I already have my cognito user pool cloudformation template working, and have it integrated to my api gateway. But somehow i still have to manually configure the app client settings, domain, and federated identities to have a working login portal for the users. I have been looking here and there for possible solutions in automating these, but i cannot seem to find anything close to it.
I would like to automate the configuration of the app client settings, domain, and federated identities via cloudformation sam template so i do not have to do these manually.
Any suggestions are much appreciated. Thank you.
(attachments posted for additional info)
I have created two CloudFormation custom resources to apply Cognito app client settings and domain name. With these resources, you can have a script like this:
UserPoolTestClient:
  Type: 'AWS::Cognito::UserPoolClient'
  Properties:
    ClientName: UserPoolTestClient
    GenerateSecret: true
    UserPoolId: !Ref UserPoolTest
UserPoolTestClientSettings:
  Type: 'Custom::CognitoUserPoolClientSettings'
  Properties:
    ServiceToken: !GetAtt CloudFormationCognitoUserPoolClientSettings.Arn
    UserPoolId: !Ref UserPoolTest
    UserPoolClientId: !Ref UserPoolTestClient
    SupportedIdentityProviders:
      - COGNITO
    CallbackURL: 'https://www.amazon.com'
    LogoutURL: 'https://www.google.com'
    AllowedOAuthFlowsUserPoolClient: true
    AllowedOAuthFlows:
      - code
    AllowedOAuthScopes:
      - openid
UserPoolTestDomain:
  Type: 'Custom::CognitoUserPoolDomain'
  Properties:
    ServiceToken: !GetAtt CloudFormationCognitoUserPoolDomain.Arn
    UserPoolId: !Ref UserPoolTest
    Domain: 'userpool-test-01'
The complete code is here.
Update: Since end of 2019, AWS Cloudformation natively supports App Client Settings, Domain and Federated Identities. See other answers.
Looks like there is no way to provide App integration -> Domain name and Federation -> Identity providers via CloudFormation.
I found only reference for User Pool Client (General settings -> App clients) but it will not configure App integration -> App client settings.
If you need to automate process of providing Domain name, Identity providers and App client settings for user pool, you can do that by creating custom script (AWS CLI) or Lambda (AWS SDK) which should be performed after stack deployment.
Check out excellent example (answer below) that shows usage of CloudFormation Custom Resources with Lambda.
CloudFormation has added the resource AWS::Cognito::UserPoolDomain to manage the User Pool Domain:
Type: AWS::Cognito::UserPoolDomain
Properties: 
  CustomDomainConfig: 
     CertificateArn: !Ref CertificateArn
  Domain: "your.custom.domain.com"
  UserPoolId: !Ref UserPool
In addition, there has been added configuration to the AWS::Cognito::UserPoolClient:
Type: AWS::Cognito::UserPoolClient
Properties: 
  AllowedOAuthFlows: 
    - String
  AllowedOAuthFlowsUserPoolClient: Boolean
  AllowedOAuthScopes: 
    - String
  AnalyticsConfiguration: 
    AnalyticsConfiguration
  CallbackURLs: 
    - String
  ClientName: String
  DefaultRedirectURI: String
  ExplicitAuthFlows: 
    - String
  GenerateSecret: Boolean
  LogoutURLs: 
    - String
  ReadAttributes: 
    - String
  RefreshTokenValidity: Integer
  SupportedIdentityProviders: 
    - String
  UserPoolId: String
  WriteAttributes: 
    - String
Since yesterday, AWS CloudFormation added native support for configuring domain name, identities and other settings directly: https://aws.amazon.com/about-aws/whats-new/2019/10/amazon-cognito-increases-cloudformation-support/
This new support includes the ability to securely and automatically configure a hosted UI domain, configure customization for a hosted UI, configure an IdentityProvider, configure the behavior of advanced security features and configure resource servers, all directly within CloudFormation.
(thanks to my colleague Bernhard for this update)
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With