From 0fdd6a92ac7196e5498969be2743019f825b9262 Mon Sep 17 00:00:00 2001 From: sakurai-ryo Date: Thu, 19 Sep 2024 07:17:00 +0900 Subject: [PATCH] fix(cognito-identitypool-alpha): cannot configure roleMappings with imported userPool and client (#30421) ### Issue # (if applicable) Closes #30304 ### Reason for this change Currently, we cannot use imported user pools and clients for role mapping in an identity pool. This is because the `IdentityPoolProviderUrl.userPool` method takes an L2 construct as its argument type instead of Interface (`IUserPool`, `IUserPoolClient`). ```ts const userPool = cognito.UserPool.fromUserPoolArn(this, 'CognitoUserPool', 'arn'); const userPoolClient = cognito.UserPoolClient.fromUserPoolClientId(this, 'UserPoolClientId', 'client-id'); const identityPool = new cognitoidp.IdentityPool(this, 'IdentityPool', { // ~ roleMappings: [ { mappingKey: 'cognito', providerUrl: cognitoidp.IdentityPoolProviderUrl.userPool(userPool, userPoolClient), // ! type error here ! useToken: true } ], allowUnauthenticatedIdentities: false }); ``` ### Description of changes The argument types of the `IdentityPoolProviderUrl.userPool` method are changed to `IUserPool` and `IUserPoolClient`. This method requires the `userPoolProviderName` of the userPool, but since it does not exist for `IUserPool`, a property was added. Since this property is required in the `UserPool` construct, it is also required in `IUserPool`. https://github.com/aws/aws-cdk/blob/c3003ab41f0efc763f39eb2cab490c8a005e146b/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts#L902 I add a required attribute to the Interface of the aws-cognito module(stable), but I do not think this to be a breaking change. Please let me know if it is not. ### Description of how you validated changes Unit tests and integ tests are added to verify that the imported userPool and clinet can be used. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../lib/identitypool.ts | 6 +- .../test/identitypool.test.ts | 36 ++ .../integ.identitypool.js.snapshot/cdk.out | 2 +- .../integ-identitypool.assets.json | 6 +- .../integ-identitypool.template.json | 206 +++++++++- .../integ.identitypool.js.snapshot/integ.json | 2 +- .../manifest.json | 38 +- .../integ.identitypool.js.snapshot/tree.json | 358 +++++++++++++++--- .../test/integ.identitypool.ts | 13 +- .../aws-cdk-lib/aws-cognito/lib/user-pool.ts | 12 + .../aws-cognito/test/user-pool.test.ts | 3 + 11 files changed, 583 insertions(+), 99 deletions(-) diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool.ts b/packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool.ts index 1277bd682013f..c738279822b0a 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool.ts +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool.ts @@ -1,7 +1,7 @@ import { CfnIdentityPool, - UserPool, - UserPoolClient, + IUserPool, + IUserPoolClient, } from 'aws-cdk-lib/aws-cognito'; import { IOpenIdConnectProvider, @@ -158,7 +158,7 @@ export class IdentityPoolProviderUrl { } /** User Pool Provider Url */ - public static userPool(userPool: UserPool, userPoolClient: UserPoolClient): IdentityPoolProviderUrl { + public static userPool(userPool: IUserPool, userPoolClient: IUserPoolClient): IdentityPoolProviderUrl { const url = `${userPool.userPoolProviderName}:${userPoolClient.userPoolClientId}`; return new IdentityPoolProviderUrl(IdentityPoolProviderType.USER_POOL, url); } diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/identitypool.test.ts b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/identitypool.test.ts index 417c848c4407f..d7864e97cfb3f 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/identitypool.test.ts +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/identitypool.test.ts @@ -3,6 +3,7 @@ import { } from 'aws-cdk-lib/assertions'; import { UserPool, + UserPoolClient, UserPoolIdentityProvider, } from 'aws-cdk-lib/aws-cognito'; import { @@ -728,4 +729,39 @@ describe('role mappings', () => { }, }); }); + + test('role mapping with an imported user pool and