From f9d6eefd52d5bdc63ff2be844f567e8f1d0b4258 Mon Sep 17 00:00:00 2001 From: Matsuda Date: Wed, 23 Oct 2024 08:12:35 +0900 Subject: [PATCH 1/2] feat(cognito): support email based MFA (#31816) ### Issue # (if applicable) Closes #31815. ### Reason for this change To use email based MFA. ### Description of changes Add email option to [MfaSecondFactor](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.MfaSecondFactor.html). ### Description of how you validated changes Add unit tests and integ test. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../cdk.out | 1 + .../integ-user-email-mfa.assets.json | 19 ++ .../integ-user-email-mfa.template.json | 152 +++++++++++ .../integ.json | 14 + ...efaultTestDeployAssertD4C43B3C.assets.json | 19 ++ ...aultTestDeployAssertD4C43B3C.template.json | 36 +++ .../manifest.json | 127 +++++++++ .../tree.json | 258 ++++++++++++++++++ .../test/integ.user-pool-mfa-email.ts | 41 +++ packages/aws-cdk-lib/aws-cognito/README.md | 4 + .../aws-cognito/lib/user-pool-email.ts | 2 +- .../aws-cdk-lib/aws-cognito/lib/user-pool.ts | 34 ++- .../aws-cognito/test/user-pool.test.ts | 80 ++++++ 13 files changed, 782 insertions(+), 5 deletions(-) create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/cdk.out create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ-user-email-mfa.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ-user-email-mfa.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integuseremailmfatestDefaultTestDeployAssertD4C43B3C.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integuseremailmfatestDefaultTestDeployAssertD4C43B3C.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/manifest.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/tree.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.ts diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/cdk.out new file mode 100644 index 0000000000000..c6e612584e352 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"38.0.1"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ-user-email-mfa.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ-user-email-mfa.assets.json new file mode 100644 index 0000000000000..c248f6865cf34 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ-user-email-mfa.assets.json @@ -0,0 +1,19 @@ +{ + "version": "38.0.1", + "files": { + "57ebfe1ab6c8ce5faf8c2370ac901d380e8c968b793c3d82d66a3e6bd99983a8": { + "source": { + "path": "integ-user-email-mfa.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "57ebfe1ab6c8ce5faf8c2370ac901d380e8c968b793c3d82d66a3e6bd99983a8.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ-user-email-mfa.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ-user-email-mfa.template.json new file mode 100644 index 0000000000000..0c32599ce87ee --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ-user-email-mfa.template.json @@ -0,0 +1,152 @@ +{ + "Resources": { + "myuserpoolsmsRole0E16FDD9": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "integuseremailmfamyuserpool8F31F20B" + } + }, + "Effect": "Allow", + "Principal": { + "Service": "cognito-idp.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": "sns:Publish", + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "sns-publish" + } + ] + } + }, + "myuserpool01998219": { + "Type": "AWS::Cognito::UserPool", + "Properties": { + "AccountRecoverySetting": { + "RecoveryMechanisms": [ + { + "Name": "verified_phone_number", + "Priority": 1 + }, + { + "Name": "verified_email", + "Priority": 2 + } + ] + }, + "AdminCreateUserConfig": { + "AllowAdminCreateUserOnly": true + }, + "EmailConfiguration": { + "EmailSendingAccount": "DEVELOPER", + "From": "\"myname@mycompany.com\" ", + "ReplyToEmailAddress": "support@*.example.com", + "SourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ses:us-east-1:", + { + "Ref": "AWS::AccountId" + }, + ":identity/*.example.com" + ] + ] + } + }, + "EmailVerificationMessage": "The verification code to your new account is {####}", + "EmailVerificationSubject": "Verify