import * as cdk from "../../core"; import * as constructs from "constructs"; import * as cfn_parse from "../../core/lib/helpers-internal"; /** * The `AWS::Cognito::IdentityPool` resource creates an Amazon Cognito identity pool. * * To avoid deleting the resource accidentally from AWS CloudFormation , use [DeletionPolicy Attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html) and the [UpdateReplacePolicy Attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatereplacepolicy.html) to retain the resource on deletion or replacement. * * @cloudformationResource AWS::Cognito::IdentityPool * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html */ export declare class CfnIdentityPool extends cdk.CfnResource implements cdk.IInspectable, cdk.ITaggableV2 { /** * The CloudFormation resource type name for this resource class. */ static readonly CFN_RESOURCE_TYPE_NAME: string; /** * Build a CfnIdentityPool from CloudFormation properties * * A factory method that creates a new instance of this class from an object * containing the CloudFormation properties of this resource. * Used in the @aws-cdk/cloudformation-include module. * * @internal */ static _fromCloudFormation(scope: constructs.Construct, id: string, resourceAttributes: any, options: cfn_parse.FromCloudFormationOptions): CfnIdentityPool; /** * @cloudformationAttribute Id */ readonly attrId: string; /** * The name of the Amazon Cognito identity pool, returned as a string. * * @cloudformationAttribute Name */ readonly attrName: string; /** * Enables the Basic (Classic) authentication flow. */ allowClassicFlow?: boolean | cdk.IResolvable; /** * Specifies whether the identity pool supports unauthenticated logins. 
*/ allowUnauthenticatedIdentities: boolean | cdk.IResolvable; /** * Tag Manager which manages the tags for this resource */ readonly cdkTagManager: cdk.TagManager; /** * The events to configure. */ cognitoEvents?: any | cdk.IResolvable; /** * The Amazon Cognito user pools and their client IDs. */ cognitoIdentityProviders?: Array<CfnIdentityPool.CognitoIdentityProviderProperty | cdk.IResolvable> | cdk.IResolvable; /** * Configuration options for configuring Amazon Cognito streams. */ cognitoStreams?: CfnIdentityPool.CognitoStreamsProperty | cdk.IResolvable; /** * The "domain" Amazon Cognito uses when referencing your users. */ developerProviderName?: string; /** * The name of your Amazon Cognito identity pool. */ identityPoolName?: string; /** * Tags to assign to the identity pool. */ identityPoolTags?: Array<cdk.CfnTag>; /** * The Amazon Resource Names (ARNs) of the OpenID connect providers. */ openIdConnectProviderArns?: Array<string>; /** * The configuration options to be applied to the identity pool. */ pushSync?: cdk.IResolvable | CfnIdentityPool.PushSyncProperty; /** * The Amazon Resource Names (ARNs) of the Security Assertion Markup Language (SAML) providers. */ samlProviderArns?: Array<string>; /** * Key-value pairs that map provider names to provider app IDs. 
*/ supportedLoginProviders?: any | cdk.IResolvable; /** * @param scope Scope in which this resource is defined * @param id Construct identifier for this resource (unique in its scope) * @param props Resource properties */ constructor(scope: constructs.Construct, id: string, props: CfnIdentityPoolProps); protected get cfnProperties(): Record<string, any>; /** * Examines the CloudFormation resource and discloses attributes * * @param inspector tree inspector to collect and process attributes */ inspect(inspector: cdk.TreeInspector): void; protected renderProperties(props: Record<string, any>): Record<string, any>; } export declare namespace CfnIdentityPool { /** * `PushSync` is a property of the [AWS::Cognito::IdentityPool](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html) resource that defines the configuration options to be applied to an Amazon Cognito identity pool. * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypool-pushsync.html */ interface PushSyncProperty { /** * The ARNs of the Amazon SNS platform applications that could be used by clients. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypool-pushsync.html#cfn-cognito-identitypool-pushsync-applicationarns */ readonly applicationArns?: Array<string>; /** * An IAM role configured to allow Amazon Cognito to call Amazon SNS on behalf of the developer. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypool-pushsync.html#cfn-cognito-identitypool-pushsync-rolearn */ readonly roleArn?: string; } /** * `CognitoIdentityProvider` is a property of the [AWS::Cognito::IdentityPool](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html) resource that represents an Amazon Cognito user pool and its client ID. 
* * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypool-cognitoidentityprovider.html */ interface CognitoIdentityProviderProperty { /** * The client ID for the Amazon Cognito user pool. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypool-cognitoidentityprovider.html#cfn-cognito-identitypool-cognitoidentityprovider-clientid */ readonly clientId: string; /** * The provider name for an Amazon Cognito user pool. * * For example: `cognito-idp.us-east-2.amazonaws.com/us-east-2_123456789` . * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypool-cognitoidentityprovider.html#cfn-cognito-identitypool-cognitoidentityprovider-providername */ readonly providerName: string; /** * TRUE if server-side token validation is enabled for the identity provider’s token. * * After you set the `ServerSideTokenCheck` to TRUE for an identity pool, that identity pool checks with the integrated user pools to make sure the user has not been globally signed out or deleted before the identity pool provides an OIDC token or AWS credentials for the user. * * If the user is signed out or deleted, the identity pool returns a 400 Not Authorized error. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypool-cognitoidentityprovider.html#cfn-cognito-identitypool-cognitoidentityprovider-serversidetokencheck */ readonly serverSideTokenCheck?: boolean | cdk.IResolvable; } /** * `CognitoStreams` is a property of the [AWS::Cognito::IdentityPool](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html) resource that defines configuration options for Amazon Cognito streams. 
* * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypool-cognitostreams.html */ interface CognitoStreamsProperty { /** * The Amazon Resource Name (ARN) of the role Amazon Cognito can assume to publish to the stream. * * This role must grant access to Amazon Cognito (cognito-sync) to invoke `PutRecord` on your Amazon Cognito stream. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypool-cognitostreams.html#cfn-cognito-identitypool-cognitostreams-rolearn */ readonly roleArn?: string; /** * Status of the Amazon Cognito streams. * * Valid values are: `ENABLED` or `DISABLED` . * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypool-cognitostreams.html#cfn-cognito-identitypool-cognitostreams-streamingstatus */ readonly streamingStatus?: string; /** * The name of the Amazon Cognito stream to receive updates. * * This stream must be in the developer's account and in the same Region as the identity pool. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypool-cognitostreams.html#cfn-cognito-identitypool-cognitostreams-streamname */ readonly streamName?: string; } } /** * Properties for defining a `CfnIdentityPool` * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html */ export interface CfnIdentityPoolProps { /** * Enables the Basic (Classic) authentication flow. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html#cfn-cognito-identitypool-allowclassicflow */ readonly allowClassicFlow?: boolean | cdk.IResolvable; /** * Specifies whether the identity pool supports unauthenticated logins. 
* * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html#cfn-cognito-identitypool-allowunauthenticatedidentities */ readonly allowUnauthenticatedIdentities: boolean | cdk.IResolvable; /** * The events to configure. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html#cfn-cognito-identitypool-cognitoevents */ readonly cognitoEvents?: any | cdk.IResolvable; /** * The Amazon Cognito user pools and their client IDs. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html#cfn-cognito-identitypool-cognitoidentityproviders */ readonly cognitoIdentityProviders?: Array<CfnIdentityPool.CognitoIdentityProviderProperty | cdk.IResolvable> | cdk.IResolvable; /** * Configuration options for configuring Amazon Cognito streams. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html#cfn-cognito-identitypool-cognitostreams */ readonly cognitoStreams?: CfnIdentityPool.CognitoStreamsProperty | cdk.IResolvable; /** * The "domain" Amazon Cognito uses when referencing your users. * * This name acts as a placeholder that allows your backend and the Amazon Cognito service to communicate about the developer provider. For the `DeveloperProviderName` , you can use letters and periods (.), underscores (_), and dashes (-). * * *Minimum length* : 1 * * *Maximum length* : 100 * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html#cfn-cognito-identitypool-developerprovidername */ readonly developerProviderName?: string; /** * The name of your Amazon Cognito identity pool. 
