Create userpool domain

tmclaugh · tmclaugh · commit 4d92969bf6e2 · 2024-10-27T16:50:40.000-04:00
diff --git a/cfn-parameters.json b/cfn-parameters.json
@@ -5,7 +5,7 @@
     "CodeBranch": $env.GITHUB_REF_SLUG_CS,
     "UserPoolName": $secrets.USER_POOL_NAME,
     "UserPoolDomainName": $secrets.USER_POOL_DOMAIN_NAME,
-    "DnsZoneId": "/org/dns/ZoneId",
+    "ParentDnsZoneId": $secrets.PARENT_DNS_ZONE_ID,
     "TargetOuIds": $secrets.DEPLOYMENT_TARGET_OU,
     "TargetRegions": "us-east-1",
     "TargetAccountIds": $secrets.DEPLOYMENT_TARGET_ACCOUNT_ID,
diff --git a/stacksets/userpool/stackset.yaml b/stacksets/userpool/stackset.yaml
@@ -5,6 +5,12 @@ Parameters:
   UserPoolName:
     Type: String
     Description: Name of UserPool
+  UserPoolDomainName:
+    Type: String
+    Description: Name of UserPool Domain
+  ParentDnsZoneId:
+    Type: String
+    Description: "Route53 Hosted Zone ID"
 
 Resources:
   UserPool:
@@ -15,3 +21,40 @@ Resources:
       UserPoolName: !Ref UserPoolName
       AdminCreateUserConfig:
         AllowAdminCreateUserOnly: true
+
+  # DNS
+  #
+  # Cognito site verification requires either an A record at the root of the site's domain or a
+  # delegation to another zone. Rathert than mess with the serverlessops.io apex record we
+  # create a new zone for the user pool domain and add a delegation set to the parent zone.
+
+  AuthnzZone:
+    Type: "AWS::Route53::HostedZone"
+    Properties:
+      Name: !Ref UserPoolDomainName
+      HostedZoneConfig:
+        Comment: ServerlessOps Authnz
+
+  AuthnzDelegationSet:
+    Type: "AWS::Route53::RecordSet"
+    Properties:
+      HostedZoneId: !Ref ParentDnsZoneId
+      Name: !Ref UserPoolDomainName
+      Type: NS
+      TTL: '3600'
+      ResourceRecords: !GetAtt AuthnzZone.NameServers
+
+  SiteCertificate:
+    Type: AWS::CertificateManager::Certificate
+    DependsOn: AuthnzZone
+    Properties:
+      DomainName: !Ref UserPoolDomainName
+      ValidationMethod: DNS
+
+  UserPoolDomain:
+    Type: AWS::Cognito::UserPoolDomain
+    Properties:
+      Domain: !Ref UserPoolDomainName
+      UserPoolId: !Ref UserPool
+      CustomDomainConfig:
+        CertificateArn: !Ref SiteCertificate
diff --git a/template.yaml b/template.yaml
@@ -18,6 +18,12 @@ Parameters:
   UserPoolName:
     Type: String
     Description: Name of UserPool
+  UserPoolDomainName:
+    Type: String
+    Description: Name of UserPool Domain
+  ParentDnsZoneId:
+    Type: String
+    Description: "Route53 Hosted Zone ID of parent zone"
 
 Resources:
   UserPoolStackSet:
@@ -28,6 +34,10 @@ Resources:
       Parameters:
         - ParameterKey: UserPoolName
           ParameterValue: !Ref UserPoolName
+        - ParameterKey: UserPoolDomainName
+          ParameterValue: !Ref UserPoolDomainName
+        - ParameterKey: ParentDnsZoneId
+          ParameterValue: !Ref ParentDnsZoneId
       StackInstancesGroup:
         - DeploymentTargets:
             AccountFilterType: INTERSECTION