your new account", + "EnabledMfas": [ + "SMS_MFA", + "EMAIL_OTP" + ], + "MfaConfiguration": "ON", + "SmsConfiguration": { + "ExternalId": "integuseremailmfamyuserpool8F31F20B", + "SnsCallerArn": { + "Fn::GetAtt": [ + "myuserpoolsmsRole0E16FDD9", + "Arn" + ] + } + }, + "SmsVerificationMessage": "The verification code to your new account is {####}", + "UserPoolAddOns": { + "AdvancedSecurityMode": "ENFORCED" + }, + "UserPoolName": "MyUserPool", + "VerificationMessageTemplate": { + "DefaultEmailOption": "CONFIRM_WITH_CODE", + "EmailMessage": "The verification code to your new account is {####}", + "EmailSubject": "Verify your new account", + "SmsMessage": "The verification code to your new account is {####}" + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + } + }, + "Outputs": { + "userpoolid": { + "Value": { + "Ref": "myuserpool01998219" + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ.json new file mode 100644 index 0000000000000..88212ea89f5c4 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integ.json @@ -0,0 +1,14 @@ +{ + "enableLookups": true, + "version": "38.0.1", + "testCases": { + "integ-user-email-mfa-test/DefaultTest": { + "stacks": [ + "integ-user-email-mfa" + ], + "stackUpdateWorkflow": false, + "assertionStack": "integ-user-email-mfa-test/DefaultTest/DeployAssert", + "assertionStackName": "integuseremailmfatestDefaultTestDeployAssertD4C43B3C" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integuseremailmfatestDefaultTestDeployAssertD4C43B3C.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integuseremailmfatestDefaultTestDeployAssertD4C43B3C.assets.json new file mode 100644 index 0000000000000..e4126b91762e6 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integuseremailmfatestDefaultTestDeployAssertD4C43B3C.assets.json @@ -0,0 +1,19 @@ +{ + "version": "38.0.1", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "integuseremailmfatestDefaultTestDeployAssertD4C43B3C.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integuseremailmfatestDefaultTestDeployAssertD4C43B3C.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integuseremailmfatestDefaultTestDeployAssertD4C43B3C.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/integuseremailmfatestDefaultTestDeployAssertD4C43B3C.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/manifest.json new file mode 100644 index 0000000000000..05c1c5dc19eee --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/manifest.json @@ -0,0 +1,127 @@ +{ + "version": "38.0.1", + "artifacts": { + "integ-user-email-mfa.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "integ-user-email-mfa.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "integ-user-email-mfa": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "integ-user-email-mfa.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "notificationArns": [], + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/57ebfe1ab6c8ce5faf8c2370ac901d380e8c968b793c3d82d66a3e6bd99983a8.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "integ-user-email-mfa.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "integ-user-email-mfa.assets" + ], + "metadata": { + "/integ-user-email-mfa/myuserpool/smsRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "myuserpoolsmsRole0E16FDD9" + } + ], + "/integ-user-email-mfa/myuserpool/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "myuserpool01998219" + } + ], + "/integ-user-email-mfa/user-pool-id": [ + { + "type": "aws:cdk:logicalId", + "data": "userpoolid" + } + ], + "/integ-user-email-mfa/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/integ-user-email-mfa/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "integ-user-email-mfa" + }, + "integuseremailmfatestDefaultTestDeployAssertD4C43B3C.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "integuseremailmfatestDefaultTestDeployAssertD4C43B3C.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "integuseremailmfatestDefaultTestDeployAssertD4C43B3C": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "integuseremailmfatestDefaultTestDeployAssertD4C43B3C.