v1.12.1 (#176)

* #167 - Add support for GovCloud (US) Regions

* #173 - Fix mapping SAML groups to Cognito Groups

* #174 - Saving Document can result in "Provided list of item keys contains duplicates" error

* #175 - Strip quotes around checksum

build.gradle

@@ -25,8 +25,8 @@ def getCmdParam() {
 repositories { mavenCentral() }
 
 allprojects {
-  version = '1.12.0'
-  ext.awsCognitoVersion = '1.5.1'
+  version = '1.12.1'
+  ext.awsCognitoVersion = '1.5.3'
   group = 'com.formkiq.stacks'
 
 	apply plugin: 'com.diffplug.spotless'

console/src/main/resources/cloudformation/template-install.yaml

@@ -101,6 +101,15 @@ Parameters:
     Type: String
     Default: ""
 
+  Partition:
+    Description: The partition in which the resource is located. A partition is a group of AWS Regions
+    Type: String
+
+  IsGovCloud:
+    Description: Is Installation AWS Region gov cloud
+    Type: String
+    AllowedValues: ["true", "false"]
+
 Conditions:
 
   HasCertificateStackName:
@@ -114,10 +123,16 @@ Conditions:
       - Fn::Equals: 
         - Ref: HostedZoneId
         - ''
-
+
+  IsNotGovCloud:
+    Fn::Equals: 
+      - Ref: IsGovCloud
+      - 'false'
+
 Resources:
 
   ConsoleInstallerParameter:
+    Condition: IsNotGovCloud
     Type: AWS::SSM::Parameter
     Properties:
       Description: "Lambda for Console Installation"
@@ -136,6 +151,7 @@ Resources:
 
   ConsoleInstaller:
     Type: AWS::Serverless::Function
+    Condition: IsNotGovCloud
     Properties:
       Handler: com.formkiq.stacks.console.ConsoleInstallHandler
       Description: Lambda function that Installs the FormKiQ Console
@@ -189,6 +205,7 @@ Resources:
 
   ConsoleInstallRole:
     Type: AWS::IAM::Role
+    Condition: IsNotGovCloud
     Properties:
       Tags:
         - Key: "Application"
@@ -224,7 +241,7 @@ Resources:
               Action:
               - ssm:GetParameter
               Resource: 
-              - Fn::Sub: "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/formkiq/*"
+              - Fn::Sub: "arn:${Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/formkiq/*"
             - Effect: Allow
               Action:
               - s3:GetObject
@@ -234,11 +251,11 @@ Resources:
               Resource: 
               - Fn::Join:
                 - ''
-                - - 'arn:aws:s3:::'
+                - - Fn::Sub: "arn:${Partition}:s3:::"
                   - Ref: ConsoleBucket
               - Fn::Join:
                 - ''
-                - - 'arn:aws:s3:::'
+                - - Fn::Sub: "arn:${Partition}:s3:::"
                   - Ref: ConsoleBucket
                   - '/*'
             - Effect: Allow
@@ -249,11 +266,11 @@ Resources:
               Resource:
               - Fn::Join:
                 - ''
-                - - 'arn:aws:s3:::'
+                - - Fn::Sub: "arn:${Partition}:s3:::"
                   - Ref: CognitoConfigBucket
               - Fn::Join:
                 - ''
-                - - 'arn:aws:s3:::'
+                - - Fn::Sub: "arn:${Partition}:s3:::"
                   - Ref: CognitoConfigBucket
                   - '/*'
             - Effect: Allow
@@ -262,7 +279,7 @@ Resources:
               Resource: 
               - Fn::Join:
                 - ''
-                - - 'arn:aws:s3:::'
+                - - Fn::Sub: "arn:${Partition}:s3:::"
                   - Ref: DistributionBucket
                   - '/*'
             - Effect: Allow
@@ -276,6 +293,7 @@ Resources:
 
   ConsoleInstallerRef:
     Type: Custom::ConsoleInstallerRef
+    Condition: IsNotGovCloud
     Properties:
       Nonce:
         Ref: ConsoleVersion

console/src/main/resources/cloudformation/template-users.yaml

@@ -40,10 +40,27 @@ Parameters:
     Description: Cognito User Pool Client
     AllowedPattern: ".+"    
 
