packages/blueprints/gen-ai-chatbot/static-assets/chatbot-genai-cdk/custom-resources/cognito-trigger/index.py (72 lines of code) (raw):
import os
import boto3
import cfnresponse
# ID of the user pool this custom resource manages. Read once at import time, so a
# missing USER_POOL_ID environment variable raises KeyError when the module loads.
USER_POOL_ID = os.environ['USER_POOL_ID']
# Cognito Identity Provider client, created at module level and used by both functions below.
cognito = boto3.client('cognito-idp')
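def handler(event, context):
    """Custom resource that adds Lambda triggers to an existing Cognito user pool.

    CloudFormation does not provide that functionality, so this handler reads
    the pool's current configuration, rewrites its ``LambdaConfig`` and reports
    the outcome back to CloudFormation through ``cfnresponse``.

    Behaviour per ``RequestType``:

    * ``Create``: merge ``ResourceProperties['Triggers']`` over the pool's
      existing ``LambdaConfig``. A trigger already configured under the same
      key is overwritten.
    * ``Update``: drop every key named in ``OldResourceProperties['Triggers']``
      and then apply the new triggers.
    * ``Delete``: drop every key named in ``ResourceProperties['Triggers']``.
      The keys are removed, not restored to whatever was configured before
      this resource was created.

    Args:
        event: CloudFormation custom-resource request.
        context: Lambda context object, passed through to ``cfnresponse.send``.

    Every failure, including a malformed event or an unsupported request type,
    is reported as ``FAILED`` so that the stack operation does not wait for a
    response that never arrives.
    """
    # Resolved before the try block so the failure path always has an id to report.
    physical_resource_id = event.get('PhysicalResourceId') or f'{USER_POOL_ID}-triggers'

    try:
        request_type = event['RequestType']
        if request_type not in ('Create', 'Update', 'Delete'):
            raise ValueError(f'Unsupported RequestType: {request_type!r}')

        # Parsed inside the try: a missing key must produce a FAILED response
        # instead of an unhandled exception with no response at all.
        resource_properties = event['ResourceProperties']
        triggers = resource_properties['Triggers']

        # Read-modify-write: the pool is described here and written back by
        # update_user_pool_lambda_config. The two calls are not atomic, so a
        # change made to the pool in between is not reflected in the write.
        response = cognito.describe_user_pool(UserPoolId=USER_POOL_ID)
        attr = response['UserPool']
        lambda_config = attr.get('LambdaConfig', {})

        if request_type == 'Create':
            # Keys in `triggers` take precedence over what the pool already has.
            new_lambda_config = {**lambda_config, **triggers}
        elif request_type == 'Update':
            old_triggers = event['OldResourceProperties']['Triggers']
            # Remove what the previous version of this resource installed, then
            # apply the current set; entries under other keys are left alone.
            new_lambda_config = {
                **{k: v for k, v in lambda_config.items() if k not in old_triggers},
                **triggers,
            }
        else:  # Delete
            new_lambda_config = {
                k: v for k, v in lambda_config.items() if k not in triggers
            }

        update_user_pool_lambda_config(USER_POOL_ID, attr, lambda_config=new_lambda_config)

        if request_type == 'Delete':
            cfnresponse.send(event, context, cfnresponse.SUCCESS, None, physical_resource_id)
        else:
            physical_resource_id = f'{USER_POOL_ID}-triggers'
            cfnresponse.send(event, context, cfnresponse.SUCCESS, resource_properties, physical_resource_id)
    except Exception as err:
        # Top-level boundary: print the error and tell CloudFormation the operation failed.
        print(err)
        cfnresponse.send(event, context, cfnresponse.FAILED, None, physical_resource_id)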
def update_user_pool_lambda_config(user_pool_id, attr, lambda_config):
    """Write ``lambda_config`` to the user pool while re-sending its other settings.

    Args:
        user_pool_id: ID of the user pool to update.
        attr: The ``UserPool`` dict returned by ``describe_user_pool``. It may be
            mutated in place (see the ``UnusedAccountValidityDays`` handling below).
        lambda_config: Complete ``LambdaConfig`` to store on the pool.

    Only the attributes named in ``carried_over`` are copied from ``attr`` into
    the update request; anything else present in ``attr`` is not sent.
    """
    password_policy = attr.get('Policies', {}).get('PasswordPolicy', {})
    if 'TemporaryPasswordValidityDays' in password_policy:
        # Presumably the API rejects a request that carries both this legacy field
        # and TemporaryPasswordValidityDays, so the legacy one is dropped. TODO confirm.
        attr.get('AdminCreateUserConfig', {}).pop('UnusedAccountValidityDays', None)

    # NOTE(review): the Cognito UpdateUserPool API resets attributes omitted from the
    # request to their default values. This allowlist is what keeps security-relevant
    # settings (password policy, MFA, account recovery, deletion protection) intact
    # across the trigger update, so keep it in sync with the current API.
    carried_over = (
        'Policies',
        'DeletionProtection',
        'AutoVerifiedAttributes',
        'SmsVerificationMessage',
        'EmailVerificationMessage',
        'EmailVerificationSubject',
        'VerificationMessageTemplate',
        'SmsAuthenticationMessage',
        'UserAttributeUpdateSettings',
        'MfaConfiguration',
        'DeviceConfiguration',
        'EmailConfiguration',
        'SmsConfiguration',
        'UserPoolTags',
        'AdminCreateUserConfig',
        'UserPoolAddOns',
        'AccountRecoverySetting',
    )
    preserved = {name: attr[name] for name in carried_over if name in attr}

    cognito.update_user_pool(
        UserPoolId=user_pool_id,
        LambdaConfig=lambda_config,
        **preserved,
    )