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "notificationArns": [], + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "integuseremailmfatestDefaultTestDeployAssertD4C43B3C.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "integuseremailmfatestDefaultTestDeployAssertD4C43B3C.assets" + ], + "metadata": { + "/integ-user-email-mfa-test/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/integ-user-email-mfa-test/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "integ-user-email-mfa-test/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/tree.json new file mode 100644 index 0000000000000..a90269fcaff6c --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.js.snapshot/tree.json @@ -0,0 +1,258 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "integ-user-email-mfa": { + "id": "integ-user-email-mfa", + "path": "integ-user-email-mfa", + "children": { + "myuserpool": { + "id": "myuserpool", + "path": "integ-user-email-mfa/myuserpool", + "children": { + "smsRole": { + "id": "smsRole", + "path": "integ-user-email-mfa/myuserpool/smsRole", + "children": { + "ImportsmsRole": { + "id": "ImportsmsRole", + "path": "integ-user-email-mfa/myuserpool/smsRole/ImportsmsRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "integ-user-email-mfa/myuserpool/smsRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "integuseremailmfamyuserpool8F31F20B" + } + }, + "Effect": "Allow", + "Principal": { + "Service": "cognito-idp.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "policies": [ + { + "policyName": "sns-publish", + "policyDocument": { + "Statement": [ + { + "Action": "sns:Publish", + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "integ-user-email-mfa/myuserpool/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Cognito::UserPool", + "aws:cdk:cloudformation:props": { + "accountRecoverySetting": { + "recoveryMechanisms": [ + { + "name": "verified_phone_number", + "priority": 1 + }, + { + "name": "verified_email", + "priority": 2 + } + ] + }, + "adminCreateUserConfig": { + "allowAdminCreateUserOnly": true + }, + "emailConfiguration": { + "from": "\"myname@mycompany.com\" ", + "replyToEmailAddress": "support@*.example.com", + "emailSendingAccount": "DEVELOPER", + "sourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ses:us-east-1:", + { + "Ref": "AWS::AccountId" + }, + ":identity/*.example.com" + ] + ] + } + }, + "emailVerificationMessage": "The verification code to your new account is {####}", + "emailVerificationSubject": "Verify your new account", + "enabledMfas": [ + "SMS_MFA", + "EMAIL_OTP" + ], + "mfaConfiguration": "ON", + "smsConfiguration": { + "externalId": "integuseremailmfamyuserpool8F31F20B", + "snsCallerArn": { + "Fn::GetAtt": [ + "myuserpoolsmsRole0E16FDD9", + "Arn" + ] + } + }, + "smsVerificationMessage": "The verification code to your new account is {####}", + "userPoolAddOns": { + "advancedSecurityMode": "ENFORCED" + }, + "userPoolName": "MyUserPool", + "verificationMessageTemplate": { + "defaultEmailOption": "CONFIRM_WITH_CODE", + "emailMessage": "The verification code to your new account is {####}", + "emailSubject": "Verify your new account", + "smsMessage": "The verification code to your new account is {####}" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_cognito.CfnUserPool", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_cognito.UserPool", + "version": "0.0.0" + } + }, + "user-pool-id": { + "id": "user-pool-id", + "path": "integ-user-email-mfa/user-pool-id", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnOutput", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "integ-user-email-mfa/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "integ-user-email-mfa/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "integ-user-email-mfa-test": { + "id": "integ-user-email-mfa-test", + "path": "integ-user-email-mfa-test", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "integ-user-email-mfa-test/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "integ-user-email-mfa-test/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "integ-user-email-mfa-test/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "integ-user-email-mfa-test/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "integ-user-email-mfa-test/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.ts