+  Partition:
+    Description: The partition in which the resource is located. A partition is a group of AWS Regions
+    Type: String
+
+  IsGovCloud:
+    Description: Is Installation AWS Region gov cloud
+    Type: String
+    AllowedValues: ["true", "false"]
+
+Conditions:
+
+  IsNotGovCloud:
+    Fn::Equals: 
+      - Ref: IsGovCloud
+      - 'false'
+
 Resources:
 
   ConsoleAdminUser:
     Type: AWS::Cognito::UserPoolUser
+    Condition: IsNotGovCloud
     Properties:
       DesiredDeliveryMediums: 
         - EMAIL
@@ -60,6 +77,7 @@ Resources:
 
   ConsoleAddUserToGroup:
     Type: AWS::Cognito::UserPoolUserToGroupAttachment
+    Condition: IsNotGovCloud
     DependsOn:
     - ConsoleAdminUser
     Properties: 
@@ -72,6 +90,7 @@ Resources:
 
   ConsoleAddUserToDefaultGroup:
     Type: AWS::Cognito::UserPoolUserToGroupAttachment
+    Condition: IsNotGovCloud
     DependsOn:
     - ConsoleAdminUser
     Properties: 
@@ -203,7 +222,7 @@ Resources:
               - "sts:AssumeRole"
       Path: "/"
       ManagedPolicyArns:
-      - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole      
+      - Fn::Sub: "arn:${Partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"      
       Policies: 
         - 
           PolicyName: 

console/src/main/resources/cloudformation/template.yaml

@@ -30,14 +30,24 @@ Parameters:
     Description: The name of the FormKiQ Certificate Stack Name
     Default: ""
 
+  IsGovCloud:
+    Description: Is Installation AWS Region gov cloud
+    Type: String
+    AllowedValues: ["true", "false"]
+
 Conditions:
 
   HasCertificateStackName:
     Fn::Not:
       - Fn::Equals: 
         - Ref: CertificateStackName
         - ''
-
+
+  IsNotGovCloud:
+    Fn::Equals: 
+      - Ref: IsGovCloud
+      - 'false'
+
 Resources:
 
   Console:
@@ -158,6 +168,7 @@ Resources:
 
   CloudFrontDistribution:
     Type: AWS::CloudFront::Distribution
+    Condition: IsNotGovCloud
     Properties:
       DistributionConfig:
         Origins:
@@ -228,6 +239,7 @@ Resources:
 
   ConsoleUrlParameter:
     Type: AWS::SSM::Parameter
+    Condition: IsNotGovCloud
     Properties:
       Description: "The URL for the FormKiQ Console"
       Name: 
@@ -258,13 +270,15 @@ Resources:
           Fn::Sub: "${AWS::StackName}"
 
   CloudFrontOriginAccessIdentity:
+    Condition: IsNotGovCloud
     Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
     Properties:
       CloudFrontOriginAccessIdentityConfig:
         Comment: 
           Fn::Sub: "FormKiQ Console CloudFront Identity"
 
   ConsoleBucketPolicy:
+    Condition: IsNotGovCloud
     Type: "AWS::S3::BucketPolicy"
     Properties: 
       Bucket: 
@@ -303,13 +317,16 @@ Outputs:
             - 'https://'
             - Fn::ImportValue:
                 Fn::Sub: '${CertificateStackName}-ConsoleDomain'
-      - Fn::Join: 
-          - ""
-          - 
-            - 'https://'
-            - Fn::GetAtt:
-              - CloudFrontDistribution
-              - DomainName
+      - Fn::If:
+        - IsNotGovCloud
+        - Fn::Join: 
+            - ""
+            - 
+              - 'https://'
+              - Fn::GetAtt:
+                - CloudFrontDistribution
+                - DomainName
+        - "none"
 
   ConsoleBucket:
     Value:
@@ -329,6 +346,9 @@ Outputs:
 
   CloudFrontDistributionDomainName:
     Value:
-      Fn::GetAtt:
-      - CloudFrontDistribution
-      - DomainName
+      Fn::If:
+      - IsNotGovCloud
+      - Fn::GetAtt:
+        - CloudFrontDistribution
+        - DomainName
+      - ""