[AWS] Introducing a CloudFormation Template for Creating a Cognito User Pool


Introduction

As part of automating the Cognito setup, I created a CloudFormation template for creating a Cognito User Pool.

Template Example

AWSTemplateFormatVersion: 2010-09-09
Description:
  This template creates an Amazon Cognito Userpool.
  You will be billed for the AWS resources used if you create a stack from this
  template.
Parameters:
  FromEmailAddress:
    Description: from email address
    Type: String
  FromEmailIdentityArn:
    Description: from email ses arn
    Type: String
  Stage:
    Type: String
    Description: The name for a project stage, such as Prod, Acpt, Dev or Unit
  UserPoolBaseName:
    Description: User Pool Base Name
    Type: String
  UserPoolSuffixName:
    Description: The suffix for UserPoolName
    Type: String
  UserPoolTagCost:
    Description: The tag for cost management
    Type: String

Resources:
  UserPool:
    Type: 'AWS::Cognito::UserPool'
    Properties:
      UserPoolName: !Sub '${UserPoolBaseName}${Stage}${UserPoolSuffixName}'
      AccountRecoverySetting:
        RecoveryMechanisms:
          - Name: verified_email
            Priority: 1
      AdminCreateUserConfig:
        AllowAdminCreateUserOnly: true
        UnusedAccountValidityDays: 90
      AutoVerifiedAttributes:
        - email
      EmailConfiguration:
        SourceArn: !Ref FromEmailIdentityArn
        From: !Ref FromEmailAddress
        EmailSendingAccount: DEVELOPER
      Policies:
        PasswordPolicy:
          MinimumLength: 8
          RequireLowercase: true
          RequireNumbers: true
          RequireSymbols: false
          RequireUppercase: false
      Schema:
        - Name: email
          AttributeDataType: String
          DeveloperOnlyAttribute: false
          Mutable: true
          Required: true
        - Name: 'office_group_id'
          AttributeDataType: String
          DeveloperOnlyAttribute: false
          Mutable: true
          Required: false
          StringAttributeConstraints:
            MinLength: 0
            MaxLength: 256
        - Name: 'office_id'
          AttributeDataType: String
          DeveloperOnlyAttribute: false
          Mutable: true
          Required: false
          StringAttributeConstraints:
            MinLength: 0
            MaxLength: 256
        - Name: 'business_id'
          AttributeDataType: String
          DeveloperOnlyAttribute: false
          Mutable: true
          Required: false
          StringAttributeConstraints:
            MinLength: 0
            MaxLength: 256
        - Name: 'user_type'
          AttributeDataType: String
          DeveloperOnlyAttribute: false
          Mutable: true
          Required: false
          StringAttributeConstraints:
            MinLength: 0
            MaxLength: 256
      UsernameAttributes:
        - email
      UsernameConfiguration:
        CaseSensitive: true
      UserPoolAddOns:
        AdvancedSecurityMode: 'OFF'
      UserPoolTags:
        Cost: !Ref UserPoolTagCost
      VerificationMessageTemplate:
        DefaultEmailOption: CONFIRM_WITH_CODE
  AppClientWeb:
    Type: 'AWS::Cognito::UserPoolClient'
    Properties:
      UserPoolId: !Ref UserPool
      ClientName: !Sub '${UserPoolBaseName}${Stage}${UserPoolSuffixName}_app_clientWeb'
      AllowedOAuthFlowsUserPoolClient: false
      EnableTokenRevocation: false
      ExplicitAuthFlows:
        - ALLOW_CUSTOM_AUTH
        - ALLOW_USER_SRP_AUTH
        - ALLOW_REFRESH_TOKEN_AUTH
      RefreshTokenValidity: 30
      AccessTokenValidity: 1
      IdTokenValidity: 1
      TokenValidityUnits:
        RefreshToken: days
        AccessToken: hours
        IdToken: hours
      PreventUserExistenceErrors: LEGACY
      ReadAttributes:
        - 'birthdate'
        - 'custom:office_group_id'
        - 'custom:office_id'
        - 'custom:business_id'
        - 'custom:user_type'
        - 'email'
        - 'email_verified'
        - 'family_name'
        - 'given_name'
        - 'middle_name'
        - 'name'
      WriteAttributes:
        - 'birthdate'
        - 'custom:office_group_id'
        - 'custom:office_id'
        - 'custom:business_id'
        - 'custom:user_type'
        - 'email'
        - 'family_name'
        - 'given_name'
        - 'middle_name'
        - 'name'
      GenerateSecret: false
    DependsOn:
      - UserPool
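
The template above leaves several security-relevant settings at their weaker values: `AdvancedSecurityMode` is `'OFF'`, `PreventUserExistenceErrors` is `LEGACY` (error responses reveal whether a username exists), `EnableTokenRevocation` is `false` (refresh tokens cannot be revoked), and `CaseSensitive` is `true`. The following script is an added example, not code from the original post: it loads the template with PyYAML (assumed to be installed), maps CloudFormation's short-form intrinsics such as `!Ref` and `!Sub` to their long forms so the file parses, and reports those settings as findings. The rule ids (`COG-001` etc.) and the trimmed copy of the template embedded in the script are constructed for this example.

```python
"""Security lint for the Cognito CloudFormation template (added example)."""
import yaml

# Trimmed copy of the page's template, reduced to the properties the checks
# inspect. Constructed for this example; the real template has more settings.
TEMPLATE = """
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  Stage:
    Type: String
Resources:
  UserPool:
    Type: 'AWS::Cognito::UserPool'
    Properties:
      UserPoolName: !Sub 'Pool${Stage}'
      Policies:
        PasswordPolicy:
          MinimumLength: 8
      UsernameConfiguration:
        CaseSensitive: true
      UserPoolAddOns:
        AdvancedSecurityMode: 'OFF'
  AppClientWeb:
    Type: 'AWS::Cognito::UserPoolClient'
    Properties:
      UserPoolId: !Ref UserPool
      EnableTokenRevocation: false
      ExplicitAuthFlows:
        - ALLOW_CUSTOM_AUTH
        - ALLOW_USER_SRP_AUTH
        - ALLOW_REFRESH_TOKEN_AUTH
      PreventUserExistenceErrors: LEGACY
      GenerateSecret: false
"""


class CfnLoader(yaml.SafeLoader):
    """SafeLoader that understands CloudFormation's !Ref / !Sub / ... tags."""


def _intrinsic(loader, tag_suffix, node):
    # !Ref X -> {"Ref": "X"}; !Sub S -> {"Fn::Sub": S}; !GetAtt [..] -> {"Fn::GetAtt": [..]}
    key = "Ref" if tag_suffix == "Ref" else "Fn::" + tag_suffix
    if isinstance(node, yaml.ScalarNode):
        return {key: loader.construct_scalar(node)}
    if isinstance(node, yaml.SequenceNode):
        return {key: loader.construct_sequence(node)}
    return {key: loader.construct_mapping(node)}


CfnLoader.add_multi_constructor("!", _intrinsic)


def load_template(text):
    return yaml.load(text, Loader=CfnLoader)


# Flows that send the password itself instead of an SRP proof.
PLAINTEXT_PASSWORD_FLOWS = {"ALLOW_USER_PASSWORD_AUTH", "ALLOW_ADMIN_USER_PASSWORD_AUTH"}


def lint(template):
    """Return (rule_id, resource_name, message) for every weak Cognito setting."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::Cognito::UserPool":
            # An unquoted OFF is read by YAML as boolean false; str() covers both.
            mode = str(props.get("UserPoolAddOns", {}).get("AdvancedSecurityMode", "OFF")).upper()
            if mode not in ("AUDIT", "ENFORCED"):
                findings.append(("COG-001", name, "AdvancedSecurityMode %s: AUDIT/ENFORCED adds "
                                 "compromised-credential detection and adaptive auth" % mode))
            min_len = props.get("Policies", {}).get("PasswordPolicy", {}).get("MinimumLength", 8)
            if min_len < 8:
                findings.append(("COG-002", name, "password MinimumLength %d is below 8" % min_len))
            # Only flag an explicit true; the service default is not checked here.
            if props.get("UsernameConfiguration", {}).get("CaseSensitive") is True:
                findings.append(("COG-003", name, "CaseSensitive true: case-insensitive usernames "
                                 "avoid duplicate accounts differing only by letter case"))
        elif res.get("Type") == "AWS::Cognito::UserPoolClient":
            if props.get("PreventUserExistenceErrors", "LEGACY") != "ENABLED":
                findings.append(("COG-004", name, "PreventUserExistenceErrors not ENABLED: "
                                 "LEGACY errors reveal whether a username exists"))
            if props.get("EnableTokenRevocation", True) is not True:
                findings.append(("COG-005", name, "EnableTokenRevocation false: refresh tokens "
                                 "cannot be revoked after a compromise"))
            bad = PLAINTEXT_PASSWORD_FLOWS & set(props.get("ExplicitAuthFlows", []))
            if bad:
                findings.append(("COG-006", name, "plaintext password flows %s enabled; "
                                 "prefer ALLOW_USER_SRP_AUTH" % sorted(bad)))
    return findings


if __name__ == "__main__":
    for rule, resource, message in lint(load_template(TEMPLATE)):
        print(f"{rule} [{resource}] {message}")
```

Run against the template above it reports COG-001, COG-003, COG-004 and COG-005; the SRP-only `ExplicitAuthFlows` and the 8-character minimum pass. The loader maps every `!Tag` to its long form generically, so the same script works on templates that also use `!GetAtt` or `!Join`.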

Supplementary Notes

Structure
The template creates one User Pool and one app client that belongs to it.

Limitations
Partly because Japanese cannot be used, not every setting is reflected automatically.

Parameters: section
Input definitions for the parameters. Default values are set for the parts that are common across environments.
Note: Japanese text became garbled and could not be set.

AppClientWeb: section
The UserPoolClient definition for the app.

Reference Sites

AWS::Cognito::UserPool
AWS::Cognito::UserPoolClient
These are the official AWS documents I referred to.

Cognito with CloudFormation (CloudFormation で Cognito)
Creating an AWS Cognito User Pool and Implementing Signup (AWS CognitoユーザPoolの作成とSignupの実装)
I used these as references for the writing style and the approach.

Closing

I hope the above is helpful.