new file mode 100644 index 0000000000000..417c70d5ecd2c --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-mfa-email.ts @@ -0,0 +1,41 @@ +import { App, CfnOutput, RemovalPolicy, Stack } from 'aws-cdk-lib'; +import { IntegTest } from '@aws-cdk/integ-tests-alpha'; +import { AdvancedSecurityMode, Mfa, UserPool, UserPoolEmail } from 'aws-cdk-lib/aws-cognito'; + +/** + * Before you run test, you must set up SES email identity and set domain to domainName. + */ +const domainName = process.env.CDK_INTEG_DOMAIN_NAME ?? process.env.DOMAIN_NAME; +if (!domainName) throw new Error('For this test you must provide your own DomainName as an env var "DOMAIN_NAME".'); + +const app = new App(); +const stack = new Stack(app, 'integ-user-email-mfa'); + +const userpool = new UserPool(stack, 'myuserpool', { + removalPolicy: RemovalPolicy.DESTROY, + userPoolName: 'MyUserPool', + email: UserPoolEmail.withSES({ + sesRegion: 'us-east-1', + fromEmail: `noreply@${domainName}`, + fromName: 'myname@mycompany.com', + replyTo: `support@${domainName}`, + sesVerifiedDomain: domainName, + }), + mfa: Mfa.REQUIRED, + mfaSecondFactor: { + sms: true, + otp: false, + email: true, + }, + advancedSecurityMode: AdvancedSecurityMode.ENFORCED, +}); + +new CfnOutput(stack, 'user-pool-id', { + value: userpool.userPoolId, +}); + +new IntegTest(app, 'integ-user-email-mfa-test', { + testCases: [stack], + enableLookups: true, + stackUpdateWorkflow: false, +}); diff --git a/packages/aws-cdk-lib/aws-cognito/README.md b/packages/aws-cdk-lib/aws-cognito/README.md index 35df1769e41ac..7a4ae282ace23 100644 --- a/packages/aws-cdk-lib/aws-cognito/README.md +++ b/packages/aws-cdk-lib/aws-cognito/README.md @@ -306,6 +306,9 @@ configure an MFA token and use it for sign in. It also allows for the users to u [time-based one time password (TOTP)](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-totp.html). +If you want to enable email-based MFA, set `email` propety to the Amazon SES email-sending configuration and set `advancedSecurityMode` to `AdvancedSecurity.ENFORCED` or `AdvancedSecurity.AUDIT`. +For more information, see [Email MFA](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security-email-mfa.html). + ```ts new cognito.UserPool(this, 'myuserpool', { // ... @@ -313,6 +316,7 @@ new cognito.UserPool(this, 'myuserpool', { mfaSecondFactor: { sms: true, otp: true, + email: false, // email-based MFA }, }); ``` diff --git a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-email.ts b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-email.ts index 4941dff664b28..332570faadd74 100644 --- a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-email.ts +++ b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-email.ts @@ -66,7 +66,7 @@ export interface UserPoolSESOptions { /** * Result of binding email settings with a user pool */ -interface UserPoolEmailConfig { +export interface UserPoolEmailConfig { /** * The name of the configuration set in SES. * diff --git a/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts b/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts index ede93a84af1f0..8d8adfc65ba17 100644 --- a/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts +++ b/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts @@ -5,7 +5,7 @@ import { StandardAttributeNames } from './private/attr-names'; import { ICustomAttribute, StandardAttribute, StandardAttributes } from './user-pool-attr'; import { UserPoolClient, UserPoolClientOptions } from './user-pool-client'; import { UserPoolDomain, UserPoolDomainOptions } from './user-pool-domain'; -import { UserPoolEmail } from './user-pool-email'; +import { UserPoolEmail, UserPoolEmailConfig } from './user-pool-email'; import { IUserPoolIdentityProvider } from './user-pool-idp'; import { UserPoolResourceServer, UserPoolResourceServerOptions } from './user-pool-resource-server'; import { Grant, IGrantable, IRole, PolicyDocument, PolicyStatement, Role, ServicePrincipal } from '../../aws-iam'; @@ -391,7 +391,7 @@ export enum Mfa { export interface MfaSecondFactor { /** * The MFA token is sent to the user via SMS to their verified phone numbers - * @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-sms-text-message.html + * @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-sms-email-message.html * @default true */ readonly sms: boolean; @@ -402,6 +402,17 @@ export interface MfaSecondFactor { * @default false */ readonly otp: boolean; + + /** + * The MFA token is sent to the user via EMAIL + * + * To enable email-based MFA, set `email` property to the Amazon SES email-sending configuration + * and set `advancedSecurityMode` to `AdvancedSecurity.ENFORCED` or `AdvancedSecurity.AUDIT` + * + * @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-sms-email-message.html + * @default false + */ + readonly email?: boolean; } /** @@ -671,8 +682,8 @@ export interface UserPoolProps { /** * Configure the MFA types that users can use in this user pool. Ignored if `mfa` is set to `OFF`. * - * @default - { sms: true, otp: false }, if `mfa` is set to `OPTIONAL` or `REQUIRED`. - * { sms: false, otp: false }, otherwise + * @default - { sms: true, otp: false, email: false }, if `mfa` is set to `OPTIONAL` or `REQUIRED`. + * { sms: false, otp: false, email:false }, otherwise */ readonly mfaSecondFactor?: MfaSecondFactor; @@ -920,6 +931,7 @@ export class UserPool extends UserPoolBase { public readonly userPoolProviderUrl: string; private triggers: CfnUserPool.LambdaConfigProperty = {}; + private emailConfiguration: UserPoolEmailConfig | undefined; constructor(scope: Construct, id: string, props: UserPoolProps = {}) { super(scope, id); @@ -989,6 +1001,7 @@ export class UserPool extends UserPoolBase { from: encodePuny(props.emailSettings?.from), replyToEmailAddress: encodePuny(props.emailSettings?.replyTo), }); + this.emailConfiguration = emailConfiguration; const userPool = new CfnUserPool(this, 'Resource', { userPoolName: props.userPoolName, @@ -1237,6 +1250,9 @@ export class UserPool extends UserPoolBase { } if (props.mfaSecondFactor!.otp) { enabledMfas.push('SOFTWARE_TOKEN_MFA'); + } if (props.mfaSecondFactor!.email) { + this.validateEmailMfa(props); + enabledMfas.push('EMAIL_OTP'); } return enabledMfas; } @@ -1364,6 +1380,16 @@ export class UserPool extends UserPoolBase { attributesRequireVerificationBeforeUpdate, }; } + + private validateEmailMfa(props: UserPoolProps) { + if (props.email === undefined || this.emailConfiguration?.emailSendingAccount !== 'DEVELOPER') { + throw new Error('To enable email-based MFA, set `email` property to the Amazon SES email-sending configuration.'); + } + + if (props.advancedSecurityMode === AdvancedSecurityMode.OFF) { + throw new Error('To enable email-based MFA, set `advancedSecurityMode` to `AdvancedSecurity.ENFORCED` or `AdvancedSecurity.AUDIT`.'); + } + } } function undefinedIfNoKeys(struct: object): object | undefined { diff --git a/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts b/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts index d44a0c4e35e61..bcf69ec7948e9 100644 --- a/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts +++ b/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts @@ -2223,6 +2223,86 @@ test('advanced security is not present if option is not provided', () => { }); }); +describe('email MFA test', () => { + test('email MFA enabled', () => { + // GIVEN + const stack = new Stack(); + + // WHEN + new UserPool(stack, 'myuserpool', { + email: UserPoolEmail.withSES({ + sesRegion: 