quicksight-cognito-cloudformation.yml

Resources:

#### Lambda ####
  # You can use AWS Serverless Application Model (SAM) tasks (AWS::Serverless::HttpApi, AWS::Serverless::Function) to easily create a serverless application.
  # This hides some creation tasks (iam roles, logs, api gateway links, ...), this is not the goal here.

  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: quicksight-cognito-lambda-execution-role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
              - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Action:
                  - cognito-identity:GetId
                  - cognito-identity:GetOpenIdToken
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Effect: Allow
                Resource: '*'
          PolicyName: quicksight-cognito-execution-policy
  
  QuicksightCognitoFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: quicksight-cognito-lambda
      Handler: main.handler
      Runtime: nodejs12.x
      Role: !GetAtt LambdaExecutionRole.Arn
      Code:
        ZipFile: !Sub |
          exports.handler = function(event, context) {
            console.log('upload quicksight cognito code & update nodejs version to nodejs14.x');
          };
      Environment:
        Variables:
          COGNITO_IDENTITY_POOL_ID: !Ref CognitoIdentityPool
          COGNITO_USER_POOL_URL: !Select [1, !Split ['://', !GetAtt CognitoUserPool.ProviderURL]] # Remove https:// from provider url
          STS_ROLE_ARN_TO_ASSUME: !GetAtt ConnectedUserRoleToAssume.Arn
          QUICKSIGHT_REGION: !Ref AWS::Region
          QUICKSIGHT_DASHBOARD_ID: dashboardId
          AWS_ACCOUNT_ID: !Ref AWS::AccountId
          AWS_REGION: !Ref AWS::Region

  LambdaApiGatewayPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt QuicksightCognitoFunction.Arn
      Action: lambda:InvokeFunction
      Principal: apigateway.amazonaws.com

  LambdaLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub '/aws/lambda/${QuicksightCognitoFunction}'
      RetentionInDays: 1
#### ####

#### API Gateway ####
  APIGatewayHttpApi:
    Type: AWS::ApiGatewayV2::Api
    Properties:
      Name: quicksight-cognito-api-gateway
      Description: Quicksight Cognito API forward to lambda
      ProtocolType: HTTP

  APIGatewayLambdaIntegration:
    Type: AWS::ApiGatewayV2::Integration
    Properties:
      ApiId: !Ref APIGatewayHttpApi
      IntegrationType: AWS_PROXY
      PayloadFormatVersion: 2.0
      IntegrationUri: !Sub 'arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${QuicksightCognitoFunction.Arn}/invocations'
      RequestParameters:
        'overwrite:path': '$request.path' # Remove any stage name from path

  APIGatewayAuthorizer:
    Type: AWS::ApiGatewayV2::Authorizer
    Properties:
      ApiId: !Ref APIGatewayHttpApi
      AuthorizerType: JWT
      IdentitySource:
        - "$request.header.Authorization"
      JwtConfiguration:
        Audience:
          - !Ref CognitoUserPoolClient
        Issuer: !Sub 'https://cognito-idp.${AWS::Region}.amazonaws.com/${CognitoUserPool}'
      Name: JwtCognitoAuthorizer

  APIGatewayGetLambdaProxyRoute:
    Type: AWS::ApiGatewayV2::Route
    Properties:
      ApiId: !Ref APIGatewayHttpApi
      RouteKey: 'GET /quicksight-cognito/{proxy+}'
      AuthorizationType: JWT
      AuthorizerId: !Ref APIGatewayAuthorizer
      Target: !Sub 'integrations/${APIGatewayLambdaIntegration}'

  APIGatewayOptionsLambdaProxyRoute:
    Type: AWS::ApiGatewayV2::Route
    Properties:
      ApiId: !Ref APIGatewayHttpApi
      RouteKey: 'OPTIONS /quicksight-cognito/{proxy+}'
      Target: !Sub 'integrations/${APIGatewayLambdaIntegration}'

  APIGatewayLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: api-gateway-log-grp
      RetentionInDays: 1

  APIGatewayDevStage:
    Type: AWS::ApiGatewayV2::Stage
    Properties:
      StageName: Dev
      Description: Dev Stage
      AccessLogSettings:
        DestinationArn: !GetAtt APIGatewayLogGroup.Arn
        Format: '{ "requestId":"$context.requestId", "ip": "$context.identity.sourceIp", "requestTime":"$context.requestTime", "httpMethod":"$context.httpMethod","routeKey":"$context.routeKey", "status":"$context.status","protocol":"$context.protocol", "responseLength":"$context.responseLength", "integrationError":"$context.integrationErrorMessage" }'
      AutoDeploy: true
      ApiId: !Ref APIGatewayHttpApi
#### ####

