How to export Cognito User Pool settings to CloudFormation template?

I've created Cognito User Pool through AWS Console, but I want to automate creation of new Cognito User Pools through CloudFormation. Can I export my current User Pool configuration to CloudFormation template?

Asked by ozren1983 on Jun 12 '17 15:06


1 Answer

It's not possible to export. You would need the 6 resources below to automate the process.

  1. Cognito Authenticated role
  2. Cognito unAuthenticated role
  3. User pool
  4. User Pool Client
  5. Identity Pool
  6. Identity Pool Role attachment

You would need 3 outputs which you might need to use in your code. Below is the code for creating these:

AWSTemplateFormatVersion: 2010-09-09
Parameters:
  envParameter:
    Type: String
    Default: dev
    AllowedValues: [ dev, test, qa, prod ]
    Description: Suffix to be added for names.
Resources:
  # 3. User pool
  myApiUserPool:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: !Sub myApiUserPool${envParameter}
  # 4. User pool app client (no client secret, so it is usable from browser and mobile apps)
  myApiUserPoolClient:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      ClientName: !Sub myApiUserPoolClient${envParameter}
      GenerateSecret: False
      RefreshTokenValidity: 30
      UserPoolId: !Ref myApiUserPool
  # 5. Identity pool, federating the user pool above as its only provider
  myApiIdentityPool:
    Type: "AWS::Cognito::IdentityPool"
    Properties:
      IdentityPoolName: !Sub myApiIdentityPool${envParameter}
      AllowUnauthenticatedIdentities: False
      CognitoIdentityProviders:
        - ClientId: !Ref myApiUserPoolClient
          ProviderName: !GetAtt myApiUserPool.ProviderName
  # 2. Cognito unauthenticated role
  cognitoUnauthRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Sub Cognito_${myApiIdentityPool.Name}_Unauth_Role
      # Trust policy: only Cognito Identity may assume this role. A Condition on
      # cognito-identity.amazonaws.com:aud (this identity pool's ID) would restrict
      # it further to this one pool.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: [ 'sts:AssumeRole' ]
      Policies:
        - PolicyName: cognitounauth
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                - mobileanalytics:PutEvents
                - cognito-sync:*
                Resource:
                - "*"
  # 1. Cognito authenticated role
  cognitoAuthRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Sub Cognito_${myApiIdentityPool.Name}_Auth_Role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: [ 'sts:AssumeRole' ]
      Policies:
        - PolicyName: cognitoauth
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                - mobileanalytics:PutEvents
                - cognito-sync:*
                # execute-api:* on "*" allows calling every API Gateway API in the
                # account; scope Resource to the API ARNs the app actually uses.
                - execute-api:*
                Resource:
                - "*"
  # 6. Identity pool role attachment
  myApiIdentityPoolRoleAttachment:
    DependsOn: [ myApiIdentityPool, cognitoUnauthRole, cognitoAuthRole ]
    Type: "AWS::Cognito::IdentityPoolRoleAttachment"
    Properties:
      IdentityPoolId: !Ref myApiIdentityPool
      Roles:
        authenticated: !GetAtt cognitoAuthRole.Arn
        unauthenticated: !GetAtt cognitoUnauthRole.Arn
Outputs:
  userPool:
    Description: "User pool ID"
    Value: !Ref myApiUserPool
  identityPool:
    Description: "Identity pool ID"
    Value: !Ref myApiIdentityPool
  ClientId:
    Description: "Client id for the user pool appclient"
    Value: !Ref myApiUserPoolClient
Answered by srisaiswaroop on Nov 15 '22 07:11
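The template above creates the pool from scratch, so the settings of an existing console-created pool still have to be read out and copied into it. As an added example (not part of the answer), this Python script maps a `describe_user_pool` response (a constructed sample here, not a real pool) onto `AWS::Cognito::UserPool` properties for a JSON CloudFormation template, and flags weak settings before the template is committed; `user_pool_to_cfn`, `lint_pool` and `SAMPLE_DESCRIBE` are names I chose.

```python
import json

# Constructed sample of a boto3 cognito-idp describe_user_pool() response,
# trimmed to the fields carried over below (not a real pool).
SAMPLE_DESCRIBE = {"UserPool": {"Id": "us-east-1_EXAMPLE", "Name": "myApiUserPool",
    "Policies": {"PasswordPolicy": {"MinimumLength": 6, "RequireUppercase": True, "RequireLowercase": True,
                                    "RequireNumbers": False, "RequireSymbols": False}},
    "MfaConfiguration": "OFF", "AutoVerifiedAttributes": ["email"], "UsernameAttributes": ["email"],
    "SchemaAttributes": [{"Name": "email", "AttributeDataType": "String", "Mutable": True, "Required": True},
                         {"Name": "custom:tenant", "AttributeDataType": "String", "Mutable": False,
                          "StringAttributeConstraints": {"MinLength": "1", "MaxLength": "64"}}]}}

# DescribeUserPool fields whose names and shapes match AWS::Cognito::UserPool properties.
PASSTHROUGH = ("Policies", "MfaConfiguration", "AutoVerifiedAttributes",
               "UsernameAttributes", "AliasAttributes", "UserPoolTags")

def user_pool_to_cfn(describe, logical_id="myApiUserPool"):
    """Build the {logical_id: resource} mapping for the Resources section of a JSON template."""
    pool = describe["UserPool"]
    props = {"UserPoolName": pool["Name"]}
    props.update({k: pool[k] for k in PASSTHROUGH if k in pool})
    # Standard attributes exist on every pool, so only custom ones are declared; CloudFormation adds the "custom:" prefix itself.
    schema = []
    for attr in pool.get("SchemaAttributes", []):
        if attr["Name"].startswith("custom:"):
            entry = {"Name": attr["Name"][len("custom:"):], "AttributeDataType": attr["AttributeDataType"],
                     "Mutable": attr.get("Mutable", True)}
            for key in ("StringAttributeConstraints", "NumberAttributeConstraints"):
                if key in attr:
                    entry[key] = attr[key]
            schema.append(entry)
    if schema:
        props["Schema"] = schema
    return {logical_id: {"Type": "AWS::Cognito::UserPool", "Properties": props}}

def lint_pool(resource):
    # Weak settings a reviewer should see before the template is committed.
    props = next(iter(resource.values()))["Properties"]
    pw = props.get("Policies", {}).get("PasswordPolicy", {})
    findings = []
    if pw.get("MinimumLength", 0) < 8:
        findings.append("password MinimumLength below 8")
    if not all(pw.get(k) for k in ("RequireUppercase", "RequireLowercase", "RequireNumbers", "RequireSymbols")):
        findings.append("password policy does not require all character classes")
    if props.get("MfaConfiguration", "OFF") == "OFF":
        findings.append("MFA is OFF")
    return findings

if __name__ == "__main__":
    resource = user_pool_to_cfn(SAMPLE_DESCRIBE)
    print(json.dumps({"AWSTemplateFormatVersion": "2010-09-09", "Resources": resource}, indent=2), lint_pool(resource))
```

The printed fragment drops into the Resources section of a JSON template; the lint findings are the settings to tighten before relying on the pool for authentication.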