Merge branch 'shivlaks/revert-apigwatewayv2-integrations' of https://…

…github.com/aws/aws-cdk into shivlaks/revert-apigwatewayv2-integrations
aws · Oct 23, 2020 · 0f8ed7c · 0f8ed7c
2 parents c81c2d1 + b2e0a5f
commit 0f8ed7c
Show file tree

Hide file tree

Showing 7 changed files with 67 additions and 15 deletions.
diff --git a/packages/@aws-cdk/aws-cognito/README.md b/packages/@aws-cdk/aws-cognito/README.md
@@ -38,6 +38,7 @@ This module is part of the [AWS Cloud Development Kit](https://github.com/aws/aw
     - [Account Recovery Settings](#account-recovery-settings)
   - [Emails](#emails)
   - [Lambda Triggers](#lambda-triggers)
+    - [Trigger Permissions](#trigger-permissions)
   - [Import](#importing-user-pools)
   - [Identity Providers](#identity-providers)
   - [App Clients](#app-clients)
@@ -58,6 +59,10 @@ new cognito.UserPool(this, 'myuserpool', {
 });
 ```
 
+The default set up for the user pool is configured such that only administrators will be allowed
+to create users. Features such as Multi-factor authentication (MFAs) and Lambda Triggers are not
+configured by default.
+
 ### Sign Up
 
 Users can either be signed up by the app's administrators or can sign themselves up. Once a user has signed up, their
@@ -131,6 +136,8 @@ used additionally; or it can be configured so that email and/or phone numbers ar
 sign in. Read more about this
 [here](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases-settings).
 
+⚠️ The Cognito service prevents changing the `signInAlias` property for an existing user pool.
+
 To match with 'Option 1' in the above link, with a verified email, `signInAliases` should be set to
 `{ username: true, email: true }`. To match with 'Option 2' in the above link with both a verified
 email and phone number, this property should be set to `{ email: true, phone: true }`.
@@ -288,6 +295,9 @@ new cognito.UserPool(this, 'UserPool', {
 })
 ```
 
+The default for account recovery is by phone if available and by email otherwise.
+A user will not be allowed to reset their password via phone if they are also using it for MFA.
+
 ### Emails
 
 Cognito sends emails to users in the user pool, when particular actions take place, such as welcome emails, invitation
@@ -345,6 +355,27 @@ The following table lists the set of triggers available, and their corresponding
 For more information on the function of these triggers and how to configure them, read [User Pool Workflows with
 Triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html).
 
+#### Trigger Permissions
+
+The `function.attachToRolePolicy()` API can be used to add additional IAM permissions to the lambda trigger
+as necessary.
+
+⚠️ Using the `attachToRolePolicy` API to provide permissions to your user pool will result in a circular dependency. See [aws/aws-cdk#7016](https://github.com/aws/aws-cdk/issues/7016).
+Error message when running `cdk synth` or `cdk deploy`:
+> Circular dependency between resources: [pool056F3F7E, fnPostAuthFnCognitoA630A2B1, ...]
+
+To work around the circular dependency issue, use the `attachInlinePolicy()` API instead, as shown below.
+
+```ts fixture=with-lambda-trigger
+// provide permissions to describe the user pool scoped to the ARN the user pool
+postAuthFn.role?.attachInlinePolicy(new iam.Policy(this, 'userpool-policy', {
+  statements: [new iam.PolicyStatement({
+    actions: ['cognito-idp:DescribeUserPool'],
+    resources: [userpool.userPoolArn],
+  })],
+}));
+```
+
 ### Importing User Pools
 
 Any user pool that has been created outside of this stack, can be imported into the CDK app. Importing a user pool
@@ -370,7 +401,7 @@ identity provider. Once configured, the Cognito backend will take care of integr
 Read more about [Adding User Pool Sign-in Through a Third
 Party](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html).
 
-The following third-party identity providers are currentlhy supported in the CDK -
+The following third-party identity providers are currently supported in the CDK -
 
