import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
* Use the `aws.cognito.UserPoolClient` resource to manage a Cognito User Pool Client.
*
* **This resource is advanced** and has special caveats to consider before use. Please read this document completely before using the resource.
*
* Use the `aws.cognito.ManagedUserPoolClient` resource to manage a Cognito User Pool Client that is automatically created by an AWS service. For instance, when [configuring an OpenSearch Domain to use Cognito authentication](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/cognito-auth.html), the OpenSearch service creates the User Pool Client during setup and removes it when it is no longer required. As a result, the `aws.cognito.ManagedUserPoolClient` resource does not create or delete this resource, but instead assumes management of it.
*
* Use the `aws.cognito.UserPoolClient` resource to manage Cognito User Pool Clients for normal use cases.
*
* ## Example Usage
*
* ### Using Name Pattern
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as aws from "@pulumi/aws";
*
* const example = new aws.cognito.ManagedUserPoolClient("example", {
* namePattern: "^AmazonOpenSearchService-example-(\\w+)$",
* userPoolId: exampleAwsCognitoUserPool.id,
* });
* ```
*
* ## Import
*
* Using `pulumi import`, import Cognito User Pool Clients using the `id` of the Cognito User Pool and the `id` of the Cognito User Pool Client. For example:
*
* ```sh
* $ pulumi import aws:cognito/managedUserPoolClient:ManagedUserPoolClient client us-west-2_abc123/3ho4ek12345678909nh3fmhpko
* ```
*/
export declare class ManagedUserPoolClient extends pulumi.CustomResource {
    /**
     * Get an existing ManagedUserPoolClient resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: ManagedUserPoolClientState, opts?: pulumi.CustomResourceOptions): ManagedUserPoolClient;
    /**
     * Returns true if the given object is an instance of ManagedUserPoolClient. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is ManagedUserPoolClient;
    /**
     * Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.access_token`.
     *
     * Shorter lifetimes bound how long a leaked access token stays usable.
     */
    readonly accessTokenValidity: pulumi.Output<number>;
    /**
     * List of allowed OAuth flows, including `code`, `implicit`, and `clientCredentials`. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure this option.
     *
     * NOTE(review): the `implicit` grant returns tokens in the redirect URI fragment and is discouraged by the
     * OAuth 2.0 Security Best Current Practice; prefer `code` (with PKCE for browser and mobile clients).
     */
    readonly allowedOauthFlows: pulumi.Output<string[]>;
    /**
     * Whether the client is allowed to use OAuth 2.0 features. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure the following arguments: `callbackUrls`, `logoutUrls`, `allowedOauthScopes` and `allowedOauthFlows`.
     */
    readonly allowedOauthFlowsUserPoolClient: pulumi.Output<boolean>;
    /**
     * List of allowed OAuth scopes, including `phone`, `email`, `openid`, `profile`, and `aws.cognito.signin.user.admin`. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure this option.
     *
     * Grant only the scopes the application needs; `aws.cognito.signin.user.admin` lets a token holder read and
     * modify the user's own pool attributes.
     */
    readonly allowedOauthScopes: pulumi.Output<string[]>;
    /**
     * Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
     */
    readonly analyticsConfiguration: pulumi.Output<outputs.cognito.ManagedUserPoolClientAnalyticsConfiguration | undefined>;
    /**
     * Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for `authSessionValidity` are between `3` and `15`, with a default value of `3`.
     */
    readonly authSessionValidity: pulumi.Output<number>;
    /**
     * List of allowed callback URLs for the identity providers. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure this option.
     *
     * NOTE(review): use exact, HTTPS redirect URIs and keep the list minimal — this list is what prevents an
     * authorization code from being redirected to an unintended location.
     */
    readonly callbackUrls: pulumi.Output<string[]>;
    /**
     * Client secret of the user pool client.
     *
     * NOTE(review): credential material — confirm the SDK marks this output as a Pulumi secret so it is
     * encrypted in state and redacted in logs; do not copy it into non-secret outputs or configuration.
     */
    readonly clientSecret: pulumi.Output<string>;
    /**
     * Default redirect URI and must be included in the list of callback URLs.
     */
    readonly defaultRedirectUri: pulumi.Output<string>;
    /**
     * Enables the propagation of additional user context data.
     *
     * NOTE(review): relates to Cognito's adaptive-authentication / threat-protection features; its effect is not
     * visible from this declaration — confirm the user pool's advanced security mode before relying on it.
     */
    readonly enablePropagateAdditionalUserContextData: pulumi.Output<boolean>;
    /**
     * Enables or disables token revocation.
     *
     * Keep enabled unless there is a specific reason not to; with revocation disabled, an issued refresh token
     * cannot be invalidated before it expires.