client', () => { + const stack = new Stack(); + const importedPool = UserPool.fromUserPoolArn(stack, 'ImportedPool', 'arn:aws:cognito-idp:us-east-1:0123456789012:userpool/test-user-pool'); + const importedClient = UserPoolClient.fromUserPoolClientId(stack, 'ImportedPoolClient', 'client-id'); + new IdentityPool(stack, 'TestIdentityPoolRoleMappingRules', { + roleMappings: [{ + mappingKey: 'cognito', + providerUrl: IdentityPoolProviderUrl.userPool(importedPool, importedClient), + useToken: true, + }], + }); + const temp = Template.fromStack(stack); + temp.resourceCountIs('AWS::Cognito::IdentityPoolRoleAttachment', 1); + temp.hasResourceProperties('AWS::Cognito::IdentityPoolRoleAttachment', { + IdentityPoolId: { + Ref: 'TestIdentityPoolRoleMappingRulesC8C07BC3', + }, + RoleMappings: { + cognito: { + IdentityProvider: { + 'Fn::Join': [ + '', + [ + 'cognito-idp.us-east-1.', + { Ref: 'AWS::URLSuffix' }, + '/test-user-pool:client-id', + ], + ], + }, + Type: 'Token', + }, + }, + }); + }); }); diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/cdk.out b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/cdk.out index 588d7b269d34f..4efaa16f29af9 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/cdk.out +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"20.0.0"} \ No newline at end of file +{"version":"36.0.24"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-identitypool.assets.json b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-identitypool.assets.json index 2d422e5ff0227..c1102a1836ed7 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-identitypool.assets.json +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-identitypool.assets.json @@ -1,7 +1,7 @@ { - "version": "20.0.0", + "version": "36.0.24", "files": { - "ba3fc84048e7b640e5c349fc2c90bc998d6ca8de19283a433e4c860faf487850": { + "95c3270b9957ed0d53e5665bfe7322f80c61e9fecf25b42cd297caf6bee04ddf": { "source": { "path": "integ-identitypool.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "ba3fc84048e7b640e5c349fc2c90bc998d6ca8de19283a433e4c860faf487850.json", + "objectKey": "95c3270b9957ed0d53e5665bfe7322f80c61e9fecf25b42cd297caf6bee04ddf.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-identitypool.template.json b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-identitypool.template.json index 2b238e357aaa4..a9e51577a8bd5 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-identitypool.template.json +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-identitypool.template.json @@ -34,9 +34,6 @@ "PooltestClientFE8D4935": { "Type": "AWS::Cognito::UserPoolClient", "Properties": { - "UserPoolId": { - "Ref": "PoolD3F588B8" - }, "AllowedOAuthFlows": [ "implicit", "code" @@ -57,17 +54,15 @@ "Ref": "PoolProviderGoogle76A1E8D0" }, "COGNITO" - ] + ], + "UserPoolId": { + "Ref": "PoolD3F588B8" + } } }, "PoolProviderGoogle76A1E8D0": { "Type": "AWS::Cognito::UserPoolIdentityProvider", "Properties": { - "ProviderName": "Google", - "ProviderType": "Google", - "UserPoolId": { - "Ref": "PoolD3F588B8" - }, "AttributeMapping": { "given_name": "given_name", "family_name": "family_name", @@ -79,6 +74,11 @@ "client_id": "google-client-id", "client_secret": "google-client-secret", "authorize_scopes": "profile" + }, + "ProviderName": "Google", + "ProviderType": "Google", + "UserPoolId": { + "Ref": "PoolD3F588B8" } } }, @@ -116,9 +116,6 @@ "OtherPoolUserPoolAuthenticationProviderClient08F670F8": { "Type": "AWS::Cognito::UserPoolClient", "Properties": { - "UserPoolId": { - "Ref": "OtherPool7DA7F2F7" - }, "AllowedOAuthFlows": [ "implicit", "code" @@ -139,17 +136,15 @@ "Ref": "OtherPoolProviderAmazon4EB0592F" }, "COGNITO" - ] + ], + "UserPoolId": { + "Ref": "OtherPool7DA7F2F7" + } } }, "OtherPoolProviderAmazon4EB0592F": { "Type": "AWS::Cognito::UserPoolIdentityProvider", "Properties": { - "ProviderName": "LoginWithAmazon", - "ProviderType": "LoginWithAmazon", - "UserPoolId": { - "Ref": "OtherPool7DA7F2F7" - }, "AttributeMapping": { "given_name": "name", "email": "email", @@ -159,14 +154,76 @@ "client_id": "amzn-client-id", "client_secret": "amzn-client-secret", "authorize_scopes": "profile" + }, + "ProviderName": "LoginWithAmazon", + "ProviderType": "LoginWithAmazon", + "UserPoolId": { + "Ref": "OtherPool7DA7F2F7" + } + } + }, + "UserPoolToImport1A7C21D3": { + "Type": "AWS::Cognito::UserPool", + "Properties": { + "AccountRecoverySetting": { + "RecoveryMechanisms": [ + { + "Name": "verified_phone_number", + "Priority": 1 + }, + { + "Name": "verified_email", + "Priority": 2 + } + ] + }, + "AdminCreateUserConfig": { + "AllowAdminCreateUserOnly": true + }, + "EmailVerificationMessage": "The verification code to your new account is {####}", + "EmailVerificationSubject": "Verify your new account", + "SmsVerificationMessage": "The verification code to your new account is {####}", + "VerificationMessageTemplate": { + "DefaultEmailOption": "CONFIRM_WITH_CODE", + "EmailMessage": "The verification code to your new account is {####}", + "EmailSubject": "Verify your new account", + "SmsMessage": "The verification code to your new account is {####}" + } + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "UserPoolToImportclientToImport6885CDF7": { + "Type": "AWS::Cognito::UserPoolClient", + "Properties": { + "AllowedOAuthFlows": [ + "implicit", + "code" + ], + "AllowedOAuthFlowsUserPoolClient": true, + "AllowedOAuthScopes": [ + "profile", + "phone", + "email", + "openid", + "aws.cognito.signin.user.admin" + ], + "CallbackURLs": [ + "https://example.com" + ], + "SupportedIdentityProviders": [ + "COGNITO" + ], + "UserPoolId": { + "Ref": "UserPoolToImport1A7C21D3" } } }, "identitypoolE2A6D099": { "Type": "AWS::Cognito::IdentityPool", "Properties": { - "AllowUnauthenticatedIdentities": false, "AllowClassicFlow": true, + "AllowUnauthenticatedIdentities": false, "CognitoIdentityProviders": [ { "ClientId": { @@ -193,6 +250,54 @@ }, "ServerSideTokenCheck": true }, + { + "ClientId": { + "Ref": "UserPoolToImportclientToImport6885CDF7" + }, + "ProviderName": { + "Fn::Join": [ + "", + [ + "cognito-idp.", + { + "Ref": "AWS::Region" + }, + ".", + { + "Ref": "AWS::URLSuffix" + }, + "/", + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + "/", + { + "Fn::Select": [ + 5, + { + "Fn::Split": [ + ":", + { + "Fn::GetAtt": [ + "UserPoolToImport1A7C21D3", + "Arn" + ] + } + ] + } + ] + } + ] + } + ] + } + ] + ] + }, + "ServerSideTokenCheck": true + }, { "ClientId": { "Ref": "OtherPoolUserPoolAuthenticationProviderClient08F670F8" @@ -407,6 +512,69 @@ ] }, "Type": "Token" + }, + "importedUserPool": { + "AmbiguousRoleResolution": "Deny", + "IdentityProvider": { + "Fn::Join": [ + "", + [ + "cognito-idp.", + { + "Fn::Select": [ + 3, + { + "Fn::Split": [ + ":", + { + "Fn::GetAtt": [ + "UserPoolToImport1A7C21D3", + "Arn" + ] + } + ] + } + ] + }, + ".", + { + "Ref": "AWS::URLSuffix" + }, + "/", + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + "/", + { + "Fn::Select": [ + 5, + { + "Fn::Split": [ + ":", + { + "Fn::GetAtt": [ + "UserPoolToImport1A7C21D3", + "Arn" + ] + } + ] + } + ] + } + ] + } + ] + }, + ":", + { + "Ref": "UserPoolToImportclientToImport6885CDF7" + } + ] + ] + }, + "Type": "Token" } }, "Roles": { diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ.json b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ.json index 835feb143da7e..a6da93ace5e11 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ.json +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "20.0.0", + "version": "36.0.24", "testCases": { "integ.identitypool": { "stacks": [ diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/manifest.json b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/manifest.json index abaafd1395aee..143493c68d4b7 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/manifest.json @@ -1,12 +1,6 @@ { - "version": "20.0.0", + "version": "36.0.24", "artifacts": { - "Tree": { - "type": "cdk:tree", - "properties": { - "file": "tree.json" - } - }, "integ-identitypool.assets": { "type": "cdk:asset-manifest", "properties": { @@ -20,10 +14,11 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "integ-identitypool.