in packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts [1128:1278]
/**
 * Creates the user pool construct and its underlying `AWS::Cognito::UserPool`
 * resource.
 *
 * All configuration validation happens before the `CfnUserPool` is created,
 * so a misconfigured pool fails at synthesis time with a `ValidationError`
 * rather than at deployment. The checks made here are: custom SMS/email
 * sender triggers require `customSenderKmsKey`; `passkeyRelyingPartyId` must
 * be 1–63 characters (when not a token); `email` and `emailSettings` are
 * mutually exclusive; and Advanced Security (deprecated) or Threat Protection
 * may only be enabled on the Plus feature plan, and never both together.
 *
 * Security-relevant defaults visible in this constructor: self sign-up is
 * disabled unless `selfSignUpEnabled` is true (users are then admin-created
 * only), and `deletionProtection` is resolved through
 * `defaultDeletionProtection` (defined elsewhere in this file).
 *
 * @param scope - parent construct
 * @param id - construct id
 * @param props - user pool configuration; defaults to `{}`
 * @throws ValidationError on any of the configuration conflicts listed above
 */
constructor(scope: Construct, id: string, props: UserPoolProps = {}) {
  super(scope, id);
  // Enhanced CDK Analytics Telemetry
  addConstructMetadata(this, props);

  const signIn = this.signInConfiguration(props);

  // The customer-managed key is recorded on the lambda config *before* the
  // trigger loop so the custom-sender check below can see it. `this.triggers`
  // is written through an `any` cast; its declared type (outside this view)
  // presumably does not allow direct assignment — NOTE(review): a typed
  // mutable view would be preferable to `as any`.
  if (props.customSenderKmsKey) {
    const kmsKey = props.customSenderKmsKey;
    (this.triggers as any).kmsKeyId = kmsKey.keyArn;
  }

  if (props.lambdaTriggers) {
    // Every key of `lambdaTriggers` is treated as a trigger name; entries whose
    // value is undefined are skipped.
    for (const t of Object.keys(props.lambdaTriggers)) {
      let trigger: lambda.IFunction | undefined;
      switch (t) {
        case 'customSmsSender':
        case 'customEmailSender':
          // Custom sender triggers are refused unless a KMS key was set above.
          if (!this.triggers.kmsKeyId) {
            throw new ValidationError('you must specify a KMS key if you are using customSmsSender or customEmailSender.', this);
          }
          trigger = props.lambdaTriggers[t];
          // Declared without a case block, so this `const` is scoped to the
          // whole switch — harmless while it is the only declaration in here.
          const version = 'V1_0';
          if (trigger !== undefined) {
            // addLambdaPermission is defined elsewhere in this file; by name it
            // grants Cognito permission to invoke the function for this trigger.
            this.addLambdaPermission(trigger as lambda.IFunction, t);
            // Custom senders are configured as an object with a version, unlike
            // the plain-ARN triggers handled in `default`.
            (this.triggers as any)[t] = {
              lambdaArn: trigger.functionArn,
              lambdaVersion: version,
            };
          }
          break;
        default:
          trigger = props.lambdaTriggers[t] as lambda.IFunction | undefined;
          if (trigger !== undefined) {
            this.addLambdaPermission(trigger as lambda.IFunction, t);
            (this.triggers as any)[t] = (trigger as lambda.IFunction).functionArn;
          }
          break;
      }
    }
  }

  const verificationMessageTemplate = this.verificationMessageConfiguration(props);
  // The top-level email message/subject properties are only populated for
  // CODE-style verification; for any other style they stay undefined and only
  // the template below carries the email settings.
  let emailVerificationMessage;
  let emailVerificationSubject;
  if (verificationMessageTemplate.defaultEmailOption === VerificationEmailStyle.CODE) {
    emailVerificationMessage = verificationMessageTemplate.emailMessage;
    emailVerificationSubject = verificationMessageTemplate.emailSubject;
  }
  const smsVerificationMessage = verificationMessageTemplate.smsMessage;

  const inviteMessageTemplate: CfnUserPool.InviteMessageTemplateProperty = {
    emailMessage: props.userInvitation?.emailBody,
    emailSubject: props.userInvitation?.emailSubject,
    smsMessage: props.userInvitation?.smsMessage,
  };

  // Self sign-up is opt-in: unless `selfSignUpEnabled` is explicitly true,
  // the pool only allows administrators to create users. The invite template
  // is only emitted when `userInvitation` was provided at all.
  const selfSignUpEnabled = props.selfSignUpEnabled ?? false;
  const adminCreateUserConfig: CfnUserPool.AdminCreateUserConfigProperty = {
    allowAdminCreateUserOnly: !selfSignUpEnabled,
    inviteMessageTemplate: props.userInvitation !== undefined ? inviteMessageTemplate : undefined,
  };

  const passwordPolicy = this.configurePasswordPolicy(props);
  const signInPolicy = this.configureSignInPolicy(props);

  // The relying-party id length is only checked for concrete strings; a
  // deploy-time token cannot be measured here and is passed through as-is.
  if (props.passkeyRelyingPartyId !== undefined && !Token.isUnresolved(props.passkeyRelyingPartyId)) {
    if (props.passkeyRelyingPartyId.length < 1 || props.passkeyRelyingPartyId.length > 63) {
      throw new ValidationError(`passkeyRelyingPartyId length must be (inclusively) between 1 and 63, got ${props.passkeyRelyingPartyId.length}`, this);
    }
  }