     */
    readonly enableTokenRevocation: pulumi.Output<boolean>;
    /**
     * List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
     *
     * NOTE(review): prefer `ALLOW_USER_SRP_AUTH`; the `*USER_PASSWORD_AUTH` flows transmit the password itself to
     * the service rather than an SRP proof, and the `ADMIN_*` flows are intended for server-side callers holding
     * IAM credentials. Enable only the flows the application actually uses.
     */
    readonly explicitAuthFlows: pulumi.Output<string[]>;
    /**
     * Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.id_token`.
     */
    readonly idTokenValidity: pulumi.Output<number>;
    /**
     * List of allowed logout URLs for the identity providers. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure this option.
     */
    readonly logoutUrls: pulumi.Output<string[]>;
    /**
     * Name of the user pool client.
     */
    readonly name: pulumi.Output<string>;
    /**
     * Regular expression that matches the name of the existing User Pool Client to be managed. It must only match one User Pool Client.
     */
    readonly namePattern: pulumi.Output<string | undefined>;
    /**
     * String that matches the beginning of the name of the existing User Pool Client to be managed. It must match only one User Pool Client.
     *
     * The following arguments are optional:
     */
    readonly namePrefix: pulumi.Output<string | undefined>;
    /**
     * Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
     *
     * Set to `ENABLED` so these responses do not disclose whether a user exists (account enumeration);
     * `LEGACY` keeps the older, distinguishable error responses.
     */
    readonly preventUserExistenceErrors: pulumi.Output<string>;
    /**
     * List of user pool attributes that the application client can read from.
     */
    readonly readAttributes: pulumi.Output<string[]>;
    /**
     * A block that specifies the configuration of refresh token rotation. Detailed below.
     */
    readonly refreshTokenRotation: pulumi.Output<outputs.cognito.ManagedUserPoolClientRefreshTokenRotation | undefined>;
    /**
     * Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in `token_validity_units.refresh_token`.
     *
     * A long validity widens the window in which a stolen refresh token remains usable; pair longer lifetimes
     * with `enableTokenRevocation` and `refreshTokenRotation`.
     */
    readonly refreshTokenValidity: pulumi.Output<number>;
    /**
     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration.
     */
    readonly region: pulumi.Output<string>;
    /**
     * List of provider names for the identity providers that are supported on this client. It uses the `providerName` attribute of the `aws.cognito.IdentityProvider` resource(s), or the equivalent string(s).
     */
    readonly supportedIdentityProviders: pulumi.Output<string[]>;
    /**
     * Configuration block for representing the validity times in units. See details below.
     */
    readonly tokenValidityUnits: pulumi.Output<outputs.cognito.ManagedUserPoolClientTokenValidityUnits | undefined>;
    /**
     * User pool that the client belongs to.
     */
    readonly userPoolId: pulumi.Output<string>;
    /**
     * List of user pool attributes that the application client can write to.
     *
     * Review this list: attributes that downstream systems use for authorization decisions should generally
     * not be writable by the client.
     */
    readonly writeAttributes: pulumi.Output<string[]>;
    /**
     * Create a ManagedUserPoolClient resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: ManagedUserPoolClientArgs, opts?: pulumi.CustomResourceOptions);
}
/**
* Input properties used for looking up and filtering ManagedUserPoolClient resources.
*/
export interface ManagedUserPoolClientState {
    /**
     * Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.access_token`.
     *
     * Shorter lifetimes bound how long a leaked access token stays usable.
     */
    accessTokenValidity?: pulumi.Input<number>;
    /**
     * List of allowed OAuth flows, including `code`, `implicit`, and `clientCredentials`. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure this option.
     *
     * NOTE(review): the `implicit` grant returns tokens in the redirect URI fragment and is discouraged by the
     * OAuth 2.0 Security Best Current Practice; prefer `code` (with PKCE for browser and mobile clients).
     */
    allowedOauthFlows?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Whether the client is allowed to use OAuth 2.0 features. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure the following arguments: `callbackUrls`, `logoutUrls`, `allowedOauthScopes` and `allowedOauthFlows`.
     */
    allowedOauthFlowsUserPoolClient?: pulumi.Input<boolean>;
    /**
     * List of allowed OAuth scopes, including `phone`, `email`, `openid`, `profile`, and `aws.cognito.signin.user.admin`. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure this option.
     *
     * Grant only the scopes the application needs; `aws.cognito.signin.user.admin` lets a token holder read and
     * modify the user's own pool attributes.
     */
    allowedOauthScopes?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
     */
    analyticsConfiguration?: pulumi.Input<inputs.cognito.ManagedUserPoolClientAnalyticsConfiguration>;
    /**
     * Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for `authSessionValidity` are between `3` and `15`, with a default value of `3`.
