fix(cognito-identitypool-alpha): cannot configure roleMappings with i…
…mported userPool and client (#30421)

### Issue # (if applicable)

Closes #30304

### Reason for this change
Currently, we cannot use imported user pools and clients for role mapping in an identity pool.
This is because the `IdentityPoolProviderUrl.userPool` method takes an L2 construct as its argument type instead of Interface (`IUserPool`, `IUserPoolClient`).

```ts
    const userPool = cognito.UserPool.fromUserPoolArn(this, 'CognitoUserPool', 'arn');
    const userPoolClient = cognito.UserPoolClient.fromUserPoolClientId(this, 'UserPoolClientId', 'client-id');
    const identityPool = new cognitoidp.IdentityPool(this, 'IdentityPool', {
      // ~
      roleMappings: [
        {
          mappingKey: 'cognito', 
          providerUrl: cognitoidp.IdentityPoolProviderUrl.userPool(userPool, userPoolClient), // ! type error here !
          useToken: true
        }
      ],
      allowUnauthenticatedIdentities: false
    });
```

### Description of changes
The argument types of the `IdentityPoolProviderUrl.userPool` method are changed to `IUserPool` and `IUserPoolClient`.
This method requires the `userPoolProviderName` of the userPool, but since it does not exist for `IUserPool`, a property was added.
Since this property is required in the `UserPool` construct, it is also required in `IUserPool`.
https://github.com/aws/aws-cdk/blob/c3003ab41f0efc763f39eb2cab490c8a005e146b/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts#L902

I add a required attribute to the Interface of the aws-cognito module(stable), but I do not think this to be a breaking change.
Please let me know if it is not.



### Description of how you validated changes
Unit tests and integ tests are added to verify that the imported userPool and client can be used.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
sakurai-ryo authored Sep 18, 2024
1 parent 1581190 commit 0fdd6a9
Showing 11 changed files with 583 additions and 99 deletions.
@@ -1,7 +1,7 @@
import {
CfnIdentityPool,
UserPool,
UserPoolClient,
IUserPool,
IUserPoolClient,
} from 'aws-cdk-lib/aws-cognito';
import {
IOpenIdConnectProvider,
Expand Down Expand Up @@ -158,7 +158,7 @@ export class IdentityPoolProviderUrl {
}

/** User Pool Provider Url */
public static userPool(userPool: UserPool, userPoolClient: UserPoolClient): IdentityPoolProviderUrl {
public static userPool(userPool: IUserPool, userPoolClient: IUserPoolClient): IdentityPoolProviderUrl {
const url = `${userPool.userPoolProviderName}:${userPoolClient.userPoolClientId}`;
return new IdentityPoolProviderUrl(IdentityPoolProviderType.USER_POOL, url);
}
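Review bot: The `/** User Pool Provider Url */` comment above the widened `userPool(userPool: IUserPool, userPoolClient: IUserPoolClient)` signature no longer tells callers what changes when an imported pool is passed: `userPool.userPoolProviderName` on the next line is then a deploy-time token (the snapshot in this commit resolves it with `Fn::Select`/`Fn::Split` over the pool ARN), so the composed `providerName:clientId` string can no longer be inspected at synth time, and nothing in this method checks that the client actually belongs to the pool. A TSDoc along the lines of `/** Provider URL for a Cognito user pool and one of its app clients, formatted as <providerName>:<clientId>. Imported pools and clients are accepted; for an imported pool the provider name is a deploy-time token, and no check is made that the client belongs to the pool. */` would make that contract explicit. The enclosing `IdentityPoolProviderUrl` class starts and ends outside the hunk.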
Expand Up @@ -3,6 +3,7 @@ import {
} from 'aws-cdk-lib/assertions';
import {
UserPool,
UserPoolClient,
UserPoolIdentityProvider,
} from 'aws-cdk-lib/aws-cognito';
import {
Expand Down Expand Up @@ -728,4 +729,39 @@ describe('role mappings', () => {
},
});
});

test('role mapping with an imported user pool and client', () => {
const stack = new Stack();
const importedPool = UserPool.fromUserPoolArn(stack, 'ImportedPool', 'arn:aws:cognito-idp:us-east-1:0123456789012:userpool/test-user-pool');
const importedClient = UserPoolClient.fromUserPoolClientId(stack, 'ImportedPoolClient', 'client-id');
new IdentityPool(stack, 'TestIdentityPoolRoleMappingRules', {
roleMappings: [{
mappingKey: 'cognito',
providerUrl: IdentityPoolProviderUrl.userPool(importedPool, importedClient),
useToken: true,
}],
});
const temp = Template.fromStack(stack);
temp.resourceCountIs('AWS::Cognito::IdentityPoolRoleAttachment', 1);
temp.hasResourceProperties('AWS::Cognito::IdentityPoolRoleAttachment', {
IdentityPoolId: {
Ref: 'TestIdentityPoolRoleMappingRulesC8C07BC3',
},
RoleMappings: {
cognito: {
IdentityProvider: {
'Fn::Join': [
'',
[
'cognito-idp.us-east-1.',
{ Ref: 'AWS::URLSuffix' },
'/test-user-pool:client-id',
],
],
},
Type: 'Token',
},
},
});
});
});
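Review bot: The new test covers only `UserPool.fromUserPoolArn`, where region and pool id are read from the ARN (hence the `'cognito-idp.us-east-1.'` and `'/test-user-pool:client-id'` segments asserted here); a pool imported with `UserPool.fromUserPoolId` has no ARN to take the region from, and if its `userPoolProviderName` resolves differently a second case pinning the resulting `IdentityProvider` value would close that gap. Minor fixture nit: the account field in `arn:aws:cognito-idp:us-east-1:0123456789012:userpool/test-user-pool` is 13 digits, while AWS account ids are 12; `arn:aws:cognito-idp:us-east-1:123456789012:userpool/test-user-pool` keeps the fixture realistic should ARN validation ever be tightened. The enclosing `describe('role mappings')` block starts outside the hunk.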

Expand Up @@ -34,9 +34,6 @@
"PooltestClientFE8D4935": {
"Type": "AWS::Cognito::UserPoolClient",
"Properties": {
"UserPoolId": {
"Ref": "PoolD3F588B8"
},
"AllowedOAuthFlows": [
"implicit",
"code"
Expand All @@ -57,17 +54,15 @@
"Ref": "PoolProviderGoogle76A1E8D0"
},
"COGNITO"
]
],
"UserPoolId": {
"Ref": "PoolD3F588B8"
}
}
},
"PoolProviderGoogle76A1E8D0": {
"Type": "AWS::Cognito::UserPoolIdentityProvider",
"Properties": {
"ProviderName": "Google",
"ProviderType": "Google",
"UserPoolId": {
"Ref": "PoolD3F588B8"
},
"AttributeMapping": {
"given_name": "given_name",
"family_name": "family_name",
Expand All @@ -79,6 +74,11 @@
"client_id": "google-client-id",
"client_secret": "google-client-secret",
"authorize_scopes": "profile"
},
"ProviderName": "Google",
"ProviderType": "Google",
"UserPoolId": {
"Ref": "PoolD3F588B8"
}
}
},
Expand Down Expand Up @@ -116,9 +116,6 @@
"OtherPoolUserPoolAuthenticationProviderClient08F670F8": {
"Type": "AWS::Cognito::UserPoolClient",
"Properties": {
"UserPoolId": {
"Ref": "OtherPool7DA7F2F7"
},
"AllowedOAuthFlows": [
"implicit",
"code"
Expand All @@ -139,17 +136,15 @@
"Ref": "OtherPoolProviderAmazon4EB0592F"
},
"COGNITO"
]
],
"UserPoolId": {
"Ref": "OtherPool7DA7F2F7"
}
}
},
"OtherPoolProviderAmazon4EB0592F": {
"Type": "AWS::Cognito::UserPoolIdentityProvider",
"Properties": {
"ProviderName": "LoginWithAmazon",
"ProviderType": "LoginWithAmazon",
"UserPoolId": {
"Ref": "OtherPool7DA7F2F7"
},
"AttributeMapping": {
"given_name": "name",
"email": "email",
Expand All @@ -159,14 +154,76 @@
"client_id": "amzn-client-id",
"client_secret": "amzn-client-secret",
"authorize_scopes": "profile"
},
"ProviderName": "LoginWithAmazon",
"ProviderType": "LoginWithAmazon",
"UserPoolId": {
"Ref": "OtherPool7DA7F2F7"
}
}
},
"UserPoolToImport1A7C21D3": {
"Type": "AWS::Cognito::UserPool",
"Properties": {
"AccountRecoverySetting": {
"RecoveryMechanisms": [
{
"Name": "verified_phone_number",
"Priority": 1
},
{
"Name": "verified_email",
"Priority": 2
}
]
},
"AdminCreateUserConfig": {
"AllowAdminCreateUserOnly": true
},
"EmailVerificationMessage": "The verification code to your new account is {####}",
"EmailVerificationSubject": "Verify your new account",
"SmsVerificationMessage": "The verification code to your new account is {####}",
"VerificationMessageTemplate": {
"DefaultEmailOption": "CONFIRM_WITH_CODE",
"EmailMessage": "The verification code to your new account is {####}",
"EmailSubject": "Verify your new account",
"SmsMessage": "The verification code to your new account is {####}"
}
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain"
},
"UserPoolToImportclientToImport6885CDF7": {
"Type": "AWS::Cognito::UserPoolClient",
"Properties": {
"AllowedOAuthFlows": [
"implicit",
"code"
],
"AllowedOAuthFlowsUserPoolClient": true,
"AllowedOAuthScopes": [
"profile",
"phone",
"email",
"openid",
"aws.cognito.signin.user.admin"
],
"CallbackURLs": [
"https://example.com"
],
"SupportedIdentityProviders": [
"COGNITO"
],
"UserPoolId": {
"Ref": "UserPoolToImport1A7C21D3"
}
}
},
"identitypoolE2A6D099": {
"Type": "AWS::Cognito::IdentityPool",
"Properties": {
"AllowUnauthenticatedIdentities": false,
"AllowClassicFlow": true,
"AllowUnauthenticatedIdentities": false,
"CognitoIdentityProviders": [
{
"ClientId": {
Expand All @@ -193,6 +250,54 @@
},
"ServerSideTokenCheck": true
},
{
"ClientId": {
"Ref": "UserPoolToImportclientToImport6885CDF7"
},
"ProviderName": {
"Fn::Join": [
"",
[
"cognito-idp.",
{
"Ref": "AWS::Region"
},
".",
{
"Ref": "AWS::URLSuffix"
},
"/",
{
"Fn::Select": [
1,
{
"Fn::Split": [
"/",
{
"Fn::Select": [
5,
{
"Fn::Split": [
":",
{
"Fn::GetAtt": [
"UserPoolToImport1A7C21D3",
"Arn"
]
}
]
}
]
}
]
}
]
}
]
]
},
"ServerSideTokenCheck": true
},
{
"ClientId": {
"Ref": "OtherPoolUserPoolAuthenticationProviderClient08F670F8"
Expand Down Expand Up @@ -407,6 +512,69 @@
]
},
"Type": "Token"
},
"importedUserPool": {
"AmbiguousRoleResolution": "Deny",
"IdentityProvider": {
"Fn::Join": [
"",
[
"cognito-idp.",
{
"Fn::Select": [
3,
{
"Fn::Split": [
":",
{
"Fn::GetAtt": [
"UserPoolToImport1A7C21D3",
"Arn"
]
}
]
}
]
},
".",
{
"Ref": "AWS::URLSuffix"
},
"/",
{
"Fn::Select": [
1,
{
"Fn::Split": [
"/",
{
"Fn::Select": [
5,
{
"Fn::Split": [
":",
{
"Fn::GetAtt": [
"UserPoolToImport1A7C21D3",
"Arn"
]
}
]
}
]
}
]
}
]
},
":",
{
"Ref": "UserPoolToImportclientToImport6885CDF7"
}
]
]
},
"Type": "Token"
}
},
"Roles": {