* * *Minimum length* : 1 * * *Maximum length* : 128 * * *Pattern* : `[\w\s+=,.@-]+` * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html#cfn-cognito-identitypool-identitypoolname */ readonly identityPoolName?: string; /** * Tags to assign to the identity pool. * * A tag is a label that you can apply to identity pools to categorize and manage them in different ways, such as by purpose, owner, environment, or other criteria. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html#cfn-cognito-identitypool-identitypooltags */ readonly identityPoolTags?: Array<cdk.CfnTag>; /** * The Amazon Resource Names (ARNs) of the OpenID connect providers. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html#cfn-cognito-identitypool-openidconnectproviderarns */ readonly openIdConnectProviderArns?: Array<string>; /** * The configuration options to be applied to the identity pool. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html#cfn-cognito-identitypool-pushsync */ readonly pushSync?: cdk.IResolvable | CfnIdentityPool.PushSyncProperty; /** * The Amazon Resource Names (ARNs) of the Security Assertion Markup Language (SAML) providers. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html#cfn-cognito-identitypool-samlproviderarns */ readonly samlProviderArns?: Array<string>; /** * Key-value pairs that map provider names to provider app IDs. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html#cfn-cognito-identitypool-supportedloginproviders */ readonly supportedLoginProviders?: any | cdk.IResolvable; } /** * A list of the identity pool principal tag assignments for attributes for access control. 
* * @cloudformationResource AWS::Cognito::IdentityPoolPrincipalTag * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolprincipaltag.html */ export declare class CfnIdentityPoolPrincipalTag extends cdk.CfnResource implements cdk.IInspectable { /** * The CloudFormation resource type name for this resource class. */ static readonly CFN_RESOURCE_TYPE_NAME: string; /** * Build a CfnIdentityPoolPrincipalTag from CloudFormation properties * * A factory method that creates a new instance of this class from an object * containing the CloudFormation properties of this resource. * Used in the @aws-cdk/cloudformation-include module. * * @internal */ static _fromCloudFormation(scope: constructs.Construct, id: string, resourceAttributes: any, options: cfn_parse.FromCloudFormationOptions): CfnIdentityPoolPrincipalTag; /** * The identity pool that you want to associate with this principal tag map. */ identityPoolId: string; /** * The identity pool identity provider (IdP) that you want to associate with this principal tag map. */ identityProviderName: string; /** * A JSON-formatted list of user claims and the principal tags that you want to associate with them. */ principalTags?: any | cdk.IResolvable; /** * Use a default set of mappings between claims and tags for this provider, instead of a custom map. 
*/ useDefaults?: boolean | cdk.IResolvable; /** * @param scope Scope in which this resource is defined * @param id Construct identifier for this resource (unique in its scope) * @param props Resource properties */ constructor(scope: constructs.Construct, id: string, props: CfnIdentityPoolPrincipalTagProps); protected get cfnProperties(): Record<string, any>; /** * Examines the CloudFormation resource and discloses attributes * * @param inspector tree inspector to collect and process attributes */ inspect(inspector: cdk.TreeInspector): void; protected renderProperties(props: Record<string, any>): Record<string, any>; } /** * Properties for defining a `CfnIdentityPoolPrincipalTag` * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolprincipaltag.html */ export interface CfnIdentityPoolPrincipalTagProps { /** * The identity pool that you want to associate with this principal tag map. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolprincipaltag.html#cfn-cognito-identitypoolprincipaltag-identitypoolid */ readonly identityPoolId: string; /** * The identity pool identity provider (IdP) that you want to associate with this principal tag map. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolprincipaltag.html#cfn-cognito-identitypoolprincipaltag-identityprovidername */ readonly identityProviderName: string; /** * A JSON-formatted list of user claims and the principal tags that you want to associate with them. * * When Amazon Cognito requests credentials, it sets the value of the principal tag to the value of the user's claim. 
* * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolprincipaltag.html#cfn-cognito-identitypoolprincipaltag-principaltags */ readonly principalTags?: any | cdk.IResolvable; /** * Use a default set of mappings between claims and tags for this provider, instead of a custom map. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolprincipaltag.html#cfn-cognito-identitypoolprincipaltag-usedefaults */ readonly useDefaults?: boolean | cdk.IResolvable; } /** * The `AWS::Cognito::IdentityPoolRoleAttachment` resource manages the role configuration for an Amazon Cognito identity pool. * * @cloudformationResource AWS::Cognito::IdentityPoolRoleAttachment * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html */ export declare class CfnIdentityPoolRoleAttachment extends cdk.CfnResource implements cdk.IInspectable { /** * The CloudFormation resource type name for this resource class. */ static readonly CFN_RESOURCE_TYPE_NAME: string; /** * Build a CfnIdentityPoolRoleAttachment from CloudFormation properties * * A factory method that creates a new instance of this class from an object * containing the CloudFormation properties of this resource. * Used in the @aws-cdk/cloudformation-include module. * * @internal */ static _fromCloudFormation(scope: constructs.Construct, id: string, resourceAttributes: any, options: cfn_parse.FromCloudFormationOptions): CfnIdentityPoolRoleAttachment; /** * The resource ID. * * @cloudformationAttribute Id */ readonly attrId: string; /** * An identity pool ID in the format `REGION:GUID` . */ identityPoolId: string; /** * How users for a specific identity provider are mapped to roles. */ roleMappings?: cdk.IResolvable | Record<string, cdk.IResolvable | CfnIdentityPoolRoleAttachment.RoleMappingProperty>; /** * The map of the roles associated with this pool. 
*/ roles?: any | cdk.IResolvable; /** * @param scope Scope in which this resource is defined * @param id Construct identifier for this resource (unique in its scope) * @param props Resource properties */ constructor(scope: constructs.Construct, id: string, props: CfnIdentityPoolRoleAttachmentProps); protected get cfnProperties(): Record<string, any>; /** * Examines the CloudFormation resource and discloses attributes * * @param inspector tree inspector to collect and process attributes */ inspect(inspector: cdk.TreeInspector): void; protected renderProperties(props: Record<string, any>): Record<string, any>; } export declare namespace CfnIdentityPoolRoleAttachment { /** * One of a set of `RoleMappings` , a property of the [AWS::Cognito::IdentityPoolRoleAttachment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html) resource that defines the role-mapping attributes of an Amazon Cognito identity pool. * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-rolemapping.html */ interface RoleMappingProperty { /** * If you specify Token or Rules as the `Type` , `AmbiguousRoleResolution` is required. * * Specifies the action to be taken if either no rules match the claim value for the `Rules` type, or there is no `cognito:preferred_role` claim and there are multiple `cognito:roles` matches for the `Token` type. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-rolemapping.html#cfn-cognito-identitypoolroleattachment-rolemapping-ambiguousroleresolution */ readonly ambiguousRoleResolution?: string; /** * Identifier for the identity provider for which the role is mapped. 
* * For example: `graph.facebook.com` or `cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id (http://cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id)` . This is the identity provider that is used by the user for authentication. * * If the identity provider property isn't provided, the key of the entry in the `RoleMappings` map is used as the identity provider. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-rolemapping.html#cfn-cognito-identitypoolroleattachment-rolemapping-identityprovider */ readonly identityProvider?: string; /** * The rules to be used for mapping users to roles. * * If you specify "Rules" as the role-mapping type, RulesConfiguration is required. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-rolemapping.html#cfn-cognito-identitypoolroleattachment-rolemapping-rulesconfiguration */ readonly rulesConfiguration?: cdk.IResolvable | CfnIdentityPoolRoleAttachment.RulesConfigurationTypeProperty; /** * The role mapping type. * * Token will use `cognito:roles` and `cognito:preferred_role` claims from the Cognito identity provider token to map groups to roles. Rules will attempt to match claims from the token to map to a role. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-rolemapping.html#cfn-cognito-identitypoolroleattachment-rolemapping-type */ readonly type: string; } /** * `RulesConfigurationType` is a subproperty of the [RoleMapping](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-rolemapping.html) property that defines the rules to be used for mapping users to roles. 
* * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-rulesconfigurationtype.html */ interface RulesConfigurationTypeProperty { /** * The rules. * * You can specify up to 25 rules per identity provider. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-rulesconfigurationtype.html#cfn-cognito-identitypoolroleattachment-rulesconfigurationtype-rules */ readonly rules: Array<cdk.IResolvable | CfnIdentityPoolRoleAttachment.MappingRuleProperty> | cdk.IResolvable; } /** * Defines how to map a claim to a role ARN. * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-mappingrule.html */ interface MappingRuleProperty { /** * The claim name that must be present in the token. * * For example: "isAdmin" or "paid". * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-mappingrule.html#cfn-cognito-identitypoolroleattachment-mappingrule-claim */ readonly claim: string; /** * The match condition that specifies how closely the claim value in the IdP token must match `Value` . * * Valid values are: `Equals` , `Contains` , `StartsWith` , and `NotEqual` . * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-mappingrule.html#cfn-cognito-identitypoolroleattachment-mappingrule-matchtype */ readonly matchType: string; /** * The Amazon Resource Name (ARN) of the role. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-mappingrule.html#cfn-cognito-identitypoolroleattachment-mappingrule-rolearn */ readonly roleArn: string; /** * A brief string that the claim must match. * * For example, "paid" or "yes". 
* * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-mappingrule.html#cfn-cognito-identitypoolroleattachment-mappingrule-value */ readonly value: string; } } /** * Properties for defining a `CfnIdentityPoolRoleAttachment` * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html */ export interface CfnIdentityPoolRoleAttachmentProps { /** * An identity pool ID in the format `REGION:GUID` . * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html#cfn-cognito-identitypoolroleattachment-identitypoolid */ readonly identityPoolId: string; /** * How users for a specific identity provider are mapped to roles. * * This is a string to the `RoleMapping` object map. The string identifies the identity provider. For example: `graph.facebook.com` or `cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id` . * * If the `IdentityProvider` field isn't provided in this object, the string is used as the identity provider name. * * For more information, see the [RoleMapping property](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-rolemapping.html) . * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html#cfn-cognito-identitypoolroleattachment-rolemappings */ readonly roleMappings?: cdk.IResolvable | Record<string, cdk.IResolvable | CfnIdentityPoolRoleAttachment.RoleMappingProperty>; /** * The map of the roles associated with this pool. * * For a given role, the key is either "authenticated" or "unauthenticated". The value is the role ARN. 
* * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html#cfn-cognito-identitypoolroleattachment-roles */ readonly roles?: any | cdk.IResolvable; } /** * The `AWS::Cognito::UserPool` resource creates an Amazon Cognito user pool. * * For more information on working with Amazon Cognito user pools, see [Amazon Cognito User Pools](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html) and [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) . * * > If you don't specify a value for a parameter, Amazon Cognito sets it to a default value. * * @cloudformationResource AWS::Cognito::UserPool * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html */ export declare class CfnUserPool extends cdk.CfnResource implements cdk.IInspectable, cdk.ITaggable { /** * The CloudFormation resource type name for this resource class. */ static readonly CFN_RESOURCE_TYPE_NAME: string; /** * Build a CfnUserPool from CloudFormation properties * * A factory method that creates a new instance of this class from an object * containing the CloudFormation properties of this resource. * Used in the @aws-cdk/cloudformation-include module. * * @internal */ static _fromCloudFormation(scope: constructs.Construct, id: string, resourceAttributes: any, options: cfn_parse.FromCloudFormationOptions): CfnUserPool; /** * The Amazon Resource Name (ARN) of the user pool, such as `arn:aws:cognito-idp:us-east-1:123412341234:userpool/us-east-1_123412341` . * * @cloudformationAttribute Arn */ readonly attrArn: string; /** * A friendly name for the IdP. * * @cloudformationAttribute ProviderName */ readonly attrProviderName: string; /** * The URL of the provider of the Amazon Cognito user pool, specified as a `String` . 
