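# Quoted so YAML 1.1 parsers (and linters) keep the version as a string
# instead of a date; CloudFormation requires exactly this value.
AWSTemplateFormatVersion: '2010-09-09'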
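Resources:
  # Private bucket for user-uploaded images. Browser clients address it
  # directly (hence the CORS rule) with credentials issued by IdentityPool,
  # so anonymous access is blocked and objects are encrypted at rest.
  ImageStore:
    Type: AWS::S3::Bucket
    Properties:
      CorsConfiguration:
        CorsRules:
          # NOTE(review): '*' origins combined with PUT/DELETE means any web
          # page can drive writes with a visitor's pool credentials; narrow
          # AllowedOrigins to the website origin once it is fixed.
          - AllowedHeaders: ['*']
            AllowedMethods: [GET, POST, PUT, DELETE, HEAD]
            AllowedOrigins: ['*']
            ExposedHeaders: [Date]
            MaxAge: '3600'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  # Public static-website bucket. Anonymous read is granted by
  # WebsiteBucketPolicy (object GET only). The former `AccessControl:
  # PublicRead` bucket ACL is dropped: it additionally allowed anonymous
  # bucket listing, and new buckets have ACLs disabled by default, so a
  # PublicRead ACL fails at creation.
  Website:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Join ['-', ['website', !Ref 'AWS::AccountId']]
      # Public ACLs stay blocked, but the public bucket policy below must be
      # permitted; with account-default Block Public Access the policy would
      # otherwise be rejected.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: false
        RestrictPublicBuckets: false
      WebsiteConfiguration:
        IndexDocument: index.html

  # Grants anonymous GET on objects in Website only (not on the bucket ARN
  # itself, so listing stays private).
  WebsiteBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref Website
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action: ['s3:GetObject']
            Resource: !Join ['', ['arn:aws:s3:::', !Ref 'Website', '/*']]

  # Deployment artifacts for the Lambda functions; private and encrypted.
  LambdaCodeStore:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Join ['-', ['lambdacodestore', !Ref 'AWS::AccountId']]
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  # Model artifacts consumed by the Lambda functions; private and encrypted.
  DLModelStore:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Join ['-', ['dlmodelstore', !Ref 'AWS::AccountId']]
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  # User directory for application sign-in.
  # NOTE(review): no PasswordPolicy or MFA settings are declared, so the
  # service defaults apply - confirm they meet the app's requirements.
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: DLAppUserPool

  # Secret-less app client, as required for browser/mobile sign-in.
  UserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      GenerateSecret: false
      RefreshTokenValidity: 30
      UserPoolId: !Ref UserPool

  # Issues AWS credentials to app users. Guest (unauthenticated) identities
  # are enabled, so anyone holding the pool ID can obtain credentials for
  # CognitoUnauthRole; that role's policies are the stack's public surface.
  IdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      AllowUnauthenticatedIdentities: true
      CognitoIdentityProviders:
        - ClientId: !Ref UserPoolClient
          ProviderName: !GetAtt UserPool.ProviderName

  # Role assumed by guest identities. The trust policy is pinned to this
  # identity pool (aud) and to unauthenticated identities (amr).
  CognitoUnauthRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub Cognito_${IdentityPool.Name}_Unauth_Role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: ['sts:AssumeRoleWithWebIdentity']
            Condition:
              StringEquals:
                'cognito-identity.amazonaws.com:aud': !Ref IdentityPool
              'ForAnyValue:StringLike':
                'cognito-identity.amazonaws.com:amr': unauthenticated
      Policies:
        - PolicyName: cognitounauth
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # NOTE(review): execute-api:* on every API in the account is
              # reachable by unauthenticated guests; scope it to the app's
              # API Gateway ARN and the methods guests actually call.
              - Effect: Allow
                Action:
                  - mobileanalytics:PutEvents
                  - cognito-sync:*
                  - execute-api:*
                Resource:
                  - '*'
        - PolicyName: cognitounauths3access
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # NOTE(review): s3:* on objects lets guests overwrite or delete
              # any upload; prefer an explicit action list (GetObject,
              # PutObject and, only if the browser really deletes,
              # DeleteObject).
              - Effect: Allow
                Action:
                  - 's3:*'
                Resource:
                  - !Join ['', ['arn:aws:s3:::', !Ref 'ImageStore', '/*']]

  # Role assumed by signed-in identities. Cognito Identity obtains credentials
  # through AssumeRoleWithWebIdentity, so the trust policy must allow that
  # action, and it is pinned to this pool (aud) and to authenticated
  # identities (amr); without the Condition any identity pool in any account
  # could assume the role.
  CognitoAuthRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub Cognito_${IdentityPool.Name}_Auth_Role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: ['sts:AssumeRoleWithWebIdentity']
            Condition:
              StringEquals:
                'cognito-identity.amazonaws.com:aud': !Ref IdentityPool
              'ForAnyValue:StringLike':
                'cognito-identity.amazonaws.com:amr': authenticated
      Policies:
        - PolicyName: cognitoauth
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # NOTE(review): same account-wide execute-api:* grant as the
              # guest role; scope it to the app's API.
              - Effect: Allow
                Action:
                  - mobileanalytics:PutEvents
                  - cognito-sync:*
                  - execute-api:*
                Resource:
                  - '*'

  # Binds the two roles to the pool; the DependsOn is implied by the
  # Ref/GetAtt references but kept for explicitness.
  IdentityPoolRoleAttachment:
    DependsOn: [IdentityPool, CognitoUnauthRole, CognitoAuthRole]
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref IdentityPool
      Roles:
        authenticated: !GetAtt CognitoAuthRole.Arn
        unauthenticated: !GetAtt CognitoUnauthRole.Arn

  # Execution role for the application's Lambda functions.
  # NOTE(review): the fixed RoleName means only one copy of this stack can
  # exist per account; a !Sub with ${AWS::StackName} would lift that limit
  # but changes a name that deploy tooling may reference.
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: LambdaExecutionRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: LambdaExecution
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # CloudWatch Logs for this account/region's Lambda log groups.
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource:
                  - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*:*:*'
              # NOTE(review): invoke on every function in every account and
              # region is broader than this stack needs; pin the Resource to
              # the functions it deploys.
              - Effect: Allow
                Action:
                  - lambda:InvokeFunction
                Resource: 'arn:aws:lambda:*:*:*:*'
              # Object-level access to the three private buckets. Note the
              # bucket ARNs themselves are not listed, so s3:ListBucket is
              # not granted.
              - Effect: Allow
                Action:
                  - 's3:*'
                Resource:
                  - !Join ['', ['arn:aws:s3:::', !Ref 'ImageStore', '/*']]
                  - !Join ['', ['arn:aws:s3:::', !Ref 'DLModelStore', '/*']]
                  - !Join ['', ['arn:aws:s3:::', !Ref 'LambdaCodeStore', '/*']]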
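# Stack outputs exposing the bucket names, Cognito identifiers and role
# name created above.
Outputs:
  LambdaCodeStore:
    Description: "S3 bucket for storing lambda code"
    Value: !Ref LambdaCodeStore
  ImageStore:
    Description: "S3 bucket for storing uploaded images"
    Value: !Ref ImageStore
  DLModelStore:
    Description: "S3 bucket for storing deep learning models"
    Value: !Ref DLModelStore
  Website:
    Description: "S3 bucket for hosting static website"
    Value: !Ref Website
  # S3 website endpoints are served over HTTP only.
  WebsiteURL:
    Description: "URL for website hosted on S3"
    Value: !GetAtt [Website, WebsiteURL]
  # HTTPS REST endpoint of the same bucket: it serves objects by key but
  # does not apply the IndexDocument routing of the website endpoint.
  WebsiteBucketSecureURL:
    Description: "HTTPS URL of the S3 bucket holding the website content"
    Value: !Join ['', ['https://', !GetAtt [Website, DomainName]]]
  UserPool:
    Description: "User pool ID"
    Value: !Ref UserPool
  IdentityPool:
    Description: "Identity pool ID"
    Value: !Ref IdentityPool
  ClientId:
    Description: "Client id for the user pool appclient"
    Value: !Ref UserPoolClient
  LambdaExecutionRole:
    Description: "IAM Role for executing Lambda functions"
    Value: !Ref LambdaExecutionRole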