Resource: awsCognitoManagedUserPoolClient
Manages a Cognito User Pool Client resource created by another service.
This is an advanced resource and has special caveats to be aware of when using it. Please read this document in its entirety before using this resource.
The awsCognitoManagedUserPoolClient resource should only be used to manage a Cognito User Pool Client that an AWS service created automatically. For example, when an OpenSearch Domain is configured to use Cognito authentication, the OpenSearch service creates the User Pool Client on setup and deletes it when it is no longer needed. The awsCognitoManagedUserPoolClient resource therefore neither creates nor deletes the client; it "adopts" the existing client into management so that its settings (token lifetimes, allowed OAuth flows, callback URLs, and so on) can be controlled from Terraform. Because the service owns the client's lifecycle, removing this resource from your configuration only drops it from state; the client itself stays until the owning service deletes it.
For normal uses of a Cognito User Pool Client, use the awsCognitoUserPoolClient resource instead.
Example Usage
// Provider bindings are generated by running `cdktf get`.
// See https://cdk.tf/provider-generation for more details.
import * as aws from "./.gen/providers/aws";

const awsCognitoIdentityPoolExample =
  new aws.cognitoIdentityPool.CognitoIdentityPool(this, "example", {
    identityPoolName: "example",
    // OpenSearch registers the user pool on the identity pool itself, so
    // ignore drift on that attribute instead of fighting the service.
    lifecycle: {
      ignoreChanges: ["cognito_identity_providers"],
    },
  });
const awsCognitoUserPoolExample = new aws.cognitoUserPool.CognitoUserPool(
  this,
  "example_1",
  {
    name: "example",
  }
);
// The overrideLogicalId calls keep the Terraform resource names equal to the
// originals (aws_cognito_user_pool.example and so on). Remove them if you
// don't need the names to match.
awsCognitoUserPoolExample.overrideLogicalId("example");
const dataAwsPartitionCurrent = new aws.dataAwsPartition.DataAwsPartition(
  this,
  "current",
  {}
);
// Trust policy that lets the OpenSearch service assume the role below.
const dataAwsIamPolicyDocumentExample =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(this, "example_3", {
    statement: [
      {
        actions: ["sts:AssumeRole"],
        effect: "Allow",
        principals: [
          {
            identifiers: [`es.${dataAwsPartitionCurrent.dnsSuffix}`],
            type: "Service",
          },
        ],
        sid: "",
      },
    ],
  });
dataAwsIamPolicyDocumentExample.overrideLogicalId("example");
const awsIamRoleExample = new aws.iamRole.IamRole(this, "example_4", {
  assumeRolePolicy: dataAwsIamPolicyDocumentExample.json,
  name: "example-role",
  path: "/service-role/",
});
awsIamRoleExample.overrideLogicalId("example");
const awsIamRolePolicyAttachmentExample =
  new aws.iamRolePolicyAttachment.IamRolePolicyAttachment(this, "example_5", {
    policyArn: `arn:${dataAwsPartitionCurrent.partition}:iam::aws:policy/AmazonESCognitoAccess`,
    role: awsIamRoleExample.name,
  });
awsIamRolePolicyAttachmentExample.overrideLogicalId("example");
const awsOpensearchDomainExample = new aws.opensearchDomain.OpensearchDomain(
  this,
  "example_6",
  {
    cognitoOptions: {
      enabled: true,
      identityPoolId: awsCognitoIdentityPoolExample.id,
      roleArn: awsIamRoleExample.arn,
      userPoolId: awsCognitoUserPoolExample.id,
    },
    // The original HCL also depends on aws_cognito_user_pool_domain.example
    // (Cognito authentication needs a user pool domain); that resource is not
    // shown in this example.
    dependsOn: [awsIamRolePolicyAttachmentExample],
    domainName: "example",
    ebsOptions: {
      ebsEnabled: true,
      volumeSize: 10,
    },
  }
);
awsOpensearchDomainExample.overrideLogicalId("example");
// Adopt the client that the OpenSearch service created for the domain.
// Nothing is created here; the resource only looks the client up by name
// prefix, which is why it must run after the domain exists.
const awsCognitoManagedUserPoolClientExample =
  new aws.cognitoManagedUserPoolClient.CognitoManagedUserPoolClient(
    this,
    "example_7",
    {
      dependsOn: [awsOpensearchDomainExample],
      namePrefix: "AmazonOpenSearchService-example",
      userPoolId: awsCognitoUserPoolExample.id,
    }
  );
awsCognitoManagedUserPoolClientExample.overrideLogicalId("example");
Argument Reference
The following arguments are required:
userPoolId - (Required) User pool the client belongs to.
namePattern - (Required, one of namePattern or namePrefix) Regular expression that matches the name of the desired User Pool Client. Must match exactly one User Pool Client.
namePrefix - (Required, one of namePrefix or namePattern) String that matches the beginning of the name of the desired User Pool Client. Must match exactly one User Pool Client.
Matching zero clients is a lookup failure, and matching two or more is an error rather than a pick. A prefix such as AmazonOpenSearchService-example also matches a client the service created for a domain named example-2 in the same user pool; when that can happen, use namePattern with an anchored expression instead.
The following arguments are optional:
accessTokenValidity - (Optional) Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. The number is interpreted in the unit set in tokenValidityUnits (hours unless you set one), so check the unit before choosing the number.
allowedOauthFlowsUserPoolClient - (Optional) Whether the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
allowedOauthFlows - (Optional) List of allowed OAuth flows (code, implicit, client_credentials). Prefer code; the implicit flow returns tokens in the redirect URL.
allowedOauthScopes - (Optional) List of allowed OAuth scopes (phone, email, openid, profile, and aws.cognito.signin.user.admin).
analyticsConfiguration - (Optional) Configuration block for Amazon Pinpoint analytics for collecting metrics for this user pool. Detailed below.
authSessionValidity - (Optional) Amazon Cognito creates a session token for each API request in an authentication flow. authSessionValidity is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires. Valid values are between 3 and 15. Default value is 3.
callbackUrls - (Optional) List of allowed callback URLs for the identity providers.
defaultRedirectUri - (Optional) Default redirect URI. Must be in the list of callback URLs.
enableTokenRevocation - (Optional) Enables or disables token revocation.
enablePropagateAdditionalUserContextData - (Optional) Activates the propagation of additional user context data.
explicitAuthFlows - (Optional) List of authentication flows (ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH).
generateSecret - (Optional) Whether an application secret should be generated. The value is exported as clientSecret.
idTokenValidity - (Optional) Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. The number is interpreted in the unit set in tokenValidityUnits (hours unless you set one).
logoutUrls - (Optional) List of allowed logout URLs for the identity providers.
preventUserExistenceErrors - (Optional) Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to ENABLED and the user does not exist, authentication returns an error indicating that either the username or the password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to LEGACY, those APIs return a UserNotFoundException if the user does not exist in the user pool, which lets a caller enumerate valid usernames.
readAttributes - (Optional) List of user pool attributes the application client can read from.
refreshTokenValidity - (Optional) Time limit after which refresh tokens are no longer valid, interpreted in the unit set in tokenValidityUnits (days unless you set one).
supportedIdentityProviders - (Optional) List of provider names for the identity providers that are supported on this client. Uses the providerName attribute of awsCognitoIdentityProvider resource(s), or the equivalent string(s).
tokenValidityUnits - (Optional) Configuration block for the units in which the validity times are expressed. Detailed below.
writeAttributes - (Optional) List of user pool attributes the application client can write to.
analyticsConfiguration
Either applicationArn or applicationId is required.
applicationArn - (Optional) Application ARN for an Amazon Pinpoint application. Conflicts with externalId and roleArn.
applicationId - (Optional) Application ID for an Amazon Pinpoint application.
externalId - (Optional) ID for the Analytics Configuration. Conflicts with applicationArn.
roleArn - (Optional) ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. Conflicts with applicationArn.
userDataShared - (Optional) If set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.
tokenValidityUnits
Valid values for the following arguments are: seconds, minutes, hours or days.
accessToken - (Optional) Time unit for the value in accessTokenValidity, defaults to hours.
idToken - (Optional) Time unit for the value in idTokenValidity, defaults to hours.
refreshToken - (Optional) Time unit for the value in refreshTokenValidity, defaults to days.
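Because the validity numbers only mean something together with their units, a value that is fine in minutes can exceed the one-day ceiling under the default of hours, and the mistake only surfaces at apply time. The following added example, which is not part of the provider, checks a client configuration against the limits stated in the accessTokenValidity, idTokenValidity, authSessionValidity, defaultRedirectUri and analyticsConfiguration entries above before the configuration reaches terraform plan. The ClientConfig shape mirrors the argument names on this page; the exampleConfig values are constructed.

```typescript
// Added example: validates a client configuration against the limits this
// page documents. Not the provider's own validation; the config shape
// mirrors the page's argument names and exampleConfig is constructed.

type Unit = "seconds" | "minutes" | "hours" | "days";
const SECONDS_PER: Record<Unit, number> = { seconds: 1, minutes: 60, hours: 3600, days: 86400 };

interface TokenValidityUnits {
  accessToken?: Unit;
  idToken?: Unit;
  refreshToken?: Unit;
}

interface AnalyticsConfiguration {
  applicationArn?: string;
  applicationId?: string;
  externalId?: string;
  roleArn?: string;
  userDataShared?: boolean;
}

export interface ClientConfig {
  accessTokenValidity?: number;
  idTokenValidity?: number;
  authSessionValidity?: number;
  callbackUrls?: string[];
  defaultRedirectUri?: string;
  tokenValidityUnits?: TokenValidityUnits;
  analyticsConfiguration?: AnalyticsConfiguration;
}

const FIVE_MINUTES = 5 * 60;
const ONE_DAY = 24 * 3600;

// Access and ID token lifetimes must land between 5 minutes and 1 day once
// the number is combined with its unit.
function checkTokenRange(name: string, value: number | undefined, unit: Unit, problems: string[]): void {
  if (value === undefined) return;
  const seconds = value * SECONDS_PER[unit];
  if (seconds < FIVE_MINUTES || seconds > ONE_DAY) {
    problems.push(`${name}=${value} ${unit} is outside the 5 minute to 1 day range`);
  }
}

// Returns a list of problems; an empty list means the config passes every
// check this page documents.
export function validateClientConfig(cfg: ClientConfig): string[] {
  const problems: string[] = [];
  const units: TokenValidityUnits = cfg.tokenValidityUnits ?? {};
  // Units default to hours for access and ID tokens, so the bare number is
  // ambiguous until the unit is known.
  checkTokenRange("accessTokenValidity", cfg.accessTokenValidity, units.accessToken ?? "hours", problems);
  checkTokenRange("idTokenValidity", cfg.idTokenValidity, units.idToken ?? "hours", problems);
  if (cfg.authSessionValidity !== undefined && (cfg.authSessionValidity < 3 || cfg.authSessionValidity > 15)) {
    problems.push(`authSessionValidity=${cfg.authSessionValidity} must be between 3 and 15 minutes`);
  }
  if (cfg.defaultRedirectUri !== undefined && !(cfg.callbackUrls ?? []).includes(cfg.defaultRedirectUri)) {
    problems.push("defaultRedirectUri must appear in callbackUrls");
  }
  const analytics = cfg.analyticsConfiguration;
  if (analytics !== undefined) {
    if (!analytics.applicationArn && !analytics.applicationId) {
      problems.push("analyticsConfiguration needs applicationArn or applicationId");
    }
    if (analytics.applicationArn && (analytics.externalId || analytics.roleArn)) {
      problems.push("applicationArn conflicts with externalId and roleArn");
    }
  }
  return problems;
}

// Constructed config: 30 is valid in minutes, but with the default unit of
// hours the same number would exceed the one-day ceiling.
export const exampleConfig: ClientConfig = {
  accessTokenValidity: 30,
  idTokenValidity: 30,
  tokenValidityUnits: { accessToken: "minutes", idToken: "minutes", refreshToken: "days" },
  authSessionValidity: 3,
  callbackUrls: ["https://app.example.com/callback"],
  defaultRedirectUri: "https://app.example.com/callback",
};
```

Run validateClientConfig over the props you intend to pass to the resource and fail the build on a non-empty result; the check is cheap, and it catches the unit mismatch that otherwise only appears as an API error during apply.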
Attributes Reference
In addition to all arguments above, the following attributes are exported:
clientSecret - Client secret of the user pool client. Treat it as a secret: it is written to Terraform state, so protect state storage accordingly.
id - ID of the user pool client.
name - Name of the user pool client.
Import
Cognito User Pool Clients can be imported using the id of the Cognito User Pool and the id of the Cognito User Pool Client, e.g.,