* * @cloudformationAttribute ProviderURL */ readonly attrProviderUrl: string; /** * The ID of the user pool. * * @cloudformationAttribute UserPoolId */ readonly attrUserPoolId: string; /** * The available verified method a user can use to recover their password when they call `ForgotPassword` . */ accountRecoverySetting?: CfnUserPool.AccountRecoverySettingProperty | cdk.IResolvable; /** * The settings for administrator creation of users in a user pool. */ adminCreateUserConfig?: CfnUserPool.AdminCreateUserConfigProperty | cdk.IResolvable; /** * Attributes supported as an alias for this user pool. */ aliasAttributes?: Array<string>; /** * The attributes that you want your user pool to automatically verify. */ autoVerifiedAttributes?: Array<string>; /** * When active, `DeletionProtection` prevents accidental deletion of your user pool. */ deletionProtection?: string; /** * The device-remembering configuration for a user pool. */ deviceConfiguration?: CfnUserPool.DeviceConfigurationProperty | cdk.IResolvable; emailAuthenticationMessage?: string; emailAuthenticationSubject?: string; /** * The email configuration of your user pool. */ emailConfiguration?: CfnUserPool.EmailConfigurationProperty | cdk.IResolvable; /** * This parameter is no longer used. */ emailVerificationMessage?: string; /** * This parameter is no longer used. */ emailVerificationSubject?: string; /** * Set enabled MFA options on a specified user pool. */ enabledMfas?: Array<string>; /** * A collection of user pool Lambda triggers. */ lambdaConfig?: cdk.IResolvable | CfnUserPool.LambdaConfigProperty; /** * Displays the state of multi-factor authentication (MFA) as on, off, or optional. */ mfaConfiguration?: string; /** * A list of user pool policies. */ policies?: cdk.IResolvable | CfnUserPool.PoliciesProperty; /** * An array of attributes for the new user pool. 
*/ schema?: Array<cdk.IResolvable | CfnUserPool.SchemaAttributeProperty> | cdk.IResolvable; /** * The contents of the SMS authentication message. */ smsAuthenticationMessage?: string; /** * The settings for your Amazon Cognito user pool to send SMS messages with Amazon Simple Notification Service. */ smsConfiguration?: cdk.IResolvable | CfnUserPool.SmsConfigurationProperty; /** * This parameter is no longer used. */ smsVerificationMessage?: string; /** * Tag Manager which manages the tags for this resource */ readonly tags: cdk.TagManager; /** * The settings for updates to user attributes. */ userAttributeUpdateSettings?: cdk.IResolvable | CfnUserPool.UserAttributeUpdateSettingsProperty; /** * Specifies whether a user can use an email address or phone number as a username when they sign up. */ usernameAttributes?: Array<string>; /** * Sets the case sensitivity option for sign-in usernames. */ usernameConfiguration?: cdk.IResolvable | CfnUserPool.UsernameConfigurationProperty; /** * Contains settings for activation of threat protection, including the operating mode and additional authentication types. */ userPoolAddOns?: cdk.IResolvable | CfnUserPool.UserPoolAddOnsProperty; /** * A friendly name for your user pool. */ userPoolName?: string; /** * The tag keys and values to assign to the user pool. */ userPoolTagsRaw?: any; /** * The user pool [feature plan](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html) , or tier. This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection. Defaults to `ESSENTIALS` . */ userPoolTier?: string; /** * The template for the verification message that your user pool delivers to users who set an email address or phone number attribute. 
*/ verificationMessageTemplate?: cdk.IResolvable | CfnUserPool.VerificationMessageTemplateProperty; /** * Sets or displays the authentication domain, typically your user pool domain, that passkey providers must use as a relying party (RP) in their configuration. */ webAuthnRelyingPartyId?: string; /** * When `required` , users can only register and sign in users with passkeys that are capable of [user verification](https://docs.aws.amazon.com/https://www.w3.org/TR/webauthn-2/#enum-userVerificationRequirement) . When `preferred` , your user pool doesn't require the use of authenticators with user verification but encourages it. */ webAuthnUserVerification?: string; /** * @param scope Scope in which this resource is defined * @param id Construct identifier for this resource (unique in its scope) * @param props Resource properties */ constructor(scope: constructs.Construct, id: string, props?: CfnUserPoolProps); protected get cfnProperties(): Record<string, any>; /** * Examines the CloudFormation resource and discloses attributes * * @param inspector tree inspector to collect and process attributes */ inspect(inspector: cdk.TreeInspector): void; protected renderProperties(props: Record<string, any>): Record<string, any>; } export declare namespace CfnUserPool { /** * A list of user pool policies. * * Contains the policy that sets password-complexity requirements. * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-policies.html */ interface PoliciesProperty { /** * The password policy settings for a user pool, including complexity, history, and length requirements. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-policies.html#cfn-cognito-userpool-policies-passwordpolicy */ readonly passwordPolicy?: cdk.IResolvable | CfnUserPool.PasswordPolicyProperty; /** * The policy for allowed types of authentication in a user pool. 
*
         * To activate this setting, your user pool must be in the [Essentials tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html) or higher.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-policies.html#cfn-cognito-userpool-policies-signinpolicy
         */
        readonly signInPolicy?: cdk.IResolvable | CfnUserPool.SignInPolicyProperty;
    }
    /**
     * The password policy settings for a user pool, including complexity, history, and length requirements.
     *
     * @struct
     * @stability external
     * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-passwordpolicy.html
     */
    interface PasswordPolicyProperty {
        /**
         * The minimum length of the password in the policy that you have set.
         *
         * This value can't be less than 6.
         *
         * NOTE(review): 6 is the lowest value that is accepted, not a recommended length; set this to match your organization's password policy.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-passwordpolicy.html#cfn-cognito-userpool-passwordpolicy-minimumlength
         */
        readonly minimumLength?: number;
        /**
         * The number of previous passwords that you want Amazon Cognito to restrict each user from reusing.
         *
         * Users can't set a password that matches any of `n` previous passwords, where `n` is the value of `PasswordHistorySize`.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-passwordpolicy.html#cfn-cognito-userpool-passwordpolicy-passwordhistorysize
         */
        readonly passwordHistorySize?: number;
        /**
         * The requirement in a password policy that users must include at least one lowercase letter in their password.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-passwordpolicy.html#cfn-cognito-userpool-passwordpolicy-requirelowercase
         */
        readonly requireLowercase?: boolean | cdk.IResolvable;
        /**
         * The requirement in a password policy that users must include at least one number in their password.
*
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-passwordpolicy.html#cfn-cognito-userpool-passwordpolicy-requirenumbers
         */
        readonly requireNumbers?: boolean | cdk.IResolvable;
        /**
         * The requirement in a password policy that users must include at least one symbol in their password.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-passwordpolicy.html#cfn-cognito-userpool-passwordpolicy-requiresymbols
         */
        readonly requireSymbols?: boolean | cdk.IResolvable;
        /**
         * The requirement in a password policy that users must include at least one uppercase letter in their password.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-passwordpolicy.html#cfn-cognito-userpool-passwordpolicy-requireuppercase
         */
        readonly requireUppercase?: boolean | cdk.IResolvable;
        /**
         * The number of days a temporary password is valid in the password policy.
         *
         * If the user doesn't sign in during this time, an administrator must reset their password. Defaults to `7`. If you submit a value of `0`, Amazon Cognito treats it as a null value and sets `TemporaryPasswordValidityDays` to its default value.
         *
         * NOTE(review): a value of `0` therefore does not shorten the validity window; it results in the default of `7` days.
         *
         * > When you set `TemporaryPasswordValidityDays` for a user pool, you can no longer set a value for the legacy `UnusedAccountValidityDays` parameter in that user pool.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-passwordpolicy.html#cfn-cognito-userpool-passwordpolicy-temporarypasswordvaliditydays
         */
        readonly temporaryPasswordValidityDays?: number;
    }
    /**
     * The policy for allowed types of authentication in a user pool.
     *
     * To activate this setting, your user pool must be in the [Essentials tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html) or higher.
*
     * @struct
     * @stability external
     * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-signinpolicy.html
     */
    interface SignInPolicyProperty {
        /**
         * The sign-in methods that a user pool supports as the first factor.
         *
         * You can permit users to start authentication with a standard username and password, or with other one-time password and hardware factors.
         *
         * Supports values of `EMAIL_OTP`, `SMS_OTP`, `WEB_AUTHN` and `PASSWORD`.
         *
         * NOTE(review): typed as `Array<string>`, so a misspelled factor name is not caught by the compiler.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-signinpolicy.html#cfn-cognito-userpool-signinpolicy-allowedfirstauthfactors
         */
        readonly allowedFirstAuthFactors?: Array<string>;
    }
    /**
     * The template for the verification message that your user pool delivers to users who set an email address or phone number attribute.
