Add userpool client product

tmclaugh · tmclaugh · commit 7c77779c72a8 · 2024-11-05T20:25:13.000-05:00
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -35,6 +35,9 @@ jobs:
       - name: Validate template (products stackset)
         run: sam validate --lint --template ./products/stackset.yaml
 
+      - name: Validate template (client product)
+        run: sam validate --lint --template ./products/client/product.yaml
+
       - name: Validate template (server product)
         run: sam validate --lint --template ./products/server/product.yaml
 
diff --git a/products/client/product.yaml b/products/client/product.yaml
@@ -0,0 +1,44 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Create a Cognito User Pool Client
+
+Parameters:
+  CognitoUserPoolId:
+    Type: AWS::SSM::Parameter::Value<String>
+    Description: The ID of the user pool to which the resource server belongs
+    Default: /org/authnz/UserPoolId
+  ClientName:
+    Type: String
+    Description: The name of the client
+  AllowedAuthScopes:
+    Type: CommaDelimitedList
+    Description: The allowed OAuth scopes
+
+Resources:
+  CognitoUserPoolClient:
+    Type: AWS::Cognito::UserPoolClient
+    Properties:
+      ClientName: !Ref ClientName
+      UserPoolId: !Ref CognitoUserPoolId
+      PreventUserExistenceErrors: ENABLED
+      EnableTokenRevocation: true
+      GenerateSecret: true
+      TokenValidityUnits:
+        IdToken: minutes
+        AccessToken: minutes
+        RefreshToken: days
+      AccessTokenValidity: 10
+      IdTokenValidity: 10
+      RefreshTokenValidity: 1
+      AllowedOAuthFlowsUserPoolClient: true
+      AllowedOAuthFlows:
+        - client_credentials
+      AllowedOAuthScopes: !Ref AllowedAuthScopes
+      ReadAttributes:
+        - name
+      WriteAttributes:
+        - name
+      ExplicitAuthFlows:
+        - ALLOW_USER_SRP_AUTH
+        - ALLOW_REFRESH_TOKEN_AUTH
+      SupportedIdentityProviders:
+        - COGNITO
diff --git a/products/stackset.yaml b/products/stackset.yaml
@@ -50,4 +50,22 @@ Resources:
     Type: AWS::ServiceCatalog::PortfolioProductAssociation
     Properties:
       PortfolioId: !Ref ApiAuthnzPortfolio
-      ProductId: !Ref CognitoResourceServerProduct
+      ProductId: !Ref CognitoResourceServerProduct
+
+  CognitoUserPoolClientProduct:
+    Type: AWS::ServiceCatalog::CloudFormationProduct
+    Properties:
+      Name: Cognito User Pool Client
+      Description: Create a Cognito User Pool Client
+      Owner: ServerlessOps
+      ProvisioningArtifactParameters:
+        - Name: latest
+          Description: latest release
+          Info:
+            LoadTemplateFromURL: !Sub 'https://${CfnTemplateBucket}.s3.amazonaws.com/serverlessops-api-authnz/${GitHubSha}/client/product.yaml'
+
+  CognitoUserPoolClientProductAssociation:
+    Type: AWS::ServiceCatalog::PortfolioProductAssociation
+    Properties:
+      PortfolioId: !Ref ApiAuthnzPortfolio
+      ProductId: !Ref CognitoUserPoolClientProduct
