diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.js.snapshot/cdk.out new file mode 100644 index 0000000000000..91e1a8b9901d5 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"39.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.js.snapshot/integ-user-pool-password-history-size.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.js.snapshot/integ-user-pool-password-history-size.assets.json new file mode 100644 index 0000000000000..4e40c34d9c3e3 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.js.snapshot/integ-user-pool-password-history-size.assets.json @@ -0,0 +1,19 @@ +{ + "version": "39.0.0", + "files": { + "c5b6aa16b6bac960a7a3ed7d6c8b0e73fe65651b4a8796cf31d88273baabcec1": { + "source": { + "path": "integ-user-pool-password-history-size.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "c5b6aa16b6bac960a7a3ed7d6c8b0e73fe65651b4a8796cf31d88273baabcec1.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.js.snapshot/integ-user-pool-password-history-size.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.js.snapshot/integ-user-pool-password-history-size.template.json new file mode 100644 index 0000000000000..96fb0efcb370f --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.js.snapshot/integ-user-pool-password-history-size.template.json @@ -0,0 +1,75 @@ +{ + "Resources": { + "PoolD3F588B8": { + "Type": "AWS::Cognito::UserPool", + "Properties": { + "AccountRecoverySetting": { + "RecoveryMechanisms": [ + { + "Name": "verified_phone_number", + "Priority": 1 + }, + { + "Name": "verified_email", + "Priority": 2 + } + ] + }, + "AdminCreateUserConfig": { + "AllowAdminCreateUserOnly": true + }, + "EmailVerificationMessage": "The verification code to your new account is {####}", + "EmailVerificationSubject": "Verify your new account", + "Policies": { + "PasswordPolicy": { + "MinimumLength": 8, + "PasswordHistorySize": 3 + } + }, + "SmsVerificationMessage": "The verification code to your new account is {####}", + "VerificationMessageTemplate": { + "DefaultEmailOption": "CONFIRM_WITH_CODE", + "EmailMessage": "The verification code to your new account is {####}", + "EmailSubject": "Verify your new account", + "SmsMessage": "The verification code to your new account is {####}" + } + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.js.snapshot/integ.json new file mode 100644 index 0000000000000..2d154adfd359f --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.js.snapshot/integ.json @@ -0,0 +1,12 @@ +{ + "version": "39.0.0", + "testCases": { + "password-history-size-test/DefaultTest": { + "stacks": [ + "integ-user-pool-password-history-size" + ], + "assertionStack": "password-history-size-test/DefaultTest/DeployAssert", + "assertionStackName": "passwordhistorysizetestDefaultTestDeployAssert64FCD5B1" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.js.snapshot/manifest.json new file mode 100644 index 0000000000000..56911a8a11497 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.js.snapshot/manifest.json @@ -0,0 +1,113 @@ +{ + "version": "39.0.0", + "artifacts": { + "integ-user-pool-password-history-size.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "integ-user-pool-password-history-size.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "integ-user-pool-password-history-size": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "integ-user-pool-password-history-size.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/c5b6aa16b6bac960a7a3ed7d6c8b0e73fe65651b4a8796cf31d88273baabcec1.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "integ-user-pool-password-history-size.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "integ-user-pool-password-history-size.assets" + ], + "metadata": { + "/integ-user-pool-password-history-size/Pool/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "PoolD3F588B8" + } + ], + "/integ-user-pool-password-history-size/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/integ-user-pool-password-history-size/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "integ-user-pool-password-history-size" + }, + "passwordhistorysizetestDefaultTestDeployAssert64FCD5B1.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "passwordhistorysizetestDefaultTestDeployAssert64FCD5B1.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "passwordhistorysizetestDefaultTestDeployAssert64FCD5B1": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "passwordhistorysizetestDefaultTestDeployAssert64FCD5B1.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "passwordhistorysizetestDefaultTestDeployAssert64FCD5B1.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "passwordhistorysizetestDefaultTestDeployAssert64FCD5B1.assets" + ], + "metadata": { + "/password-history-size-test/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/password-history-size-test/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "password-history-size-test/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.js.snapshot/passwordhistorysizetestDefaultTestDeployAssert64FCD5B1.