     *
     * @struct
     * @stability external
     * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html
     */
    interface VerificationMessageTemplateProperty {
        /**
         * The configuration of verification emails to contain a clickable link or a verification code.
         *
         * For link, your template body must contain link text in the format `{##Click here##}`. "Click here" in the example is a customizable string. For code, your template body must contain a code placeholder in the format `{####}`.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html#cfn-cognito-userpool-verificationmessagetemplate-defaultemailoption
         */
        readonly defaultEmailOption?: string;
        /**
         * The template for email messages that Amazon Cognito sends to your users.
*
         * You can set an `EmailMessage` template only if the value of [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` . When your [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` , your user pool sends email messages with your own Amazon SES configuration.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html#cfn-cognito-userpool-verificationmessagetemplate-emailmessage
         */
        readonly emailMessage?: string;
        /**
         * The email message template for sending a confirmation link to the user.
         *
         * You can set an `EmailMessageByLink` template only if the value of [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER`. When your [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER`, your user pool sends email messages with your own Amazon SES configuration.
         *
         * NOTE(review): the `defaultEmailOption` description in this interface says a link template body must contain link text in the format `{##Click here##}`; presumably that requirement applies to this template — confirm.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html#cfn-cognito-userpool-verificationmessagetemplate-emailmessagebylink
         */
        readonly emailMessageByLink?: string;
        /**
         * The subject line for the email message template.
*
         * You can set an `EmailSubject` template only if the value of [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` . When your [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` , your user pool sends email messages with your own Amazon SES configuration.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html#cfn-cognito-userpool-verificationmessagetemplate-emailsubject
         */
        readonly emailSubject?: string;
        /**
         * The subject line for the email message template for sending a confirmation link to the user.
         *
         * You can set an `EmailSubjectByLink` template only if the value of [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER`. When your [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER`, your user pool sends email messages with your own Amazon SES configuration.
         *
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html#cfn-cognito-userpool-verificationmessagetemplate-emailsubjectbylink
         */
        readonly emailSubjectByLink?: string;
        /**
         * The template for SMS messages that Amazon Cognito sends to your users.
* * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html#cfn-cognito-userpool-verificationmessagetemplate-smsmessage */ readonly smsMessage?: string; } /** * A list of the user attributes and their properties in your user pool. * * The attribute schema contains standard attributes, custom attributes with a `custom:` prefix, and developer attributes with a `dev:` prefix. For more information, see [User pool attributes](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html) . * * Developer-only `dev:` attributes are a legacy feature of user pools, and are read-only to all app clients. You can create and update developer-only attributes only with IAM-authenticated API operations. Use app client read/write permissions instead. * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html */ interface SchemaAttributeProperty { /** * The data format of the values for your attribute. * * When you choose an `AttributeDataType` , Amazon Cognito validates the input against the data type. A custom attribute value in your user's ID token is always a string, for example `"custom:isMember" : "true"` or `"custom:YearsAsMember" : "12"` . * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html#cfn-cognito-userpool-schemaattribute-attributedatatype */ readonly attributeDataType?: string; /** * > You should use [WriteAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UserPoolClientType.html#CognitoUserPools-Type-UserPoolClientType-WriteAttributes) in the user pool client to control how attributes can be mutated for new use cases instead of using `DeveloperOnlyAttribute` . * * Specifies whether the attribute type is developer only. 
This attribute can only be modified by an administrator. Users won't be able to modify this attribute using their access token. For example, `DeveloperOnlyAttribute` can be modified using AdminUpdateUserAttributes but can't be updated using UpdateUserAttributes. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html#cfn-cognito-userpool-schemaattribute-developeronlyattribute */ readonly developerOnlyAttribute?: boolean | cdk.IResolvable; /** * Specifies whether the value of the attribute can be changed. * * Any user pool attribute whose value you map from an IdP attribute must be mutable, with a parameter value of `true` . Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute. For more information, see [Specifying Identity Provider Attribute Mappings for Your User Pool](https://docs.aws.amazon.com/cognito/latest/de