UNPKG

@aws/pdk

Version:

All documentation is located at: https://aws.github.io/aws-pdk

github.com/aws/aws-pdk

aws/aws-pdk

102 lines 11 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
"use strict"; var _a; Object.defineProperty(exports, "__esModule", { value: true }); exports.UserPoolWithMfa = exports.USE_LEGACY_MFA_PROPS_CONTEXT_KEY = void 0; const JSII_RTTI_SYMBOL_1 = Symbol.for("jsii.rtti"); /*! Copyright [Amazon.com](http://amazon.com/), Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: Apache-2.0 */ const pdk_nag_1 = require("../pdk-nag"); const aws_cdk_lib_1 = require("aws-cdk-lib"); const aws_cognito_1 = require("aws-cdk-lib/aws-cognito"); /** * Boolean context to indicate whether legacy MFA props should be used. * * @deprecated */ exports.USE_LEGACY_MFA_PROPS_CONTEXT_KEY = "@aws/identity:useLegacyMFAProps"; /** * Legacy Userpool Props which configures MFA for SMS only. */ const LEGACY_DEFAULT_PROPS = { deletionProtection: true, passwordPolicy: { minLength: 8, requireLowercase: true, requireUppercase: true, requireDigits: true, requireSymbols: true, tempPasswordValidity: aws_cdk_lib_1.Duration.days(3), }, advancedSecurityMode: aws_cognito_1.AdvancedSecurityMode.ENFORCED, mfa: aws_cognito_1.Mfa.REQUIRED, accountRecovery: aws_cognito_1.AccountRecovery.EMAIL_ONLY, autoVerify: { email: true, }, }; /** * Userpool default props which configure MFA across SMS/TOTP. */ const DEFAULT_PROPS = { deletionProtection: true, passwordPolicy: { minLength: 8, requireLowercase: true, requireUppercase: true, requireDigits: true, requireSymbols: true, tempPasswordValidity: aws_cdk_lib_1.Duration.days(3), }, mfa: aws_cognito_1.Mfa.REQUIRED, mfaSecondFactor: { sms: true, otp: true }, signInCaseSensitive: false, advancedSecurityMode: aws_cognito_1.AdvancedSecurityMode.ENFORCED, signInAliases: { username: true, email: true }, accountRecovery: aws_cognito_1.AccountRecovery.EMAIL_ONLY, selfSignUpEnabled: false, standardAttributes: { phoneNumber: { required: false }, email: { required: true }, givenName: { required: true }, familyName: { required: true }, }, autoVerify: { email: true, phone: true, }, keepOriginal: { email: true, phone: true, }, }; /** * Configures a UserPool with MFA across SMS/TOTP using sane defaults. */ class UserPoolWithMfa extends aws_cognito_1.UserPool { constructor(scope, id, props) { super(scope, id, { ...