     */
    authSessionValidity?: pulumi.Input<number>;
    /**
     * List of allowed callback URLs for the identity providers. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure this option.
     *
     * NOTE(review): use exact, HTTPS redirect URIs and keep the list minimal — this list is what prevents an
     * authorization code from being redirected to an unintended location.
     */
    callbackUrls?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Client secret of the user pool client.
     *
     * NOTE(review): credential material — if supplied here, wrap it with `pulumi.secret` so it is stored
     * encrypted in state and redacted in logs.
     */
    clientSecret?: pulumi.Input<string>;
    /**
     * Default redirect URI and must be included in the list of callback URLs.
     */
    defaultRedirectUri?: pulumi.Input<string>;
    /**
     * Enables the propagation of additional user context data.
     *
     * NOTE(review): relates to Cognito's adaptive-authentication / threat-protection features; its effect is not
     * visible from this declaration — confirm the user pool's advanced security mode before relying on it.
     */
    enablePropagateAdditionalUserContextData?: pulumi.Input<boolean>;
    /**
     * Enables or disables token revocation.
     *
     * Keep enabled unless there is a specific reason not to; with revocation disabled, an issued refresh token
     * cannot be invalidated before it expires.
     */
    enableTokenRevocation?: pulumi.Input<boolean>;
    /**
     * List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
     *
     * NOTE(review): prefer `ALLOW_USER_SRP_AUTH`; the `*USER_PASSWORD_AUTH` flows transmit the password itself to
     * the service rather than an SRP proof, and the `ADMIN_*` flows are intended for server-side callers holding
     * IAM credentials. Enable only the flows the application actually uses.
     */
    explicitAuthFlows?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.id_token`.
     */
    idTokenValidity?: pulumi.Input<number>;
    /**
     * List of allowed logout URLs for the identity providers. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure this option.
     */
    logoutUrls?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Name of the user pool client.
     */
    name?: pulumi.Input<string>;
    /**
     * Regular expression that matches the name of the existing User Pool Client to be managed. It must only match one User Pool Client.
     */
    namePattern?: pulumi.Input<string>;
    /**
     * String that matches the beginning of the name of the existing User Pool Client to be managed. It must match only one User Pool Client.
     *
     * The following arguments are optional:
     */
    namePrefix?: pulumi.Input<string>;
    /**
     * Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
     *
     * Set to `ENABLED` so these responses do not disclose whether a user exists (account enumeration);
     * `LEGACY` keeps the older, distinguishable error responses.
     */
    preventUserExistenceErrors?: pulumi.Input<string>;
    /**
     * List of user pool attributes that the application client can read from.
     */
    readAttributes?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * A block that specifies the configuration of refresh token rotation. Detailed below.
     */
    refreshTokenRotation?: pulumi.Input<inputs.cognito.ManagedUserPoolClientRefreshTokenRotation>;
    /**
     * Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in `token_validity_units.refresh_token`.
     *
     * A long validity widens the window in which a stolen refresh token remains usable; pair longer lifetimes
     * with `enableTokenRevocation` and `refreshTokenRotation`.
     */
    refreshTokenValidity?: pulumi.Input<number>;
    /**
     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration.
     */
    region?: pulumi.Input<string>;
    /**
     * List of provider names for the identity providers that are supported on this client. It uses the `providerName` attribute of the `aws.cognito.IdentityProvider` resource(s), or the equivalent string(s).
     */
    supportedIdentityProviders?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Configuration block for representing the validity times in units. See details below.
     */
    tokenValidityUnits?: pulumi.Input<inputs.cognito.ManagedUserPoolClientTokenValidityUnits>;
    /**
     * User pool that the client belongs to.
     */
    userPoolId?: pulumi.Input<string>;
    /**
     * List of user pool attributes that the application client can write to.
     *
     * Review this list: attributes that downstream systems use for authorization decisions should generally
     * not be writable by the client.
     */
    writeAttributes?: pulumi.Input<pulumi.Input<string>[]>;
}
/**
* The set of arguments for constructing a ManagedUserPoolClient resource.
*/
export interface ManagedUserPoolClientArgs {
    /**
     * Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.access_token`.
     *
     * Shorter lifetimes bound how long a leaked access token stays usable.
     */
    accessTokenValidity?: pulumi.Input<number>;
    /**
     * List of allowed OAuth flows, including `code`, `implicit`, and `clientCredentials`. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure this option.
     *
     * NOTE(review): the `implicit` grant returns tokens in the redirect URI fragment and is discouraged by the
     * OAuth 2.0 Security Best Current Practice; prefer `code` (with PKCE for browser and mobile clients).
