diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/cdk.out new file mode 100644 index 0000000000000..c6e612584e352 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"38.0.1"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ-user-email-mfa.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ-user-email-mfa.assets.json new file mode 100644 index 0000000000000..c248f6865cf34 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ-user-email-mfa.assets.json @@ -0,0 +1,19 @@ +{ + "version": "38.0.1", + "files": { + "57ebfe1ab6c8ce5faf8c2370ac901d380e8c968b793c3d82d66a3e6bd99983a8": { + "source": { + "path": "integ-user-email-mfa.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "57ebfe1ab6c8ce5faf8c2370ac901d380e8c968b793c3d82d66a3e6bd99983a8.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ-user-email-mfa.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ-user-email-mfa.template.json new file mode 100644 index 0000000000000..0c32599ce87ee --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ-user-email-mfa.template.json @@ -0,0 +1,152 @@ +{ + "Resources": { + "myuserpoolsmsRole0E16FDD9": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "integuseremailmfamyuserpool8F31F20B" + } + }, + "Effect": "Allow", + "Principal": { + "Service": "cognito-idp.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": "sns:Publish", + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "sns-publish" + } + ] + } + }, + "myuserpool01998219": { + "Type": "AWS::Cognito::UserPool", + "Properties": { + "AccountRecoverySetting": { + "RecoveryMechanisms": [ + { + "Name": "verified_phone_number", + "Priority": 1 + }, + { + "Name": "verified_email", + "Priority": 2 + } + ] + }, + "AdminCreateUserConfig": { + "AllowAdminCreateUserOnly": true + }, + "EmailConfiguration": { + "EmailSendingAccount": "DEVELOPER", + "From": "\"myname@mycompany.com\" ", + "ReplyToEmailAddress": "support@*.example.com", + "SourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ses:us-east-1:", + { + "Ref": "AWS::AccountId" + }, + ":identity/*.example.com" + ] + ] + } + }, + "EmailVerificationMessage": "The verification code to your new account is {####}", + "EmailVerificationSubject": "Verify your new account", + "EnabledMfas": [ + "SMS_MFA", + "EMAIL_OTP" + ], + "MfaConfiguration": "ON", + "SmsConfiguration": { + "ExternalId": "integuseremailmfamyuserpool8F31F20B", + "SnsCallerArn": { + "Fn::GetAtt": [ + "myuserpoolsmsRole0E16FDD9", + "Arn" + ] + } + }, + "SmsVerificationMessage": "The verification code to your new account is {####}", + "UserPoolAddOns": { + "AdvancedSecurityMode": "ENFORCED" + }, + "UserPoolName": "MyUserPool", + "VerificationMessageTemplate": { + "DefaultEmailOption": "CONFIRM_WITH_CODE", + "EmailMessage": "The verification code to your new account is {####}", + "EmailSubject": "Verify your new account", + "SmsMessage": "The verification code to your new account is {####}" + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + } + }, + "Outputs": { + "userpoolid": { + "Value": { + "Ref": "myuserpool01998219" + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ.json new file mode 100644 index 0000000000000..88212ea89f5c4 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ.json @@ -0,0 +1,14 @@ +{ + "enableLookups": true, + "version": "38.0.1", + "testCases": { + "integ-user-email-mfa-test/DefaultTest": { + "stacks": [ + "integ-user-email-mfa" + ], + "stackUpdateWorkflow": false, + "assertionStack": "integ-user-email-mfa-test/DefaultTest/DeployAssert", + "assertionStackName": "integuseremailmfatestDefaultTestDeployAssertD4C43B3C" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integuseremailmfatestDefaultTestDeployAssertD4C43B3C.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integuseremailmfatestDefaultTestDeployAssertD4C43B3C.assets.json new file mode 100644 index 0000000000000..e4126b91762e6 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integuseremailmfatestDefaultTestDeployAssertD4C43B3C.assets.json @@ -0,0 +1,19 @@ +{ + "version": "38.0.1", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "integuseremailmfatestDefaultTestDeployAssertD4C43B3C.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integuseremailmfatestDefaultTestDeployAssertD4C43B3C.