'us-east-1', + fromEmail: 'noreply@example.com', + fromName: 'myname@mycompany.com', + replyTo: 'support@example.com', + sesVerifiedDomain: 'example.com', + }), + mfa: Mfa.REQUIRED, + mfaSecondFactor: { + sms: true, + otp: false, + email: true, + }, + advancedSecurityMode: AdvancedSecurityMode.ENFORCED, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPool', { + EnabledMfas: ['SMS_MFA', 'EMAIL_OTP'], + }); + }); + + test('throws when email MFA is enabled with no email settings.', () => { + const stack = new Stack(); + + expect(() => new UserPool(stack, 'Pool1', { + mfa: Mfa.REQUIRED, + mfaSecondFactor: { + sms: true, + otp: false, + email: true, + }, + advancedSecurityMode: AdvancedSecurityMode.ENFORCED, + })).toThrow('To enable email-based MFA, set `email` property to the Amazon SES email-sending configuration.'); + }); + + test('throws when email MFA is enabled with not SES email settings.', () => { + const stack = new Stack(); + + expect(() => new UserPool(stack, 'Pool1', { + mfa: Mfa.REQUIRED, + email: UserPoolEmail.withCognito(), + mfaSecondFactor: { + sms: true, + otp: false, + email: true, + }, + advancedSecurityMode: AdvancedSecurityMode.ENFORCED, + })).toThrow('To enable email-based MFA, set `email` property to the Amazon SES email-sending configuration.'); + }); + + test('set Email MFA', () => { + const stack = new Stack(); + + expect(() => new UserPool(stack, 'Pool1', { + email: UserPoolEmail.withSES({ + sesRegion: 'us-east-1', + fromEmail: 'noreply@example.com', + fromName: 'myname@mycompany.com', + replyTo: 'support@example.com', + sesVerifiedDomain: 'example.com', + }), + mfa: Mfa.REQUIRED, + mfaSecondFactor: { + sms: true, + otp: false, + email: true, + }, + advancedSecurityMode: AdvancedSecurityMode.OFF, + })).toThrow('To enable email-based MFA, set `advancedSecurityMode` to `AdvancedSecurity.ENFORCED` or `AdvancedSecurity.AUDIT`.'); + }); +}); + function fooFunction(scope: Construct, name: string): lambda.IFunction { return new lambda.Function(scope, name, { functionName: name, From 2a48358fa7cb977961c19dd33cfa3985d8280326 Mon Sep 17 00:00:00 2001 From: Pahud Hsieh Date: Tue, 22 Oct 2024 19:44:51 -0400 Subject: [PATCH 2/2] chore(bedrock): add claude 3.5 sonnet v2 (#31857) Add Anthropic's Claude 3.5 Sonnet V2 model. - https://aws.amazon.com/blogs/aws/upgraded-claude-3-5-sonnet-from-anthropic-available-now-computer-use-public-beta-and-claude-3-5-haiku-coming-soon-in-amazon-bedrock/ - The upgraded [Claude 3.5 Sonnet](https://aws.amazon.com/bedrock/claude/) is available today in [Amazon Bedrock](https://aws.amazon.com/bedrock/) in the US West (Oregon). ``` % AWS_REGION=us-west-2 AWS_PROFILE=pahud aws bedrock li st-foundation-models | jq -r '.modelSummaries[] | select(.modelId | startswith("anthropic.claude-3-5")) | .modelId' anthropic.claude-3-5-sonnet-20241022-v2:0 anthropic.claude-3-5-sonnet-20240620-v1:0:18k anthropic.claude-3-5-sonnet-20240620-v1:0:51k anthropic.claude-3-5-sonnet-20240620-v1:0:200k anthropic.claude-3-5-sonnet-20240620-v1:0 ``` ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts b/packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts index effe57b512010..18de3869296b5 100644 --- a/packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts +++ b/packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts @@ -125,6 +125,9 @@ export class FoundationModelIdentifier { /** Base model "anthropic.claude-3-5-sonnet-20240620-v1:0" */ public static readonly ANTHROPIC_CLAUDE_3_5_SONNET_20240620_V1_0 = new FoundationModelIdentifier('anthropic.claude-3-5-sonnet-20240620-v1:0'); + /** Base model "anthropic.claude-3-5-sonnet-20241022-v2:0" */ + public static readonly ANTHROPIC_CLAUDE_3_5_SONNET_20241022_V2_0 = new FoundationModelIdentifier('anthropic.claude-3-5-sonnet-20241022-v2:0'); + /** Base model "anthropic.claude-3-haiku-20240307-v1:0". */ public static readonly ANTHROPIC_CLAUDE_3_HAIKU_20240307_V1_0 = new FoundationModelIdentifier('anthropic.claude-3-haiku-20240307-v1:0');