-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(cognito): support UserPoolGroup #31351
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request
. Additionally, if clarification is needed add Clarification Request
to a comment.
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
While working on #31351, I discovered. The test case name for `User Pool Domain` was incorrectly set as `User Pool Client`. It's likely that when the code was reused from `user-pool-client.test.ts`, the test case name wasn't updated. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
While working on aws#31351, I discovered. The test case name for `User Pool Domain` was incorrectly set as `User Pool Client`. It's likely that when the code was reused from `user-pool-client.test.ts`, the test case name wasn't updated. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
While working on aws#31351, I discovered. The test case name for `User Pool Domain` was incorrectly set as `User Pool Client`. It's likely that when the code was reused from `user-pool-client.test.ts`, the test case name wasn't updated. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR has been in the MERGE CONFLICTS state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week. |
/** | ||
* Represents a user pool group. | ||
*/ | ||
export interface IUserPoolGroup extends IResource { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mazyu36 thanks for this PR - I'm curious why you added this base interface and if it is necessary?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This follows the design guidelines.
I recognize that Interfaces are essential as they are implemented across almost all resources.
https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md#construct-interface
const app = new App(); | ||
const stack = new TestStack(app, 'user-pool-group-stack'); | ||
|
||
new IntegTest(app, 'integ-user-pool-group', { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we add any assertions on the integ test to make sure the UserPoolGroup
works as expected?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tried to implement an assertion to verify that UserGroups
are attached to the UserPool
.
test.assertions.awsApiCall('cognito-identity-provider', 'ListGroupsCommand', { UserPoolId: stack.userPool.userPoolId })
.expect(ExpectedResult.objectLike({
Groups: [
{
GroupName: stack.userPoolGroup.groupName,
UserPoolId: stack.userPool.userPoolId,
Precedence: 1,
Description: 'My user pool group',
RoleArn: stack.role.roleArn,
},
{
GroupName: stack.anotherUserPoolGroup.groupName,
UserPoolId: stack.userPool.userPoolId,
},
],
}));
However, since the order of items in the result list is non-deterministic, the integration tests sometimes fail.
I think this is problematic.
Based on the assertion guidelines, I think assertion is not mandatory in this case.
What do you think?
Some things you should look for in deciding if the test needs an assertion:
- Integrations between services (i.e. integration libraries like `aws-cdk-lib/aws-lambda-destinations`, `aws-cdk-lib/aws-stepfunctions-tasks`, etc).
- All custom resources. Must assert the expected behavior of the lambda is correct.
- Anything that bundles or deploys custom code (i.e. does a Lambda function bundled with `aws-cdk-lib/aws-lambda-nodejs` still invoke or did we break bundling behavior).
- IAM/Networking connections.
- This one is a bit of a judgement call. Most things do not need assertions, but sometimes we handle complicated configurations involving IAM permissions or
Networking access.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mazyu36 thank you for the detailed clarification
userPool: userPool, | ||
groupName: 'test-group', | ||
description: 'My user pool group', | ||
precedence: 0, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe overkill, but can we also add an integ test to confirm that a UserPoolGroup
without precedence
passed in deploys?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you. I modified AnotherUserPoolGroup
to deploy without precedence
.
if ( | ||
props.groupName !== undefined && | ||
!Token.isUnresolved(props.groupName) && | ||
!/^[\p{L}\p{M}\p{S}\p{N}\p{P}]{1,128}$/u.test(props.groupName) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm curious, is this how we normally perform string validations in CDK? Do you have any similar examples that use this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The following is the similar implementation:
const defaultRedirectUriPattern = /^(?=.{1,1024}$)[\p{L}\p{M}\p{S}\p{N}\p{P}]+$/u; |
Regex pattern is quoted from CFn Doucument.
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolgroup.html#cfn-cognito-userpoolgroup-groupname
|
||
Support for groups in Amazon Cognito user pools enables you to create and manage groups, add users to groups, and remove users from groups. | ||
Use groups to create collections of users to manage their permissions or to represent different types of users. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this PR @mazyu36 - one followup question, you mention in the README here that user pools enable you to also remove users from groups as well, but I don't see any functions that do this? Can you clarify? (My understanding might be off here)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks.
I've updated README.
Since there is no remove method, I have deleted it.
A remove method is unnecessary because users can be deleted by deleting the add method from implementation.
Other add methods also do not have corresponding remove methods.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @mazyu36 - overall API design looks good to me.
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Comments on closed issues and PRs are hard for our team to see. |
Issue # (if applicable)
Closes #21026.
Reason for this change
To support UserPool Group L2 Construct.
Description of changes
Add
UserPoolGroup
class.Description of how you validated changes
Add unit tests and integ tests.
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license