 * [Login With Amazon](https://developer.amazon.com/apps-and-games/login-with-amazon)
 * [Facebook Login](https://developers.facebook.com/docs/facebook-login/)
@@ -580,4 +611,4 @@ Existing domains can be imported into CDK apps using `UserPoolDomain.fromDomainN
 
 ```ts
 const myUserPoolDomain = cognito.UserPoolDomain.fromDomainName(this, 'my-user-pool-domain', 'domain-name');
-```
+```
diff --git a/packages/@aws-cdk/aws-cognito/rosetta/with-lambda-trigger.ts-fixture b/packages/@aws-cdk/aws-cognito/rosetta/with-lambda-trigger.ts-fixture
@@ -0,0 +1,26 @@
+// Fixture with packages imported, but nothing else
+import { Stack } from '@aws-cdk/core';
+import { Construct } from 'constructs';
+import * as cognito from '@aws-cdk/aws-cognito';
+import * as iam from '@aws-cdk/aws-iam';
+import * as lambda from '@aws-cdk/aws-lambda';
+
+class Fixture extends Stack {
+  constructor(scope: Construct, id: string) {
+    super(scope, id);
+
+    const postAuthFn = new lambda.Function(this, 'postAuthFn', {
+      code: lambda.Code.fromInline('post authentication'),
+      runtime: lambda.Runtime.NODEJS_12_X,
+      handler: 'index.handler',
+    });
+
+    const userpool = new cognito.UserPool(this, 'myuserpool', {
+      lambdaTriggers: {
+        postAuthentication: postAuthFn,
+      },
+    });
+
+    /// here
+  }
+}
diff --git a/packages/@aws-cdk/cloud-assembly-schema/package.json b/packages/@aws-cdk/cloud-assembly-schema/package.json
@@ -82,7 +82,7 @@
     "exclude": []
   },
   "dependencies": {
-    "jsonschema": "^1.2.10",
+    "jsonschema": "^1.4.0",
     "semver": "^7.3.2"
   },
   "awscdkio": {

diff --git a/packages/aws-cdk-lib/package.json b/packages/aws-cdk-lib/package.json
@@ -88,7 +88,7 @@
   "dependencies": {
     "case": "1.6.3",
     "fs-extra": "^9.0.1",
-    "jsonschema": "^1.2.10",
+    "jsonschema": "^1.4.0",
     "minimatch": "^3.0.4",
     "semver": "^7.3.2",
     "yaml": "1.10.0"

diff --git a/packages/decdk/package.json b/packages/decdk/package.json
@@ -190,7 +190,7 @@
     "constructs": "^3.0.4",
     "fs-extra": "^9.0.1",
     "jsii-reflect": "^1.13.0",
-    "jsonschema": "^1.2.10",
+    "jsonschema": "^1.4.0",
     "yaml": "1.10.0",
     "yargs": "^16.1.0"
   },

diff --git a/packages/monocdk/package.json b/packages/monocdk/package.json
@@ -87,7 +87,7 @@
   "dependencies": {
     "case": "1.6.3",
     "fs-extra": "^9.0.1",
-    "jsonschema": "^1.2.10",
+    "jsonschema": "^1.4.0",
     "minimatch": "^3.0.4",
     "semver": "^7.3.2",
     "yaml": "1.10.0"

diff --git a/yarn.lock b/yarn.lock
@@ -8728,15 +8728,10 @@ jsonparse@^1.2.0:
   resolved "https://registry.yarnpkg.com/jsonparse/-/jsonparse-1.3.1.tgz#3f4dae4a91fac315f71062f8521cc239f1366280"
   integrity sha1-P02uSpH6wxX3EGL4UhzCOfE2YoA=
 
-jsonschema@^1.2.10:
-  version "1.2.10"
-  resolved "https://registry.yarnpkg.com/jsonschema/-/jsonschema-1.2.10.tgz#38dc18b63839e8f07580df015e37d959f20d1eda"
-  integrity sha512-CoRSun5gmvgSYMHx5msttse19SnQpaHoPzIqULwE7B9KtR4Od1g70sBqeUriq5r8b9R3ptDc0o7WKpUDjUgLgg==
-
-jsonschema@^1.2.7:
-  version "1.2.7"
-  resolved "https://registry.yarnpkg.com/jsonschema/-/jsonschema-1.2.7.tgz#4e6d6dc4d83dc80707055ba22c00ec6152c0e6e9"
-  integrity sha512-3dFMg9hmI9LdHag/BRIhMefCfbq1hicvYMy8YhZQorAdzOzWz7NjniSpn39yjpzUAMIWtGyyZuH2KNBloH7ZLw==
+jsonschema@^1.2.7, jsonschema@^1.4.0:
+  version "1.4.0"
+  resolved "https://registry.yarnpkg.com/jsonschema/-/jsonschema-1.4.0.tgz#1afa34c4bc22190d8e42271ec17ac8b3404f87b2"
+  integrity sha512-/YgW6pRMr6M7C+4o8kS+B/2myEpHCrxO4PEWnqJNBFMjn7EWXqlQ4tGwL6xTHeRplwuZmcAncdvfOad1nT2yMw==
 
 jsprim@^1.2.2:
   version "1.4.1"