in source/idea/idea-administrator/src/ideaadministrator/app/cdk/constructs/directory_service.py [0:0]
def build_user_pool(self, props: cognito.UserPoolProps):
account_recovery = props.account_recovery
if account_recovery is None:
account_recovery = cognito.AccountRecovery.EMAIL_ONLY
auto_verify = props.auto_verify
if auto_verify is None:
auto_verify = cognito.AutoVerifiedAttrs(email=True, phone=False)
custom_attributes = props.custom_attributes
if custom_attributes is None:
custom_attributes = {
'cluster_name': cognito.StringAttribute(mutable=True),
'aws_region': cognito.StringAttribute(mutable=True),
'password_last_set': cognito.NumberAttribute(mutable=True),
'password_max_age': cognito.NumberAttribute(mutable=True),
f"{constants.COGNITO_UID_ATTRIBUTE}": cognito.NumberAttribute(
min=constants.COGNITO_MIN_ID_INCLUSIVE,
max=constants.COGNITO_MAX_ID_INCLUSIVE
)
}
mfa = props.mfa
if mfa is None:
mfa = cognito.Mfa.OPTIONAL
mfa_second_factor = props.mfa_second_factor
if mfa_second_factor is None:
mfa_second_factor = cognito.MfaSecondFactor(otp=True, sms=False)
password_policy = props.password_policy
if password_policy is None:
password_policy = cognito.PasswordPolicy(
min_length=8,
require_digits=True,
require_lowercase=True,
require_symbols=True,
require_uppercase=True,
temp_password_validity=cdk.Duration.days(7)
)
removal_policy = props.removal_policy
if removal_policy is None:
removal_policy = cdk.RemovalPolicy.DESTROY
self_sign_up_enabled = props.self_sign_up_enabled
if self_sign_up_enabled is None:
self_sign_up_enabled = False
sign_in_aliases = props.sign_in_aliases
if sign_in_aliases is None:
sign_in_aliases = cognito.SignInAliases(
username=True,
preferred_username=False,
phone=False,
email=True
)
sign_in_case_sensitive = props.sign_in_case_sensitive
if sign_in_case_sensitive is None:
sign_in_case_sensitive = False
standard_attributes = props.standard_attributes
if standard_attributes is None:
standard_attributes = cognito.StandardAttributes(
email=cognito.StandardAttribute(mutable=True, required=True)
)
user_invitation = props.user_invitation
if user_invitation is None:
user_invitation = cognito.UserInvitationConfig(
email_subject=f'({self.cluster_name}) Your IDEA Account',
email_body=f'''
Hello <b>{{username}}</b>,
<br/><br/>
You have been invited to join the {self.cluster_name} cluster.
<br/>
Your temporary password is <b>{{####}}</b>
'''
)
user_pool_name = props.user_pool_name
if user_pool_name is None:
user_pool_name = f'{self.cluster_name}-user-pool'
advanced_security_mode = None
if self.context.aws().aws_region() in Utils.get_value_as_list('COGNITO_ADVANCED_SECURITY_UNAVAIL_REGION_LIST', constants.CAVEATS):
self.context.warning(f'Cognito Advanced security NOT SET - Not available in this region ({self.context.aws().aws_region()})')
advanced_security_mode = None
else:
advanced_security_mode_cfg = self.context.config().get_string('identity-provider.cognito.advanced_security_mode', default='AUDIT')
if advanced_security_mode_cfg.upper() == 'AUDIT':
advanced_security_mode = cognito.AdvancedSecurityMode.AUDIT
elif advanced_security_mode_cfg.upper() == 'ENFORCED':
advanced_security_mode = cognito.AdvancedSecurityMode.ENFORCED
else:
advanced_security_mode = cognito.AdvancedSecurityMode.OFF
self.user_pool = cognito.UserPool(
scope=self.scope,
id=user_pool_name,
account_recovery=account_recovery,
advanced_security_mode=advanced_security_mode,
auto_verify=auto_verify,
custom_attributes=custom_attributes,
custom_sender_kms_key=props.custom_sender_kms_key,
deletion_protection=True,
device_tracking=props.device_tracking,
email=props.email,
enable_sms_role=props.enable_sms_role,
lambda_triggers=props.lambda_triggers,
mfa=mfa,
mfa_message=props.mfa_message,
mfa_second_factor=mfa_second_factor,
password_policy=password_policy,
removal_policy=removal_policy,
self_sign_up_enabled=self_sign_up_enabled,
sign_in_aliases=sign_in_aliases,
sign_in_case_sensitive=sign_in_case_sensitive,
sms_role=props.sms_role,
sms_role_external_id=props.sms_role_external_id,
standard_attributes=standard_attributes,
user_invitation=user_invitation,
user_pool_name=user_pool_name,
user_verification=props.user_verification
)
self.add_common_tags(self.user_pool)
# MFA
self.add_nag_suppression(construct=self.user_pool, suppressions=[
IdeaNagSuppression(rule_id='AwsSolutions-COG2', reason='Suppress MFA warning. MFA provided by customer IdP/SSO methods.')
])
# advanced security mode suppression
self.add_nag_suppression(construct=self.user_pool, suppressions=[
IdeaNagSuppression(rule_id='AwsSolutions-COG3', reason='suppress advanced security rule 1/to save cost, 2/Not supported in GovCloud')
])
domain_url = self.context.config().get_string('identity-provider.cognito.domain_url')
if Utils.is_not_empty(domain_url):
domain_prefix = domain_url.replace('https://', '').split('.')[0]
else:
domain_prefix = f'{self.cluster_name}-{Utils.uuid()}'
self.domain = self.user_pool.add_domain(
id='domain',