diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/cdk.out index 1f0068d32659a..91e1a8b9901d5 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"36.0.0"} \ No newline at end of file +{"version":"39.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/integ-user-pool.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/integ-user-pool.assets.json index 0e6dbbfea14ce..9a243c27c2043 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/integ-user-pool.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/integ-user-pool.assets.json @@ -1,7 +1,7 @@ { - "version": "36.0.0", + "version": "39.0.0", "files": { - "67c61d070926490e79cb63a78f9370d931353c0becc5dfc5426cc038f205bf8a": { + "e776d47f784e5411f051d7d60887df6aae08b994ab6bdd86134b0bfc3977df83": { "source": { "path": "integ-user-pool.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "67c61d070926490e79cb63a78f9370d931353c0becc5dfc5426cc038f205bf8a.json", + "objectKey": "e776d47f784e5411f051d7d60887df6aae08b994ab6bdd86134b0bfc3977df83.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/integ-user-pool.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/integ-user-pool.template.json index ba47fea5474f9..773e81e045096 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/integ-user-pool.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/integ-user-pool.template.json @@ -909,6 +909,7 @@ "AdvancedSecurityMode": "ENFORCED" }, "UserPoolName": "MyUserPool", + "UserPoolTier": "PLUS", "VerificationMessageTemplate": { "DefaultEmailOption": "CONFIRM_WITH_CODE", "EmailMessage": "verification email body from the integ test. Code is {####}.", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/integ.json index 5cc5f01ad1c5f..644347907d1fa 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "39.0.0", "testCases": { "integ.user-pool-explicit-props": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/manifest.json index b1f2c4b32458a..e26f1c0489c36 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/manifest.json 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "39.0.0", "artifacts": { "integ-user-pool.assets": { "type": "cdk:asset-manifest", @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/67c61d070926490e79cb63a78f9370d931353c0becc5dfc5426cc038f205bf8a.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/e776d47f784e5411f051d7d60887df6aae08b994ab6bdd86134b0bfc3977df83.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -34,6 +34,39 @@ "integ-user-pool.assets" ], "metadata": { + "/integ-user-pool/createAuthChallenge": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "functionName": "*", + "handler": "*", + "runtime": "*", + "code": "*" + } + } + ], + "/integ-user-pool/createAuthChallenge/ServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + } + ], + "/integ-user-pool/createAuthChallenge/ServiceRole/ImportServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/integ-user-pool/createAuthChallenge/ServiceRole/Resource": [ { "type": "aws:cdk:logicalId", 
@@ -46,6 +79,39 @@ "data": "createAuthChallengeB185B225" } ], + "/integ-user-pool/customMessage": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "functionName": "*", + "handler": "*", + "runtime": "*", + "code": "*" + } + } + ], + "/integ-user-pool/customMessage/ServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + } + ], + "/integ-user-pool/customMessage/ServiceRole/ImportServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/integ-user-pool/customMessage/ServiceRole/Resource": [ { "type": "aws:cdk:logicalId", @@ -58,6 +124,39 @@ "data": "customMessage52BA91E2" } ], + "/integ-user-pool/defineAuthChallenge": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "functionName": "*", + "handler": "*", + "runtime": "*", + "code": "*" + } + } + ], + "/integ-user-pool/defineAuthChallenge/ServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + } + ], + "/integ-user-pool/defineAuthChallenge/ServiceRole/ImportServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/integ-user-pool/defineAuthChallenge/ServiceRole/Resource": [ { "type": "aws:cdk:logicalId", 
@@ -70,6 +169,39 @@ "data": "defineAuthChallengeAE7BCDA1" } ], + "/integ-user-pool/postAuthentication": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "functionName": "*", + "handler": "*", + "runtime": "*", + "code": "*" + } + } + ], + "/integ-user-pool/postAuthentication/ServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + } + ], + "/integ-user-pool/postAuthentication/ServiceRole/ImportServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/integ-user-pool/postAuthentication/ServiceRole/Resource": [ { "type": "aws:cdk:logicalId", @@ -82,6 +214,39 @@ "data": "postAuthentication741BD8E3" } ], + "/integ-user-pool/postConfirmation": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "functionName": "*", + "handler": "*", + "runtime": "*", + "code": "*" + } + } + ], + "/integ-user-pool/postConfirmation/ServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + } + ], + "/integ-user-pool/postConfirmation/ServiceRole/ImportServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/integ-user-pool/postConfirmation/ServiceRole/Resource": [ { "type": "aws:cdk:logicalId", 
@@ -94,6 +259,39 @@ "data": "postConfirmationD5E3F1DD" } ], + "/integ-user-pool/preAuthentication": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "functionName": "*", + "handler": "*", + "runtime": "*", + "code": "*" + } + } + ], + "/integ-user-pool/preAuthentication/ServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + } + ], + "/integ-user-pool/preAuthentication/ServiceRole/ImportServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/integ-user-pool/preAuthentication/ServiceRole/Resource": [ { "type": "aws:cdk:logicalId", @@ -106,6 +304,39 @@ "data": "preAuthentication56F78C81" } ], + "/integ-user-pool/preSignUp": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "functionName": "*", + "handler": "*", + "runtime": "*", + "code": "*" + } + } + ], + "/integ-user-pool/preSignUp/ServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + } + ], + "/integ-user-pool/preSignUp/ServiceRole/ImportServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/integ-user-pool/preSignUp/ServiceRole/Resource": [ { "type": "aws:cdk:logicalId", 
@@ -118,6 +349,39 @@ "data": "preSignUp1934B27C" } ], + "/integ-user-pool/preTokenGeneration": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "functionName": "*", + "handler": "*", + "runtime": "*", + "code": "*" + } + } + ], + "/integ-user-pool/preTokenGeneration/ServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + } + ], + "/integ-user-pool/preTokenGeneration/ServiceRole/ImportServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/integ-user-pool/preTokenGeneration/ServiceRole/Resource": [ { "type": "aws:cdk:logicalId", @@ -130,6 +394,39 @@ "data": "preTokenGeneration1E968302" } ], + "/integ-user-pool/userMigration": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "functionName": "*", + "handler": "*", + "runtime": "*", + "code": "*" + } + } + ], + "/integ-user-pool/userMigration/ServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + } + ], + "/integ-user-pool/userMigration/ServiceRole/ImportServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/integ-user-pool/userMigration/ServiceRole/Resource": [ { "type": "aws:cdk:logicalId", 
@@ -142,6 +439,39 @@ "data": "userMigrationAAA960EC" } ], + "/integ-user-pool/verifyAuthChallengeResponse": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "functionName": "*", + "handler": "*", + "runtime": "*", + "code": "*" + } + } + ], + "/integ-user-pool/verifyAuthChallengeResponse/ServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + } + ], + "/integ-user-pool/verifyAuthChallengeResponse/ServiceRole/ImportServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/integ-user-pool/verifyAuthChallengeResponse/ServiceRole/Resource": [ { "type": "aws:cdk:logicalId", @@ -154,6 +484,59 @@ "data": "verifyAuthChallengeResponse211FE4A6" } ], + "/integ-user-pool/myuserpool": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "removalPolicy": "destroy", + "userPoolName": "*", + "userInvitation": { + "emailSubject": "*", + "emailBody": "*", + "smsMessage": "*" + }, + "selfSignUpEnabled": true, + "userVerification": { + "emailBody": "*", + "emailSubject": "*", + "smsMessage": "*" + }, + "signInAliases": { + "username": true, + "email": true + }, + "autoVerify": { + "email": true, + "phone": true + }, + "keepOriginal": { + "email": true, + "phone": true + }, + "standardAttributes": {}, + "customAttributes": "*", + "mfa": "OFF", + "mfaSecondFactor": { + "sms": true, + "otp": true + }, + "passwordPolicy": { + "tempPasswordValidity": "*", + "minLength": "*", + "requireDigits": true, + "requireLowercase": true, + "requireUppercase": true, + "requireSymbols": true + }, + "lambdaTriggers": { + "createAuthChallenge": "*" + }, + "advancedSecurityMode": "ENFORCED", + "featurePlan": "PLUS", + "snsRegion": "*" + } + } + ], "/integ-user-pool/myuserpool/CreateAuthChallengeCognito": [ { "type": "aws:cdk:logicalId", 
@@ -214,6 +597,24 @@ "data": "myuserpoolVerifyAuthChallengeResponseCognitoAEAB40FD" } ], + "/integ-user-pool/myuserpool/smsRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "inlinePolicies": "*" + } + } + ], + "/integ-user-pool/myuserpool/smsRole/ImportsmsRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/integ-user-pool/myuserpool/smsRole/Resource": [ { "type": "aws:cdk:logicalId", @@ -226,6 +627,17 @@ "data": "myuserpool01998219" } ], + "/integ-user-pool/myuserpool/myuserpooldomain": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "userPool": "*", + "cognitoDomain": { + "domainPrefix": "*" + } + } + } + ], "/integ-user-pool/myuserpool/myuserpooldomain/Resource": [ { "type": "aws:cdk:logicalId", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/tree.json index 70ae58cd5f1c6..0ad4baa454684 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/tree.json @@ -21,7 +21,10 @@ "path": "integ-user-pool/createAuthChallenge/ServiceRole/ImportServiceRole", "constructInfo": { "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + "*" + ] } }, "Resource": { @@ -66,7 +69,20 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + ] } }, "Resource": { 
@@ -97,7 +113,15 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_lambda.Function", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "functionName": "*", + "handler": "*", + "runtime": "*", + "code": "*" + } + ] } }, "customMessage": { @@ -113,7 +137,10 @@ "path": "integ-user-pool/customMessage/ServiceRole/ImportServiceRole", "constructInfo": { "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + "*" + ] } }, "Resource": { @@ -158,7 +185,20 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + ] } }, "Resource": { @@ -189,7 +229,15 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_lambda.Function", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "functionName": "*", + "handler": "*", + "runtime": "*", + "code": "*" + } + ] } }, "defineAuthChallenge": { @@ -205,7 +253,10 @@ "path": "integ-user-pool/defineAuthChallenge/ServiceRole/ImportServiceRole", "constructInfo": { "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + "*" + ] } }, "Resource": { @@ -250,7 +301,20 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + ] } }, "Resource": { @@ -281,7 +345,15 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_lambda.Function", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "functionName": "*", + "handler": "*", + "runtime": "*", + "code": "*" + } + ] } }, "postAuthentication": { 
@@ -297,7 +369,10 @@ "path": "integ-user-pool/postAuthentication/ServiceRole/ImportServiceRole", "constructInfo": { "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + "*" + ] } }, "Resource": { @@ -342,7 +417,20 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + ] } }, "Resource": { @@ -373,7 +461,15 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_lambda.Function", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "functionName": "*", + "handler": "*", + "runtime": "*", + "code": "*" + } + ] } }, "postConfirmation": { @@ -389,7 +485,10 @@ "path": "integ-user-pool/postConfirmation/ServiceRole/ImportServiceRole", "constructInfo": { "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + "*" + ] } }, "Resource": { @@ -434,7 +533,20 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + ] } }, "Resource": { @@ -465,7 +577,15 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_lambda.Function", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "functionName": "*", + "handler": "*", + "runtime": "*", + "code": "*" + } + ] } }, "preAuthentication": { @@ -481,7 +601,10 @@ "path": "integ-user-pool/preAuthentication/ServiceRole/ImportServiceRole", "constructInfo": { "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + "*" + ] } }, "Resource": { 
@@ -526,7 +649,20 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + ] } }, "Resource": { @@ -557,7 +693,15 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_lambda.Function", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "functionName": "*", + "handler": "*", + "runtime": "*", + "code": "*" + } + ] } }, "preSignUp": { @@ -573,7 +717,10 @@ "path": "integ-user-pool/preSignUp/ServiceRole/ImportServiceRole", "constructInfo": { "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + "*" + ] } }, "Resource": { @@ -618,7 +765,20 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + ] } }, "Resource": { @@ -649,7 +809,15 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_lambda.Function", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "functionName": "*", + "handler": "*", + "runtime": "*", + "code": "*" + } + ] } }, "preTokenGeneration": { @@ -665,7 +833,10 @@ "path": "integ-user-pool/preTokenGeneration/ServiceRole/ImportServiceRole", "constructInfo": { "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + "*" + ] } }, "Resource": { @@ -710,7 +881,20 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + ] } }, "Resource": { 
@@ -741,7 +925,15 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_lambda.Function", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "functionName": "*", + "handler": "*", + "runtime": "*", + "code": "*" + } + ] } }, "userMigration": { @@ -757,7 +949,10 @@ "path": "integ-user-pool/userMigration/ServiceRole/ImportServiceRole", "constructInfo": { "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + "*" + ] } }, "Resource": { @@ -802,7 +997,20 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + ] } }, "Resource": { @@ -833,7 +1041,15 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_lambda.Function", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "functionName": "*", + "handler": "*", + "runtime": "*", + "code": "*" + } + ] } }, "verifyAuthChallengeResponse": { @@ -849,7 +1065,10 @@ "path": "integ-user-pool/verifyAuthChallengeResponse/ServiceRole/ImportServiceRole", "constructInfo": { "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + "*" + ] } }, "Resource": { @@ -894,7 +1113,20 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + ] } }, "Resource": { @@ -925,7 +1157,15 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_lambda.Function", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "functionName": "*", + "handler": "*", + "runtime": "*", + "code": "*" + } + ] } }, "myuserpool": { 
@@ -1211,7 +1451,10 @@ "path": "integ-user-pool/myuserpool/smsRole/ImportsmsRole", "constructInfo": { "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + "*" + ] } }, "Resource": { @@ -1262,7 +1505,16 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "inlinePolicies": "*" + } + ] } }, "Resource": { @@ -1440,6 +1692,7 @@ "advancedSecurityMode": "ENFORCED" }, "userPoolName": "MyUserPool", + "userPoolTier": "PLUS", "verificationMessageTemplate": { "defaultEmailOption": "CONFIRM_WITH_CODE", "emailMessage": "verification email body from the integ test. Code is {####}.", 
@@ -1477,13 +1730,71 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_cognito.UserPoolDomain", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "userPool": "*", + "cognitoDomain": { + "domainPrefix": "*" + } + } + ] } } }, "constructInfo": { "fqn": "aws-cdk-lib.aws_cognito.UserPool", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "removalPolicy": "destroy", + "userPoolName": "*", + "userInvitation": { + "emailSubject": "*", + "emailBody": "*", + "smsMessage": "*" + }, + "selfSignUpEnabled": true, + "userVerification": { + "emailBody": "*", + "emailSubject": "*", + "smsMessage": "*" + }, + "signInAliases": { + "username": true, + "email": true + }, + "autoVerify": { + "email": true, + "phone": true + }, + "keepOriginal": { + "email": true, + "phone": true + }, + "standardAttributes": {}, + "customAttributes": "*", + "mfa": "OFF", + "mfaSecondFactor": { + "sms": true, + "otp": true + }, + "passwordPolicy": { + "tempPasswordValidity": "*", + "minLength": "*", + "requireDigits": true, + "requireLowercase": true, + "requireUppercase": true, + "requireSymbols": true + }, + "lambdaTriggers": { + "createAuthChallenge": "*" + }, + "advancedSecurityMode": "ENFORCED", + "featurePlan": "PLUS", + "snsRegion": "*" + } + ] } }, "userpoolId": { @@ -1529,7 +1840,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } } }, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.ts index d13b30c5a85b5..95a4434e9bdd0 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-explicit-props.ts 
@@ -1,6 +1,6 @@
 import { Code, Function, IFunction } from 'aws-cdk-lib/aws-lambda';
 import { App, CfnOutput, Duration, RemovalPolicy, Stack } from 'aws-cdk-lib';
-import { AdvancedSecurityMode, BooleanAttribute, DateTimeAttribute, Mfa, NumberAttribute, StringAttribute, UserPool } from 'aws-cdk-lib/aws-cognito';
+import { AdvancedSecurityMode, BooleanAttribute, DateTimeAttribute, FeaturePlan, Mfa, NumberAttribute, StringAttribute, UserPool } from 'aws-cdk-lib/aws-cognito';
 import { STANDARD_NODEJS_RUNTIME } from '../../config';
 const app = new App();
@@ -75,6 +75,7 @@ const userpool = new UserPool(stack, 'myuserpool', {
 verifyAuthChallengeResponse: dummyTrigger('verifyAuthChallengeResponse'),
 },
 advancedSecurityMode: AdvancedSecurityMode.ENFORCED,
+ featurePlan: FeaturePlan.PLUS,
 snsRegion: Stack.of(stack).region,
 });
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/cdk.out
index c6e612584e352..91e1a8b9901d5 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/cdk.out
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/cdk.out
@@ -1 +1 @@
-{"version":"38.0.1"}
\ No newline at end of file
+{"version":"39.0.0"}
\ No newline at end of file
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ-user-email-mfa.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ-user-email-mfa.assets.json
index c248f6865cf34..71596ddb0169a 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ-user-email-mfa.assets.json
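Review bot: In the second hunk of integ.user-pool-explicit-props.ts, the new `featurePlan: FeaturePlan.PLUS` is placed directly under `advancedSecurityMode: AdvancedSecurityMode.ENFORCED` with no comment saying the two belong together. Both tests touched by this commit add the plan next to an ENFORCED security mode, so the threat-protection setting appears to depend on the Plus tier, and a later edit that drops or downgrades the plan could quietly change what the test covers. I would add `// advancedSecurityMode ENFORCED relies on the Plus feature plan; change both together` above the new line, and the same comment in integ.user-pool-mfa-email.ts. The `new UserPool(...)` call starts before this hunk, so I cannot tell whether other props there also depend on the plan.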
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ-user-email-mfa.assets.json @@ -1,7 +1,7 @@ { - "version": "38.0.1", + "version": "39.0.0", "files": { - "57ebfe1ab6c8ce5faf8c2370ac901d380e8c968b793c3d82d66a3e6bd99983a8": { + "dede4b21c364166e64241d20b5916270a190b70ec1a4c8a5d848e5ac04ce77d1": { "source": { "path": "integ-user-email-mfa.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "57ebfe1ab6c8ce5faf8c2370ac901d380e8c968b793c3d82d66a3e6bd99983a8.json", + "objectKey": "dede4b21c364166e64241d20b5916270a190b70ec1a4c8a5d848e5ac04ce77d1.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ-user-email-mfa.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ-user-email-mfa.template.json index 0c32599ce87ee..ca8eb481ab947 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ-user-email-mfa.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ-user-email-mfa.template.json @@ -97,6 +97,7 @@ "AdvancedSecurityMode": "ENFORCED" }, "UserPoolName": "MyUserPool", + "UserPoolTier": "PLUS", "VerificationMessageTemplate": { "DefaultEmailOption": "CONFIRM_WITH_CODE", "EmailMessage": "The verification code to your new account is {####}", 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ.json index 88212ea89f5c4..f4102c8811f12 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ.json @@ -1,6 +1,6 @@ { "enableLookups": true, - "version": "38.0.1", + "version": "39.0.0", "testCases": { "integ-user-email-mfa-test/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integuseremailmfatestDefaultTestDeployAssertD4C43B3C.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integuseremailmfatestDefaultTestDeployAssertD4C43B3C.assets.json index e4126b91762e6..bba999ac61bc5 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integuseremailmfatestDefaultTestDeployAssertD4C43B3C.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integuseremailmfatestDefaultTestDeployAssertD4C43B3C.assets.json @@ -1,5 +1,5 @@ { - "version": "38.0.1", + "version": "39.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/manifest.json index 05c1c5dc19eee..ca3812a334826 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/manifest.json 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "38.0.1", + "version": "39.0.0", "artifacts": { "integ-user-email-mfa.assets": { "type": "cdk:asset-manifest", @@ -16,10 +16,9 @@ "templateFile": "integ-user-email-mfa.template.json", "terminationProtection": false, "validateOnSynth": false, - "notificationArns": [], "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/57ebfe1ab6c8ce5faf8c2370ac901d380e8c968b793c3d82d66a3e6bd99983a8.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/dede4b21c364166e64241d20b5916270a190b70ec1a4c8a5d848e5ac04ce77d1.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -35,6 +34,42 @@ "integ-user-email-mfa.assets" ], "metadata": { + "/integ-user-email-mfa/myuserpool": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "removalPolicy": "destroy", + "userPoolName": "*", + "email": "*", + "mfa": "ON", + "mfaSecondFactor": { + "sms": true, + "otp": false, + "email": true + }, + "advancedSecurityMode": "ENFORCED", + "featurePlan": "PLUS" + } + } + ], + "/integ-user-email-mfa/myuserpool/smsRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "inlinePolicies": "*" + } + } + ], + "/integ-user-email-mfa/myuserpool/smsRole/ImportsmsRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/integ-user-email-mfa/myuserpool/smsRole/Resource": [ { "type": "aws:cdk:logicalId", 
@@ -83,7 +118,6 @@ "templateFile": "integuseremailmfatestDefaultTestDeployAssertD4C43B3C.template.json", "terminationProtection": false, "validateOnSynth": false, - "notificationArns": [], "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/tree.json index a90269fcaff6c..23eceed103f1a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/tree.json @@ -21,7 +21,10 @@ "path": "integ-user-email-mfa/myuserpool/smsRole/ImportsmsRole", "constructInfo": { "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + "*" + ] } }, "Resource": { @@ -72,7 +75,16 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "inlinePolicies": "*" + } + ] } }, "Resource": { @@ -138,6 +150,7 @@ "advancedSecurityMode": "ENFORCED" }, "userPoolName": "MyUserPool", + "userPoolTier": "PLUS", "verificationMessageTemplate": { "defaultEmailOption": "CONFIRM_WITH_CODE", "emailMessage": "The verification code to your new account is {####}", 
@@ -154,7 +167,22 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_cognito.UserPool", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "removalPolicy": "destroy", + "userPoolName": "*", + "email": "*", + "mfa": "ON", + "mfaSecondFactor": { + "sms": true, + "otp": false, + "email": true + }, + "advancedSecurityMode": "ENFORCED", + "featurePlan": "PLUS" + } + ] } }, "user-pool-id": { @@ -200,7 +228,7 @@ "path": "integ-user-email-mfa-test/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } }, "DeployAssert": { @@ -246,7 +274,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } } }, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.ts index 417c70d5ecd2c..711b233460281 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.ts @@ -1,6 +1,6 @@ import { App, CfnOutput, RemovalPolicy, Stack } from 'aws-cdk-lib'; import { IntegTest } from '@aws-cdk/integ-tests-alpha'; -import { AdvancedSecurityMode, Mfa, UserPool, UserPoolEmail } from 'aws-cdk-lib/aws-cognito'; +import { AdvancedSecurityMode, FeaturePlan, Mfa, UserPool, UserPoolEmail } from 'aws-cdk-lib/aws-cognito'; /** * Before you run test, you must set up SES email identity and set domain to domainName. @@ -28,6 +28,7 @@ const userpool = new UserPool(stack, 'myuserpool', { email: true, }, advancedSecurityMode: AdvancedSecurityMode.ENFORCED, + featurePlan: FeaturePlan.PLUS, }); new CfnOutput(stack, 'user-pool-id', { 
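Review bot: In integ.user-pool-mfa-email.ts the added `featurePlan: FeaturePlan.PLUS,` sits directly under `advancedSecurityMode: AdvancedSecurityMode.ENFORCED` with no comment saying why the two now go together; the same pairing is added in integ.user-pool-pre-token-generation-v2.ts. The README change in this commit marks Advanced Security Mode as deprecated in favor of Threat Protection and says Threat Protection needs the PLUS plan, so presumably the plan was added to keep the ENFORCED setting deployable. I would add a line such as `// advancedSecurityMode is deprecated; PLUS is set so ENFORCED still deploys (see Threat Protection in the README)` above the property in both files, after confirming that this is the reason. The `new UserPool(...)` call starts before this hunk, and the `new CfnOutput(...)` call that follows it runs past the end of the hunk.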
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/cdk.out index 1f0068d32659a..91e1a8b9901d5 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"36.0.0"} \ No newline at end of file +{"version":"39.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/integ-user-pool-pre-token-generation-v2.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/integ-user-pool-pre-token-generation-v2.assets.json index e4880cdbd3418..ad195d603deb8 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/integ-user-pool-pre-token-generation-v2.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/integ-user-pool-pre-token-generation-v2.assets.json @@ -1,7 +1,7 @@ { - "version": "36.0.0", + "version": "39.0.0", "files": { - "99c1cd9f462b0eb4468998585bd7b2a90a4d3c254b5390023fb0414afc4e2279": { + "1cdb32097246d178618be8053189f6c775342d392a655a940b5884cf880491e6": { "source": { "path": "integ-user-pool-pre-token-generation-v2.template.json", "packaging": "file" 
@@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "99c1cd9f462b0eb4468998585bd7b2a90a4d3c254b5390023fb0414afc4e2279.json", + "objectKey": "1cdb32097246d178618be8053189f6c775342d392a655a940b5884cf880491e6.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/integ-user-pool-pre-token-generation-v2.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/integ-user-pool-pre-token-generation-v2.template.json index f0ee11466857e..6e124fae151c2 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/integ-user-pool-pre-token-generation-v2.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/integ-user-pool-pre-token-generation-v2.template.json @@ -85,6 +85,7 @@ "UserPoolAddOns": { "AdvancedSecurityMode": "ENFORCED" }, + "UserPoolTier": "PLUS", "VerificationMessageTemplate": { "DefaultEmailOption": "CONFIRM_WITH_CODE", "EmailMessage": "The verification code to your new account is {####}", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/integ.json index 8e9a275cc78c0..0663b4208daed 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/integ.json 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "39.0.0", "testCases": { "preTokenGenerationIntegTest/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/manifest.json index 77d0b18fac852..cc68d6bdb985b 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "39.0.0", "artifacts": { "integ-user-pool-pre-token-generation-v2.assets": { "type": "cdk:asset-manifest", @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/99c1cd9f462b0eb4468998585bd7b2a90a4d3c254b5390023fb0414afc4e2279.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/1cdb32097246d178618be8053189f6c775342d392a655a940b5884cf880491e6.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ 
@@ -34,6 +34,38 @@ "integ-user-pool-pre-token-generation-v2.assets" ], "metadata": { + "/integ-user-pool-pre-token-generation-v2/preTokenGenerationLambda": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "runtime": "*", + "handler": "*", + "code": "*" + } + } + ], + "/integ-user-pool-pre-token-generation-v2/preTokenGenerationLambda/ServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + } + ], + "/integ-user-pool-pre-token-generation-v2/preTokenGenerationLambda/ServiceRole/ImportServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/integ-user-pool-pre-token-generation-v2/preTokenGenerationLambda/ServiceRole/Resource": [ { "type": "aws:cdk:logicalId", @@ -46,6 +78,26 @@ "data": "preTokenGenerationLambda1F130400" } ], + "/integ-user-pool-pre-token-generation-v2/pool": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "removalPolicy": "destroy", + "advancedSecurityMode": "ENFORCED", + "featurePlan": "PLUS" + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addTrigger": [ + {}, + "*", + "V2_0" + ] + } + } + ], "/integ-user-pool-pre-token-generation-v2/pool/Resource": [ { "type": "aws:cdk:logicalId", @@ -58,6 +110,17 @@ "data": "poolPreTokenGenerationConfigCognito310B2A58" } ], + "/integ-user-pool-pre-token-generation-v2/pool/client": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "userPool": "*", + "authFlows": { + "userSrp": true + } + } + } + ], "/integ-user-pool-pre-token-generation-v2/pool/client/Resource": [ { "type": "aws:cdk:logicalId", 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/preTokenGenerationIntegTestDefaultTestDeployAssertF6CAA89D.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/preTokenGenerationIntegTestDefaultTestDeployAssertF6CAA89D.assets.json index fcccc235f36ff..6974536cd1463 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/preTokenGenerationIntegTestDefaultTestDeployAssertF6CAA89D.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/preTokenGenerationIntegTestDefaultTestDeployAssertF6CAA89D.assets.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "39.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/tree.json index 12c8bf51d5406..1a0175741f3e7 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.js.snapshot/tree.json @@ -21,7 +21,10 @@ "path": "integ-user-pool-pre-token-generation-v2/preTokenGenerationLambda/ServiceRole/ImportServiceRole", "constructInfo": { "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + "*" + ] } }, "Resource": { 
@@ -66,7 +69,20 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + ] } }, "Resource": { @@ -96,7 +112,14 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_lambda.Function", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "runtime": "*", + "handler": "*", + "code": "*" + } + ] } }, "pool": { @@ -141,6 +164,7 @@ "userPoolAddOns": { "advancedSecurityMode": "ENFORCED" }, + "userPoolTier": "PLUS", "verificationMessageTemplate": { "defaultEmailOption": "CONFIRM_WITH_CODE", "emailMessage": "The verification code to your new account is {####}", @@ -226,13 +250,35 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_cognito.UserPoolClient", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "userPool": "*", + "authFlows": { + "userSrp": true + } + } + ] } } }, "constructInfo": { "fqn": "aws-cdk-lib.aws_cognito.UserPool", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "removalPolicy": "destroy", + "advancedSecurityMode": "ENFORCED", + "featurePlan": "PLUS" + }, + { + "addTrigger": [ + {}, + "*", + "V2_0" + ] + } + ] } }, "BootstrapVersion": { @@ -270,7 +316,7 @@ "path": "preTokenGenerationIntegTest/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } }, "DeployAssert": { @@ -316,7 +362,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } } }, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.ts index 59e108b8af80e..fec618f67fa7e 100644 
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-pre-token-generation-v2.ts @@ -1,6 +1,6 @@ import * as lambda from 'aws-cdk-lib/aws-lambda'; import { App, RemovalPolicy, Stack } from 'aws-cdk-lib'; -import { AdvancedSecurityMode, LambdaVersion, UserPool, UserPoolOperation } from 'aws-cdk-lib/aws-cognito'; +import { AdvancedSecurityMode, FeaturePlan, LambdaVersion, UserPool, UserPoolOperation } from 'aws-cdk-lib/aws-cognito'; import { STANDARD_NODEJS_RUNTIME } from '../../config'; import * as integ from '@aws-cdk/integ-tests-alpha'; @@ -16,6 +16,7 @@ const triggerLambda = new lambda.Function(stack, 'preTokenGenerationLambda', { const userpool = new UserPool(stack, 'pool', { removalPolicy: RemovalPolicy.DESTROY, advancedSecurityMode: AdvancedSecurityMode.ENFORCED, + featurePlan: FeaturePlan.PLUS, }); userpool.addTrigger(UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG, triggerLambda, LambdaVersion.V2_0); diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.js.snapshot/IntegTestDefaultTestDeployAssertE3E7D2A4.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.js.snapshot/IntegTestDefaultTestDeployAssertE3E7D2A4.assets.json new file mode 100644 index 0000000000000..7fc0c7c6c51ec --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.js.snapshot/IntegTestDefaultTestDeployAssertE3E7D2A4.assets.json 
@@ -0,0 +1,19 @@ +{ + "version": "39.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "IntegTestDefaultTestDeployAssertE3E7D2A4.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.js.snapshot/IntegTestDefaultTestDeployAssertE3E7D2A4.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.js.snapshot/IntegTestDefaultTestDeployAssertE3E7D2A4.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.js.snapshot/IntegTestDefaultTestDeployAssertE3E7D2A4.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.js.snapshot/cdk.out new file mode 100644 index 0000000000000..91e1a8b9901d5 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"39.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.js.snapshot/integ-user-pool-threat-protection.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.js.snapshot/integ-user-pool-threat-protection.assets.json new file mode 100644 index 0000000000000..1249242dbefa2 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.js.snapshot/integ-user-pool-threat-protection.assets.json @@ -0,0 +1,19 @@ +{ + "version": "39.0.0", + "files": { + "04266265e7d8e908782d2d5c8252db65dd44513836a96f3c79f224f2ce316fb5": { + "source": { + "path": "integ-user-pool-threat-protection.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "04266265e7d8e908782d2d5c8252db65dd44513836a96f3c79f224f2ce316fb5.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.js.snapshot/integ-user-pool-threat-protection.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.js.snapshot/integ-user-pool-threat-protection.template.json new file mode 100644 index 0000000000000..48891c75c4a0b --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.js.snapshot/integ-user-pool-threat-protection.template.json 
@@ -0,0 +1,111 @@ +{ + "Resources": { + "userpoolstandardthreatprotection0937AC57": { + "Type": "AWS::Cognito::UserPool", + "Properties": { + "AccountRecoverySetting": { + "RecoveryMechanisms": [ + { + "Name": "verified_phone_number", + "Priority": 1 + }, + { + "Name": "verified_email", + "Priority": 2 + } + ] + }, + "AdminCreateUserConfig": { + "AllowAdminCreateUserOnly": true + }, + "EmailVerificationMessage": "The verification code to your new account is {####}", + "EmailVerificationSubject": "Verify your new account", + "SmsVerificationMessage": "The verification code to your new account is {####}", + "UserPoolAddOns": { + "AdvancedSecurityMode": "ENFORCED" + }, + "UserPoolTier": "PLUS", + "VerificationMessageTemplate": { + "DefaultEmailOption": "CONFIRM_WITH_CODE", + "EmailMessage": "The verification code to your new account is {####}", + "EmailSubject": "Verify your new account", + "SmsMessage": "The verification code to your new account is {####}" + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "userpoolcustomthreatprotection2B795E28": { + "Type": "AWS::Cognito::UserPool", + "Properties": { + "AccountRecoverySetting": { + "RecoveryMechanisms": [ + { + "Name": "verified_phone_number", + "Priority": 1 + }, + { + "Name": "verified_email", + "Priority": 2 + } + ] + }, + "AdminCreateUserConfig": { + "AllowAdminCreateUserOnly": true + }, + "EmailVerificationMessage": "The verification code to your new account is {####}", + "EmailVerificationSubject": "Verify your new account", + "SmsVerificationMessage": "The verification code to your new account is {####}", + "UserPoolAddOns": { + "AdvancedSecurityAdditionalFlows": { + "CustomAuthMode": "ENFORCED" + }, + "AdvancedSecurityMode": "OFF" + }, + "UserPoolTier": "PLUS", + "VerificationMessageTemplate": { + "DefaultEmailOption": "CONFIRM_WITH_CODE", + "EmailMessage": "The verification code to your new account is {####}", + "EmailSubject": "Verify your new account", + "SmsMessage": "The 
verification code to your new account is {####}" + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.js.snapshot/integ.json new file mode 100644 index 0000000000000..ad3d99b58c2b7 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.js.snapshot/integ.json @@ -0,0 +1,12 @@ +{ + "version": "39.0.0", + "testCases": { + "IntegTest/DefaultTest": { + "stacks": [ + "integ-user-pool-threat-protection" + ], + "assertionStack": "IntegTest/DefaultTest/DeployAssert", + "assertionStackName": "IntegTestDefaultTestDeployAssertE3E7D2A4" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.js.snapshot/manifest.json new file mode 100644 index 0000000000000..eb14f3d04638f --- /dev/null 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.js.snapshot/manifest.json 
@@ -0,0 +1,137 @@ +{ + "version": "39.0.0", + "artifacts": { + "integ-user-pool-threat-protection.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "integ-user-pool-threat-protection.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "integ-user-pool-threat-protection": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "integ-user-pool-threat-protection.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/04266265e7d8e908782d2d5c8252db65dd44513836a96f3c79f224f2ce316fb5.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "integ-user-pool-threat-protection.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "integ-user-pool-threat-protection.assets" + ], + "metadata": { + "/integ-user-pool-threat-protection/userpool-standard-threat-protection": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "featurePlan": "PLUS", + "removalPolicy": "destroy" + } + } + ], + "/integ-user-pool-threat-protection/userpool-standard-threat-protection/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "userpoolstandardthreatprotection0937AC57" + } + ], + 
"/integ-user-pool-threat-protection/userpool-custom-threat-protection": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "featurePlan": "PLUS", + "removalPolicy": "destroy" + } + } + ], + "/integ-user-pool-threat-protection/userpool-custom-threat-protection/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "userpoolcustomthreatprotection2B795E28" + } + ], + "/integ-user-pool-threat-protection/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/integ-user-pool-threat-protection/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "integ-user-pool-threat-protection" + }, + "IntegTestDefaultTestDeployAssertE3E7D2A4.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "IntegTestDefaultTestDeployAssertE3E7D2A4.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "IntegTestDefaultTestDeployAssertE3E7D2A4": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "IntegTestDefaultTestDeployAssertE3E7D2A4.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "IntegTestDefaultTestDeployAssertE3E7D2A4.assets" + ], + "lookupRole": { + "arn": 
"arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "IntegTestDefaultTestDeployAssertE3E7D2A4.assets" + ], + "metadata": { + "/IntegTest/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/IntegTest/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "IntegTest/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.js.snapshot/tree.json new file mode 100644 index 0000000000000..1ccfd7cfe81bd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.js.snapshot/tree.json 
@@ -0,0 +1,218 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "integ-user-pool-threat-protection": { + "id": "integ-user-pool-threat-protection", + "path": "integ-user-pool-threat-protection", + "children": { + "userpool-standard-threat-protection": { + "id": "userpool-standard-threat-protection", + "path": "integ-user-pool-threat-protection/userpool-standard-threat-protection", + "children": { + "Resource": { + "id": "Resource", + "path": "integ-user-pool-threat-protection/userpool-standard-threat-protection/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Cognito::UserPool", + "aws:cdk:cloudformation:props": { + "accountRecoverySetting": { + "recoveryMechanisms": [ + { + "name": "verified_phone_number", + "priority": 1 + }, + { + "name": "verified_email", + "priority": 2 + } + ] + }, + "adminCreateUserConfig": { + "allowAdminCreateUserOnly": true + }, + "emailVerificationMessage": "The verification code to your new account is {####}", + "emailVerificationSubject": "Verify your new account", + "smsVerificationMessage": "The verification code to your new account is {####}", + "userPoolAddOns": { + "advancedSecurityMode": "ENFORCED" + }, + "userPoolTier": "PLUS", + "verificationMessageTemplate": { + "defaultEmailOption": "CONFIRM_WITH_CODE", + "emailMessage": "The verification code to your new account is {####}", + "emailSubject": "Verify your new account", + "smsMessage": "The verification code to your new account is {####}" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_cognito.CfnUserPool", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_cognito.UserPool", + "version": "0.0.0", + "metadata": [ + { + "featurePlan": "PLUS", + "removalPolicy": "destroy" + } + ] + } + }, + "userpool-custom-threat-protection": { + "id": "userpool-custom-threat-protection", + "path": "integ-user-pool-threat-protection/userpool-custom-threat-protection", + "children": { + 
"Resource": { + "id": "Resource", + "path": "integ-user-pool-threat-protection/userpool-custom-threat-protection/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Cognito::UserPool", + "aws:cdk:cloudformation:props": { + "accountRecoverySetting": { + "recoveryMechanisms": [ + { + "name": "verified_phone_number", + "priority": 1 + }, + { + "name": "verified_email", + "priority": 2 + } + ] + }, + "adminCreateUserConfig": { + "allowAdminCreateUserOnly": true + }, + "emailVerificationMessage": "The verification code to your new account is {####}", + "emailVerificationSubject": "Verify your new account", + "smsVerificationMessage": "The verification code to your new account is {####}", + "userPoolAddOns": { + "advancedSecurityAdditionalFlows": { + "customAuthMode": "ENFORCED" + }, + "advancedSecurityMode": "OFF" + }, + "userPoolTier": "PLUS", + "verificationMessageTemplate": { + "defaultEmailOption": "CONFIRM_WITH_CODE", + "emailMessage": "The verification code to your new account is {####}", + "emailSubject": "Verify your new account", + "smsMessage": "The verification code to your new account is {####}" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_cognito.CfnUserPool", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_cognito.UserPool", + "version": "0.0.0", + "metadata": [ + { + "featurePlan": "PLUS", + "removalPolicy": "destroy" + } + ] + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "integ-user-pool-threat-protection/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "integ-user-pool-threat-protection/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "IntegTest": { + "id": "IntegTest", + "path": "IntegTest", + 
"children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "IntegTest/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "IntegTest/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.4.2" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "IntegTest/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "IntegTest/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "IntegTest/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.4.2" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.ts new file mode 100644 index 0000000000000..49887162b8b4d --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-threat-protection.ts 
@@ -0,0 +1,20 @@ +import { IntegTest } from '@aws-cdk/integ-tests-alpha'; +import { App, RemovalPolicy, Stack } from 'aws-cdk-lib'; +import { UserPool, FeaturePlan, StandardThreatProtectionMode, CustomThreatProtectionMode } from 'aws-cdk-lib/aws-cognito'; + +const app = new App(); +const stack = new Stack(app, 'integ-user-pool-threat-protection'); + +new UserPool(stack, 'userpool-standard-threat-protection', { + featurePlan: FeaturePlan.PLUS, + standardThreatProtectionMode: StandardThreatProtectionMode.FULL_FUNCTION, + removalPolicy: RemovalPolicy.DESTROY, +}); + +new UserPool(stack, 'userpool-custom-threat-protection', { + featurePlan: FeaturePlan.PLUS, + customThreatProtectionMode: CustomThreatProtectionMode.FULL_FUNCTION, + removalPolicy: RemovalPolicy.DESTROY, +}); + +new IntegTest(app, 'IntegTest', { testCases: [stack] }); diff --git a/packages/aws-cdk-lib/aws-cognito/README.md b/packages/aws-cdk-lib/aws-cognito/README.md index f63ed127718dd..c182b0119614d 100644 --- a/packages/aws-cdk-lib/aws-cognito/README.md +++ b/packages/aws-cdk-lib/aws-cognito/README.md @@ -30,6 +30,7 @@ This module is part of the [AWS Cloud Development Kit](https://github.com/aws/aw - [Multi-factor Authentication (MFA)](#multi-factor-authentication-mfa) - [Account Recovery Settings](#account-recovery-settings) - [Advanced Security Mode](#advanced-security-mode) + - [Threat Protection](#threat-protection) - [Emails](#emails) - [Device Tracking](#device-tracking) - [Lambda Triggers](#lambda-triggers) 
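Review bot: Neither pool in this new integ test sets `standardThreatProtectionMode` and `customThreatProtectionMode` together, so the deployed snapshot never exercises the combined path. The custom-only pool is rendered with `advancedSecurityMode` 'OFF' in the tree.json snapshot, so it is worth stating in a comment that this is intended. I would add a third pool with both properties set, before the `IntegTest` line.

```typescript
// Both flows protected: standard sign-in in audit mode, custom auth enforced.
new UserPool(stack, 'userpool-combined-threat-protection', {
  featurePlan: FeaturePlan.PLUS,
  standardThreatProtectionMode: StandardThreatProtectionMode.AUDIT_ONLY,
  customThreatProtectionMode: CustomThreatProtectionMode.FULL_FUNCTION,
  removalPolicy: RemovalPolicy.DESTROY,
});
```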
@@ -466,7 +467,7 @@ A user will not be allowed to reset their password via phone if they are also us #### Advanced Security Mode -⚠️ Advanced Security Mode is deprecated in favor of [user pool feature plans](#user-pool-feature-plans). +⚠️ Advanced Security Mode is deprecated in favor of [Threat Protection](#threat-protection). User pools can be configured to use Advanced security. You can turn the user pool advanced security features on, and customize the actions that are taken in response to different risks. Or you can use audit mode to gather metrics on detected risks without taking action. In audit mode, the advanced security features publish metrics to Amazon CloudWatch. See the [documentation on Advanced security](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html) to learn more. @@ -477,6 +478,16 @@ new cognito.UserPool(this, 'myuserpool', { }); ``` +### Threat Protection + +This feature is only available if your Feature Plan is set to PLUS. + +Threat Protection can be set to configure enforcement levels and automatic responses for users in password-based and custom-challenge authentication flows. +For configuration, there are 2 options for standard authentication and custom authentication. +These are represented with properties `standardThreatProtectionMode` and `customThreatProtectionMode`. +See the [documentation on Threat Protection](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.html) + + ### Emails Cognito sends emails to users in the user pool, when particular actions take place, such as welcome emails, invitation diff --git a/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts b/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts index 14ea16adb5921..a84684dd3cb72 100644 --- a/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts +++ b/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts 
@@ -602,8 +602,8 @@ export interface DeviceTracking { /** * The different ways in which a user pool's Advanced Security Mode can be configured. - * @deprecated Advanced Security Mode is deprecated in favor of user pool feature plans. - * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html#cfn-cognito-userpool-userpooladdons-advancedsecuritymode + * @deprecated Advanced Security Mode is deprecated due to user pool feature plans. Use StandardThreatProtectionMode and CustomThreatProtectionMode to set Thread Protection level. + * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html */ export enum AdvancedSecurityMode { /** Enable advanced security mode */ 
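Review bot: The new `@deprecated` text on `AdvancedSecurityMode` says "Thread Protection level" where "Threat Protection" is meant. The same typo is in the `@deprecated` line of `UserPoolProps.advancedSecurityMode` in the -861,7 hunk. Deprecation text is what users see in their editor and in jsii output, so both should read `Use StandardThreatProtectionMode and CustomThreatProtectionMode to set Threat Protection level.` The enum body continues outside this hunk.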
@@ -627,6 +627,40 @@ export enum FeaturePlan { PLUS = 'PLUS', } +/** + * The Type of Threat Protection Enabled for Standard Authentication + * + * This feature only functions if your FeaturePlan is set to FeaturePlan.PLUS + * @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html + * + * Acceptable values are strings with values 'ENFORCED', 'AUDIT', or 'OFF' + * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html + */ +export enum StandardThreatProtectionMode { + /** Cognito automatically takes preventative actions in response to different levels of risk that you configure for your user pool */ + FULL_FUNCTION = 'ENFORCED', + /** Cognito gathers metrics on detected risks, but doesn't take automatic action */ + AUDIT_ONLY = 'AUDIT', + /** Cognito doesn't gather metrics on detected risks or automatically take preventative actions */ + NO_ENFORCEMENT = 'OFF', +} + +/** + * The Type of Threat Protection Enabled for Custom Authentication + * + * This feature only functions if your FeaturePlan is set to FeaturePlan.PLUS + * @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html + * + * Acceptable values are strings with values 'ENFORCED', or 'AUDIT'. For 'OFF' behavior, don't define this value + * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html + */ +export enum CustomThreatProtectionMode { + /** Cognito automatically takes preventative actions in response to different levels of risk that you configure for your user pool */ + FULL_FUNCTION = 'ENFORCED', + /** Cognito gathers metrics on detected risks, but doesn't take automatic action */ + AUDIT_ONLY = 'AUDIT', +} + /** * Props for the UserPool construct */ 
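Review bot: In both new enum doc blocks the sentence starting "Acceptable values are strings…" follows the first `@see` tag, so doc tooling will most likely fold it into that tag instead of the description. The same layout is repeated on the two new props in the -873,6 hunk. The sentence also describes raw strings, although callers pass enum members. I would move both `@see` lines to the end of each block and reword the sentence, for `CustomThreatProtectionMode` for example `Renders as 'ENFORCED' or 'AUDIT'; leave the property unset to keep threat protection off for custom authentication.`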
@@ -861,7 +895,7 @@ export interface UserPoolProps { /** * The user pool's Advanced Security Mode - * @deprecated Advanced Security Mode is deprecated in favor of user pool feature plans. + * @deprecated Advanced Security Mode is deprecated due to user pool feature plans. Use StandardThreatProtectionMode and CustomThreatProtectionMode to set Thread Protection level. * @default - no value */ readonly advancedSecurityMode?: AdvancedSecurityMode; @@ -873,6 +907,32 @@ export interface UserPoolProps { * @default - FeaturePlan.ESSENTIALS for a newly created user pool; FeaturePlan.LITE otherwise */ readonly featurePlan?: FeaturePlan; + + /** + * The Type of Threat Protection Enabled for Standard Authentication + * + * This feature only functions if your FeaturePlan is set to FeaturePlan.PLUS + * @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html + * + * Acceptable values are strings with values 'ENFORCED', 'AUDIT', or 'OFF' + * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html + * + * @default - StandardThreatProtectionMode.NO_ENFORCEMENT + */ + readonly standardThreatProtectionMode?: StandardThreatProtectionMode; + + /** + * The Type of Threat Protection Enabled for Custom Authentication + * + * This feature only functions if your FeaturePlan is set to FeaturePlan.PLUS + * @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html + * + * Acceptable values are strings with values 'ENFORCED', or 'AUDIT'. For 'OFF' behavior, don't define this value + * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html + * + * @default - no value + */ + readonly customThreatProtectionMode?: CustomThreatProtectionMode; } /** 
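Review bot: The `@default - StandardThreatProtectionMode.NO_ENFORCEMENT` on `standardThreatProtectionMode` does not match the constructor hunk. With neither property set, `chosenSecurityMode` stays undefined and no `advancedSecurityMode` is rendered; 'OFF' is written only when `customThreatProtectionMode` is set on its own. I would document that as `@default - no value; rendered as 'OFF' when only customThreatProtectionMode is set`. The `customThreatProtectionMode` doc should also say that setting it alone leaves standard (password-based) sign-in without threat protection. `UserPoolProps` starts and ends outside this hunk.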
@@ -1139,10 +1199,34 @@ export class UserPool extends UserPoolBase { this.emailConfiguration = emailConfiguration; if ( - props.featurePlan && props.featurePlan !== FeaturePlan.LITE && - props.advancedSecurityMode && props.advancedSecurityMode !== AdvancedSecurityMode.OFF + props.featurePlan !== FeaturePlan.PLUS && + (props.advancedSecurityMode && (props.advancedSecurityMode !== AdvancedSecurityMode.OFF)) + ) { + throw new ValidationError('you cannot enable Advanced Security when feature plan is not Plus.', this); + } + + const advancedSecurityAdditionalFlows = undefinedIfNoKeys({ + customAuthMode: props.customThreatProtectionMode, + }); + + if ( + (props.featurePlan !== FeaturePlan.PLUS) && + (props.standardThreatProtectionMode && (props.standardThreatProtectionMode !== StandardThreatProtectionMode.NO_ENFORCEMENT) || + advancedSecurityAdditionalFlows) + ) { + throw new ValidationError('you cannot enable Threat Protection when feature plan is not Plus.', this); + } + + if ( + props.advancedSecurityMode && + (props.standardThreatProtectionMode || advancedSecurityAdditionalFlows) ) { - throw new ValidationError('you cannot enable Advanced Security Mode when feature plan is Essentials or higher.', this); + throw new ValidationError('you cannot set Threat Protection and Advanced Security Mode at the same time. Advanced Security Mode is deprecated and should be replaced with Threat Protection instead.', this); + } + + let chosenSecurityMode = props.advancedSecurityMode ?? props.standardThreatProtectionMode; + if (advancedSecurityAdditionalFlows) { + chosenSecurityMode = props.advancedSecurityMode ?? props.standardThreatProtectionMode ?? StandardThreatProtectionMode.NO_ENFORCEMENT; } const userPool = new CfnUserPool(this, 'Resource', { 
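Review bot: When only `customThreatProtectionMode` is set, the last `if` falls back to `StandardThreatProtectionMode.NO_ENFORCEMENT`, so the pool is rendered with `advancedSecurityMode` 'OFF' next to `customAuthMode` 'ENFORCED', as the tree.json snapshot in this commit shows. Password-based sign-in then gets no threat protection and the user is given no hint of that. The fallback deserves a why-comment. Because the preceding check already throws when `advancedSecurityMode` is combined with additional flows, the assignment can be `chosenSecurityMode = props.standardThreatProtectionMode ?? StandardThreatProtectionMode.NO_ENFORCEMENT;`. Separately, the first check now rejects `advancedSecurityMode` AUDIT or ENFORCED when `featurePlan` is omitted, and the existing unit tests had to add `featurePlan: FeaturePlan.PLUS` to keep passing; that looks like a synth-time break for existing stacks and should be called out or gated. The constructor starts and ends outside this hunk.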
@@ -1159,7 +1243,8 @@ export class UserPool extends UserPoolBase { smsVerificationMessage, verificationMessageTemplate, userPoolAddOns: undefinedIfNoKeys({ - advancedSecurityMode: props.advancedSecurityMode, + advancedSecurityAdditionalFlows: advancedSecurityAdditionalFlows, + advancedSecurityMode: chosenSecurityMode, }), schema: this.schemaConfiguration(props), mfaConfiguration: props.mfa, @@ -1577,7 +1662,7 @@ export class UserPool extends UserPoolBase { throw new ValidationError('To enable email-based MFA, set `email` property to the Amazon SES email-sending configuration.', this); } - if (props.featurePlan === FeaturePlan.LITE && (!props.advancedSecurityMode || props.advancedSecurityMode === AdvancedSecurityMode.OFF)) { + if (props.featurePlan === FeaturePlan.LITE) { throw new ValidationError('To enable email-based MFA, set `featurePlan` to `FeaturePlan.ESSENTIALS` or `FeaturePlan.PLUS`.', this); } } diff --git a/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts b/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts index 47e09e4c1c49a..f04fcfd8e4cca 100644 --- a/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts +++ b/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts 
@@ -5,7 +5,7 @@ import { Role, ServicePrincipal } from '../../aws-iam'; import * as kms from '../../aws-kms'; import * as lambda from '../../aws-lambda'; import { CfnParameter, Duration, Stack, Tags } from '../../core'; -import { AccountRecovery, Mfa, NumberAttribute, StringAttribute, UserPool, UserPoolIdentityProvider, UserPoolOperation, VerificationEmailStyle, UserPoolEmail, AdvancedSecurityMode, LambdaVersion, FeaturePlan, PasskeyUserVerification } from '../lib'; +import { AccountRecovery, Mfa, NumberAttribute, StringAttribute, UserPool, UserPoolIdentityProvider, UserPoolOperation, VerificationEmailStyle, UserPoolEmail, AdvancedSecurityMode, LambdaVersion, FeaturePlan, PasskeyUserVerification, StandardThreatProtectionMode, CustomThreatProtectionMode } from '../lib'; describe('User Pool', () => { test('default setup', () => { @@ -522,6 +522,7 @@ describe('User Pool', () => { const pool = new UserPool(stack, 'Pool', { customSenderKmsKey: kmsKey, advancedSecurityMode: AdvancedSecurityMode.ENFORCED, + featurePlan: FeaturePlan.PLUS, }); pool.addTrigger(UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG, preTokenGeneration); @@ -557,6 +558,7 @@ describe('User Pool', () => { const pool = new UserPool(stack, 'Pool', { customSenderKmsKey: kmsKey, advancedSecurityMode: AdvancedSecurityMode.ENFORCED, + featurePlan: FeaturePlan.PLUS, }); pool.addTrigger(UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG, preTokenGeneration, LambdaVersion.V2_0); @@ -590,6 +592,7 @@ describe('User Pool', () => { // WHEN const pool = new UserPool(stack, 'Pool', { advancedSecurityMode: AdvancedSecurityMode.ENFORCED, + featurePlan: FeaturePlan.PLUS, }); expect(() => { pool.addTrigger( 
@@ -2364,16 +2367,18 @@ test('feature plan is not present if option is not provided', () => { test.each( [ - [AdvancedSecurityMode.ENFORCED, 'ENFORCED'], - [AdvancedSecurityMode.AUDIT, 'AUDIT'], - [AdvancedSecurityMode.OFF, 'OFF'], - ])('advanced security is configured correctly when set to (%s)', (advancedSecurityMode, compareString) => { + [AdvancedSecurityMode.ENFORCED, 'ENFORCED', FeaturePlan.PLUS], + [AdvancedSecurityMode.AUDIT, 'AUDIT', FeaturePlan.PLUS], + [AdvancedSecurityMode.OFF, 'OFF', FeaturePlan.LITE], + [AdvancedSecurityMode.OFF, 'OFF', FeaturePlan.ESSENTIALS], + ])('advanced security is configured correctly when set to (%s)', (advancedSecurityMode, compareString, featurePlan) => { // GIVEN const stack = new Stack(); // WHEN new UserPool(stack, 'Pool', { advancedSecurityMode: advancedSecurityMode, + featurePlan: featurePlan, }); // THEN @@ -2384,7 +2389,7 @@ test.each( }); }); -test('advanced security is not present if option is not provided', () => { +test('advanced security defaults when no option provided', () => { // GIVEN const stack = new Stack(); @@ -2392,16 +2397,14 @@ test('advanced security is not present if option is not provided', () => { new UserPool(stack, 'Pool', {}); // THEN - Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPool', { - UserPoolAddOns: Match.absent(), - }); + Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPool', {}); }); test.each([ [FeaturePlan.ESSENTIALS, AdvancedSecurityMode.AUDIT], [FeaturePlan.ESSENTIALS, AdvancedSecurityMode.ENFORCED], - [FeaturePlan.PLUS, AdvancedSecurityMode.AUDIT], - [FeaturePlan.PLUS, AdvancedSecurityMode.ENFORCED], + [FeaturePlan.LITE, AdvancedSecurityMode.AUDIT], + [FeaturePlan.LITE, AdvancedSecurityMode.ENFORCED], ])('throws when feature plan is %s and advanced security mode is %s', (featurePlan, advancedSecurityMode) => { // GIVEN const stack = new Stack(); 
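Review bot: In the renamed test 'advanced security defaults when no option provided', the assertion is now `hasResourceProperties('AWS::Cognito::UserPool', {})`, which matches any user pool and no longer checks `UserPoolAddOns` at all. From the constructor hunk, a pool created with `{}` still ends up with both add-on keys undefined, so the original expectation should continue to hold. I would keep `UserPoolAddOns: Match.absent(),` inside the properties object so that a regression that starts emitting a security mode by default is caught.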
@@ -2409,7 +2412,65 @@ test.each([ // WHEN expect(() => { new UserPool(stack, 'Pool', { featurePlan, advancedSecurityMode }); - }).toThrow('you cannot enable Advanced Security Mode when feature plan is Essentials or higher.'); + }).toThrow('you cannot enable Advanced Security when feature plan is not Plus.'); +}); + +test.each([ + [FeaturePlan.ESSENTIALS, StandardThreatProtectionMode.AUDIT_ONLY], + [FeaturePlan.ESSENTIALS, StandardThreatProtectionMode.FULL_FUNCTION], + [FeaturePlan.LITE, StandardThreatProtectionMode.AUDIT_ONLY], + [FeaturePlan.LITE, StandardThreatProtectionMode.FULL_FUNCTION], +])('throws when feature plan is %s and standard threat protection mode is %s', (featurePlan, standardThreatProtectionMode) => { + // GIVEN + const stack = new Stack(); + + // WHEN + expect(() => { + new UserPool(stack, 'Pool', { featurePlan, standardThreatProtectionMode }); + }).toThrow('you cannot enable Threat Protection when feature plan is not Plus.'); +}); + +test.each([ + [FeaturePlan.ESSENTIALS, CustomThreatProtectionMode.AUDIT_ONLY], + [FeaturePlan.ESSENTIALS, CustomThreatProtectionMode.FULL_FUNCTION], + [FeaturePlan.LITE, CustomThreatProtectionMode.AUDIT_ONLY], + [FeaturePlan.LITE, CustomThreatProtectionMode.FULL_FUNCTION], +])('throws when feature plan is %s and custom threat protection mode is %s', (featurePlan, customThreatProtectionMode) => { + // GIVEN + const stack = new Stack(); + + // WHEN + expect(() => { + new UserPool(stack, 'Pool', { featurePlan, customThreatProtectionMode }); + }).toThrow('you cannot enable Threat Protection when feature plan is not Plus.'); +}); + +test('throws when deprecated property AdvancedSecurityMode and StandardThreatProtectionMode are specified at the same time.', () => { + // GIVEN + const stack = new Stack(); + + // WHEN + expect(() => { + new UserPool(stack, 'Pool', { + featurePlan: FeaturePlan.PLUS, + advancedSecurityMode: AdvancedSecurityMode.AUDIT, + standardThreatProtectionMode: StandardThreatProtectionMode.AUDIT_ONLY, + 
}); + }).toThrow('you cannot set Threat Protection and Advanced Security Mode at the same time. Advanced Security Mode is deprecated and should be replaced with Threat Protection instead.'); +}); + +test('throws when deprecated property AdvancedSecurityMode and CustomThreatProtectionMode are specified at the same time.', () => { + // GIVEN + const stack = new Stack(); + + // WHEN + expect(() => { + new UserPool(stack, 'Pool', { + featurePlan: FeaturePlan.PLUS, + advancedSecurityMode: AdvancedSecurityMode.AUDIT, + customThreatProtectionMode: CustomThreatProtectionMode.AUDIT_ONLY, + }); + }).toThrow('you cannot set Threat Protection and Advanced Security Mode at the same time. Advanced Security Mode is deprecated and should be replaced with Threat Protection instead.'); }); describe('email MFA test', () => { @@ -2473,7 +2534,7 @@ describe('email MFA test', () => { test.each([ AdvancedSecurityMode.AUDIT, AdvancedSecurityMode.ENFORCED, - ])('email MFA with Lite feature plan and %s Advanced Security Mode', (advancedSecurityMode) => { + ])('email MFA with PLUS feature plan and %s Advanced Security Mode', (advancedSecurityMode) => { const stack = new Stack(); expect(() => new UserPool(stack, 'Pool1', { @@ -2490,7 +2551,7 @@ describe('email MFA test', () => { otp: false, email: true, }, - featurePlan: FeaturePlan.LITE, + featurePlan: FeaturePlan.PLUS, advancedSecurityMode, })).not.toThrow(); });
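Review bot: The cases added in the -2409,7 hunk cover only the throwing paths; nothing visible here asserts the rendered `UserPoolAddOns` when the new properties are accepted. The case most worth pinning is `customThreatProtectionMode` set alone, where the constructor renders the standard mode as 'OFF'. A unit test for it documents that behaviour and catches a change to the fallback; a matching one for `standardThreatProtectionMode` alone would complete the set.

```typescript
test('custom threat protection alone renders standard mode as OFF', () => {
  // GIVEN
  const stack = new Stack();

  // WHEN
  new UserPool(stack, 'Pool', {
    featurePlan: FeaturePlan.PLUS,
    customThreatProtectionMode: CustomThreatProtectionMode.FULL_FUNCTION,
  });

  // THEN
  Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPool', {
    UserPoolAddOns: {
      AdvancedSecurityAdditionalFlows: { CustomAuthMode: 'ENFORCED' },
      AdvancedSecurityMode: 'OFF',
    },
  });
});
```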