fix(cognito-identitypool-alpha): cannot configure roleMappings with imported userPool and client

[sakurai-ryo]

Issue # (if applicable)

Closes #30304

Reason for this change

Currently, we cannot use imported user pools and clients for role mapping in an identity pool.
This is because the IdentityPoolProviderUrl.userPool method takes an L2 construct as its argument type instead of Interface (IUserPool, IUserPoolClient).

    const userPool = cognito.UserPool.fromUserPoolArn(this, 'CognitoUserPool', 'arn');
    const userPoolClient = cognito.UserPoolClient.fromUserPoolClientId(this, 'UserPoolClientId', 'client-id');
    const identityPool = new cognitoidp.IdentityPool(this, 'IdentityPool', {
      // ~
      roleMappings: [
        {
          mappingKey: 'cognito', 
          providerUrl: cognitoidp.IdentityPoolProviderUrl.userPool(userPool, userPoolClient), // ! type error here !
          useToken: true
        }
      ],
      allowUnauthenticatedIdentities: false
    });

Description of changes

The argument types of the IdentityPoolProviderUrl.userPool method are changed to IUserPool and IUserPoolClient.
This method requires the userPoolProviderName of the userPool, but since it does not exist for IUserPool, a property was added.
Since this property is required in the UserPool construct, it is also required in IUserPool.

aws-cdk/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts

Line 902 in c3003ab

public readonly userPoolProviderName: string;

I add a required attribute to the Interface of the aws-cognito module(stable), but I do not think this to be a breaking change.
Please let me know if it is not.

Description of how you validated changes

Unit tests and integ tests are added to verify that the imported userPool and clinet can be used.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[TheRealAmazonKendra]

Thank you for your contribution. Please see my comments inline.

[TheRealAmazonKendra]

Please specify why this is the case. This comment alone gives me pause about these changes.

[TheRealAmazonKendra]

I'm not sure I'm getting this. If the name is constructed from the ARN and ID of the userpool, why can't we construct this on import functions so that it's accessible to users?

[TheRealAmazonKendra]

Also, wouldn't the ID be a subset of the ARN ?

[TheRealAmazonKendra]

I'm not sure that this function is really needed here. The fromId and fromArn functions should be able to assemble and return all of the missing attributes.

Correct me if I'm wrong but the attributes for a UserPool are:

Arn: arn:<partition>:cognito-idp:<region>:<account>:userpool/<userpoolId>
ProviderName: cognito-idp.<region>.<url-suffix>/<userpoolId>
ProviderURL: https://cognito-idp.<region>.<url-suffix>/userpoolId/.well-known/jwks.json (this is listed as the token signing key url, which I think is what's being referred to here?)
UserPoolId: userpoolId

So, given that, you could add each of the missing fields as attributes in the IUserPool and then construct each of these (assuming same region as in the id for fromId) in the existing fromXxx functions so that you don't even need to create a new function.

[TheRealAmazonKendra]

Doing so would mitigate every one of my comments above.

Pull request has been modified.

[sakurai-ryo]

Hi @TheRealAmazonKendra
Thanks for the review.
Really sorry. I got mixed up with other PRs and misunderstood.
I fixed it by deleting the fromUserPoolAttributes method and constructing the ProviderName within the fromUserPoolArn method.
Also, I updated the PR description.

[Leo10Gama]

Thanks for the changes! Left a few more comments looking for a bit more clarification on these changes.

[Leo10Gama]

Can we keep the stack identical for this test, or does it need these additional properties to work? If so, that would probably make these breaking changes. If not, can we update the logic that checks for the new userPoolProviderName so that it works without additional props?

[Leo10Gama]

Can we update the docstring to be more similar to some of the other attributes? Feels redundant to have an attribute userPoolProviderName with the description User pool provider name.

[Leo10Gama]

The formation logic of this string should be changed, since amazonaws.com is a partition that could be different for different users. Can you use the arnParts attributes for this instead? Something along the lines of:

`cognito-idp.${arnParts.region}.${arnParts.partition}/${userPoolId}`;

Pull request has been modified.

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[paulhcsun]

Nice work, thanks @sakurai-ryo and @Leo10Gama both!

[paulhcsun]

@Mergifyio update

[mergify]

update

❌ Mergify doesn't have permission to update

For security reasons, Mergify can't update this pull request. Try updating locally.
GitHub response: refusing to allow a GitHub App to create or update workflow .github/workflows/github-merit-badger.yml without workflows permission

[paulhcsun]

@Mergifyio update

[mergify]

update

☑️ Nothing to do

• #commits-behind > 0 [📌 update requirement]
• -closed [📌 update requirement]
• -conflict [📌 update requirement]
• queue-position = -1 [📌 update requirement]

Pull request has been modified.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: c627419
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.