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.js.snapshot/passwordhistorysizetestDefaultTestDeployAssert64FCD5B1.assets.json new file mode 100644 index 0000000000000..edde913d24f1c --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.js.snapshot/passwordhistorysizetestDefaultTestDeployAssert64FCD5B1.assets.json @@ -0,0 +1,19 @@ +{ + "version": "39.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "passwordhistorysizetestDefaultTestDeployAssert64FCD5B1.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.js.snapshot/passwordhistorysizetestDefaultTestDeployAssert64FCD5B1.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.js.snapshot/passwordhistorysizetestDefaultTestDeployAssert64FCD5B1.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.js.snapshot/passwordhistorysizetestDefaultTestDeployAssert64FCD5B1.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.js.snapshot/tree.json new file mode 100644 index 0000000000000..f455179a95dd7 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.js.snapshot/tree.json @@ -0,0 +1,154 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "integ-user-pool-password-history-size": { + "id": "integ-user-pool-password-history-size", + "path": "integ-user-pool-password-history-size", + "children": { + "Pool": { + "id": "Pool", + "path": "integ-user-pool-password-history-size/Pool", + "children": { + "Resource": { + "id": "Resource", + "path": "integ-user-pool-password-history-size/Pool/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Cognito::UserPool", + "aws:cdk:cloudformation:props": { + "accountRecoverySetting": { + "recoveryMechanisms": [ + { + "name": "verified_phone_number", + "priority": 1 + }, + { + "name": "verified_email", + "priority": 2 + } + ] + }, + "adminCreateUserConfig": { + "allowAdminCreateUserOnly": true + }, + "emailVerificationMessage": "The verification code to your new account is {####}", + "emailVerificationSubject": "Verify your new account", + "policies": { + "passwordPolicy": { + "minimumLength": 8, + "passwordHistorySize": 3 + } + }, + "smsVerificationMessage": "The verification code to your new account is {####}", + "verificationMessageTemplate": { + "defaultEmailOption": "CONFIRM_WITH_CODE", + "emailMessage": "The verification code to your new account is {####}", + "emailSubject": "Verify your new account", + "smsMessage": "The verification code to your new account is {####}" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.4.2" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.4.2" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "integ-user-pool-password-history-size/BootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.4.2" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "integ-user-pool-password-history-size/CheckBootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.4.2" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.4.2" + } + }, + "password-history-size-test": { + "id": "password-history-size-test", + "path": "password-history-size-test", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "password-history-size-test/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "password-history-size-test/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.4.2" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "password-history-size-test/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "password-history-size-test/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.4.2" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "password-history-size-test/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.4.2" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.4.2" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.4.2" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.4.2" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.ts new file mode 100644 index 0000000000000..6cd338da99e9a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-password-history-size.ts @@ -0,0 +1,16 @@ +import { App, Stack } from 'aws-cdk-lib'; +import { UserPool } from 'aws-cdk-lib/aws-cognito'; +import * as integ from '@aws-cdk/integ-tests-alpha'; + +const app = new App(); +const stack = new Stack(app, 'integ-user-pool-password-history-size'); + +new UserPool(stack, 'Pool', { + passwordPolicy: { + passwordHistorySize: 3, + }, +}); + +new integ.IntegTest(app, 'password-history-size-test', { + testCases: [stack], +}); diff --git a/packages/aws-cdk-lib/aws-cognito/README.md b/packages/aws-cdk-lib/aws-cognito/README.md index b043f324ae018..f992de22c176b 100644 --- a/packages/aws-cdk-lib/aws-cognito/README.md +++ b/packages/aws-cdk-lib/aws-cognito/README.md @@ -345,6 +345,10 @@ Further to this, it can also be configured with the validity of the auto-generat password is generated by the user pool either when an admin signs up a user or when a password reset is requested. The validity of this password dictates how long to give the user to use this password before expiring it. +You can also set a policy for password reuse by setting the `passwordHistorySize` property. +You can prevent a user from resetting their password to a new password that matches their current password or any of up to 23 additional previous passwords, for a maximum total of 24. +The `passwordHistorySize` property can not be set when `featurePlan` is `FeaturePlan.LITE`. + The following code snippet configures these properties - ```ts diff --git a/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts b/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts index 03f3c3ff15f10..94f4ed75449ba 100644 --- a/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts +++ b/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts @@ -13,6 +13,7 @@ import { Grant, IGrantable, IRole, PolicyDocument, PolicyStatement, Role, Servic import { IKey } from '../../aws-kms'; import * as lambda from '../../aws-lambda'; import { ArnFormat, Duration, IResource, Lazy, Names, RemovalPolicy, Resource, Stack, Token } from '../../core'; +import { ValidationError } from '../../core/lib/errors'; /** * The different ways in which users of this pool can sign up or sign in. @@ -457,6 +458,15 @@ export interface PasswordPolicy { * @default true */ readonly requireSymbols?: boolean; + + /** + * The number of previous passwords that you want Amazon Cognito to restrict each user from reusing. + * + * `passwordHistorySize` can not be set when `featurePlan` is `FeaturePlan.LITE`. + * + * @default undefined - Cognito default setting is no restriction + */ + readonly passwordHistorySize?: number; } /** @@ -1312,6 +1322,15 @@ export class UserPool extends UserPoolBase { if (minLength !== undefined && (minLength < 6 || minLength > 99)) { throw new Error(`minLength for password must be between 6 and 99 (received: ${minLength})`); } + const passwordHistorySize = props.passwordPolicy?.passwordHistorySize; + if (passwordHistorySize !== undefined) { + if (props.featurePlan === FeaturePlan.LITE) { + throw new ValidationError('`passwordHistorySize` can not be set when `featurePlan` is `FeaturePlan.LITE`.', this); + } + if (passwordHistorySize < 0 || passwordHistorySize > 24) { + throw new ValidationError(`\`passwordHistorySize\` must be between 0 and 24 (received: ${passwordHistorySize}).`, this); + } + } return undefinedIfNoKeys({ temporaryPasswordValidityDays: tempPasswordValidity?.toDays({ integral: true }), minimumLength: minLength, @@ -1319,6 +1338,7 @@ export class UserPool extends UserPoolBase { requireUppercase: props.passwordPolicy?.requireUppercase, requireNumbers: props.passwordPolicy?.requireDigits, requireSymbols: props.passwordPolicy?.requireSymbols, + passwordHistorySize: props.passwordPolicy?.passwordHistorySize, }); } diff --git a/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts b/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts index d1d51e408700e..4df09913b3ee8 100644 --- a/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts +++ b/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts @@ -2371,6 +2371,50 @@ describe('email MFA test', () => { featurePlan: FeaturePlan.LITE, })).toThrow('To enable email-based MFA, set `featurePlan` to `FeaturePlan.ESSENTIALS` or `FeaturePlan.PLUS`.'); }); + + describe('test passwordHistorySize', () => { + test('correctly set passwordHistorySize', () => { + // GIVEN + const stack = new Stack(); + + // WHEN + new UserPool(stack, 'Pool', { + passwordPolicy: { + passwordHistorySize: 3, + }, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPool', { + Policies: { + PasswordPolicy: { + PasswordHistorySize: 3, + }, + }, + }); + }); + + test('throws an error when email passwordHistorySize is set with FaturePlan.LITE', () => { + const stack = new Stack(); + + expect(() => new UserPool(stack, 'Pool', { + passwordPolicy: { + passwordHistorySize: 3, + }, + featurePlan: FeaturePlan.LITE, + })).toThrow('`passwordHistorySize` can not be set when `featurePlan` is `FeaturePlan.LITE`.'); + }); + + test.each([-1, 25])('throws an error when email passwordHistorySize is invalid', (passwordHistorySize) => { + const stack = new Stack(); + + expect(() => new UserPool(stack, 'Pool', { + passwordPolicy: { + passwordHistorySize, + }, + })).toThrow(`\`passwordHistorySize\` must be between 0 and 24 (received: ${passwordHistorySize}).`); + }); + }); }); function fooFunction(scope: Construct, name: string): lambda.IFunction {