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/ba3fc84048e7b640e5c349fc2c90bc998d6ca8de19283a433e4c860faf487850.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/95c3270b9957ed0d53e5665bfe7322f80c61e9fecf25b42cd297caf6bee04ddf.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -75,6 +70,18 @@ "data": "OtherPoolProviderAmazon4EB0592F" } ], + "/integ-identitypool/UserPoolToImport/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "UserPoolToImport1A7C21D3" + } + ], + "/integ-identitypool/UserPoolToImport/clientToImport/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "UserPoolToImportclientToImport6885CDF7" + } + ], "/integ-identitypool/identitypool/Resource": [ { "type": "aws:cdk:logicalId", @@ -122,18 +129,15 @@ "type": "aws:cdk:logicalId", "data": "CheckBootstrapVersion" } - ], - "PoolUserPoolAuthenticationProviderClient20F2FFC4": [ - { - "type": "aws:cdk:logicalId", - "data": "PoolUserPoolAuthenticationProviderClient20F2FFC4", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" - ] - } ] }, "displayName": "integ-identitypool" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/tree.json b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/tree.json index fe5732fa13788..4f98d36a67bea 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/tree.json @@ -4,14 +4,6 @@ "id": "App", "path": "", "children": { - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" - } - }, "integ-identitypool": { "id": "integ-identitypool", "path": "integ-identitypool", @@ -53,7 +45,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-cognito.CfnUserPool", + "fqn": "aws-cdk-lib.aws_cognito.CfnUserPool", "version": "0.0.0" } }, @@ -67,9 +59,6 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::Cognito::UserPoolClient", "aws:cdk:cloudformation:props": { - "userPoolId": { - "Ref": "PoolD3F588B8" - }, "allowedOAuthFlows": [ "implicit", "code" @@ -90,23 +79,26 @@ "Ref": "PoolProviderGoogle76A1E8D0" }, "COGNITO" - ] + ], + "userPoolId": { + "Ref": "PoolD3F588B8" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-cognito.CfnUserPoolClient", + "fqn": "aws-cdk-lib.aws_cognito.CfnUserPoolClient", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-cognito.UserPoolClient", + "fqn": "aws-cdk-lib.aws_cognito.UserPoolClient", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-cognito.UserPool", + "fqn": "aws-cdk-lib.aws_cognito.UserPool", "version": "0.0.0" } }, @@ -120,11 +112,6 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::Cognito::UserPoolIdentityProvider", "aws:cdk:cloudformation:props": { - "providerName": "Google", - "providerType": "Google", - "userPoolId": { - "Ref": "PoolD3F588B8" - }, "attributeMapping": { "given_name": "given_name", "family_name": "family_name", @@ -136,17 +123,22 @@ "client_id": "google-client-id", "client_secret": "google-client-secret", "authorize_scopes": "profile" + }, + "providerName": "Google", + "providerType": "Google", + "userPoolId": { + "Ref": "PoolD3F588B8" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-cognito.CfnUserPoolIdentityProvider", + "fqn": "aws-cdk-lib.aws_cognito.CfnUserPoolIdentityProvider", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-cognito.UserPoolIdentityProviderGoogle", + "fqn": "aws-cdk-lib.aws_cognito.UserPoolIdentityProviderGoogle", "version": "0.0.0" } }, @@ -187,7 +179,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-cognito.CfnUserPool", + "fqn": "aws-cdk-lib.aws_cognito.CfnUserPool", "version": "0.0.0" } }, @@ -201,9 +193,6 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::Cognito::UserPoolClient", "aws:cdk:cloudformation:props": { - "userPoolId": { - "Ref": "OtherPool7DA7F2F7" - }, "allowedOAuthFlows": [ "implicit", "code" @@ -224,23 +213,26 @@ "Ref": "OtherPoolProviderAmazon4EB0592F" }, "COGNITO" - ] + ], + "userPoolId": { + "Ref": "OtherPool7DA7F2F7" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-cognito.CfnUserPoolClient", + "fqn": "aws-cdk-lib.aws_cognito.CfnUserPoolClient", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-cognito.UserPoolClient", + "fqn": "aws-cdk-lib.aws_cognito.UserPoolClient", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-cognito.UserPool", + "fqn": "aws-cdk-lib.aws_cognito.UserPool", "version": "0.0.0" } }, @@ -254,11 +246,6 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::Cognito::UserPoolIdentityProvider", "aws:cdk:cloudformation:props": { - "providerName": "LoginWithAmazon", - "providerType": "LoginWithAmazon", - "userPoolId": { - "Ref": "OtherPool7DA7F2F7" - }, "attributeMapping": { "given_name": "name", "email": "email", @@ -268,17 +255,129 @@ "client_id": "amzn-client-id", "client_secret": "amzn-client-secret", "authorize_scopes": "profile" + }, + "providerName": "LoginWithAmazon", + "providerType": "LoginWithAmazon", + "userPoolId": { + "Ref": "OtherPool7DA7F2F7" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-cognito.CfnUserPoolIdentityProvider", + "fqn": "aws-cdk-lib.aws_cognito.CfnUserPoolIdentityProvider", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-cognito.UserPoolIdentityProviderAmazon", + "fqn": "aws-cdk-lib.aws_cognito.UserPoolIdentityProviderAmazon", + "version": "0.0.0" + } + }, + "UserPoolToImport": { + "id": "UserPoolToImport", + "path": "integ-identitypool/UserPoolToImport", + "children": { + "Resource": { + "id": "Resource", + "path": "integ-identitypool/UserPoolToImport/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Cognito::UserPool", + "aws:cdk:cloudformation:props": { + "accountRecoverySetting": { + "recoveryMechanisms": [ + { + "name": "verified_phone_number", + "priority": 1 + }, + { + "name": "verified_email", + "priority": 2 + } + ] + }, + "adminCreateUserConfig": { + "allowAdminCreateUserOnly": true + }, + "emailVerificationMessage": "The verification code to your new account is {####}", + "emailVerificationSubject": "Verify your new account", + "smsVerificationMessage": "The verification code to your new account is {####}", + "verificationMessageTemplate": { + "defaultEmailOption": "CONFIRM_WITH_CODE", + "emailMessage": "The verification code to your new account is {####}", + "emailSubject": "Verify your new account", + "smsMessage": "The verification code to your new account is {####}" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_cognito.CfnUserPool", + "version": "0.0.0" + } + }, + "clientToImport": { + "id": "clientToImport", + "path": "integ-identitypool/UserPoolToImport/clientToImport", + "children": { + "Resource": { + "id": "Resource", + "path": "integ-identitypool/UserPoolToImport/clientToImport/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Cognito::UserPoolClient", + "aws:cdk:cloudformation:props": { + "allowedOAuthFlows": [ + "implicit", + "code" + ], + "allowedOAuthFlowsUserPoolClient": true, + "allowedOAuthScopes": [ + "profile", + "phone", + "email", + "openid", + "aws.cognito.signin.user.admin" + ], + "callbackUrLs": [ + "https://example.com" + ], + "supportedIdentityProviders": [ + "COGNITO" + ], + "userPoolId": { + "Ref": "UserPoolToImport1A7C21D3" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_cognito.CfnUserPoolClient", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_cognito.UserPoolClient", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_cognito.UserPool", + "version": "0.0.0" + } + }, + "ImportedUserPool": { + "id": "ImportedUserPool", + "path": "integ-identitypool/ImportedUserPool", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "ImportedUserPoolClient": { + "id": "ImportedUserPoolClient", + "path": "integ-identitypool/ImportedUserPoolClient", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -292,8 +391,8 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::Cognito::IdentityPool", "aws:cdk:cloudformation:props": { - "allowUnauthenticatedIdentities": false, "allowClassicFlow": true, + "allowUnauthenticatedIdentities": false, "cognitoIdentityProviders": [ { "clientId": { @@ -320,6 +419,54 @@ }, "serverSideTokenCheck": true }, + { + "clientId": { + "Ref": "UserPoolToImportclientToImport6885CDF7" + }, + "providerName": { + "Fn::Join": [ + "", + [ + "cognito-idp.", + { + "Ref": "AWS::Region" + }, + ".", + { + "Ref": "AWS::URLSuffix" + }, + "/", + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + "/", + { + "Fn::Select": [ + 5, + { + "Fn::Split": [ + ":", + { + "Fn::GetAtt": [ + "UserPoolToImport1A7C21D3", + "Arn" + ] + } + ] + } + ] + } + ] + } + ] + } + ] + ] + }, + "serverSideTokenCheck": true + }, { "clientId": { "Ref": "OtherPoolUserPoolAuthenticationProviderClient08F670F8" @@ -354,7 +501,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-cognito.CfnIdentityPool", + "fqn": "aws-cdk-lib.aws_cognito.CfnIdentityPool", "version": "0.0.0" } }, @@ -362,6 +509,14 @@ "id": "AuthenticatedRole", "path": "integ-identitypool/identitypool/AuthenticatedRole", "children": { + "ImportAuthenticatedRole": { + "id": "ImportAuthenticatedRole", + "path": "integ-identitypool/identitypool/AuthenticatedRole/ImportAuthenticatedRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, "Resource": { "id": "Resource", "path": "integ-identitypool/identitypool/AuthenticatedRole/Resource", @@ -407,7 +562,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnRole", + "fqn": "aws-cdk-lib.aws_iam.CfnRole", "version": "0.0.0" } }, @@ -440,19 +595,19 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnPolicy", + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Policy", + "fqn": "aws-cdk-lib.aws_iam.Policy", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Role", + "fqn": "aws-cdk-lib.aws_iam.Role", "version": "0.0.0" } }, @@ -460,6 +615,14 @@ "id": "UnauthenticatedRole", "path": "integ-identitypool/identitypool/UnauthenticatedRole", "children": { + "ImportUnauthenticatedRole": { + "id": "ImportUnauthenticatedRole", + "path": "integ-identitypool/identitypool/UnauthenticatedRole/ImportUnauthenticatedRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, "Resource": { "id": "Resource", "path": "integ-identitypool/identitypool/UnauthenticatedRole/Resource", @@ -505,7 +668,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnRole", + "fqn": "aws-cdk-lib.aws_iam.CfnRole", "version": "0.0.0" } }, @@ -538,19 +701,19 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnPolicy", + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Policy", + "fqn": "aws-cdk-lib.aws_iam.Policy", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Role", + "fqn": "aws-cdk-lib.aws_iam.Role", "version": "0.0.0" } }, @@ -588,6 +751,69 @@ ] ] } + }, + "importedUserPool": { + "ambiguousRoleResolution": "Deny", + "type": "Token", + "identityProvider": { + "Fn::Join": [ + "", + [ + "cognito-idp.", + { + "Fn::Select": [ + 3, + { + "Fn::Split": [ + ":", + { + "Fn::GetAtt": [ + "UserPoolToImport1A7C21D3", + "Arn" + ] + } + ] + } + ] + }, + ".", + { + "Ref": "AWS::URLSuffix" + }, + "/", + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + "/", + { + "Fn::Select": [ + 5, + { + "Fn::Split": [ + ":", + { + "Fn::GetAtt": [ + "UserPoolToImport1A7C21D3", + "Arn" + ] + } + ] + } + ] + } + ] + } + ] + }, + ":", + { + "Ref": "UserPoolToImportclientToImport6885CDF7" + } + ] + ] + } } }, "roles": { @@ -607,32 +833,56 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-cognito.CfnIdentityPoolRoleAttachment", + "fqn": "aws-cdk-lib.aws_cognito.CfnIdentityPoolRoleAttachment", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-cognito-identitypool.IdentityPoolRoleAttachment", + "fqn": "@aws-cdk/aws-cognito-identitypool-alpha.IdentityPoolRoleAttachment", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-cognito-identitypool.IdentityPool", + "fqn": "@aws-cdk/aws-cognito-identitypool-alpha.IdentityPool", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "integ-identitypool/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "integ-identitypool/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", "version": "0.0.0" } } }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.85" + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.ts b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.ts index e2d1ff3b4528c..02e2aaa8069ec 