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integuseremailmfatestDefaultTestDeployAssertD4C43B3C.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integuseremailmfatestDefaultTestDeployAssertD4C43B3C.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/manifest.json new file mode 100644 index 0000000000000..05c1c5dc19eee --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/manifest.json @@ -0,0 +1,127 @@ +{ + "version": "38.0.1", + "artifacts": { + "integ-user-email-mfa.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "integ-user-email-mfa.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "integ-user-email-mfa": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "integ-user-email-mfa.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "notificationArns": [], + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/57ebfe1ab6c8ce5faf8c2370ac901d380e8c968b793c3d82d66a3e6bd99983a8.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "integ-user-email-mfa.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "integ-user-email-mfa.assets" + ], + "metadata": { + "/integ-user-email-mfa/myuserpool/smsRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "myuserpoolsmsRole0E16FDD9" + } + ], + "/integ-user-email-mfa/myuserpool/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "myuserpool01998219" + } + ], + "/integ-user-email-mfa/user-pool-id": [ + { + "type": "aws:cdk:logicalId", + "data": "userpoolid" + } + ], + "/integ-user-email-mfa/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/integ-user-email-mfa/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "integ-user-email-mfa" + }, + "integuseremailmfatestDefaultTestDeployAssertD4C43B3C.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "integuseremailmfatestDefaultTestDeployAssertD4C43B3C.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "integuseremailmfatestDefaultTestDeployAssertD4C43B3C": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "integuseremailmfatestDefaultTestDeployAssertD4C43B3C.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "notificationArns": [], + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "integuseremailmfatestDefaultTestDeployAssertD4C43B3C.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "integuseremailmfatestDefaultTestDeployAssertD4C43B3C.assets" + ], + "metadata": { + "/integ-user-email-mfa-test/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/integ-user-email-mfa-test/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "integ-user-email-mfa-test/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/tree.json new file mode 100644 index 0000000000000..a90269fcaff6c --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/tree.json @@ -0,0 +1,258 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "integ-user-email-mfa": { + "id": "integ-user-email-mfa", + "path": "integ-user-email-mfa", + "children": { + "myuserpool": { + "id": "myuserpool", + "path": "integ-user-email-mfa/myuserpool", + "children": { + "smsRole": { + "id": "smsRole", + "path": "integ-user-email-mfa/myuserpool/smsRole", + "children": { + "ImportsmsRole": { + "id": "ImportsmsRole", + "path": "integ-user-email-mfa/myuserpool/smsRole/ImportsmsRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "integ-user-email-mfa/myuserpool/smsRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "integuseremailmfamyuserpool8F31F20B" + } + }, + "Effect": "Allow", + "Principal": { + "Service": "cognito-idp.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "policies": [ + { + "policyName": "sns-publish", + "policyDocument": { + "Statement": [ + { + "Action": "sns:Publish", + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "integ-user-email-mfa/myuserpool/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Cognito::UserPool", + "aws:cdk:cloudformation:props": { + "accountRecoverySetting": { + "recoveryMechanisms": [ + { + "name": "verified_phone_number", + "priority": 1 + }, + { + "name": "verified_email", + "priority": 2 + } + ] + }, + "adminCreateUserConfig": { + "allowAdminCreateUserOnly": true + }, + "emailConfiguration": { + "from": "\"myname@mycompany.com\" ", + "replyToEmailAddress": "support@*.example.com", + "emailSendingAccount": "DEVELOPER", + "sourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ses:us-east-1:", + { + "Ref": "AWS::AccountId" + }, + ":identity/*.example.com" + ] + ] + } + }, + "emailVerificationMessage": "The verification code to your new account is {####}", + "emailVerificationSubject": "Verify your new account", + "enabledMfas": [ + "SMS_MFA", + "EMAIL_OTP" + ], + "mfaConfiguration": "ON", + "smsConfiguration": { + "externalId": "integuseremailmfamyuserpool8F31F20B", + "snsCallerArn": { + "Fn::GetAtt": [ + "myuserpoolsmsRole0E16FDD9", + "Arn" + ] + } + }, + "smsVerificationMessage": "The verification code to your new account is {####}", + "userPoolAddOns": { + "advancedSecurityMode": "ENFORCED" + }, + "userPoolName": "MyUserPool", + "verificationMessageTemplate": { + "defaultEmailOption": "CONFIRM_WITH_CODE", + "emailMessage": "The verification code to your new account is {####}", + "emailSubject": "Verify your new account", + "smsMessage": "The verification code to your new account is {####}" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_cognito.CfnUserPool", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_cognito.UserPool", + "version": "0.0.0" + } + }, + "user-pool-id": { + "id": "user-pool-id", + "path": "integ-user-email-mfa/user-pool-id", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnOutput", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "integ-user-email-mfa/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "integ-user-email-mfa/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "integ-user-email-mfa-test": { + "id": "integ-user-email-mfa-test", + "path": "integ-user-email-mfa-test", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "integ-user-email-mfa-test/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "integ-user-email-mfa-test/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "integ-user-email-mfa-test/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "integ-user-email-mfa-test/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "integ-user-email-mfa-test/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.ts new file mode 100644 index 0000000000000..417c70d5ecd2c --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.ts @@ -0,0 +1,41 @@ +import { App, CfnOutput, RemovalPolicy, Stack } from 'aws-cdk-lib'; +import { IntegTest } from '@aws-cdk/integ-tests-alpha'; +import { AdvancedSecurityMode, Mfa, UserPool, UserPoolEmail } from 'aws-cdk-lib/aws-cognito'; + +/** + * Before you run test, you must set up SES email identity and set domain to domainName. + */ +const domainName = process.env.CDK_INTEG_DOMAIN_NAME ?? process.env.DOMAIN_NAME; +if (!domainName) throw new Error('For this test you must provide your own DomainName as an env var "DOMAIN_NAME".'); + +const app = new App(); +const stack = new Stack(app, 'integ-user-email-mfa'); + +const userpool = new UserPool(stack, 'myuserpool', { + removalPolicy: RemovalPolicy.DESTROY, + userPoolName: 'MyUserPool', + email: UserPoolEmail.withSES({ + sesRegion: 'us-east-1', + fromEmail: `noreply@${domainName}`, + fromName: 'myname@mycompany.com', + replyTo: `support@${domainName}`, + sesVerifiedDomain: domainName, + }), + mfa: Mfa.REQUIRED, + mfaSecondFactor: { + sms: true, + otp: false, + email: true, + }, + advancedSecurityMode: AdvancedSecurityMode.ENFORCED, +}); + +new CfnOutput(stack, 'user-pool-id', { + value: userpool.userPoolId, +}); + +new IntegTest(app, 'integ-user-email-mfa-test', { + testCases: [stack], + enableLookups: true, + stackUpdateWorkflow: false, +}); diff --git a/packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts b/packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts index effe57b512010..18de3869296b5 100644 --- a/packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts +++ b/packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts @@ -125,6 +125,9 @@ export class FoundationModelIdentifier { /** Base model "anthropic.claude-3-5-sonnet-20240620-v1:0" */ public static readonly ANTHROPIC_CLAUDE_3_5_SONNET_20240620_V1_0 = new FoundationModelIdentifier('anthropic.claude-3-5-sonnet-20240620-v1:0'); + /** Base model "anthropic.claude-3-5-sonnet-20241022-v2:0" */ + public static