     */
    allowedOauthFlows?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Whether the client is allowed to use OAuth 2.0 features. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure the following arguments: `callbackUrls`, `logoutUrls`, `allowedOauthScopes` and `allowedOauthFlows`.
     */
    allowedOauthFlowsUserPoolClient?: pulumi.Input<boolean>;
    /**
     * List of allowed OAuth scopes, including `phone`, `email`, `openid`, `profile`, and `aws.cognito.signin.user.admin`. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure this option.
     *
     * Grant only the scopes the application needs; `aws.cognito.signin.user.admin` lets a token holder read and
     * modify the user's own pool attributes.
     */
    allowedOauthScopes?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
     */
    analyticsConfiguration?: pulumi.Input<inputs.cognito.ManagedUserPoolClientAnalyticsConfiguration>;
    /**
     * Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for `authSessionValidity` are between `3` and `15`, with a default value of `3`.
     */
    authSessionValidity?: pulumi.Input<number>;
    /**
     * List of allowed callback URLs for the identity providers. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure this option.
     *
     * NOTE(review): use exact, HTTPS redirect URIs and keep the list minimal — this list is what prevents an
     * authorization code from being redirected to an unintended location.
     */
    callbackUrls?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Default redirect URI and must be included in the list of callback URLs.
     */
    defaultRedirectUri?: pulumi.Input<string>;
    /**
     * Enables the propagation of additional user context data.
     *
     * NOTE(review): relates to Cognito's adaptive-authentication / threat-protection features; its effect is not
     * visible from this declaration — confirm the user pool's advanced security mode before relying on it.
     */
    enablePropagateAdditionalUserContextData?: pulumi.Input<boolean>;
    /**
     * Enables or disables token revocation.
     *
     * Keep enabled unless there is a specific reason not to; with revocation disabled, an issued refresh token
     * cannot be invalidated before it expires.
     */
    enableTokenRevocation?: pulumi.Input<boolean>;
    /**
     * List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
     *
     * NOTE(review): prefer `ALLOW_USER_SRP_AUTH`; the `*USER_PASSWORD_AUTH` flows transmit the password itself to
     * the service rather than an SRP proof, and the `ADMIN_*` flows are intended for server-side callers holding
     * IAM credentials. Enable only the flows the application actually uses.
     */
    explicitAuthFlows?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.id_token`.
     */
    idTokenValidity?: pulumi.Input<number>;
    /**
     * List of allowed logout URLs for the identity providers. `allowedOauthFlowsUserPoolClient` must be set to `true` before you can configure this option.
     */
    logoutUrls?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Regular expression that matches the name of the existing User Pool Client to be managed. It must only match one User Pool Client.
     */
    namePattern?: pulumi.Input<string>;
    /**
     * String that matches the beginning of the name of the existing User Pool Client to be managed. It must match only one User Pool Client.
     *
     * The following arguments are optional:
     */
    namePrefix?: pulumi.Input<string>;
    /**
     * Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
     *
     * Set to `ENABLED` so these responses do not disclose whether a user exists (account enumeration);
     * `LEGACY` keeps the older, distinguishable error responses.
     */
    preventUserExistenceErrors?: pulumi.Input<string>;
    /**
     * List of user pool attributes that the application client can read from.
     */
    readAttributes?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * A block that specifies the configuration of refresh token rotation. Detailed below.
     */
    refreshTokenRotation?: pulumi.Input<inputs.cognito.ManagedUserPoolClientRefreshTokenRotation>;
    /**
     * Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in `token_validity_units.refresh_token`.
     *
     * A long validity widens the window in which a stolen refresh token remains usable; pair longer lifetimes
     * with `enableTokenRevocation` and `refreshTokenRotation`.
     */
    refreshTokenValidity?: pulumi.Input<number>;
    /**
     * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration.
     */
    region?: pulumi.Input<string>;
    /**
     * List of provider names for the identity providers that are supported on this client. It uses the `providerName` attribute of the `aws.cognito.IdentityProvider` resource(s), or the equivalent string(s).
     */
    supportedIdentityProviders?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Configuration block for representing the validity times in units. See details below.
     */
    tokenValidityUnits?: pulumi.Input<inputs.cognito.ManagedUserPoolClientTokenValidityUnits>;
    /**
     * User pool that the client belongs to.
     */
    userPoolId: pulumi.Input<string>;
    /**
     * List of user pool attributes that the application client can write to.
     *
     * Review this list: attributes that downstream systems use for authorization decisions should generally
     * not be writable by the client.
     */
    writeAttributes?: pulumi.Input<pulumi.Input<string>[]>;
}