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.ts +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.ts @@ -3,6 +3,7 @@ import { UserPoolIdentityProviderGoogle, UserPoolIdentityProviderAmazon, ProviderAttribute, + UserPoolClient, } from 'aws-cdk-lib/aws-cognito'; import { Effect, @@ -52,10 +53,15 @@ new UserPoolIdentityProviderAmazon(stack, 'OtherPoolProviderAmazon', { }, }); const client = userPool.addClient('testClient'); +const userPoolToImport = new UserPool(stack, 'UserPoolToImport'); +const clientToImport = userPoolToImport.addClient('clientToImport'); +const importedUserPool = UserPool.fromUserPoolArn(stack, 'ImportedUserPool', userPoolToImport.userPoolArn); +const importedUserPoolClient = UserPoolClient.fromUserPoolClientId(stack, 'ImportedUserPoolClient', clientToImport.userPoolClientId); const provider = new UserPoolAuthenticationProvider({ userPool, userPoolClient: client }); +const importedProvider = new UserPoolAuthenticationProvider({ userPool: importedUserPool, userPoolClient: importedUserPoolClient }); const idPool = new IdentityPool(stack, 'identitypool', { authenticationProviders: { - userPools: [provider], + userPools: [provider, importedProvider], amazon: { appId: 'amzn1.application.12312k3j234j13rjiwuenf' }, google: { clientId: '12345678012.apps.googleusercontent.com' }, }, @@ -65,6 +71,11 @@ const idPool = new IdentityPool(stack, 'identitypool', { providerUrl: IdentityPoolProviderUrl.userPool(userPool, client), useToken: true, }, + { + mappingKey: 'importedUserPool', + providerUrl: IdentityPoolProviderUrl.userPool(importedUserPool, importedUserPoolClient), + useToken: true, + }, ], allowClassicFlow: true, identityPoolName: 'my-id-pool', diff --git a/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts b/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts index 0778024aa2c26..ede93a84af1f0 100644 --- a/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts +++ b/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts @@ -767,6 +767,13 @@ export interface IUserPool extends IResource { */ readonly userPoolArn: string; + /** + * The provider name of this user pool resource + * + * @attribute + */ + readonly userPoolProviderName: string; + /** * Get all identity providers registered with this user pool. */ @@ -805,6 +812,7 @@ export interface IUserPool extends IResource { abstract class UserPoolBase extends Resource implements IUserPool { public abstract readonly userPoolId: string; public abstract readonly userPoolArn: string; + public abstract readonly userPoolProviderName: string; public readonly identityProviders: IUserPoolIdentityProvider[] = []; public addClient(id: string, options?: UserPoolClientOptions): UserPoolClient { @@ -870,10 +878,14 @@ export class UserPool extends UserPoolBase { } const userPoolId = arnParts.resourceName; + // ex) cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi + const providerName = `cognito-idp.${arnParts.region}.${Stack.of(scope).urlSuffix}/${userPoolId}`;; class ImportedUserPool extends UserPoolBase { public readonly userPoolArn = userPoolArn; public readonly userPoolId = userPoolId; + public readonly userPoolProviderName = providerName; + constructor() { super(scope, id, { account: arnParts.account, diff --git a/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts b/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts index 934f6a312c81b..d44a0c4e35e61 100644 --- a/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts +++ b/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts @@ -300,6 +300,9 @@ describe('User Pool', () => { const pool = UserPool.fromUserPoolArn(stack, 'userpool', userPoolArn); expect(pool.userPoolId).toEqual('test-user-pool'); expect(stack.resolve(pool.userPoolArn)).toEqual('arn:aws:cognito-idp:us-east-1:0123456789012:userpool/test-user-pool'); + expect(stack.resolve(pool.userPoolProviderName)).toEqual( + { 'Fn::Join': ['', ['cognito-idp.us-east-1.', { Ref: 'AWS::URLSuffix' }, '/test-user-pool']] }, + ); }); test('import using arn without resourceName fails', () => {