUserExistenceErrors: LEGACY  # LEGACY returns UserNotFoundException; ENABLED hides whether a user exists
      ReadAttributes:
        - 'birthdate'
        - 'custom:office_group_id'
        - 'custom:office_id'
        - 'custom:business_id'
        - 'custom:user_type'
        - 'email'
        - 'email_verified'
        - 'family_name'
        - 'given_name'
        - 'middle_name'
        - 'name'
      WriteAttributes:
        - 'birthdate'
        - 'custom:office_group_id'
        - 'custom:office_id'
        - 'custom:business_id'
        - 'custom:user_type'
        - 'email'
        - 'family_name'
        - 'given_name'
        - 'middle_name'
        - 'name'
      GenerateSecret: false  # a browser client cannot keep a secret, so none is issued
    DependsOn:               # redundant: !Ref UserPool above already creates this dependency
      - UserPool
Notes
Structure
One User Pool is created, together with one app client that belongs to it.
Limitations
Because Japanese text cannot be used, the template does not populate every setting automatically.
The Parameters: section
Input definitions for the parameters. Items that are common across environments can be given a Default value; the example above declares none, so every parameter has to be supplied when the stack is created.
Note: Japanese characters came out garbled and could not be set.
The AppClientWeb: section
Definition of the User Pool client used by the app. GenerateSecret is false because a browser client cannot protect a client secret. The DependsOn entry is redundant, since UserPoolId: !Ref UserPool already makes CloudFormation create the pool first. From a security standpoint, PreventUserExistenceErrors: LEGACY (user-existence errors are returned, so valid usernames can be enumerated) and EnableTokenRevocation: false (refresh tokens cannot be revoked) are the two settings to revisit before this client is used in production.
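The following is an added example and not code from the original article: a small lint script that reads the template above (the User Pool and its AppClientWeb client) and reports the settings a security review would question, then writes a hardened copy. The template is embedded as CloudFormation JSON rather than YAML so that it loads with the Python standard library alone ({"Ref": ...} and {"Fn::Sub": ...} are the JSON forms of !Ref / !Sub); it is a constructed, reduced copy that keeps only the properties the checks read. The finding messages, the 12-character minimum and the choice of OPTIONAL MFA with a software token are this example's own review choices, not something the article prescribes.

```python
# Added example (not from the original page): lint a Cognito User Pool template
# for weak settings, then emit a hardened copy. The template is embedded as
# CloudFormation JSON so the standard library can load it ({"Ref": ...} and
# {"Fn::Sub": ...} are the JSON forms of !Ref / !Sub); it is a constructed,
# reduced copy of the template above, keeping only the properties checked here.
import json

PLAINTEXT_FLOWS = {"ALLOW_USER_PASSWORD_AUTH", "ALLOW_ADMIN_USER_PASSWORD_AUTH"}
PASSWORD_CLASSES = ("RequireLowercase", "RequireUppercase", "RequireNumbers", "RequireSymbols")

TEMPLATE_JSON = r'''{
  "Resources": {
    "UserPool": {
      "Type": "AWS::Cognito::UserPool",
      "Properties": {
        "UserPoolName": {"Fn::Sub": "${UserPoolBaseName}${Stage}${UserPoolSuffixName}"},
        "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": true, "UnusedAccountValidityDays": 90},
        "Policies": {"PasswordPolicy": {"MinimumLength": 8, "RequireLowercase": true,
                     "RequireNumbers": true, "RequireSymbols": false, "RequireUppercase": false}},
        "UsernameAttributes": ["email"],
        "UsernameConfiguration": {"CaseSensitive": true},
        "UserPoolAddOns": {"AdvancedSecurityMode": "OFF"}}},
    "AppClientWeb": {
      "Type": "AWS::Cognito::UserPoolClient",
      "Properties": {
        "UserPoolId": {"Ref": "UserPool"},
        "EnableTokenRevocation": false,
        "ExplicitAuthFlows": ["ALLOW_CUSTOM_AUTH", "ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"],
        "RefreshTokenValidity": 30,
        "TokenValidityUnits": {"RefreshToken": "days", "AccessToken": "hours", "IdToken": "hours"},
        "PreventUserExistenceErrors": "LEGACY",
        "GenerateSecret": false}}}}'''


def check_user_pool(name, props):
    """(resource, property, message) findings for one AWS::Cognito::UserPool."""
    findings = []
    pw = props.get("Policies", {}).get("PasswordPolicy", {})
    if pw.get("MinimumLength", 8) < 8 or not all(pw.get(k, True) for k in PASSWORD_CLASSES):
        findings.append((name, "PasswordPolicy", "weaker than Cognito's default (8 chars, all four classes)"))
    admin = props.get("AdminCreateUserConfig", {})
    if "UnusedAccountValidityDays" in admin:
        findings.append((name, "UnusedAccountValidityDays", "deprecated; use PasswordPolicy.TemporaryPasswordValidityDays"))
    if not admin.get("AllowAdminCreateUserOnly", False):
        findings.append((name, "AllowAdminCreateUserOnly", "self sign-up is open to anyone"))
    if props.get("MfaConfiguration", "OFF") == "OFF":
        findings.append((name, "MfaConfiguration", "MFA is OFF (the default); set OPTIONAL or ON with SoftwareTokenMfaConfiguration"))
    if props.get("UserPoolAddOns", {}).get("AdvancedSecurityMode", "OFF") == "OFF":
        findings.append((name, "AdvancedSecurityMode", "no compromised-credential or adaptive-auth protection"))
    if "email" in props.get("UsernameAttributes", []) and props.get("UsernameConfiguration", {}).get("CaseSensitive", True):
        findings.append((name, "CaseSensitive", "User@example.com and user@example.com would be two different users"))
    return findings


def check_app_client(name, props):
    """(resource, property, message) findings for one AWS::Cognito::UserPoolClient."""
    findings = []
    if props.get("PreventUserExistenceErrors", "LEGACY") != "ENABLED":
        findings.append((name, "PreventUserExistenceErrors", "LEGACY returns UserNotFoundException, so callers can enumerate usernames"))
    if not props.get("EnableTokenRevocation", True):
        findings.append((name, "EnableTokenRevocation", "RevokeToken cannot invalidate this client's refresh tokens"))
    plaintext = PLAINTEXT_FLOWS & set(props.get("ExplicitAuthFlows", []))
    if plaintext:
        findings.append((name, "ExplicitAuthFlows", f"{sorted(plaintext)} send the password itself; prefer ALLOW_USER_SRP_AUTH"))
    return findings


def lint_template(text):
    """Run the checks over every Cognito resource in a JSON template string."""
    checks = {"AWS::Cognito::UserPool": check_user_pool, "AWS::Cognito::UserPoolClient": check_app_client}
    findings = []
    for name, res in json.loads(text).get("Resources", {}).items():
        if res.get("Type") in checks:
            findings.extend(checks[res["Type"]](name, res.get("Properties", {})))
    return findings


def harden_template(text):
    """Return a JSON copy with every finding fixed. Caveat: UsernameConfiguration is
    fixed at pool creation, so CloudFormation replaces an existing pool (and loses
    its users) to change it; apply that part only to a pool that does not exist yet."""
    tpl = json.loads(text)
    for res in tpl.get("Resources", {}).values():
        props = res.setdefault("Properties", {})
        if res.get("Type") == "AWS::Cognito::UserPool":
            pw = props.setdefault("Policies", {}).setdefault("PasswordPolicy", {})
            pw.update({k: True for k in PASSWORD_CLASSES}, MinimumLength=max(pw.get("MinimumLength", 8), 12))
            admin = props.setdefault("AdminCreateUserConfig", {})
            admin["AllowAdminCreateUserOnly"] = True
            if "UnusedAccountValidityDays" in admin:  # same meaning, current property name
                pw["TemporaryPasswordValidityDays"] = admin.pop("UnusedAccountValidityDays")
            props.update(MfaConfiguration="OPTIONAL", SoftwareTokenMfaConfiguration={"Enabled": True},
                         UserPoolAddOns={"AdvancedSecurityMode": "ENFORCED"}, UsernameConfiguration={"CaseSensitive": False})
        elif res.get("Type") == "AWS::Cognito::UserPoolClient":
            props.update(PreventUserExistenceErrors="ENABLED", EnableTokenRevocation=True,
                         ExplicitAuthFlows=[f for f in props.get("ExplicitAuthFlows", []) if f not in PLAINTEXT_FLOWS])
    return json.dumps(tpl, indent=2)
```

Run against the embedded copy, lint_template reports seven findings (five on UserPool, two on AppClientWeb) and none on the output of harden_template. The checks that pass are worth noticing too: AllowAdminCreateUserOnly: true keeps self sign-up closed, and ExplicitAuthFlows contains no ALLOW_USER_PASSWORD_AUTH or ALLOW_ADMIN_USER_PASSWORD_AUTH, so the browser never sends the password itself. Two caveats before applying the hardened copy to a live stack: AdvancedSecurityMode other than OFF is a paid feature, and the CaseSensitive change forces pool replacement, which deletes existing users.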
References
AWS::Cognito::UserPool
AWS::Cognito::UserPoolClient
The official AWS documentation used as reference.
CloudFormation で Cognito (Cognito with CloudFormation)
AWS CognitoユーザPoolの作成とSignupの実装 (Creating an AWS Cognito User Pool and implementing sign-up)
Used as references for how to write the template and how to proceed.
Closing
I hope the above proves useful.