(shouldUseLegacyProps(scope) ? LEGACY_DEFAULT_PROPS : DEFAULT_PROPS), ...props, }); const stack = aws_cdk_lib_1.Stack.of(this); ["AwsSolutions-IAM5", "AwsPrototyping-IAMNoWildcardPermissions"].forEach((RuleId) => { pdk_nag_1.PDKNag.addResourceSuppressionsByPathNoThrow(stack, `${pdk_nag_1.PDKNag.getStackPrefix(stack)}${id}/UserPool/smsRole/Resource`, [ { id: RuleId, reason: "MFA requires sending a text to a users phone number which cannot be known at deployment time.", appliesTo: ["Resource::*"], }, ]); }); } } exports.UserPoolWithMfa = UserPoolWithMfa; _a = JSII_RTTI_SYMBOL_1; UserPoolWithMfa[_a] = { fqn: "@aws/pdk.identity.UserPoolWithMfa", version: "0.26.14" }; /** * Determines if legacy props should be used by looking at the control flag in cdk context. * * @param scope construct scope. */ const shouldUseLegacyProps = (scope) => scope.node.tryGetContext(exports.USE_LEGACY_MFA_PROPS_CONTEXT_KEY); //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidXNlcnBvb2wtd2l0aC1tZmEuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyJ1c2VycG9vbC13aXRoLW1mYS50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7OztBQUFBO3NDQUNzQztBQUN0QywwQ0FBc0M7QUFDdEMsNkNBQThDO0FBQzlDLHlEQU1pQztBQUdqQzs7OztHQUlHO0FBQ1UsUUFBQSxnQ0FBZ0MsR0FDM0MsaUNBQWlDLENBQUM7QUFFcEM7O0dBRUc7QUFDSCxNQUFNLG9CQUFvQixHQUFrQjtJQUMxQyxrQkFBa0IsRUFBRSxJQUFJO0lBQ3hCLGNBQWMsRUFBRTtRQUNkLFNBQVMsRUFBRSxDQUFDO1FBQ1osZ0JBQWdCLEVBQUUsSUFBSTtRQUN0QixnQkFBZ0IsRUFBRSxJQUFJO1FBQ3RCLGFBQWEsRUFBRSxJQUFJO1FBQ25CLGNBQWMsRUFBRSxJQUFJO1FBQ3BCLG9CQUFvQixFQUFFLHNCQUFRLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQztLQUN2QztJQUNELG9CQUFvQixFQUFFLGtDQUFvQixDQUFDLFFBQVE7SUFDbkQsR0FBRyxFQUFFLGlCQUFHLENBQUMsUUFBUTtJQUNqQixlQUFlLEVBQUUsNkJBQWUsQ0FBQyxVQUFVO0lBQzNDLFVBQVUsRUFBRTtRQUNWLEtBQUssRUFBRSxJQUFJO0tBQ1o7Q0FDRixDQUFDO0FBRUY7O0dBRUc7QUFDSCxNQUFNLGFBQWEsR0FBa0I7SUFDbkMsa0JBQWtCLEVBQUUsSUFBSTtJQUN4QixjQUFjLEVBQUU7UUFDZCxTQUFTLEVBQUUsQ0FBQztRQUNaLGdCQUFnQixFQUFFLElBQUk7UUFDdEIsZ0JBQWdCLEVBQUUsSUFBSTtRQUN0QixhQUFhLEVBQUUsSUFBSTtRQUNuQixjQUFjLEVBQUUsSUFBSTtRQUNwQixvQkFBb0IsRUFBRSxzQkFBUSxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUM7S0FDdkM7SUFDRCxHQUFHLEVBQUUsaUJBQUcsQ0FBQyxRQUFRO0lBQ2pCLGVBQWUsRUFBRSxFQUFFLEdBQUcsRUFBRSxJQUFJLEVBQUUsR0FBRyxFQUFFLElBQUksRUFBRTtJQUN6QyxtQkFBbUIsRUFBRSxLQUFLO0lBQzFCLG9CQUFvQixFQUFFLGtDQUFvQixDQUFDLFFBQVE7SUFDbkQsYUFBYSxFQUFFLEVBQUUsUUFBUSxFQUFFLElBQUksRUFBRSxLQUFLLEVBQUUsSUFBSSxFQUFFO0lBQzlDLGVBQWUsRUFBRSw2QkFBZSxDQUFDLFVBQVU7SUFDM0MsaUJBQWlCLEVBQUUsS0FBSztJQUN4QixrQkFBa0IsRUFBRTtRQUNsQixXQUFXLEVBQUUsRUFBRSxRQUFRLEVBQUUsS0FBSyxFQUFFO1FBQ2hDLEtBQUssRUFBRSxFQUFFLFFBQVEsRUFBRSxJQUFJLEVBQUU7UUFDekIsU0FBUyxFQUFFLEVBQUUsUUFBUSxFQUFFLElBQUksRUFBRTtRQUM3QixVQUFVLEVBQUUsRUFBRSxRQUFRLEVBQUUsSUFBSSxFQUFFO0tBQy9CO0lBQ0QsVUFBVSxFQUFFO1FBQ1YsS0FBSyxFQUFFLElBQUk7UUFDWCxLQUFLLEVBQUUsSUFBSTtLQUNaO0lBQ0QsWUFBWSxFQUFFO1FBQ1osS0FBSyxFQUFFLElBQUk7UUFDWCxLQUFLLEVBQUUsSUFBSTtLQUNaO0NBQ0YsQ0FBQztBQU9GOztHQUVHO0FBQ0gsTUFBYSxlQUFnQixTQUFRLHNCQUFRO0lBQzNDLFlBQVksS0FBZ0IsRUFBRSxFQUFVLEVBQUUsS0FBNEI7UUFDcEUsS0FBSyxDQUFDLEtBQUssRUFBRSxFQUFFLEVBQUU7WUFDZixHQUFHLENBQUMsb0JBQW9CLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDLG9CQUFvQixDQUFDLENBQUMsQ0FBQyxhQUFhLENBQUM7WUFDdkUsR0FBRyxLQUFLO1NBQ1QsQ0FBQyxDQUFDO1FBRUgsTUFBTSxLQUFLLEdBQUcsbUJBQUssQ0FBQyxFQUFFLENBQUMsSUFBSSxDQUFDLENBQUM7UUFFN0IsQ0FBQyxtQkFBbUIsRUFBRSx5Q0FBeUMsQ0FBQyxDQUFDLE9BQU8sQ0FDdEUsQ0FBQyxNQUFNLEVBQUUsRUFBRTtZQUNULGdCQUFNLENBQUMsb0NBQW9DLENBQ3pDLEtBQUssRUFDTCxHQUFHLGdCQUFNLENBQUMsY0FBYyxDQUFDLEtBQUssQ0FBQyxHQUFHLEVBQUUsNEJBQTRCLEVBQ2hFO2dCQUNFO29CQUNFLEVBQUUsRUFBRSxNQUFNO29CQUNWLE1BQU0sRUFDSiwrRkFBK0Y7b0JBQ2pHLFNBQVMsRUFBRSxDQUFDLGFBQWEsQ0FBQztpQkFDM0I7YUFDRixDQUNGLENBQUM7UUFDSixDQUFDLENBQ0YsQ0FBQztJQUNKLENBQUM7O0FBekJILDBDQTBCQzs7O0FBRUQ7Ozs7R0FJRztBQUNILE1BQU0sb0JBQW9CLEdBQUcsQ0FBQyxLQUFnQixFQUFFLEVBQUUsQ0FDaEQsS0FBSyxDQUFDLElBQUksQ0FBQyxhQUFhLENBQUMsd0NBQWdDLENBQUMsQ0FBQyIsInNvdXJjZXNDb250ZW50IjpbIi8qISBDb3B5cmlnaHQgW0FtYXpvbi5jb21dKGh0dHA6Ly9hbWF6b24uY29tLyksIEluYy4gb3IgaXRzIGFmZmlsaWF0ZXMuIEFsbCBSaWdodHMgUmVzZXJ2ZWQuXG5TUERYLUxpY2Vuc2UtSWRlbnRpZmllcjogQXBhY2hlLTIuMCAqL1xuaW1wb3J0IHsgUERLTmFnIH0gZnJvbSBcIkBhd3MvcGRrLW5hZ1wiO1xuaW1wb3J0IHsgRHVyYXRpb24sIFN0YWNrIH0gZnJvbSBcImF3cy1jZGstbGliXCI7XG5pbXBvcnQge1xuICBBY2NvdW50UmVjb3ZlcnksXG4gIEFkdmFuY2VkU2VjdXJpdHlNb2RlLFxuICBNZmEsXG4gIFVzZXJQb29sLFxuICBVc2VyUG9vbFByb3BzLFxufSBmcm9tIFwiYXdzLWNkay1saWIvYXdzLWNvZ25pdG9cIjtcbmltcG9ydCB7IENvbnN0cnVjdCB9IGZyb20gXCJjb25zdHJ1Y3RzXCI7XG5cbi8qKlxuICogQm9vbGVhbiBjb250ZXh0IHRvIGluZGljYXRlIHdoZXRoZXIgbGVnYWN5IE1GQSBwcm9wcyBzaG91bGQgYmUgdXNlZC5cbiAqXG4gKiBAZGVwcmVjYXRlZFxuICovXG5leHBvcnQgY29uc3QgVVNFX0xFR0FDWV9NRkFfUFJPUFNfQ09OVEVYVF9LRVkgPVxuICBcIkBhd3MvaWRlbnRpdHk6dXNlTGVnYWN5TUZBUHJvcHNcIjtcblxuLyoqXG4gKiBMZWdhY3kgVXNlcnBvb2wgUHJvcHMgd2hpY2ggY29uZmlndXJlcyBNRkEgZm9yIFNNUyBvbmx5LlxuICovXG5jb25zdCBMRUdBQ1lfREVGQVVMVF9QUk9QUzogVXNlclBvb2xQcm9wcyA9IHtcbiAgZGVsZXRpb25Qcm90ZWN0aW9uOiB0cnVlLFxuICBwYXNzd29yZFBvbGljeToge1xuICAgIG1pbkxlbmd0aDogOCxcbiAgICByZXF1aXJlTG93ZXJjYXNlOiB0cnVlLFxuICAgIHJlcXVpcmVVcHBlcmNhc2U6IHRydWUsXG4gICAgcmVxdWlyZURpZ2l0czogdHJ1ZSxcbiAgICByZXF1aXJlU3ltYm9sczogdHJ1ZSxcbiAgICB0ZW1wUGFzc3dvcmRWYWxpZGl0eTogRHVyYXRpb24uZGF5cygzKSxcbiAgfSxcbiAgYWR2YW5jZWRTZWN1cml0eU1vZGU6IEFkdmFuY2VkU2VjdXJpdHlNb2RlLkVORk9SQ0VELFxuICBtZmE6IE1mYS5SRVFVSVJFRCxcbiAgYWNjb3VudFJlY292ZXJ5OiBBY2NvdW50UmVjb3ZlcnkuRU1BSUxfT05MWSxcbiAgYXV0b1ZlcmlmeToge1xuICAgIGVtYWlsOiB0cnVlLFxuICB9LFxufTtcblxuLyoqXG4gKiBVc2VycG9vbCBkZWZhdWx0IHByb3BzIHdoaWNoIGNvbmZpZ3VyZSBNRkEgYWNyb3NzIFNNUy9UT1RQLlxuICovXG5jb25zdCBERUZBVUxUX1BST1BTOiBVc2VyUG9vbFByb3BzID0ge1xuICBkZWxldGlvblByb3RlY3Rpb246IHRydWUsXG4gIHBhc3N3b3JkUG9saWN5OiB7XG4gICAgbWluTGVuZ3RoOiA4LFxuICAgIHJlcXVpcmVMb3dlcmNhc2U6IHRydWUsXG4gICAgcmVxdWlyZVVwcGVyY2FzZTogdHJ1ZSxcbiAgICByZXF1aXJlRGlnaXRzOiB0cnVlLFxuICAgIHJlcXVpcmVTeW1ib2xzOiB0cnVlLFxuICAgIHRlbXBQYXNzd29yZFZhbGlkaXR5OiBEdXJhdGlvbi5kYXlzKDMpLFxuICB9LFxuICBtZmE6IE1mYS5SRVFVSVJFRCxcbiAgbWZhU2Vjb25kRmFjdG9yOiB7IHNtczogdHJ1ZSwgb3RwOiB0cnVlIH0sXG4gIHNpZ25JbkNhc2VTZW5zaXRpdmU6IGZhbHNlLFxuICBhZHZhbmNlZFNlY3VyaXR5TW9kZTogQWR2YW5jZWRTZWN1cml0eU1vZGUuRU5GT1JDRUQsXG4gIHNpZ25JbkFsaWFzZXM6IHsgdXNlcm5hbWU6IHRydWUsIGVtYWlsOiB0cnVlIH0sXG4gIGFjY291bnRSZWNvdmVyeTogQWNjb3VudFJlY292ZXJ5LkVNQUlMX09OTFksXG4gIHNlbGZTaWduVXBFbmFibGVkOiBmYWxzZSxcbiAgc3RhbmRhcmRBdHRyaWJ1dGVzOiB7XG4gICAgcGhvbmVOdW1iZXI6IHsgcmVxdWlyZWQ6IGZhbHNlIH0sXG4gICAgZW1haWw6IHsgcmVxdWlyZWQ6IHRydWUgfSxcbiAgICBnaXZlbk5hbWU6IHsgcmVxdWlyZWQ6IHRydWUgfSxcbiAgICBmYW1pbHlOYW1lOiB7IHJlcXVpcmVkOiB0cnVlIH0sXG4gIH0sXG4gIGF1dG9WZXJpZnk6IHtcbiAgICBlbWFpbDogdHJ1ZSxcbiAgICBwaG9uZTogdHJ1ZSxcbiAgfSxcbiAga2VlcE9yaWdpbmFsOiB7XG4gICAgZW1haWw6IHRydWUsXG4gICAgcGhvbmU6IHRydWUsXG4gIH0sXG59O1xuXG4vKipcbiAqIFVzZXJQb29sV2l0aE1mYSBwcm9wcy5cbiAqL1xuZXhwb3J0IGludGVyZmFjZSBVc2VyUG9vbFdpdGhNZmFQcm9wcyBleHRlbmRzIFVzZXJQb29sUHJvcHMge31cblxuLyoqXG4gKiBDb25maWd1cmVzIGEgVXNlclBvb2wgd2l0aCBNRkEgYWNyb3NzIFNNUy9UT1RQIHVzaW5nIHNhbmUgZGVmYXVsdHMuXG4gKi9cbmV4cG9ydCBjbGFzcyBVc2VyUG9vbFdpdGhNZmEgZXh0ZW5kcyBVc2VyUG9vbCB7XG4gIGNvbnN0cnVjdG9yKHNjb3BlOiBDb25zdHJ1Y3QsIGlkOiBzdHJpbmcsIHByb3BzPzogVXNlclBvb2xXaXRoTWZhUHJvcHMpIHtcbiAgICBzdXBlcihzY29wZSwgaWQsIHtcbiAgICAgIC4uLihzaG91bGRVc2VMZWdhY3lQcm9wcyhzY29wZSkgPyBMRUdBQ1lfREVGQVVMVF9QUk9QUyA6IERFRkFVTFRfUFJPUFMpLFxuICAgICAgLi4ucHJvcHMsXG4gICAgfSk7XG5cbiAgICBjb25zdCBzdGFjayA9IFN0YWNrLm9mKHRoaXMpO1xuXG4gICAgW1wiQXdzU29sdXRpb25zLUlBTTVcIiwgXCJBd3NQcm90b3R5cGluZy1JQU1Ob1dpbGRjYXJkUGVybWlzc2lvbnNcIl0uZm9yRWFjaChcbiAgICAgIChSdWxlSWQpID0+IHtcbiAgICAgICAgUERLTmFnLmFkZFJlc291cmNlU3VwcHJlc3Npb25zQnlQYXRoTm9UaHJvdyhcbiAgICAgICAgICBzdGFjayxcbiAgICAgICAgICBgJHtQREtOYWcuZ2V0U3RhY2tQcmVmaXgoc3RhY2spfSR7aWR9L1VzZXJQb29sL3Ntc1JvbGUvUmVzb3VyY2VgLFxuICAgICAgICAgIFtcbiAgICAgICAgICAgIHtcbiAgICAgICAgICAgICAgaWQ6IFJ1bGVJZCxcbiAgICAgICAgICAgICAgcmVhc29uOlxuICAgICAgICAgICAgICAgIFwiTUZBIHJlcXVpcmVzIHNlbmRpbmcgYSB0ZXh0IHRvIGEgdXNlcnMgcGhvbmUgbnVtYmVyIHdoaWNoIGNhbm5vdCBiZSBrbm93biBhdCBkZXBsb3ltZW50IHRpbWUuXCIsXG4gICAgICAgICAgICAgIGFwcGxpZXNUbzogW1wiUmVzb3VyY2U6OipcIl0sXG4gICAgICAgICAgICB9LFxuICAgICAgICAgIF1cbiAgICAgICAgKTtcbiAgICAgIH1cbiAgICApO1xuICB9XG59XG5cbi8qKlxuICogRGV0ZXJtaW5lcyBpZiBsZWdhY3kgcHJvcHMgc2hvdWxkIGJlIHVzZWQgYnkgbG9va2luZyBhdCB0aGUgY29udHJvbCBmbGFnIGluIGNkayBjb250ZXh0LlxuICpcbiAqIEBwYXJhbSBzY29wZSBjb25zdHJ1Y3Qgc2NvcGUuXG4gKi9cbmNvbnN0IHNob3VsZFVzZUxlZ2FjeVByb3BzID0gKHNjb3BlOiBDb25zdHJ1Y3QpID0+XG4gIHNjb3BlLm5vZGUudHJ5R2V0Q29udGV4dChVU0VfTEVHQUNZX01GQV9QUk9QU19DT05URVhUX0tFWSk7XG4iXX0=