diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/cdk.out new file mode 100644 index 0000000000000..1f0068d32659a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/integ-user-pool-pre-token-generation-v2.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/integ-user-pool-pre-token-generation-v2.assets.json new file mode 100644 index 0000000000000..e4880cdbd3418 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/integ-user-pool-pre-token-generation-v2.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "99c1cd9f462b0eb4468998585bd7b2a90a4d3c254b5390023fb0414afc4e2279": { + "source": { + "path": "integ-user-pool-pre-token-generation-v2.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "99c1cd9f462b0eb4468998585bd7b2a90a4d3c254b5390023fb0414afc4e2279.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/integ-user-pool-pre-token-generation-v2.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/integ-user-pool-pre-token-generation-v2.template.json new file mode 100644 index 0000000000000..f0ee11466857e --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/integ-user-pool-pre-token-generation-v2.template.json 
@@ -0,0 +1,182 @@ +{ + "Resources": { + "preTokenGenerationLambdaServiceRole0C3B4FA0": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "preTokenGenerationLambda1F130400": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "ZipFile": "exports.handler = function(event, ctx, cb) { console.log(\"Mocked pre token generation\");return cb(null, \"success\"); }" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "preTokenGenerationLambdaServiceRole0C3B4FA0", + "Arn" + ] + }, + "Runtime": "nodejs18.x" + }, + "DependsOn": [ + "preTokenGenerationLambdaServiceRole0C3B4FA0" + ] + }, + "pool056F3F7E": { + "Type": "AWS::Cognito::UserPool", + "Properties": { + "AccountRecoverySetting": { + "RecoveryMechanisms": [ + { + "Name": "verified_phone_number", + "Priority": 1 + }, + { + "Name": "verified_email", + "Priority": 2 + } + ] + }, + "AdminCreateUserConfig": { + "AllowAdminCreateUserOnly": true + }, + "EmailVerificationMessage": "The verification code to your new account is {####}", + "EmailVerificationSubject": "Verify your new account", + "LambdaConfig": { + "PreTokenGenerationConfig": { + "LambdaArn": { + "Fn::GetAtt": [ + "preTokenGenerationLambda1F130400", + "Arn" + ] + }, + "LambdaVersion": "V2_0" + } + }, + "SmsVerificationMessage": "The verification code to your new account is {####}", + "UserPoolAddOns": { + "AdvancedSecurityMode": "ENFORCED" + }, + "VerificationMessageTemplate": { + "DefaultEmailOption": "CONFIRM_WITH_CODE", + "EmailMessage": "The verification code to your new account is {####}", + "EmailSubject": "Verify your new account", + 
"SmsMessage": "The verification code to your new account is {####}" + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "poolPreTokenGenerationConfigCognito310B2A58": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Fn::GetAtt": [ + "preTokenGenerationLambda1F130400", + "Arn" + ] + }, + "Principal": "cognito-idp.amazonaws.com", + "SourceArn": { + "Fn::GetAtt": [ + "pool056F3F7E", + "Arn" + ] + } + } + }, + "poolclient2623294C": { + "Type": "AWS::Cognito::UserPoolClient", + "Properties": { + "AllowedOAuthFlows": [ + "implicit", + "code" + ], + "AllowedOAuthFlowsUserPoolClient": true, + "AllowedOAuthScopes": [ + "profile", + "phone", + "email", + "openid", + "aws.cognito.signin.user.admin" + ], + "CallbackURLs": [ + "https://example.com" + ], + "ExplicitAuthFlows": [ + "ALLOW_USER_SRP_AUTH", + "ALLOW_REFRESH_TOKEN_AUTH" + ], + "SupportedIdentityProviders": [ + "COGNITO" + ], + "UserPoolId": { + "Ref": "pool056F3F7E" + } + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/integ.json new file mode 100644 index 0000000000000..8e9a275cc78c0 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/integ.json @@ -0,0 +1,12 @@ +{ + "version": "36.0.0", + "testCases": { + "preTokenGenerationIntegTest/DefaultTest": { + "stacks": [ + "integ-user-pool-pre-token-generation-v2" + ], + "assertionStack": "preTokenGenerationIntegTest/DefaultTest/DeployAssert", + "assertionStackName": "preTokenGenerationIntegTestDefaultTestDeployAssertF6CAA89D" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/manifest.json new file mode 100644 index 0000000000000..77d0b18fac852 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/manifest.json 
@@ -0,0 +1,137 @@ +{ + "version": "36.0.0", + "artifacts": { + "integ-user-pool-pre-token-generation-v2.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "integ-user-pool-pre-token-generation-v2.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "integ-user-pool-pre-token-generation-v2": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "integ-user-pool-pre-token-generation-v2.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/99c1cd9f462b0eb4468998585bd7b2a90a4d3c254b5390023fb0414afc4e2279.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "integ-user-pool-pre-token-generation-v2.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "integ-user-pool-pre-token-generation-v2.assets" + ], + "metadata": { + "/integ-user-pool-pre-token-generation-v2/preTokenGenerationLambda/ServiceRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "preTokenGenerationLambdaServiceRole0C3B4FA0" + } + ], + "/integ-user-pool-pre-token-generation-v2/preTokenGenerationLambda/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": 
"preTokenGenerationLambda1F130400" + } + ], + "/integ-user-pool-pre-token-generation-v2/pool/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "pool056F3F7E" + } + ], + "/integ-user-pool-pre-token-generation-v2/pool/PreTokenGenerationConfigCognito": [ + { + "type": "aws:cdk:logicalId", + "data": "poolPreTokenGenerationConfigCognito310B2A58" + } + ], + "/integ-user-pool-pre-token-generation-v2/pool/client/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "poolclient2623294C" + } + ], + "/integ-user-pool-pre-token-generation-v2/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/integ-user-pool-pre-token-generation-v2/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "integ-user-pool-pre-token-generation-v2" + }, + "preTokenGenerationIntegTestDefaultTestDeployAssertF6CAA89D.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "preTokenGenerationIntegTestDefaultTestDeployAssertF6CAA89D.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "preTokenGenerationIntegTestDefaultTestDeployAssertF6CAA89D": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "preTokenGenerationIntegTestDefaultTestDeployAssertF6CAA89D.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + 
"requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "preTokenGenerationIntegTestDefaultTestDeployAssertF6CAA89D.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "preTokenGenerationIntegTestDefaultTestDeployAssertF6CAA89D.assets" + ], + "metadata": { + "/preTokenGenerationIntegTest/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/preTokenGenerationIntegTest/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "preTokenGenerationIntegTest/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/preTokenGenerationIntegTestDefaultTestDeployAssertF6CAA89D.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/preTokenGenerationIntegTestDefaultTestDeployAssertF6CAA89D.assets.json new file mode 100644 index 0000000000000..fcccc235f36ff --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/preTokenGenerationIntegTestDefaultTestDeployAssertF6CAA89D.assets.json 
@@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "preTokenGenerationIntegTestDefaultTestDeployAssertF6CAA89D.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/preTokenGenerationIntegTestDefaultTestDeployAssertF6CAA89D.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/preTokenGenerationIntegTestDefaultTestDeployAssertF6CAA89D.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/preTokenGenerationIntegTestDefaultTestDeployAssertF6CAA89D.template.json 
@@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/tree.json new file mode 100644 index 0000000000000..12c8bf51d5406 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/tree.json 
@@ -0,0 +1,328 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "integ-user-pool-pre-token-generation-v2": { + "id": "integ-user-pool-pre-token-generation-v2", + "path": "integ-user-pool-pre-token-generation-v2", + "children": { + "preTokenGenerationLambda": { + "id": "preTokenGenerationLambda", + "path": "integ-user-pool-pre-token-generation-v2/preTokenGenerationLambda", + "children": { + "ServiceRole": { + "id": "ServiceRole", + "path": "integ-user-pool-pre-token-generation-v2/preTokenGenerationLambda/ServiceRole", + "children": { + "ImportServiceRole": { + "id": "ImportServiceRole", + "path": "integ-user-pool-pre-token-generation-v2/preTokenGenerationLambda/ServiceRole/ImportServiceRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "integ-user-pool-pre-token-generation-v2/preTokenGenerationLambda/ServiceRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "managedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "integ-user-pool-pre-token-generation-v2/preTokenGenerationLambda/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::Function", + "aws:cdk:cloudformation:props": { + "code": { + "zipFile": "exports.handler = function(event, ctx, cb) { console.log(\"Mocked pre token generation\");return 
cb(null, \"success\"); }" + }, + "handler": "index.handler", + "role": { + "Fn::GetAtt": [ + "preTokenGenerationLambdaServiceRole0C3B4FA0", + "Arn" + ] + }, + "runtime": "nodejs18.x" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnFunction", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.Function", + "version": "0.0.0" + } + }, + "pool": { + "id": "pool", + "path": "integ-user-pool-pre-token-generation-v2/pool", + "children": { + "Resource": { + "id": "Resource", + "path": "integ-user-pool-pre-token-generation-v2/pool/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Cognito::UserPool", + "aws:cdk:cloudformation:props": { + "accountRecoverySetting": { + "recoveryMechanisms": [ + { + "name": "verified_phone_number", + "priority": 1 + }, + { + "name": "verified_email", + "priority": 2 + } + ] + }, + "adminCreateUserConfig": { + "allowAdminCreateUserOnly": true + }, + "emailVerificationMessage": "The verification code to your new account is {####}", + "emailVerificationSubject": "Verify your new account", + "lambdaConfig": { + "preTokenGenerationConfig": { + "lambdaArn": { + "Fn::GetAtt": [ + "preTokenGenerationLambda1F130400", + "Arn" + ] + }, + "lambdaVersion": "V2_0" + } + }, + "smsVerificationMessage": "The verification code to your new account is {####}", + "userPoolAddOns": { + "advancedSecurityMode": "ENFORCED" + }, + "verificationMessageTemplate": { + "defaultEmailOption": "CONFIRM_WITH_CODE", + "emailMessage": "The verification code to your new account is {####}", + "emailSubject": "Verify your new account", + "smsMessage": "The verification code to your new account is {####}" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_cognito.CfnUserPool", + "version": "0.0.0" + } + }, + "PreTokenGenerationConfigCognito": { + "id": "PreTokenGenerationConfigCognito", + "path": "integ-user-pool-pre-token-generation-v2/pool/PreTokenGenerationConfigCognito", + "attributes": { + 
"aws:cdk:cloudformation:type": "AWS::Lambda::Permission", + "aws:cdk:cloudformation:props": { + "action": "lambda:InvokeFunction", + "functionName": { + "Fn::GetAtt": [ + "preTokenGenerationLambda1F130400", + "Arn" + ] + }, + "principal": "cognito-idp.amazonaws.com", + "sourceArn": { + "Fn::GetAtt": [ + "pool056F3F7E", + "Arn" + ] + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnPermission", + "version": "0.0.0" + } + }, + "client": { + "id": "client", + "path": "integ-user-pool-pre-token-generation-v2/pool/client", + "children": { + "Resource": { + "id": "Resource", + "path": "integ-user-pool-pre-token-generation-v2/pool/client/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Cognito::UserPoolClient", + "aws:cdk:cloudformation:props": { + "allowedOAuthFlows": [ + "implicit", + "code" + ], + "allowedOAuthFlowsUserPoolClient": true, + "allowedOAuthScopes": [ + "profile", + "phone", + "email", + "openid", + "aws.cognito.signin.user.admin" + ], + "callbackUrLs": [ + "https://example.com" + ], + "explicitAuthFlows": [ + "ALLOW_USER_SRP_AUTH", + "ALLOW_REFRESH_TOKEN_AUTH" + ], + "supportedIdentityProviders": [ + "COGNITO" + ], + "userPoolId": { + "Ref": "pool056F3F7E" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_cognito.CfnUserPoolClient", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_cognito.UserPoolClient", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_cognito.UserPool", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "integ-user-pool-pre-token-generation-v2/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "integ-user-pool-pre-token-generation-v2/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": 
{ + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "preTokenGenerationIntegTest": { + "id": "preTokenGenerationIntegTest", + "path": "preTokenGenerationIntegTest", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "preTokenGenerationIntegTest/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "preTokenGenerationIntegTest/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "preTokenGenerationIntegTest/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "preTokenGenerationIntegTest/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "preTokenGenerationIntegTest/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.ts new file mode 100644 index 0000000000000..f2431cf5d23f6 --- /dev/null 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.ts @@ -0,0 +1,32 @@ +import * as lambda from 'aws-cdk-lib/aws-lambda'; +import { App, RemovalPolicy, Stack } from 'aws-cdk-lib'; +import { AdvancedSecurityMode, LambdaVersion, UserPool, UserPoolOperation } from 'aws-cdk-lib/aws-cognito'; +import { STANDARD_NODEJS_RUNTIME } from '../../config'; +import * as integ from '@aws-cdk/integ-tests-alpha'; + +const app = new App(); +const stack = new Stack(app, 'integ-user-pool-pre-token-generation-v2'); + +const triggerLambda = new lambda.Function(stack, 'preTokenGenerationLambda', { + runtime: STANDARD_NODEJS_RUNTIME, + handler: 'index.handler', + code: lambda.Code.fromInline('exports.handler = function(event, ctx, cb) { console.log("Mocked pre token generation");return cb(null, "success"); }'), +}); + +const userpool = new UserPool(stack, 'pool', { + removalPolicy: RemovalPolicy.DESTROY, + advancedSecurityMode: AdvancedSecurityMode.ENFORCED, +}); +userpool.addTrigger(UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG, triggerLambda, LambdaVersion.V2_0); + +userpool.addClient('client', { + authFlows: { + userSrp: true, + }, +}); + +new integ.IntegTest(app, 'preTokenGenerationIntegTest', { + testCases: [stack], +}); + +app.synth(); \ No newline at end of file diff --git a/packages/aws-cdk-lib/aws-cognito/README.md b/packages/aws-cdk-lib/aws-cognito/README.md index ae7b91ecc4f5a..198648577efaf 100644 --- a/packages/aws-cdk-lib/aws-cognito/README.md +++ b/packages/aws-cdk-lib/aws-cognito/README.md 
@@ -493,6 +493,15 @@ userpool.addTrigger(cognito.UserPoolOperation.USER_MIGRATION, new lambda.Functio })); ``` +Additionally, only the pre token generation Lambda trigger supports trigger events with lambda version V2.0: + +```ts +declare const userpool: cognito.UserPool; +declare const preTokenGenerationFn: lambda.Function; + +userpool.addTrigger(cognito.UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG, preTokenGenerationFn, cognito.LambdaVersion.V2_0); +``` + The following table lists the set of triggers available, and their corresponding method to add it to the user pool. For more information on the function of these triggers and how to configure them, read [User Pool Workflows with Triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html). diff --git a/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts b/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts index 8da548198eb32..dff7b9651fff5 100644 --- a/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts +++ b/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts 
@@ -230,10 +230,20 @@ export class UserPoolOperation { /** * Add or remove attributes in Id tokens + * + * Set this parameter for legacy purposes. + * If you also set an ARN in PreTokenGenerationConfig, its value must be identical to PreTokenGeneration. + * For new instances of pre token generation triggers, set the LambdaArn of PreTokenGenerationConfig. * @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html */ public static readonly PRE_TOKEN_GENERATION = new UserPoolOperation('preTokenGeneration'); + /** + * Add or remove attributes in Id tokens + * @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html + */ + public static readonly PRE_TOKEN_GENERATION_CONFIG = new UserPoolOperation('preTokenGenerationConfig'); + /** * Migrate a user from an existing user directory to user pools * @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-migrate-user.html @@ -282,6 +292,22 @@ export enum VerificationEmailStyle { LINK = 'CONFIRM_WITH_LINK', } +/** + * The user pool trigger version of the request that Amazon Cognito sends to your Lambda function. + */ +export enum LambdaVersion { + /** + * V1_0 trigger + */ + V1_0 = 'V1_0', + /** + * V2_0 trigger + * + * This is supported only for PRE_TOKEN_GENERATION trigger. + */ + V2_0 = 'V2_0', +} + /** * User pool configuration for user self sign up. */ 
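Review bot: The new `PRE_TOKEN_GENERATION_CONFIG` member carries the legacy description verbatim ("Add or remove attributes in Id tokens"), so a reader cannot tell the two operations apart from the docs alone. The distinguishing fact visible in this diff is that only this operation accepts a `LambdaVersion` (the `addTrigger` hunk later in the patch throws for `V2_0` on any other operation), so the comment should say so, e.g. `Add or remove attributes in Id tokens; this is the variant of the pre token generation trigger that accepts a LambdaVersion (see addTrigger). Prefer it over PRE_TOKEN_GENERATION for new triggers.` Since this trigger's output decides what claims end up in issued tokens, it would also be worth a one-line note that the function it points at is part of the authorization path and should be locked down accordingly; the unit and integ tests in this patch all enable `advancedSecurityMode: ENFORCED`, which looks like a prerequisite worth stating here if it is one — confirm against the service docs.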
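Review bot: The JSDoc on `LambdaVersion.V2_0` says "This is supported only for PRE_TOKEN_GENERATION trigger", but the validation added to `addTrigger` in this same patch throws unless the operation is `PRE_TOKEN_GENERATION_CONFIG`, so the comment names the wrong operation and will send users to the legacy member that rejects `V2_0`. Change it to `This is supported only for the PRE_TOKEN_GENERATION_CONFIG operation; addTrigger throws if it is combined with any other operation.` The enum's header comment could also mention that omitting the argument in `addTrigger` yields `V1_0`, which is what the `?? LambdaVersion.V1_0` fallback in that hunk does.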
@@ -994,10 +1020,13 @@ export class UserPool extends UserPoolBase { * Add a lambda trigger to a user pool operation * @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html */ - public addTrigger(operation: UserPoolOperation, fn: lambda.IFunction): void { + public addTrigger(operation: UserPoolOperation, fn: lambda.IFunction, lambdaVersion?: LambdaVersion): void { if (operation.operationName in this.triggers) { throw new Error(`A trigger for the operation ${operation.operationName} already exists.`); } + if (operation !== UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG && lambdaVersion === LambdaVersion.V2_0) { + throw new Error('Only the `PRE_TOKEN_GENERATION_CONFIG` operation supports V2_0 lambda version.'); + } this.addLambdaPermission(fn, operation.operationName); switch (operation.operationName) { @@ -1008,7 +1037,13 @@ export class UserPool extends UserPoolBase { } (this.triggers as any)[operation.operationName] = { lambdaArn: fn.functionArn, - lambdaVersion: 'V1_0', + lambdaVersion: LambdaVersion.V1_0, + }; + break; + case 'preTokenGenerationConfig': + (this.triggers as any)[operation.operationName] = { + lambdaArn: fn.functionArn, + lambdaVersion: lambdaVersion ?? LambdaVersion.V1_0, }; break; default: diff --git a/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts b/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts index b80c669e205d7..934f6a312c81b 100644 --- a/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts +++ b/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts 
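Review bot: The new guard in `addTrigger` only rejects `lambdaVersion === LambdaVersion.V2_0` on other operations, so `addTrigger(USER_MIGRATION, fn, LambdaVersion.V1_0)` is accepted and the argument is silently discarded, and nothing prevents `PRE_TOKEN_GENERATION` and `PRE_TOKEN_GENERATION_CONFIG` from being wired to two different functions even though the JSDoc added earlier in this patch says their ARNs must be identical — that mismatch would only surface at deploy time. Tightening the first check to `if (operation !== UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG && lambdaVersion !== undefined)` closes the first gap without breaking anyone, since the parameter is new in this commit. For the second, a synth-time comparison of the stored ARN against `fn.functionArn` catches the common case of two distinct function constructs (the token strings differ); it assumes the `default:` branch outside this hunk stores `fn.functionArn` directly, and it cannot see through imported functions whose ARNs are equal only after resolution, so the error text should say so. The method's JSDoc also lacks a `@param lambdaVersion` line describing the `V1_0` default and the `PRE_TOKEN_GENERATION_CONFIG` restriction; `addTrigger` begins in the first hunk and its `switch` continues past the end of the second.
```typescript
  public addTrigger(operation: UserPoolOperation, fn: lambda.IFunction, lambdaVersion?: LambdaVersion): void {
    if (operation.operationName in this.triggers) {
      throw new Error(`A trigger for the operation ${operation.operationName} already exists.`);
    }
    // lambdaVersion is only meaningful for PRE_TOKEN_GENERATION_CONFIG; reject it elsewhere instead of dropping it.
    if (operation !== UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG && lambdaVersion !== undefined) {
      throw new Error('Only the `PRE_TOKEN_GENERATION_CONFIG` operation accepts a lambdaVersion.');
    }
    // CloudFormation requires PreTokenGeneration and PreTokenGenerationConfig.LambdaArn to match; fail at synth
    // time when two different function constructs are supplied (unresolved tokens are compared as strings).
    const legacyArn = (this.triggers as any).preTokenGeneration;
    const configArn = (this.triggers as any).preTokenGenerationConfig?.lambdaArn;
    const otherArn = operation === UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG ? legacyArn
      : operation === UserPoolOperation.PRE_TOKEN_GENERATION ? configArn : undefined;
    if (otherArn !== undefined && otherArn !== fn.functionArn) {
      throw new Error('PRE_TOKEN_GENERATION and PRE_TOKEN_GENERATION_CONFIG must reference the same function.');
    }
    // … unchanged: addLambdaPermission call and switch over operation.operationName …
```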
@@ -5,7 +5,7 @@ import { Role, ServicePrincipal } from '../../aws-iam'; import * as kms from '../../aws-kms'; import * as lambda from '../../aws-lambda'; import { CfnParameter, Duration, Stack, Tags } from '../../core'; -import { AccountRecovery, Mfa, NumberAttribute, StringAttribute, UserPool, UserPoolIdentityProvider, UserPoolOperation, VerificationEmailStyle, UserPoolEmail, AdvancedSecurityMode } from '../lib'; +import { AccountRecovery, Mfa, NumberAttribute, StringAttribute, UserPool, UserPoolIdentityProvider, UserPoolOperation, VerificationEmailStyle, UserPoolEmail, AdvancedSecurityMode, LambdaVersion } from '../lib'; describe('User Pool', () => { test('default setup', () => { 
@@ -508,6 +508,95 @@ describe('User Pool', () => { }); }); + test('add preTokenGeneration default trigger', () => { + // GIVEN + const stack = new Stack(); + const kmsKey = fooKey(stack, 'TestKMSKey'); + + const preTokenGeneration = fooFunction(stack, 'preTokenGeneration'); + + // WHEN + const pool = new UserPool(stack, 'Pool', { + customSenderKmsKey: kmsKey, + advancedSecurityMode: AdvancedSecurityMode.ENFORCED, + }); + pool.addTrigger(UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG, preTokenGeneration); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPool', { + LambdaConfig: { + PreTokenGenerationConfig: { + LambdaArn: stack.resolve(preTokenGeneration.functionArn), + LambdaVersion: 'V1_0', + }, + }, + UserPoolAddOns: { + AdvancedSecurityMode: 'ENFORCED', + }, + }); + + Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', { + Action: 'lambda:InvokeFunction', + FunctionName: stack.resolve(preTokenGeneration.functionArn), + Principal: 'cognito-idp.amazonaws.com', + SourceArn: stack.resolve(pool.userPoolArn), + }); + }); + + test('add preTokenGeneration trigger v2', () => { + // GIVEN + const stack = new Stack(); + const kmsKey = fooKey(stack, 'TestKMSKey'); + + const preTokenGeneration = fooFunction(stack, 'preTokenGeneration'); + + // WHEN + const pool = new UserPool(stack, 'Pool', { + customSenderKmsKey: kmsKey, + advancedSecurityMode: AdvancedSecurityMode.ENFORCED, + }); + pool.addTrigger(UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG, preTokenGeneration, LambdaVersion.V2_0); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPool', { + LambdaConfig: { + PreTokenGenerationConfig: { + LambdaArn: stack.resolve(preTokenGeneration.functionArn), + LambdaVersion: 'V2_0', + }, + }, + UserPoolAddOns: { + AdvancedSecurityMode: 'ENFORCED', + }, + }); + + Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', { + Action: 'lambda:InvokeFunction', + FunctionName: 
stack.resolve(preTokenGeneration.functionArn), + Principal: 'cognito-idp.amazonaws.com', + SourceArn: stack.resolve(pool.userPoolArn), + }); + }); + + test('throw error when lambda trigger version v2 is specified for an invalid operation', () => { + // GIVEN + const stack = new Stack(); + + const preTokenGeneration = fooFunction(stack, 'preTokenGeneration'); + + // WHEN + const pool = new UserPool(stack, 'Pool', { + advancedSecurityMode: AdvancedSecurityMode.ENFORCED, + }); + expect(() => { + pool.addTrigger( + UserPoolOperation.PRE_TOKEN_GENERATION, + preTokenGeneration, + LambdaVersion.V2_0, + ); + }).toThrow(/Only the `PRE_TOKEN_GENERATION_CONFIG` operation supports V2_0 lambda version./); + }); + test('can use same lambda as trigger for multiple user pools', () => { // GIVEN const stack = new Stack();