
Add Workshop E2E (#253) * feat: e2e tutorial lab5 * docs: Add README.md for 05-AgentCore Observability lab * feat: Add Lab 6 of E2E tutorial * fix: Fix Agent ECR repository typo * docs: Update Lab 6 Guidelines * feat: cleanup guardrails * docs: fix step name * added lab4 * Add Lab 3 Identity Notebook and README * added memory and updated lab 1 * pushing all of the helper files from original use case. Remove as needed * feat: update lab1 helper file * chore: restructure utils * feat: update memory helper * chore: restructure identity * chore: append to agent definition from the helper * Renamed agentcore identity to lab6 * Renamed Gateway notebook to Lab 3 and reviewed with fixes * Fixed typo in delete_memory * Lab 1: review and minor fixes * Lab 1: cleanup * Lab 2: refactored * fix: change model to Claude 3.7 * added TODOs * updated lab1 notebook * update runtime intro * refactor utils file * minor_update to memory * memory return client * revert change. * feat: update runtime lab * feat: add helper for bedrock guardrails * fix: fix typos * docs: minor update * update lab1 tools * update memory * update - runtime * updated lab3 + lambda * removed outputs * changed sh * removed zip * added one missing piece * chore: rm observability old lab * Updates to Lab6 Identity * Updates to Lab6 Identity * updated arch. diagram * update docs lab1 * rename-lab-5-6 * update arch doc * lab 03 * fixed lab 3 docs * Fix Lab 4 * Lab 7 frontend * Fix lab7 * Fix prereq issues and update gitignore * adding lab 3 tool removal * removed checkpoints * merged * chore: Update Lab 4 documentation * fix: Update AgentCore IAM Role to access memory * Lab 7 fixed invoke to runtime * minor changes * removed guardrails + minor edits * Deleting files and folders. 
* Rename, Refactor and deletion Added sagemaker_helper * fixing Client * Removing guardrails code * remove unused arch * remove unused files * updating lab01 * remove policies * updating lab02 * docs: Update lab 4 markdown * chore: Update Lab 4 * update cleanup * cleaning up DS_Store files * frontend * updates to lab1 notebook * updating architectures * Lab5: fixed response formatting in streamlit app * updating lab3 * updated lab3 * Lab 5 and Lab 6 and Helper Scripts Updates Lab 5: Added the architecture diagram Lab 6: Updated the notebook Utils: Added helper functions Sagemaker_helper: Cosmetic Updates * Updating lab 4 * removing clean up from lab 3 * added lab3 changes * Streamlit Fixes, Cosmetic Updates, Notebook Updates * add maira's changes * update lab2+3 * minor updates * sync labs * fix runtime docs * refactoring end-to-end tutorials * remove guardrail ss --------- Co-authored-by: Aleksei Iancheruk <aianch@amazon.fr> Co-authored-by: EugeneSel <youdjin.sel15@gmail.com> Co-authored-by: Aidan Ricci <riaidan@amazon.com> Co-authored-by: Achintya <pinnintiachintya@gmail.com> Co-authored-by: naresh rajaram <nareshrd@amazon.com> Co-authored-by: Lorenzo Micheli <lorenzo.micheli@gmail.com> Co-authored-by: Achintya <apinnint@amazon.com> Co-authored-by: HT <hardikvt@amazon.com> Co-authored-by: HT <hardik.thakkar00@gmail.com> Co-authored-by: Maira Ladeira Tanke <mttanke@amazon.com>
2025-08-14 22:52:33 -04:00
AWSTemplateFormatVersion: '2010-09-09'
Description: 'CloudFormation template for Customer Support System with DynamoDB tables, SSM parameters, and synthetic data'

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Cognito Configuration
        Parameters:
          - UserPoolName
          - MachineAppClientName
          - WebAppClientName

Parameters:
  UserPoolName:
    Type: String
    Default: 'CustomerSupportGatewayPool'
    Description: 'Name of the Cognito User Pool'
  MachineAppClientName:
    Type: String
    Default: 'CustomerSupportMachineClient'
    Description: 'Name of the Cognito User Pool Application Client'
  WebAppClientName:
    Type: String
    Default: 'CustomerSupportWebClient'
    Description: 'Name of the Cognito User Pool Web Application Client'

