AWSTemplateFormatVersion: "2010-09-09"
Description: >
  All resources to be able to run chat example, publish example and integration tests.
Resources:
  IdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      AllowUnauthenticatedIdentities: true

  UnauthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      # This is about constraints who can assume this role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Effect: "Allow"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition:
              StringEquals:
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              ForAnyValue:StringLike:
                "cognito-identity.amazonaws.com:amr": "unauthenticated"
      Policies:
        -
          PolicyName: "root"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              -
                Effect: "Allow"
                Action: "*"
                Resource: "*"

  AuthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              Federated:
                - "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Policies:
        -
          PolicyName: "root"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              -
                Effect: "Allow"
                Action: "iot:*"
                Resource: "*"

  GuestRoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref IdentityPool
      Roles:
        unauthenticated: !GetAtt UnauthenticatedRole.Arn
        authenticated: !GetAtt AuthenticatedRole.Arn

Outputs:
  IdentityPool:
    Value: !Ref IdentityPool