  // `email` and the older `emailSettings` are two ways to configure the same
  // thing; providing both is rejected rather than silently merged.
  if (props.email && props.emailSettings) {
    throw new ValidationError('you must either provide "email" or "emailSettings", but not both', this);
  }
  // `email` binds its own configuration against this construct. Otherwise the
  // `emailSettings` addresses go through encodePuny (defined elsewhere —
  // presumably punycode encoding of internationalised domains; confirm) and
  // the whole block is omitted when neither address is set.
  const emailConfiguration = props.email ? props.email._bind(this) : undefinedIfNoKeys({
    from: encodePuny(props.emailSettings?.from),
    replyToEmailAddress: encodePuny(props.emailSettings?.replyTo),
  });
  this.emailConfiguration = emailConfiguration;

  // Advanced Security Mode (deprecated, see the message further down) requires
  // the Plus feature plan; the explicit OFF value is accepted on any plan.
  if (
    props.featurePlan !== FeaturePlan.PLUS &&
    (props.advancedSecurityMode && (props.advancedSecurityMode !== AdvancedSecurityMode.OFF))
  ) {
    throw new ValidationError('you cannot enable Advanced Security when feature plan is not Plus.', this);
  }
  // Custom threat protection is only carried as a nested "additional flows"
  // object, which collapses to undefined when no custom mode was given.
  const advancedSecurityAdditionalFlows = undefinedIfNoKeys({
    customAuthMode: props.customThreatProtectionMode,
  });
  // Precedence note: `&&` binds tighter than `||`, so the second operand reads
  // as ((standardMode set && standardMode !== NO_ENFORCEMENT) || customFlows set).
  // A custom threat protection mode is therefore always rejected off the Plus
  // plan, and a standard mode is rejected unless it is NO_ENFORCEMENT.
  if (
    (props.featurePlan !== FeaturePlan.PLUS) &&
    (props.standardThreatProtectionMode && (props.standardThreatProtectionMode !== StandardThreatProtectionMode.NO_ENFORCEMENT) ||
      advancedSecurityAdditionalFlows)
  ) {
    throw new ValidationError('you cannot enable Threat Protection when feature plan is not Plus.', this);
  }
  // The deprecated setting and its replacement are mutually exclusive, even
  // when one of them is set to its "off" value, so callers migrate rather
  // than mix the two.
  if (
    props.advancedSecurityMode &&
    (props.standardThreatProtectionMode || advancedSecurityAdditionalFlows)
  ) {
    throw new ValidationError('you cannot set Threat Protection and Advanced Security Mode at the same time. Advanced Security Mode is deprecated and should be replaced with Threat Protection instead.', this);
  }
  // Both settings map onto the same `advancedSecurityMode` template property.
  // When only a custom mode was supplied, the standard mode is defaulted to
  // NO_ENFORCEMENT so the emitted userPoolAddOns block carries an explicit
  // value next to the additional flows.
  let chosenSecurityMode = props.advancedSecurityMode ?? props.standardThreatProtectionMode;
  if (advancedSecurityAdditionalFlows) {
    chosenSecurityMode = props.advancedSecurityMode ?? props.standardThreatProtectionMode ?? StandardThreatProtectionMode.NO_ENFORCEMENT;
  }

  // Helper calls inside this literal (mfaMessage, smsConfiguration, schema,
  // mfaConfiguration, accountRecovery, ...) are defined elsewhere in the file
  // and are evaluated in property order; keep that order when editing.
  const userPool = new CfnUserPool(this, 'Resource', {
    userPoolName: props.userPoolName,
    usernameAttributes: signIn.usernameAttrs,
    aliasAttributes: signIn.aliasAttrs,
    autoVerifiedAttributes: signIn.autoVerifyAttrs,
    // Resolved lazily so that triggers registered after this constructor has
    // run are still included; an empty trigger set resolves to undefined.
    lambdaConfig: Lazy.any({ produce: () => undefinedIfNoKeys(this.triggers) }),
    smsAuthenticationMessage: this.mfaMessage(props),
    smsConfiguration: this.smsConfiguration(props),
    adminCreateUserConfig,
    emailVerificationMessage,
    emailVerificationSubject,
    smsVerificationMessage,
    verificationMessageTemplate,
    // Omitted entirely when neither threat protection nor advanced security
    // was configured.
    userPoolAddOns: undefinedIfNoKeys({
      advancedSecurityAdditionalFlows: advancedSecurityAdditionalFlows,
      advancedSecurityMode: chosenSecurityMode,
    }),
    schema: this.schemaConfiguration(props),
    mfaConfiguration: props.mfa,
    enabledMfas: this.mfaConfiguration(props),
    policies: undefinedIfNoKeys({ passwordPolicy, signInPolicy }),
    webAuthnRelyingPartyId: props.passkeyRelyingPartyId,
    webAuthnUserVerification: props.passkeyUserVerification,
    emailConfiguration,
    usernameConfiguration: undefinedIfNoKeys({
      caseSensitive: props.signInCaseSensitive,
    }),
    accountRecoverySetting: this.accountRecovery(props),
    deviceConfiguration: props.deviceTracking,
    userAttributeUpdateSettings: this.configureUserAttributeChanges(props),
    userPoolTier: props.featurePlan,
    // defaultDeletionProtection (defined elsewhere) supplies the default when
    // the caller did not set one.
    deletionProtection: defaultDeletionProtection(props.deletionProtection),
  });
  userPool.applyRemovalPolicy(props.removalPolicy);

  // Expose the resource's identifiers/attributes on the construct.
  this.userPoolId = userPool.ref;
  this.userPoolArn = userPool.attrArn;
  this.userPoolProviderName = userPool.attrProviderName;
  this.userPoolProviderUrl = userPool.attrProviderUrl;
}