readonly ANTHROPIC_CLAUDE_3_5_SONNET_20241022_V2_0 = new FoundationModelIdentifier('anthropic.claude-3-5-sonnet-20241022-v2:0'); + /** Base model "anthropic.claude-3-haiku-20240307-v1:0". */ public static readonly ANTHROPIC_CLAUDE_3_HAIKU_20240307_V1_0 = new FoundationModelIdentifier('anthropic.claude-3-haiku-20240307-v1:0'); diff --git a/packages/aws-cdk-lib/aws-cognito/README.md b/packages/aws-cdk-lib/aws-cognito/README.md index 35df1769e41ac..7a4ae282ace23 100644 --- a/packages/aws-cdk-lib/aws-cognito/README.md +++ b/packages/aws-cdk-lib/aws-cognito/README.md @@ -306,6 +306,9 @@ configure an MFA token and use it for sign in. It also allows for the users to u [time-based one time password (TOTP)](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-totp.html). +If you want to enable email-based MFA, set `email` propety to the Amazon SES email-sending configuration and set `advancedSecurityMode` to `AdvancedSecurity.ENFORCED` or `AdvancedSecurity.AUDIT`. +For more information, see [Email MFA](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security-email-mfa.html). + ```ts new cognito.UserPool(this, 'myuserpool', { // ... @@ -313,6 +316,7 @@ new cognito.UserPool(this, 'myuserpool', { mfaSecondFactor: { sms: true, otp: true, + email: false, // email-based MFA }, }); ``` diff --git a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-email.ts b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-email.ts index 4941dff664b28..332570faadd74 100644 --- a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-email.ts +++ b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-email.ts @@ -66,7 +66,7 @@ export interface UserPoolSESOptions { /** * Result of binding email settings with a user pool */ -interface UserPoolEmailConfig { +export interface UserPoolEmailConfig { /** * The name of the configuration set in SES. * diff --git a/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts b/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts index ede93a84af1f0..8d8adfc65ba17 100644 --- a/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts +++ b/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts @@ -5,7 +5,7 @@ import { StandardAttributeNames } from './private/attr-names'; import { ICustomAttribute, StandardAttribute, StandardAttributes } from './user-pool-attr'; import { UserPoolClient, UserPoolClientOptions } from './user-pool-client'; import { UserPoolDomain, UserPoolDomainOptions } from './user-pool-domain'; -import { UserPoolEmail } from './user-pool-email'; +import { UserPoolEmail, UserPoolEmailConfig } from './user-pool-email'; import { IUserPoolIdentityProvider } from './user-pool-idp'; import { UserPoolResourceServer, UserPoolResourceServerOptions } from './user-pool-resource-server'; import { Grant, IGrantable, IRole, PolicyDocument, PolicyStatement, Role, ServicePrincipal } from '../../aws-iam'; @@ -391,7 +391,7 @@ export enum Mfa { export interface MfaSecondFactor { /** * The MFA token is sent to the user via SMS to their verified phone numbers - * @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-sms-text-message.html + * @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-sms-email-message.html * @default true */ readonly sms: boolean; @@ -402,6 +402,17 @@ export interface MfaSecondFactor { * @default false */ readonly otp: boolean; + + /** + * The MFA token is sent to the user via EMAIL + * + * To enable email-based MFA, set `email` property to the Amazon SES email-sending configuration + * and set `advancedSecurityMode` to `AdvancedSecurity.ENFORCED` or `AdvancedSecurity.AUDIT` + * + * @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-sms-email-message.html + * @default false + */ + readonly email?: boolean; } /** @@ -671,8 +682,8 @@ export interface UserPoolProps { /** * Configure the MFA types that users can use in this user pool. Ignored if `mfa` is set to `OFF`. * - * @default - { sms: true, otp: false }, if `mfa` is set to `OPTIONAL` or `REQUIRED`. - * { sms: false, otp: false }, otherwise + * @default - { sms: true, otp: false, email: false }, if `mfa` is set to `OPTIONAL` or `REQUIRED`. + * { sms: false, otp: false, email:false }, otherwise */ readonly mfaSecondFactor?: MfaSecondFactor; @@ -920,6 +931,7 @@ export class UserPool extends UserPoolBase { public readonly userPoolProviderUrl: string; private triggers: CfnUserPool.LambdaConfigProperty = {}; + private emailConfiguration: UserPoolEmailConfig | undefined; constructor(scope: Construct, id: string, props: UserPoolProps = {}) { super(scope, id); @@ -989,6 +1001,7 @@ export class UserPool extends UserPoolBase { from: encodePuny(props.emailSettings?.from), replyToEmailAddress: encodePuny(props.emailSettings?.replyTo), }); + this.emailConfiguration = emailConfiguration; const userPool = new CfnUserPool(this, 'Resource', { userPoolName: props.userPoolName, @@ -1237,6 +1250,9 @@ export class UserPool extends UserPoolBase { } if (props.mfaSecondFactor!.otp) { enabledMfas.push('SOFTWARE_TOKEN_MFA'); + } if (props.mfaSecondFactor!.email) { + this.validateEmailMfa(props); + enabledMfas.push('EMAIL_OTP'); } return enabledMfas; } @@ -1364,6 +1380,16 @@ export class UserPool extends UserPoolBase { attributesRequireVerificationBeforeUpdate, }; } + + private validateEmailMfa(props: UserPoolProps) { + if (props.email === undefined || this.emailConfiguration?.emailSendingAccount !== 'DEVELOPER') { + throw new Error('To enable email-based MFA, set `email` property to the Amazon SES email-sending configuration.'); + } + + if (props.advancedSecurityMode === AdvancedSecurityMode.OFF) { + throw new Error('To enable email-based MFA, set `advancedSecurityMode` to `AdvancedSecurity.ENFORCED` or `AdvancedSecurity.AUDIT`.'); + } + } } function undefinedIfNoKeys(struct: object): object | undefined { diff --git a/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts b/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts index d44a0c4e35e61..bcf69ec7948e9 100644 --- a/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts +++ b/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts @@ -2223,6 +2223,86 @@ test('advanced security is not present if option is not provided', () => { }); }); +describe('email MFA test', () => { + test('email MFA enabled', () => { + // GIVEN + const stack = new Stack(); + + // WHEN + new UserPool(stack, 'myuserpool', { + email: UserPoolEmail.withSES({ + sesRegion: 'us-east-1', + fromEmail: 'noreply@example.com', + fromName: 'myname@mycompany.com', + replyTo: 'support@example.com', + sesVerifiedDomain: 'example.com', + }), + mfa: Mfa.REQUIRED, + mfaSecondFactor: { + sms: true, + otp: false, + email: true, + }, + advancedSecurityMode: AdvancedSecurityMode.ENFORCED, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPool', { + EnabledMfas: ['SMS_MFA', 'EMAIL_OTP'], + }); + }); + + test('throws when email MFA is enabled with no email settings.', () => { + const stack = new Stack(); + + expect(() => new UserPool(stack, 'Pool1', { + mfa: Mfa.REQUIRED, + mfaSecondFactor: { + sms: true, + otp: false, + email: true, + }, + advancedSecurityMode: AdvancedSecurityMode.ENFORCED, + })).toThrow('To enable email-based MFA, set `email` property to the Amazon SES email-sending configuration.'); + }); + + test('throws when email MFA is enabled with not SES email settings.', () => { + const stack = new Stack(); + + expect(() => new UserPool(stack, 'Pool1', { + mfa: Mfa.REQUIRED, + email: UserPoolEmail.withCognito(), + mfaSecondFactor: { + sms: true, + otp: false, + email: true, + }, + advancedSecurityMode: AdvancedSecurityMode.ENFORCED, + })).toThrow('To enable email-based MFA, set `email` property to the Amazon SES email-sending configuration.'); + }); + + test('set Email MFA', () => { + const stack = new Stack(); + + expect(() => new UserPool(stack, 'Pool1', { + email: UserPoolEmail.withSES({ + sesRegion: 'us-east-1', + fromEmail: 'noreply@example.com', + fromName: 'myname@mycompany.com', + replyTo: 'support@example.com', + sesVerifiedDomain: 'example.com', + }), + mfa: Mfa.REQUIRED, + mfaSecondFactor: { + sms: true, + otp: false, + email: true, + }, + advancedSecurityMode: AdvancedSecurityMode.OFF, + })).toThrow('To enable email-based MFA, set `advancedSecurityMode` to `AdvancedSecurity.ENFORCED` or `AdvancedSecurity.AUDIT`.'); + }); +}); + function fooFunction(scope: Construct, name: string): lambda.IFunction { return new lambda.Function(scope, name, { functionName: name,