#### Cognito ####
  CognitoUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: quicksight-cognito-user-pool

  CognitoUserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      UserPoolId: !Ref CognitoUserPool
      ClientName: quicksight-cognito-web-app
      AccessTokenValidity: 1 # eq 1 hour
      IdTokenValidity: 1 # eq 1 hour
      RefreshTokenValidity: 1 # eq 1 day
      AllowedOAuthFlowsUserPoolClient: false
      SupportedIdentityProviders:
        - COGNITO

  CognitoIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      AllowUnauthenticatedIdentities: false
      IdentityPoolName: quicksight-cognito-identity-pool
      CognitoIdentityProviders:
        - ProviderName: !GetAtt CognitoUserPool.ProviderName
          ClientId: !Ref CognitoUserPoolClient

  CognitoIdentityPoolRoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref CognitoIdentityPool
      Roles:
        "authenticated": !GetAtt CognitoAuthenticatedRole.Arn
        "unauthenticated": !GetAtt CognitoUnAuthenticatedRole.Arn

  CognitoAuthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: cognito-auth-role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Federated:
                - cognito-identity.amazonaws.com
            Action:
              - sts:AssumeRoleWithWebIdentity
            Condition: { "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" },  "StringEquals": { "cognito-identity.amazonaws.com:aud": !Ref CognitoIdentityPool } }
      Policies:
        - PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Action:
                  - mobileanalytics:PutEvents
                  - cognito-sync:*
                  - cognito-identity:*
                Effect: Allow
                Resource: '*'
          PolicyName: cognito-auth-policy

  CognitoUnAuthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: cognito-unauth-role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Federated:
                - cognito-identity.amazonaws.com
            Action:
              - sts:AssumeRoleWithWebIdentity
            Condition: { "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "unauthenticated" },  "StringEquals": { "cognito-identity.amazonaws.com:aud": !Ref CognitoIdentityPool } }
#### ####

#### Quicksight ####
  ConnectedUserRoleToAssume:
    Type: AWS::IAM::Role
    Properties:
      RoleName: cognito-quicksight-assumed-role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Federated:
                - cognito-identity.amazonaws.com
            Action:
              - sts:AssumeRoleWithWebIdentity
      Policies:
        - PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Action:
                  - quicksight:RegisterUser
                  - quicksight:GetDashboardEmbedUrl
                Effect: Allow
                Resource: '*'
          PolicyName: cognito-quicksight-assumed-policy

  # Add quicksight create account + quicksight create analysis (AWS::QuickSight::Analysis) + quicksight create dashboard (AWS::QuickSight::Dashboard) when it's possible with CloudFormation
#### ####

#### S3 Website ####
  WebAppS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketName: quicksight-cognito-web-app-s3

  WebAppS3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref WebAppS3Bucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action:
              - s3:GetObject
            Principal:
              CanonicalUser: !GetAtt WebAppAccessIdentity.S3CanonicalUserId
            Effect: Allow
            Resource: !Sub '${WebAppS3Bucket.Arn}/*'

  WebAppAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: quicksight-cognito-web-app-cloudfront-access-identity

  WebAppDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Origins:
          - DomainName: !GetAtt WebAppS3Bucket.RegionalDomainName
            Id: quicksightCognitoWebAppBucket
            S3OriginConfig:
              OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${WebAppAccessIdentity.Id}'
        Enabled: true
        DefaultRootObject: index.html
        HttpVersion: http2
        CustomErrorResponses:
          - ErrorCode: 403
            ResponseCode: 200
            ResponsePagePath: /index.html
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
          Compress: true
          TargetOriginId: quicksightCognitoWebAppBucket
          ForwardedValues:
            QueryString: false
            Cookies:
              Forward: none
          ViewerProtocolPolicy: redirect-to-https
        PriceClass: PriceClass_100
#### ####

#### CI/CD User to deploy Web App / Lambda files #####
  IAMGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: quicksight-cognito-operators-grp

  IAMUser:
    Type: AWS::IAM::User
    Properties:
      UserName: ci-user
      Groups:
        - !Ref IAMGroup

  IAMUserAccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      Status: Active
      UserName: !Ref IAMUser

  FilesUploadPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: quicksight-cognito-upload-code-policy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - s3:ListBucket
            Resource: !GetAtt WebAppS3Bucket.Arn
          - Effect: Allow
            Action:
              - s3:PutObject
              - s3:DeleteObject
            Resource: !Sub '${WebAppS3Bucket.Arn}/*'
          - Effect: Allow
            Action:
              - lambda:UpdateFunctionCode
            Resource: !GetAtt QuicksightCognitoFunction.Arn
      Groups:
        - !Ref IAMGroup

#### ####

Outputs:
  WebAppCloudFrontUrl:
    Description: Web App Domain name to add to Quicksight Domains & Integration
    Value: !Sub 'https://${WebAppDistribution.DomainName}'

  CIUserAccessKey:
    Description: CI User Access Information
    Value: !Sub 'Access Key: ${IAMUserAccessKey}, Secret Key: ${IAMUserAccessKey.SecretAccessKey}' # Be careful with credentials in Cloudformation output :)