kalleeh · kalleeh · Feb 13, 2020 · Feb 13, 2020 · Apr 1, 2020 · Apr 1, 2020
diff --git a/helpers/cognito_quick_group.sh b/helpers/cognito_quick_group.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+set -e
+
+echo -e "Checking if the platform has been setup..\n"
+
+## Retreive Cognito Details
+USER_POOL_ID=$(aws cognito-idp list-user-pools --max-results 20 | jq -r '.UserPools[] | select(.Name == "gurum_users") | .Id')
+if [ -z $USER_POOL_ID ]; then 
+    echo "No user pool found. Ensure the platform has been setup first."
+    exit 1
+fi
+
+##App client id
+IDENTITY_POOL_ID=$(aws cognito-identity list-identity-pools --max-results 20 | jq -r '.IdentityPools[] | select(.IdentityPoolName == "gurum_idp") | .IdentityPoolId')
+if [ -z $IDENTITY_POOL_ID ]; then 
+    echo "No identity pool found. Ensure the platform has been setup first."
+    exit 1
+fi
+
+# MODIFY TRUST POLICY JSON
+MYDIR="$(dirname "$(which "$0")")"
+sed -i.bak "s/###REPLACEIDENTITYPOOLID###/$IDENTITY_POOL_ID/g" $MYDIR/group_trust_policy.json
+
+# USER CREATION
+echo "Enter a group name:"
+read GROUP_NAME
+
+## Create the IAM Role
+ROLE_NAME="gurum-$GROUP_NAME-role"
+ROLE_ARN=$(aws iam create-role \
+    --path '/gurum/groups/' \
+    --role-name $ROLE_NAME \
+    --assume-role-policy-document file://$MYDIR/group_trust_policy.json \
+    --description "Gurum Cognito Group Assume Role for $GROUP_NAME" \
+    --tags Key=gurum-groups,Value=$GROUP_NAME | jq -r '.Role.Arn')
+
+## Attach IAM role policy
+ACCOUNT_ID=$(aws sts get-caller-identity --output text --query 'Account')
+aws iam attach-role-policy \
+    --role-name $ROLE_NAME \
+    --policy-arn "arn:aws:iam::$ACCOUNT_ID:policy/gurum/gurum-group-policy"
+
+## Create the Cognito Group
+aws cognito-idp create-group \
+    --group-name $GROUP_NAME \
+    --user-pool-id $USER_POOL_ID \
+    --role-arn $ROLE_ARN > /dev/null
+
+echo -e "\n\nSuccess! Group created and mapped to an IAM role."
diff --git a/helpers/cognito_quick_user.sh b/helpers/cognito_quick_user.sh
@@ -4,14 +4,14 @@ set -e
 echo -e "Checking if the platform has been setup..\n"
 
 ## Retreive Cognito Details
-POOL_ID=$(aws cognito-idp list-user-pools --max-results 20 | jq -r '.UserPools[] | select(.Name == "gurum_users") | .Id')
-if [ -z $POOL_ID ]; then 
+USER_POOL_ID=$(aws cognito-idp list-user-pools --max-results 20 | jq -r '.UserPools[] | select(.Name == "gurum_users") | .Id')
+if [ -z $USER_POOL_ID ]; then 
     echo "No user pool found. Ensure the platform has been setup first."
     exit 1
 fi
 
 ##App client id
-CLIENT_ID=$(aws cognito-idp list-user-pool-clients --user-pool-id $POOL_ID | jq -r '.UserPoolClients[] | select(.ClientName == "gurum-client") | .ClientId')
+CLIENT_ID=$(aws cognito-idp list-user-pool-clients --user-pool-id $USER_POOL_ID | jq -r '.UserPoolClients[] | select(.ClientName == "gurum-client") | .ClientId')
 if [ -z $CLIENT_ID ]; then 
     echo "No client id found. Ensure the platform has been setup first."
     exit 1
@@ -21,21 +21,24 @@ fi
 echo "Enter a username:"
 read USERNAME
 
+echo "Enter a valid e-mail:"
+read EMAIL
+
 echo -e "\nEnter a password:"
 read -s PASSWORD
 
 ## Create the Cognito user
-aws cognito-idp sign-up --client-id $CLIENT_ID --username $USERNAME --password $PASSWORD > /dev/null
+aws cognito-idp sign-up --client-id $CLIENT_ID --username $USERNAME --password $PASSWORD --user-attributes Name="email",Value="$EMAIL" > /dev/null
 
