How to export Cognito User Pool settings to CloudFormation template?

Question

I've created Cognito User Pool through AWS Console, but I want to automate creation of new Cognito User Pools through CloudFormation. Can I export my current User Pool configuration to CloudFormation template?

Answer 1

I am going to use the describe-user-pool action and then build the cf template based on the output

Answer 2

Its not possible to export. You would need the below 6 resources to automate the process.

1. Cognito Authenticated role
2. Cognito unAuthenticated role
3. User pool
4. User Pool Client
5. Identity Pool
6. Identity Pool Role attachment

You would need 3 outputs which you might need to use in your code. Below is the code for creating these

AWSTemplateFormatVersion: 2010-09-09
Parameters: 
  envParameter: 
    Type: String
    Default: dev
    AllowedValues: [ dev, test, qa, prod ]
    Description: Suffix to be added for names.
Resources:
  myApiUserPool:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: !Sub myApiUserPool${envParameter}
  myApiUserPoolClient:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
        ClientName: !Sub myApiUserPoolClient${envParameter},
        GenerateSecret: False
        RefreshTokenValidity: 30
        UserPoolId: !Ref myApiUserPool
  myApiIdentityPool:
    Type: "AWS::Cognito::IdentityPool"
    Properties:
      IdentityPoolName: !Sub myApiIdentityPool${envParameter}
      AllowUnauthenticatedIdentities: False
      CognitoIdentityProviders:
        - ClientId: !Ref myApiUserPoolClient
          ProviderName: !GetAtt myApiUserPool.ProviderName
  cognitoUnauthRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Sub Cognito_${myApiIdentityPool.Name}_Unauth_Role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: [ 'sts:AssumeRole' ]
      Policies:
        - PolicyName: cognitounauth
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                - mobileanalytics:PutEvents
                - cognito-sync:*
                Resource:
                - "*"
  cognitoAuthRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Sub Cognito_${myApiIdentityPool.Name}_Auth_Role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: [ 'sts:AssumeRole' ]
      Policies:
        - PolicyName: cognitoauth
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                - mobileanalytics:PutEvents
                - cognito-sync:*
                - execute-api:*
                Resource:
                - "*"
  myApiIdentityPoolRoleAttachment:
    DependsOn: [ myApiIdentityPool, cognitoUnauthRole, cognitoAuthRole ]
    Type: "AWS::Cognito::IdentityPoolRoleAttachment"
    Properties:
      IdentityPoolId: !Ref myApiIdentityPool
      Roles: 
        authenticated: !GetAtt cognitoAuthRole.Arn
        unauthenticated: !GetAtt cognitoUnauthRole.Arn
Outputs:
 userPool:
    Description: "User pool ID"
    Value: !Ref myApiUserPool
 identityPool:
    Description: "Identity pool ID"
    Value: !Ref myApiIdentityPool
 ClientId: 
    Description: "Client id for the user pool appclient"
    Value: !Ref myApiUserPoolClient

Answer 3

It's not currently possible to export existing user pools from Cognito. You can, however, create new user pools in AWS CloudFormation and then manage those pools from CloudFormation itself going forward, using AWS::Cognito::UserPool resource type.