Resources:
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: !Ref UserPoolName
      MfaConfiguration: 'OFF'
      UsernameConfiguration:
        CaseSensitive: false
      UsernameAttributes:
        - email # <--- Use email as username
      AutoVerifiedAttributes:
        - email # <--- Auto-verify email if you want to skip confirmation step
      # LambdaConfig:
      #   PostConfirmation: !GetAtt PostSignupFunction.Arn

  AdminGroup:
    Type: AWS::Cognito::UserPoolGroup
    Properties:
      GroupName: admin
      Description: Administrator group
      UserPoolId: !Ref UserPool
      Precedence: 1 # Higher priority (lower number = higher precedence)

  CustomerGroup:
    Type: AWS::Cognito::UserPoolGroup
    Properties:
      GroupName: customer
      Description: Regular customer group
      UserPoolId: !Ref UserPool
      Precedence: 2

  WebUserPoolClient:
    DependsOn: ResourceServer
    Type: AWS::Cognito::UserPoolClient
    Properties:
      ClientName: !Ref WebAppClientName
      UserPoolId: !Ref UserPool
      GenerateSecret: false # Don't use secret for SPA or web apps
      AllowedOAuthFlows:
        - code
      AllowedOAuthScopes:
        - openid
        - email
        - profile
        - !Join
          - ''
          - - 'default-m2m-resource-server-'
            - !Select [0, !Split ['-', !Select [2, !Split ['/', !Ref 'AWS::StackId']]]]
            - '/read'
      AllowedOAuthFlowsUserPoolClient: true
      CallbackURLs:
        - http://localhost:8501/
        - https://example.com/auth/callback
      LogoutURLs:
        - http://localhost:8501/
      SupportedIdentityProviders:
        - COGNITO
      AccessTokenValidity: 60
      IdTokenValidity: 60
      RefreshTokenValidity: 30
      TokenValidityUnits:
        AccessToken: minutes
        IdToken: minutes
        RefreshToken: days
      EnableTokenRevocation: true

  MachineUserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    DependsOn: ResourceServer
    Properties:
      ClientName: !Ref MachineAppClientName
      UserPoolId: !Ref UserPool
      GenerateSecret: true
      ExplicitAuthFlows:
        - ALLOW_REFRESH_TOKEN_AUTH
      RefreshTokenValidity: 1
      AccessTokenValidity: 60
      IdTokenValidity: 60
      TokenValidityUnits:
        AccessToken: minutes
        IdToken: minutes
        RefreshToken: days
      AllowedOAuthFlows:
        - client_credentials
      AllowedOAuthScopes:
        - !Join
          - ''
          - - 'default-m2m-resource-server-'
            - !Select [0, !Split ['-', !Select [2, !Split ['/', !Ref 'AWS::StackId']]]]
            - '/read'
      AllowedOAuthFlowsUserPoolClient: true
      SupportedIdentityProviders:
        - COGNITO
      EnableTokenRevocation: true

  ResourceServer:
    Type: AWS::Cognito::UserPoolResourceServer
    Properties:
      UserPoolId: !Ref UserPool
      Identifier: !Join
        - '-'
        - - 'default-m2m-resource-server'
          - !Select [0, !Split ['-', !Select [2, !Split ['/', !Ref 'AWS::StackId']]]]
      Name: !Join
        - '-'
        - - 'Default M2M Resource Server '
          - !Select [0, !Split ['-', !Select [2, !Split ['/', !Ref 'AWS::StackId']]]]
      Scopes:
        - ScopeName: 'read'
          ScopeDescription: 'An example scope created by Amazon Cognito quick start'

  UserPoolDomain:
    Type: AWS::Cognito::UserPoolDomain
    Properties:
      UserPoolId: !Ref UserPool
      Domain: !Join
        - ''
        - - !Ref 'AWS::Region'
          - !Select [0, !Split ['-', !Select [2, !Split ['/', !Ref 'AWS::StackId']]]]

  PostSignupFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: AllowBasicLogs
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: arn:aws:logs:*:*:*
        - PolicyName: Cognito
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - cognito-idp:AdminAddUserToGroup
                Resource: "*" # Wildcard: allows this action on every user pool in the account

  PostSignupFunction:
    Type: AWS::Lambda::Function
    Properties:
      Handler: index.lambda_handler
      Runtime: python3.13
      Role: !GetAtt PostSignupFunctionRole.Arn
      Timeout: 10
      Code:
        ZipFile: |
          import boto3

          def lambda_handler(event, context):
              user_pool_id = event['userPoolId']
              username = event['userName']
              client = boto3.client('cognito-idp')

              # Add user to 'customer' group
              # (the name must match GroupName of the CustomerGroup resource)
              try:
                  client.admin_add_user_to_group(
                      UserPoolId=user_pool_id,
                      Username=username,
                      GroupName='customer'
                  )
                  print(f"User {username} added to 'customer' group.")
              except Exception as e:
                  print(f"Error adding user to group: {e}")

              # Cognito triggers expect the event to be returned
              return event

  CognitoMachineClientIdParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /app/customersupport/agentcore/machine_client_id
      Type: String
      Value: !Ref MachineUserPoolClient
      Description: Machine Cognito client ID
      Tags:
        Application: CustomerSupport

  CognitoWebClientIdParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /app/customersupport/agentcore/web_client_id
      Type: String
      Value: !Ref WebUserPoolClient
      Description: Cognito client ID for web app
      Tags:
        Application: CustomerSupport

  UserPoolIdParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /app/customersupport/agentcore/userpool_id
      Type: String
      Value: !Ref UserPool
      Description: Cognito User Pool ID
      Tags:
        Application: CustomerSupport

  CognitoAuthScopeParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /app/customersupport/agentcore/cognito_auth_scope
      Type: String
      Value: !Join
        - ''
        - - 'default-m2m-resource-server-'
          - !Select [0, !Split ['-', !Select [2, !Split ['/', !Ref 'AWS::StackId']]]]
          - '/read'
      Description: OAuth2 scope for Cognito auth
      Tags:
        Application: CustomerSupport

  CognitoDiscoveryURLParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /app/customersupport/agentcore/cognito_discovery_url
      Type: String
      Value: !Sub 'https://cognito-idp.${AWS::Region}.amazonaws.com/${UserPool}/.well-known/openid-configuration'
      Description: OAuth2 Discovery URL
      Tags:
        Application: CustomerSupport

  CognitoTokenURLParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /app/customersupport/agentcore/cognito_token_url
      Type: String
      Value: !Join
        - ''
        - - !Sub 'https://${AWS::Region}'
          - !Select [0, !Split ['-', !Select [2, !Split ['/', !Ref 'AWS::StackId']]]]
          - !Sub '.auth.${AWS::Region}.amazoncognito.com/oauth2/token'
      Description: OAuth2 Token URL
      Tags:
        Application: CustomerSupport

  CognitoAuthorizeURLParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /app/customersupport/agentcore/cognito_auth_url
      Type: String
      Value: !Join
        - ''
        - - !Sub 'https://${AWS::Region}'
          - !Select [0, !Split ['-', !Select [2, !Split ['/', !Ref 'AWS::StackId']]]]
          - !Sub '.auth.${AWS::Region}.amazoncognito.com/oauth2/authorize'
      Description: OAuth2 Authorize URL
      Tags:
        Application: CustomerSupport

  CognitoDomainParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /app/customersupport/agentcore/cognito_domain
      Type: String
      Value: !Join
        - ''
        - - !Sub 'https://${AWS::Region}'
          - !Select [0, !Split ['-', !Select [2, !Split ['/', !Ref 'AWS::StackId']]]]
          - !Sub '.auth.${AWS::Region}.amazoncognito.com'
      Description: Cognito hosted domain for OAuth2
      Tags:
        Application: CustomerSupport