 ## Assign cognito user to group
-GROUP_NAMES=$(aws cognito-idp list-groups --user-pool-id $POOL_ID | jq -r '.Groups | map(.GroupName) | join(" , ")')
+GROUP_NAMES=$(aws cognito-idp list-groups --user-pool-id $USER_POOL_ID | jq -r '.Groups | map(.GroupName) | join(" , ")')
 
 echo -e "\n\nEnter a group for the user (valid: $GROUP_NAMES):"
 read SELECTED_GROUP
 
-aws cognito-idp admin-add-user-to-group --username $USERNAME --user-pool-id $POOL_ID --group-name $SELECTED_GROUP
+aws cognito-idp admin-add-user-to-group --username $USERNAME --user-pool-id $USER_POOL_ID --group-name $SELECTED_GROUP
 
 ## Confirm the user account
-aws cognito-idp admin-confirm-sign-up --username $USERNAME --user-pool-id $POOL_ID
+aws cognito-idp admin-confirm-sign-up --username $USERNAME --user-pool-id $USER_POOL_ID
 
 echo -e "\n\nSuccess! Log-in with your chosen details."
diff --git a/helpers/group_trust_policy.json b/helpers/group_trust_policy.json
@@ -0,0 +1,17 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "cognito-identity.amazonaws.com"
+      },
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringEquals": {
+          "cognito-identity.amazonaws.com:aud": "###REPLACEIDENTITYPOOLID###"
+        }
+      }
+    }
+  ]
+}
diff --git a/src/template.yaml b/src/template.yaml
@@ -120,7 +120,7 @@ Resources:
       GenerateSecret: false
       UserPoolId: !Ref UserPool
 
-  # Creates a federated Identity pool
+  # Creates a Federated Identity pool
   IdentityPool:
     Type: 'AWS::Cognito::IdentityPool'
     Properties:
@@ -130,11 +130,31 @@ Resources:
         - ClientId: !Ref UserPoolClient
           ProviderName: !GetAtt UserPool.ProviderName
 
+  # Creates an IAM Policy using Tag Based authorization to dynamically authorize
+  # cognito federated roles to their resources based on gurum-groups tag.
+  GurumGroupPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      ManagedPolicyName: gurum-group-policy
+      Path: '/gurum/'
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: 'Allow'
+            Action:
+              - 'codecommit:*'
+              - 'logs:FilterLogEvents'
+            Resource: '*'
+            Condition:
+              StringEquals:
+                'aws:ResourceTag/gurum-groups': '${aws:PrincipalTag/gurum-groups}'
+
   # Create a role for unauthorized access to AWS resources. Very limited access.
   # Only allows users in the previously created Identity Pool
   CognitoUnAuthorizedRole:
     Type: 'AWS::IAM::Role'
     Properties:
+      Path: '/gurum/'
       AssumeRolePolicyDocument:
         Version: '2012-10-17'
         Statement:
@@ -171,6 +191,7 @@ Resources:
   CognitoAuthorizedRole:
     Type: 'AWS::IAM::Role'
     Properties:
+      Path: '/gurum/'
       AssumeRolePolicyDocument:
         Version: '2012-10-17'
         Statement:
@@ -211,20 +232,6 @@ Resources:
                   - 'cognito-identity:UpdateIdentityPool'
                 Resource: !Sub 'arn:aws:cognito-identity:${AWS::Region}:${AWS::AccountId}:identitypool/${IdentityPool}'
 
-  CognitoESAccessRole:
-    Type: 'AWS::IAM::Role'
-    Properties:
-      ManagedPolicyArns:
-        - arn:aws:iam::aws:policy/AmazonESCognitoAccess
-      AssumeRolePolicyDocument:
-        Version: '2012-10-17'
-        Statement:
-          - Effect: 'Allow'
-            Principal:
-              Service: 'es.amazonaws.com'
-            Action:
-              - 'sts:AssumeRole'
-
   # Assigns the roles to the Identity Pool
   IdentityPoolRoleMapping:
     Type: 'AWS::Cognito::IdentityPoolRoleAttachment'
@@ -237,7 +244,7 @@ Resources:
   DeploymentRole:
     Type: AWS::IAM::Role
     Properties:
-      Path: /
+      Path: '/gurum/'
       AssumeRolePolicyDocument: 
         Version: "2012-10-17"
         Statement: