2017-06-12 97 views

Answers

0

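It is currently not possible to export an existing user pool from Cognito. However, you can create new user pools in AWS CloudFormation and then continue managing those pools from CloudFormation itself using the AWS::Cognito::UserPool resource type.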

3

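It is not possible to export. You need the following 6 resources to automate the process.

  1. Cognito authenticated role
  2. Cognito unauthenticated role
  3. User pool
  4. User pool client
  5. Identity pool
  6. Identity pool role attachment

You will need 3 outputs, which you may need to use in your code. Here is the code to create these: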

```yaml
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  envParameter:
    Type: String
    Default: dev
    AllowedValues: [ dev, test, qa, prod ]
    Description: Suffix to be added for names.
Resources:
  # User pool and the app client that signs users in against it
  myApiUserPool:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: !Sub myApiUserPool${envParameter}
  myApiUserPoolClient:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      ClientName: !Sub myApiUserPoolClient${envParameter}
      GenerateSecret: False
      RefreshTokenValidity: 30
      UserPoolId: !Ref myApiUserPool
  # Identity pool that exchanges user pool tokens for AWS credentials
  myApiIdentityPool:
    Type: "AWS::Cognito::IdentityPool"
    Properties:
      IdentityPoolName: !Sub myApiIdentityPool${envParameter}
      AllowUnauthenticatedIdentities: False
      CognitoIdentityProviders:
        - ClientId: !Ref myApiUserPoolClient
          ProviderName: !GetAtt myApiUserPool.ProviderName
  # Role for unauthenticated (guest) identities
  cognitoUnauthRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Sub Cognito_${myApiIdentityPool.Name}_Unauth_Role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            # Cognito Identity assumes roles through web identity federation
            Action: [ 'sts:AssumeRoleWithWebIdentity' ]
      Policies:
        - PolicyName: cognitounauth
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - mobileanalytics:PutEvents
                  - cognito-sync:*
                Resource:
                  - "*"
  # Role for authenticated identities
  cognitoAuthRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Sub Cognito_${myApiIdentityPool.Name}_Auth_Role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: [ 'sts:AssumeRoleWithWebIdentity' ]
      Policies:
        - PolicyName: cognitoauth
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - mobileanalytics:PutEvents
                  - cognito-sync:*
                  - execute-api:*
                Resource:
                  - "*"
  # Binds the two roles to the identity pool
  myApiIdentityPoolRoleAttachment:
    DependsOn: [ myApiIdentityPool, cognitoUnauthRole, cognitoAuthRole ]
    Type: "AWS::Cognito::IdentityPoolRoleAttachment"
    Properties:
      IdentityPoolId: !Ref myApiIdentityPool
      Roles:
        authenticated: !GetAtt cognitoAuthRole.Arn
        unauthenticated: !GetAtt cognitoUnauthRole.Arn
Outputs:
  userPool:
    Description: "User pool ID"
    Value: !Ref myApiUserPool
  identityPool:
    Description: "Identity pool ID"
    Value: !Ref myApiIdentityPool
  ClientId:
    Description: "Client id for the user pool appclient"
    Value: !Ref myApiUserPoolClient
```
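A tightened variant of the authenticated role from the template above, added here as an example and not part of the original answer: the trust policy accepts only tokens issued for this identity pool (`aud`) to signed-in identities (`amr`), and API invocation is scoped to a single API. `apiIdParameter` is a hypothetical parameter introduced for illustration.

```yaml
Parameters:
  apiIdParameter:             # hypothetical parameter: ID of the REST API the app calls
    Type: String
Resources:
  cognitoAuthRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Sub Cognito_${myApiIdentityPool.Name}_Auth_Role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: 'sts:AssumeRoleWithWebIdentity'
            Condition:
              # Accept only tokens issued for this identity pool ...
              StringEquals:
                'cognito-identity.amazonaws.com:aud': !Ref myApiIdentityPool
              # ... and only for signed-in identities. The unauthenticated
              # role takes the same block with the value "unauthenticated".
              'ForAnyValue:StringLike':
                'cognito-identity.amazonaws.com:amr': authenticated
      Policies:
        - PolicyName: cognitoauth
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: [ 'mobileanalytics:PutEvents', 'cognito-sync:*' ]
                Resource: '*'
              # Invoke rights limited to one API instead of execute-api:* on "*".
              - Effect: Allow
                Action: 'execute-api:Invoke'
                Resource: !Sub 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${apiIdParameter}/*'
```

Without the `aud` condition, the trust policy does not tie the role to this particular identity pool.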