diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool.ts b/packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool.ts index db3f08ac869fd..e570f799abaed 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool.ts +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool.ts @@ -440,7 +440,7 @@ export class IdentityPool extends Resource implements IIdentityPool { /** * Role Provider for the default Role for authenticated users */ - private readonly roleAttachment: CfnIdentityPoolRoleAttachment; + private readonly roleAttachment: IdentityPoolRoleAttachment; /** * List of Identity Providers added in constructor for use with property overrides @@ -495,18 +495,11 @@ export class IdentityPool extends Resource implements IIdentityPool { this.unauthenticatedRole = props.unauthenticatedRole ? props.unauthenticatedRole : this.configureDefaultRole('Unauthenticated'); // Set up Role Attachment - const mappings = props.roleMappings || []; - let roleMappings: any = undefined; - if (mappings) { - roleMappings = this.configureRoleMappings(...mappings); - } - this.roleAttachment = new CfnIdentityPoolRoleAttachment(this, 'DefaultRoleAttachment', { - identityPoolId: this.identityPoolId, - roles: { - authenticated: this.authenticatedRole.roleArn, - unauthenticated: this.unauthenticatedRole.roleArn, - }, - roleMappings, + this.roleAttachment = new IdentityPoolRoleAttachment(this, 'DefaultRoleAttachment', { + identityPool: this, + authenticatedRole: this.authenticatedRole, + unauthenticatedRole: this.unauthenticatedRole, + roleMappings: props.roleMappings, }); Array.isArray(this.roleAttachment); 
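Review bot: The doc comment directly above the changed field, `Role Provider for the default Role for authenticated users`, no longer describes what `roleAttachment` holds: it is now an `IdentityPoolRoleAttachment`, which (per the class added later in this diff) carries both default roles and the role mappings, not a provider for one role. Suggest `* Attachment of the default authenticated/unauthenticated Roles and role mappings to this Identity Pool`. The enclosing `IdentityPool` class starts and ends outside this hunk.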
@@ -544,6 +537,79 @@ export class IdentityPool extends Resource implements IIdentityPool { }, }, 'sts:AssumeRoleWithWebIdentity'); } +} + +/** + * Represents an Identity Pool Role Attachment + */ +interface IIdentityPoolRoleAttachment extends IResource { + /** + * ID of the Attachment's underlying Identity Pool + */ + readonly identityPoolId: string; +} + +/** + * Props for an Identity Pool Role Attachment + */ +interface IdentityPoolRoleAttachmentProps { + + /** + * ID of the Attachment's underlying Identity Pool + */ + readonly identityPool: IIdentityPool; + + /** + * Default authenticated (User) Role + * @default - No default authenticated Role will be added + */ + readonly authenticatedRole?: IRole; + + /** + * Default unauthenticated (Guest) Role + * @default - No default unauthenticated Role will be added + */ + readonly unauthenticatedRole?: IRole; + + /** + * Rules for mapping roles to users + * @default - No role mappings + */ + readonly roleMappings?: IdentityPoolRoleMapping[]; +} + +/** + * Defines an Identity Pool Role Attachment + * + * @resource AWS::Cognito::IdentityPoolRoleAttachment + */ +class IdentityPoolRoleAttachment extends Resource implements IIdentityPoolRoleAttachment { + /** + * ID of the underlying Identity Pool + */ + public readonly identityPoolId: string; + + constructor(scope: Construct, id: string, props: IdentityPoolRoleAttachmentProps) { + super(scope, id); + // Enhanced CDK Analytics Telemetry + addConstructMetadata(this, props); + this.identityPoolId = props.identityPool.identityPoolId; + const mappings = props.roleMappings || []; + let roles: any = undefined, roleMappings: any = undefined; + if (props.authenticatedRole || props.unauthenticatedRole) { + roles = {}; + if (props.authenticatedRole) roles.authenticated = props.authenticatedRole.roleArn; + if (props.unauthenticatedRole) roles.unauthenticated = props.unauthenticatedRole.roleArn; + } + if (mappings) { + roleMappings = this.configureRoleMappings(...mappings); + } + new 
CfnIdentityPoolRoleAttachment(this, 'Resource', { + identityPoolId: this.identityPoolId, + roles, + roleMappings, + }); + } /** * Configures role mappings for the Identity Pool Role Attachment diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-idp.assets.json b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-idp.assets.json index ac47c428fb7fb..f8d1ca2c0289a 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-idp.assets.json +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-idp.assets.json @@ -1,7 +1,7 @@ { "version": "39.0.0", "files": { - "a1046e71985bf782ff94088f68b0116dad15f432b81341e2a619fa0bb2092120": { + "70b2a5399ace42fab2c709a754a83c5d69ab9cb57dbae0e37e2beba80a9fc87d": { "source": { "path": "integ-idp.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "a1046e71985bf782ff94088f68b0116dad15f432b81341e2a619fa0bb2092120.json", + "objectKey": "70b2a5399ace42fab2c709a754a83c5d69ab9cb57dbae0e37e2beba80a9fc87d.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-idp.template.json b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-idp.template.json index 7028e958d28de..2b1d872194716 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-idp.template.json +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integ-idp.template.json 
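Review bot: In the new `IdentityPoolRoleAttachment` constructor the guard `if (mappings) {` is always true, because `mappings` is `props.roleMappings || []` and an empty array is truthy, so `configureRoleMappings()` is invoked with no arguments whenever the caller supplies no mappings; together with `let roles: any = undefined, roleMappings: any = undefined;` this leaves two untyped locals whose shape the compiler never checks. The rewrite below types `roles` as `Record<string, string>` and computes `roleMappings` only when mappings are present; assuming `configureRoleMappings()` with no arguments yields `undefined` (its body is outside the hunk, and the class continues past the constructor) the synthesized template is unchanged. Separately, the doc comment on `IdentityPoolRoleAttachmentProps.identityPool` reads `ID of the Attachment's underlying Identity Pool` but the property is an `IIdentityPool`, not an ID; suggest `* Identity Pool the roles and mappings are attached to`.
```typescript
  constructor(scope: Construct, id: string, props: IdentityPoolRoleAttachmentProps) {
    // … unchanged: super(), addConstructMetadata, identityPoolId assignment …
    const roles: Record<string, string> = {};
    if (props.authenticatedRole) roles.authenticated = props.authenticatedRole.roleArn;
    if (props.unauthenticatedRole) roles.unauthenticated = props.unauthenticatedRole.roleArn;
    const roleMappings = props.roleMappings?.length
      ? this.configureRoleMappings(...props.roleMappings)
      : undefined;
    new CfnIdentityPoolRoleAttachment(this, 'Resource', {
      identityPoolId: this.identityPoolId,
      roles: Object.keys(roles).length > 0 ? roles : undefined,
      roleMappings,
    });
```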
@@ -485,7 +485,7 @@ "PooltestClientFE8D4935" ] }, - "identitypoolDefaultRoleAttachment9339A8E5": { + "identitypoolDefaultRoleAttachment6BCAB114": { "Type": "AWS::Cognito::IdentityPoolRoleAttachment", "Properties": { "IdentityPoolId": { diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integidentitypoolDefaultTestDeployAssert8F0BD226.assets.json b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integidentitypoolDefaultTestDeployAssert8F0BD226.assets.json index 30ca7f140fa58..2352692605276 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integidentitypoolDefaultTestDeployAssert8F0BD226.assets.json +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integidentitypoolDefaultTestDeployAssert8F0BD226.assets.json @@ -14,7 +14,7 @@ } } }, - "0287cda156a4079c8e7a287fbaead933922e19863be4c2afc433c3ddf61851eb": { + "3b179a1b94294b0966e9bc3d082ffa7eb3e09e18525bb6a27b894f3aaeea56b0": { "source": { "path": "integidentitypoolDefaultTestDeployAssert8F0BD226.template.json", "packaging": "file" @@ -22,7 +22,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "0287cda156a4079c8e7a287fbaead933922e19863be4c2afc433c3ddf61851eb.json", + "objectKey": "3b179a1b94294b0966e9bc3d082ffa7eb3e09e18525bb6a27b894f3aaeea56b0.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integidentitypoolDefaultTestDeployAssert8F0BD226.template.json b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integidentitypoolDefaultTestDeployAssert8F0BD226.template.json index 41c27dd4d93c6..d21bc613b18cc 100644 
--- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integidentitypoolDefaultTestDeployAssert8F0BD226.template.json +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/integidentitypoolDefaultTestDeployAssert8F0BD226.template.json @@ -42,7 +42,7 @@ } }, "flattenResponse": "false", - "salt": "1740157917028" + "salt": "1740678743955" }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" @@ -171,7 +171,7 @@ } }, "flattenResponse": "false", - "salt": "1740157917028" + "salt": "1740678743956" }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/manifest.json b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/manifest.json index 1112cbb94ae19..0984d76128475 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/manifest.json @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/a1046e71985bf782ff94088f68b0116dad15f432b81341e2a619fa0bb2092120.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/70b2a5399ace42fab2c709a754a83c5d69ab9cb57dbae0e37e2beba80a9fc87d.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ 
@@ -321,9 +321,15 @@ } ], "/integ-idp/identitypool/DefaultRoleAttachment": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/integ-idp/identitypool/DefaultRoleAttachment/Resource": [ { "type": "aws:cdk:logicalId", - "data": "identitypoolDefaultRoleAttachment9339A8E5" + "data": "identitypoolDefaultRoleAttachment6BCAB114" } ], "/integ-idp/Exports/Output{\"Ref\":\"identitypoolE2A6D099\"}": [ @@ -382,7 +388,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/0287cda156a4079c8e7a287fbaead933922e19863be4c2afc433c3ddf61851eb.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/3b179a1b94294b0966e9bc3d082ffa7eb3e09e18525bb6a27b894f3aaeea56b0.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ diff --git a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/tree.json b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/tree.json index 0cd736ef1fb5e..b24d4634db27c 100644 --- a/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-cognito-identitypool-alpha/test/integ.identitypool.js.snapshot/tree.json 
@@ -842,79 +842,85 @@ "DefaultRoleAttachment": { "id": "DefaultRoleAttachment", "path": "integ-idp/identitypool/DefaultRoleAttachment", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::Cognito::IdentityPoolRoleAttachment", - "aws:cdk:cloudformation:props": { - "identityPoolId": { - "Ref": "identitypoolE2A6D099" - }, - "roleMappings": { - "theKey": { - "ambiguousRoleResolution": "Deny", - "type": "Token", - "identityProvider": { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PoolD3F588B8", - "ProviderName" + "children": { + "Resource": { + "id": "Resource", + "path": "integ-idp/identitypool/DefaultRoleAttachment/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Cognito::IdentityPoolRoleAttachment", + "aws:cdk:cloudformation:props": { + "identityPoolId": { + "Ref": "identitypoolE2A6D099" + }, + "roleMappings": { + "theKey": { + "ambiguousRoleResolution": "Deny", + "type": "Token", + "identityProvider": { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "PoolD3F588B8", + "ProviderName" + ] + }, + ":", + { + "Ref": "PooltestClientFE8D4935" + } ] - }, - ":", - { - "Ref": "PooltestClientFE8D4935" - } - ] - ] - } - }, - "importedUserPool": { - "ambiguousRoleResolution": "Deny", - "type": "Token", - "identityProvider": { - "Fn::Join": [ - "", - [ - "cognito-idp.", - { - "Fn::Select": [ - 3, + ] + } + }, + "importedUserPool": { + "ambiguousRoleResolution": "Deny", + "type": "Token", + "identityProvider": { + "Fn::Join": [ + "", + [ + "cognito-idp.", { - "Fn::Split": [ - ":", + "Fn::Select": [ + 3, { - "Fn::GetAtt": [ - "UserPoolToImport1A7C21D3", - "Arn" + "Fn::Split": [ + ":", + { + "Fn::GetAtt": [ + "UserPoolToImport1A7C21D3", + "Arn" + ] + } ] } ] - } - ] - }, - ".", - { - "Ref": "AWS::URLSuffix" - }, - "/", - { - "Fn::Select": [ - 1, + }, + ".", { - "Fn::Split": [ - "/", + "Ref": "AWS::URLSuffix" + }, + "/", + { + "Fn::Select": [ + 1, { - "Fn::Select": [ - 5, + "Fn::Split": [ + "/", { - "Fn::Split": [ - ":", + "Fn::Select": [ + 5, { - 
"Fn::GetAtt": [ - "UserPoolToImport1A7C21D3", - "Arn" + "Fn::Split": [ + ":", + { + "Fn::GetAtt": [ + "UserPoolToImport1A7C21D3", + "Arn" + ] + } ] } ] @@ -922,37 +928,44 @@ ] } ] + }, + ":", + { + "Ref": "UserPoolToImportclientToImport6885CDF7" } ] - }, - ":", - { - "Ref": "UserPoolToImportclientToImport6885CDF7" - } + ] + } + } + }, + "roles": { + "authenticated": { + "Fn::GetAtt": [ + "identitypoolAuthenticatedRoleB074B49D", + "Arn" ] - ] + }, + "unauthenticated": { + "Fn::GetAtt": [ + "identitypoolUnauthenticatedRoleE61CAC70", + "Arn" + ] + } } } }, - "roles": { - "authenticated": { - "Fn::GetAtt": [ - "identitypoolAuthenticatedRoleB074B49D", - "Arn" - ] - }, - "unauthenticated": { - "Fn::GetAtt": [ - "identitypoolUnauthenticatedRoleE61CAC70", - "Arn" - ] - } + "constructInfo": { + "fqn": "aws-cdk-lib.aws_cognito.CfnIdentityPoolRoleAttachment", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_cognito.CfnIdentityPoolRoleAttachment", - "version": "0.0.0" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0", + "metadata": [ + "*" + ] } } },