Amazon Cognito Construct Library
Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, Google or Apple.
The two main components of Amazon Cognito are user pools and identity pools. User pools are user directories that provide sign-up and sign-in options for your app users. Identity pools enable you to grant your users access to other AWS services. Identity Pool L2 Constructs can be found here.
This module is part of the AWS Cloud Development Kit project.
User Pools
User pools allow creating and managing your own directory of users that can sign up and sign in. They enable easy integration with social identity providers such as Facebook, Google, Amazon, Microsoft Active Directory, etc. through SAML.
Using the CDK, a new user pool can be created as part of the stack using the construct's constructor. You may specify the userPoolName to give your own identifier to the user pool. If not, CloudFormation will generate a name.
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	UserPoolName:        jsii.String("myawesomeapp-userpool"),
	SignInCaseSensitive: jsii.Boolean(false),
})
By default, usernames and email addresses in user pools are case sensitive, which means user@example.com and User@example.com are considered different. In most situations it is preferred to have usernames and email addresses be case insensitive so that capitalization differences are ignored. As shown above, you can make a user pool case insensitive by setting signInCaseSensitive to false. The case sensitivity cannot be changed once a user pool is created.
The default setup for the user pool is configured such that only administrators will be allowed to create users. Features such as multi-factor authentication (MFA) and Lambda Triggers are not configured by default.
Use the grant() method to add an IAM policy statement associated with the user pool to an IAM principal's policy.
userPool := cognito.NewUserPool(this, jsii.String("myuserpool"), nil)
role := iam.NewRole(this, jsii.String("role"), &iam.RoleProps{
	AssumedBy: iam.NewServicePrincipal(jsii.String("foo"), nil),
})
userPool.Grant(role, jsii.String("cognito-idp:AdminCreateUser"))
User pool feature plans
Amazon Cognito has feature plans for user pools. Each plan has a set of features and a monthly cost per active user. Each feature plan unlocks access to more features than the one before it. Learn more about feature plans here.
- Lite - a low-cost feature plan for user pools with lower numbers of monthly active users.
- Essentials - all of the latest user pool authentication features.
- Plus - includes everything in the Essentials plan and adds advanced security features that protect your users.
The default feature plan is Essentials for newly created user pools. For existing user pools, the Lite plan is automatically set.
Previously, some user pool features were included in an advanced security features pricing structure. The features that were included in this structure are now under either the Essentials or Plus plan.
Sign Up
Users can either be signed up by the app's administrators or can sign themselves up. Once a user has signed up, their account needs to be confirmed. Cognito provides several ways to sign users up and confirm their accounts. Learn more about user sign up here.
To verify the email address of a user in your user pool with Amazon Cognito, you can send the user an email message with a link that they can select, or you can send them a code that they can enter.
Code Verification
When a user signs up, email and SMS messages are used to verify their account and contact methods. The following code snippet configures a user pool with properties relevant to these verification messages -
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	// ...
	SelfSignUpEnabled: jsii.Boolean(true),
	UserVerification: &cognito.UserVerificationConfig{
		EmailSubject: jsii.String("Verify your email for our awesome app!"),
		EmailBody:    jsii.String("Thanks for signing up to our awesome app! Your verification code is {####}"),
		EmailStyle:   cognito.VerificationEmailStyle_CODE,
		SmsMessage:   jsii.String("Thanks for signing up to our awesome app! Your verification code is {####}"),
	},
})
By default, self sign up is disabled. Learn more about email and SMS verification messages here.
Besides users signing themselves up, an administrator of any user pool can sign users up. The user then receives an invitation to join the user pool. The following code snippet configures a user pool with properties relevant to the invitation messages -
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	// ...
	UserInvitation: &cognito.UserInvitationConfig{
		EmailSubject: jsii.String("Invite to join our awesome app!"),
		EmailBody:    jsii.String("Hello {username}, you have been invited to join our awesome app! Your temporary password is {####}"),
		SmsMessage:   jsii.String("Hello {username}, your temporary password for our awesome app is {####}"),
	},
})
Link Verification
Alternatively, users can use a link as the verification method. The following code snippet configures a user pool with properties relevant to these verification messages and the link verification method.
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	UserVerification: &cognito.UserVerificationConfig{
		EmailStyle:   cognito.VerificationEmailStyle_LINK,
		EmailSubject: jsii.String("Invite to join our awesome app!"),
		EmailBody:    jsii.String("You have been invited to join our awesome app! {##Verify Your Email##}"),
	},
})
All email subjects, bodies and SMS messages for both invitation and verification support Cognito's message templating. Learn more about message templates here.
Sign In
Users registering or signing in to your application can do so with multiple identifiers. There are 4 options available:
- username: Allow signing in using the one time immutable user name that the user chose at the time of sign up.
- email: Allow signing in using the email address that is associated with the account.
- phone: Allow signing in using the phone number that is associated with the account.
- preferredUsername: Allow signing in with an alternate user name that the user can change at any time. However, this is not available if the username option is not chosen.
The following code sets up a user pool so that the user can sign in with either their username or their email address -
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	// ...
	SignInAliases: &cognito.SignInAliases{
		Username: jsii.Boolean(true),
		Email:    jsii.Boolean(true),
	},
})
User pools can either be configured so that the user name is the primary sign-in form, with the other three allowed as additional options, or so that email and/or phone numbers are the only ways a user can register and sign in. Read more about this here.
⚠️ The Cognito service prevents changing the signInAlias property for an existing user pool.
To match with 'Option 1' in the above link, with a verified email, signInAliases should be set to { username: true, email: true }. To match with 'Option 2' in the above link with both a verified email and phone number, this property should be set to { email: true, phone: true }.
Cognito recommends that email and phone number be automatically verified, if they are one of the sign in methods for the user pool. Read more about that here.
The CDK does this by default, when email and/or phone number are specified as part of signInAliases. This can be overridden by specifying the autoVerify property.
The following code snippet sets up only email as a sign in alias, but both email and phone number to be auto-verified.
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	// ...
	SignInAliases: &cognito.SignInAliases{
		Username: jsii.Boolean(true),
		Email:    jsii.Boolean(true),
	},
	AutoVerify: &cognito.AutoVerifiedAttrs{
		Email: jsii.Boolean(true),
		Phone: jsii.Boolean(true),
	},
})
A user pool can optionally ignore case when evaluating sign-ins. When signInCaseSensitive is false, Cognito will not check the capitalization of the alias when signing in. Default is true.
Choice-based authentication: passwordless sign-in / passkey sign-in
User pools can be configured to allow the following authentication methods in choice-based authentication:
- Passwordless sign-in with email message one-time password
- Passwordless sign-in with SMS message one-time password
- Passkey (WebAuthn) sign-in
To use choice-based authentication, the user pool feature plan should be Essentials or higher.
For details of authentication methods and client implementation, see Manage authentication methods in AWS SDKs.
The following code configures a user pool with choice-based authentication enabled:
userPool := cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	SignInPolicy: &cognito.SignInPolicy{
		AllowedFirstAuthFactors: &cognito.AllowedFirstAuthFactors{
			Password: jsii.Boolean(true), // password authentication must be enabled
			EmailOtp: jsii.Boolean(true), // enables email message one-time password
			SmsOtp:   jsii.Boolean(true), // enables SMS message one-time password
			Passkey:  jsii.Boolean(true), // enables passkey sign-in
		},
	},
})
// You should also configure the user pool client with USER_AUTH authentication flow allowed
userPool.AddClient(jsii.String("myclient"), &cognito.UserPoolClientOptions{
	AuthFlows: &cognito.AuthFlow{
		User: jsii.Boolean(true),
	},
})
⚠️ Enabling SMS message one-time password requires the AWS account to be activated for SMS message sending. Learn more about SMS message settings for Amazon Cognito user pools.
When enabling passkey sign-in, you should specify the authentication domain used as the relying party ID. Learn more about passkey sign-in of user pools and Web Authentication API.
// Use the hosted Amazon Cognito domain as the relying party ID
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	SignInPolicy: &cognito.SignInPolicy{
		AllowedFirstAuthFactors: &cognito.AllowedFirstAuthFactors{
			Password: jsii.Boolean(true),
			Passkey:  jsii.Boolean(true),
		},
	},
	PasskeyRelyingPartyId: jsii.String("myclientname.auth.region-name.amazoncognito.com"),
})
// Use the custom domain as the relying party ID
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	SignInPolicy: &cognito.SignInPolicy{
		AllowedFirstAuthFactors: &cognito.AllowedFirstAuthFactors{
			Password: jsii.Boolean(true),
			Passkey:  jsii.Boolean(true),
		},
	},
	PasskeyRelyingPartyId: jsii.String("auth.example.com"),
})
You can configure user verification to be preferred (default) or required. When you set user verification to preferred, users can set up authenticators that don't have the user verification capability, and registration and authentication operations can succeed without user verification. To mandate user verification in passkey registration and authentication, set passkeyUserVerification to PasskeyUserVerification.REQUIRED.
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	SignInPolicy: &cognito.SignInPolicy{
		AllowedFirstAuthFactors: &cognito.AllowedFirstAuthFactors{
			Password: jsii.Boolean(true),
			Passkey:  jsii.Boolean(true),
		},
	},
	PasskeyRelyingPartyId:   jsii.String("auth.example.com"),
	PasskeyUserVerification: cognito.PasskeyUserVerification_REQUIRED,
})
To disable choice-based authentication explicitly, specify password only.
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	SignInPolicy: &cognito.SignInPolicy{
		AllowedFirstAuthFactors: &cognito.AllowedFirstAuthFactors{
			Password: jsii.Boolean(true),
		},
	},
	FeaturePlan: cognito.FeaturePlan_LITE,
})
Attributes
Attributes represent the various properties of each user that's collected and stored in the user pool. Cognito provides a set of standard attributes that are available for all user pools. Users are allowed to select any of these standard attributes to be required. Users will not be able to sign up to the user pool without providing the required attributes. Besides these, additional attributes can be further defined, and are known as custom attributes.
Learn more on attributes in Cognito's documentation.
The following code configures a user pool with two standard attributes (name and address) as required and mutable, and adds four custom attributes.
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	// ...
	StandardAttributes: &cognito.StandardAttributes{
		Fullname: &cognito.StandardAttribute{
			Required: jsii.Boolean(true),
			Mutable:  jsii.Boolean(false),
		},
		Address: &cognito.StandardAttribute{
			Required: jsii.Boolean(false),
			Mutable:  jsii.Boolean(true),
		},
	},
	CustomAttributes: &map[string]cognito.ICustomAttribute{
		"myappid": cognito.NewStringAttribute(&cognito.StringAttributeProps{
			MinLen:  jsii.Number(5),
			MaxLen:  jsii.Number(15),
			Mutable: jsii.Boolean(false),
		}),
		"callingcode": cognito.NewNumberAttribute(&cognito.NumberAttributeProps{
			Min:     jsii.Number(1),
			Max:     jsii.Number(3),
			Mutable: jsii.Boolean(true),
		}),
		"isEmployee": cognito.NewBooleanAttribute(&cognito.CustomAttributeProps{
			Mutable: jsii.Boolean(true),
		}),
		"joinedOn": cognito.NewDateTimeAttribute(nil),
	},
})
As shown in the code snippet, there are data types that are available for custom attributes. The 'String' and 'Number' data types allow for further constraints on their length and values, respectively.
Custom attributes cannot be marked as required.
All custom attributes share the property mutable that specifies whether the value of the attribute can be changed. The default value is false.
User pools come with two 'built-in' attributes - email_verified and phone_number_verified. These cannot be configured (required-ness or mutability) as part of user pool creation. However, user pool administrators can modify them for specific users using the AdminUpdateUserAttributes API.
Attribute verification
When your user updates an email address or phone number attribute, Amazon Cognito marks it unverified until they verify the new value. You can’t send messages to an unverified email address or phone number. Your user can’t sign in with an unverified alias attribute. You can choose how Amazon Cognito handles an updated email address or phone number after the update and before the verification.
Learn more on configuring email or phone verification in Cognito's documentation.
The following code configures a user pool that keeps the original value for the two standard attributes (email and phone_number) until the new values are verified.
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	// ...
	SignInAliases: &cognito.SignInAliases{
		Username: jsii.Boolean(true),
	},
	AutoVerify: &cognito.AutoVerifiedAttrs{
		Email: jsii.Boolean(true),
		Phone: jsii.Boolean(true),
	},
	KeepOriginal: &cognito.KeepOriginalAttrs{
		Email: jsii.Boolean(true),
		Phone: jsii.Boolean(true),
	},
})
Security
Cognito sends various messages to its users via SMS, for different actions, ranging from account verification to marketing. In order to send SMS messages, Cognito needs an IAM role that it can assume, with permissions that allow it to send SMS messages.
By default, the CDK looks at all of the specified properties (and their defaults when not explicitly specified) and automatically creates an SMS role, when needed. For example, if MFA second factor by SMS is enabled, the CDK will create a new role. The smsRole property can be used to specify the user supplied role that should be used instead. Additionally, the property enableSmsRole can be used to override the CDK's default behaviour to either enable or suppress automatic role creation.
poolSmsRole := iam.NewRole(this, jsii.String("userpoolsmsrole"), &iam.RoleProps{
	AssumedBy: iam.NewServicePrincipal(jsii.String("foo"), nil),
})
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	// ...
	SmsRole:           poolSmsRole,
	SmsRoleExternalId: jsii.String("c87467be-4f34-11ea-b77f-2e728ce88125"),
})
When the smsRole property is specified, the smsRoleExternalId may also be specified. The value of smsRoleExternalId will be used as the sts:ExternalId when the Cognito service assumes the role. In turn, the role's assume role policy should be configured to accept this value as the ExternalId. Learn more about ExternalId here.
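The assume role policy described above, as an added example that is not part of this README or the CDK's own code: it builds the trust policy an SMS role needs for a given external ID and lints an existing policy document for a missing or mismatched sts:ExternalId condition. The function names and the weak sample policy are constructed for illustration, the check assumes Statement is a list (the form the CDK emits), and the external ID is the sample value from the snippet above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Service principal Cognito user pools use when assuming the SMS role.
const cognitoPrincipal = "cognito-idp.amazonaws.com"

// stmt holds the parts of a trust-policy statement this check reads.
type stmt struct {
	Effect    string
	Principal json.RawMessage
	Action    json.RawMessage
	Condition map[string]map[string]json.RawMessage
}

// strs decodes an IAM value that is either one string or a list of strings.
func strs(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	_ = json.Unmarshal(raw, &many)
	return many
}

// has reports whether list contains want, ignoring case.
func has(list []string, want string) bool {
	for _, v := range list {
		if strings.EqualFold(v, want) {
			return true
		}
	}
	return false
}

// appliesToCognito: does s allow the Cognito service to call sts:AssumeRole?
func appliesToCognito(s stmt) bool {
	var principal map[string]json.RawMessage
	if s.Effect != "Allow" || json.Unmarshal(s.Principal, &principal) != nil {
		return false // wildcard or missing principals are out of scope here
	}
	return has(strs(s.Action), "sts:AssumeRole") && has(strs(principal["Service"]), cognitoPrincipal)
}

// externalIDs returns the values of a StringEquals sts:ExternalId condition.
func externalIDs(s stmt) []string {
	for op, keys := range s.Condition {
		for k, v := range keys {
			if strings.EqualFold(op, "StringEquals") && strings.EqualFold(k, "sts:ExternalId") {
				return strs(v)
			}
		}
	}
	return nil
}

// CheckSmsRoleTrust lints a trust policy; an empty result means no findings.
func CheckSmsRoleTrust(policy []byte, wantID string) ([]string, error) {
	var doc struct{ Statement []stmt }
	if err := json.Unmarshal(policy, &doc); err != nil {
		return nil, err
	}
	var findings []string
	trusted := false
	for i, s := range doc.Statement {
		if !appliesToCognito(s) {
			continue
		}
		trusted = true
		if ids := externalIDs(s); len(ids) != 1 || ids[0] != wantID {
			findings = append(findings, fmt.Sprintf("statement %d: sts:ExternalId condition missing or not equal to smsRoleExternalId (found %q)", i, ids))
		}
	}
	if !trusted {
		findings = append(findings, "no Allow statement lets "+cognitoPrincipal+" call sts:AssumeRole")
	}
	return findings, nil
}

// BuildSmsRoleTrust returns the trust policy that accepts only externalID.
func BuildSmsRoleTrust(externalID string) []byte {
	id, _ := json.Marshal(externalID)
	return []byte(fmt.Sprintf(`{"Version":"2012-10-17","Statement":[{"Effect":"Allow",`+
		`"Principal":{"Service":%q},"Action":"sts:AssumeRole",`+
		`"Condition":{"StringEquals":{"sts:ExternalId":%s}}}]}`, cognitoPrincipal, id))
}

func main() {
	id := "c87467be-4f34-11ea-b77f-2e728ce88125" // sample value from the snippet above
	fmt.Println(string(BuildSmsRoleTrust(id)))
	// Constructed sample: trusts Cognito but has no ExternalId condition.
	weak := `{"Statement":[{"Effect":"Allow","Principal":{"Service":"cognito-idp.amazonaws.com"},"Action":"sts:AssumeRole"}]}`
	fmt.Println(CheckSmsRoleTrust([]byte(weak), id))
}
```

A role whose trust policy names the Cognito service principal without the condition can be assumed on behalf of any user pool that references it, which is the case the lint reports.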
Multi-factor Authentication (MFA)
User pools can be configured to enable multi-factor authentication (MFA). It can either be turned off, set to optional or made required. Setting MFA to optional means that individual users can choose to enable it. Additionally, the MFA code can be sent either via SMS text message or via a time-based software token. See the documentation on MFA to learn more.
The following code snippet marks MFA for the user pool as required. This means that all users are required to configure an MFA token and use it for sign in. It also allows users to use both SMS-based MFA and time-based one-time passwords (TOTP).
If you want to enable email-based MFA, set the email property to the Amazon SES email-sending configuration and set featurePlan to FeaturePlan.ESSENTIALS or FeaturePlan.PLUS.
For more information, see SMS and email message MFA.
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	// ...
	Mfa: cognito.Mfa_REQUIRED,
	MfaSecondFactor: &cognito.MfaSecondFactor{
		Sms:   jsii.Boolean(true),
		Otp:   jsii.Boolean(true),
		Email: jsii.Boolean(false),
	},
})
User pools can be configured with policies around a user's password. This includes the password length and the character sets that they must contain.
Further to this, it can also be configured with the validity of the auto-generated temporary password. A temporary password is generated by the user pool either when an admin signs up a user or when a password reset is requested. The validity of this password dictates how long to give the user to use this password before expiring it.
You can also set a policy for password reuse by setting the passwordHistorySize property.
You can prevent a user from resetting their password to a new password that matches their current password or any of up to 23 additional previous passwords, for a maximum total of 24.
The passwordHistorySize property cannot be set when featurePlan is FeaturePlan.LITE.
The following code snippet configures these properties -
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	// ...
	PasswordPolicy: &cognito.PasswordPolicy{
		MinLength:            jsii.Number(12),
		RequireLowercase:     jsii.Boolean(true),
		RequireUppercase:     jsii.Boolean(true),
		RequireDigits:        jsii.Boolean(true),
		RequireSymbols:       jsii.Boolean(true),
		TempPasswordValidity: awscdk.Duration_Days(jsii.Number(3)),
	},
})
Note that tempPasswordValidity can be specified only in whole days. Specifying fractional days would throw an error.
Account Recovery Settings
User pools can be configured with the method a user should use when recovering the password for their account. This can be email and/or SMS. Read more at Recovering User Accounts.
cognito.NewUserPool(this, jsii.String("UserPool"), &cognito.UserPoolProps{
	// ...
	AccountRecovery: cognito.AccountRecovery_EMAIL_ONLY,
})
The default for account recovery is by phone if available and by email otherwise. A user will not be allowed to reset their password via phone if they are also using it for MFA.
Advanced Security Mode
⚠️ Advanced Security Mode is deprecated in favor of Threat Protection.
User pools can be configured to use Advanced security. You can turn the user pool advanced security features on, and customize the actions that are taken in response to different risks. Or you can use audit mode to gather metrics on detected risks without taking action. In audit mode, the advanced security features publish metrics to Amazon CloudWatch. See the documentation on Advanced security to learn more.
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	// ...
	AdvancedSecurityMode: cognito.AdvancedSecurityMode_ENFORCED,
})
Threat Protection
This feature is only available if your Feature Plan is set to PLUS.
Threat Protection can be set to configure enforcement levels and automatic responses for users in password-based and custom-challenge authentication flows.
For configuration, there are 2 options for standard authentication and custom authentication.
These are represented with properties standardThreatProtectionMode and customThreatProtectionMode.
See the documentation on Threat Protection.
Emails
Cognito sends emails to users in the user pool, when particular actions take place, such as welcome emails, invitation emails, password resets, etc. The address from which these emails are sent can be configured on the user pool. Read more at Email settings for User Pools.
By default, user pools are configured to use Cognito's built in email capability, which will send emails from no-reply@verificationemail.com. If you want to use a custom email address you can configure Cognito to send emails through Amazon SES, which is detailed below.
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	Email: cognito.UserPoolEmail_WithCognito(jsii.String("support@myawesomeapp.com")),
})
For typical production environments, the default email limit is below the required delivery volume. To enable a higher delivery volume, you can configure the UserPool to send emails through Amazon SES. To do so, follow the steps in the Cognito Developer Guide to verify an email address, move the account out of the SES sandbox, and grant Cognito email permissions via an authorization policy.
Once the SES setup is complete, the UserPool can be configured to use the SES email.
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	Email: cognito.UserPoolEmail_WithSES(&cognito.UserPoolSESOptions{
		FromEmail: jsii.String("noreply@myawesomeapp.com"),
		FromName:  jsii.String("Awesome App"),
		ReplyTo:   jsii.String("support@myawesomeapp.com"),
	}),
})
Sending emails through SES requires that SES be configured (as described above) in a valid SES region.
If the UserPool is being created in a different region, sesRegion must be used to specify the correct SES region.
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	Email: cognito.UserPoolEmail_WithSES(&cognito.UserPoolSESOptions{
		SesRegion: jsii.String("us-east-1"),
		FromEmail: jsii.String("noreply@myawesomeapp.com"),
		FromName:  jsii.String("Awesome App"),
		ReplyTo:   jsii.String("support@myawesomeapp.com"),
	}),
})
When sending emails from an SES verified domain, sesVerifiedDomain can be used to specify the domain.
The email address does not need to be verified when sending emails from a verified domain, because the identity of the email configuration can be determined from the domain alone.
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	Email: cognito.UserPoolEmail_WithSES(&cognito.UserPoolSESOptions{
		SesRegion:         jsii.String("us-east-1"),
		FromEmail:         jsii.String("noreply@myawesomeapp.com"),
		FromName:          jsii.String("Awesome App"),
		ReplyTo:           jsii.String("support@myawesomeapp.com"),
		SesVerifiedDomain: jsii.String("myawesomeapp.com"),
	}),
})
If fromName does not comply with the RFC 5322 atom or quoted-string syntax, it will be quoted or mime-encoded.
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	Email: cognito.UserPoolEmail_WithSES(&cognito.UserPoolSESOptions{
		FromEmail: jsii.String("noreply@myawesomeapp.com"),
		FromName:  jsii.String("myname@mycompany.com"),
	}),
})
Device Tracking
User pools can be configured to track devices that users have logged in to. Read more at Device Tracking.
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	// ...
	DeviceTracking: &cognito.DeviceTracking{
		ChallengeRequiredOnNewDevice:     jsii.Boolean(true),
		DeviceOnlyRememberedOnUserPrompt: jsii.Boolean(true),
	},
})
The default is to not track devices.
Lambda Triggers
User pools can be configured such that AWS Lambda functions can be triggered when certain user operations or actions occur, such as, sign up, user confirmation, sign in, etc. They can also be used to add custom authentication challenges, user migrations and custom verification messages. Learn more about triggers at User Pool Workflows with Triggers.
Lambda triggers can either be specified as part of the UserPool initialization, or they can be added later, via methods on the construct, as so -
authChallengeFn := lambda.NewFunction(this, jsii.String("authChallengeFn"), &lambda.FunctionProps{
	Runtime: lambda.Runtime_NODEJS_LATEST(),
	Handler: jsii.String("index.handler"),
	Code:    lambda.Code_FromAsset(jsii.String("path/to/asset"), nil),
})
userpool := cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	// ...
	LambdaTriggers: &cognito.UserPoolTriggers{
		CreateAuthChallenge: authChallengeFn,
	},
})
// The third argument is the trigger event version; V1_0 is the default
userpool.AddTrigger(cognito.UserPoolOperation_USER_MIGRATION(), lambda.NewFunction(this, jsii.String("userMigrationFn"), &lambda.FunctionProps{
	Runtime: lambda.Runtime_NODEJS_LATEST(),
	Handler: jsii.String("index.handler"),
	Code:    lambda.Code_FromAsset(jsii.String("path/to/asset"), nil),
}), cognito.LambdaVersion_V1_0)
Additionally, only the pre token generation Lambda trigger supports trigger events with lambda version V2.0:
var userpool cognito.UserPool
var preTokenGenerationFn lambda.Function
userpool.AddTrigger(cognito.UserPoolOperation_PRE_TOKEN_GENERATION_CONFIG(), preTokenGenerationFn, cognito.LambdaVersion_V2_0)
The following table lists the set of triggers available, and their corresponding method to add it to the user pool. For more information on the function of these triggers and how to configure them, read User Pool Workflows with Triggers.
Trigger Permissions
The function.attachToRolePolicy() API can be used to add additional IAM permissions to the lambda trigger as necessary.
⚠️ Using the attachToRolePolicy API to provide permissions to your user pool will result in a circular dependency. See aws/aws-cdk#7016.
Error message when running cdk synth or cdk deploy:
Circular dependency between resources: [pool056F3F7E, fnPostAuthFnCognitoA630A2B1, ...]
To work around the circular dependency issue, use the attachInlinePolicy() API instead, as shown below.
var postAuthFn lambda.Function
userpool := cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	LambdaTriggers: &cognito.UserPoolTriggers{
		PostAuthentication: postAuthFn,
	},
})
// provide permissions to describe the user pool, scoped to the ARN of the user pool
postAuthFn.Role().AttachInlinePolicy(iam.NewPolicy(this, jsii.String("userpool-policy"), &iam.PolicyProps{
	Statements: &[]iam.PolicyStatement{
		iam.NewPolicyStatement(&iam.PolicyStatementProps{
			Actions: &[]*string{
				jsii.String("cognito-idp:DescribeUserPool"),
			},
			Resources: &[]*string{
				userpool.UserPoolArn(),
			},
		}),
	},
}))
Importing User Pools
Any user pool that has been created outside of this stack can be imported into the CDK app. Importing a user pool allows for it to be used in other parts of the CDK app that reference an IUserPool. However, imported user pools have limited configurability. As a rule of thumb, none of the properties that are part of the AWS::Cognito::UserPool CloudFormation resource can be configured.
User pools can be imported either using their id via the UserPool.fromUserPoolId(), or by using their ARN, via the UserPool.fromUserPoolArn() API.
awesomePool := cognito.UserPool_FromUserPoolId(this, jsii.String("awesome-user-pool"), jsii.String("us-east-1_oiuR12Abd"))
otherAwesomePool := cognito.UserPool_FromUserPoolArn(this, jsii.String("other-awesome-user-pool"), jsii.String("arn:aws:cognito-idp:eu-west-1:123456789012:userpool/us-east-1_mtRyYQ14D"))
Identity Providers
Users that are part of a user pool can sign in either directly through a user pool, or federate through a third-party identity provider. Once configured, the Cognito backend will take care of integrating with the third-party provider. Read more about Adding User Pool Sign-in Through a Third Party.
The following third-party identity providers are currently supported in the CDK -
The following code configures a user pool to federate with the third party provider, 'Login with Amazon'. The identity provider needs to be configured with a set of credentials that the Cognito backend can use to federate with the third-party identity provider.
userpool := cognito.NewUserPool(this, jsii.String("Pool"), nil)
provider := cognito.NewUserPoolIdentityProviderAmazon(this, jsii.String("Amazon"), &cognito.UserPoolIdentityProviderAmazonProps{
	ClientId:     jsii.String("amzn-client-id"),
	ClientSecret: jsii.String("amzn-client-secret"),
	UserPool:     userpool,
})
With the Google identity provider, it is possible to use clientSecretValue with a SecretValue from Secrets Manager.
userpool := cognito.NewUserPool(this, jsii.String("Pool"), nil)
secret := secretsmanager.Secret_FromSecretAttributes(this, jsii.String("CognitoClientSecret"), &secretsmanager.SecretAttributes{
	SecretCompleteArn: jsii.String("arn:aws:secretsmanager:xxx:xxx:secret:xxx-xxx"),
}).SecretValue()
provider := cognito.NewUserPoolIdentityProviderGoogle(this, jsii.String("Google"), &cognito.UserPoolIdentityProviderGoogleProps{
	ClientId:          jsii.String("amzn-client-id"),
	ClientSecretValue: secret,
	UserPool:          userpool,
})
With the SAML identity provider, it is possible to use either the SAML metadata file content or a SAML metadata file URL.
userpool := cognito.NewUserPool(this, jsii.String("Pool"), nil)
// specify the metadata as a file content
cognito.NewUserPoolIdentityProviderSaml(this, jsii.String("userpoolIdpFile"), &cognito.UserPoolIdentityProviderSamlProps{
	UserPool: userpool,
	Metadata: cognito.UserPoolIdentityProviderSamlMetadata_File(jsii.String("my-file-contents")),
	// Whether to require encrypted SAML assertions from IdP
	EncryptedResponses: jsii.Boolean(true),
	// The signing algorithm for the SAML requests
	RequestSigningAlgorithm: cognito.SigningAlgorithm_RSA_SHA256,
	// Enable IdP initiated SAML auth flow
	IdpInitiated: jsii.Boolean(true),
})
// specify the metadata as a URL
cognito.NewUserPoolIdentityProviderSaml(this, jsii.String("userpoolidpUrl"), &cognito.UserPoolIdentityProviderSamlProps{
	UserPool: userpool,
	Metadata: cognito.UserPoolIdentityProviderSamlMetadata_Url(jsii.String("https://my-metadata-url.com")),
})
Attribute mapping allows mapping attributes provided by the third-party identity providers to standard and custom attributes of the user pool. Learn more about Specifying Identity Provider Attribute Mappings for Your User Pool.
The following code shows how different attributes provided by 'Login With Amazon' can be mapped to standard and custom user pool attributes.
userpool := cognito.NewUserPool(this, jsii.String("Pool"), nil)
cognito.NewUserPoolIdentityProviderAmazon(this, jsii.String("Amazon"), &cognito.UserPoolIdentityProviderAmazonProps{
	ClientId:     jsii.String("amzn-client-id"),
	ClientSecret: jsii.String("amzn-client-secret"),
	UserPool:     userpool,
	AttributeMapping: &cognito.AttributeMapping{
		Email:   cognito.ProviderAttribute_AMAZON_EMAIL(),
		Website: cognito.ProviderAttribute_Other(jsii.String("url")), // use other() when an attribute is not pre-defined in the CDK
		Custom: &map[string]cognito.ProviderAttribute{
			// custom user pool attributes go here
			"uniqueId": cognito.ProviderAttribute_AMAZON_USER_ID(),
		},
	},
})
App Clients
An app is an entity within a user pool that has permission to call unauthenticated APIs (APIs that do not have an authenticated user), such as APIs to register, sign in, and handle forgotten passwords. To call these APIs, you need an app client ID and an optional client secret. Read Configuring a User Pool App Client to learn more.
The following code creates an app client and retrieves the client id -
pool := cognito.NewUserPool(this, jsii.String("pool"), nil)
client := pool.AddClient(jsii.String("customer-app-client"), nil)
clientId := client.UserPoolClientId()
Existing app clients can be imported into the CDK app using the UserPoolClient.fromUserPoolClientId() API. For new and imported user pools, clients can also be created via the UserPoolClient constructor, as so -
importedPool := cognito.UserPool_FromUserPoolId(this, jsii.String("imported-pool"), jsii.String("us-east-1_oiuR12Abd"))
cognito.NewUserPoolClient(this, jsii.String("customer-app-client"), &cognito.UserPoolClientProps{
	UserPool: importedPool,
})
Clients can be configured with authentication flows. Authentication flows allow users on a client to be authenticated with a user pool. Cognito user pools provide several different types of authentication, such as SRP (Secure Remote Password) authentication and username-and-password authentication. Learn more about this at UserPool Authentication Flow.
The following code configures a client to use both SRP and username-and-password authentication -
pool := cognito.NewUserPool(this, jsii.String("pool"), nil)
pool.AddClient(jsii.String("app-client"), &cognito.UserPoolClientOptions{
	AuthFlows: &cognito.AuthFlow{
		UserPassword: jsii.Boolean(true),
		UserSrp: jsii.Boolean(true),
	},
})
Custom authentication protocols can be configured by setting the custom property under authFlow and defining lambda functions for the corresponding user pool triggers. Learn more at Custom Authentication Flow.
Choice-based authentication can be configured by setting the user property under authFlow. This enables the USER_AUTH authentication flow. Learn more at Choice-based authentication.
In addition to these authentication mechanisms, Cognito user pools also support using the OAuth 2.0 framework for authenticating users. User pool clients can be configured with OAuth 2.0 authorization flows and scopes. Learn more about the OAuth 2.0 authorization framework and Cognito user pool's implementation of OAuth2.0.
The following code configures an app client with the authorization code grant flow and registers the app's welcome page as a callback (or redirect) URL. It also configures the access token scope to 'openid'. All of these concepts can be found in the OAuth 2.0 RFC.
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)
pool.AddClient(jsii.String("app-client"), &cognito.UserPoolClientOptions{
	OAuth: &cognito.OAuthSettings{
		Flows: &cognito.OAuthFlows{
			AuthorizationCodeGrant: jsii.Boolean(true),
		},
		Scopes: &[]cognito.OAuthScope{
			cognito.OAuthScope_OPENID(),
		},
		CallbackUrls: &[]*string{
			jsii.String("https://my-app-domain.com/welcome"),
		},
		LogoutUrls: &[]*string{
			jsii.String("https://my-app-domain.com/signin"),
		},
	},
})
To set a default redirect URI, use the defaultRedirectUri property. Its value must be present in the callbackUrls list.
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)
pool.AddClient(jsii.String("app-client"), &cognito.UserPoolClientOptions{
	OAuth: &cognito.OAuthSettings{
		Flows: &cognito.OAuthFlows{
			AuthorizationCodeGrant: jsii.Boolean(true),
		},
		Scopes: &[]cognito.OAuthScope{
			cognito.OAuthScope_OPENID(),
		},
		DefaultRedirectUri: jsii.String("https://my-app-domain.com/welcome"),
		CallbackUrls: &[]*string{
			jsii.String("https://my-app-domain.com/welcome"),
			jsii.String("https://my-app-domain.com/hello"),
		},
		LogoutUrls: &[]*string{
			jsii.String("https://my-app-domain.com/signin"),
		},
	},
})
An app client can be configured to prevent user existence errors. This instructs the Cognito authentication API to return generic authentication failure responses instead of a UserNotFoundException. By default, the flag is not set, which means the CloudFormation default (false) will be used. See the documentation for the full details on the behavior of this flag.
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)
pool.AddClient(jsii.String("app-client"), &cognito.UserPoolClientOptions{
	PreventUserExistenceErrors: jsii.Boolean(true),
})
All identity providers created in the CDK app are automatically registered into the corresponding user pool. All app clients created in the CDK have all of the identity providers enabled by default. The 'Cognito' identity provider, which allows users to register and sign in directly with the Cognito user pool, is also enabled by default. Alternatively, the list of supported identity providers for a client can be explicitly specified -
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)
pool.AddClient(jsii.String("app-client"), &cognito.UserPoolClientOptions{
	// ...
	SupportedIdentityProviders: &[]cognito.UserPoolClientIdentityProvider{
		cognito.UserPoolClientIdentityProvider_AMAZON(),
		cognito.UserPoolClientIdentityProvider_COGNITO(),
	},
})
If the identity provider and the app client are created in the same stack, specify the dependency between both constructs to make sure that the identity provider already exists when the app client is created. The app client cannot handle the dependency to the identity provider automatically because the client does not have access to the provider's construct.
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)
provider := cognito.NewUserPoolIdentityProviderAmazon(this, jsii.String("Amazon"), &cognito.UserPoolIdentityProviderAmazonProps{
	UserPool: pool,
	ClientId: jsii.String("amzn-client-id"),
	ClientSecret: jsii.String("amzn-client-secret"),
})
client := pool.AddClient(jsii.String("app-client"), &cognito.UserPoolClientOptions{
	// ...
	SupportedIdentityProviders: &[]cognito.UserPoolClientIdentityProvider{
		cognito.UserPoolClientIdentityProvider_AMAZON(),
	},
})
client.Node().AddDependency(provider)
The authSessionValidity property sets how long the session token for each API request in the authentication flow remains valid. Valid durations are from 3 to 15 minutes.
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)
pool.AddClient(jsii.String("app-client"), &cognito.UserPoolClientOptions{
	// ...
	AuthSessionValidity: awscdk.Duration_Minutes(jsii.Number(15)),
})
In accordance with the OIDC open standard, Cognito user pool clients provide access tokens, ID tokens and refresh tokens. More information is available at Using Tokens with User Pools. The expiration time for these tokens can be configured as shown below.
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)
pool.AddClient(jsii.String("app-client"), &cognito.UserPoolClientOptions{
	// ...
	AccessTokenValidity: awscdk.Duration_Minutes(jsii.Number(60)),
	IdTokenValidity: awscdk.Duration_Minutes(jsii.Number(60)),
	RefreshTokenValidity: awscdk.Duration_Days(jsii.Number(30)),
})
Clients can (and should) be allowed to read and write relevant user attributes only. Usually every client can be allowed to read the given_name attribute but not every client should be allowed to set the email_verified attribute. The same criteria apply to both standard and custom attributes; more info is available at Attribute Permissions and Scopes.
The default behaviour is to allow read and write permissions on all attributes. The following code shows how this can be configured for a client.
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)
clientWriteAttributes := cognito.NewClientAttributes().WithStandardAttributes(&cognito.StandardAttributesMask{
	Fullname: jsii.Boolean(true),
	Email: jsii.Boolean(true),
}).WithCustomAttributes(jsii.String("favoritePizza"), jsii.String("favoriteBeverage"))
clientReadAttributes := clientWriteAttributes.WithStandardAttributes(&cognito.StandardAttributesMask{
	EmailVerified: jsii.Boolean(true),
}).WithCustomAttributes(jsii.String("pointsEarned"))
pool.AddClient(jsii.String("app-client"), &cognito.UserPoolClientOptions{
	// ...
	ReadAttributes: clientReadAttributes,
	WriteAttributes: clientWriteAttributes,
})
Token revocation can be configured to be able to revoke refresh tokens in app clients. By default, token revocation is enabled for new user pools. The property can be used to enable the token revocation in existing app clients or to change the default behavior.
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)
pool.AddClient(jsii.String("app-client"), &cognito.UserPoolClientOptions{
	// ...
	EnableTokenRevocation: jsii.Boolean(true),
})
User Pool clients can generate a client ID as well as a client secret, to support more advanced authentication workflows.
To create a client with an autogenerated client secret, pass the generateSecret: true prop:
var importedPool cognito.UserPool
userPoolClient := cognito.NewUserPoolClient(this, jsii.String("UserPoolClient"), &cognito.UserPoolClientProps{
	UserPool: importedPool,
	GenerateSecret: jsii.Boolean(true),
})
// Allows you to pass the generated secret to other pieces of infrastructure
secret := userPoolClient.UserPoolClientSecret()
If you set enablePropagateAdditionalUserContextData: true, you can collect and pass information about your user's session to Amazon Cognito advanced security when you use the API to sign them up, sign them in, and reset their password.
var importedPool cognito.UserPool
userPoolClient := cognito.NewUserPoolClient(this, jsii.String("UserPoolClient"), &cognito.UserPoolClientProps{
	UserPool: importedPool,
	GenerateSecret: jsii.Boolean(true),
	EnablePropagateAdditionalUserContextData: jsii.Boolean(true),
})
See Adding user device and session data to API requests for more information.
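One way to audit the app client settings covered in this section is to check the synthesized CloudFormation template before it is deployed. The following is an added example, not part of the CDK README: the template is constructed, `lintClients` and its rule set are illustrative, and the property names are those of the AWS::Cognito::UserPoolClient resource.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample of a synthesized template: one weak client, one hardened client.
const sampleTemplate = `{"Resources": {
  "Pool": {"Type": "AWS::Cognito::UserPool", "Properties": {"UserPoolName": "demo"}},
  "WeakClient": {"Type": "AWS::Cognito::UserPoolClient", "Properties": {
    "AllowedOAuthFlows": ["implicit"],
    "CallbackURLs": ["https://myapp.com/home"],
    "DefaultRedirectURI": "https://myapp.com/welcome",
    "ExplicitAuthFlows": ["ALLOW_USER_PASSWORD_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"],
    "EnableTokenRevocation": false}},
  "HardenedClient": {"Type": "AWS::Cognito::UserPoolClient", "Properties": {
    "AllowedOAuthFlows": ["code"],
    "CallbackURLs": ["https://my-app-domain.com/welcome"],
    "DefaultRedirectURI": "https://my-app-domain.com/welcome",
    "ExplicitAuthFlows": ["ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"],
    "PreventUserExistenceErrors": "ENABLED", "EnableTokenRevocation": true,
    "ReadAttributes": ["email", "email_verified", "name"],
    "WriteAttributes": ["email", "name"]}}
}}`

// clientProps lists the AWS::Cognito::UserPoolClient properties inspected below.
type clientProps struct {
	AllowedOAuthFlows, CallbackURLs, ExplicitAuthFlows []string
	ReadAttributes, WriteAttributes                    []string
	DefaultRedirectURI, PreventUserExistenceErrors     string
	EnableTokenRevocation                              *bool
}

func contains(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

// lintClients returns sorted findings; a property that is not a literal value yields an error.
func lintClients(tmpl []byte) ([]string, error) {
	var doc struct {
		Resources map[string]struct {
			Type       string
			Properties json.RawMessage
		}
	}
	if err := json.Unmarshal(tmpl, &doc); err != nil {
		return nil, err
	}
	var findings []string
	for id, res := range doc.Resources {
		if res.Type != "AWS::Cognito::UserPoolClient" || len(res.Properties) == 0 {
			continue
		}
		var p clientProps
		if err := json.Unmarshal(res.Properties, &p); err != nil {
			return nil, fmt.Errorf("%s: %w", id, err)
		}
		report := func(msg string) { findings = append(findings, id+": "+msg) }
		if contains(p.AllowedOAuthFlows, "implicit") {
			report("implicit grant enabled; prefer the authorization code grant")
		}
		if p.DefaultRedirectURI != "" && !contains(p.CallbackURLs, p.DefaultRedirectURI) {
			report("DefaultRedirectURI is not listed in CallbackURLs")
		}
		if contains(p.ExplicitAuthFlows, "ALLOW_USER_PASSWORD_AUTH") {
			report("username-and-password flow enabled; prefer SRP where clients support it")
		}
		if p.PreventUserExistenceErrors != "ENABLED" {
			report("PreventUserExistenceErrors not ENABLED; failures can reveal whether a user exists")
		}
		if p.EnableTokenRevocation != nil && !*p.EnableTokenRevocation {
			report("token revocation explicitly disabled")
		}
		if len(p.ReadAttributes) == 0 || len(p.WriteAttributes) == 0 {
			report("ReadAttributes or WriteAttributes unset; the default allows all attributes")
		}
	}
	sort.Strings(findings)
	return findings, nil
}

func main() {
	findings, err := lintClients([]byte(sampleTemplate))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```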
Resource Servers
A resource server is a server for access-protected resources. It handles authenticated requests from an app that has an access token. See Defining Resource Servers for more information.
An application may choose to model custom permissions via OAuth. Resource Servers provide this capability via custom scopes that are attached to an app client. The following example sets up a resource server for the 'users' resource for two different app clients and configures the clients to use these scopes.
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)
readOnlyScope := cognito.NewResourceServerScope(&cognito.ResourceServerScopeProps{
	ScopeName: jsii.String("read"),
	ScopeDescription: jsii.String("Read-only access"),
})
fullAccessScope := cognito.NewResourceServerScope(&cognito.ResourceServerScopeProps{
	ScopeName: jsii.String("*"),
	ScopeDescription: jsii.String("Full access"),
})
userServer := pool.AddResourceServer(jsii.String("ResourceServer"), &cognito.UserPoolResourceServerOptions{
	Identifier: jsii.String("users"),
	Scopes: &[]cognito.ResourceServerScope{
		readOnlyScope,
		fullAccessScope,
	},
})
readOnlyClient := pool.AddClient(jsii.String("read-only-client"), &cognito.UserPoolClientOptions{
	// ...
	OAuth: &cognito.OAuthSettings{
		// ...
		Scopes: &[]cognito.OAuthScope{
			cognito.OAuthScope_ResourceServer(userServer, readOnlyScope),
		},
	},
})
fullAccessClient := pool.AddClient(jsii.String("full-access-client"), &cognito.UserPoolClientOptions{
	// ...
	OAuth: &cognito.OAuthSettings{
		// ...
		Scopes: &[]cognito.OAuthScope{
			cognito.OAuthScope_ResourceServer(userServer, fullAccessScope),
		},
	},
})
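On the resource-server side, the custom scopes defined above arrive in the access token's `scope` claim as `<identifier>/<scopeName>`, here `users/read` and `users/*`. The following added example, not part of the CDK README, verifies a token and enforces those scopes with the Go standard library only; the key, issuer and function names are constructed, and it assumes the signing key has already been selected from the user pool's published keys.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// claims holds the access-token fields this resource server relies on.
type claims struct {
	Iss      string `json:"iss"`
	TokenUse string `json:"token_use"`
	Scope    string `json:"scope"` // space-separated, e.g. "users/read"
	Exp      int64  `json:"exp"`
}

// verify checks the RS256 signature, then issuer, token type and expiry.
func verify(token string, key *rsa.PublicKey, issuer string, now time.Time) (claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims{}, errors.New("malformed token")
	}
	var hdr struct{ Alg string }
	raw, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return claims{}, errors.New("unsupported header") // algorithm is pinned
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return claims{}, errors.New("bad signature")
	}
	var c claims
	raw, err = b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &c) != nil {
		return claims{}, errors.New("bad payload")
	}
	if c.Iss != issuer || c.TokenUse != "access" || now.Unix() >= c.Exp {
		return claims{}, errors.New("issuer, token_use or expiry check failed")
	}
	return c, nil
}

// allows reports whether the token carries "<identifier>/<scopeName>". Cognito treats "*" as an
// ordinary scope name; honouring "<identifier>/*" as full access is this server's policy (assumption).
func allows(c claims, identifier, scopeName string) bool {
	for _, s := range strings.Fields(c.Scope) {
		if s == identifier+"/"+scopeName || s == identifier+"/*" {
			return true
		}
	}
	return false
}

// sign builds a demo token; real tokens are issued by the user pool.
func sign(key *rsa.PrivateKey, c claims) string {
	body, _ := json.Marshal(c)
	msg := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(msg))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return msg + "." + b64.EncodeToString(sig)
}

// demo exercises the checks with a throwaway key and a constructed issuer.
func demo() map[string]bool {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	iss := "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
	now := time.Unix(1700000000, 0)
	mk := func(use, scope string, ttl int64) string {
		return sign(key, claims{Iss: iss, TokenUse: use, Scope: scope, Exp: now.Unix() + ttl})
	}
	ro, _ := verify(mk("access", "users/read", 3600), &key.PublicKey, iss, now)
	full, _ := verify(mk("access", "users/*", 3600), &key.PublicKey, iss, now)
	_, idErr := verify(mk("id", "users/*", 3600), &key.PublicKey, iss, now)
	_, expErr := verify(mk("access", "users/*", -1), &key.PublicKey, iss, now)
	return map[string]bool{
		"read-only token may read":    allows(ro, "users", "read"),
		"read-only token may write":   allows(ro, "users", "write"),
		"full-access token may write": allows(full, "users", "write"),
		"ID token rejected":           idErr != nil,
		"expired token rejected":      expErr != nil,
	}
}

func main() {
	fmt.Println(demo())
}
```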
Domains
After setting up an app client, the address for the user pool's sign-up and sign-in webpages can be configured using domains. There are two ways to set up a domain - either the Amazon Cognito hosted domain can be chosen with an available domain prefix, or a custom domain name can be chosen. The custom domain must be one that is already owned, and whose certificate is registered in AWS Certificate Manager.
The following code sets up a user pool domain in Amazon Cognito hosted domain with the prefix 'my-awesome-app', and another domain with the custom domain 'user.myapp.com' -
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)
pool.AddDomain(jsii.String("CognitoDomain"), &cognito.UserPoolDomainOptions{
	CognitoDomain: &cognito.CognitoDomainOptions{
		DomainPrefix: jsii.String("my-awesome-app"),
	},
})
certificateArn := jsii.String("arn:aws:acm:us-east-1:123456789012:certificate/11-3336f1-44483d-adc7-9cd375c5169d")
domainCert := certificatemanager.Certificate_FromCertificateArn(this, jsii.String("domainCert"), certificateArn)
pool.AddDomain(jsii.String("CustomDomain"), &cognito.UserPoolDomainOptions{
	CustomDomain: &cognito.CustomDomainOptions{
		DomainName: jsii.String("user.myapp.com"),
		Certificate: domainCert,
	},
})
Read more about Using the Amazon Cognito Domain and Using Your Own Domain.
You can use the managed login page provided by Amazon Cognito to sign in users. The managed login page has two versions: a classic version and a new version. You can switch between the two versions by using the managedLoginVersion property.
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)
// Use the new managed login page
pool.AddDomain(jsii.String("CognitoDomainWithBlandingDesignManagedLogin"), &cognito.UserPoolDomainOptions{
	CognitoDomain: &cognito.CognitoDomainOptions{
		DomainPrefix: jsii.String("blanding-design-ui"),
	},
	ManagedLoginVersion: cognito.ManagedLoginVersion_NEWER_MANAGED_LOGIN,
})
// Use the classic hosted UI
pool.AddDomain(jsii.String("DomainWithClassicHostedUi"), &cognito.UserPoolDomainOptions{
	CognitoDomain: &cognito.CognitoDomainOptions{
		DomainPrefix: jsii.String("classic-hosted-ui"),
	},
	ManagedLoginVersion: cognito.ManagedLoginVersion_CLASSIC_HOSTED_UI,
})
The signInUrl() method returns the fully qualified URL to the login page for the user pool. This page comes from the hosted UI configured with Cognito. Learn more at Hosted UI with the Amazon Cognito Console.
userpool := cognito.NewUserPool(this, jsii.String("UserPool"), &cognito.UserPoolProps{
})
client := userpool.AddClient(jsii.String("Client"), &cognito.UserPoolClientOptions{
	// ...
	OAuth: &cognito.OAuthSettings{
		Flows: &cognito.OAuthFlows{
			ImplicitCodeGrant: jsii.Boolean(true),
		},
		CallbackUrls: &[]*string{
			jsii.String("https://myapp.com/home"),
			jsii.String("https://myapp.com/users"),
		},
	},
})
domain := userpool.AddDomain(jsii.String("Domain"), &cognito.UserPoolDomainOptions{
})
signInUrl := domain.SignInUrl(client, &cognito.SignInUrlOptions{
	RedirectUri: jsii.String("https://myapp.com/home"), // one of the client's CallbackUrls
})
Existing domains can be imported into CDK apps using the UserPoolDomain.fromDomainName() API.
myUserPoolDomain := cognito.UserPoolDomain_FromDomainName(this, jsii.String("my-user-pool-domain"), jsii.String("domain-name"))
To get the domain name of the CloudFront distribution associated with the user pool domain, use the cloudFrontEndpoint method.
userpool := cognito.NewUserPool(this, jsii.String("UserPool"), nil)
domain := userpool.AddDomain(jsii.String("Domain"), &cognito.UserPoolDomainOptions{
	CognitoDomain: &cognito.CognitoDomainOptions{
		DomainPrefix: jsii.String("my-awesome-app"),
	},
})
awscdk.NewCfnOutput(this, jsii.String("CloudFrontEndpoint"), &awscdk.CfnOutputProps{
	Value: domain.CloudFrontEndpoint(),
})
Deletion protection
Deletion protection can be enabled on a user pool to prevent accidental deletion:
userpool := cognito.NewUserPool(this, jsii.String("UserPool"), &cognito.UserPoolProps{
	// ...
	DeletionProtection: jsii.Boolean(true),
})
By default deletion protection is disabled.
email_verified Attribute Mapping
If you use a third-party identity provider, you can specify the email_verified attribute in attributeMapping.
userpool := cognito.NewUserPool(this, jsii.String("Pool"), nil)
cognito.NewUserPoolIdentityProviderGoogle(this, jsii.String("google"), &cognito.UserPoolIdentityProviderGoogleProps{
	UserPool: userpool,
	ClientId: jsii.String("google-client-id"),
	AttributeMapping: &cognito.AttributeMapping{
		Email: cognito.ProviderAttribute_GOOGLE_EMAIL(),
		EmailVerified: cognito.ProviderAttribute_GOOGLE_EMAIL_VERIFIED(),
	},
})
User Pool Group
Support for groups in Amazon Cognito user pools enables you to create and manage groups and add users to groups. Use groups to create collections of users to manage their permissions or to represent different types of users.
You can assign an AWS Identity and Access Management (IAM) role to a group to define the permissions for members of a group.
For more information, see Adding groups to a user pool.
var userPool cognito.UserPool
var role iam.Role // iam is github.com/aws/aws-cdk-go/awscdk/v2/awsiam
cognito.NewUserPoolGroup(this, jsii.String("UserPoolGroup"), &cognito.UserPoolGroupProps{
	UserPool: userPool,
	GroupName: jsii.String("my-group-name"),
	Precedence: jsii.Number(1),
	Role: role,
})
// You can also add a group by using the AddGroup method.
userPool.AddGroup(jsii.String("AnotherUserPoolGroup"), &cognito.UserPoolGroupOptions{
	GroupName: jsii.String("another-group-name"),
})
Analytics Configuration
User pool clients can be configured with Amazon Pinpoint analytics to collect user activity metrics. This integration enables you to track user engagement and campaign effectiveness.
📝 Note: Amazon Pinpoint isn't available in all AWS Regions. For a list of available Regions, see Amazon Cognito and Amazon Pinpoint Region availability.
The following example shows how to configure analytics for a user pool client:
When specifying a Pinpoint application from the same account
If you specify the application property, do not specify the applicationId, externalId, or roleArn properties.
import pinpoint "github.com/aws/aws-cdk-go/awscdk/v2/awspinpoint"
var userPool cognito.UserPool
var pinpointApp pinpoint.CfnApp
var pinpointRole iam.Role // iam is github.com/aws/aws-cdk-go/awscdk/v2/awsiam
cognito.NewUserPoolClient(this, jsii.String("Client"), &cognito.UserPoolClientProps{
	UserPool: userPool,
	Analytics: &cognito.AnalyticsConfiguration{
		// Your Pinpoint project
		Application: pinpointApp,
		// Whether to include user data in analytics events
		ShareUserData: jsii.Boolean(true),
	},
})
When specifying a Pinpoint application from a different account
If you specify the applicationId, externalId, or roleArn properties, do not specify the application property. (In this case, the applicationId, externalId, and roleArn must all be specified.)
These three attributes are for cases where the Cognito user pool needs to be connected to a Pinpoint app in another account.
import pinpoint "github.com/aws/aws-cdk-go/awscdk/v2/awspinpoint"
var userPool cognito.UserPool
var pinpointApp pinpoint.CfnApp
var pinpointRole iam.Role // iam is github.com/aws/aws-cdk-go/awscdk/v2/awsiam
cognito.NewUserPoolClient(this, jsii.String("Client"), &cognito.UserPoolClientProps{
	UserPool: userPool,
	Analytics: &cognito.AnalyticsConfiguration{
		// Your Pinpoint project ID
		ApplicationId: pinpointApp.Ref(),
		// External ID for the IAM role
		ExternalId: jsii.String("sample-external-id"),
		// IAM role that Cognito can assume to publish to Pinpoint
		Role: pinpointRole,
		// Whether to include user data in analytics events
		ShareUserData: jsii.Boolean(true),
	},
})
Documentation
Index
- func CfnIdentityPoolPrincipalTag_CFN_RESOURCE_TYPE_NAME() *string
- func CfnIdentityPoolPrincipalTag_IsCfnElement(x interface{}) *bool
- func CfnIdentityPoolPrincipalTag_IsCfnResource(x interface{}) *bool
- func CfnIdentityPoolPrincipalTag_IsConstruct(x interface{}) *bool
- func CfnIdentityPoolRoleAttachment_CFN_RESOURCE_TYPE_NAME() *string
- func CfnIdentityPoolRoleAttachment_IsCfnElement(x interface{}) *bool
- func CfnIdentityPoolRoleAttachment_IsCfnResource(x interface{}) *bool
- func CfnIdentityPoolRoleAttachment_IsConstruct(x interface{}) *bool
- func CfnIdentityPool_CFN_RESOURCE_TYPE_NAME() *string
- func CfnIdentityPool_IsCfnElement(x interface{}) *bool
- func CfnIdentityPool_IsCfnResource(x interface{}) *bool
- func CfnIdentityPool_IsConstruct(x interface{}) *bool
- func CfnLogDeliveryConfiguration_CFN_RESOURCE_TYPE_NAME() *string
- func CfnLogDeliveryConfiguration_IsCfnElement(x interface{}) *bool
- func CfnLogDeliveryConfiguration_IsCfnResource(x interface{}) *bool
- func CfnLogDeliveryConfiguration_IsConstruct(x interface{}) *bool
- func CfnManagedLoginBranding_CFN_RESOURCE_TYPE_NAME() *string
- func CfnManagedLoginBranding_IsCfnElement(x interface{}) *bool
- func CfnManagedLoginBranding_IsCfnResource(x interface{}) *bool
- func CfnManagedLoginBranding_IsConstruct(x interface{}) *bool
- func CfnUserPoolClient_CFN_RESOURCE_TYPE_NAME() *string
- func CfnUserPoolClient_IsCfnElement(x interface{}) *bool
- func CfnUserPoolClient_IsCfnResource(x interface{}) *bool
- func CfnUserPoolClient_IsConstruct(x interface{}) *bool
- func CfnUserPoolDomain_CFN_RESOURCE_TYPE_NAME() *string
- func CfnUserPoolDomain_IsCfnElement(x interface{}) *bool
- func CfnUserPoolDomain_IsCfnResource(x interface{}) *bool
- func CfnUserPoolDomain_IsConstruct(x interface{}) *bool
- func CfnUserPoolGroup_CFN_RESOURCE_TYPE_NAME() *string
- func CfnUserPoolGroup_IsCfnElement(x interface{}) *bool
- func CfnUserPoolGroup_IsCfnResource(x interface{}) *bool
- func CfnUserPoolGroup_IsConstruct(x interface{}) *bool
- func CfnUserPoolIdentityProvider_CFN_RESOURCE_TYPE_NAME() *string
- func CfnUserPoolIdentityProvider_IsCfnElement(x interface{}) *bool
- func CfnUserPoolIdentityProvider_IsCfnResource(x interface{}) *bool
- func CfnUserPoolIdentityProvider_IsConstruct(x interface{}) *bool
- func CfnUserPoolResourceServer_CFN_RESOURCE_TYPE_NAME() *string
- func CfnUserPoolResourceServer_IsCfnElement(x interface{}) *bool
- func CfnUserPoolResourceServer_IsCfnResource(x interface{}) *bool
- func CfnUserPoolResourceServer_IsConstruct(x interface{}) *bool
- func CfnUserPoolRiskConfigurationAttachment_CFN_RESOURCE_TYPE_NAME() *string
- func CfnUserPoolRiskConfigurationAttachment_IsCfnElement(x interface{}) *bool
- func CfnUserPoolRiskConfigurationAttachment_IsCfnResource(x interface{}) *bool
- func CfnUserPoolRiskConfigurationAttachment_IsConstruct(x interface{}) *bool
- func CfnUserPoolUICustomizationAttachment_CFN_RESOURCE_TYPE_NAME() *string
- func CfnUserPoolUICustomizationAttachment_IsCfnElement(x interface{}) *bool
- func CfnUserPoolUICustomizationAttachment_IsCfnResource(x interface{}) *bool
- func CfnUserPoolUICustomizationAttachment_IsConstruct(x interface{}) *bool
- func CfnUserPoolUserToGroupAttachment_CFN_RESOURCE_TYPE_NAME() *string
- func CfnUserPoolUserToGroupAttachment_IsCfnElement(x interface{}) *bool
- func CfnUserPoolUserToGroupAttachment_IsCfnResource(x interface{}) *bool
- func CfnUserPoolUserToGroupAttachment_IsConstruct(x interface{}) *bool
- func CfnUserPoolUser_CFN_RESOURCE_TYPE_NAME() *string
- func CfnUserPoolUser_IsCfnElement(x interface{}) *bool
- func CfnUserPoolUser_IsCfnResource(x interface{}) *bool
- func CfnUserPoolUser_IsConstruct(x interface{}) *bool
- func CfnUserPool_CFN_RESOURCE_TYPE_NAME() *string
- func CfnUserPool_IsCfnElement(x interface{}) *bool
- func CfnUserPool_IsCfnResource(x interface{}) *bool
- func CfnUserPool_IsConstruct(x interface{}) *bool
- func NewBooleanAttribute_Override(b BooleanAttribute, props *CustomAttributeProps)
- func NewCfnIdentityPoolPrincipalTag_Override(c CfnIdentityPoolPrincipalTag, scope constructs.Construct, id *string, ...)
- func NewCfnIdentityPoolRoleAttachment_Override(c CfnIdentityPoolRoleAttachment, scope constructs.Construct, id *string, ...)
- func NewCfnIdentityPool_Override(c CfnIdentityPool, scope constructs.Construct, id *string, ...)
- func NewCfnLogDeliveryConfiguration_Override(c CfnLogDeliveryConfiguration, scope constructs.Construct, id *string, ...)
- func NewCfnManagedLoginBranding_Override(c CfnManagedLoginBranding, scope constructs.Construct, id *string, ...)
- func NewCfnUserPoolClient_Override(c CfnUserPoolClient, scope constructs.Construct, id *string, ...)
- func NewCfnUserPoolDomain_Override(c CfnUserPoolDomain, scope constructs.Construct, id *string, ...)
- func NewCfnUserPoolGroup_Override(c CfnUserPoolGroup, scope constructs.Construct, id *string, ...)
- func NewCfnUserPoolIdentityProvider_Override(c CfnUserPoolIdentityProvider, scope constructs.Construct, id *string, ...)
- func NewCfnUserPoolResourceServer_Override(c CfnUserPoolResourceServer, scope constructs.Construct, id *string, ...)
- func NewCfnUserPoolRiskConfigurationAttachment_Override(c CfnUserPoolRiskConfigurationAttachment, scope constructs.Construct, ...)
- func NewCfnUserPoolUICustomizationAttachment_Override(c CfnUserPoolUICustomizationAttachment, scope constructs.Construct, id *string, ...)
- func NewCfnUserPoolUserToGroupAttachment_Override(c CfnUserPoolUserToGroupAttachment, scope constructs.Construct, id *string, ...)
- func NewCfnUserPoolUser_Override(c CfnUserPoolUser, scope constructs.Construct, id *string, ...)
- func NewCfnUserPool_Override(c CfnUserPool, scope constructs.Construct, id *string, props *CfnUserPoolProps)
- func NewClientAttributes_Override(c ClientAttributes)
- func NewDateTimeAttribute_Override(d DateTimeAttribute, props *CustomAttributeProps)
- func NewNumberAttribute_Override(n NumberAttribute, props *NumberAttributeProps)
- func NewResourceServerScope_Override(r ResourceServerScope, props *ResourceServerScopeProps)
- func NewStringAttribute_Override(s StringAttribute, props *StringAttributeProps)
- func NewUserPoolClient_Override(u UserPoolClient, scope constructs.Construct, id *string, ...)
- func NewUserPoolDomain_Override(u UserPoolDomain, scope constructs.Construct, id *string, ...)
- func NewUserPoolEmail_Override(u UserPoolEmail)
- func NewUserPoolGroup_Override(u UserPoolGroup, scope constructs.Construct, id *string, ...)
- func NewUserPoolIdentityProviderAmazon_Override(u UserPoolIdentityProviderAmazon, scope constructs.Construct, id *string, ...)
- func NewUserPoolIdentityProviderApple_Override(u UserPoolIdentityProviderApple, scope constructs.Construct, id *string, ...)
- func NewUserPoolIdentityProviderFacebook_Override(u UserPoolIdentityProviderFacebook, scope constructs.Construct, id *string, ...)
- func NewUserPoolIdentityProviderGoogle_Override(u UserPoolIdentityProviderGoogle, scope constructs.Construct, id *string, ...)
- func NewUserPoolIdentityProviderOidc_Override(u UserPoolIdentityProviderOidc, scope constructs.Construct, id *string, ...)
- func NewUserPoolIdentityProviderSaml_Override(u UserPoolIdentityProviderSaml, scope constructs.Construct, id *string, ...)
- func NewUserPoolResourceServer_Override(u UserPoolResourceServer, scope constructs.Construct, id *string, ...)
- func NewUserPool_Override(u UserPool, scope constructs.Construct, id *string, props *UserPoolProps)
- func UserPoolClient_IsConstruct(x interface{}) *bool
- func UserPoolClient_IsOwnedResource(construct constructs.IConstruct) *bool
- func UserPoolClient_IsResource(construct constructs.IConstruct) *bool
- func UserPoolDomain_IsConstruct(x interface{}) *bool
- func UserPoolDomain_IsOwnedResource(construct constructs.IConstruct) *bool
- func UserPoolDomain_IsResource(construct constructs.IConstruct) *bool
- func UserPoolGroup_IsConstruct(x interface{}) *bool
- func UserPoolGroup_IsOwnedResource(construct constructs.IConstruct) *bool
- func UserPoolGroup_IsResource(construct constructs.IConstruct) *bool
- func UserPoolIdentityProviderAmazon_IsConstruct(x interface{}) *bool
- func UserPoolIdentityProviderAmazon_IsOwnedResource(construct constructs.IConstruct) *bool
- func UserPoolIdentityProviderAmazon_IsResource(construct constructs.IConstruct) *bool
- func UserPoolIdentityProviderApple_IsConstruct(x interface{}) *bool
- func UserPoolIdentityProviderApple_IsOwnedResource(construct constructs.IConstruct) *bool
- func UserPoolIdentityProviderApple_IsResource(construct constructs.IConstruct) *bool
- func UserPoolIdentityProviderFacebook_IsConstruct(x interface{}) *bool
- func UserPoolIdentityProviderFacebook_IsOwnedResource(construct constructs.IConstruct) *bool
- func UserPoolIdentityProviderFacebook_IsResource(construct constructs.IConstruct) *bool
- func UserPoolIdentityProviderGoogle_IsConstruct(x interface{}) *bool
- func UserPoolIdentityProviderGoogle_IsOwnedResource(construct constructs.IConstruct) *bool
- func UserPoolIdentityProviderGoogle_IsResource(construct constructs.IConstruct) *bool
- func UserPoolIdentityProviderOidc_IsConstruct(x interface{}) *bool
- func UserPoolIdentityProviderOidc_IsOwnedResource(construct constructs.IConstruct) *bool
- func UserPoolIdentityProviderOidc_IsResource(construct constructs.IConstruct) *bool
- func UserPoolIdentityProviderSaml_IsConstruct(x interface{}) *bool
- func UserPoolIdentityProviderSaml_IsOwnedResource(construct constructs.IConstruct) *bool
- func UserPoolIdentityProviderSaml_IsResource(construct constructs.IConstruct) *bool
- func UserPoolResourceServer_IsConstruct(x interface{}) *bool
- func UserPoolResourceServer_IsOwnedResource(construct constructs.IConstruct) *bool
- func UserPoolResourceServer_IsResource(construct constructs.IConstruct) *bool
- func UserPool_IsConstruct(x interface{}) *bool
- func UserPool_IsOwnedResource(construct constructs.IConstruct) *bool
- func UserPool_IsResource(construct constructs.IConstruct) *bool
- type AccountRecovery
- type AdvancedSecurityMode (deprecated)
- type AllowedFirstAuthFactors
- type AnalyticsConfiguration
- type AttributeMapping
- type AuthFlow
- type AutoVerifiedAttrs
- type BaseUrlOptions
- type BooleanAttribute
- type CfnIdentityPool
- type CfnIdentityPoolPrincipalTag
- type CfnIdentityPoolPrincipalTagProps
- type CfnIdentityPoolProps
- type CfnIdentityPoolRoleAttachment
- type CfnIdentityPoolRoleAttachmentProps
- type CfnIdentityPoolRoleAttachment_MappingRuleProperty
- type CfnIdentityPoolRoleAttachment_RoleMappingProperty
- type CfnIdentityPoolRoleAttachment_RulesConfigurationTypeProperty
- type CfnIdentityPool_CognitoIdentityProviderProperty
- type CfnIdentityPool_CognitoStreamsProperty
- type CfnIdentityPool_PushSyncProperty
- type CfnLogDeliveryConfiguration
- type CfnLogDeliveryConfigurationProps
- type CfnLogDeliveryConfiguration_CloudWatchLogsConfigurationProperty
- type CfnLogDeliveryConfiguration_FirehoseConfigurationProperty
- type CfnLogDeliveryConfiguration_LogConfigurationProperty
- type CfnLogDeliveryConfiguration_S3ConfigurationProperty
- type CfnManagedLoginBranding
- type CfnManagedLoginBrandingProps
- type CfnManagedLoginBranding_AssetTypeProperty
- type CfnUserPool
- type CfnUserPoolClient
- type CfnUserPoolClientProps
- type CfnUserPoolClient_AnalyticsConfigurationProperty
- type CfnUserPoolClient_TokenValidityUnitsProperty
- type CfnUserPoolDomain
- type CfnUserPoolDomainProps
- type CfnUserPoolDomain_CustomDomainConfigTypeProperty
- type CfnUserPoolGroup
- type CfnUserPoolGroupProps
- type CfnUserPoolIdentityProvider
- type CfnUserPoolIdentityProviderProps
- type CfnUserPoolProps
- type CfnUserPoolResourceServer
- type CfnUserPoolResourceServerProps
- type CfnUserPoolResourceServer_ResourceServerScopeTypeProperty
- type CfnUserPoolRiskConfigurationAttachment
- type CfnUserPoolRiskConfigurationAttachmentProps
- type CfnUserPoolRiskConfigurationAttachment_AccountTakeoverActionTypeProperty
- type CfnUserPoolRiskConfigurationAttachment_AccountTakeoverActionsTypeProperty
- type CfnUserPoolRiskConfigurationAttachment_AccountTakeoverRiskConfigurationTypeProperty
- type CfnUserPoolRiskConfigurationAttachment_CompromisedCredentialsActionsTypeProperty
- type CfnUserPoolRiskConfigurationAttachment_CompromisedCredentialsRiskConfigurationTypeProperty
- type CfnUserPoolRiskConfigurationAttachment_NotifyConfigurationTypeProperty
- type CfnUserPoolRiskConfigurationAttachment_NotifyEmailTypeProperty
- type CfnUserPoolRiskConfigurationAttachment_RiskExceptionConfigurationTypeProperty
- type CfnUserPoolUICustomizationAttachment
- type CfnUserPoolUICustomizationAttachmentProps
- type CfnUserPoolUser
- type CfnUserPoolUserProps
- type CfnUserPoolUserToGroupAttachment
- type CfnUserPoolUserToGroupAttachmentProps
- type CfnUserPoolUser_AttributeTypeProperty
- type CfnUserPool_AccountRecoverySettingProperty
- type CfnUserPool_AdminCreateUserConfigProperty
- type CfnUserPool_AdvancedSecurityAdditionalFlowsProperty
- type CfnUserPool_CustomEmailSenderProperty
- type CfnUserPool_CustomSMSSenderProperty
- type CfnUserPool_DeviceConfigurationProperty
- type CfnUserPool_EmailConfigurationProperty
- type CfnUserPool_InviteMessageTemplateProperty
- type CfnUserPool_LambdaConfigProperty
- type CfnUserPool_NumberAttributeConstraintsProperty
- type CfnUserPool_PasswordPolicyProperty
- type CfnUserPool_PoliciesProperty
- type CfnUserPool_PreTokenGenerationConfigProperty
- type CfnUserPool_RecoveryOptionProperty
- type CfnUserPool_SchemaAttributeProperty
- type CfnUserPool_SignInPolicyProperty
- type CfnUserPool_SmsConfigurationProperty
- type CfnUserPool_StringAttributeConstraintsProperty
- type CfnUserPool_UserAttributeUpdateSettingsProperty
- type CfnUserPool_UserPoolAddOnsProperty
- type CfnUserPool_UsernameConfigurationProperty
- type CfnUserPool_VerificationMessageTemplateProperty
- type ClientAttributes
- type CognitoDomainOptions
- type CustomAttributeConfig
- type CustomAttributeProps
- type CustomDomainOptions
- type CustomThreatProtectionMode
- type DateTimeAttribute
- type DeviceTracking
- type EmailSettings
- type FeaturePlan
- type ICustomAttribute
- type IUserPool
- type IUserPoolClient
- type IUserPoolDomain
- type IUserPoolGroup
- type IUserPoolIdentityProvider
- type IUserPoolResourceServer
- type KeepOriginalAttrs
- type LambdaVersion
- type ManagedLoginVersion
- type Mfa
- type MfaSecondFactor
- type NumberAttribute
- type NumberAttributeConstraints
- type NumberAttributeProps
- type OAuthFlows
- type OAuthScope
- func OAuthScope_COGNITO_ADMIN() OAuthScope
- func OAuthScope_Custom(name *string) OAuthScope
- func OAuthScope_EMAIL() OAuthScope
- func OAuthScope_OPENID() OAuthScope
- func OAuthScope_PHONE() OAuthScope
- func OAuthScope_PROFILE() OAuthScope
- func OAuthScope_ResourceServer(server IUserPoolResourceServer, scope ResourceServerScope) OAuthScope
- type OAuthSettings
- type OidcAttributeRequestMethod
- type OidcEndpoints
- type PasskeyUserVerification
- type PasswordPolicy
- type ProviderAttribute
- func ProviderAttribute_AMAZON_EMAIL() ProviderAttribute
- func ProviderAttribute_AMAZON_NAME() ProviderAttribute
- func ProviderAttribute_AMAZON_POSTAL_CODE() ProviderAttribute
- func ProviderAttribute_AMAZON_USER_ID() ProviderAttribute
- func ProviderAttribute_APPLE_EMAIL() ProviderAttribute
- func ProviderAttribute_APPLE_EMAIL_VERIFIED() ProviderAttribute
- func ProviderAttribute_APPLE_FIRST_NAME() ProviderAttribute
- func ProviderAttribute_APPLE_LAST_NAME() ProviderAttribute
- func ProviderAttribute_APPLE_NAME() ProviderAttribute
- func ProviderAttribute_FACEBOOK_BIRTHDAY() ProviderAttribute
- func ProviderAttribute_FACEBOOK_EMAIL() ProviderAttribute
- func ProviderAttribute_FACEBOOK_FIRST_NAME() ProviderAttribute
- func ProviderAttribute_FACEBOOK_GENDER() ProviderAttribute
- func ProviderAttribute_FACEBOOK_ID() ProviderAttribute
- func ProviderAttribute_FACEBOOK_LAST_NAME() ProviderAttribute
- func ProviderAttribute_FACEBOOK_LOCALE() ProviderAttribute
- func ProviderAttribute_FACEBOOK_MIDDLE_NAME() ProviderAttribute
- func ProviderAttribute_FACEBOOK_NAME() ProviderAttribute
- func ProviderAttribute_GOOGLE_BIRTHDAYS() ProviderAttribute
- func ProviderAttribute_GOOGLE_EMAIL() ProviderAttribute
- func ProviderAttribute_GOOGLE_EMAIL_VERIFIED() ProviderAttribute
- func ProviderAttribute_GOOGLE_FAMILY_NAME() ProviderAttribute
- func ProviderAttribute_GOOGLE_GENDER() ProviderAttribute
- func ProviderAttribute_GOOGLE_GIVEN_NAME() ProviderAttribute
- func ProviderAttribute_GOOGLE_NAME() ProviderAttribute
- func ProviderAttribute_GOOGLE_NAMES() ProviderAttribute
- func ProviderAttribute_GOOGLE_PHONE_NUMBERS() ProviderAttribute
- func ProviderAttribute_GOOGLE_PICTURE() ProviderAttribute
- func ProviderAttribute_Other(attributeName *string) ProviderAttribute
- type ResourceServerScope
- type ResourceServerScopeProps
- type SignInAliases
- type SignInPolicy
- type SignInUrlOptions
- type SigningAlgorithm
- type StandardAttribute
- type StandardAttributes
- type StandardAttributesMask
- type StandardThreatProtectionMode
- type StringAttribute
- type StringAttributeConstraints
- type StringAttributeProps
- type UserInvitationConfig
- type UserPool
- type UserPoolClient
- type UserPoolClientIdentityProvider
- func UserPoolClientIdentityProvider_AMAZON() UserPoolClientIdentityProvider
- func UserPoolClientIdentityProvider_APPLE() UserPoolClientIdentityProvider
- func UserPoolClientIdentityProvider_COGNITO() UserPoolClientIdentityProvider
- func UserPoolClientIdentityProvider_Custom(name *string) UserPoolClientIdentityProvider
- func UserPoolClientIdentityProvider_FACEBOOK() UserPoolClientIdentityProvider
- func UserPoolClientIdentityProvider_GOOGLE() UserPoolClientIdentityProvider
- type UserPoolClientOptions
- type UserPoolClientProps
- type UserPoolDomain
- type UserPoolDomainOptions
- type UserPoolDomainProps
- type UserPoolEmail
- type UserPoolEmailConfig
- type UserPoolGroup
- type UserPoolGroupOptions
- type UserPoolGroupProps
- type UserPoolIdentityProvider
- type UserPoolIdentityProviderAmazon
- type UserPoolIdentityProviderAmazonProps
- type UserPoolIdentityProviderApple
- type UserPoolIdentityProviderAppleProps
- type UserPoolIdentityProviderFacebook
- type UserPoolIdentityProviderFacebookProps
- type UserPoolIdentityProviderGoogle
- type UserPoolIdentityProviderGoogleProps
- type UserPoolIdentityProviderOidc
- type UserPoolIdentityProviderOidcProps
- type UserPoolIdentityProviderProps
- type UserPoolIdentityProviderSaml
- type UserPoolIdentityProviderSamlMetadata
- type UserPoolIdentityProviderSamlMetadataType
- type UserPoolIdentityProviderSamlProps
- type UserPoolOperation
- func UserPoolOperation_CREATE_AUTH_CHALLENGE() UserPoolOperation
- func UserPoolOperation_CUSTOM_EMAIL_SENDER() UserPoolOperation
- func UserPoolOperation_CUSTOM_MESSAGE() UserPoolOperation
- func UserPoolOperation_CUSTOM_SMS_SENDER() UserPoolOperation
- func UserPoolOperation_DEFINE_AUTH_CHALLENGE() UserPoolOperation
- func UserPoolOperation_Of(name *string) UserPoolOperation
- func UserPoolOperation_POST_AUTHENTICATION() UserPoolOperation
- func UserPoolOperation_POST_CONFIRMATION() UserPoolOperation
- func UserPoolOperation_PRE_AUTHENTICATION() UserPoolOperation
- func UserPoolOperation_PRE_SIGN_UP() UserPoolOperation
- func UserPoolOperation_PRE_TOKEN_GENERATION() UserPoolOperation
- func UserPoolOperation_PRE_TOKEN_GENERATION_CONFIG() UserPoolOperation
- func UserPoolOperation_USER_MIGRATION() UserPoolOperation
- func UserPoolOperation_VERIFY_AUTH_CHALLENGE_RESPONSE() UserPoolOperation
- type UserPoolProps
- type UserPoolResourceServer
- type UserPoolResourceServerOptions
- type UserPoolResourceServerProps
- type UserPoolSESOptions
- type UserPoolTriggers
- type UserVerificationConfig
- type VerificationEmailStyle
Constants
This section is empty.
Variables
This section is empty.
Functions
func CfnIdentityPoolPrincipalTag_CFN_RESOURCE_TYPE_NAME (added in v2.82.0)
func CfnIdentityPoolPrincipalTag_CFN_RESOURCE_TYPE_NAME() *string
func CfnIdentityPoolPrincipalTag_IsCfnElement (added in v2.82.0)
func CfnIdentityPoolPrincipalTag_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnIdentityPoolPrincipalTag_IsCfnResource (added in v2.82.0)
func CfnIdentityPoolPrincipalTag_IsCfnResource(x interface{}) *bool
Check whether the given object is a CfnResource.
func CfnIdentityPoolPrincipalTag_IsConstruct (added in v2.82.0)
func CfnIdentityPoolPrincipalTag_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof` and to use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func CfnIdentityPoolRoleAttachment_CFN_RESOURCE_TYPE_NAME
func CfnIdentityPoolRoleAttachment_CFN_RESOURCE_TYPE_NAME() *string
func CfnIdentityPoolRoleAttachment_IsCfnElement
func CfnIdentityPoolRoleAttachment_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnIdentityPoolRoleAttachment_IsCfnResource
func CfnIdentityPoolRoleAttachment_IsCfnResource(x interface{}) *bool
Check whether the given object is a CfnResource.
func CfnIdentityPoolRoleAttachment_IsConstruct
func CfnIdentityPoolRoleAttachment_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof` and to use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func CfnIdentityPool_CFN_RESOURCE_TYPE_NAME
func CfnIdentityPool_CFN_RESOURCE_TYPE_NAME() *string
func CfnIdentityPool_IsCfnElement
func CfnIdentityPool_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnIdentityPool_IsCfnResource
func CfnIdentityPool_IsCfnResource(x interface{}) *bool
Check whether the given object is a CfnResource.
func CfnIdentityPool_IsConstruct
func CfnIdentityPool_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof` and to use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func CfnLogDeliveryConfiguration_CFN_RESOURCE_TYPE_NAME (added in v2.101.0)
func CfnLogDeliveryConfiguration_CFN_RESOURCE_TYPE_NAME() *string
func CfnLogDeliveryConfiguration_IsCfnElement (added in v2.101.0)
func CfnLogDeliveryConfiguration_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnLogDeliveryConfiguration_IsCfnResource (added in v2.101.0)
func CfnLogDeliveryConfiguration_IsCfnResource(x interface{}) *bool
Check whether the given object is a CfnResource.
func CfnLogDeliveryConfiguration_IsConstruct (added in v2.101.0)
func CfnLogDeliveryConfiguration_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof` and to use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func CfnManagedLoginBranding_CFN_RESOURCE_TYPE_NAME (added in v2.172.0)
func CfnManagedLoginBranding_CFN_RESOURCE_TYPE_NAME() *string
func CfnManagedLoginBranding_IsCfnElement (added in v2.172.0)
func CfnManagedLoginBranding_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnManagedLoginBranding_IsCfnResource (added in v2.172.0)
func CfnManagedLoginBranding_IsCfnResource(x interface{}) *bool
Check whether the given object is a CfnResource.
func CfnManagedLoginBranding_IsConstruct (added in v2.172.0)
func CfnManagedLoginBranding_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof` and to use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func CfnUserPoolClient_CFN_RESOURCE_TYPE_NAME
func CfnUserPoolClient_CFN_RESOURCE_TYPE_NAME() *string
func CfnUserPoolClient_IsCfnElement
func CfnUserPoolClient_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnUserPoolClient_IsCfnResource
func CfnUserPoolClient_IsCfnResource(x interface{}) *bool
Check whether the given object is a CfnResource.
func CfnUserPoolClient_IsConstruct
func CfnUserPoolClient_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof` and to use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func CfnUserPoolDomain_CFN_RESOURCE_TYPE_NAME
func CfnUserPoolDomain_CFN_RESOURCE_TYPE_NAME() *string
func CfnUserPoolDomain_IsCfnElement
func CfnUserPoolDomain_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnUserPoolDomain_IsCfnResource
func CfnUserPoolDomain_IsCfnResource(x interface{}) *bool
Check whether the given object is a CfnResource.
func CfnUserPoolDomain_IsConstruct
func CfnUserPoolDomain_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof` and to use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func CfnUserPoolGroup_CFN_RESOURCE_TYPE_NAME
func CfnUserPoolGroup_CFN_RESOURCE_TYPE_NAME() *string
func CfnUserPoolGroup_IsCfnElement
func CfnUserPoolGroup_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnUserPoolGroup_IsCfnResource
func CfnUserPoolGroup_IsCfnResource(x interface{}) *bool
Check whether the given object is a CfnResource.
func CfnUserPoolGroup_IsConstruct
func CfnUserPoolGroup_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof` and to use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func CfnUserPoolIdentityProvider_CFN_RESOURCE_TYPE_NAME
func CfnUserPoolIdentityProvider_CFN_RESOURCE_TYPE_NAME() *string
func CfnUserPoolIdentityProvider_IsCfnElement
func CfnUserPoolIdentityProvider_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnUserPoolIdentityProvider_IsCfnResource
func CfnUserPoolIdentityProvider_IsCfnResource(x interface{}) *bool
Check whether the given object is a CfnResource.
func CfnUserPoolIdentityProvider_IsConstruct
func CfnUserPoolIdentityProvider_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof` and to use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func CfnUserPoolResourceServer_CFN_RESOURCE_TYPE_NAME
func CfnUserPoolResourceServer_CFN_RESOURCE_TYPE_NAME() *string
func CfnUserPoolResourceServer_IsCfnElement
func CfnUserPoolResourceServer_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnUserPoolResourceServer_IsCfnResource
func CfnUserPoolResourceServer_IsCfnResource(x interface{}) *bool
Check whether the given object is a CfnResource.
func CfnUserPoolResourceServer_IsConstruct
func CfnUserPoolResourceServer_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof` and to use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func CfnUserPoolRiskConfigurationAttachment_CFN_RESOURCE_TYPE_NAME
func CfnUserPoolRiskConfigurationAttachment_CFN_RESOURCE_TYPE_NAME() *string
func CfnUserPoolRiskConfigurationAttachment_IsCfnElement
func CfnUserPoolRiskConfigurationAttachment_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnUserPoolRiskConfigurationAttachment_IsCfnResource
func CfnUserPoolRiskConfigurationAttachment_IsCfnResource(x interface{}) *bool
Check whether the given object is a CfnResource.
func CfnUserPoolRiskConfigurationAttachment_IsConstruct
func CfnUserPoolRiskConfigurationAttachment_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof` and to use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func CfnUserPoolUICustomizationAttachment_CFN_RESOURCE_TYPE_NAME
func CfnUserPoolUICustomizationAttachment_CFN_RESOURCE_TYPE_NAME() *string
func CfnUserPoolUICustomizationAttachment_IsCfnElement
func CfnUserPoolUICustomizationAttachment_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnUserPoolUICustomizationAttachment_IsCfnResource
func CfnUserPoolUICustomizationAttachment_IsCfnResource(x interface{}) *bool
Check whether the given object is a CfnResource.
func CfnUserPoolUICustomizationAttachment_IsConstruct
func CfnUserPoolUICustomizationAttachment_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof` and to use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func CfnUserPoolUserToGroupAttachment_CFN_RESOURCE_TYPE_NAME
func CfnUserPoolUserToGroupAttachment_CFN_RESOURCE_TYPE_NAME() *string
func CfnUserPoolUserToGroupAttachment_IsCfnElement
func CfnUserPoolUserToGroupAttachment_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnUserPoolUserToGroupAttachment_IsCfnResource
func CfnUserPoolUserToGroupAttachment_IsCfnResource(x interface{}) *bool
Check whether the given object is a CfnResource.
func CfnUserPoolUserToGroupAttachment_IsConstruct
func CfnUserPoolUserToGroupAttachment_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof` and to use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func CfnUserPoolUser_CFN_RESOURCE_TYPE_NAME
func CfnUserPoolUser_CFN_RESOURCE_TYPE_NAME() *string
func CfnUserPoolUser_IsCfnElement
func CfnUserPoolUser_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnUserPoolUser_IsCfnResource
func CfnUserPoolUser_IsCfnResource(x interface{}) *bool
Check whether the given object is a CfnResource.
func CfnUserPoolUser_IsConstruct
func CfnUserPoolUser_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof` and to use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func CfnUserPool_CFN_RESOURCE_TYPE_NAME
func CfnUserPool_CFN_RESOURCE_TYPE_NAME() *string
func CfnUserPool_IsCfnElement
func CfnUserPool_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnUserPool_IsCfnResource
func CfnUserPool_IsCfnResource(x interface{}) *bool
Check whether the given object is a CfnResource.
func CfnUserPool_IsConstruct
func CfnUserPool_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof` and to use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func NewBooleanAttribute_Override
func NewBooleanAttribute_Override(b BooleanAttribute, props *CustomAttributeProps)
func NewCfnIdentityPoolPrincipalTag_Override (added in v2.82.0)
func NewCfnIdentityPoolPrincipalTag_Override(c CfnIdentityPoolPrincipalTag, scope constructs.Construct, id *string, props *CfnIdentityPoolPrincipalTagProps)
func NewCfnIdentityPoolRoleAttachment_Override
func NewCfnIdentityPoolRoleAttachment_Override(c CfnIdentityPoolRoleAttachment, scope constructs.Construct, id *string, props *CfnIdentityPoolRoleAttachmentProps)
func NewCfnIdentityPool_Override
func NewCfnIdentityPool_Override(c CfnIdentityPool, scope constructs.Construct, id *string, props *CfnIdentityPoolProps)
func NewCfnLogDeliveryConfiguration_Override (added in v2.101.0)
func NewCfnLogDeliveryConfiguration_Override(c CfnLogDeliveryConfiguration, scope constructs.Construct, id *string, props *CfnLogDeliveryConfigurationProps)
func NewCfnManagedLoginBranding_Override (added in v2.172.0)
func NewCfnManagedLoginBranding_Override(c CfnManagedLoginBranding, scope constructs.Construct, id *string, props *CfnManagedLoginBrandingProps)
func NewCfnUserPoolClient_Override
func NewCfnUserPoolClient_Override(c CfnUserPoolClient, scope constructs.Construct, id *string, props *CfnUserPoolClientProps)
func NewCfnUserPoolDomain_Override
func NewCfnUserPoolDomain_Override(c CfnUserPoolDomain, scope constructs.Construct, id *string, props *CfnUserPoolDomainProps)
func NewCfnUserPoolGroup_Override
func NewCfnUserPoolGroup_Override(c CfnUserPoolGroup, scope constructs.Construct, id *string, props *CfnUserPoolGroupProps)
func NewCfnUserPoolIdentityProvider_Override
func NewCfnUserPoolIdentityProvider_Override(c CfnUserPoolIdentityProvider, scope constructs.Construct, id *string, props *CfnUserPoolIdentityProviderProps)
func NewCfnUserPoolResourceServer_Override
func NewCfnUserPoolResourceServer_Override(c CfnUserPoolResourceServer, scope constructs.Construct, id *string, props *CfnUserPoolResourceServerProps)
func NewCfnUserPoolRiskConfigurationAttachment_Override
func NewCfnUserPoolRiskConfigurationAttachment_Override(c CfnUserPoolRiskConfigurationAttachment, scope constructs.Construct, id *string, props *CfnUserPoolRiskConfigurationAttachmentProps)
func NewCfnUserPoolUICustomizationAttachment_Override
func NewCfnUserPoolUICustomizationAttachment_Override(c CfnUserPoolUICustomizationAttachment, scope constructs.Construct, id *string, props *CfnUserPoolUICustomizationAttachmentProps)
func NewCfnUserPoolUserToGroupAttachment_Override
func NewCfnUserPoolUserToGroupAttachment_Override(c CfnUserPoolUserToGroupAttachment, scope constructs.Construct, id *string, props *CfnUserPoolUserToGroupAttachmentProps)
func NewCfnUserPoolUser_Override ¶
func NewCfnUserPoolUser_Override(c CfnUserPoolUser, scope constructs.Construct, id *string, props *CfnUserPoolUserProps)
func NewCfnUserPool_Override ¶
func NewCfnUserPool_Override(c CfnUserPool, scope constructs.Construct, id *string, props *CfnUserPoolProps)
func NewClientAttributes_Override ¶
func NewClientAttributes_Override(c ClientAttributes)
Creates a ClientAttributes with the specified attributes. Default: - a ClientAttributes object without any attributes.
func NewDateTimeAttribute_Override ¶
func NewDateTimeAttribute_Override(d DateTimeAttribute, props *CustomAttributeProps)
func NewNumberAttribute_Override ¶
func NewNumberAttribute_Override(n NumberAttribute, props *NumberAttributeProps)
func NewResourceServerScope_Override ¶
func NewResourceServerScope_Override(r ResourceServerScope, props *ResourceServerScopeProps)
func NewStringAttribute_Override ¶
func NewStringAttribute_Override(s StringAttribute, props *StringAttributeProps)
func NewUserPoolClient_Override ¶
func NewUserPoolClient_Override(u UserPoolClient, scope constructs.Construct, id *string, props *UserPoolClientProps)
func NewUserPoolDomain_Override ¶
func NewUserPoolDomain_Override(u UserPoolDomain, scope constructs.Construct, id *string, props *UserPoolDomainProps)
func NewUserPoolEmail_Override ¶
func NewUserPoolEmail_Override(u UserPoolEmail)
func NewUserPoolGroup_Override ¶ added in v2.165.0
func NewUserPoolGroup_Override(u UserPoolGroup, scope constructs.Construct, id *string, props *UserPoolGroupProps)
func NewUserPoolIdentityProviderAmazon_Override ¶
func NewUserPoolIdentityProviderAmazon_Override(u UserPoolIdentityProviderAmazon, scope constructs.Construct, id *string, props *UserPoolIdentityProviderAmazonProps)
func NewUserPoolIdentityProviderApple_Override ¶
func NewUserPoolIdentityProviderApple_Override(u UserPoolIdentityProviderApple, scope constructs.Construct, id *string, props *UserPoolIdentityProviderAppleProps)
func NewUserPoolIdentityProviderFacebook_Override ¶
func NewUserPoolIdentityProviderFacebook_Override(u UserPoolIdentityProviderFacebook, scope constructs.Construct, id *string, props *UserPoolIdentityProviderFacebookProps)
func NewUserPoolIdentityProviderGoogle_Override ¶
func NewUserPoolIdentityProviderGoogle_Override(u UserPoolIdentityProviderGoogle, scope constructs.Construct, id *string, props *UserPoolIdentityProviderGoogleProps)
func NewUserPoolIdentityProviderOidc_Override ¶ added in v2.27.0
func NewUserPoolIdentityProviderOidc_Override(u UserPoolIdentityProviderOidc, scope constructs.Construct, id *string, props *UserPoolIdentityProviderOidcProps)
func NewUserPoolIdentityProviderSaml_Override ¶ added in v2.42.0
func NewUserPoolIdentityProviderSaml_Override(u UserPoolIdentityProviderSaml, scope constructs.Construct, id *string, props *UserPoolIdentityProviderSamlProps)
func NewUserPoolResourceServer_Override ¶
func NewUserPoolResourceServer_Override(u UserPoolResourceServer, scope constructs.Construct, id *string, props *UserPoolResourceServerProps)
func NewUserPool_Override ¶
func NewUserPool_Override(u UserPool, scope constructs.Construct, id *string, props *UserPoolProps)
func UserPoolClient_IsConstruct ¶
func UserPoolClient_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid `instanceof` and use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func UserPoolClient_IsOwnedResource ¶ added in v2.32.0
func UserPoolClient_IsOwnedResource(construct constructs.IConstruct) *bool
Returns true if the construct was created by CDK, and false otherwise.
func UserPoolClient_IsResource ¶
func UserPoolClient_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func UserPoolDomain_IsConstruct ¶
func UserPoolDomain_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid `instanceof` and use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func UserPoolDomain_IsOwnedResource ¶ added in v2.32.0
func UserPoolDomain_IsOwnedResource(construct constructs.IConstruct) *bool
Returns true if the construct was created by CDK, and false otherwise.
func UserPoolDomain_IsResource ¶
func UserPoolDomain_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func UserPoolGroup_IsConstruct ¶ added in v2.165.0
func UserPoolGroup_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid `instanceof` and use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func UserPoolGroup_IsOwnedResource ¶ added in v2.165.0
func UserPoolGroup_IsOwnedResource(construct constructs.IConstruct) *bool
Returns true if the construct was created by CDK, and false otherwise.
func UserPoolGroup_IsResource ¶ added in v2.165.0
func UserPoolGroup_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func UserPoolIdentityProviderAmazon_IsConstruct ¶
func UserPoolIdentityProviderAmazon_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid `instanceof` and use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func UserPoolIdentityProviderAmazon_IsOwnedResource ¶ added in v2.32.0
func UserPoolIdentityProviderAmazon_IsOwnedResource(construct constructs.IConstruct) *bool
Returns true if the construct was created by CDK, and false otherwise.
func UserPoolIdentityProviderAmazon_IsResource ¶
func UserPoolIdentityProviderAmazon_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func UserPoolIdentityProviderApple_IsConstruct ¶
func UserPoolIdentityProviderApple_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid `instanceof` and use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func UserPoolIdentityProviderApple_IsOwnedResource ¶ added in v2.32.0
func UserPoolIdentityProviderApple_IsOwnedResource(construct constructs.IConstruct) *bool
Returns true if the construct was created by CDK, and false otherwise.
func UserPoolIdentityProviderApple_IsResource ¶
func UserPoolIdentityProviderApple_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func UserPoolIdentityProviderFacebook_IsConstruct ¶
func UserPoolIdentityProviderFacebook_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid `instanceof` and use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func UserPoolIdentityProviderFacebook_IsOwnedResource ¶ added in v2.32.0
func UserPoolIdentityProviderFacebook_IsOwnedResource(construct constructs.IConstruct) *bool
Returns true if the construct was created by CDK, and false otherwise.
func UserPoolIdentityProviderFacebook_IsResource ¶
func UserPoolIdentityProviderFacebook_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func UserPoolIdentityProviderGoogle_IsConstruct ¶
func UserPoolIdentityProviderGoogle_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid `instanceof` and use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func UserPoolIdentityProviderGoogle_IsOwnedResource ¶ added in v2.32.0
func UserPoolIdentityProviderGoogle_IsOwnedResource(construct constructs.IConstruct) *bool
Returns true if the construct was created by CDK, and false otherwise.
func UserPoolIdentityProviderGoogle_IsResource ¶
func UserPoolIdentityProviderGoogle_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func UserPoolIdentityProviderOidc_IsConstruct ¶ added in v2.27.0
func UserPoolIdentityProviderOidc_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid `instanceof` and use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func UserPoolIdentityProviderOidc_IsOwnedResource ¶ added in v2.32.0
func UserPoolIdentityProviderOidc_IsOwnedResource(construct constructs.IConstruct) *bool
Returns true if the construct was created by CDK, and false otherwise.
func UserPoolIdentityProviderOidc_IsResource ¶ added in v2.27.0
func UserPoolIdentityProviderOidc_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func UserPoolIdentityProviderSaml_IsConstruct ¶ added in v2.42.0
func UserPoolIdentityProviderSaml_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid `instanceof` and use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func UserPoolIdentityProviderSaml_IsOwnedResource ¶ added in v2.42.0
func UserPoolIdentityProviderSaml_IsOwnedResource(construct constructs.IConstruct) *bool
Returns true if the construct was created by CDK, and false otherwise.
func UserPoolIdentityProviderSaml_IsResource ¶ added in v2.42.0
func UserPoolIdentityProviderSaml_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func UserPoolResourceServer_IsConstruct ¶
func UserPoolResourceServer_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid `instanceof` and use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func UserPoolResourceServer_IsOwnedResource ¶ added in v2.32.0
func UserPoolResourceServer_IsOwnedResource(construct constructs.IConstruct) *bool
Returns true if the construct was created by CDK, and false otherwise.
func UserPoolResourceServer_IsResource ¶
func UserPoolResourceServer_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func UserPool_IsConstruct ¶
func UserPool_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid `instanceof` and use this type-testing method instead.
Returns: true if `x` is an object created from a class which extends `Construct`.
func UserPool_IsOwnedResource ¶ added in v2.32.0
func UserPool_IsOwnedResource(construct constructs.IConstruct) *bool
Returns true if the construct was created by CDK, and false otherwise.
func UserPool_IsResource ¶
func UserPool_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
Types ¶
type AccountRecovery ¶
type AccountRecovery string
How will a user be able to recover their account?
When a user forgets their password, they can have a code sent to their verified email or verified phone to recover their account. You can choose the preferred way to send codes below. We recommend not allowing phone to be used for both password resets and multi-factor authentication (MFA).
Example:
cognito.NewUserPool(this, jsii.String("UserPool"), &UserPoolProps{
	// ...
	AccountRecovery: cognito.AccountRecovery_EMAIL_ONLY,
})
See: https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-recover-a-user-account.html
const (
	// Email if available, otherwise phone, but don’t allow a user to reset their password via phone if they are also using it for MFA.
	AccountRecovery_EMAIL_AND_PHONE_WITHOUT_MFA AccountRecovery = "EMAIL_AND_PHONE_WITHOUT_MFA"
	// Phone if available, otherwise email, but don’t allow a user to reset their password via phone if they are also using it for MFA.
	AccountRecovery_PHONE_WITHOUT_MFA_AND_EMAIL AccountRecovery = "PHONE_WITHOUT_MFA_AND_EMAIL"
	// Email only.
	AccountRecovery_EMAIL_ONLY AccountRecovery = "EMAIL_ONLY"
	// Phone only, but don’t allow a user to reset their password via phone if they are also using it for MFA.
	AccountRecovery_PHONE_ONLY_WITHOUT_MFA AccountRecovery = "PHONE_ONLY_WITHOUT_MFA"
	// (Not Recommended) Phone if available, otherwise email, and do allow a user to reset their password via phone if they are also using it for MFA.
	AccountRecovery_PHONE_AND_EMAIL AccountRecovery = "PHONE_AND_EMAIL"
	// None – users will have to contact an administrator to reset their passwords.
	AccountRecovery_NONE AccountRecovery = "NONE"
)
type AdvancedSecurityMode ¶ deprecated, added in v2.55.0
type AdvancedSecurityMode string
The different ways in which a user pool's Advanced Security Mode can be configured.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &UserPoolProps{
	// ...
	AdvancedSecurityMode: cognito.AdvancedSecurityMode_ENFORCED,
})
Deprecated: Advanced Security Mode is deprecated due to user pool feature plans. Use StandardThreatProtectionMode and CustomThreatProtectionMode to set Threat Protection level.
const (
	// Enable advanced security mode.
	// Deprecated: Advanced Security Mode is deprecated due to user pool feature plans. Use StandardThreatProtectionMode and CustomThreatProtectionMode to set Threat Protection level.
	AdvancedSecurityMode_ENFORCED AdvancedSecurityMode = "ENFORCED"
	// Gather metrics on detected risks without taking action.
	//
	// Metrics are published to Amazon CloudWatch.
	// Deprecated: Advanced Security Mode is deprecated due to user pool feature plans. Use StandardThreatProtectionMode and CustomThreatProtectionMode to set Threat Protection level.
	AdvancedSecurityMode_AUDIT AdvancedSecurityMode = "AUDIT"
	// Advanced security mode is disabled.
	// Deprecated: Advanced Security Mode is deprecated due to user pool feature plans. Use StandardThreatProtectionMode and CustomThreatProtectionMode to set Threat Protection level.
	AdvancedSecurityMode_OFF AdvancedSecurityMode = "OFF"
)
type AllowedFirstAuthFactors ¶ added in v2.179.0
type AllowedFirstAuthFactors struct {
	// Whether the password authentication is allowed.
	//
	// This must be true.
	Password *bool `field:"required" json:"password" yaml:"password"`
	// Whether the email message one-time password is allowed.
	// Default: false.
	//
	EmailOtp *bool `field:"optional" json:"emailOtp" yaml:"emailOtp"`
	// Whether the Passkey (WebAuthn) is allowed.
	// Default: false.
	//
	Passkey *bool `field:"optional" json:"passkey" yaml:"passkey"`
	// Whether the SMS message one-time password is allowed.
	// Default: false.
	//
	SmsOtp *bool `field:"optional" json:"smsOtp" yaml:"smsOtp"`
}
The types of authentication that you want to allow for users' first authentication prompt.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &UserPoolProps{
	SignInPolicy: &SignInPolicy{
		AllowedFirstAuthFactors: &AllowedFirstAuthFactors{
			Password: jsii.Boolean(true),
			Passkey: jsii.Boolean(true),
		},
	},
	PasskeyRelyingPartyId: jsii.String("auth.example.com"),
	PasskeyUserVerification: cognito.PasskeyUserVerification_REQUIRED,
})
type AnalyticsConfiguration ¶ added in v2.179.0
type AnalyticsConfiguration struct {
	// The Amazon Pinpoint project that you want to connect to your user pool app client.
	//
	// Amazon Cognito publishes events to the Amazon Pinpoint project.
	// You can also configure your application to pass an endpoint ID in the `AnalyticsMetadata` parameter of sign-in operations.
	// The endpoint ID is information about the destination for push notifications.
	// Default: - no configuration, you need to specify either `application` or all of `applicationId`, `externalId`, and `role`.
	//
	Application awspinpoint.CfnApp `field:"optional" json:"application" yaml:"application"`
	// Your Amazon Pinpoint project ID.
	// Default: - no configuration, you need to specify either this property along with `externalId` and `role` or `application`.
	//
	ApplicationId *string `field:"optional" json:"applicationId" yaml:"applicationId"`
	// The external ID of the role that Amazon Cognito assumes to send analytics data to Amazon Pinpoint.
	//
	// More info here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
	// Default: - no configuration, you need to specify either this property along with `applicationId` and `role` or `application`.
	//
	ExternalId *string `field:"optional" json:"externalId" yaml:"externalId"`
	// The IAM role that has the permissions required for Amazon Cognito to publish events to Amazon Pinpoint analytics.
	// Default: - no configuration, you need to specify either this property along with `applicationId` and `externalId` or `application`.
	//
	Role awsiam.IRole `field:"optional" json:"role" yaml:"role"`
	// Default: - false.
	//
	ShareUserData *bool `field:"optional" json:"shareUserData" yaml:"shareUserData"`
}
The settings for Amazon Pinpoint analytics configuration.
With an analytics configuration, your application can collect user-activity metrics for user notifications with an Amazon Pinpoint campaign. Amazon Pinpoint isn't available in all AWS Regions. For a list of available Regions, see Amazon Cognito and Amazon Pinpoint Region availability: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html#cognito-user-pools-find-region-mappings.
Example:
import pinpoint "github.com/aws/aws-cdk-go/awscdk/v2/awspinpoint"

var userPool cognito.UserPool
var pinpointApp pinpoint.CfnApp
var pinpointRole awsiam.Role

cognito.NewUserPoolClient(this, jsii.String("Client"), &UserPoolClientProps{
	UserPool: userPool,
	Analytics: &AnalyticsConfiguration{
		// Your Pinpoint project
		Application: pinpointApp,

		// Whether to include user data in analytics events
		ShareUserData: jsii.Boolean(true),
	},
})
type AttributeMapping ¶
type AttributeMapping struct {
	// The user's postal address is a required attribute.
	// Default: - not mapped.
	//
	Address ProviderAttribute `field:"optional" json:"address" yaml:"address"`
	// The user's birthday.
	// Default: - not mapped.
	//
	Birthdate ProviderAttribute `field:"optional" json:"birthdate" yaml:"birthdate"`
	// Specify custom attribute mapping here and mapping for any standard attributes not supported yet.
	// Default: - no custom attribute mapping.
	//
	Custom *map[string]ProviderAttribute `field:"optional" json:"custom" yaml:"custom"`
	// The user's e-mail address.
	// Default: - not mapped.
	//
	Email ProviderAttribute `field:"optional" json:"email" yaml:"email"`
	// The verification status of the user's e-mail address.
	// Default: - not mapped.
	//
	EmailVerified ProviderAttribute `field:"optional" json:"emailVerified" yaml:"emailVerified"`
	// The surname or last name of the user.
	// Default: - not mapped.
	//
	FamilyName ProviderAttribute `field:"optional" json:"familyName" yaml:"familyName"`
	// The user's full name in displayable form.
	// Default: - not mapped.
	//
	Fullname ProviderAttribute `field:"optional" json:"fullname" yaml:"fullname"`
	// The user's gender.
	// Default: - not mapped.
	//
	Gender ProviderAttribute `field:"optional" json:"gender" yaml:"gender"`
	// The user's first name or given name.
	// Default: - not mapped.
	//
	GivenName ProviderAttribute `field:"optional" json:"givenName" yaml:"givenName"`
	// Time the user's information was last updated.
	// Default: - not mapped.
	//
	LastUpdateTime ProviderAttribute `field:"optional" json:"lastUpdateTime" yaml:"lastUpdateTime"`
	// The user's locale.
	// Default: - not mapped.
	//
	Locale ProviderAttribute `field:"optional" json:"locale" yaml:"locale"`
	// The user's middle name.
	// Default: - not mapped.
	//
	MiddleName ProviderAttribute `field:"optional" json:"middleName" yaml:"middleName"`
	// The user's nickname or casual name.
	// Default: - not mapped.
	//
	Nickname ProviderAttribute `field:"optional" json:"nickname" yaml:"nickname"`
	// The user's telephone number.
	// Default: - not mapped.
	//
	PhoneNumber ProviderAttribute `field:"optional" json:"phoneNumber" yaml:"phoneNumber"`
	// The user's preferred username.
	// Default: - not mapped.
	//
	PreferredUsername ProviderAttribute `field:"optional" json:"preferredUsername" yaml:"preferredUsername"`
	// The URL to the user's profile page.
	// Default: - not mapped.
	//
	ProfilePage ProviderAttribute `field:"optional" json:"profilePage" yaml:"profilePage"`
	// The URL to the user's profile picture.
	// Default: - not mapped.
	//
	ProfilePicture ProviderAttribute `field:"optional" json:"profilePicture" yaml:"profilePicture"`
	// The user's time zone.
	// Default: - not mapped.
	//
	Timezone ProviderAttribute `field:"optional" json:"timezone" yaml:"timezone"`
	// The URL to the user's web page or blog.
	// Default: - not mapped.
	//
	Website ProviderAttribute `field:"optional" json:"website" yaml:"website"`
}
The mapping of user pool attributes to the attributes provided by the identity providers.
Example:
userpool := cognito.NewUserPool(this, jsii.String("Pool"), nil)

cognito.NewUserPoolIdentityProviderAmazon(this, jsii.String("Amazon"), &UserPoolIdentityProviderAmazonProps{
	ClientId: jsii.String("amzn-client-id"),
	ClientSecret: jsii.String("amzn-client-secret"),
	UserPool: userpool,
	AttributeMapping: &AttributeMapping{
		Email: cognito.ProviderAttribute_AMAZON_EMAIL(),
		// use ProviderAttribute_Other() when an attribute is not pre-defined in the CDK
		Website: cognito.ProviderAttribute_Other(jsii.String("url")),
		Custom: &map[string]cognito.ProviderAttribute{
			// custom user pool attributes go here
			"uniqueId": cognito.ProviderAttribute_AMAZON_USER_ID(),
		},
	},
})
type AuthFlow ¶
type AuthFlow struct {
	// Enable admin based user password authentication flow.
	// Default: false.
	//
	AdminUserPassword *bool `field:"optional" json:"adminUserPassword" yaml:"adminUserPassword"`
	// Enable custom authentication flow.
	// Default: false.
	//
	Custom *bool `field:"optional" json:"custom" yaml:"custom"`
	// Enable Choice-based authentication.
	// Default: false.
	//
	User *bool `field:"optional" json:"user" yaml:"user"`
	// Enable auth using username & password.
	// Default: false.
	//
	UserPassword *bool `field:"optional" json:"userPassword" yaml:"userPassword"`
	// Enable SRP based authentication.
	// Default: false.
	//
	UserSrp *bool `field:"optional" json:"userSrp" yaml:"userSrp"`
}
Types of authentication flow.
Example:
userPool := cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	SignInPolicy: &cognito.SignInPolicy{
		AllowedFirstAuthFactors: &cognito.AllowedFirstAuthFactors{
			Password: jsii.Boolean(true), // password authentication must be enabled
			EmailOtp: jsii.Boolean(true), // enables email message one-time password
			SmsOtp:   jsii.Boolean(true), // enables SMS message one-time password
			Passkey:  jsii.Boolean(true), // enables passkey sign-in
		},
	},
})

// You should also configure the user pool client with USER_AUTH authentication flow allowed
userPool.AddClient(jsii.String("myclient"), &cognito.UserPoolClientOptions{
	AuthFlows: &cognito.AuthFlow{
		User: jsii.Boolean(true),
	},
})
type AutoVerifiedAttrs
type AutoVerifiedAttrs struct {
	// Whether the email address of the user should be auto verified at sign up.
	//
	// Note: If both `email` and `phone` are set, Cognito only verifies the phone number. To also verify email, see here -
	// https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html
	// Default: - true, if email is turned on for `signIn`. false, otherwise.
	//
	Email *bool `field:"optional" json:"email" yaml:"email"`
	// Whether the phone number of the user should be auto verified at sign up.
	// Default: - true, if phone is turned on for `signIn`. false, otherwise.
	//
	Phone *bool `field:"optional" json:"phone" yaml:"phone"`
}
Attributes that can be automatically verified for users in a user pool.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	// ...
	// ...
	SignInAliases: &cognito.SignInAliases{
		Username: jsii.Boolean(true),
		Email:    jsii.Boolean(true),
	},
	AutoVerify: &cognito.AutoVerifiedAttrs{
		Email: jsii.Boolean(true),
		Phone: jsii.Boolean(true),
	},
})
type BaseUrlOptions (added in v2.24.0)
type BaseUrlOptions struct {
	// Whether to return the FIPS-compliant endpoint.
	// Default: return the standard URL.
	//
	Fips *bool `field:"optional" json:"fips" yaml:"fips"`
}
Options to customize the behaviour of `baseUrl()`.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
	cognito "github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
	"github.com/aws/jsii-runtime-go"
)

baseUrlOptions := &cognito.BaseUrlOptions{
	Fips: jsii.Boolean(false),
}
type BooleanAttribute
type BooleanAttribute interface {
	ICustomAttribute
	// Bind this custom attribute type to the values as expected by CloudFormation.
	Bind() *CustomAttributeConfig
}
The Boolean custom attribute type.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	// ...
	StandardAttributes: &cognito.StandardAttributes{
		Fullname: &cognito.StandardAttribute{
			Required: jsii.Boolean(true),
			Mutable:  jsii.Boolean(false),
		},
		Address: &cognito.StandardAttribute{
			Required: jsii.Boolean(false),
			Mutable:  jsii.Boolean(true),
		},
	},
	CustomAttributes: &map[string]cognito.ICustomAttribute{
		"myappid": cognito.NewStringAttribute(&cognito.StringAttributeProps{
			MinLen:  jsii.Number(5),
			MaxLen:  jsii.Number(15),
			Mutable: jsii.Boolean(false),
		}),
		"callingcode": cognito.NewNumberAttribute(&cognito.NumberAttributeProps{
			Min:     jsii.Number(1),
			Max:     jsii.Number(3),
			Mutable: jsii.Boolean(true),
		}),
		"isEmployee": cognito.NewBooleanAttribute(&cognito.CustomAttributeProps{
			Mutable: jsii.Boolean(true),
		}),
		"joinedOn": cognito.NewDateTimeAttribute(nil),
	},
})
func NewBooleanAttribute
func NewBooleanAttribute(props *CustomAttributeProps) BooleanAttribute
type CfnIdentityPool
type CfnIdentityPool interface {
	awscdk.CfnResource
	awscdk.IInspectable
	awscdk.ITaggableV2
	// Enables the Basic (Classic) authentication flow.
	AllowClassicFlow() interface{}
	SetAllowClassicFlow(val interface{})
	// Specifies whether the identity pool supports unauthenticated logins.
	AllowUnauthenticatedIdentities() interface{}
	SetAllowUnauthenticatedIdentities(val interface{})
	AttrId() *string
	// The name of the Amazon Cognito identity pool, returned as a string.
	AttrName() *string
	// Tag Manager which manages the tags for this resource.
	CdkTagManager() awscdk.TagManager
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// The events to configure.
	CognitoEvents() interface{}
	SetCognitoEvents(val interface{})
	// The Amazon Cognito user pools and their client IDs.
	CognitoIdentityProviders() interface{}
	SetCognitoIdentityProviders(val interface{})
	// Configuration options for configuring Amazon Cognito streams.
	CognitoStreams() interface{}
	SetCognitoStreams(val interface{})
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// The "domain" Amazon Cognito uses when referencing your users.
	DeveloperProviderName() *string
	SetDeveloperProviderName(val *string)
	// The name of your Amazon Cognito identity pool.
	IdentityPoolName() *string
	SetIdentityPoolName(val *string)
	// Tags to assign to the identity pool.
	IdentityPoolTags() *[]*awscdk.CfnTag
	SetIdentityPoolTags(val *[]*awscdk.CfnTag)
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// The tree node.
	Node() constructs.Node
	// The Amazon Resource Names (ARNs) of the OpenID connect providers.
	OpenIdConnectProviderArns() *[]*string
	SetOpenIdConnectProviderArns(val *[]*string)
	// The configuration options to be applied to the identity pool.
	PushSync() interface{}
	SetPushSync(val interface{})
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// The Amazon Resource Names (ARNs) of the Security Assertion Markup Language (SAML) providers.
	SamlProviderArns() *[]*string
	SetSamlProviderArns(val *[]*string)
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// Key-value pairs that map provider names to provider app IDs.
	SupportedLoginProviders() interface{}
	SetSupportedLoginProviders(val interface{})
	// Deprecated.
	// Deprecated: use `updatedProperties`
	//
	// Return properties modified after initiation
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperties() *map[string]interface{}
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependency(target awscdk.CfnResource)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	// Deprecated: use addDependency.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// ```typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// ```
	// would add the overrides
	// ```json
	// "Properties": {
	//   "GlobalSecondaryIndexes": [
	//     {
	//       "Projection": {
	//         "NonKeyAttributes": [ "myattribute" ]
	//         ...
	//       }
	//       ...
	//     },
	//     {
	//       "ProjectionType": "INCLUDE"
	//       ...
	//     },
	//   ]
	//   ...
	// }
	// ```
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found in the following link:.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for a runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string, typeHint awscdk.ResolutionTypeHint) awscdk.Reference
	// Retrieve a value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Retrieves an array of resources this resource depends on.
	//
	// This assembles dependencies on resources across stacks (including nested stacks)
	// automatically.
	ObtainDependencies() *[]interface{}
	// Get a shallow copy of dependencies between this resource and other resources in the same stack.
	ObtainResourceDependencies() *[]awscdk.CfnResource
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	// Indicates that this resource no longer depends on another resource.
	//
	// This can be used for resources across stacks (including nested stacks)
	// and the dependency will automatically be removed from the relevant scope.
	RemoveDependency(target awscdk.CfnResource)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Replaces one dependency with another.
	ReplaceDependency(target awscdk.CfnResource, newTarget awscdk.CfnResource)
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` if the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	ValidateProperties(_properties interface{})
}
The `AWS::Cognito::IdentityPool` resource creates an Amazon Cognito identity pool.
To avoid deleting the resource accidentally from AWS CloudFormation, use [DeletionPolicy Attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html) and the [UpdateReplacePolicy Attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatereplacepolicy.html) to retain the resource on deletion or replacement.
Example:
import (
	cognito "github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
	iam "github.com/aws/aws-cdk-go/awscdk/v2/awsiam"
	"github.com/aws/jsii-runtime-go"
)

var myProvider iam.OpenIdConnectProvider

cognito.NewCfnIdentityPool(this, jsii.String("IdentityPool"), &cognito.CfnIdentityPoolProps{
	OpenIdConnectProviderArns: &[]*string{
		myProvider.OpenIdConnectProviderArn(),
	},
	// And the other properties for your identity pool
	AllowUnauthenticatedIdentities: jsii.Boolean(false),
})
See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html
func NewCfnIdentityPool
func NewCfnIdentityPool(scope constructs.Construct, id *string, props *CfnIdentityPoolProps) CfnIdentityPool
type CfnIdentityPoolPrincipalTag (added in v2.82.0)
type CfnIdentityPoolPrincipalTag interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// The identity pool that you want to associate with this principal tag map.
	IdentityPoolId() *string
	SetIdentityPoolId(val *string)
	// The identity pool identity provider (IdP) that you want to associate with this principal tag map.
	IdentityProviderName() *string
	SetIdentityProviderName(val *string)
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// The tree node.
	Node() constructs.Node
	// A JSON-formatted list of user claims and the principal tags that you want to associate with them.
	PrincipalTags() interface{}
	SetPrincipalTags(val interface{})
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// Deprecated.
	// Deprecated: use `updatedProperties`
	//
	// Return properties modified after initiation
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperties() *map[string]interface{}
	// Use a default set of mappings between claims and tags for this provider, instead of a custom map.
	UseDefaults() interface{}
	SetUseDefaults(val interface{})
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependency(target awscdk.CfnResource)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	// Deprecated: use addDependency.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// ```typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// ```
	// would add the overrides
	// ```json
	// "Properties": {
	//   "GlobalSecondaryIndexes": [
	//     {
	//       "Projection": {
	//         "NonKeyAttributes": [ "myattribute" ]
	//         ...
	//       }
	//       ...
	//     },
	//     {
	//       "ProjectionType": "INCLUDE"
	//       ...
	//     },
	//   ]
	//   ...
	// }
	// ```
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found in the following link:.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for a runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string, typeHint awscdk.ResolutionTypeHint) awscdk.Reference
	// Retrieve a value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Retrieves an array of resources this resource depends on.
	//
	// This assembles dependencies on resources across stacks (including nested stacks)
	// automatically.
	ObtainDependencies() *[]interface{}
	// Get a shallow copy of dependencies between this resource and other resources in the same stack.
	ObtainResourceDependencies() *[]awscdk.CfnResource
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	// Indicates that this resource no longer depends on another resource.
	//
	// This can be used for resources across stacks (including nested stacks)
	// and the dependency will automatically be removed from the relevant scope.
	RemoveDependency(target awscdk.CfnResource)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Replaces one dependency with another.
	ReplaceDependency(target awscdk.CfnResource, newTarget awscdk.CfnResource)
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` if the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	ValidateProperties(_properties interface{})
}
A list of the identity pool principal tag assignments for attributes for access control.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
	cognito "github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
	"github.com/aws/jsii-runtime-go"
)

var principalTags interface{}

cfnIdentityPoolPrincipalTag := cognito.NewCfnIdentityPoolPrincipalTag(this, jsii.String("MyCfnIdentityPoolPrincipalTag"), &cognito.CfnIdentityPoolPrincipalTagProps{
	IdentityPoolId:       jsii.String("identityPoolId"),
	IdentityProviderName: jsii.String("identityProviderName"),

	// the properties below are optional
	PrincipalTags: principalTags,
	UseDefaults:   jsii.Boolean(false),
})
func NewCfnIdentityPoolPrincipalTag (added in v2.82.0)
func NewCfnIdentityPoolPrincipalTag(scope constructs.Construct, id *string, props *CfnIdentityPoolPrincipalTagProps) CfnIdentityPoolPrincipalTag
type CfnIdentityPoolPrincipalTagProps (added in v2.82.0)
type CfnIdentityPoolPrincipalTagProps struct {
	// The identity pool that you want to associate with this principal tag map.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolprincipaltag.html#cfn-cognito-identitypoolprincipaltag-identitypoolid
	//
	IdentityPoolId *string `field:"required" json:"identityPoolId" yaml:"identityPoolId"`
	// The identity pool identity provider (IdP) that you want to associate with this principal tag map.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolprincipaltag.html#cfn-cognito-identitypoolprincipaltag-identityprovidername
	//
	IdentityProviderName *string `field:"required" json:"identityProviderName" yaml:"identityProviderName"`
	// A JSON-formatted list of user claims and the principal tags that you want to associate with them.
	//
	// When Amazon Cognito requests credentials, it sets the value of the principal tag to the value of the user's claim.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolprincipaltag.html#cfn-cognito-identitypoolprincipaltag-principaltags
	//
	PrincipalTags interface{} `field:"optional" json:"principalTags" yaml:"principalTags"`
	// Use a default set of mappings between claims and tags for this provider, instead of a custom map.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolprincipaltag.html#cfn-cognito-identitypoolprincipaltag-usedefaults
	//
	UseDefaults interface{} `field:"optional" json:"useDefaults" yaml:"useDefaults"`
}
Properties for defining a `CfnIdentityPoolPrincipalTag`.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
	cognito "github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
	"github.com/aws/jsii-runtime-go"
)

var principalTags interface{}

cfnIdentityPoolPrincipalTagProps := &cognito.CfnIdentityPoolPrincipalTagProps{
	IdentityPoolId:       jsii.String("identityPoolId"),
	IdentityProviderName: jsii.String("identityProviderName"),

	// the properties below are optional
	PrincipalTags: principalTags,
	UseDefaults:   jsii.Boolean(false),
}
type CfnIdentityPoolProps
type CfnIdentityPoolProps struct {
	// Specifies whether the identity pool supports unauthenticated logins.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html#cfn-cognito-identitypool-allowunauthenticatedidentities
	//
	AllowUnauthenticatedIdentities interface{} `field:"required" json:"allowUnauthenticatedIdentities" yaml:"allowUnauthenticatedIdentities"`
	// Enables the Basic (Classic) authentication flow.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html#cfn-cognito-identitypool-allowclassicflow
	//
	AllowClassicFlow interface{} `field:"optional" json:"allowClassicFlow" yaml:"allowClassicFlow"`
	// The events to configure.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html#cfn-cognito-identitypool-cognitoevents
	//
	CognitoEvents interface{} `field:"optional" json:"cognitoEvents" yaml:"cognitoEvents"`
	// The Amazon Cognito user pools and their client IDs.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html#cfn-cognito-identitypool-cognitoidentityproviders
	//
	CognitoIdentityProviders interface{} `field:"optional" json:"cognitoIdentityProviders" yaml:"cognitoIdentityProviders"`
	// Configuration options for configuring Amazon Cognito streams.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html#cfn-cognito-identitypool-cognitostreams
	//
	CognitoStreams interface{} `field:"optional" json:"cognitoStreams" yaml:"cognitoStreams"`
	// The "domain" Amazon Cognito uses when referencing your users.
	//
	// This name acts as a placeholder that allows your backend and the Amazon Cognito service to communicate about the developer provider. For the `DeveloperProviderName`, you can use letters and periods (.), underscores (_), and dashes (-).
	//
	// *Minimum length* : 1
	//
	// *Maximum length* : 100.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html#cfn-cognito-identitypool-developerprovidername
	//
	DeveloperProviderName *string `field:"optional" json:"developerProviderName" yaml:"developerProviderName"`
	// The name of your Amazon Cognito identity pool.
	//
	// *Minimum length* : 1
	//
	// *Maximum length* : 128
	//
	// *Pattern* : `[\w\s+=,.@-]+`
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html#cfn-cognito-identitypool-identitypoolname
	//
	IdentityPoolName *string `field:"optional" json:"identityPoolName" yaml:"identityPoolName"`
	// Tags to assign to the identity pool.
	//
	// A tag is a label that you can apply to identity pools to categorize and manage them in different ways, such as by purpose, owner, environment, or other criteria.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html#cfn-cognito-identitypool-identitypooltags
	//
	IdentityPoolTags *[]*awscdk.CfnTag `field:"optional" json:"identityPoolTags" yaml:"identityPoolTags"`
	// The Amazon Resource Names (ARNs) of the OpenID connect providers.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html#cfn-cognito-identitypool-openidconnectproviderarns
	//
	OpenIdConnectProviderArns *[]*string `field:"optional" json:"openIdConnectProviderArns" yaml:"openIdConnectProviderArns"`
	// The configuration options to be applied to the identity pool.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html#cfn-cognito-identitypool-pushsync
	//
	PushSync interface{} `field:"optional" json:"pushSync" yaml:"pushSync"`
	// The Amazon Resource Names (ARNs) of the Security Assertion Markup Language (SAML) providers.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html#cfn-cognito-identitypool-samlproviderarns
	//
	SamlProviderArns *[]*string `field:"optional" json:"samlProviderArns" yaml:"samlProviderArns"`
	// Key-value pairs that map provider names to provider app IDs.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html#cfn-cognito-identitypool-supportedloginproviders
	//
	SupportedLoginProviders interface{} `field:"optional" json:"supportedLoginProviders" yaml:"supportedLoginProviders"`
}
Properties for defining a `CfnIdentityPool`.
Example:
import (
	cognito "github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
	iam "github.com/aws/aws-cdk-go/awscdk/v2/awsiam"
	"github.com/aws/jsii-runtime-go"
)

var myProvider iam.OpenIdConnectProvider

cognito.NewCfnIdentityPool(this, jsii.String("IdentityPool"), &cognito.CfnIdentityPoolProps{
	OpenIdConnectProviderArns: &[]*string{
		myProvider.OpenIdConnectProviderArn(),
	},
	// And the other properties for your identity pool
	AllowUnauthenticatedIdentities: jsii.Boolean(false),
})
See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html
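`AllowUnauthenticatedIdentities` and `AllowClassicFlow` are typed `interface{}`, so the synthesized template may carry a literal boolean, a string, or an unresolved intrinsic. The following is an added example, not code from the CDK or its documentation: a standard-library Go check that parses a template and lists `AWS::Cognito::IdentityPool` resources where either property is enabled, missing when required, or not decidable from the template alone. The names `sampleTemplate`, `Finding`, `boolState` and `LintIdentityPools` are hypothetical, and the template is constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// sampleTemplate is constructed for this example; it is not output from a real stack.
const sampleTemplate = `{
  "Resources": {
    "GuestPool": {
      "Type": "AWS::Cognito::IdentityPool",
      "Properties": { "AllowUnauthenticatedIdentities": true, "AllowClassicFlow": "true" }
    },
    "ParamPool": {
      "Type": "AWS::Cognito::IdentityPool",
      "Properties": { "AllowUnauthenticatedIdentities": { "Ref": "AllowGuests" } }
    },
    "StrictPool": {
      "Type": "AWS::Cognito::IdentityPool",
      "Properties": { "AllowUnauthenticatedIdentities": false }
    },
    "Users": { "Type": "AWS::Cognito::UserPool", "Properties": {} }
  }
}`

// Finding is one property of one identity pool that needs review.
type Finding struct {
	LogicalID string
	Property  string
	Reason    string
}

// boolState classifies a CloudFormation boolean property value. CloudFormation
// accepts JSON booleans and the strings "true"/"false"; anything else (for
// example an intrinsic such as {"Ref": ...}) cannot be decided statically.
func boolState(v interface{}, present bool) string {
	if !present {
		return "unset"
	}
	switch t := v.(type) {
	case bool:
		if t {
			return "true"
		}
		return "false"
	case string:
		if s := strings.ToLower(t); s == "true" || s == "false" {
			return s
		}
	}
	return "unresolved"
}

// LintIdentityPools returns findings in a stable order (sorted by logical ID).
func LintIdentityPools(template []byte) ([]Finding, error) {
	var doc struct {
		Resources map[string]struct {
			Type       string
			Properties map[string]interface{}
		}
	}
	if err := json.Unmarshal(template, &doc); err != nil {
		return nil, fmt.Errorf("parse template: %w", err)
	}
	ids := make([]string, 0, len(doc.Resources))
	for id := range doc.Resources {
		ids = append(ids, id)
	}
	sort.Strings(ids)

	var findings []Finding
	for _, id := range ids {
		res := doc.Resources[id]
		if res.Type != "AWS::Cognito::IdentityPool" {
			continue
		}
		for _, prop := range []string{"AllowUnauthenticatedIdentities", "AllowClassicFlow"} {
			v, ok := res.Properties[prop]
			switch boolState(v, ok) {
			case "true":
				findings = append(findings, Finding{id, prop, "enabled"})
			case "unresolved":
				findings = append(findings, Finding{id, prop, "not a literal boolean, review the resolved value"})
			case "unset":
				// Only AllowUnauthenticatedIdentities is marked required on this page.
				if prop == "AllowUnauthenticatedIdentities" {
					findings = append(findings, Finding{id, prop, "required property missing"})
				}
			}
		}
	}
	return findings, nil
}

func main() {
	findings, err := LintIdentityPools([]byte(sampleTemplate))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s.%s: %s\n", f.LogicalID, f.Property, f.Reason)
	}
}
```

Run it against the JSON template that `cdk synth` writes to `cdk.out` and fail the pipeline when the returned slice is non-empty, unless the pool is on a reviewed allow-list.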
type CfnIdentityPoolRoleAttachment
type CfnIdentityPoolRoleAttachment interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// The resource ID.
	AttrId() *string
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// An identity pool ID in the format `REGION:GUID`.
	IdentityPoolId() *string
	SetIdentityPoolId(val *string)
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// The tree node.
	Node() constructs.Node
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// How users for a specific identity provider are mapped to roles.
	RoleMappings() interface{}
	SetRoleMappings(val interface{})
	// The map of the roles associated with this pool.
	Roles() interface{}
	SetRoles(val interface{})
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// Deprecated.
	// Deprecated: use `updatedProperties`
	//
	// Return properties modified after initiation
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperties() *map[string]interface{}
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependency(target awscdk.CfnResource)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	// Deprecated: use addDependency.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// ```typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// ```
	// would add the overrides
	// ```json
	// "Properties": {
	//   "GlobalSecondaryIndexes": [
	//     {
	//       "Projection": {
	//         "NonKeyAttributes": [ "myattribute" ]
	//         ...
	//       }
	//       ...
	//     },
	//     {
	//       "ProjectionType": "INCLUDE"
	//       ...
	//     },
	//   ]
	//   ...
	// }
	// ```
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found in the following link:
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for a runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string, typeHint awscdk.ResolutionTypeHint) awscdk.Reference
	// Retrieve a value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Retrieves an array of resources this resource depends on.
	//
	// This assembles dependencies on resources across stacks (including nested stacks)
	// automatically.
	ObtainDependencies() *[]interface{}
	// Get a shallow copy of dependencies between this resource and other resources in the same stack.
	ObtainResourceDependencies() *[]awscdk.CfnResource
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	// Indicates that this resource no longer depends on another resource.
	//
	// This can be used for resources across stacks (including nested stacks)
	// and the dependency will automatically be removed from the relevant scope.
	RemoveDependency(target awscdk.CfnResource)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Replaces one dependency with another.
	ReplaceDependency(target awscdk.CfnResource, newTarget awscdk.CfnResource)
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` if the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	ValidateProperties(_properties interface{})
}
The `AWS::Cognito::IdentityPoolRoleAttachment` resource manages the role configuration for an Amazon Cognito identity pool.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
	"github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
	"github.com/aws/jsii-runtime-go"
)

var roles interface{}

// `this` is the enclosing construct scope (for example, the stack).
cfnIdentityPoolRoleAttachment := awscognito.NewCfnIdentityPoolRoleAttachment(this, jsii.String("MyCfnIdentityPoolRoleAttachment"), &awscognito.CfnIdentityPoolRoleAttachmentProps{
	IdentityPoolId: jsii.String("identityPoolId"),

	// the properties below are optional
	RoleMappings: map[string]interface{}{
		"roleMappingsKey": &awscognito.CfnIdentityPoolRoleAttachment_RoleMappingProperty{
			Type: jsii.String("type"),

			// the properties below are optional
			AmbiguousRoleResolution: jsii.String("ambiguousRoleResolution"),
			IdentityProvider: jsii.String("identityProvider"),
			RulesConfiguration: &awscognito.CfnIdentityPoolRoleAttachment_RulesConfigurationTypeProperty{
				Rules: []interface{}{
					&awscognito.CfnIdentityPoolRoleAttachment_MappingRuleProperty{
						Claim: jsii.String("claim"),
						MatchType: jsii.String("matchType"),
						RoleArn: jsii.String("roleArn"),
						Value: jsii.String("value"),
					},
				},
			},
		},
	},
	Roles: roles,
})
func NewCfnIdentityPoolRoleAttachment
func NewCfnIdentityPoolRoleAttachment(scope constructs.Construct, id *string, props *CfnIdentityPoolRoleAttachmentProps) CfnIdentityPoolRoleAttachment
type CfnIdentityPoolRoleAttachmentProps
type CfnIdentityPoolRoleAttachmentProps struct {
	// An identity pool ID in the format `REGION:GUID`.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html#cfn-cognito-identitypoolroleattachment-identitypoolid
	//
	IdentityPoolId *string `field:"required" json:"identityPoolId" yaml:"identityPoolId"`
	// How users for a specific identity provider are mapped to roles.
	//
	// This is a string to the `RoleMapping` object map. The string identifies the identity provider. For example: `graph.facebook.com` or `cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id`.
	//
	// If the `IdentityProvider` field isn't provided in this object, the string is used as the identity provider name.
	//
	// For more information, see the [RoleMapping property](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-rolemapping.html).
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html#cfn-cognito-identitypoolroleattachment-rolemappings
	//
	RoleMappings interface{} `field:"optional" json:"roleMappings" yaml:"roleMappings"`
	// The map of the roles associated with this pool.
	//
	// For a given role, the key is either "authenticated" or "unauthenticated". The value is the role ARN.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html#cfn-cognito-identitypoolroleattachment-roles
	//
	Roles interface{} `field:"optional" json:"roles" yaml:"roles"`
}
Properties for defining a `CfnIdentityPoolRoleAttachment`.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
	"github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
	"github.com/aws/jsii-runtime-go"
)

var roles interface{}

cfnIdentityPoolRoleAttachmentProps := &awscognito.CfnIdentityPoolRoleAttachmentProps{
	IdentityPoolId: jsii.String("identityPoolId"),

	// the properties below are optional
	RoleMappings: map[string]interface{}{
		"roleMappingsKey": &awscognito.CfnIdentityPoolRoleAttachment_RoleMappingProperty{
			Type: jsii.String("type"),

			// the properties below are optional
			AmbiguousRoleResolution: jsii.String("ambiguousRoleResolution"),
			IdentityProvider: jsii.String("identityProvider"),
			RulesConfiguration: &awscognito.CfnIdentityPoolRoleAttachment_RulesConfigurationTypeProperty{
				Rules: []interface{}{
					&awscognito.CfnIdentityPoolRoleAttachment_MappingRuleProperty{
						Claim: jsii.String("claim"),
						MatchType: jsii.String("matchType"),
						RoleArn: jsii.String("roleArn"),
						Value: jsii.String("value"),
					},
				},
			},
		},
	},
	Roles: roles,
}
type CfnIdentityPoolRoleAttachment_MappingRuleProperty
type CfnIdentityPoolRoleAttachment_MappingRuleProperty struct {
	// The claim name that must be present in the token.
	//
	// For example: "isAdmin" or "paid".
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-mappingrule.html#cfn-cognito-identitypoolroleattachment-mappingrule-claim
	//
	Claim *string `field:"required" json:"claim" yaml:"claim"`
	// The match condition that specifies how closely the claim value in the IdP token must match `Value`.
	//
	// Valid values are: `Equals`, `Contains`, `StartsWith`, and `NotEqual`.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-mappingrule.html#cfn-cognito-identitypoolroleattachment-mappingrule-matchtype
	//
	MatchType *string `field:"required" json:"matchType" yaml:"matchType"`
	// The Amazon Resource Name (ARN) of the role.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-mappingrule.html#cfn-cognito-identitypoolroleattachment-mappingrule-rolearn
	//
	RoleArn *string `field:"required" json:"roleArn" yaml:"roleArn"`
	// A brief string that the claim must match.
	//
	// For example, "paid" or "yes".
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-mappingrule.html#cfn-cognito-identitypoolroleattachment-mappingrule-value
	//
	Value *string `field:"required" json:"value" yaml:"value"`
}
Defines how to map a claim to a role ARN.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
	"github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
	"github.com/aws/jsii-runtime-go"
)

mappingRuleProperty := &awscognito.CfnIdentityPoolRoleAttachment_MappingRuleProperty{
	Claim: jsii.String("claim"),
	MatchType: jsii.String("matchType"),
	RoleArn: jsii.String("roleArn"),
	Value: jsii.String("value"),
}
type CfnIdentityPoolRoleAttachment_RoleMappingProperty
type CfnIdentityPoolRoleAttachment_RoleMappingProperty struct {
	// The role mapping type.
	//
	// Token will use `cognito:roles` and `cognito:preferred_role` claims from the Cognito identity provider token to map groups to roles. Rules will attempt to match claims from the token to map to a role.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-rolemapping.html#cfn-cognito-identitypoolroleattachment-rolemapping-type
	//
	Type *string `field:"required" json:"type" yaml:"type"`
	// If you specify Token or Rules as the `Type`, `AmbiguousRoleResolution` is required.
	//
	// Specifies the action to be taken if either no rules match the claim value for the `Rules` type, or there is no `cognito:preferred_role` claim and there are multiple `cognito:roles` matches for the `Token` type.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-rolemapping.html#cfn-cognito-identitypoolroleattachment-rolemapping-ambiguousroleresolution
	//
	AmbiguousRoleResolution *string `field:"optional" json:"ambiguousRoleResolution" yaml:"ambiguousRoleResolution"`
	// Identifier for the identity provider for which the role is mapped.
	//
	// For example: `graph.facebook.com` or `cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id`. This is the identity provider that is used by the user for authentication.
	//
	// If the identity provider property isn't provided, the key of the entry in the `RoleMappings` map is used as the identity provider.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-rolemapping.html#cfn-cognito-identitypoolroleattachment-rolemapping-identityprovider
	//
	IdentityProvider *string `field:"optional" json:"identityProvider" yaml:"identityProvider"`
	// The rules to be used for mapping users to roles.
	//
	// If you specify "Rules" as the role-mapping type, RulesConfiguration is required.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-rolemapping.html#cfn-cognito-identitypoolroleattachment-rolemapping-rulesconfiguration
	//
	RulesConfiguration interface{} `field:"optional" json:"rulesConfiguration" yaml:"rulesConfiguration"`
}
One of a set of `RoleMappings` , a property of the [AWS::Cognito::IdentityPoolRoleAttachment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html) resource that defines the role-mapping attributes of an Amazon Cognito identity pool.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
	"github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
	"github.com/aws/jsii-runtime-go"
)

roleMappingProperty := &awscognito.CfnIdentityPoolRoleAttachment_RoleMappingProperty{
	Type: jsii.String("type"),

	// the properties below are optional
	AmbiguousRoleResolution: jsii.String("ambiguousRoleResolution"),
	IdentityProvider: jsii.String("identityProvider"),
	RulesConfiguration: &awscognito.CfnIdentityPoolRoleAttachment_RulesConfigurationTypeProperty{
		Rules: []interface{}{
			&awscognito.CfnIdentityPoolRoleAttachment_MappingRuleProperty{
				Claim: jsii.String("claim"),
				MatchType: jsii.String("matchType"),
				RoleArn: jsii.String("roleArn"),
				Value: jsii.String("value"),
			},
		},
	},
}
type CfnIdentityPoolRoleAttachment_RulesConfigurationTypeProperty
type CfnIdentityPoolRoleAttachment_RulesConfigurationTypeProperty struct {
	// The rules.
	//
	// You can specify up to 25 rules per identity provider.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-rulesconfigurationtype.html#cfn-cognito-identitypoolroleattachment-rulesconfigurationtype-rules
	//
	Rules interface{} `field:"required" json:"rules" yaml:"rules"`
}
`RulesConfigurationType` is a subproperty of the [RoleMapping](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-rolemapping.html) property that defines the rules to be used for mapping users to roles.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
	"github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
	"github.com/aws/jsii-runtime-go"
)

rulesConfigurationTypeProperty := &awscognito.CfnIdentityPoolRoleAttachment_RulesConfigurationTypeProperty{
	Rules: []interface{}{
		&awscognito.CfnIdentityPoolRoleAttachment_MappingRuleProperty{
			Claim: jsii.String("claim"),
			MatchType: jsii.String("matchType"),
			RoleArn: jsii.String("roleArn"),
			Value: jsii.String("value"),
		},
	},
}
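The role-mapping constraints documented above (required `AmbiguousRoleResolution`, the four `MatchType` values, the 25-rule limit) can be checked before a stack is deployed. The following is an added example, not code from the CDK project: `MappingRule`, `RoleMapping`, `Lint`, `Resolve` and `sampleMapping` are hypothetical local stand-ins, the `AuthenticatedRole`/`Deny` values come from the CloudFormation reference rather than this page, and first-match rule ordering is an assumption of the model.

```go
package main

import (
	"fmt"
	"strings"
)

// MappingRule and RoleMapping mirror the fields of MappingRuleProperty and
// RoleMappingProperty; they are local stand-ins, not the CDK types.
type MappingRule struct{ Claim, MatchType, RoleArn, Value string }

type RoleMapping struct {
	Type                    string // "Token" or "Rules"
	AmbiguousRoleResolution string // "AuthenticatedRole" or "Deny"
	Rules                   []MappingRule
}

const maxRules = 25 // "up to 25 rules per identity provider"

// matches applies one of the four documented match types to a claim value.
func matches(matchType, got, want string) bool {
	switch matchType {
	case "Equals":
		return got == want
	case "Contains":
		return strings.Contains(got, want)
	case "StartsWith":
		return strings.HasPrefix(got, want)
	case "NotEqual":
		return got != want
	}
	return false
}

// Lint reports violations of the constraints stated in the struct docs.
func Lint(m RoleMapping) []string {
	var out []string
	if m.Type != "Token" && m.Type != "Rules" {
		out = append(out, fmt.Sprintf("Type %q is not Token or Rules", m.Type))
	}
	if m.AmbiguousRoleResolution != "AuthenticatedRole" && m.AmbiguousRoleResolution != "Deny" {
		out = append(out, "AmbiguousRoleResolution must be AuthenticatedRole or Deny")
	}
	if m.Type == "Rules" && len(m.Rules) == 0 {
		out = append(out, "Type Rules requires RulesConfiguration rules")
	}
	if len(m.Rules) > maxRules {
		out = append(out, fmt.Sprintf("%d rules exceeds the limit of %d", len(m.Rules), maxRules))
	}
	for i, r := range m.Rules {
		if r.Claim == "" || r.RoleArn == "" || r.Value == "" {
			out = append(out, fmt.Sprintf("rule %d: Claim, RoleArn and Value are required", i))
		}
		switch r.MatchType {
		case "Equals", "Contains", "StartsWith", "NotEqual":
		default:
			out = append(out, fmt.Sprintf("rule %d: invalid MatchType %q", i, r.MatchType))
		}
	}
	return out
}

// Resolve models rule-based role selection for one authenticated identity.
// Assumptions: rules are tried in order and the first match wins; a rule
// matches only when its claim is present in the token.
func Resolve(m RoleMapping, claims map[string]string, authenticatedRole string) (string, bool) {
	for _, r := range m.Rules {
		if got, present := claims[r.Claim]; present && matches(r.MatchType, got, r.Value) {
			return r.RoleArn, true
		}
	}
	if m.AmbiguousRoleResolution == "AuthenticatedRole" {
		return authenticatedRole, true // fall back to the pool's authenticated role
	}
	return "", false // Deny: no role, so no credentials
}

// sampleMapping is constructed data; the account ID and role names are placeholders.
func sampleMapping(resolution string) RoleMapping {
	return RoleMapping{
		Type: "Rules", AmbiguousRoleResolution: resolution,
		Rules: []MappingRule{
			{Claim: "isAdmin", MatchType: "Equals", RoleArn: "arn:aws:iam::111122223333:role/ExampleAdmin", Value: "yes"},
			{Claim: "paid", MatchType: "StartsWith", RoleArn: "arn:aws:iam::111122223333:role/ExamplePaid", Value: "y"},
		},
	}
}

func main() {
	m := sampleMapping("Deny")
	fmt.Println("findings:", Lint(m))
	role, ok := Resolve(m, map[string]string{"paid": "yes"}, "arn:aws:iam::111122223333:role/ExampleAuth")
	fmt.Println(role, ok)
	role, ok = Resolve(m, map[string]string{"tier": "free"}, "arn:aws:iam::111122223333:role/ExampleAuth")
	fmt.Println(role, ok)
}
```

With `Deny`, an identity whose token matches no rule gets no role; with `AuthenticatedRole` it silently receives the pool's default authenticated role, so that role should carry only the permissions every signed-in user may have.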
type CfnIdentityPool_CognitoIdentityProviderProperty
type CfnIdentityPool_CognitoIdentityProviderProperty struct {
	// The client ID for the Amazon Cognito user pool.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypool-cognitoidentityprovider.html#cfn-cognito-identitypool-cognitoidentityprovider-clientid
	//
	ClientId *string `field:"required" json:"clientId" yaml:"clientId"`
	// The provider name for an Amazon Cognito user pool.
	//
	// For example: `cognito-idp.us-east-2.amazonaws.com/us-east-2_123456789`.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypool-cognitoidentityprovider.html#cfn-cognito-identitypool-cognitoidentityprovider-providername
	//
	ProviderName *string `field:"required" json:"providerName" yaml:"providerName"`
	// TRUE if server-side token validation is enabled for the identity provider’s token.
	//
	// After you set the `ServerSideTokenCheck` to TRUE for an identity pool, that identity pool checks with the integrated user pools to make sure the user has not been globally signed out or deleted before the identity pool provides an OIDC token or AWS credentials for the user.
	//
	// If the user is signed out or deleted, the identity pool returns a 400 Not Authorized error.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypool-cognitoidentityprovider.html#cfn-cognito-identitypool-cognitoidentityprovider-serversidetokencheck
	//
	ServerSideTokenCheck interface{} `field:"optional" json:"serverSideTokenCheck" yaml:"serverSideTokenCheck"`
}
`CognitoIdentityProvider` is a property of the [AWS::Cognito::IdentityPool](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html) resource that represents an Amazon Cognito user pool and its client ID.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
	"github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
	"github.com/aws/jsii-runtime-go"
)

cognitoIdentityProviderProperty := &awscognito.CfnIdentityPool_CognitoIdentityProviderProperty{
	ClientId: jsii.String("clientId"),
	ProviderName: jsii.String("providerName"),

	// the properties below are optional
	ServerSideTokenCheck: jsii.Boolean(false),
}
type CfnIdentityPool_CognitoStreamsProperty
type CfnIdentityPool_CognitoStreamsProperty struct {
	// The Amazon Resource Name (ARN) of the role Amazon Cognito can assume to publish to the stream.
	//
	// This role must grant access to Amazon Cognito (cognito-sync) to invoke `PutRecord` on your Amazon Cognito stream.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypool-cognitostreams.html#cfn-cognito-identitypool-cognitostreams-rolearn
	//
	RoleArn *string `field:"optional" json:"roleArn" yaml:"roleArn"`
	// Status of the Amazon Cognito streams.
	//
	// Valid values are: `ENABLED` or `DISABLED`.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypool-cognitostreams.html#cfn-cognito-identitypool-cognitostreams-streamingstatus
	//
	StreamingStatus *string `field:"optional" json:"streamingStatus" yaml:"streamingStatus"`
	// The name of the Amazon Cognito stream to receive updates.
	//
	// This stream must be in the developer's account and in the same Region as the identity pool.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypool-cognitostreams.html#cfn-cognito-identitypool-cognitostreams-streamname
	//
	StreamName *string `field:"optional" json:"streamName" yaml:"streamName"`
}
`CognitoStreams` is a property of the [AWS::Cognito::IdentityPool](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html) resource that defines configuration options for Amazon Cognito streams.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
	"github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
	"github.com/aws/jsii-runtime-go"
)

cognitoStreamsProperty := &awscognito.CfnIdentityPool_CognitoStreamsProperty{
	RoleArn: jsii.String("roleArn"),
	StreamingStatus: jsii.String("streamingStatus"),
	StreamName: jsii.String("streamName"),
}
type CfnIdentityPool_PushSyncProperty
type CfnIdentityPool_PushSyncProperty struct {
	// The ARNs of the Amazon SNS platform applications that could be used by clients.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypool-pushsync.html#cfn-cognito-identitypool-pushsync-applicationarns
	//
	ApplicationArns *[]*string `field:"optional" json:"applicationArns" yaml:"applicationArns"`
	// An IAM role configured to allow Amazon Cognito to call Amazon SNS on behalf of the developer.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypool-pushsync.html#cfn-cognito-identitypool-pushsync-rolearn
	//
	RoleArn *string `field:"optional" json:"roleArn" yaml:"roleArn"`
}
`PushSync` is a property of the [AWS::Cognito::IdentityPool](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html) resource that defines the configuration options to be applied to an Amazon Cognito identity pool.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
	"github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
	"github.com/aws/jsii-runtime-go"
)

pushSyncProperty := &awscognito.CfnIdentityPool_PushSyncProperty{
	ApplicationArns: &[]*string{
		jsii.String("applicationArns"),
	},
	RoleArn: jsii.String("roleArn"),
}
type CfnLogDeliveryConfiguration added in v2.101.0
type CfnLogDeliveryConfiguration interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// A user pool ID, for example `us-east-1_EXAMPLE`.
	AttrId() *string
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// A logging destination of a user pool.
	LogConfigurations() interface{}
	SetLogConfigurations(val interface{})
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// The tree node.
	Node() constructs.Node
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// Deprecated.
	// Deprecated: use `updatedProperties`
	//
	// Return properties modified after initiation
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperties() *map[string]interface{}
	// The ID of the user pool where you configured logging.
	UserPoolId() *string
	SetUserPoolId(val *string)
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependency(target awscdk.CfnResource)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	// Deprecated: use addDependency.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// ```typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// ```
	// would add the overrides
	// ```json
	// "Properties": {
	//   "GlobalSecondaryIndexes": [
	//     {
	//       "Projection": {
	//         "NonKeyAttributes": [ "myattribute" ]
	//         ...
	//       }
	//       ...
	//     },
	//     {
	//       "ProjectionType": "INCLUDE"
	//       ...
	//     },
	//   ]
	//   ...
	// }
	// ```
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found in the following link:
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for a runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string, typeHint awscdk.ResolutionTypeHint) awscdk.Reference
	// Retrieve a value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Retrieves an array of resources this resource depends on.
	//
	// This assembles dependencies on resources across stacks (including nested stacks)
	// automatically.
	ObtainDependencies() *[]interface{}
	// Get a shallow copy of dependencies between this resource and other resources in the same stack.
	ObtainResourceDependencies() *[]awscdk.CfnResource
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	// Indicates that this resource no longer depends on another resource.
	//
	// This can be used for resources across stacks (including nested stacks)
	// and the dependency will automatically be removed from the relevant scope.
	RemoveDependency(target awscdk.CfnResource)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Replaces one dependency with another.
	ReplaceDependency(target awscdk.CfnResource, newTarget awscdk.CfnResource)
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` if the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	ValidateProperties(_properties interface{})
}
Sets up or modifies the logging configuration of a user pool.
User pools can export user notification logs and, when threat protection is active, user-activity logs. For more information, see [Exporting user pool logs](https://docs.aws.amazon.com/cognito/latest/developerguide/exporting-quotas-and-usage.html) .
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
	"github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
	"github.com/aws/jsii-runtime-go"
)

// `this` is the enclosing construct scope (for example, the stack).
cfnLogDeliveryConfiguration := awscognito.NewCfnLogDeliveryConfiguration(this, jsii.String("MyCfnLogDeliveryConfiguration"), &awscognito.CfnLogDeliveryConfigurationProps{
	UserPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	LogConfigurations: []interface{}{
		&awscognito.CfnLogDeliveryConfiguration_LogConfigurationProperty{
			CloudWatchLogsConfiguration: &awscognito.CfnLogDeliveryConfiguration_CloudWatchLogsConfigurationProperty{
				LogGroupArn: jsii.String("logGroupArn"),
			},
			EventSource: jsii.String("eventSource"),
			FirehoseConfiguration: &awscognito.CfnLogDeliveryConfiguration_FirehoseConfigurationProperty{
				StreamArn: jsii.String("streamArn"),
			},
			LogLevel: jsii.String("logLevel"),
			S3Configuration: &awscognito.CfnLogDeliveryConfiguration_S3ConfigurationProperty{
				BucketArn: jsii.String("bucketArn"),
			},
		},
	},
})
func NewCfnLogDeliveryConfiguration added in v2.101.0
func NewCfnLogDeliveryConfiguration(scope constructs.Construct, id *string, props *CfnLogDeliveryConfigurationProps) CfnLogDeliveryConfiguration
type CfnLogDeliveryConfigurationProps added in v2.101.0
type CfnLogDeliveryConfigurationProps struct {
	// The ID of the user pool where you configured logging.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-logdeliveryconfiguration.html#cfn-cognito-logdeliveryconfiguration-userpoolid
	//
	UserPoolId *string `field:"required" json:"userPoolId" yaml:"userPoolId"`
	// A logging destination of a user pool.
	//
	// User pools can have multiple logging destinations for message-delivery and user-activity logs.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-logdeliveryconfiguration.html#cfn-cognito-logdeliveryconfiguration-logconfigurations
	//
	LogConfigurations interface{} `field:"optional" json:"logConfigurations" yaml:"logConfigurations"`
}
Properties for defining a `CfnLogDeliveryConfiguration`.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
	"github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
	"github.com/aws/jsii-runtime-go"
)

cfnLogDeliveryConfigurationProps := &awscognito.CfnLogDeliveryConfigurationProps{
	UserPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	LogConfigurations: []interface{}{
		&awscognito.CfnLogDeliveryConfiguration_LogConfigurationProperty{
			CloudWatchLogsConfiguration: &awscognito.CfnLogDeliveryConfiguration_CloudWatchLogsConfigurationProperty{
				LogGroupArn: jsii.String("logGroupArn"),
			},
			EventSource: jsii.String("eventSource"),
			FirehoseConfiguration: &awscognito.CfnLogDeliveryConfiguration_FirehoseConfigurationProperty{
				StreamArn: jsii.String("streamArn"),
			},
			LogLevel: jsii.String("logLevel"),
			S3Configuration: &awscognito.CfnLogDeliveryConfiguration_S3ConfigurationProperty{
				BucketArn: jsii.String("bucketArn"),
			},
		},
	},
}
type CfnLogDeliveryConfiguration_CloudWatchLogsConfigurationProperty ¶ added in v2.101.0
type CfnLogDeliveryConfiguration_CloudWatchLogsConfigurationProperty struct {
	// The Amazon Resource Name (arn) of a CloudWatch Logs log group where your user pool sends logs.
	//
	// The log group must not be encrypted with AWS Key Management Service and must be in the same AWS account as your user pool.
	//
	// To send logs to log groups with a resource policy of a size greater than 5120 characters, configure a log group with a path that starts with `/aws/vendedlogs`. For more information, see [Enabling logging from certain AWS services](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html).
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-cloudwatchlogsconfiguration.html#cfn-cognito-logdeliveryconfiguration-cloudwatchlogsconfiguration-loggrouparn
	//
	LogGroupArn *string `field:"optional" json:"logGroupArn" yaml:"logGroupArn"`
}
Configuration for the CloudWatch log group destination of user pool detailed activity logging, or of user activity log export with advanced security features.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
	"github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
	"github.com/aws/jsii-runtime-go"
)

cloudWatchLogsConfigurationProperty := &awscognito.CfnLogDeliveryConfiguration_CloudWatchLogsConfigurationProperty{
	LogGroupArn: jsii.String("logGroupArn"),
}
type CfnLogDeliveryConfiguration_FirehoseConfigurationProperty ¶ added in v2.154.0
type CfnLogDeliveryConfiguration_FirehoseConfigurationProperty struct {
	// The ARN of an Amazon Data Firehose stream that's the destination for threat protection log export.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-firehoseconfiguration.html#cfn-cognito-logdeliveryconfiguration-firehoseconfiguration-streamarn
	//
	StreamArn *string `field:"optional" json:"streamArn" yaml:"streamArn"`
}
Configuration for the Amazon Data Firehose stream destination of user activity log export with threat protection.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
	"github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
	"github.com/aws/jsii-runtime-go"
)

firehoseConfigurationProperty := &awscognito.CfnLogDeliveryConfiguration_FirehoseConfigurationProperty{
	StreamArn: jsii.String("streamArn"),
}
type CfnLogDeliveryConfiguration_LogConfigurationProperty ¶ added in v2.101.0
type CfnLogDeliveryConfiguration_LogConfigurationProperty struct {
	// Configuration for the CloudWatch log group destination of user pool detailed activity logging, or of user activity log export with advanced security features.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-logconfiguration.html#cfn-cognito-logdeliveryconfiguration-logconfiguration-cloudwatchlogsconfiguration
	//
	CloudWatchLogsConfiguration interface{} `field:"optional" json:"cloudWatchLogsConfiguration" yaml:"cloudWatchLogsConfiguration"`
	// The source of events that your user pool sends for logging.
	//
	// To send error-level logs about user notification activity, set to `userNotification`. To send info-level logs about threat-protection user activity in user pools with the Plus feature plan, set to `userAuthEvents`.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-logconfiguration.html#cfn-cognito-logdeliveryconfiguration-logconfiguration-eventsource
	//
	EventSource *string `field:"optional" json:"eventSource" yaml:"eventSource"`
	// Configuration for the Amazon Data Firehose stream destination of user activity log export with threat protection.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-logconfiguration.html#cfn-cognito-logdeliveryconfiguration-logconfiguration-firehoseconfiguration
	//
	FirehoseConfiguration interface{} `field:"optional" json:"firehoseConfiguration" yaml:"firehoseConfiguration"`
	// The `errorlevel` selection of logs that a user pool sends for detailed activity logging.
	//
	// To send `userNotification` activity with [information about message delivery](https://docs.aws.amazon.com/cognito/latest/developerguide/exporting-quotas-and-usage.html), choose `ERROR` with `CloudWatchLogsConfiguration`. To send `userAuthEvents` activity with user logs from threat protection with the Plus feature plan, choose `INFO` with one of `CloudWatchLogsConfiguration`, `FirehoseConfiguration`, or `S3Configuration`.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-logconfiguration.html#cfn-cognito-logdeliveryconfiguration-logconfiguration-loglevel
	//
	LogLevel *string `field:"optional" json:"logLevel" yaml:"logLevel"`
	// Configuration for the Amazon S3 bucket destination of user activity log export with threat protection.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-logconfiguration.html#cfn-cognito-logdeliveryconfiguration-logconfiguration-s3configuration
	//
	S3Configuration interface{} `field:"optional" json:"s3Configuration" yaml:"s3Configuration"`
}
The configuration of user event logs to an external AWS service like Amazon Data Firehose, Amazon S3, or Amazon CloudWatch Logs.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
	"github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
	"github.com/aws/jsii-runtime-go"
)

logConfigurationProperty := &awscognito.CfnLogDeliveryConfiguration_LogConfigurationProperty{
	CloudWatchLogsConfiguration: &awscognito.CfnLogDeliveryConfiguration_CloudWatchLogsConfigurationProperty{
		LogGroupArn: jsii.String("logGroupArn"),
	},
	EventSource: jsii.String("eventSource"),
	FirehoseConfiguration: &awscognito.CfnLogDeliveryConfiguration_FirehoseConfigurationProperty{
		StreamArn: jsii.String("streamArn"),
	},
	LogLevel: jsii.String("logLevel"),
	S3Configuration: &awscognito.CfnLogDeliveryConfiguration_S3ConfigurationProperty{
		BucketArn: jsii.String("bucketArn"),
	},
}
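The `EventSource`, `LogLevel` and destination pairing rules stated in the property comments above can be checked before deployment. The following is an added example, not code from the CDK project: the `LogConfig` and `Finding` types, the rule names and the sample ARNs are constructed for illustration, and it reads "one of" as exactly one destination per entry.

```go
package main

import (
	"fmt"
	"strings"
)

// LogConfig mirrors LogConfigurationProperty with plain strings.
// Hypothetical local type for this example; "" means the field is unset.
type LogConfig struct {
	EventSource string
	LogLevel    string
	LogGroupArn string // CloudWatchLogsConfiguration.LogGroupArn
	StreamArn   string // FirehoseConfiguration.StreamArn
	BucketArn   string // S3Configuration.BucketArn
}

// Finding is one violated rule. Rule names are invented for this example.
type Finding struct {
	Rule   string
	Detail string
}

// arnField returns field idx of arn:partition:service:region:account:resource,
// or "" when s is not shaped like an ARN.
func arnField(s string, idx int) string {
	parts := strings.SplitN(s, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" {
		return ""
	}
	return parts[idx]
}

// Validate checks one entry against the pairing rules in the property docs.
// userPoolAccount is the account ID that owns the user pool.
func Validate(c LogConfig, userPoolAccount string) []Finding {
	var out []Finding
	add := func(rule, format string, args ...interface{}) {
		out = append(out, Finding{Rule: rule, Detail: fmt.Sprintf(format, args...)})
	}

	// Each destination ARN must belong to the service its field names.
	dests := []struct{ field, service, arn string }{
		{"CloudWatchLogsConfiguration", "logs", c.LogGroupArn},
		{"FirehoseConfiguration", "firehose", c.StreamArn},
		{"S3Configuration", "s3", c.BucketArn},
	}
	set := 0
	for _, d := range dests {
		if d.arn == "" {
			continue
		}
		set++
		if arnField(d.arn, 2) != d.service {
			add("arn-service", "%s: %q is not a %s ARN", d.field, d.arn, d.service)
		}
	}
	// Assumption: "one of" is read as exactly one destination per entry.
	if set != 1 {
		add("one-destination", "want exactly one destination, found %d", set)
	}

	switch c.EventSource {
	case "userNotification": // error-level message-delivery logs
		if c.LogLevel != "ERROR" {
			add("log-level", "userNotification needs LogLevel ERROR, got %q", c.LogLevel)
		}
		if c.LogGroupArn == "" {
			add("destination-type", "userNotification needs CloudWatchLogsConfiguration")
		}
	case "userAuthEvents": // info-level threat-protection user activity
		if c.LogLevel != "INFO" {
			add("log-level", "userAuthEvents needs LogLevel INFO, got %q", c.LogLevel)
		}
	default:
		add("event-source", "unknown EventSource %q", c.EventSource)
	}

	// The log group must be in the same AWS account as the user pool.
	if c.LogGroupArn != "" && arnField(c.LogGroupArn, 4) != userPoolAccount {
		add("cross-account", "log group %q is not in account %s", c.LogGroupArn, userPoolAccount)
	}
	return out
}

func main() {
	const account = "111122223333" // constructed account ID
	entries := []LogConfig{ // constructed sample entries
		{EventSource: "userAuthEvents", LogLevel: "INFO", BucketArn: "arn:aws:s3:::example-cognito-auth-logs"},
		{EventSource: "userNotification", LogLevel: "INFO", LogGroupArn: "arn:aws:logs:us-east-1:444455556666:log-group:/aws/vendedlogs/cognito:*"},
	}
	for i, e := range entries {
		for _, f := range Validate(e, account) {
			fmt.Printf("entry %d: [%s] %s\n", i, f.Rule, f.Detail)
		}
	}
}
```

The check cannot see whether a log group is KMS-encrypted, so that requirement still has to be verified against the log group itself.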
type CfnLogDeliveryConfiguration_S3ConfigurationProperty ¶ added in v2.154.0
type CfnLogDeliveryConfiguration_S3ConfigurationProperty struct {
	// The ARN of an Amazon S3 bucket that's the destination for threat protection log export.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-s3configuration.html#cfn-cognito-logdeliveryconfiguration-s3configuration-bucketarn
	//
	BucketArn *string `field:"optional" json:"bucketArn" yaml:"bucketArn"`
}
Configuration for the Amazon S3 bucket destination of user activity log export with threat protection.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
	"github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
	"github.com/aws/jsii-runtime-go"
)

s3ConfigurationProperty := &awscognito.CfnLogDeliveryConfiguration_S3ConfigurationProperty{
	BucketArn: jsii.String("bucketArn"),
}
type CfnManagedLoginBranding ¶ added in v2.172.0
type CfnManagedLoginBranding interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// An array of image files that you want to apply to roles like backgrounds, logos, and icons.
	Assets() interface{}
	SetAssets(val interface{})
	// The ID of the managed login branding style.
	AttrManagedLoginBrandingId() *string
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// The app client that's assigned to the branding style that you want more information about.
	ClientId() *string
	SetClientId(val *string)
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// The tree node.
	Node() constructs.Node
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// When `true`, returns values for branding options that are unchanged from Amazon Cognito defaults.
	ReturnMergedResources() interface{}
	SetReturnMergedResources(val interface{})
	// A JSON file, encoded as a `Document` type, with the settings that you want to apply to your style.
	Settings() interface{}
	SetSettings(val interface{})
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// Deprecated.
	// Deprecated: use `updatedProperties`
	//
	// Return properties modified after initiation
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperties() *map[string]interface{}
	// When true, applies the default branding style options.
	UseCognitoProvidedValues() interface{}
	SetUseCognitoProvidedValues(val interface{})
	// The user pool where the branding style is assigned.
	UserPoolId() *string
	SetUserPoolId(val *string)
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependency(target awscdk.CfnResource)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	// Deprecated: use addDependency.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// ```typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// ```
	// would add the overrides
	// ```json
	// "Properties": {
	//   "GlobalSecondaryIndexes": [
	//     {
	//       "Projection": {
	//         "NonKeyAttributes": [ "myattribute" ]
	//         ...
	//       }
	//       ...
	//     },
	//     {
	//       "ProjectionType": "INCLUDE"
	//       ...
	//     },
	//   ]
	//   ...
	// }
	// ```
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found in the following link:.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for a runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string, typeHint awscdk.ResolutionTypeHint) awscdk.Reference
	// Retrieve a value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Retrieves an array of resources this resource depends on.
	//
	// This assembles dependencies on resources across stacks (including nested stacks)
	// automatically.
	ObtainDependencies() *[]interface{}
	// Get a shallow copy of dependencies between this resource and other resources in the same stack.
	ObtainResourceDependencies() *[]awscdk.CfnResource
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	// Indicates that this resource no longer depends on another resource.
	//
	// This can be used for resources across stacks (including nested stacks)
	// and the dependency will automatically be removed from the relevant scope.
	RemoveDependency(target awscdk.CfnResource)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Replaces one dependency with another.
	ReplaceDependency(target awscdk.CfnResource, newTarget awscdk.CfnResource)
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` if the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	ValidateProperties(_properties interface{})
}
Creates a new set of branding settings for a user pool style and associates it with an app client.
This operation is the programmatic option for the creation of a new style in the branding designer.
Provides values for UI customization in a `Settings` JSON object and image files in an `Assets` array. To send the JSON object `Document` type parameter in `Settings`, you might need to update to the most recent version of your AWS SDK.
This operation has a 2-megabyte request-size limit and includes the CSS settings and image assets for your app client. Your branding settings might exceed 2MB in size. Amazon Cognito doesn't require that you pass all parameters in one request and preserves existing style settings that you don't specify. If your request is larger than 2MB, separate it into multiple requests, each with a size smaller than the limit.
As a best practice, modify the output of [DescribeManagedLoginBrandingByClient](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeManagedLoginBrandingByClient.html) into the request parameters for this operation. To get all settings, set `ReturnMergedResources` to `true`. For more information, see [API and SDK operations for managed login branding](https://docs.aws.amazon.com/cognito/latest/developerguide/managed-login-brandingdesigner.html#branding-designer-api).
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
	"github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
	"github.com/aws/jsii-runtime-go"
)

var settings interface{}

cfnManagedLoginBranding := awscognito.NewCfnManagedLoginBranding(this, jsii.String("MyCfnManagedLoginBranding"), &awscognito.CfnManagedLoginBrandingProps{
	UserPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	Assets: []interface{}{
		&awscognito.CfnManagedLoginBranding_AssetTypeProperty{
			Category: jsii.String("category"),
			ColorMode: jsii.String("colorMode"),
			Extension: jsii.String("extension"),

			// the properties below are optional
			Bytes: jsii.String("bytes"),
			ResourceId: jsii.String("resourceId"),
		},
	},
	ClientId: jsii.String("clientId"),
	ReturnMergedResources: jsii.Boolean(false),
	Settings: settings,
	UseCognitoProvidedValues: jsii.Boolean(false),
})
func NewCfnManagedLoginBranding ¶ added in v2.172.0
func NewCfnManagedLoginBranding(scope constructs.Construct, id *string, props *CfnManagedLoginBrandingProps) CfnManagedLoginBranding
type CfnManagedLoginBrandingProps ¶ added in v2.172.0
type CfnManagedLoginBrandingProps struct {
	// The user pool where the branding style is assigned.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html#cfn-cognito-managedloginbranding-userpoolid
	//
	UserPoolId *string `field:"required" json:"userPoolId" yaml:"userPoolId"`
	// An array of image files that you want to apply to roles like backgrounds, logos, and icons.
	//
	// Each object must also indicate whether it is for dark mode, light mode, or browser-adaptive mode.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html#cfn-cognito-managedloginbranding-assets
	//
	Assets interface{} `field:"optional" json:"assets" yaml:"assets"`
	// The app client that's assigned to the branding style that you want more information about.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html#cfn-cognito-managedloginbranding-clientid
	//
	ClientId *string `field:"optional" json:"clientId" yaml:"clientId"`
	// When `true`, returns values for branding options that are unchanged from Amazon Cognito defaults.
	//
	// When `false` or when you omit this parameter, returns only values that you customized in your branding style.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html#cfn-cognito-managedloginbranding-returnmergedresources
	//
	ReturnMergedResources interface{} `field:"optional" json:"returnMergedResources" yaml:"returnMergedResources"`
	// A JSON file, encoded as a `Document` type, with the settings that you want to apply to your style.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html#cfn-cognito-managedloginbranding-settings
	//
	Settings interface{} `field:"optional" json:"settings" yaml:"settings"`
	// When true, applies the default branding style options.
	//
	// This option reverts to default style options that are managed by Amazon Cognito. You can modify them later in the branding designer.
	//
	// When you specify `true` for this option, you must also omit values for `Settings` and `Assets` in the request.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-managedloginbranding.html#cfn-cognito-managedloginbranding-usecognitoprovidedvalues
	//
	UseCognitoProvidedValues interface{} `field:"optional" json:"useCognitoProvidedValues" yaml:"useCognitoProvidedValues"`
}
Properties for defining a `CfnManagedLoginBranding`.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
	"github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
	"github.com/aws/jsii-runtime-go"
)

var settings interface{}

cfnManagedLoginBrandingProps := &awscognito.CfnManagedLoginBrandingProps{
	UserPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	Assets: []interface{}{
		&awscognito.CfnManagedLoginBranding_AssetTypeProperty{
			Category: jsii.String("category"),
			ColorMode: jsii.String("colorMode"),
			Extension: jsii.String("extension"),

			// the properties below are optional
			Bytes: jsii.String("bytes"),
			ResourceId: jsii.String("resourceId"),
		},
	},
	ClientId: jsii.String("clientId"),
	ReturnMergedResources: jsii.Boolean(false),
	Settings: settings,
	UseCognitoProvidedValues: jsii.Boolean(false),
}
type CfnManagedLoginBranding_AssetTypeProperty ¶ added in v2.172.0
type CfnManagedLoginBranding_AssetTypeProperty struct {
	// The category that the image corresponds to in your managed login configuration.
	//
	// Managed login has asset categories for different types of logos, backgrounds, and icons.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-managedloginbranding-assettype.html#cfn-cognito-managedloginbranding-assettype-category
	//
	Category *string `field:"required" json:"category" yaml:"category"`
	// The display-mode target of the asset: light, dark, or browser-adaptive.
	//
	// For example, Amazon Cognito displays a dark-mode image only when the browser or application is in dark mode, but displays a browser-adaptive file in all contexts.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-managedloginbranding-assettype.html#cfn-cognito-managedloginbranding-assettype-colormode
	//
	ColorMode *string `field:"required" json:"colorMode" yaml:"colorMode"`
	// The file type of the image file.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-managedloginbranding-assettype.html#cfn-cognito-managedloginbranding-assettype-extension
	//
	Extension *string `field:"required" json:"extension" yaml:"extension"`
	// The image file, in Base64-encoded binary.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-managedloginbranding-assettype.html#cfn-cognito-managedloginbranding-assettype-bytes
	//
	Bytes *string `field:"optional" json:"bytes" yaml:"bytes"`
	// The ID of the asset.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-managedloginbranding-assettype.html#cfn-cognito-managedloginbranding-assettype-resourceid
	//
	ResourceId *string `field:"optional" json:"resourceId" yaml:"resourceId"`
}
An image file from a managed login branding style in a user pool.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
	"github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
	"github.com/aws/jsii-runtime-go"
)

assetTypeProperty := &awscognito.CfnManagedLoginBranding_AssetTypeProperty{
	Category: jsii.String("category"),
	ColorMode: jsii.String("colorMode"),
	Extension: jsii.String("extension"),

	// the properties below are optional
	Bytes: jsii.String("bytes"),
	ResourceId: jsii.String("resourceId"),
}
type CfnUserPool ¶
type CfnUserPool interface {
	awscdk.CfnResource
	awscdk.IInspectable
	awscdk.ITaggable
	// The available verified method a user can use to recover their password when they call `ForgotPassword`.
	AccountRecoverySetting() interface{}
	SetAccountRecoverySetting(val interface{})
	// The settings for administrator creation of users in a user pool.
	AdminCreateUserConfig() interface{}
	SetAdminCreateUserConfig(val interface{})
	// Attributes supported as an alias for this user pool.
	AliasAttributes() *[]*string
	SetAliasAttributes(val *[]*string)
	// The Amazon Resource Name (ARN) of the user pool, such as `arn:aws:cognito-idp:us-east-1:123412341234:userpool/us-east-1_123412341`.
	AttrArn() *string
	// A friendly name for the IdP.
	AttrProviderName() *string
	// The URL of the provider of the Amazon Cognito user pool, specified as a `String`.
	AttrProviderUrl() *string
	// The ID of the user pool.
	AttrUserPoolId() *string
	// The attributes that you want your user pool to automatically verify.
	AutoVerifiedAttributes() *[]*string
	SetAutoVerifiedAttributes(val *[]*string)
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// When active, `DeletionProtection` prevents accidental deletion of your user pool.
	DeletionProtection() *string
	SetDeletionProtection(val *string)
	// The device-remembering configuration for a user pool.
	DeviceConfiguration() interface{}
	SetDeviceConfiguration(val interface{})
	EmailAuthenticationMessage() *string
	SetEmailAuthenticationMessage(val *string)
	EmailAuthenticationSubject() *string
	SetEmailAuthenticationSubject(val *string)
	// The email configuration of your user pool.
	EmailConfiguration() interface{}
	SetEmailConfiguration(val interface{})
	// This parameter is no longer used.
	EmailVerificationMessage() *string
	SetEmailVerificationMessage(val *string)
	// This parameter is no longer used.
	EmailVerificationSubject() *string
	SetEmailVerificationSubject(val *string)
	// Set enabled MFA options on a specified user pool.
	EnabledMfas() *[]*string
	SetEnabledMfas(val *[]*string)
	// A collection of user pool Lambda triggers.
	LambdaConfig() interface{}
	SetLambdaConfig(val interface{})
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// Displays the state of multi-factor authentication (MFA) as on, off, or optional.
	MfaConfiguration() *string
	SetMfaConfiguration(val *string)
	// The tree node.
	Node() constructs.Node
	// A list of user pool policies.
	Policies() interface{}
	SetPolicies(val interface{})
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// An array of attributes for the new user pool.
	Schema() interface{}
	SetSchema(val interface{})
	// The contents of the SMS authentication message.
	SmsAuthenticationMessage() *string
	SetSmsAuthenticationMessage(val *string)
	// The settings for your Amazon Cognito user pool to send SMS messages with Amazon Simple Notification Service.
	SmsConfiguration() interface{}
	SetSmsConfiguration(val interface{})
	// This parameter is no longer used.
	SmsVerificationMessage() *string
	SetSmsVerificationMessage(val *string)
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// Tag Manager which manages the tags for this resource.
	Tags() awscdk.TagManager
	// Deprecated.
	// Deprecated: use `updatedProperties`
	//
	// Return properties modified after initiation
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperties() *map[string]interface{}
	// The settings for updates to user attributes.
	UserAttributeUpdateSettings() interface{}
	SetUserAttributeUpdateSettings(val interface{})
	// Specifies whether a user can use an email address or phone number as a username when they sign up.
	UsernameAttributes() *[]*string
	SetUsernameAttributes(val *[]*string)
	// Sets the case sensitivity option for sign-in usernames.
	UsernameConfiguration() interface{}
	SetUsernameConfiguration(val interface{})
	// Contains settings for activation of threat protection, including the operating mode and additional authentication types.
	UserPoolAddOns() interface{}
	SetUserPoolAddOns(val interface{})
	// A friendly name for your user pool.
	UserPoolName() *string
	SetUserPoolName(val *string)
	// The tag keys and values to assign to the user pool.
	UserPoolTagsRaw() interface{}
	SetUserPoolTagsRaw(val interface{})
	// The user pool [feature plan](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html), or tier. This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection. Defaults to `ESSENTIALS`.
	UserPoolTier() *string
	SetUserPoolTier(val *string)
	// The template for the verification message that your user pool delivers to users who set an email address or phone number attribute.
	VerificationMessageTemplate() interface{}
	SetVerificationMessageTemplate(val interface{})
	// Sets or displays the authentication domain, typically your user pool domain, that passkey providers must use as a relying party (RP) in their configuration.
	WebAuthnRelyingPartyId() *string
	SetWebAuthnRelyingPartyId(val *string)
	// When `required`, users can only register and sign in users with passkeys that are capable of [user verification](https://www.w3.org/TR/webauthn-2/#enum-userVerificationRequirement). When `preferred`, your user pool doesn't require the use of authenticators with user verification but encourages it.
	WebAuthnUserVerification() *string
	SetWebAuthnUserVerification(val *string)
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependency(target awscdk.CfnResource)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	// Deprecated: use addDependency.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// ```typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// ```
	// would add the overrides
	// ```json
	// "Properties": {
	//   "GlobalSecondaryIndexes": [
	//     {
	//       "Projection": {
	//         "NonKeyAttributes": [ "myattribute" ]
	//         ...
	//       }
	//       ...
	//     },
	//     {
	//       "ProjectionType": "INCLUDE"
	//       ...
	//     },
	//   ]
	//   ...
	// }
	// ```
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found in the following link:.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for a runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string, typeHint awscdk.ResolutionTypeHint) awscdk.Reference
	// Retrieve a value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Retrieves an array of resources this resource depends on.
	//
	// This assembles dependencies on resources across stacks (including nested stacks)
	// automatically.
	ObtainDependencies() *[]interface{}
	// Get a shallow copy of dependencies between this resource and other resources in the same stack.
ObtainResourceDependencies() *[]awscdk.CfnResource // Overrides the auto-generated logical ID with a specific ID. OverrideLogicalId(newLogicalId *string) // Indicates that this resource no longer depends on another resource. // // This can be used for resources across stacks (including nested stacks) // and the dependency will automatically be removed from the relevant scope. RemoveDependency(target awscdk.CfnResource) RenderProperties(props *map[string]interface{}) *map[string]interface{} // Replaces one dependency with another. ReplaceDependency(target awscdk.CfnResource, newTarget awscdk.CfnResource) // Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template. // // Returns: `true` if the resource should be included or `false` is the resource // should be omitted. ShouldSynthesize() *bool // Returns a string representation of this construct. // // Returns: a string representation of this resource. ToString() *string ValidateProperties(_properties interface{}) }
The `AWS::Cognito::UserPool` resource creates an Amazon Cognito user pool.
For more information on working with Amazon Cognito user pools, see [Amazon Cognito User Pools](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html) and [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html).
> If you don't specify a value for a parameter, Amazon Cognito sets it to a default value.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var userPoolTags interface{}

cfnUserPool := awscdk.Aws_cognito.NewCfnUserPool(this, jsii.String("MyCfnUserPool"), &CfnUserPoolProps{
	AccountRecoverySetting: &AccountRecoverySettingProperty{
		RecoveryMechanisms: []interface{}{
			&RecoveryOptionProperty{
				Name: jsii.String("name"),
				Priority: jsii.Number(123),
			},
		},
	},
	AdminCreateUserConfig: &AdminCreateUserConfigProperty{
		AllowAdminCreateUserOnly: jsii.Boolean(false),
		InviteMessageTemplate: &InviteMessageTemplateProperty{
			EmailMessage: jsii.String("emailMessage"),
			EmailSubject: jsii.String("emailSubject"),
			SmsMessage: jsii.String("smsMessage"),
		},
		UnusedAccountValidityDays: jsii.Number(123),
	},
	AliasAttributes: []*string{
		jsii.String("aliasAttributes"),
	},
	AutoVerifiedAttributes: []*string{
		jsii.String("autoVerifiedAttributes"),
	},
	DeletionProtection: jsii.String("deletionProtection"),
	DeviceConfiguration: &DeviceConfigurationProperty{
		ChallengeRequiredOnNewDevice: jsii.Boolean(false),
		DeviceOnlyRememberedOnUserPrompt: jsii.Boolean(false),
	},
	EmailAuthenticationMessage: jsii.String("emailAuthenticationMessage"),
	EmailAuthenticationSubject: jsii.String("emailAuthenticationSubject"),
	EmailConfiguration: &EmailConfigurationProperty{
		ConfigurationSet: jsii.String("configurationSet"),
		EmailSendingAccount: jsii.String("emailSendingAccount"),
		From: jsii.String("from"),
		ReplyToEmailAddress: jsii.String("replyToEmailAddress"),
		SourceArn: jsii.String("sourceArn"),
	},
	EmailVerificationMessage: jsii.String("emailVerificationMessage"),
	EmailVerificationSubject: jsii.String("emailVerificationSubject"),
	EnabledMfas: []*string{
		jsii.String("enabledMfas"),
	},
	LambdaConfig: &LambdaConfigProperty{
		CreateAuthChallenge: jsii.String("createAuthChallenge"),
		CustomEmailSender: &CustomEmailSenderProperty{
			LambdaArn: jsii.String("lambdaArn"),
			LambdaVersion: jsii.String("lambdaVersion"),
		},
		CustomMessage: jsii.String("customMessage"),
		CustomSmsSender: &CustomSMSSenderProperty{
			LambdaArn: jsii.String("lambdaArn"),
			LambdaVersion: jsii.String("lambdaVersion"),
		},
		DefineAuthChallenge: jsii.String("defineAuthChallenge"),
		KmsKeyId: jsii.String("kmsKeyId"),
		PostAuthentication: jsii.String("postAuthentication"),
		PostConfirmation: jsii.String("postConfirmation"),
		PreAuthentication: jsii.String("preAuthentication"),
		PreSignUp: jsii.String("preSignUp"),
		PreTokenGeneration: jsii.String("preTokenGeneration"),
		PreTokenGenerationConfig: &PreTokenGenerationConfigProperty{
			LambdaArn: jsii.String("lambdaArn"),
			LambdaVersion: jsii.String("lambdaVersion"),
		},
		UserMigration: jsii.String("userMigration"),
		VerifyAuthChallengeResponse: jsii.String("verifyAuthChallengeResponse"),
	},
	MfaConfiguration: jsii.String("mfaConfiguration"),
	Policies: &PoliciesProperty{
		PasswordPolicy: &PasswordPolicyProperty{
			MinimumLength: jsii.Number(123),
			PasswordHistorySize: jsii.Number(123),
			RequireLowercase: jsii.Boolean(false),
			RequireNumbers: jsii.Boolean(false),
			RequireSymbols: jsii.Boolean(false),
			RequireUppercase: jsii.Boolean(false),
			TemporaryPasswordValidityDays: jsii.Number(123),
		},
		SignInPolicy: &SignInPolicyProperty{
			AllowedFirstAuthFactors: []*string{
				jsii.String("allowedFirstAuthFactors"),
			},
		},
	},
	Schema: []interface{}{
		&SchemaAttributeProperty{
			AttributeDataType: jsii.String("attributeDataType"),
			DeveloperOnlyAttribute: jsii.Boolean(false),
			Mutable: jsii.Boolean(false),
			Name: jsii.String("name"),
			NumberAttributeConstraints: &NumberAttributeConstraintsProperty{
				MaxValue: jsii.String("maxValue"),
				MinValue: jsii.String("minValue"),
			},
			Required: jsii.Boolean(false),
			StringAttributeConstraints: &StringAttributeConstraintsProperty{
				MaxLength: jsii.String("maxLength"),
				MinLength: jsii.String("minLength"),
			},
		},
	},
	SmsAuthenticationMessage: jsii.String("smsAuthenticationMessage"),
	SmsConfiguration: &SmsConfigurationProperty{
		ExternalId: jsii.String("externalId"),
		SnsCallerArn: jsii.String("snsCallerArn"),
		SnsRegion: jsii.String("snsRegion"),
	},
	SmsVerificationMessage: jsii.String("smsVerificationMessage"),
	UserAttributeUpdateSettings: &UserAttributeUpdateSettingsProperty{
		AttributesRequireVerificationBeforeUpdate: []*string{
			jsii.String("attributesRequireVerificationBeforeUpdate"),
		},
	},
	UsernameAttributes: []*string{
		jsii.String("usernameAttributes"),
	},
	UsernameConfiguration: &UsernameConfigurationProperty{
		CaseSensitive: jsii.Boolean(false),
	},
	UserPoolAddOns: &UserPoolAddOnsProperty{
		AdvancedSecurityAdditionalFlows: &AdvancedSecurityAdditionalFlowsProperty{
			CustomAuthMode: jsii.String("customAuthMode"),
		},
		AdvancedSecurityMode: jsii.String("advancedSecurityMode"),
	},
	UserPoolName: jsii.String("userPoolName"),
	UserPoolTags: userPoolTags,
	UserPoolTier: jsii.String("userPoolTier"),
	VerificationMessageTemplate: &VerificationMessageTemplateProperty{
		DefaultEmailOption: jsii.String("defaultEmailOption"),
		EmailMessage: jsii.String("emailMessage"),
		EmailMessageByLink: jsii.String("emailMessageByLink"),
		EmailSubject: jsii.String("emailSubject"),
		EmailSubjectByLink: jsii.String("emailSubjectByLink"),
		SmsMessage: jsii.String("smsMessage"),
	},
	WebAuthnRelyingPartyId: jsii.String("webAuthnRelyingPartyId"),
	WebAuthnUserVerification: jsii.String("webAuthnUserVerification"),
})
See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html
func NewCfnUserPool
func NewCfnUserPool(scope constructs.Construct, id *string, props *CfnUserPoolProps) CfnUserPool
type CfnUserPoolClient
type CfnUserPoolClient interface { awscdk.CfnResource awscdk.IInspectable // The access token time limit. AccessTokenValidity() *float64 SetAccessTokenValidity(val *float64) // The OAuth grant types that you want your app client to generate for clients in managed login authentication. AllowedOAuthFlows() *[]*string SetAllowedOAuthFlows(val *[]*string) // Set to `true` to use OAuth 2.0 authorization server features in your app client. AllowedOAuthFlowsUserPoolClient() interface{} SetAllowedOAuthFlowsUserPoolClient(val interface{}) // The OAuth, OpenID Connect (OIDC), and custom scopes that you want to permit your app client to authorize access with. AllowedOAuthScopes() *[]*string SetAllowedOAuthScopes(val *[]*string) // The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint campaign. AnalyticsConfiguration() interface{} SetAnalyticsConfiguration(val interface{}) // The ID of the app client, for example `1example23456789` . AttrClientId() *string AttrClientSecret() *string AttrName() *string // Amazon Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity() *float64 SetAuthSessionValidity(val *float64) // A list of allowed redirect, or callback, URLs for managed login authentication. CallbackUrLs() *[]*string SetCallbackUrLs(val *[]*string) // Options for this resource, such as condition, update policy etc. CfnOptions() awscdk.ICfnResourceOptions CfnProperties() *map[string]interface{} // AWS resource type. CfnResourceType() *string // A friendly name for the app client that you want to create. ClientName() *string SetClientName(val *string) // Returns: the stack trace of the point where this Resource was created from, sourced // from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most // node +internal+ entries filtered. CreationStack() *[]*string // The default redirect URI. 
DefaultRedirectUri() *string SetDefaultRedirectUri(val *string) // When `true` , your application can include additional `UserContextData` in authentication requests. EnablePropagateAdditionalUserContextData() interface{} SetEnablePropagateAdditionalUserContextData(val interface{}) // Activates or deactivates token revocation. EnableTokenRevocation() interface{} SetEnableTokenRevocation(val interface{}) // The [authentication flows](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.html) that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions. ExplicitAuthFlows() *[]*string SetExplicitAuthFlows(val *[]*string) // When `true` , generates a client secret for the app client. GenerateSecret() interface{} SetGenerateSecret(val interface{}) // The ID token time limit. IdTokenValidity() *float64 SetIdTokenValidity(val *float64) // The logical ID for this CloudFormation stack element. // // The logical ID of the element // is calculated from the path of the resource node in the construct tree. // // To override this value, use `overrideLogicalId(newLogicalId)`. // // Returns: the logical ID as a stringified token. This value will only get // resolved during synthesis. LogicalId() *string // A list of allowed logout URLs for managed login authentication. LogoutUrLs() *[]*string SetLogoutUrLs(val *[]*string) // The tree node. Node() constructs.Node // Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool. 
PreventUserExistenceErrors() *string SetPreventUserExistenceErrors(val *string) // The list of user attributes that you want your app client to have read access to. ReadAttributes() *[]*string SetReadAttributes(val *[]*string) // Return a string that will be resolved to a CloudFormation `{ Ref }` for this element. // // If, by any chance, the intrinsic reference of a resource is not a string, you could // coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`. Ref() *string // The refresh token time limit. RefreshTokenValidity() *float64 SetRefreshTokenValidity(val *float64) // The stack in which this element is defined. // // CfnElements must be defined within a stack scope (directly or indirectly). Stack() awscdk.Stack // A list of provider names for the identity providers (IdPs) that are supported on this client. SupportedIdentityProviders() *[]*string SetSupportedIdentityProviders(val *[]*string) // The units that validity times are represented in. TokenValidityUnits() interface{} SetTokenValidityUnits(val interface{}) // Deprecated. // Deprecated: use `updatedProperties` // // Return properties modified after initiation // // Resources that expose mutable properties should override this function to // collect and return the properties object for this resource. UpdatedProperites() *map[string]interface{} // Return properties modified after initiation. // // Resources that expose mutable properties should override this function to // collect and return the properties object for this resource. UpdatedProperties() *map[string]interface{} // The ID of the user pool where you want to create an app client. UserPoolId() *string SetUserPoolId(val *string) // The list of user attributes that you want your app client to have write access to. WriteAttributes() *[]*string SetWriteAttributes(val *[]*string) // Syntactic sugar for `addOverride(path, undefined)`. 
AddDeletionOverride(path *string) // Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned. // // This can be used for resources across stacks (or nested stack) boundaries // and the dependency will automatically be transferred to the relevant scope. AddDependency(target awscdk.CfnResource) // Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned. // Deprecated: use addDependency. AddDependsOn(target awscdk.CfnResource) // Add a value to the CloudFormation Resource Metadata. // See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html // // Note that this is a different set of metadata from CDK node metadata; this // metadata ends up in the stack template under the resource, whereas CDK // node metadata ends up in the Cloud Assembly. // AddMetadata(key *string, value interface{}) // Adds an override to the synthesized CloudFormation resource. // // To add a // property override, either use `addPropertyOverride` or prefix `path` with // "Properties." (i.e. `Properties.TopicName`). // // If the override is nested, separate each nested level using a dot (.) in the path parameter. // If there is an array as part of the nesting, specify the index in the path. // // To include a literal `.` in the property name, prefix with a `\`. In most // programming languages you will need to write this as `"\\."` because the // `\` itself will need to be escaped. // // For example, // “`typescript // cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']); // cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE'); // “` // would add the overrides // “`json // "Properties": { // "GlobalSecondaryIndexes": [ // { // "Projection": { // "NonKeyAttributes": [ "myattribute" ] // ... 
// } // ... // }, // { // "ProjectionType": "INCLUDE" // ... // }, // ] // ... // } // “` // // The `value` argument to `addOverride` will not be processed or translated // in any way. Pass raw JSON values in here with the correct capitalization // for CloudFormation. If you pass CDK classes or structs, they will be // rendered with lowercased key names, and CloudFormation will reject the // template. AddOverride(path *string, value interface{}) // Adds an override that deletes the value of a property from the resource definition. AddPropertyDeletionOverride(propertyPath *string) // Adds an override to a resource property. // // Syntactic sugar for `addOverride("Properties.<...>", value)`. AddPropertyOverride(propertyPath *string, value interface{}) // Sets the deletion policy of the resource based on the removal policy specified. // // The Removal Policy controls what happens to this resource when it stops // being managed by CloudFormation, either because you've removed it from the // CDK application or because you've made a change that requires the resource // to be replaced. // // The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS // account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some // cases, a snapshot can be taken of the resource prior to deletion // (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy // can be found in the following link:. // See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options // ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions) // Returns a token for an runtime attribute of this resource. // // Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility // in case there is no generated attribute. 
GetAtt(attributeName *string, typeHint awscdk.ResolutionTypeHint) awscdk.Reference // Retrieve a value value from the CloudFormation Resource Metadata. // See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html // // Note that this is a different set of metadata from CDK node metadata; this // metadata ends up in the stack template under the resource, whereas CDK // node metadata ends up in the Cloud Assembly. // GetMetadata(key *string) interface{} // Examines the CloudFormation resource and discloses attributes. Inspect(inspector awscdk.TreeInspector) // Retrieves an array of resources this resource depends on. // // This assembles dependencies on resources across stacks (including nested stacks) // automatically. ObtainDependencies() *[]interface{} // Get a shallow copy of dependencies between this resource and other resources in the same stack. ObtainResourceDependencies() *[]awscdk.CfnResource // Overrides the auto-generated logical ID with a specific ID. OverrideLogicalId(newLogicalId *string) // Indicates that this resource no longer depends on another resource. // // This can be used for resources across stacks (including nested stacks) // and the dependency will automatically be removed from the relevant scope. RemoveDependency(target awscdk.CfnResource) RenderProperties(props *map[string]interface{}) *map[string]interface{} // Replaces one dependency with another. ReplaceDependency(target awscdk.CfnResource, newTarget awscdk.CfnResource) // Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template. // // Returns: `true` if the resource should be included or `false` is the resource // should be omitted. ShouldSynthesize() *bool // Returns a string representation of this construct. // // Returns: a string representation of this resource. ToString() *string ValidateProperties(_properties interface{}) }
The `AWS::Cognito::UserPoolClient` resource specifies an Amazon Cognito user pool client.
> If you don't specify a value for a parameter, Amazon Cognito sets it to a default value.
Example:
import (
	"fmt"

	"github.com/aws/aws-cdk-go/awscdk/v2"
	cognito "github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
	ec2 "github.com/aws/aws-cdk-go/awscdk/v2/awsec2"
	elbv2 "github.com/aws/aws-cdk-go/awscdk/v2/awselasticloadbalancingv2"
	actions "github.com/aws/aws-cdk-go/awscdk/v2/awselasticloadbalancingv2actions"
	"github.com/aws/jsii-runtime-go"
)

var vpc ec2.IVpc
var certificate elbv2.IListenerCertificate

lb := elbv2.NewApplicationLoadBalancer(this, jsii.String("LB"), &elbv2.ApplicationLoadBalancerProps{
	Vpc: vpc,
	InternetFacing: jsii.Boolean(true),
})

userPool := cognito.NewUserPool(this, jsii.String("UserPool"), nil)
userPoolClient := cognito.NewUserPoolClient(this, jsii.String("Client"), &cognito.UserPoolClientProps{
	UserPool: userPool,

	// Required minimal configuration for use with an ELB
	GenerateSecret: jsii.Boolean(true),
	AuthFlows: &cognito.AuthFlow{
		UserPassword: jsii.Boolean(true),
	},
	OAuth: &cognito.OAuthSettings{
		Flows: &cognito.OAuthFlows{
			AuthorizationCodeGrant: jsii.Boolean(true),
		},
		Scopes: &[]cognito.OAuthScope{
			cognito.OAuthScope_EMAIL(),
		},
		// The ALB handles the OAuth callback on /oauth2/idpresponse.
		CallbackUrls: &[]*string{
			jsii.String(fmt.Sprintf("https://%v/oauth2/idpresponse", *lb.LoadBalancerDnsName())),
		},
	},
})

// Escape hatch: override raw CloudFormation properties on the underlying CfnUserPoolClient.
cfnClient := userPoolClient.Node().DefaultChild().(cognito.CfnUserPoolClient)
cfnClient.AddPropertyOverride(jsii.String("RefreshTokenValidity"), jsii.Number(1))
cfnClient.AddPropertyOverride(jsii.String("SupportedIdentityProviders"), []interface{}{
	jsii.String("COGNITO"),
})

userPoolDomain := cognito.NewUserPoolDomain(this, jsii.String("Domain"), &cognito.UserPoolDomainProps{
	UserPool: userPool,
	CognitoDomain: &cognito.CognitoDomainOptions{
		DomainPrefix: jsii.String("test-cdk-prefix"),
	},
})

// HTTPS listener that authenticates every request against the user pool before responding.
lb.AddListener(jsii.String("Listener"), &elbv2.BaseApplicationListenerProps{
	Port: jsii.Number(443),
	Certificates: &[]elbv2.IListenerCertificate{
		certificate,
	},
	DefaultAction: actions.NewAuthenticateCognitoAction(&actions.AuthenticateCognitoActionProps{
		UserPool: userPool,
		UserPoolClient: userPoolClient,
		UserPoolDomain: userPoolDomain,
		Next: elbv2.ListenerAction_FixedResponse(jsii.Number(200), &elbv2.FixedResponseOptions{
			ContentType: jsii.String("text/plain"),
			MessageBody: jsii.String("Authenticated"),
		}),
	}),
})

awscdk.NewCfnOutput(this, jsii.String("DNS"), &awscdk.CfnOutputProps{
	Value: lb.LoadBalancerDnsName(),
})
func NewCfnUserPoolClient
func NewCfnUserPoolClient(scope constructs.Construct, id *string, props *CfnUserPoolClientProps) CfnUserPoolClient
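The field comments on `CfnUserPoolClientProps` state several constraints on an app client: the redirect URI requirements for `CallbackURLs`, `DefaultRedirectUri` membership in that list, `client_credentials` as the only allowed OAuth flow, and legacy `ExplicitAuthFlows` values not being mixed with `ALLOW_` values. The Go program below is an added example, not code from the CDK or from this page, that checks a configuration against those constraints before deployment; `ClientConfig`, `Finding`, `Lint` and the sample URLs are names and values assumed for the illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ClientConfig is a local stand-in for the CfnUserPoolClientProps fields checked below.
type ClientConfig struct {
	AllowedOAuthFlows               []string
	AllowedOAuthFlowsUserPoolClient bool
	CallbackURLs                    []string
	DefaultRedirectURI              string
	ExplicitAuthFlows               []string
}

// Finding names the property that breaks a documented constraint.
type Finding struct{ Field, Msg string }

// Legacy ExplicitAuthFlows values that cannot be combined with ALLOW_ values.
var legacyFlows = map[string]bool{"ADMIN_NO_SRP_AUTH": true, "CUSTOM_AUTH_FLOW_ONLY": true, "USER_PASSWORD_AUTH": true}

// checkCallbackURL applies the redirect URI rules: absolute, no fragment, HTTPS unless localhost.
func checkCallbackURL(raw string) string {
	u, err := url.Parse(raw)
	switch {
	case err != nil:
		return "is not a valid URI"
	case !u.IsAbs():
		return "must be an absolute URI"
	case strings.Contains(raw, "#"):
		return "must not include a fragment component"
	case u.Scheme == "http" && u.Hostname() != "localhost":
		return "uses HTTP, which is accepted only for http://localhost"
	}
	return ""
}

// Lint returns every constraint violation found in cfg.
func Lint(cfg ClientConfig) []Finding {
	var out []Finding
	add := func(field, msg string) { out = append(out, Finding{field, msg}) }
	inList := false
	for _, cb := range cfg.CallbackURLs {
		if msg := checkCallbackURL(cb); msg != "" {
			add("CallbackURLs", cb+" "+msg)
		}
		inList = inList || cb == cfg.DefaultRedirectURI
	}
	if cfg.DefaultRedirectURI != "" && !inList {
		add("DefaultRedirectUri", "must be in the CallbackURLs list")
	}
	if (len(cfg.CallbackURLs) > 0 || len(cfg.AllowedOAuthFlows) > 0) && !cfg.AllowedOAuthFlowsUserPoolClient {
		add("AllowedOAuthFlowsUserPoolClient", "must be true before callback URLs or OAuth flows are configured")
	}
	for _, f := range cfg.AllowedOAuthFlows {
		if f == "client_credentials" && len(cfg.AllowedOAuthFlows) > 1 {
			add("AllowedOAuthFlows", "client_credentials must be the only allowed OAuth flow")
			break
		}
	}
	legacy, modern := false, false
	for _, f := range cfg.ExplicitAuthFlows {
		legacy = legacy || legacyFlows[f]
		modern = modern || strings.HasPrefix(f, "ALLOW_")
	}
	if legacy && modern {
		add("ExplicitAuthFlows", "legacy values cannot be mixed with ALLOW_ values")
	}
	return out
}

// badConfig is a constructed sample input; the example.com hosts are placeholders.
func badConfig() ClientConfig {
	return ClientConfig{
		AllowedOAuthFlows: []string{"code", "client_credentials"},
		CallbackURLs: []string{"http://app.example.com/cb", "https://app.example.com/cb#done",
			"/oauth2/idpresponse", "http://localhost:3000/cb", "myapp://example"},
		DefaultRedirectURI: "https://app.example.com/home",
		ExplicitAuthFlows:  []string{"ALLOW_USER_SRP_AUTH", "USER_PASSWORD_AUTH"},
	}
}

// goodConfig is badConfig with each finding corrected.
func goodConfig() ClientConfig {
	c := badConfig()
	c.AllowedOAuthFlows, c.AllowedOAuthFlowsUserPoolClient = []string{"code"}, true
	c.CallbackURLs = []string{"https://app.example.com/cb", "http://localhost:3000/cb"}
	c.DefaultRedirectURI = "https://app.example.com/cb"
	c.ExplicitAuthFlows = []string{"ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"}
	return c
}

func main() {
	for _, f := range Lint(badConfig()) {
		fmt.Printf("%-32s %s\n", f.Field, f.Msg)
	}
}
```

Running such a check against the values you pass to `CfnUserPoolClientProps` surfaces these problems locally instead of at CloudFormation deployment time.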
type CfnUserPoolClientProps
type CfnUserPoolClientProps struct { // The ID of the user pool where you want to create an app client. // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-userpoolid // UserPoolId *string `field:"required" json:"userPoolId" yaml:"userPoolId"` // The access token time limit. // // After this limit expires, your user can't use their access token. To specify the time unit for `AccessTokenValidity` as `seconds` , `minutes` , `hours` , or `days` , set a `TokenValidityUnits` value in your API request. // // For example, when you set `AccessTokenValidity` to `10` and `TokenValidityUnits` to `hours` , your user can authorize access with // their access token for 10 hours. // // The default time unit for `AccessTokenValidity` in an API request is hours. *Valid range* is displayed below in seconds. // // If you don't specify otherwise in the configuration of your app client, your access // tokens are valid for one hour. // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-accesstokenvalidity // AccessTokenValidity *float64 `field:"optional" json:"accessTokenValidity" yaml:"accessTokenValidity"` // The OAuth grant types that you want your app client to generate for clients in managed login authentication. // // To create an app client that generates client credentials grants, you must add `client_credentials` as the only allowed OAuth flow. // // - **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the `/oauth2/token` endpoint. // - **implicit** - Issue the access token, and the ID token when scopes like `openid` and `profile` are requested, directly to your user. 
// - **client_credentials** - Issue the access token from the `/oauth2/token` endpoint directly to a non-person user, authorized by a combination of the client ID and client secret. // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-allowedoauthflows // AllowedOAuthFlows *[]*string `field:"optional" json:"allowedOAuthFlows" yaml:"allowedOAuthFlows"` // Set to `true` to use OAuth 2.0 authorization server features in your app client. // // This parameter must have a value of `true` before you can configure the following features in your app client. // // - `CallBackURLs` : Callback URLs. // - `LogoutURLs` : Sign-out redirect URLs. // - `AllowedOAuthScopes` : OAuth 2.0 scopes. // - `AllowedOAuthFlows` : Support for authorization code, implicit, and client credentials OAuth 2.0 grants. // // To use authorization server features, configure one of these features in the Amazon Cognito console or set `AllowedOAuthFlowsUserPoolClient` to `true` in a `CreateUserPoolClient` or `UpdateUserPoolClient` API request. If you don't set a value for `AllowedOAuthFlowsUserPoolClient` in a request with the AWS CLI or SDKs, it defaults to `false` . When `false` , only SDK-based API sign-in is permitted. // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-allowedoauthflowsuserpoolclient // AllowedOAuthFlowsUserPoolClient interface{} `field:"optional" json:"allowedOAuthFlowsUserPoolClient" yaml:"allowedOAuthFlowsUserPoolClient"` // The OAuth, OpenID Connect (OIDC), and custom scopes that you want to permit your app client to authorize access with. // // Scopes govern access control to user pool self-service API operations, user data from the `userInfo` endpoint, and third-party APIs. Scope values include `phone` , `email` , `openid` , and `profile` . 
The `aws.cognito.signin.user.admin` scope authorizes user self-service operations. Custom scopes with resource servers authorize access to external APIs. // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-allowedoauthscopes // AllowedOAuthScopes *[]*string `field:"optional" json:"allowedOAuthScopes" yaml:"allowedOAuthScopes"` // The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint campaign. // // In AWS Regions where Amazon Pinpoint isn't available, user pools might not have access to analytics or might be configurable with campaigns in the US East (N. Virginia) Region. For more information, see [Using Amazon Pinpoint analytics](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html) . // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-analyticsconfiguration // AnalyticsConfiguration interface{} `field:"optional" json:"analyticsConfiguration" yaml:"analyticsConfiguration"` // Amazon Cognito creates a session token for each API request in an authentication flow. // // `AuthSessionValidity` is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires. // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-authsessionvalidity // AuthSessionValidity *float64 `field:"optional" json:"authSessionValidity" yaml:"authSessionValidity"` // A list of allowed redirect, or callback, URLs for managed login authentication. // // These URLs are the paths where you want to send your users' browsers after they complete authentication with managed login or a third-party IdP. 
Typically, callback URLs are the home of an application that uses OAuth or OIDC libraries to process authentication outcomes. // // A redirect URI must meet the following requirements: // // - Be an absolute URI. // - Be registered with the authorization server. Amazon Cognito doesn't accept authorization requests with `redirect_uri` values that aren't in the list of `CallbackURLs` that you provide in this parameter. // - Not include a fragment component. // // See [OAuth 2.0 - Redirection Endpoint](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6749#section-3.1.2) . // // Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only. // // App callback URLs such as myapp://example are also supported. // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-callbackurls // CallbackUrLs *[]*string `field:"optional" json:"callbackUrLs" yaml:"callbackUrLs"` // A friendly name for the app client that you want to create. // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-clientname // ClientName *string `field:"optional" json:"clientName" yaml:"clientName"` // The default redirect URI. // // In app clients with one assigned IdP, replaces `redirect_uri` in authentication requests. Must be in the `CallbackURLs` list. // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-defaultredirecturi // DefaultRedirectUri *string `field:"optional" json:"defaultRedirectUri" yaml:"defaultRedirectUri"` // When `true` , your application can include additional `UserContextData` in authentication requests. // // This data includes the IP address, and contributes to analysis by threat protection features. 
	// For more information about propagation of user context data, see [Adding session data to API requests](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint) . If you don’t include this parameter, you can't send the source IP address to Amazon Cognito threat protection features. You can only activate `EnablePropagateAdditionalUserContextData` in an app client that has a client secret.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-enablepropagateadditionalusercontextdata
	//
	EnablePropagateAdditionalUserContextData interface{} `field:"optional" json:"enablePropagateAdditionalUserContextData" yaml:"enablePropagateAdditionalUserContextData"`
	// Activates or deactivates token revocation.
	//
	// If you don't include this parameter, token revocation is automatically activated for the new user pool client.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-enabletokenrevocation
	//
	EnableTokenRevocation interface{} `field:"optional" json:"enableTokenRevocation" yaml:"enableTokenRevocation"`
	// The [authentication flows](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.html) that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions.
	//
	// > If you don't specify a value for `ExplicitAuthFlows` , your app client supports `ALLOW_REFRESH_TOKEN_AUTH` , `ALLOW_USER_SRP_AUTH` , and `ALLOW_CUSTOM_AUTH` .
	//
	// The values for authentication flow options include the following.
	//
	// - `ALLOW_USER_AUTH` : Enable selection-based sign-in with `USER_AUTH` . This setting covers username-password, secure remote password (SRP), passwordless, and passkey authentication. This authentication flow can do username-password and SRP authentication without other `ExplicitAuthFlows` permitting them. For example users can complete an SRP challenge through `USER_AUTH` without the flow `USER_SRP_AUTH` being active for the app client. This flow doesn't include `CUSTOM_AUTH` .
	//
	// To activate this setting, your user pool must be in the [Essentials tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html) or higher.
	// - `ALLOW_ADMIN_USER_PASSWORD_AUTH` : Enable admin based user password authentication flow `ADMIN_USER_PASSWORD_AUTH` . This setting replaces the `ADMIN_NO_SRP_AUTH` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password.
	// - `ALLOW_CUSTOM_AUTH` : Enable Lambda trigger based authentication.
	// - `ALLOW_USER_PASSWORD_AUTH` : Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords.
	// - `ALLOW_USER_SRP_AUTH` : Enable SRP-based authentication.
	// - `ALLOW_REFRESH_TOKEN_AUTH` : Enable authflow to refresh tokens.
	//
	// In some environments, you will see the values `ADMIN_NO_SRP_AUTH` , `CUSTOM_AUTH_FLOW_ONLY` , or `USER_PASSWORD_AUTH` . You can't assign these legacy `ExplicitAuthFlows` values to user pool clients at the same time as values that begin with `ALLOW_` ,
	// like `ALLOW_USER_SRP_AUTH` .
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-explicitauthflows
	//
	ExplicitAuthFlows *[]*string `field:"optional" json:"explicitAuthFlows" yaml:"explicitAuthFlows"`
	// When `true` , generates a client secret for the app client.
	//
	// Client secrets are used with server-side and machine-to-machine applications. Client secrets are automatically generated; you can't specify a secret value. For more information, see [App client types](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html#user-pool-settings-client-app-client-types) .
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-generatesecret
	//
	GenerateSecret interface{} `field:"optional" json:"generateSecret" yaml:"generateSecret"`
	// The ID token time limit.
	//
	// After this limit expires, your user can't use their ID token. To specify the time unit for `IdTokenValidity` as `seconds` , `minutes` , `hours` , or `days` , set a `TokenValidityUnits` value in your API request.
	//
	// For example, when you set `IdTokenValidity` as `10` and `TokenValidityUnits` as `hours` , your user can authenticate their session with their ID token for 10 hours.
	//
	// The default time unit for `IdTokenValidity` in an API request is hours. *Valid range* is displayed below in seconds.
	//
	// If you don't specify otherwise in the configuration of your app client, your ID
	// tokens are valid for one hour.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-idtokenvalidity
	//
	IdTokenValidity *float64 `field:"optional" json:"idTokenValidity" yaml:"idTokenValidity"`
	// A list of allowed logout URLs for managed login authentication.
	//
	// When you pass `logout_uri` and `client_id` parameters to `/logout` , Amazon Cognito signs out your user and redirects them to the logout URL. This parameter describes the URLs that you want to be the permitted targets of `logout_uri` . A typical use of these URLs is when a user selects "Sign out" and you redirect them to your public homepage. For more information, see [Logout endpoint](https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html) .
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-logouturls
	//
	LogoutUrLs *[]*string `field:"optional" json:"logoutUrLs" yaml:"logoutUrLs"`
	// Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool.
	//
	// When set to `ENABLED` and the user doesn't exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to `LEGACY` , those APIs return a `UserNotFoundException` exception if the user doesn't exist in the user pool.
	//
	// Valid values include:
	//
	// - `ENABLED` - This prevents user existence-related errors.
	// - `LEGACY` - This represents the early behavior of Amazon Cognito where user existence related errors aren't prevented.
	//
	// Defaults to `LEGACY` when you don't provide a value.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-preventuserexistenceerrors
	//
	PreventUserExistenceErrors *string `field:"optional" json:"preventUserExistenceErrors" yaml:"preventUserExistenceErrors"`
	// The list of user attributes that you want your app client to have read access to.
	//
	// After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information.
	//
	// When you don't specify the `ReadAttributes` for your app client, your app can read the values of `email_verified` , `phone_number_verified` , and the Standard attributes of your user pool. When your user pool app client has read access to these default attributes, `ReadAttributes` doesn't return any information. Amazon Cognito only populates `ReadAttributes` in the API response if you have specified your own custom set of read attributes.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-readattributes
	//
	ReadAttributes *[]*string `field:"optional" json:"readAttributes" yaml:"readAttributes"`
	// The refresh token time limit.
	//
	// After this limit expires, your user can't use their refresh token. To specify the time unit for `RefreshTokenValidity` as `seconds` , `minutes` , `hours` , or `days` , set a `TokenValidityUnits` value in your API request.
	//
	// For example, when you set `RefreshTokenValidity` as `10` and `TokenValidityUnits` as `days` , your user can refresh their session
	// and retrieve new access and ID tokens for 10 days.
	//
	// The default time unit for `RefreshTokenValidity` in an API request is days. You can't set `RefreshTokenValidity` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. *Valid range* is displayed below in seconds.
	//
	// If you don't specify otherwise in the configuration of your app client, your refresh
	// tokens are valid for 30 days.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-refreshtokenvalidity
	//
	RefreshTokenValidity *float64 `field:"optional" json:"refreshTokenValidity" yaml:"refreshTokenValidity"`
	// A list of provider names for the identity providers (IdPs) that are supported on this client.
	//
	// The following are supported: `COGNITO` , `Facebook` , `Google` , `SignInWithApple` , and `LoginWithAmazon` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example `MySAMLIdP` or `MyOIDCIdP` .
	//
	// This parameter sets the IdPs that [managed login](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html) will display on the login page for your app client. The removal of `COGNITO` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent SDK-based authentication is to block access with an [AWS WAF rule](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html) .
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-supportedidentityproviders
	//
	SupportedIdentityProviders *[]*string `field:"optional" json:"supportedIdentityProviders" yaml:"supportedIdentityProviders"`
	// The units that validity times are represented in.
	//
	// The default unit for refresh tokens is days, and the default for ID and access tokens is hours.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-tokenvalidityunits
	//
	TokenValidityUnits interface{} `field:"optional" json:"tokenValidityUnits" yaml:"tokenValidityUnits"`
	// The list of user attributes that you want your app client to have write access to.
	//
	// After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list.
	//
	// When you don't specify the `WriteAttributes` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, `WriteAttributes` doesn't return any information. Amazon Cognito only populates `WriteAttributes` in the API response if you have specified your own custom set of write attributes.
	//
	// If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see [Specifying IdP Attribute Mappings for Your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) .
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-writeattributes
	//
	WriteAttributes *[]*string `field:"optional" json:"writeAttributes" yaml:"writeAttributes"`
}
Properties for defining a `CfnUserPoolClient`.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolClientProps := &CfnUserPoolClientProps{
	UserPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	AccessTokenValidity: jsii.Number(123),
	AllowedOAuthFlows: []*string{
		jsii.String("allowedOAuthFlows"),
	},
	AllowedOAuthFlowsUserPoolClient: jsii.Boolean(false),
	AllowedOAuthScopes: []*string{
		jsii.String("allowedOAuthScopes"),
	},
	AnalyticsConfiguration: &AnalyticsConfigurationProperty{
		ApplicationArn: jsii.String("applicationArn"),
		ApplicationId: jsii.String("applicationId"),
		ExternalId: jsii.String("externalId"),
		RoleArn: jsii.String("roleArn"),
		UserDataShared: jsii.Boolean(false),
	},
	AuthSessionValidity: jsii.Number(123),
	CallbackUrLs: []*string{
		jsii.String("callbackUrLs"),
	},
	ClientName: jsii.String("clientName"),
	DefaultRedirectUri: jsii.String("defaultRedirectUri"),
	EnablePropagateAdditionalUserContextData: jsii.Boolean(false),
	EnableTokenRevocation: jsii.Boolean(false),
	ExplicitAuthFlows: []*string{
		jsii.String("explicitAuthFlows"),
	},
	GenerateSecret: jsii.Boolean(false),
	IdTokenValidity: jsii.Number(123),
	LogoutUrLs: []*string{
		jsii.String("logoutUrLs"),
	},
	PreventUserExistenceErrors: jsii.String("preventUserExistenceErrors"),
	ReadAttributes: []*string{
		jsii.String("readAttributes"),
	},
	RefreshTokenValidity: jsii.Number(123),
	SupportedIdentityProviders: []*string{
		jsii.String("supportedIdentityProviders"),
	},
	TokenValidityUnits: &TokenValidityUnitsProperty{
		AccessToken: jsii.String("accessToken"),
		IdToken: jsii.String("idToken"),
		RefreshToken: jsii.String("refreshToken"),
	},
	WriteAttributes: []*string{
		jsii.String("writeAttributes"),
	},
}
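The field comments above state several rules that are easy to break in a real app client: the redirect URI requirements for `CallbackUrLs`, the ban on mixing legacy and `ALLOW_` values in `ExplicitAuthFlows`, and the `LEGACY` default of `PreventUserExistenceErrors`. The following pre-deployment check is an added example, not code from the CDK project; `AppClientSettings`, `CheckCallbackURL`, `Audit` and the sample values are hypothetical names and constructed data.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// AppClientSettings is a hypothetical plain-Go mirror of the
// CfnUserPoolClientProps fields reviewed here; it is not a CDK type.
type AppClientSettings struct {
	CallbackURLs               []string
	DefaultRedirectURI         string
	ExplicitAuthFlows          []string
	PreventUserExistenceErrors string
}

// Legacy ExplicitAuthFlows values; they cannot be combined with ALLOW_ values.
var legacyFlows = map[string]bool{
	"ADMIN_NO_SRP_AUTH": true, "CUSTOM_AUTH_FLOW_ONLY": true, "USER_PASSWORD_AUTH": true,
}

// Flows documented as sending the password in the request instead of using SRP.
var passwordInRequest = map[string]bool{
	"ALLOW_USER_PASSWORD_AUTH": true, "ALLOW_ADMIN_USER_PASSWORD_AUTH": true,
}

// CheckCallbackURL applies the documented redirect URI requirements: absolute,
// no fragment, and HTTPS unless the host is localhost. App schemes such as
// myapp://example pass because only the http scheme is restricted.
func CheckCallbackURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("unparseable URI: %v", err)
	}
	switch {
	case !u.IsAbs():
		return fmt.Errorf("not an absolute URI")
	case strings.Contains(raw, "#"):
		return fmt.Errorf("includes a fragment component")
	case u.Scheme == "http" && !strings.EqualFold(u.Hostname(), "localhost"):
		return fmt.Errorf("plain HTTP is accepted only for http://localhost")
	}
	return nil
}

// Audit returns one finding per setting that conflicts with the documentation.
func Audit(s AppClientSettings) []string {
	var findings []string
	defaultRegistered := s.DefaultRedirectURI == ""
	for _, cb := range s.CallbackURLs {
		if err := CheckCallbackURL(cb); err != nil {
			findings = append(findings, fmt.Sprintf("CallbackURLs %q: %v", cb, err))
		}
		if cb == s.DefaultRedirectURI {
			defaultRegistered = true
		}
	}
	if !defaultRegistered {
		findings = append(findings, "DefaultRedirectUri is not in the CallbackURLs list")
	}
	var legacy, allow bool
	for _, f := range s.ExplicitAuthFlows {
		legacy = legacy || legacyFlows[f]
		allow = allow || strings.HasPrefix(f, "ALLOW_")
		if passwordInRequest[f] {
			findings = append(findings, f+": password is sent in the request instead of via SRP")
		}
	}
	if legacy && allow {
		findings = append(findings, "ExplicitAuthFlows mixes legacy values with ALLOW_ values")
	}
	if s.PreventUserExistenceErrors != "ENABLED" {
		findings = append(findings, "PreventUserExistenceErrors is not ENABLED: UserNotFoundException reveals which users exist")
	}
	return findings
}

// weakClient is a constructed sample that violates each rule at least once.
func weakClient() AppClientSettings {
	return AppClientSettings{
		CallbackURLs: []string{"http://app.example.com/callback",
			"https://app.example.com/cb#done", "https://app.example.com/callback"},
		DefaultRedirectURI: "https://app.example.com/home",
		ExplicitAuthFlows:  []string{"ALLOW_USER_PASSWORD_AUTH", "ADMIN_NO_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"},
	}
}

func main() {
	for _, f := range Audit(weakClient()) {
		fmt.Println("-", f)
	}
}
```

The same checks can run in a unit test against the values passed to `CfnUserPoolClientProps` before synthesis.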
type CfnUserPoolClient_AnalyticsConfigurationProperty
type CfnUserPoolClient_AnalyticsConfigurationProperty struct {
	// The Amazon Resource Name (ARN) of an Amazon Pinpoint project that you want to connect to your user pool app client.
	//
	// Amazon Cognito publishes events to the Amazon Pinpoint project that `ApplicationArn` declares. You can also configure your application to pass an endpoint ID in the `AnalyticsMetadata` parameter of sign-in operations. The endpoint ID is information about the destination for push notifications.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-analyticsconfiguration.html#cfn-cognito-userpoolclient-analyticsconfiguration-applicationarn
	//
	ApplicationArn *string `field:"optional" json:"applicationArn" yaml:"applicationArn"`
	// Your Amazon Pinpoint project ID.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-analyticsconfiguration.html#cfn-cognito-userpoolclient-analyticsconfiguration-applicationid
	//
	ApplicationId *string `field:"optional" json:"applicationId" yaml:"applicationId"`
	// The [external ID](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html) of the role that Amazon Cognito assumes to send analytics data to Amazon Pinpoint.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-analyticsconfiguration.html#cfn-cognito-userpoolclient-analyticsconfiguration-externalid
	//
	ExternalId *string `field:"optional" json:"externalId" yaml:"externalId"`
	// The ARN of an AWS Identity and Access Management role that has the permissions required for Amazon Cognito to publish events to Amazon Pinpoint analytics.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-analyticsconfiguration.html#cfn-cognito-userpoolclient-analyticsconfiguration-rolearn
	//
	RoleArn *string `field:"optional" json:"roleArn" yaml:"roleArn"`
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-analyticsconfiguration.html#cfn-cognito-userpoolclient-analyticsconfiguration-userdatashared
	//
	UserDataShared interface{} `field:"optional" json:"userDataShared" yaml:"userDataShared"`
}
The settings for Amazon Pinpoint analytics configuration.
With an analytics configuration, your application can collect user-activity metrics for user notifications with an Amazon Pinpoint campaign.
Amazon Pinpoint isn't available in all AWS Regions. For a list of available Regions, see [Amazon Cognito and Amazon Pinpoint Region availability](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html#cognito-user-pools-find-region-mappings).
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

analyticsConfigurationProperty := &AnalyticsConfigurationProperty{
	ApplicationArn: jsii.String("applicationArn"),
	ApplicationId: jsii.String("applicationId"),
	ExternalId: jsii.String("externalId"),
	RoleArn: jsii.String("roleArn"),
	UserDataShared: jsii.Boolean(false),
}
type CfnUserPoolClient_TokenValidityUnitsProperty
type CfnUserPoolClient_TokenValidityUnitsProperty struct {
	// A time unit for the value that you set in the `AccessTokenValidity` parameter.
	//
	// The default `AccessTokenValidity` time unit is `hours` . `AccessTokenValidity` duration can range from five minutes to one day.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-tokenvalidityunits.html#cfn-cognito-userpoolclient-tokenvalidityunits-accesstoken
	//
	AccessToken *string `field:"optional" json:"accessToken" yaml:"accessToken"`
	// A time unit for the value that you set in the `IdTokenValidity` parameter.
	//
	// The default `IdTokenValidity` time unit is `hours` . `IdTokenValidity` duration can range from five minutes to one day.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-tokenvalidityunits.html#cfn-cognito-userpoolclient-tokenvalidityunits-idtoken
	//
	IdToken *string `field:"optional" json:"idToken" yaml:"idToken"`
	// A time unit for the value that you set in the `RefreshTokenValidity` parameter.
	//
	// The default `RefreshTokenValidity` time unit is `days` . `RefreshTokenValidity` duration can range from 60 minutes to 10 years.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolclient-tokenvalidityunits.html#cfn-cognito-userpoolclient-tokenvalidityunits-refreshtoken
	//
	RefreshToken *string `field:"optional" json:"refreshToken" yaml:"refreshToken"`
}
The units that validity times are represented in.
The default unit for refresh tokens is days, and the default for ID and access tokens is hours.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

tokenValidityUnitsProperty := &TokenValidityUnitsProperty{
	AccessToken: jsii.String("accessToken"),
	IdToken: jsii.String("idToken"),
	RefreshToken: jsii.String("refreshToken"),
}
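Because the validity numbers are interpreted in a default unit when `TokenValidityUnits` is omitted, a value meant as minutes can silently become hours or days. The helper below is an added example, not part of the CDK library: it resolves a value and unit to the lifetime described above and checks it against the documented ranges. `EffectiveLifetime`, `num` and the rule table are hypothetical names; it assumes "10 years" means 3650 days and that an unset access token lasts one hour, like the ID token.

```go
package main

import (
	"fmt"
	"time"
)

const day = 24 * time.Hour

// tokenRule holds, for one token type, the unit used when none is given, the
// lifetime used when no value is given, and the documented allowed range.
type tokenRule struct {
	defaultUnit     string
	unset, min, max time.Duration
}

var tokenRules = map[string]tokenRule{
	"access":  {"hours", time.Hour, 5 * time.Minute, day},
	"id":      {"hours", time.Hour, 5 * time.Minute, day},
	"refresh": {"days", 30 * day, 60 * time.Minute, 3650 * day}, // assumption: 10 years = 3650 days
}

var unitLength = map[string]time.Duration{
	"seconds": time.Second, "minutes": time.Minute, "hours": time.Hour, "days": day,
}

// num returns a pointer to v, mirroring optional numeric properties.
func num(v float64) *float64 { return &v }

// EffectiveLifetime resolves a validity value and unit for kind ("access",
// "id" or "refresh") and reports an error when the result is out of range.
// A nil value means the property is unset; an empty unit means the default.
func EffectiveLifetime(kind string, value *float64, unit string) (time.Duration, error) {
	rule, ok := tokenRules[kind]
	if !ok {
		return 0, fmt.Errorf("unknown token kind %q", kind)
	}
	// Unset values, and a refresh value of 0, fall back to the default lifetime.
	if value == nil || (kind == "refresh" && *value == 0) {
		return rule.unset, nil
	}
	if unit == "" {
		unit = rule.defaultUnit
	}
	step, ok := unitLength[unit]
	if !ok {
		return 0, fmt.Errorf("%s: unit %q is not seconds, minutes, hours or days", kind, unit)
	}
	life := time.Duration(*value * float64(step))
	if life < rule.min || life > rule.max {
		return life, fmt.Errorf("%s token lifetime %v is outside %v to %v", kind, life, rule.min, rule.max)
	}
	return life, nil
}

func main() {
	// Constructed cases: 60 without a unit is 60 hours for an ID token.
	cases := []struct {
		kind  string
		value *float64
		unit  string
	}{
		{"id", num(60), ""},
		{"id", num(60), "minutes"},
		{"refresh", num(0), ""},
		{"access", num(4), "minutes"},
	}
	for _, c := range cases {
		life, err := EffectiveLifetime(c.kind, c.value, c.unit)
		fmt.Printf("%-8s unit=%-8q lifetime=%-10v err=%v\n", c.kind, c.unit, life, err)
	}
}
```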
type CfnUserPoolDomain
type CfnUserPoolDomain interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// The Amazon CloudFront endpoint that you use as the target of the alias that you set up with your Domain Name Service (DNS) provider.
	AttrCloudFrontDistribution() *string
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// The configuration for a custom domain that hosts the sign-up and sign-in pages for your application.
	CustomDomainConfig() interface{}
	SetCustomDomainConfig(val interface{})
	// The name of the domain that you want to update.
	Domain() *string
	SetDomain(val *string)
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// A version number that indicates the state of managed login for your domain.
	ManagedLoginVersion() *float64
	SetManagedLoginVersion(val *float64)
	// The tree node.
	Node() constructs.Node
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// Deprecated.
	// Deprecated: use `updatedProperties`
	//
	// Return properties modified after initiation
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperties() *map[string]interface{}
	// The ID of the user pool that is associated with the domain you're updating.
	UserPoolId() *string
	SetUserPoolId(val *string)
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependency(target awscdk.CfnResource)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	// Deprecated: use addDependency.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.)
	// in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// ```typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// ```
	// would add the overrides
	// ```json
	// "Properties": {
	//   "GlobalSecondaryIndexes": [
	//     {
	//       "Projection": {
	//         "NonKeyAttributes": [ "myattribute" ]
	//         ...
	//       }
	//       ...
	//     },
	//     {
	//       "ProjectionType": "INCLUDE"
	//       ...
	//     },
	//   ]
	//   ...
	// }
	// ```
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	// In some cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found in the following link:
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for a runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string, typeHint awscdk.ResolutionTypeHint) awscdk.Reference
	// Retrieve a value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Retrieves an array of resources this resource depends on.
	//
	// This assembles dependencies on resources across stacks (including nested stacks)
	// automatically.
	ObtainDependencies() *[]interface{}
	// Get a shallow copy of dependencies between this resource and other resources in the same stack.
	ObtainResourceDependencies() *[]awscdk.CfnResource
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	// Indicates that this resource no longer depends on another resource.
	//
	// This can be used for resources across stacks (including nested stacks)
	// and the dependency will automatically be removed from the relevant scope.
	RemoveDependency(target awscdk.CfnResource)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Replaces one dependency with another.
	ReplaceDependency(target awscdk.CfnResource, newTarget awscdk.CfnResource)
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` if the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	ValidateProperties(_properties interface{})
}
The AWS::Cognito::UserPoolDomain resource creates a new domain for a user pool.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolDomain := awscdk.Aws_cognito.NewCfnUserPoolDomain(this, jsii.String("MyCfnUserPoolDomain"), &CfnUserPoolDomainProps{
	Domain: jsii.String("domain"),
	UserPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	CustomDomainConfig: &CustomDomainConfigTypeProperty{
		CertificateArn: jsii.String("certificateArn"),
	},
	ManagedLoginVersion: jsii.Number(123),
})
func NewCfnUserPoolDomain
func NewCfnUserPoolDomain(scope constructs.Construct, id *string, props *CfnUserPoolDomainProps) CfnUserPoolDomain
type CfnUserPoolDomainProps
type CfnUserPoolDomainProps struct {
	// The name of the domain that you want to update.
	//
	// For custom domains, this is the fully-qualified domain name, for example `auth.example.com` . For prefix domains, this is the prefix alone, such as `myprefix` .
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooldomain.html#cfn-cognito-userpooldomain-domain
	//
	Domain *string `field:"required" json:"domain" yaml:"domain"`
	// The ID of the user pool that is associated with the domain you're updating.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooldomain.html#cfn-cognito-userpooldomain-userpoolid
	//
	UserPoolId *string `field:"required" json:"userPoolId" yaml:"userPoolId"`
	// The configuration for a custom domain that hosts the sign-up and sign-in pages for your application.
	//
	// Use this object to specify an SSL certificate that is managed by ACM.
	//
	// When you create a custom domain, the passkey RP ID defaults to the custom domain. If you had a prefix domain active, this will cause passkey integration for your prefix domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey integration working, you can explicitly set RP ID to the prefix domain.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooldomain.html#cfn-cognito-userpooldomain-customdomainconfig
	//
	CustomDomainConfig interface{} `field:"optional" json:"customDomainConfig" yaml:"customDomainConfig"`
	// A version number that indicates the state of managed login for your domain.
	//
	// Version `1` is hosted UI (classic). Version `2` is the newer managed login with the branding designer. For more information, see [Managed login](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html) .
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooldomain.html#cfn-cognito-userpooldomain-managedloginversion
	//
	ManagedLoginVersion *float64 `field:"optional" json:"managedLoginVersion" yaml:"managedLoginVersion"`
}
Properties for defining a `CfnUserPoolDomain`.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolDomainProps := &CfnUserPoolDomainProps{
	Domain: jsii.String("domain"),
	UserPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	CustomDomainConfig: &CustomDomainConfigTypeProperty{
		CertificateArn: jsii.String("certificateArn"),
	},
	ManagedLoginVersion: jsii.Number(123),
}
type CfnUserPoolDomain_CustomDomainConfigTypeProperty
type CfnUserPoolDomain_CustomDomainConfigTypeProperty struct {
	// The Amazon Resource Name (ARN) of an AWS Certificate Manager SSL certificate.
	//
	// You use this certificate for the subdomain of your custom domain.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpooldomain-customdomainconfigtype.html#cfn-cognito-userpooldomain-customdomainconfigtype-certificatearn
	//
	CertificateArn *string `field:"optional" json:"certificateArn" yaml:"certificateArn"`
}
The configuration for a hosted UI custom domain.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

customDomainConfigTypeProperty := &CustomDomainConfigTypeProperty{
	CertificateArn: jsii.String("certificateArn"),
}
type CfnUserPoolGroup
type CfnUserPoolGroup interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// A description of the group that you're creating.
	Description() *string
	SetDescription(val *string)
	// A name for the group.
	GroupName() *string
	SetGroupName(val *string)
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// The tree node.
	Node() constructs.Node
	// A non-negative integer value that specifies the precedence of this group relative to the other groups that a user can belong to in the user pool.
	Precedence() *float64
	SetPrecedence(val *float64)
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// The Amazon Resource Name (ARN) for the IAM role that you want to associate with the group.
	RoleArn() *string
	SetRoleArn(val *string)
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// Deprecated.
	// Deprecated: use `updatedProperties`
	//
	// Return properties modified after initiation
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperties() *map[string]interface{}
	// The ID of the user pool where you want to create a user group.
	UserPoolId() *string
	SetUserPoolId(val *string)
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependency(target awscdk.CfnResource)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	// Deprecated: use addDependency.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// ```typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// ```
	// would add the overrides
	// ```json
	// "Properties": {
	//   "GlobalSecondaryIndexes": [
	//     {
	//       "Projection": {
	//         "NonKeyAttributes": [ "myattribute" ]
	//         ...
	//       }
	//       ...
	//     },
	//     {
	//       "ProjectionType": "INCLUDE"
	//       ...
	//     },
	//   ]
	//   ...
	// }
	// ```
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found at the following link.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for a runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string, typeHint awscdk.ResolutionTypeHint) awscdk.Reference
	// Retrieve a value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Retrieves an array of resources this resource depends on.
	//
	// This assembles dependencies on resources across stacks (including nested stacks)
	// automatically.
	ObtainDependencies() *[]interface{}
	// Get a shallow copy of dependencies between this resource and other resources in the same stack.
	ObtainResourceDependencies() *[]awscdk.CfnResource
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	// Indicates that this resource no longer depends on another resource.
	//
	// This can be used for resources across stacks (including nested stacks)
	// and the dependency will automatically be removed from the relevant scope.
	RemoveDependency(target awscdk.CfnResource)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Replaces one dependency with another.
	ReplaceDependency(target awscdk.CfnResource, newTarget awscdk.CfnResource)
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` if the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	ValidateProperties(_properties interface{})
}
A user pool group.
Contains details about the group and the way that it contributes to IAM role decisions with identity pools. Identity pools can make decisions about the IAM role to assign based on groups: users get credentials for the role associated with their highest-priority group.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolGroup := awscdk.Aws_cognito.NewCfnUserPoolGroup(this, jsii.String("MyCfnUserPoolGroup"), &CfnUserPoolGroupProps{
	UserPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	Description: jsii.String("description"),
	GroupName: jsii.String("groupName"),
	Precedence: jsii.Number(123),
	RoleArn: jsii.String("roleArn"),
})
func NewCfnUserPoolGroup
func NewCfnUserPoolGroup(scope constructs.Construct, id *string, props *CfnUserPoolGroupProps) CfnUserPoolGroup
type CfnUserPoolGroupProps
type CfnUserPoolGroupProps struct {
	// The ID of the user pool where you want to create a user group.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolgroup.html#cfn-cognito-userpoolgroup-userpoolid
	//
	UserPoolId *string `field:"required" json:"userPoolId" yaml:"userPoolId"`
	// A description of the group that you're creating.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolgroup.html#cfn-cognito-userpoolgroup-description
	//
	Description *string `field:"optional" json:"description" yaml:"description"`
	// A name for the group.
	//
	// This name must be unique in your user pool.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolgroup.html#cfn-cognito-userpoolgroup-groupname
	//
	GroupName *string `field:"optional" json:"groupName" yaml:"groupName"`
	// A non-negative integer value that specifies the precedence of this group relative to the other groups that a user can belong to in the user pool.
	//
	// Zero is the highest precedence value. Groups with lower `Precedence` values take precedence over groups with higher or null `Precedence` values. If a user belongs to two or more groups, it is the group with the lowest precedence value whose role ARN is given in the user's tokens for the `cognito:roles` and `cognito:preferred_role` claims.
	//
	// Two groups can have the same `Precedence` value. If this happens, neither group takes precedence over the other. If two groups with the same `Precedence` have the same role ARN, that role is used in the `cognito:preferred_role` claim in tokens for users in each group. If the two groups have different role ARNs, the `cognito:preferred_role` claim isn't set in users' tokens.
	//
	// The default `Precedence` value is null. The maximum `Precedence` value is `2^31-1`.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolgroup.html#cfn-cognito-userpoolgroup-precedence
	//
	Precedence *float64 `field:"optional" json:"precedence" yaml:"precedence"`
	// The Amazon Resource Name (ARN) for the IAM role that you want to associate with the group.
	//
	// A group role primarily declares a preferred role for the credentials that you get from an identity pool. Amazon Cognito ID tokens have a `cognito:preferred_role` claim that presents the highest-precedence group that a user belongs to. Both ID and access tokens also contain a `cognito:groups` claim that list all the groups that a user is a member of.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolgroup.html#cfn-cognito-userpoolgroup-rolearn
	//
	RoleArn *string `field:"optional" json:"roleArn" yaml:"roleArn"`
}
Properties for defining a `CfnUserPoolGroup`.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolGroupProps := &CfnUserPoolGroupProps{
	UserPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	Description: jsii.String("description"),
	GroupName: jsii.String("groupName"),
	Precedence: jsii.Number(123),
	RoleArn: jsii.String("roleArn"),
}
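The `Precedence` and `RoleArn` rules documented for `CfnUserPoolGroupProps` decide which IAM role a multi-group user is steered to, so they are worth checking before deployment. The following is an added example, not part of the CDK library or its generated documentation: a standalone Go model of those rules. The names `Group`, `Decision`, `Resolve`, `Validate` and `P` are hypothetical, and it assumes that groups without a role ARN are ignored and that null-precedence groups tie with each other.

```go
package main

import (
	"fmt"
	"sort"
)

// maxPrecedence is the documented maximum Precedence value, 2^31-1.
const maxPrecedence = 1<<31 - 1

// Group holds the CfnUserPoolGroupProps fields that influence role selection.
// Precedence is a pointer because the documented default is null.
type Group struct {
	Name       string
	Precedence *int64
	RoleArn    string
}

// Decision summarises what role selection yields for one user's memberships.
type Decision struct {
	Roles         []string // distinct candidate role ARNs, highest priority first (ordering is this example's choice)
	PreferredRole string   // empty when cognito:preferred_role would not be set
	Reason        string
}

// P builds a non-null precedence for sample data.
func P(v int64) *int64 { return &v }

// Validate rejects precedence values outside the documented 0..2^31-1 range.
func Validate(g Group) error {
	if g.Precedence != nil && (*g.Precedence < 0 || *g.Precedence > maxPrecedence) {
		return fmt.Errorf("group %q: precedence %d outside 0..%d", g.Name, *g.Precedence, maxPrecedence)
	}
	return nil
}

// outranks reports whether a beats b: the lower value wins, null loses to any number.
func outranks(a, b Group) bool {
	if a.Precedence == nil {
		return false
	}
	return b.Precedence == nil || *a.Precedence < *b.Precedence
}

// Resolve applies the documented rules to the groups a single user belongs to.
// Assumption: groups with an empty RoleArn contribute nothing to role selection.
func Resolve(groups []Group) Decision {
	var ranked []Group
	for _, g := range groups {
		if g.RoleArn != "" {
			ranked = append(ranked, g)
		}
	}
	if len(ranked) == 0 {
		return Decision{Reason: "no group carries a role ARN"}
	}
	sort.SliceStable(ranked, func(i, j int) bool { return outranks(ranked[i], ranked[j]) })

	d := Decision{}
	seen := map[string]bool{}
	for _, g := range ranked {
		if !seen[g.RoleArn] {
			seen[g.RoleArn] = true
			d.Roles = append(d.Roles, g.RoleArn)
		}
	}
	// Walk the top tier: equal precedence with different roles leaves no preferred role.
	top := ranked[0]
	for _, g := range ranked[1:] {
		if outranks(top, g) {
			break // g is on a lower tier, so the top tier is exhausted
		}
		if g.RoleArn != top.RoleArn {
			d.Reason = fmt.Sprintf("groups %q and %q tie with different roles", top.Name, g.Name)
			return d
		}
	}
	d.PreferredRole = top.RoleArn
	d.Reason = fmt.Sprintf("group %q has the highest priority", top.Name)
	return d
}

func main() {
	// Constructed memberships; the account ID and role names are placeholders.
	admin, reader := "arn:aws:iam::111122223333:role/admin", "arn:aws:iam::111122223333:role/reader"
	users := map[string][]Group{
		"alice": {{"readers", P(10), reader}, {"admins", P(0), admin}},
		"bob":   {{"ops", P(5), admin}, {"support", P(5), reader}},
	}
	for _, name := range []string{"alice", "bob"} {
		d := Resolve(users[name])
		fmt.Printf("%s: preferred=%q (%s)\n", name, d.PreferredRole, d.Reason)
	}
}
```

Running a check like this over the group definitions in a stack surfaces ties that silently drop `cognito:preferred_role`, as well as low-numbered groups that would hand a privileged role to every member.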
type CfnUserPoolIdentityProvider
type CfnUserPoolIdentityProvider interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// A mapping of IdP attributes to standard and custom user pool attributes.
	AttributeMapping() interface{}
	SetAttributeMapping(val interface{})
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// An array of IdP identifiers, for example `"IdPIdentifiers": [ "MyIdP", "MyIdP2" ]`.
	IdpIdentifiers() *[]*string
	SetIdpIdentifiers(val *[]*string)
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// The tree node.
	Node() constructs.Node
	// The scopes, URLs, and identifiers for your external identity provider.
	ProviderDetails() interface{}
	SetProviderDetails(val interface{})
	// The name that you want to assign to the IdP.
	ProviderName() *string
	SetProviderName(val *string)
	// The type of IdP that you want to add.
	ProviderType() *string
	SetProviderType(val *string)
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// Deprecated.
	// Deprecated: use `updatedProperties`
	//
	// Return properties modified after initiation
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperties() *map[string]interface{}
	// The Id of the user pool where you want to create an IdP.
	UserPoolId() *string
	SetUserPoolId(val *string)
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependency(target awscdk.CfnResource)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	// Deprecated: use addDependency.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// ```typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// ```
	// would add the overrides
	// ```json
	// "Properties": {
	//   "GlobalSecondaryIndexes": [
	//     {
	//       "Projection": {
	//         "NonKeyAttributes": [ "myattribute" ]
	//         ...
	//       }
	//       ...
	//     },
	//     {
	//       "ProjectionType": "INCLUDE"
	//       ...
	//     },
	//   ]
	//   ...
	// }
	// ```
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found at the following link.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for a runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string, typeHint awscdk.ResolutionTypeHint) awscdk.Reference
	// Retrieve a value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Retrieves an array of resources this resource depends on.
	//
	// This assembles dependencies on resources across stacks (including nested stacks)
	// automatically.
	ObtainDependencies() *[]interface{}
	// Get a shallow copy of dependencies between this resource and other resources in the same stack.
	ObtainResourceDependencies() *[]awscdk.CfnResource
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	// Indicates that this resource no longer depends on another resource.
	//
	// This can be used for resources across stacks (including nested stacks)
	// and the dependency will automatically be removed from the relevant scope.
	RemoveDependency(target awscdk.CfnResource)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Replaces one dependency with another.
	ReplaceDependency(target awscdk.CfnResource, newTarget awscdk.CfnResource)
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` if the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	ValidateProperties(_properties interface{})
}
The `AWS::Cognito::UserPoolIdentityProvider` resource creates an identity provider for a user pool.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var attributeMapping interface{}
var providerDetails interface{}

cfnUserPoolIdentityProvider := awscdk.Aws_cognito.NewCfnUserPoolIdentityProvider(this, jsii.String("MyCfnUserPoolIdentityProvider"), &CfnUserPoolIdentityProviderProps{
	ProviderDetails: providerDetails,
	ProviderName: jsii.String("providerName"),
	ProviderType: jsii.String("providerType"),
	UserPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	AttributeMapping: attributeMapping,
	IdpIdentifiers: []*string{
		jsii.String("idpIdentifiers"),
	},
})
func NewCfnUserPoolIdentityProvider
func NewCfnUserPoolIdentityProvider(scope constructs.Construct, id *string, props *CfnUserPoolIdentityProviderProps) CfnUserPoolIdentityProvider
type CfnUserPoolIdentityProviderProps
type CfnUserPoolIdentityProviderProps struct {
	// The scopes, URLs, and identifiers for your external identity provider.
	//
	// The following
	// examples describe the provider detail keys for each IdP type. These values and their
	// schema are subject to change. Social IdP `authorize_scopes` values must match
	// the values listed here.
	//
	// - **OpenID Connect (OIDC)** - Amazon Cognito accepts the following elements when it can't discover endpoint URLs from `oidc_issuer`: `attributes_url`, `authorize_url`, `jwks_uri`, `token_url`.
	//
	// Create or update request: `"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`
	//
	// Describe response: `"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "attributes_url_add_attributes": "false", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`
	// - **SAML** - Create or update request with Metadata URL: `"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256" }`
	//
	// Create or update request with Metadata file: `"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataFile": "[metadata XML]", "RequestSigningAlgorithm": "rsa-sha256" }`
	//
	// The value of `MetadataFile` must be the plaintext metadata document with all quote (") characters escaped by backslashes.
	//
	// Describe response: `"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "ActiveEncryptionCertificate": "[certificate]", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI": "https://auth.example.com/slo/saml", "SSORedirectBindingURI": "https://auth.example.com/sso/saml" }`
	// - **LoginWithAmazon** - Create or update request: `"ProviderDetails": { "authorize_scopes": "profile postal_code", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret"`
	//
	// Describe response: `"ProviderDetails": { "attributes_url": "https://api.amazon.com/user/profile", "attributes_url_add_attributes": "false", "authorize_scopes": "profile postal_code", "authorize_url": "https://www.amazon.com/ap/oa", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "POST", "token_url": "https://api.amazon.com/auth/o2/token" }`
	// - **Google** - Create or update request: `"ProviderDetails": { "authorize_scopes": "email profile openid", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret" }`
	//
	// Describe response: `"ProviderDetails": { "attributes_url": "https://people.googleapis.com/v1/people/me?personFields=", "attributes_url_add_attributes": "true", "authorize_scopes": "email profile openid", "authorize_url": "https://accounts.google.com/o/oauth2/v2/auth", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret", "oidc_issuer": "https://accounts.google.com", "token_request_method": "POST", "token_url": "https://www.googleapis.com/oauth2/v4/token" }`
	// - **SignInWithApple** - Create or update request: `"ProviderDetails": { "authorize_scopes": "email name", "client_id": "com.example.cognito", "private_key": "1EXAMPLE", "key_id": "2EXAMPLE", "team_id": "3EXAMPLE" }`
	//
	// Describe response: `"ProviderDetails": { "attributes_url_add_attributes": "false", "authorize_scopes": "email name", "authorize_url": "https://appleid.apple.com/auth/authorize", "client_id": "com.example.cognito", "key_id": "1EXAMPLE", "oidc_issuer": "https://appleid.apple.com", "team_id": "2EXAMPLE", "token_request_method": "POST", "token_url": "https://appleid.apple.com/auth/token" }`
	// - **Facebook** - Create or update request: `"ProviderDetails": { "api_version": "v17.0", "authorize_scopes": "public_profile, email", "client_id": "1example23456789", "client_secret": "provider-app-client-secret" }`
	//
	// Describe response: `"ProviderDetails": { "api_version": "v17.0", "attributes_url": "https://graph.facebook.com/v17.0/me?fields=", "attributes_url_add_attributes": "true", "authorize_scopes": "public_profile, email", "authorize_url": "https://www.facebook.com/v17.0/dialog/oauth", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "GET", "token_url": "https://graph.facebook.com/v17.0/oauth/access_token" }`
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolidentityprovider.html#cfn-cognito-userpoolidentityprovider-providerdetails
	//
	ProviderDetails interface{} `field:"required" json:"providerDetails" yaml:"providerDetails"`
	// The name that you want to assign to the IdP.
	//
	// You can pass the identity provider name in the `identity_provider` query parameter of requests to the [Authorize endpoint](https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html) to silently redirect to sign-in with the associated IdP.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolidentityprovider.html#cfn-cognito-userpoolidentityprovider-providername
	//
	ProviderName *string `field:"required" json:"providerName" yaml:"providerName"`
	// The type of IdP that you want to add.
	//
	// Amazon Cognito supports OIDC, SAML 2.0, Login With Amazon, Sign In With Apple, Google, and Facebook IdPs.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolidentityprovider.html#cfn-cognito-userpoolidentityprovider-providertype
	//
	ProviderType *string `field:"required" json:"providerType" yaml:"providerType"`
	// The Id of the user pool where you want to create an IdP.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolidentityprovider.html#cfn-cognito-userpoolidentityprovider-userpoolid
	//
	UserPoolId *string `field:"required" json:"userPoolId" yaml:"userPoolId"`
	// A mapping of IdP attributes to standard and custom user pool attributes.
	//
	// Specify a user pool attribute as the key of the key-value pair, and the IdP attribute claim name as the value.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolidentityprovider.html#cfn-cognito-userpoolidentityprovider-attributemapping
	//
	AttributeMapping interface{} `field:"optional" json:"attributeMapping" yaml:"attributeMapping"`
	// An array of IdP identifiers, for example `"IdPIdentifiers": [ "MyIdP", "MyIdP2" ]`.
	//
	// Identifiers are friendly names that you can pass in the `idp_identifier` query parameter of requests to the [Authorize endpoint](https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html) to silently redirect to sign-in with the associated IdP. Identifiers in a domain format also enable the use of [email-address matching with SAML providers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managing-saml-idp-naming.html).
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolidentityprovider.html#cfn-cognito-userpoolidentityprovider-idpidentifiers
	//
	IdpIdentifiers *[]*string `field:"optional" json:"idpIdentifiers" yaml:"idpIdentifiers"`
}
Properties for defining a `CfnUserPoolIdentityProvider`.
Example:
// The code below shows an example of how to instantiate this type. // The values are placeholders you should change. import "github.com/aws/aws-cdk-go/awscdk" var attributeMapping interface{} var providerDetails interface{} cfnUserPoolIdentityProviderProps := &CfnUserPoolIdentityProviderProps{ ProviderDetails: providerDetails, ProviderName: jsii.String("providerName"), ProviderType: jsii.String("providerType"), UserPoolId: jsii.String("userPoolId"), // the properties below are optional AttributeMapping: attributeMapping, IdpIdentifiers: []*string{ jsii.String("idpIdentifiers"), }, }
type CfnUserPoolProps ¶
type CfnUserPoolProps struct {
	// The available verified method a user can use to recover their password when they call `ForgotPassword`.
	//
	// You can use this setting to define a preferred method when a user has more than one method available. With this setting, SMS doesn't qualify for a valid password recovery mechanism if the user also has SMS multi-factor authentication (MFA) activated. In the absence of this setting, Amazon Cognito uses the legacy behavior to determine the recovery method where SMS is preferred over email.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-accountrecoverysetting
	//
	AccountRecoverySetting interface{} `field:"optional" json:"accountRecoverySetting" yaml:"accountRecoverySetting"`
	// The settings for administrator creation of users in a user pool.
	//
	// Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-admincreateuserconfig
	//
	AdminCreateUserConfig interface{} `field:"optional" json:"adminCreateUserConfig" yaml:"adminCreateUserConfig"`
	// Attributes supported as an alias for this user pool.
	//
	// For more information about alias attributes, see [Customizing sign-in attributes](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases).
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-aliasattributes
	//
	AliasAttributes *[]*string `field:"optional" json:"aliasAttributes" yaml:"aliasAttributes"`
	// The attributes that you want your user pool to automatically verify.
	//
	// For more information, see [Verifying contact information at sign-up](https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#allowing-users-to-sign-up-and-confirm-themselves).
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-autoverifiedattributes
	//
	AutoVerifiedAttributes *[]*string `field:"optional" json:"autoVerifiedAttributes" yaml:"autoVerifiedAttributes"`
	// When active, `DeletionProtection` prevents accidental deletion of your user pool.
	//
	// Before you can delete a user pool that you have protected against deletion, you
	// must deactivate this feature.
	//
	// When you try to delete a protected user pool in a `DeleteUserPool` API request, Amazon Cognito returns an `InvalidParameterException` error. To delete a protected user pool, send a new `DeleteUserPool` request after you deactivate deletion protection in an `UpdateUserPool` API request.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-deletionprotection
	//
	DeletionProtection *string `field:"optional" json:"deletionProtection" yaml:"deletionProtection"`
	// The device-remembering configuration for a user pool.
	//
	// Device remembering or device tracking is a "Remember me on this device" option for user pools that perform authentication with the device key of a trusted device in the back end, instead of a user-provided MFA code. For more information about device authentication, see [Working with user devices in your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html). A null value indicates that you have deactivated device remembering in your user pool.
	//
	// > When you provide a value for any `DeviceConfiguration` field, you activate the Amazon Cognito device-remembering feature. For more infor
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-deviceconfiguration
	//
	DeviceConfiguration interface{} `field:"optional" json:"deviceConfiguration" yaml:"deviceConfiguration"`
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-emailauthenticationmessage
	//
	EmailAuthenticationMessage *string `field:"optional" json:"emailAuthenticationMessage" yaml:"emailAuthenticationMessage"`
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-emailauthenticationsubject
	//
	EmailAuthenticationSubject *string `field:"optional" json:"emailAuthenticationSubject" yaml:"emailAuthenticationSubject"`
	// The email configuration of your user pool.
	//
	// The email configuration type sets your preferred sending method, AWS Region, and sender for messages from your user pool.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-emailconfiguration
	//
	EmailConfiguration interface{} `field:"optional" json:"emailConfiguration" yaml:"emailConfiguration"`
	// This parameter is no longer used.
	//
	// See [VerificationMessageTemplateType](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html).
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-emailverificationmessage
	//
	EmailVerificationMessage *string `field:"optional" json:"emailVerificationMessage" yaml:"emailVerificationMessage"`
	// This parameter is no longer used.
	//
	// See [VerificationMessageTemplateType](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html).
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-emailverificationsubject
	//
	EmailVerificationSubject *string `field:"optional" json:"emailVerificationSubject" yaml:"emailVerificationSubject"`
	// Set enabled MFA options on a specified user pool.
	//
	// To disable all MFAs after it has been enabled, set `MfaConfiguration` to `OFF` and remove EnabledMfas. MFAs can only be all disabled if `MfaConfiguration` is `OFF`. After you enable `SMS_MFA`, you can only disable it by setting `MfaConfiguration` to `OFF`. Can be one of the following values:
	//
	// - `SMS_MFA` - Enables MFA with SMS for the user pool. To select this option, you must also provide values for `SmsConfiguration`.
	// - `SOFTWARE_TOKEN_MFA` - Enables software token MFA for the user pool.
	// - `EMAIL_OTP` - Enables MFA with email for the user pool. To select this option, you must provide values for `EmailConfiguration` and within those, set `EmailSendingAccount` to `DEVELOPER`.
	//
	// Allowed values: `SMS_MFA` | `SOFTWARE_TOKEN_MFA` | `EMAIL_OTP`.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-enabledmfas
	//
	EnabledMfas *[]*string `field:"optional" json:"enabledMfas" yaml:"enabledMfas"`
	// A collection of user pool Lambda triggers.
	//
	// Amazon Cognito invokes triggers at several possible stages of authentication operations. Triggers can modify the outcome of the operations that invoked them.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-lambdaconfig
	//
	LambdaConfig interface{} `field:"optional" json:"lambdaConfig" yaml:"lambdaConfig"`
	// Displays the state of multi-factor authentication (MFA) as on, off, or optional.
	//
	// When `ON`, all users must set up MFA before they can sign in. When `OPTIONAL`, your application must make a client-side determination of whether a user wants to register an MFA device. For user pools with adaptive authentication with threat protection, choose `OPTIONAL`.
	//
	// When `MfaConfiguration` is `OPTIONAL`, managed login doesn't automatically prompt users to set up MFA. Amazon Cognito generates MFA prompts in API responses and in managed login for users who have chosen and configured a preferred MFA factor.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-mfaconfiguration
	//
	MfaConfiguration *string `field:"optional" json:"mfaConfiguration" yaml:"mfaConfiguration"`
	// A list of user pool policies.
	//
	// Contains the policy that sets password-complexity requirements.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-policies
	//
	Policies interface{} `field:"optional" json:"policies" yaml:"policies"`
	// An array of attributes for the new user pool.
	//
	// You can add custom attributes and modify the properties of default attributes. The specifications in this parameter set the required attributes in your user pool. For more information, see [Working with user attributes](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html).
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-schema
	//
	Schema interface{} `field:"optional" json:"schema" yaml:"schema"`
	// The contents of the SMS authentication message.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-smsauthenticationmessage
	//
	SmsAuthenticationMessage *string `field:"optional" json:"smsAuthenticationMessage" yaml:"smsAuthenticationMessage"`
	// The settings for your Amazon Cognito user pool to send SMS messages with Amazon Simple Notification Service.
	//
	// To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account. For more information see [SMS message settings](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html).
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-smsconfiguration
	//
	SmsConfiguration interface{} `field:"optional" json:"smsConfiguration" yaml:"smsConfiguration"`
	// This parameter is no longer used.
	//
	// See [VerificationMessageTemplateType](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html).
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-smsverificationmessage
	//
	SmsVerificationMessage *string `field:"optional" json:"smsVerificationMessage" yaml:"smsVerificationMessage"`
	// The settings for updates to user attributes.
	//
	// These settings include the property `AttributesRequireVerificationBeforeUpdate`,
	// a user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For
	// more information, see [Verifying updates to email addresses and phone numbers](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates).
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-userattributeupdatesettings
	//
	UserAttributeUpdateSettings interface{} `field:"optional" json:"userAttributeUpdateSettings" yaml:"userAttributeUpdateSettings"`
	// Specifies whether a user can use an email address or phone number as a username when they sign up.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-usernameattributes
	//
	UsernameAttributes *[]*string `field:"optional" json:"usernameAttributes" yaml:"usernameAttributes"`
	// Sets the case sensitivity option for sign-in usernames.
	//
	// When `CaseSensitive` is `false` (case insensitive), users can sign in with any combination of capital and lowercase letters. For example, `username`, `USERNAME`, or `UserName`, or for email, `email@example.com` or `EMaiL@eXamplE.Com`. For most use cases, set case sensitivity to `false` as a best practice. When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user.
	//
	// When `CaseSensitive` is `true` (case sensitive), Amazon Cognito interprets `USERNAME` and `UserName` as distinct users.
	//
	// This configuration is immutable after you set it.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-usernameconfiguration
	//
	UsernameConfiguration interface{} `field:"optional" json:"usernameConfiguration" yaml:"usernameConfiguration"`
	// Contains settings for activation of threat protection, including the operating mode and additional authentication types.
	//
	// To log user security information but take no action, set to `AUDIT`. To configure automatic security responses to potentially unwanted traffic to your user pool, set to `ENFORCED`.
	//
	// For more information, see [Adding advanced security to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html). To activate this setting, your user pool must be on the [Plus tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-plus.html).
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-userpooladdons
	//
	UserPoolAddOns interface{} `field:"optional" json:"userPoolAddOns" yaml:"userPoolAddOns"`
	// A friendly name for your user pool.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-userpoolname
	//
	UserPoolName *string `field:"optional" json:"userPoolName" yaml:"userPoolName"`
	// The tag keys and values to assign to the user pool.
	//
	// A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-userpooltags
	//
	UserPoolTags interface{} `field:"optional" json:"userPoolTags" yaml:"userPoolTags"`
	// The user pool [feature plan](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html), or tier. This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection. Defaults to `ESSENTIALS`.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-userpooltier
	//
	UserPoolTier *string `field:"optional" json:"userPoolTier" yaml:"userPoolTier"`
	// The template for the verification message that your user pool delivers to users who set an email address or phone number attribute.
	//
	// Set the email message type that corresponds to your `DefaultEmailOption` selection. For `CONFIRM_WITH_LINK`, specify an `EmailMessageByLink` and leave `EmailMessage` blank. For `CONFIRM_WITH_CODE`, specify an `EmailMessage` and leave `EmailMessageByLink` blank. When you supply both parameters with either choice, Amazon Cognito returns an error.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-verificationmessagetemplate
	//
	VerificationMessageTemplate interface{} `field:"optional" json:"verificationMessageTemplate" yaml:"verificationMessageTemplate"`
	// Sets or displays the authentication domain, typically your user pool domain, that passkey providers must use as a relying party (RP) in their configuration.
	//
	// Under the following conditions, the passkey relying party ID must be the fully-qualified domain name of your custom domain:
	//
	// - The user pool is configured for passkey authentication.
	// - The user pool has a custom domain, whether or not it also has a prefix domain.
	// - Your application performs authentication with managed login or the classic hosted UI.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-webauthnrelyingpartyid
	//
	WebAuthnRelyingPartyId *string `field:"optional" json:"webAuthnRelyingPartyId" yaml:"webAuthnRelyingPartyId"`
	// When `required`, users can only register and sign in with passkeys that are capable of [user verification](https://www.w3.org/TR/webauthn-2/#enum-userVerificationRequirement). When `preferred`, your user pool doesn't require the use of authenticators with user verification but encourages it.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-webauthnuserverification
	//
	WebAuthnUserVerification *string `field:"optional" json:"webAuthnUserVerification" yaml:"webAuthnUserVerification"`
}
Properties for defining a `CfnUserPool`.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var userPoolTags interface{}

cfnUserPoolProps := &CfnUserPoolProps{
	AccountRecoverySetting: &AccountRecoverySettingProperty{
		RecoveryMechanisms: []interface{}{
			&RecoveryOptionProperty{
				Name: jsii.String("name"),
				Priority: jsii.Number(123),
			},
		},
	},
	AdminCreateUserConfig: &AdminCreateUserConfigProperty{
		AllowAdminCreateUserOnly: jsii.Boolean(false),
		InviteMessageTemplate: &InviteMessageTemplateProperty{
			EmailMessage: jsii.String("emailMessage"),
			EmailSubject: jsii.String("emailSubject"),
			SmsMessage: jsii.String("smsMessage"),
		},
		UnusedAccountValidityDays: jsii.Number(123),
	},
	AliasAttributes: []*string{
		jsii.String("aliasAttributes"),
	},
	AutoVerifiedAttributes: []*string{
		jsii.String("autoVerifiedAttributes"),
	},
	DeletionProtection: jsii.String("deletionProtection"),
	DeviceConfiguration: &DeviceConfigurationProperty{
		ChallengeRequiredOnNewDevice: jsii.Boolean(false),
		DeviceOnlyRememberedOnUserPrompt: jsii.Boolean(false),
	},
	EmailAuthenticationMessage: jsii.String("emailAuthenticationMessage"),
	EmailAuthenticationSubject: jsii.String("emailAuthenticationSubject"),
	EmailConfiguration: &EmailConfigurationProperty{
		ConfigurationSet: jsii.String("configurationSet"),
		EmailSendingAccount: jsii.String("emailSendingAccount"),
		From: jsii.String("from"),
		ReplyToEmailAddress: jsii.String("replyToEmailAddress"),
		SourceArn: jsii.String("sourceArn"),
	},
	EmailVerificationMessage: jsii.String("emailVerificationMessage"),
	EmailVerificationSubject: jsii.String("emailVerificationSubject"),
	EnabledMfas: []*string{
		jsii.String("enabledMfas"),
	},
	LambdaConfig: &LambdaConfigProperty{
		CreateAuthChallenge: jsii.String("createAuthChallenge"),
		CustomEmailSender: &CustomEmailSenderProperty{
			LambdaArn: jsii.String("lambdaArn"),
			LambdaVersion: jsii.String("lambdaVersion"),
		},
		CustomMessage: jsii.String("customMessage"),
		CustomSmsSender: &CustomSMSSenderProperty{
			LambdaArn: jsii.String("lambdaArn"),
			LambdaVersion: jsii.String("lambdaVersion"),
		},
		DefineAuthChallenge: jsii.String("defineAuthChallenge"),
		KmsKeyId: jsii.String("kmsKeyId"),
		PostAuthentication: jsii.String("postAuthentication"),
		PostConfirmation: jsii.String("postConfirmation"),
		PreAuthentication: jsii.String("preAuthentication"),
		PreSignUp: jsii.String("preSignUp"),
		PreTokenGeneration: jsii.String("preTokenGeneration"),
		PreTokenGenerationConfig: &PreTokenGenerationConfigProperty{
			LambdaArn: jsii.String("lambdaArn"),
			LambdaVersion: jsii.String("lambdaVersion"),
		},
		UserMigration: jsii.String("userMigration"),
		VerifyAuthChallengeResponse: jsii.String("verifyAuthChallengeResponse"),
	},
	MfaConfiguration: jsii.String("mfaConfiguration"),
	Policies: &PoliciesProperty{
		PasswordPolicy: &PasswordPolicyProperty{
			MinimumLength: jsii.Number(123),
			PasswordHistorySize: jsii.Number(123),
			RequireLowercase: jsii.Boolean(false),
			RequireNumbers: jsii.Boolean(false),
			RequireSymbols: jsii.Boolean(false),
			RequireUppercase: jsii.Boolean(false),
			TemporaryPasswordValidityDays: jsii.Number(123),
		},
		SignInPolicy: &SignInPolicyProperty{
			AllowedFirstAuthFactors: []*string{
				jsii.String("allowedFirstAuthFactors"),
			},
		},
	},
	Schema: []interface{}{
		&SchemaAttributeProperty{
			AttributeDataType: jsii.String("attributeDataType"),
			DeveloperOnlyAttribute: jsii.Boolean(false),
			Mutable: jsii.Boolean(false),
			Name: jsii.String("name"),
			NumberAttributeConstraints: &NumberAttributeConstraintsProperty{
				MaxValue: jsii.String("maxValue"),
				MinValue: jsii.String("minValue"),
			},
			Required: jsii.Boolean(false),
			StringAttributeConstraints: &StringAttributeConstraintsProperty{
				MaxLength: jsii.String("maxLength"),
				MinLength: jsii.String("minLength"),
			},
		},
	},
	SmsAuthenticationMessage: jsii.String("smsAuthenticationMessage"),
	SmsConfiguration: &SmsConfigurationProperty{
		ExternalId: jsii.String("externalId"),
		SnsCallerArn: jsii.String("snsCallerArn"),
		SnsRegion: jsii.String("snsRegion"),
	},
	SmsVerificationMessage: jsii.String("smsVerificationMessage"),
	UserAttributeUpdateSettings: &UserAttributeUpdateSettingsProperty{
		AttributesRequireVerificationBeforeUpdate: []*string{
			jsii.String("attributesRequireVerificationBeforeUpdate"),
		},
	},
	UsernameAttributes: []*string{
		jsii.String("usernameAttributes"),
	},
	UsernameConfiguration: &UsernameConfigurationProperty{
		CaseSensitive: jsii.Boolean(false),
	},
	UserPoolAddOns: &UserPoolAddOnsProperty{
		AdvancedSecurityAdditionalFlows: &AdvancedSecurityAdditionalFlowsProperty{
			CustomAuthMode: jsii.String("customAuthMode"),
		},
		AdvancedSecurityMode: jsii.String("advancedSecurityMode"),
	},
	UserPoolName: jsii.String("userPoolName"),
	UserPoolTags: userPoolTags,
	UserPoolTier: jsii.String("userPoolTier"),
	VerificationMessageTemplate: &VerificationMessageTemplateProperty{
		DefaultEmailOption: jsii.String("defaultEmailOption"),
		EmailMessage: jsii.String("emailMessage"),
		EmailMessageByLink: jsii.String("emailMessageByLink"),
		EmailSubject: jsii.String("emailSubject"),
		EmailSubjectByLink: jsii.String("emailSubjectByLink"),
		SmsMessage: jsii.String("smsMessage"),
	},
	WebAuthnRelyingPartyId: jsii.String("webAuthnRelyingPartyId"),
	WebAuthnUserVerification: jsii.String("webAuthnUserVerification"),
}
See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html
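Several `CfnUserPoolProps` fields only work in combination (MFA factors and their sending configuration, the verification template options, threat protection and the feature plan). The following is an added example, not part of the CDK library: a pre-deployment check over the `Properties` of a synthesized `AWS::Cognito::UserPool` resource that reports violations of the constraints documented above. The function name `CheckUserPool`, the sample JSON documents and the tier value `PLUS` are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// userPoolProps holds only the AWS::Cognito::UserPool properties this check reads.
type userPoolProps struct {
	MfaConfiguration            string
	EnabledMfas                 []string
	SmsConfiguration            map[string]interface{}
	EmailConfiguration          *struct{ EmailSendingAccount string }
	UserPoolTier                string
	UserPoolAddOns              *struct{ AdvancedSecurityMode string }
	VerificationMessageTemplate *struct {
		DefaultEmailOption, EmailMessage, EmailMessageByLink string
	}
}

// Constructed sample properties (not taken from a real template).
const badProps = `{
  "MfaConfiguration": "ON",
  "EnabledMfas": ["SMS_MFA", "EMAIL_OTP", "SOFTWARE_TOKEN_MFA"],
  "EmailConfiguration": {"EmailSendingAccount": "COGNITO_DEFAULT"},
  "UserPoolAddOns": {"AdvancedSecurityMode": "ENFORCED"},
  "VerificationMessageTemplate": {"DefaultEmailOption": "CONFIRM_WITH_LINK", "EmailMessage": "Your code is {####}"}
}`

const goodProps = `{
  "MfaConfiguration": "ON",
  "EnabledMfas": ["SOFTWARE_TOKEN_MFA", "EMAIL_OTP"],
  "EmailConfiguration": {"EmailSendingAccount": "DEVELOPER"},
  "UserPoolTier": "PLUS",
  "UserPoolAddOns": {"AdvancedSecurityMode": "AUDIT"},
  "VerificationMessageTemplate": {"DefaultEmailOption": "CONFIRM_WITH_CODE", "EmailMessage": "Your code is {####}"}
}`

// CheckUserPool returns one finding per documented constraint that the
// properties violate. An empty result means none of the checked constraints fail.
func CheckUserPool(raw []byte) ([]string, error) {
	var p userPoolProps
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, fmt.Errorf("parse user pool properties: %w", err)
	}
	var findings []string

	// MfaConfiguration is ON, OFF or OPTIONAL; OFF goes together with removing EnabledMfas.
	switch p.MfaConfiguration {
	case "", "ON", "OPTIONAL":
	case "OFF":
		if len(p.EnabledMfas) > 0 {
			findings = append(findings, "MfaConfiguration is OFF but EnabledMfas is still set")
		}
	default:
		findings = append(findings, fmt.Sprintf("MfaConfiguration %q is not ON, OFF or OPTIONAL", p.MfaConfiguration))
	}

	// Each factor has its own prerequisite.
	for _, factor := range p.EnabledMfas {
		switch factor {
		case "SOFTWARE_TOKEN_MFA":
		case "SMS_MFA":
			if len(p.SmsConfiguration) == 0 {
				findings = append(findings, "SMS_MFA requires SmsConfiguration")
			}
		case "EMAIL_OTP":
			if p.EmailConfiguration == nil || p.EmailConfiguration.EmailSendingAccount != "DEVELOPER" {
				findings = append(findings, "EMAIL_OTP requires EmailConfiguration.EmailSendingAccount = DEVELOPER")
			}
		default:
			findings = append(findings, fmt.Sprintf("EnabledMfas value %q is not allowed", factor))
		}
	}

	// The message field must match DefaultEmailOption, and both fields together are an error.
	if t := p.VerificationMessageTemplate; t != nil {
		switch {
		case t.EmailMessage != "" && t.EmailMessageByLink != "":
			findings = append(findings, "VerificationMessageTemplate sets both EmailMessage and EmailMessageByLink")
		case t.DefaultEmailOption == "CONFIRM_WITH_LINK" && t.EmailMessage != "":
			findings = append(findings, "CONFIRM_WITH_LINK expects EmailMessageByLink, not EmailMessage")
		case t.DefaultEmailOption == "CONFIRM_WITH_CODE" && t.EmailMessageByLink != "":
			findings = append(findings, "CONFIRM_WITH_CODE expects EmailMessage, not EmailMessageByLink")
		}
	}

	// Threat protection needs the Plus tier; an unset tier defaults to ESSENTIALS.
	// Assumption of this example: the Plus tier is written "PLUS".
	if a := p.UserPoolAddOns; a != nil && (a.AdvancedSecurityMode == "AUDIT" || a.AdvancedSecurityMode == "ENFORCED") && p.UserPoolTier != "PLUS" {
		findings = append(findings, "UserPoolAddOns threat protection requires the Plus tier")
	}
	return findings, nil
}

func main() {
	for _, doc := range []string{badProps, goodProps} {
		findings, err := CheckUserPool([]byte(doc))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%d finding(s)\n", len(findings))
		for _, f := range findings {
			fmt.Println(" -", f)
		}
	}
}
```

Properties expressed as CloudFormation intrinsic functions instead of literal strings do not fit the struct and surface as a parse error, which is a prompt to review them by hand.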
type CfnUserPoolResourceServer
type CfnUserPoolResourceServer interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// A unique resource server identifier for the resource server.
	Identifier() *string
	SetIdentifier(val *string)
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// A friendly name for the resource server.
	Name() *string
	SetName(val *string)
	// The tree node.
	Node() constructs.Node
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// A list of scopes.
	Scopes() interface{}
	SetScopes(val interface{})
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// Deprecated.
	// Deprecated: use `updatedProperties`
	//
	// Return properties modified after initiation
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperties() *map[string]interface{}
	// The ID of the user pool where you want to create a resource server.
	UserPoolId() *string
	SetUserPoolId(val *string)
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependency(target awscdk.CfnResource)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	// Deprecated: use addDependency.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// ```typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// ```
	// would add the overrides
	// ```json
	// "Properties": {
	//   "GlobalSecondaryIndexes": [
	//     {
	//       "Projection": {
	//         "NonKeyAttributes": [ "myattribute" ]
	//         ...
	//       }
	//       ...
	//     },
	//     {
	//       "ProjectionType": "INCLUDE"
	//       ...
	//     },
	//   ]
	//   ...
	// }
	// ```
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found at the following link.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for a runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string, typeHint awscdk.ResolutionTypeHint) awscdk.Reference
	// Retrieve a value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Retrieves an array of resources this resource depends on.
	//
	// This assembles dependencies on resources across stacks (including nested stacks)
	// automatically.
	ObtainDependencies() *[]interface{}
	// Get a shallow copy of dependencies between this resource and other resources in the same stack.
	ObtainResourceDependencies() *[]awscdk.CfnResource
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	// Indicates that this resource no longer depends on another resource.
	//
	// This can be used for resources across stacks (including nested stacks)
	// and the dependency will automatically be removed from the relevant scope.
	RemoveDependency(target awscdk.CfnResource)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Replaces one dependency with another.
	ReplaceDependency(target awscdk.CfnResource, newTarget awscdk.CfnResource)
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` if the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	ValidateProperties(_properties interface{})
}
The `AWS::Cognito::UserPoolResourceServer` resource creates a new OAuth2.0 resource server and defines custom scopes in it.
> If you don't specify a value for a parameter, Amazon Cognito sets it to a default value.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolResourceServer := awscdk.Aws_cognito.NewCfnUserPoolResourceServer(this, jsii.String("MyCfnUserPoolResourceServer"), &CfnUserPoolResourceServerProps{
	Identifier: jsii.String("identifier"),
	Name: jsii.String("name"),
	UserPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	Scopes: []interface{}{
		&ResourceServerScopeTypeProperty{
			ScopeDescription: jsii.String("scopeDescription"),
			ScopeName: jsii.String("scopeName"),
		},
	},
})
func NewCfnUserPoolResourceServer
func NewCfnUserPoolResourceServer(scope constructs.Construct, id *string, props *CfnUserPoolResourceServerProps) CfnUserPoolResourceServer
type CfnUserPoolResourceServerProps
type CfnUserPoolResourceServerProps struct {
	// A unique resource server identifier for the resource server.
	//
	// The identifier can be an API friendly name like `solar-system-data`. You can also set an API URL like `https://solar-system-data-api.example.com` as your identifier.
	//
	// Amazon Cognito represents scopes in the access token in the format `$resource-server-identifier/$scope`. Longer scope-identifier strings increase the size of your access tokens.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolresourceserver.html#cfn-cognito-userpoolresourceserver-identifier
	//
	Identifier *string `field:"required" json:"identifier" yaml:"identifier"`
	// A friendly name for the resource server.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolresourceserver.html#cfn-cognito-userpoolresourceserver-name
	//
	Name *string `field:"required" json:"name" yaml:"name"`
	// The ID of the user pool where you want to create a resource server.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolresourceserver.html#cfn-cognito-userpoolresourceserver-userpoolid
	//
	UserPoolId *string `field:"required" json:"userPoolId" yaml:"userPoolId"`
	// A list of scopes.
	//
	// Each scope is a map with keys `ScopeName` and `ScopeDescription`.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolresourceserver.html#cfn-cognito-userpoolresourceserver-scopes
	//
	Scopes interface{} `field:"optional" json:"scopes" yaml:"scopes"`
}
Properties for defining a `CfnUserPoolResourceServer`.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolResourceServerProps := &CfnUserPoolResourceServerProps{
	Identifier: jsii.String("identifier"),
	Name: jsii.String("name"),
	UserPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	Scopes: []interface{}{
		&ResourceServerScopeTypeProperty{
			ScopeDescription: jsii.String("scopeDescription"),
			ScopeName: jsii.String("scopeName"),
		},
	},
}
type CfnUserPoolResourceServer_ResourceServerScopeTypeProperty ¶
type CfnUserPoolResourceServer_ResourceServerScopeTypeProperty struct { // A friendly description of a custom scope. // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolresourceserver-resourceserverscopetype.html#cfn-cognito-userpoolresourceserver-resourceserverscopetype-scopedescription // ScopeDescription *string `field:"required" json:"scopeDescription" yaml:"scopeDescription"` // The name of the scope. // // Amazon Cognito renders custom scopes in the format `resourceServerIdentifier/ScopeName` . For example, if this parameter is `exampleScope` in the resource server with the identifier `exampleResourceServer` , you request and receive the scope `exampleResourceServer/exampleScope` . // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolresourceserver-resourceserverscopetype.html#cfn-cognito-userpoolresourceserver-resourceserverscopetype-scopename // ScopeName *string `field:"required" json:"scopeName" yaml:"scopeName"` }
One custom scope associated with a user pool resource server.
This data type is a member of `ResourceServerScopeType`. For more information, see [Scopes, M2M, and API authorization with resource servers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html).
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

resourceServerScopeTypeProperty := &ResourceServerScopeTypeProperty{
	ScopeDescription: jsii.String("scopeDescription"),
	ScopeName: jsii.String("scopeName"),
}
type CfnUserPoolRiskConfigurationAttachment
type CfnUserPoolRiskConfigurationAttachment interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// The settings for automated responses and notification templates for adaptive authentication with threat protection.
	AccountTakeoverRiskConfiguration() interface{}
	SetAccountTakeoverRiskConfiguration(val interface{})
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// The app client where this configuration is applied.
	ClientId() *string
	SetClientId(val *string)
	// Settings for compromised-credentials actions and authentication types with threat protection in full-function `ENFORCED` mode.
	CompromisedCredentialsRiskConfiguration() interface{}
	SetCompromisedCredentialsRiskConfiguration(val interface{})
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// The tree node.
	Node() constructs.Node
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// Exceptions to the risk evaluation configuration, including always-allow and always-block IP address ranges.
	RiskExceptionConfiguration() interface{}
	SetRiskExceptionConfiguration(val interface{})
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// Deprecated.
	// Deprecated: use `updatedProperties`
	//
	// Return properties modified after initiation
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperties() *map[string]interface{}
	// The ID of the user pool that has the risk configuration applied.
	UserPoolId() *string
	SetUserPoolId(val *string)
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependency(target awscdk.CfnResource)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	// Deprecated: use addDependency.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// ```typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// ```
	// would add the overrides
	// ```json
	// "Properties": {
	//   "GlobalSecondaryIndexes": [
	//     {
	//       "Projection": {
	//         "NonKeyAttributes": [ "myattribute" ]
	//         ...
	//       }
	//       ...
	//     },
	//     {
	//       "ProjectionType": "INCLUDE"
	//       ...
	//     },
	//   ]
	//   ...
	// }
	// ```
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found in the following link.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for a runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string, typeHint awscdk.ResolutionTypeHint) awscdk.Reference
	// Retrieve a value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Retrieves an array of resources this resource depends on.
	//
	// This assembles dependencies on resources across stacks (including nested stacks)
	// automatically.
	ObtainDependencies() *[]interface{}
	// Get a shallow copy of dependencies between this resource and other resources in the same stack.
	ObtainResourceDependencies() *[]awscdk.CfnResource
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	// Indicates that this resource no longer depends on another resource.
	//
	// This can be used for resources across stacks (including nested stacks)
	// and the dependency will automatically be removed from the relevant scope.
	RemoveDependency(target awscdk.CfnResource)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Replaces one dependency with another.
	ReplaceDependency(target awscdk.CfnResource, newTarget awscdk.CfnResource)
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` if the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	ValidateProperties(_properties interface{})
}
The `AWS::Cognito::UserPoolRiskConfigurationAttachment` resource sets the risk configuration that is used for Amazon Cognito advanced security features.
You can specify risk configuration for a single client (with a specific `clientId`) or for all clients (by setting the `clientId` to `ALL`). If you specify `ALL`, the default configuration is used for every client that has had no risk configuration set previously. If you specify risk configuration for a particular client, it no longer falls back to the `ALL` configuration.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolRiskConfigurationAttachment := awscdk.Aws_cognito.NewCfnUserPoolRiskConfigurationAttachment(this, jsii.String("MyCfnUserPoolRiskConfigurationAttachment"), &CfnUserPoolRiskConfigurationAttachmentProps{
	ClientId: jsii.String("clientId"),
	UserPoolId: jsii.String("userPoolId"),
	// the properties below are optional
	AccountTakeoverRiskConfiguration: &AccountTakeoverRiskConfigurationTypeProperty{
		Actions: &AccountTakeoverActionsTypeProperty{
			HighAction: &AccountTakeoverActionTypeProperty{
				EventAction: jsii.String("eventAction"),
				Notify: jsii.Boolean(false),
			},
			LowAction: &AccountTakeoverActionTypeProperty{
				EventAction: jsii.String("eventAction"),
				Notify: jsii.Boolean(false),
			},
			MediumAction: &AccountTakeoverActionTypeProperty{
				EventAction: jsii.String("eventAction"),
				Notify: jsii.Boolean(false),
			},
		},
		// the properties below are optional
		NotifyConfiguration: &NotifyConfigurationTypeProperty{
			SourceArn: jsii.String("sourceArn"),
			// the properties below are optional
			BlockEmail: &NotifyEmailTypeProperty{
				Subject: jsii.String("subject"),
				// the properties below are optional
				HtmlBody: jsii.String("htmlBody"),
				TextBody: jsii.String("textBody"),
			},
			From: jsii.String("from"),
			MfaEmail: &NotifyEmailTypeProperty{
				Subject: jsii.String("subject"),
				// the properties below are optional
				HtmlBody: jsii.String("htmlBody"),
				TextBody: jsii.String("textBody"),
			},
			NoActionEmail: &NotifyEmailTypeProperty{
				Subject: jsii.String("subject"),
				// the properties below are optional
				HtmlBody: jsii.String("htmlBody"),
				TextBody: jsii.String("textBody"),
			},
			ReplyTo: jsii.String("replyTo"),
		},
	},
	CompromisedCredentialsRiskConfiguration: &CompromisedCredentialsRiskConfigurationTypeProperty{
		Actions: &CompromisedCredentialsActionsTypeProperty{
			EventAction: jsii.String("eventAction"),
		},
		// the properties below are optional
		EventFilter: []*string{
			jsii.String("eventFilter"),
		},
	},
	RiskExceptionConfiguration: &RiskExceptionConfigurationTypeProperty{
		BlockedIpRangeList: []*string{
			jsii.String("blockedIpRangeList"),
		},
		SkippedIpRangeList: []*string{
			jsii.String("skippedIpRangeList"),
		},
	},
})
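The check below is an added example, not code from the CDK project: it audits the `AWS::Cognito::UserPoolRiskConfigurationAttachment` resources in a synthesized template for the pitfalls this section describes (a client-level attachment that no longer inherits the `ALL` configuration, placeholder or permissive `EventAction` values, and an always-allow range that covers every address). The sample template, the `Audit` function and the decision to flag an unset `HighAction` are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
	"sort"
)

// Constructed sample: a hand-written template fragment, not real synth output.
const sampleTemplate = `{"Resources": {
  "DefaultRisk": {"Type": "AWS::Cognito::UserPoolRiskConfigurationAttachment", "Properties": {
    "UserPoolId": {"Ref": "Pool"}, "ClientId": "ALL",
    "AccountTakeoverRiskConfiguration": {"Actions": {
      "HighAction": {"EventAction": "BLOCK", "Notify": true},
      "MediumAction": {"EventAction": "MFA_IF_CONFIGURED", "Notify": true}}}}},
  "MobileRisk": {"Type": "AWS::Cognito::UserPoolRiskConfigurationAttachment", "Properties": {
    "UserPoolId": {"Ref": "Pool"}, "ClientId": {"Ref": "MobileClient"},
    "RiskExceptionConfiguration": {"SkippedIpRangeList": ["0.0.0.0/0"]}}},
  "BatchRisk": {"Type": "AWS::Cognito::UserPoolRiskConfigurationAttachment", "Properties": {
    "UserPoolId": {"Ref": "Pool"}, "ClientId": {"Ref": "BatchClient"},
    "AccountTakeoverRiskConfiguration": {"Actions": {
      "HighAction": {"EventAction": "NO_ACTION", "Notify": false}}}}}
}}`

const riskType = "AWS::Cognito::UserPoolRiskConfigurationAttachment"

// EventAction values the page lists for account-takeover actions.
var validActions = map[string]bool{"BLOCK": true, "MFA_IF_CONFIGURED": true, "MFA_REQUIRED": true, "NO_ACTION": true}

type action struct{ EventAction string }

// resource keeps only what the check reads; IDs stay untyped because templates carry {"Ref": ...}.
type resource struct {
	Type       string
	Properties struct {
		UserPoolId, ClientId             interface{}
		AccountTakeoverRiskConfiguration *struct {
			Actions struct{ HighAction, MediumAction, LowAction *action }
		}
		RiskExceptionConfiguration *struct{ SkippedIpRangeList []string }
	}
}

// isDefault reports whether the attachment is the pool-wide (ALL) one.
func (r resource) isDefault() bool { return r.Properties.ClientId == nil || r.Properties.ClientId == "ALL" }

// Audit returns sorted findings for every risk configuration attachment.
func Audit(tmpl []byte) ([]string, error) {
	var t struct{ Resources map[string]resource }
	if err := json.Unmarshal(tmpl, &t); err != nil {
		return nil, err
	}
	defaultATO := map[string]bool{} // pools whose ALL attachment sets takeover actions
	for _, r := range t.Resources {
		if r.Type == riskType && r.isDefault() && r.Properties.AccountTakeoverRiskConfiguration != nil {
			defaultATO[fmt.Sprint(r.Properties.UserPoolId)] = true
		}
	}
	var out []string
	for id, r := range t.Resources {
		if r.Type != riskType {
			continue
		}
		p := r.Properties
		ato := p.AccountTakeoverRiskConfiguration
		if ato == nil && !r.isDefault() && defaultATO[fmt.Sprint(p.UserPoolId)] {
			// A client-level attachment no longer falls back to the ALL configuration.
			out = append(out, id+": no AccountTakeoverRiskConfiguration, and ALL is not inherited")
		}
		if ato != nil {
			a := ato.Actions
			for _, act := range []*action{a.HighAction, a.MediumAction, a.LowAction} {
				if act != nil && !validActions[act.EventAction] {
					out = append(out, fmt.Sprintf("%s: unknown EventAction %q", id, act.EventAction))
				}
			}
			if a.HighAction == nil || a.HighAction.EventAction == "NO_ACTION" {
				out = append(out, id+": HighAction is unset or NO_ACTION")
			}
		}
		if ex := p.RiskExceptionConfiguration; ex != nil {
			for _, cidr := range ex.SkippedIpRangeList {
				if pfx, err := netip.ParsePrefix(cidr); err != nil {
					out = append(out, fmt.Sprintf("%s: skipped range %q is not a CIDR", id, cidr))
				} else if pfx.Bits() == 0 {
					out = append(out, fmt.Sprintf("%s: skipped range %q covers every address", id, cidr))
				}
			}
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	findings, err := Audit([]byte(sampleTemplate))
	fmt.Println(findings, err)
}
```

Run it against the JSON template that `cdk synth` writes to `cdk.out` and fail the pipeline when the returned slice is non-empty.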
func NewCfnUserPoolRiskConfigurationAttachment
func NewCfnUserPoolRiskConfigurationAttachment(scope constructs.Construct, id *string, props *CfnUserPoolRiskConfigurationAttachmentProps) CfnUserPoolRiskConfigurationAttachment
type CfnUserPoolRiskConfigurationAttachmentProps
type CfnUserPoolRiskConfigurationAttachmentProps struct {
	// The app client where this configuration is applied.
	//
	// When this parameter isn't present, the risk configuration applies to all user pool app clients that don't have client-level settings.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolriskconfigurationattachment.html#cfn-cognito-userpoolriskconfigurationattachment-clientid
	//
	ClientId *string `field:"required" json:"clientId" yaml:"clientId"`
	// The ID of the user pool that has the risk configuration applied.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolriskconfigurationattachment.html#cfn-cognito-userpoolriskconfigurationattachment-userpoolid
	//
	UserPoolId *string `field:"required" json:"userPoolId" yaml:"userPoolId"`
	// The settings for automated responses and notification templates for adaptive authentication with threat protection.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolriskconfigurationattachment.html#cfn-cognito-userpoolriskconfigurationattachment-accounttakeoverriskconfiguration
	//
	AccountTakeoverRiskConfiguration interface{} `field:"optional" json:"accountTakeoverRiskConfiguration" yaml:"accountTakeoverRiskConfiguration"`
	// Settings for compromised-credentials actions and authentication types with threat protection in full-function `ENFORCED` mode.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolriskconfigurationattachment.html#cfn-cognito-userpoolriskconfigurationattachment-compromisedcredentialsriskconfiguration
	//
	CompromisedCredentialsRiskConfiguration interface{} `field:"optional" json:"compromisedCredentialsRiskConfiguration" yaml:"compromisedCredentialsRiskConfiguration"`
	// Exceptions to the risk evaluation configuration, including always-allow and always-block IP address ranges.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolriskconfigurationattachment.html#cfn-cognito-userpoolriskconfigurationattachment-riskexceptionconfiguration
	//
	RiskExceptionConfiguration interface{} `field:"optional" json:"riskExceptionConfiguration" yaml:"riskExceptionConfiguration"`
}
Properties for defining a `CfnUserPoolRiskConfigurationAttachment`.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolRiskConfigurationAttachmentProps := &CfnUserPoolRiskConfigurationAttachmentProps{
	ClientId: jsii.String("clientId"),
	UserPoolId: jsii.String("userPoolId"),
	// the properties below are optional
	AccountTakeoverRiskConfiguration: &AccountTakeoverRiskConfigurationTypeProperty{
		Actions: &AccountTakeoverActionsTypeProperty{
			HighAction: &AccountTakeoverActionTypeProperty{
				EventAction: jsii.String("eventAction"),
				Notify: jsii.Boolean(false),
			},
			LowAction: &AccountTakeoverActionTypeProperty{
				EventAction: jsii.String("eventAction"),
				Notify: jsii.Boolean(false),
			},
			MediumAction: &AccountTakeoverActionTypeProperty{
				EventAction: jsii.String("eventAction"),
				Notify: jsii.Boolean(false),
			},
		},
		// the properties below are optional
		NotifyConfiguration: &NotifyConfigurationTypeProperty{
			SourceArn: jsii.String("sourceArn"),
			// the properties below are optional
			BlockEmail: &NotifyEmailTypeProperty{
				Subject: jsii.String("subject"),
				// the properties below are optional
				HtmlBody: jsii.String("htmlBody"),
				TextBody: jsii.String("textBody"),
			},
			From: jsii.String("from"),
			MfaEmail: &NotifyEmailTypeProperty{
				Subject: jsii.String("subject"),
				// the properties below are optional
				HtmlBody: jsii.String("htmlBody"),
				TextBody: jsii.String("textBody"),
			},
			NoActionEmail: &NotifyEmailTypeProperty{
				Subject: jsii.String("subject"),
				// the properties below are optional
				HtmlBody: jsii.String("htmlBody"),
				TextBody: jsii.String("textBody"),
			},
			ReplyTo: jsii.String("replyTo"),
		},
	},
	CompromisedCredentialsRiskConfiguration: &CompromisedCredentialsRiskConfigurationTypeProperty{
		Actions: &CompromisedCredentialsActionsTypeProperty{
			EventAction: jsii.String("eventAction"),
		},
		// the properties below are optional
		EventFilter: []*string{
			jsii.String("eventFilter"),
		},
	},
	RiskExceptionConfiguration: &RiskExceptionConfigurationTypeProperty{
		BlockedIpRangeList: []*string{
			jsii.String("blockedIpRangeList"),
		},
		SkippedIpRangeList: []*string{
			jsii.String("skippedIpRangeList"),
		},
	},
}
type CfnUserPoolRiskConfigurationAttachment_AccountTakeoverActionTypeProperty
type CfnUserPoolRiskConfigurationAttachment_AccountTakeoverActionTypeProperty struct {
	// The action to take for the attempted account takeover action for the associated risk level.
	//
	// Valid values are as follows:
	//
	// - `BLOCK`: Block the request.
	// - `MFA_IF_CONFIGURED`: Present an MFA challenge if possible. MFA is possible if the user pool has active MFA methods that the user can set up. For example, if the user pool only supports SMS message MFA but the user doesn't have a phone number attribute, MFA setup isn't possible. If MFA setup isn't possible, allow the request.
	// - `MFA_REQUIRED`: Present an MFA challenge if possible. Block the request if a user hasn't set up MFA. To sign in with required MFA, users must have an email address or phone number attribute, or a registered TOTP factor.
	// - `NO_ACTION`: Take no action. Permit sign-in.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoveractiontype.html#cfn-cognito-userpoolriskconfigurationattachment-accounttakeoveractiontype-eventaction
	//
	EventAction *string `field:"required" json:"eventAction" yaml:"eventAction"`
	// Determines whether Amazon Cognito sends a user a notification message when your user pool assesses a user's session at the associated risk level.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoveractiontype.html#cfn-cognito-userpoolriskconfigurationattachment-accounttakeoveractiontype-notify
	//
	Notify interface{} `field:"required" json:"notify" yaml:"notify"`
}
The automated response to a risk level for adaptive authentication in full-function, or `ENFORCED`, mode.
You can assign an action to each risk level that advanced security features evaluates.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

accountTakeoverActionTypeProperty := &AccountTakeoverActionTypeProperty{
	EventAction: jsii.String("eventAction"),
	Notify: jsii.Boolean(false),
}
type CfnUserPoolRiskConfigurationAttachment_AccountTakeoverActionsTypeProperty
type CfnUserPoolRiskConfigurationAttachment_AccountTakeoverActionsTypeProperty struct {
	// The action that you assign to a high-risk assessment by threat protection.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype.html#cfn-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype-highaction
	//
	HighAction interface{} `field:"optional" json:"highAction" yaml:"highAction"`
	// The action that you assign to a low-risk assessment by threat protection.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype.html#cfn-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype-lowaction
	//
	LowAction interface{} `field:"optional" json:"lowAction" yaml:"lowAction"`
	// The action that you assign to a medium-risk assessment by threat protection.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype.html#cfn-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype-mediumaction
	//
	MediumAction interface{} `field:"optional" json:"mediumAction" yaml:"mediumAction"`
}
A list of account-takeover actions for each level of risk that Amazon Cognito might assess with advanced security features.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

accountTakeoverActionsTypeProperty := &AccountTakeoverActionsTypeProperty{
	HighAction: &AccountTakeoverActionTypeProperty{
		EventAction: jsii.String("eventAction"),
		Notify: jsii.Boolean(false),
	},
	LowAction: &AccountTakeoverActionTypeProperty{
		EventAction: jsii.String("eventAction"),
		Notify: jsii.Boolean(false),
	},
	MediumAction: &AccountTakeoverActionTypeProperty{
		EventAction: jsii.String("eventAction"),
		Notify: jsii.Boolean(false),
	},
}
type CfnUserPoolRiskConfigurationAttachment_AccountTakeoverRiskConfigurationTypeProperty
type CfnUserPoolRiskConfigurationAttachment_AccountTakeoverRiskConfigurationTypeProperty struct {
	// A list of account-takeover actions for each level of risk that Amazon Cognito might assess with threat protection.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoverriskconfigurationtype.html#cfn-cognito-userpoolriskconfigurationattachment-accounttakeoverriskconfigurationtype-actions
	//
	Actions interface{} `field:"required" json:"actions" yaml:"actions"`
	// The settings for composing and sending an email message when threat protection assesses a risk level with adaptive authentication.
	//
	// When you choose to notify users in `AccountTakeoverRiskConfiguration`, Amazon Cognito sends an email message using the method and template that you set with this data type.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoverriskconfigurationtype.html#cfn-cognito-userpoolriskconfigurationattachment-accounttakeoverriskconfigurationtype-notifyconfiguration
	//
	NotifyConfiguration interface{} `field:"optional" json:"notifyConfiguration" yaml:"notifyConfiguration"`
}
The settings for automated responses and notification templates for adaptive authentication with advanced security features.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

accountTakeoverRiskConfigurationTypeProperty := &AccountTakeoverRiskConfigurationTypeProperty{
	Actions: &AccountTakeoverActionsTypeProperty{
		HighAction: &AccountTakeoverActionTypeProperty{
			EventAction: jsii.String("eventAction"),
			Notify: jsii.Boolean(false),
		},
		LowAction: &AccountTakeoverActionTypeProperty{
			EventAction: jsii.String("eventAction"),
			Notify: jsii.Boolean(false),
		},
		MediumAction: &AccountTakeoverActionTypeProperty{
			EventAction: jsii.String("eventAction"),
			Notify: jsii.Boolean(false),
		},
	},
	// the properties below are optional
	NotifyConfiguration: &NotifyConfigurationTypeProperty{
		SourceArn: jsii.String("sourceArn"),
		// the properties below are optional
		BlockEmail: &NotifyEmailTypeProperty{
			Subject: jsii.String("subject"),
			// the properties below are optional
			HtmlBody: jsii.String("htmlBody"),
			TextBody: jsii.String("textBody"),
		},
		From: jsii.String("from"),
		MfaEmail: &NotifyEmailTypeProperty{
			Subject: jsii.String("subject"),
			// the properties below are optional
			HtmlBody: jsii.String("htmlBody"),
			TextBody: jsii.String("textBody"),
		},
		NoActionEmail: &NotifyEmailTypeProperty{
			Subject: jsii.String("subject"),
			// the properties below are optional
			HtmlBody: jsii.String("htmlBody"),
			TextBody: jsii.String("textBody"),
		},
		ReplyTo: jsii.String("replyTo"),
	},
}
type CfnUserPoolRiskConfigurationAttachment_CompromisedCredentialsActionsTypeProperty
type CfnUserPoolRiskConfigurationAttachment_CompromisedCredentialsActionsTypeProperty struct {
	// The action that Amazon Cognito takes when it detects compromised credentials.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-compromisedcredentialsactionstype.html#cfn-cognito-userpoolriskconfigurationattachment-compromisedcredentialsactionstype-eventaction
	//
	EventAction *string `field:"required" json:"eventAction" yaml:"eventAction"`
}
Settings for user pool actions when Amazon Cognito detects compromised credentials with advanced security features in full-function `ENFORCED` mode.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

compromisedCredentialsActionsTypeProperty := &CompromisedCredentialsActionsTypeProperty{
	EventAction: jsii.String("eventAction"),
}
type CfnUserPoolRiskConfigurationAttachment_CompromisedCredentialsRiskConfigurationTypeProperty
type CfnUserPoolRiskConfigurationAttachment_CompromisedCredentialsRiskConfigurationTypeProperty struct {
	// Settings for the actions that you want your user pool to take when Amazon Cognito detects compromised credentials.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-compromisedcredentialsriskconfigurationtype.html#cfn-cognito-userpoolriskconfigurationattachment-compromisedcredentialsriskconfigurationtype-actions
	//
	Actions interface{} `field:"required" json:"actions" yaml:"actions"`
	// Settings for the sign-in activity where you want to configure compromised-credentials actions.
	//
	// Defaults to all events.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-compromisedcredentialsriskconfigurationtype.html#cfn-cognito-userpoolriskconfigurationattachment-compromisedcredentialsriskconfigurationtype-eventfilter
	//
	EventFilter *[]*string `field:"optional" json:"eventFilter" yaml:"eventFilter"`
}
Settings for compromised-credentials actions and authentication-event sources with advanced security features in full-function `ENFORCED` mode.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

compromisedCredentialsRiskConfigurationTypeProperty := &CompromisedCredentialsRiskConfigurationTypeProperty{
	Actions: &CompromisedCredentialsActionsTypeProperty{
		EventAction: jsii.String("eventAction"),
	},
	// the properties below are optional
	EventFilter: []*string{
		jsii.String("eventFilter"),
	},
}
type CfnUserPoolRiskConfigurationAttachment_NotifyConfigurationTypeProperty
type CfnUserPoolRiskConfigurationAttachment_NotifyConfigurationTypeProperty struct {
	// The Amazon Resource Name (ARN) of the identity that is associated with the sending authorization policy.
	//
	// This identity permits Amazon Cognito to send for the email address specified in the `From` parameter.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-notifyconfigurationtype.html#cfn-cognito-userpoolriskconfigurationattachment-notifyconfigurationtype-sourcearn
	//
	SourceArn *string `field:"required" json:"sourceArn" yaml:"sourceArn"`
	// The template for the email message that your user pool sends when a detected risk event is blocked.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-notifyconfigurationtype.html#cfn-cognito-userpoolriskconfigurationattachment-notifyconfigurationtype-blockemail
	//
	BlockEmail interface{} `field:"optional" json:"blockEmail" yaml:"blockEmail"`
	// The email address that sends the email message.
	//
	// The address must be either individually verified with Amazon Simple Email Service, or from a domain that has been verified with Amazon SES.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-notifyconfigurationtype.html#cfn-cognito-userpoolriskconfigurationattachment-notifyconfigurationtype-from
	//
	From *string `field:"optional" json:"from" yaml:"from"`
	// The template for the email message that your user pool sends when MFA is challenged in response to a detected risk.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-notifyconfigurationtype.html#cfn-cognito-userpoolriskconfigurationattachment-notifyconfigurationtype-mfaemail
	//
	MfaEmail interface{} `field:"optional" json:"mfaEmail" yaml:"mfaEmail"`
	// The template for the email message that your user pool sends when no action is taken in response to a detected risk.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-notifyconfigurationtype.html#cfn-cognito-userpoolriskconfigurationattachment-notifyconfigurationtype-noactionemail
	//
	NoActionEmail interface{} `field:"optional" json:"noActionEmail" yaml:"noActionEmail"`
	// The reply-to email address of an email template.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-notifyconfigurationtype.html#cfn-cognito-userpoolriskconfigurationattachment-notifyconfigurationtype-replyto
	//
	ReplyTo *string `field:"optional" json:"replyTo" yaml:"replyTo"`
}
The configuration for Amazon SES email messages that advanced security features sends to a user when your adaptive authentication automated response has a *Notify* action.
Example:
// The code below shows an example of how to instantiate this type. // The values are placeholders you should change. import "github.com/aws/aws-cdk-go/awscdk" notifyConfigurationTypeProperty := &NotifyConfigurationTypeProperty{ SourceArn: jsii.String("sourceArn"), // the properties below are optional BlockEmail: &NotifyEmailTypeProperty{ Subject: jsii.String("subject"), // the properties below are optional HtmlBody: jsii.String("htmlBody"), TextBody: jsii.String("textBody"), }, From: jsii.String("from"), MfaEmail: &NotifyEmailTypeProperty{ Subject: jsii.String("subject"), // the properties below are optional HtmlBody: jsii.String("htmlBody"), TextBody: jsii.String("textBody"), }, NoActionEmail: &NotifyEmailTypeProperty{ Subject: jsii.String("subject"), // the properties below are optional HtmlBody: jsii.String("htmlBody"), TextBody: jsii.String("textBody"), }, ReplyTo: jsii.String("replyTo"), }
type CfnUserPoolRiskConfigurationAttachment_NotifyEmailTypeProperty ¶
type CfnUserPoolRiskConfigurationAttachment_NotifyEmailTypeProperty struct {
	// The subject of the threat protection email notification.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-notifyemailtype.html#cfn-cognito-userpoolriskconfigurationattachment-notifyemailtype-subject
	//
	Subject *string `field:"required" json:"subject" yaml:"subject"`
	// The body of an email notification formatted in HTML.
	//
	// Choose an `HtmlBody` or a `TextBody` to send an HTML-formatted or plaintext message, respectively.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-notifyemailtype.html#cfn-cognito-userpoolriskconfigurationattachment-notifyemailtype-htmlbody
	//
	HtmlBody *string `field:"optional" json:"htmlBody" yaml:"htmlBody"`
	// The body of an email notification formatted in plaintext.
	//
	// Choose an `HtmlBody` or a `TextBody` to send an HTML-formatted or plaintext message, respectively.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-notifyemailtype.html#cfn-cognito-userpoolriskconfigurationattachment-notifyemailtype-textbody
	//
	TextBody *string `field:"optional" json:"textBody" yaml:"textBody"`
}
The template for email messages that advanced security features send to a user when your threat protection automated response has a *Notify* action.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

notifyEmailTypeProperty := &NotifyEmailTypeProperty{
	Subject: jsii.String("subject"),

	// the properties below are optional
	HtmlBody: jsii.String("htmlBody"),
	TextBody: jsii.String("textBody"),
}
type CfnUserPoolRiskConfigurationAttachment_RiskExceptionConfigurationTypeProperty ¶
type CfnUserPoolRiskConfigurationAttachment_RiskExceptionConfigurationTypeProperty struct {
	// An always-block IP address list.
	//
	// Overrides the risk decision and always blocks authentication requests. This parameter is displayed and set in CIDR notation.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-riskexceptionconfigurationtype.html#cfn-cognito-userpoolriskconfigurationattachment-riskexceptionconfigurationtype-blockediprangelist
	//
	BlockedIpRangeList *[]*string `field:"optional" json:"blockedIpRangeList" yaml:"blockedIpRangeList"`
	// An always-allow IP address list.
	//
	// Risk detection isn't performed on the IP addresses in this range list. This parameter is displayed and set in CIDR notation.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-riskexceptionconfigurationtype.html#cfn-cognito-userpoolriskconfigurationattachment-riskexceptionconfigurationtype-skippediprangelist
	//
	SkippedIpRangeList *[]*string `field:"optional" json:"skippedIpRangeList" yaml:"skippedIpRangeList"`
}
Exceptions to the risk evaluation configuration, including always-allow and always-block IP address ranges.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

riskExceptionConfigurationTypeProperty := &RiskExceptionConfigurationTypeProperty{
	BlockedIpRangeList: []*string{
		jsii.String("blockedIpRangeList"),
	},
	SkippedIpRangeList: []*string{
		jsii.String("skippedIpRangeList"),
	},
}
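Because every address in `SkippedIpRangeList` bypasses risk detection, it is worth checking both lists before they reach the template. The following is an added example, not part of the CDK or of this page's generated code: it uses only the Go standard library, and the function names, the sample ranges and the minimum prefix lengths are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Finding describes one problem in a risk-exception configuration.
type Finding struct {
	Kind  string // "invalid-cidr", "host-bits", "too-broad" or "overlap"
	List  string // "blocked" or "skipped"
	Entry string
	Note  string
}

// Assumed local policy, not a Cognito limit: skipped (always-allow) ranges
// wider than these prefix lengths are reported as too broad.
const (
	minSkippedBitsV4 = 16
	minSkippedBitsV6 = 32
)

// parseList parses CIDR entries and records entries that are not in CIDR
// notation or that have host bits set beyond the prefix length.
func parseList(list string, entries []string, out *[]Finding) []netip.Prefix {
	var prefixes []netip.Prefix
	for _, e := range entries {
		p, err := netip.ParsePrefix(e)
		if err != nil {
			*out = append(*out, Finding{"invalid-cidr", list, e, err.Error()})
			continue
		}
		if m := p.Masked(); m != p {
			*out = append(*out, Finding{"host-bits", list, e, "covers " + m.String()})
			p = m
		}
		prefixes = append(prefixes, p)
	}
	return prefixes
}

// AuditRiskExceptions checks the always-block and always-allow lists for
// malformed entries, overly broad allow ranges, and ranges in both lists.
func AuditRiskExceptions(blocked, skipped []string) []Finding {
	var out []Finding
	blockedP := parseList("blocked", blocked, &out)
	skippedP := parseList("skipped", skipped, &out)
	for _, s := range skippedP {
		limit := minSkippedBitsV6
		if s.Addr().Is4() {
			limit = minSkippedBitsV4
		}
		if s.Bits() < limit {
			out = append(out, Finding{"too-broad", "skipped", s.String(),
				fmt.Sprintf("/%d skips risk detection for more than a /%d", s.Bits(), limit)})
		}
		for _, b := range blockedP {
			if s.Overlaps(b) {
				out = append(out, Finding{"overlap", "skipped", s.String(),
					"also covered by blocked range " + b.String()})
			}
		}
	}
	return out
}

// Kinds joins the finding kinds in order, for compact comparison.
func Kinds(fs []Finding) string {
	kinds := make([]string, len(fs))
	for i, f := range fs {
		kinds[i] = f.Kind
	}
	return strings.Join(kinds, ",")
}

// constructedSample returns made-up lists using documentation address ranges.
func constructedSample() (blocked, skipped []string) {
	return []string{"198.51.100.0/24", "203.0.113.7"},
		[]string{"0.0.0.0/0", "192.0.2.10/24"}
}

func main() {
	for _, f := range AuditRiskExceptions(constructedSample()) {
		fmt.Printf("%-12s %-8s %-18s %s\n", f.Kind, f.List, f.Entry, f.Note)
	}
}
```

An overlap is reported rather than resolved because the page does not state which list takes precedence when a range appears in both.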
type CfnUserPoolUICustomizationAttachment ¶
type CfnUserPoolUICustomizationAttachment interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// The app client ID for your UI customization.
	ClientId() *string
	SetClientId(val *string)
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// A plaintext CSS file that contains the custom fields that you want to apply to your user pool or app client.
	Css() *string
	SetCss(val *string)
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// The tree node.
	Node() constructs.Node
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// Deprecated.
	// Deprecated: use `updatedProperties`
	//
	// Return properties modified after initiation
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperties() *map[string]interface{}
	// The ID of the user pool where you want to apply branding to the classic hosted UI.
	UserPoolId() *string
	SetUserPoolId(val *string)
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependency(target awscdk.CfnResource)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	// Deprecated: use addDependency.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// ```typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// ```
	// would add the overrides
	// ```json
	// "Properties": {
	//   "GlobalSecondaryIndexes": [
	//     {
	//       "Projection": {
	//         "NonKeyAttributes": [ "myattribute" ]
	//         ...
	//       }
	//       ...
	//     },
	//     {
	//       "ProjectionType": "INCLUDE"
	//       ...
	//     },
	//   ]
	//   ...
	// }
	// ```
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found in the following link:
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for a runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string, typeHint awscdk.ResolutionTypeHint) awscdk.Reference
	// Retrieve a value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Retrieves an array of resources this resource depends on.
	//
	// This assembles dependencies on resources across stacks (including nested stacks)
	// automatically.
	ObtainDependencies() *[]interface{}
	// Get a shallow copy of dependencies between this resource and other resources in the same stack.
	ObtainResourceDependencies() *[]awscdk.CfnResource
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	// Indicates that this resource no longer depends on another resource.
	//
	// This can be used for resources across stacks (including nested stacks)
	// and the dependency will automatically be removed from the relevant scope.
	RemoveDependency(target awscdk.CfnResource)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Replaces one dependency with another.
	ReplaceDependency(target awscdk.CfnResource, newTarget awscdk.CfnResource)
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` if the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	ValidateProperties(_properties interface{})
}
A container for the UI customization information for the hosted UI in a user pool.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolUICustomizationAttachment := awscdk.Aws_cognito.NewCfnUserPoolUICustomizationAttachment(this, jsii.String("MyCfnUserPoolUICustomizationAttachment"), &CfnUserPoolUICustomizationAttachmentProps{
	ClientId: jsii.String("clientId"),
	UserPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	Css: jsii.String("css"),
})
func NewCfnUserPoolUICustomizationAttachment ¶
func NewCfnUserPoolUICustomizationAttachment(scope constructs.Construct, id *string, props *CfnUserPoolUICustomizationAttachmentProps) CfnUserPoolUICustomizationAttachment
type CfnUserPoolUICustomizationAttachmentProps ¶
type CfnUserPoolUICustomizationAttachmentProps struct {
	// The app client ID for your UI customization.
	//
	// When this value isn't present, the customization applies to all user pool app clients that don't have client-level settings.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluicustomizationattachment.html#cfn-cognito-userpooluicustomizationattachment-clientid
	//
	ClientId *string `field:"required" json:"clientId" yaml:"clientId"`
	// The ID of the user pool where you want to apply branding to the classic hosted UI.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluicustomizationattachment.html#cfn-cognito-userpooluicustomizationattachment-userpoolid
	//
	UserPoolId *string `field:"required" json:"userPoolId" yaml:"userPoolId"`
	// A plaintext CSS file that contains the custom fields that you want to apply to your user pool or app client.
	//
	// To download a template, go to the Amazon Cognito console. Navigate to your user pool *App clients* tab, select *Login pages*, edit *Hosted UI (classic) style*, and select the link to `CSS template.css`.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluicustomizationattachment.html#cfn-cognito-userpooluicustomizationattachment-css
	//
	Css *string `field:"optional" json:"css" yaml:"css"`
}
Properties for defining a `CfnUserPoolUICustomizationAttachment`.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolUICustomizationAttachmentProps := &CfnUserPoolUICustomizationAttachmentProps{
	ClientId: jsii.String("clientId"),
	UserPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	Css: jsii.String("css"),
}
type CfnUserPoolUser ¶
type CfnUserPoolUser interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
	ClientMetadata() interface{}
	SetClientMetadata(val interface{})
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// Specify `EMAIL` if email will be used to send the welcome message.
	DesiredDeliveryMediums() *[]*string
	SetDesiredDeliveryMediums(val *[]*string)
	// This parameter is used only if the `phone_number_verified` or `email_verified` attribute is set to `True`.
	ForceAliasCreation() interface{}
	SetForceAliasCreation(val interface{})
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// Set to `RESEND` to resend the invitation message to a user that already exists, and to reset the temporary-password duration with a new temporary password.
	MessageAction() *string
	SetMessageAction(val *string)
	// The tree node.
	Node() constructs.Node
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// Deprecated.
	// Deprecated: use `updatedProperties`
	//
	// Return properties modified after initiation
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperties() *map[string]interface{}
	// An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created.
	UserAttributes() interface{}
	SetUserAttributes(val interface{})
	// The value that you want to set as the username sign-in attribute.
	Username() *string
	SetUsername(val *string)
	// The ID of the user pool where you want to create a user.
	UserPoolId() *string
	SetUserPoolId(val *string)
	// Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger.
	ValidationData() interface{}
	SetValidationData(val interface{})
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependency(target awscdk.CfnResource)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	// Deprecated: use addDependency.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// ```typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// ```
	// would add the overrides
	// ```json
	// "Properties": {
	//   "GlobalSecondaryIndexes": [
	//     {
	//       "Projection": {
	//         "NonKeyAttributes": [ "myattribute" ]
	//         ...
	//       }
	//       ...
	//     },
	//     {
	//       "ProjectionType": "INCLUDE"
	//       ...
	//     },
	//   ]
	//   ...
	// }
	// ```
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found in the following link:
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for a runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string, typeHint awscdk.ResolutionTypeHint) awscdk.Reference
	// Retrieve a value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Retrieves an array of resources this resource depends on.
	//
	// This assembles dependencies on resources across stacks (including nested stacks)
	// automatically.
	ObtainDependencies() *[]interface{}
	// Get a shallow copy of dependencies between this resource and other resources in the same stack.
	ObtainResourceDependencies() *[]awscdk.CfnResource
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	// Indicates that this resource no longer depends on another resource.
	//
	// This can be used for resources across stacks (including nested stacks)
	// and the dependency will automatically be removed from the relevant scope.
	RemoveDependency(target awscdk.CfnResource)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Replaces one dependency with another.
	ReplaceDependency(target awscdk.CfnResource, newTarget awscdk.CfnResource)
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` if the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	ValidateProperties(_properties interface{})
}
The `AWS::Cognito::UserPoolUser` resource creates an Amazon Cognito user pool user.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolUser := awscdk.Aws_cognito.NewCfnUserPoolUser(this, jsii.String("MyCfnUserPoolUser"), &CfnUserPoolUserProps{
	UserPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	ClientMetadata: map[string]*string{
		"clientMetadataKey": jsii.String("clientMetadata"),
	},
	DesiredDeliveryMediums: []*string{
		jsii.String("desiredDeliveryMediums"),
	},
	ForceAliasCreation: jsii.Boolean(false),
	MessageAction: jsii.String("messageAction"),
	UserAttributes: []interface{}{
		&AttributeTypeProperty{
			Name: jsii.String("name"),
			Value: jsii.String("value"),
		},
	},
	Username: jsii.String("username"),
	ValidationData: []interface{}{
		&AttributeTypeProperty{
			Name: jsii.String("name"),
			Value: jsii.String("value"),
		},
	},
})
See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluser.html
func NewCfnUserPoolUser ¶
func NewCfnUserPoolUser(scope constructs.Construct, id *string, props *CfnUserPoolUserProps) CfnUserPoolUser
type CfnUserPoolUserProps ¶
type CfnUserPoolUserProps struct {
	// The ID of the user pool where you want to create a user.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluser.html#cfn-cognito-userpooluser-userpoolid
	//
	UserPoolId *string `field:"required" json:"userPoolId" yaml:"userPoolId"`
	// A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
	//
	// You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the AdminCreateUser API action, Amazon Cognito invokes the function that is assigned to the *pre sign-up* trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a `ClientMetadata` attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminCreateUser request. In your function code in AWS Lambda, you can process the `clientMetadata` value to enhance your workflow for your specific needs.
	//
	// For more information, see [Using Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html) in the *Amazon Cognito Developer Guide*.
	//
	// > When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following:
	// >
	// > - Store the `ClientMetadata` value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the `ClientMetadata` parameter serves no purpose.
	// > - Validate the `ClientMetadata` value.
	// > - Encrypt the `ClientMetadata` value. Don't send sensitive information in this parameter.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluser.html#cfn-cognito-userpooluser-clientmetadata
	//
	ClientMetadata interface{} `field:"optional" json:"clientMetadata" yaml:"clientMetadata"`
	// Specify `EMAIL` if email will be used to send the welcome message.
	//
	// Specify `SMS` if the phone number will be used. The default value is `SMS`. You can specify more than one value.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluser.html#cfn-cognito-userpooluser-desireddeliverymediums
	//
	DesiredDeliveryMediums *[]*string `field:"optional" json:"desiredDeliveryMediums" yaml:"desiredDeliveryMediums"`
	// This parameter is used only if the `phone_number_verified` or `email_verified` attribute is set to `True`.
	//
	// Otherwise, it is ignored.
	//
	// If this parameter is set to `True` and the phone number or email address specified in the `UserAttributes` parameter already exists as an alias with a different user, this request migrates the alias from the previous user to the newly-created user. The previous user will no longer be able to log in using that alias.
	//
	// If this parameter is set to `False`, the API throws an `AliasExistsException` error if the alias already exists. The default value is `False`.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluser.html#cfn-cognito-userpooluser-forcealiascreation
	//
	ForceAliasCreation interface{} `field:"optional" json:"forceAliasCreation" yaml:"forceAliasCreation"`
	// Set to `RESEND` to resend the invitation message to a user that already exists, and to reset the temporary-password duration with a new temporary password.
	//
	// Set to `SUPPRESS` to suppress sending the message. You can specify only one value.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluser.html#cfn-cognito-userpooluser-messageaction
	//
	MessageAction *string `field:"optional" json:"messageAction" yaml:"messageAction"`
	// An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created.
	//
	// You can create a user without specifying any attributes other than `Username`. However, any attributes that you specify as required (when creating a user pool or in the *Attributes* tab of the console) either you should supply (in your call to `AdminCreateUser`) or the user should supply (when they sign up in response to your welcome message).
	//
	// For custom attributes, you must prepend the `custom:` prefix to the attribute name.
	//
	// To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools.
	//
	// You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you don't submit a `TemporaryPassword`.
	//
	// In your call to `AdminCreateUser`, you can set the `email_verified` attribute to `True`, and you can set the `phone_number_verified` attribute to `True`.
	//
	// - *email*: The email address of the user to whom the message that contains the code and username will be sent. Required if the `email_verified` attribute is set to `True`, or if `"EMAIL"` is specified in the `DesiredDeliveryMediums` parameter.
	// - *phone_number*: The phone number of the user to whom the message that contains the code and username will be sent. Required if the `phone_number_verified` attribute is set to `True`, or if `"SMS"` is specified in the `DesiredDeliveryMediums` parameter.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluser.html#cfn-cognito-userpooluser-userattributes
	//
	UserAttributes interface{} `field:"optional" json:"userAttributes" yaml:"userAttributes"`
	// The value that you want to set as the username sign-in attribute.
	//
	// The following conditions apply to the username parameter.
	//
	// - The username can't be a duplicate of another username in the same user pool.
	// - You can't change the value of a username after you create it.
	// - You can only provide a value if usernames are a valid sign-in attribute for your user pool. If your user pool only supports phone numbers or email addresses as sign-in attributes, Amazon Cognito automatically generates a username value. For more information, see [Customizing sign-in attributes](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases).
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluser.html#cfn-cognito-userpooluser-username
	//
	Username *string `field:"optional" json:"username" yaml:"username"`
	// Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger.
	//
	// This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain.
	//
	// Your Lambda function can analyze this additional data and act on it. Your function can automatically confirm and verify select users or perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs.
	//
	// For more information about the pre sign-up Lambda trigger, see [Pre sign-up Lambda trigger](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html).
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluser.html#cfn-cognito-userpooluser-validationdata
	//
	ValidationData interface{} `field:"optional" json:"validationData" yaml:"validationData"`
}
Properties for defining a `CfnUserPoolUser`.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolUserProps := &CfnUserPoolUserProps{
	UserPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	ClientMetadata: map[string]*string{
		"clientMetadataKey": jsii.String("clientMetadata"),
	},
	DesiredDeliveryMediums: []*string{
		jsii.String("desiredDeliveryMediums"),
	},
	ForceAliasCreation: jsii.Boolean(false),
	MessageAction: jsii.String("messageAction"),
	UserAttributes: []interface{}{
		&AttributeTypeProperty{
			Name: jsii.String("name"),
			Value: jsii.String("value"),
		},
	},
	Username: jsii.String("username"),
	ValidationData: []interface{}{
		&AttributeTypeProperty{
			Name: jsii.String("name"),
			Value: jsii.String("value"),
		},
	},
}
See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluser.html
type CfnUserPoolUserToGroupAttachment ¶
type CfnUserPoolUserToGroupAttachment interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// The name of the group that you want to add your user to.
	GroupName() *string
	SetGroupName(val *string)
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// The tree node.
	Node() constructs.Node
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// Deprecated.
	// Deprecated: use `updatedProperties`
	//
	// Return properties modified after initiation
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperties() *map[string]interface{}
	// The user's username.
	Username() *string
	SetUsername(val *string)
	// The ID of the user pool that contains the group that you want to add the user to.
	UserPoolId() *string
	SetUserPoolId(val *string)
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependency(target awscdk.CfnResource)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	// Deprecated: use addDependency.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// ```typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// ```
	// would add the overrides
	// ```json
	// "Properties": {
	//   "GlobalSecondaryIndexes": [
	//     {
	//       "Projection": {
	//         "NonKeyAttributes": [ "myattribute" ]
	//         ...
	//       }
	//       ...
	//     },
	//     {
	//       "ProjectionType": "INCLUDE"
	//       ...
	//     },
	//   ]
	//   ...
	// }
	// ```
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found at the following link.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for a runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string, typeHint awscdk.ResolutionTypeHint) awscdk.Reference
	// Retrieve a value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Retrieves an array of resources this resource depends on.
	//
	// This assembles dependencies on resources across stacks (including nested stacks)
	// automatically.
	ObtainDependencies() *[]interface{}
	// Get a shallow copy of dependencies between this resource and other resources in the same stack.
	ObtainResourceDependencies() *[]awscdk.CfnResource
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	// Indicates that this resource no longer depends on another resource.
	//
	// This can be used for resources across stacks (including nested stacks)
	// and the dependency will automatically be removed from the relevant scope.
	RemoveDependency(target awscdk.CfnResource)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Replaces one dependency with another.
	ReplaceDependency(target awscdk.CfnResource, newTarget awscdk.CfnResource)
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` if the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	ValidateProperties(_properties interface{})
}
Adds a user to a group.
A user who is in a group can present a preferred-role claim to an identity pool, and their group membership populates a `cognito:groups` claim in their access and identity tokens.
> Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
>
> **Learn more**
>
> - [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html)
> - [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html)
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolUserToGroupAttachment := awscdk.Aws_cognito.NewCfnUserPoolUserToGroupAttachment(this, jsii.String("MyCfnUserPoolUserToGroupAttachment"), &CfnUserPoolUserToGroupAttachmentProps{
	GroupName: jsii.String("groupName"),
	Username: jsii.String("username"),
	UserPoolId: jsii.String("userPoolId"),
})
func NewCfnUserPoolUserToGroupAttachment ¶
func NewCfnUserPoolUserToGroupAttachment(scope constructs.Construct, id *string, props *CfnUserPoolUserToGroupAttachmentProps) CfnUserPoolUserToGroupAttachment
type CfnUserPoolUserToGroupAttachmentProps ¶
type CfnUserPoolUserToGroupAttachmentProps struct {
	// The name of the group that you want to add your user to.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolusertogroupattachment.html#cfn-cognito-userpoolusertogroupattachment-groupname
	//
	GroupName *string `field:"required" json:"groupName" yaml:"groupName"`
	// The user's username.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolusertogroupattachment.html#cfn-cognito-userpoolusertogroupattachment-username
	//
	Username *string `field:"required" json:"username" yaml:"username"`
	// The ID of the user pool that contains the group that you want to add the user to.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolusertogroupattachment.html#cfn-cognito-userpoolusertogroupattachment-userpoolid
	//
	UserPoolId *string `field:"required" json:"userPoolId" yaml:"userPoolId"`
}
Properties for defining a `CfnUserPoolUserToGroupAttachment`.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolUserToGroupAttachmentProps := &CfnUserPoolUserToGroupAttachmentProps{
	GroupName: jsii.String("groupName"),
	Username: jsii.String("username"),
	UserPoolId: jsii.String("userPoolId"),
}
type CfnUserPoolUser_AttributeTypeProperty ¶
type CfnUserPoolUser_AttributeTypeProperty struct {
	// The name of the attribute.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpooluser-attributetype.html#cfn-cognito-userpooluser-attributetype-name
	//
	Name *string `field:"optional" json:"name" yaml:"name"`
	// The value of the attribute.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpooluser-attributetype.html#cfn-cognito-userpooluser-attributetype-value
	//
	Value *string `field:"optional" json:"value" yaml:"value"`
}
The name and value of a user attribute.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

attributeTypeProperty := &AttributeTypeProperty{
	Name: jsii.String("name"),
	Value: jsii.String("value"),
}
type CfnUserPool_AccountRecoverySettingProperty ¶
type CfnUserPool_AccountRecoverySettingProperty struct {
	// The list of options and priorities for user message delivery in forgot-password operations.
	//
	// Sets or displays user pool preferences for email or SMS message priority, whether users should fall back to a second delivery method, and whether passwords should only be reset by administrators.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-accountrecoverysetting.html#cfn-cognito-userpool-accountrecoverysetting-recoverymechanisms
	//
	RecoveryMechanisms interface{} `field:"optional" json:"recoveryMechanisms" yaml:"recoveryMechanisms"`
}
The available verified method a user can use to recover their password when they call `ForgotPassword`.
You can use this setting to define a preferred method when a user has more than one method available. With this setting, SMS doesn't qualify as a valid password recovery mechanism if the user also has SMS multi-factor authentication (MFA) activated. In the absence of this setting, Amazon Cognito uses the legacy behavior to determine the recovery method, where SMS is preferred over email.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

accountRecoverySettingProperty := &AccountRecoverySettingProperty{
	RecoveryMechanisms: []interface{}{
		&RecoveryOptionProperty{
			Name: jsii.String("name"),
			Priority: jsii.Number(123),
		},
	},
}
type CfnUserPool_AdminCreateUserConfigProperty ¶
type CfnUserPool_AdminCreateUserConfigProperty struct {
	// The setting for allowing self-service sign-up.
	//
	// When `true`, only administrators can create new user profiles. When `false`, users can register themselves and create a new user profile with the `SignUp` operation.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-admincreateuserconfig.html#cfn-cognito-userpool-admincreateuserconfig-allowadmincreateuseronly
	//
	AllowAdminCreateUserOnly interface{} `field:"optional" json:"allowAdminCreateUserOnly" yaml:"allowAdminCreateUserOnly"`
	// The template for the welcome message to new users.
	//
	// This template must include the `{####}` temporary password placeholder if you are creating users with passwords. If your users don't have passwords, you can omit the placeholder.
	//
	// See also [Customizing User Invitation Messages](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization).
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-admincreateuserconfig.html#cfn-cognito-userpool-admincreateuserconfig-invitemessagetemplate
	//
	InviteMessageTemplate interface{} `field:"optional" json:"inviteMessageTemplate" yaml:"inviteMessageTemplate"`
	// This parameter is no longer in use.
	//
	// The password expiration limit in days for administrator-created users. When this time expires, the user can't sign in with their temporary password. To reset the account after that time limit, you must call `AdminCreateUser` again, specifying `RESEND` for the `MessageAction` parameter.
	//
	// The default value for this parameter is 7.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-admincreateuserconfig.html#cfn-cognito-userpool-admincreateuserconfig-unusedaccountvaliditydays
	//
	UnusedAccountValidityDays *float64 `field:"optional" json:"unusedAccountValidityDays" yaml:"unusedAccountValidityDays"`
}
The settings for administrator creation of users in a user pool.
Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

adminCreateUserConfigProperty := &AdminCreateUserConfigProperty{
	AllowAdminCreateUserOnly: jsii.Boolean(false),
	InviteMessageTemplate: &InviteMessageTemplateProperty{
		EmailMessage: jsii.String("emailMessage"),
		EmailSubject: jsii.String("emailSubject"),
		SmsMessage: jsii.String("smsMessage"),
	},
	UnusedAccountValidityDays: jsii.Number(123),
}
type CfnUserPool_AdvancedSecurityAdditionalFlowsProperty ¶ added in v2.154.0
type CfnUserPool_AdvancedSecurityAdditionalFlowsProperty struct {
	// The operating mode of threat protection in custom authentication with [Custom authentication challenge Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html).
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-advancedsecurityadditionalflows.html#cfn-cognito-userpool-advancedsecurityadditionalflows-customauthmode
	//
	CustomAuthMode *string `field:"optional" json:"customAuthMode" yaml:"customAuthMode"`
}
Threat protection configuration options for additional authentication types in your user pool, including custom authentication.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

advancedSecurityAdditionalFlowsProperty := &AdvancedSecurityAdditionalFlowsProperty{
	CustomAuthMode: jsii.String("customAuthMode"),
}
type CfnUserPool_CustomEmailSenderProperty ¶
type CfnUserPool_CustomEmailSenderProperty struct {
	// The Amazon Resource Name (ARN) of the function that you want to assign to your Lambda trigger.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-customemailsender.html#cfn-cognito-userpool-customemailsender-lambdaarn
	//
	LambdaArn *string `field:"optional" json:"lambdaArn" yaml:"lambdaArn"`
	// The user pool trigger version of the request that Amazon Cognito sends to your Lambda function.
	//
	// Higher-numbered versions add fields that support new features.
	//
	// You must use a `LambdaVersion` of `V1_0` with a custom sender function.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-customemailsender.html#cfn-cognito-userpool-customemailsender-lambdaversion
	//
	LambdaVersion *string `field:"optional" json:"lambdaVersion" yaml:"lambdaVersion"`
}
The configuration of a custom email sender Lambda trigger.
This trigger routes all email notifications from a user pool to a Lambda function that delivers the message using custom logic.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

customEmailSenderProperty := &CustomEmailSenderProperty{
	LambdaArn: jsii.String("lambdaArn"),
	LambdaVersion: jsii.String("lambdaVersion"),
}
type CfnUserPool_CustomSMSSenderProperty ¶
type CfnUserPool_CustomSMSSenderProperty struct {
	// The Amazon Resource Name (ARN) of the function that you want to assign to your Lambda trigger.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-customsmssender.html#cfn-cognito-userpool-customsmssender-lambdaarn
	//
	LambdaArn *string `field:"optional" json:"lambdaArn" yaml:"lambdaArn"`
	// The user pool trigger version of the request that Amazon Cognito sends to your Lambda function.
	//
	// Higher-numbered versions add fields that support new features.
	//
	// You must use a `LambdaVersion` of `V1_0` with a custom sender function.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-customsmssender.html#cfn-cognito-userpool-customsmssender-lambdaversion
	//
	LambdaVersion *string `field:"optional" json:"lambdaVersion" yaml:"lambdaVersion"`
}
The configuration of a custom SMS sender Lambda trigger.
This trigger routes all SMS notifications from a user pool to a Lambda function that delivers the message using custom logic.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

customSMSSenderProperty := &CustomSMSSenderProperty{
	LambdaArn: jsii.String("lambdaArn"),
	LambdaVersion: jsii.String("lambdaVersion"),
}
type CfnUserPool_DeviceConfigurationProperty ¶
type CfnUserPool_DeviceConfigurationProperty struct {
	// When true, a remembered device can sign in with device authentication instead of SMS and time-based one-time password (TOTP) factors for multi-factor authentication (MFA).
	//
	// > Whether or not `ChallengeRequiredOnNewDevice` is true, users who sign in with devices that have not been confirmed or remembered must still provide a second factor in a user pool that requires MFA.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-deviceconfiguration.html#cfn-cognito-userpool-deviceconfiguration-challengerequiredonnewdevice
	//
	ChallengeRequiredOnNewDevice interface{} `field:"optional" json:"challengeRequiredOnNewDevice" yaml:"challengeRequiredOnNewDevice"`
	// When true, Amazon Cognito doesn't automatically remember a user's device when your app sends a `ConfirmDevice` API request.
	//
	// In your app, create a prompt for your user to choose whether they want to remember their device. Return the user's choice in an `UpdateDeviceStatus` API request.
	//
	// When `DeviceOnlyRememberedOnUserPrompt` is `false`, Amazon Cognito immediately remembers devices that you register in a `ConfirmDevice` API request.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-deviceconfiguration.html#cfn-cognito-userpool-deviceconfiguration-deviceonlyrememberedonuserprompt
	//
	DeviceOnlyRememberedOnUserPrompt interface{} `field:"optional" json:"deviceOnlyRememberedOnUserPrompt" yaml:"deviceOnlyRememberedOnUserPrompt"`
}
The device-remembering configuration for a user pool.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

deviceConfigurationProperty := &DeviceConfigurationProperty{
	ChallengeRequiredOnNewDevice: jsii.Boolean(false),
	DeviceOnlyRememberedOnUserPrompt: jsii.Boolean(false),
}
type CfnUserPool_EmailConfigurationProperty ¶
type CfnUserPool_EmailConfigurationProperty struct {
	// The set of configuration rules that can be applied to emails sent using Amazon Simple Email Service.
	//
	// A configuration set is applied to an email by including a reference to the configuration set in the headers of the email. Once applied, all of the rules in that configuration set are applied to the email. Configuration sets can be used to apply the following types of rules to emails:
	//
	// - **Event publishing** - Amazon Simple Email Service can track the number of send, delivery, open, click, bounce, and complaint events for each email sent. Use event publishing to send information about these events to other AWS services such as and Amazon CloudWatch
	// - **IP pool management** - When leasing dedicated IP addresses with Amazon Simple Email Service, you can create groups of IP addresses, called dedicated IP pools. You can then associate the dedicated IP pools with configuration sets.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-emailconfiguration.html#cfn-cognito-userpool-emailconfiguration-configurationset
	//
	ConfigurationSet *string `field:"optional" json:"configurationSet" yaml:"configurationSet"`
	// Specifies whether Amazon Cognito uses its built-in functionality to send your users email messages, or uses your Amazon Simple Email Service email configuration.
	//
	// Specify one of the following values:
	//
	// - **COGNITO_DEFAULT** - When Amazon Cognito emails your users, it uses its built-in email functionality. When you use the default option, Amazon Cognito allows only a limited number of emails each day for your user pool. For typical production environments, the default email limit is less than the required delivery volume. To achieve a higher delivery volume, specify DEVELOPER to use your Amazon SES email configuration.
	//
	// To look up the email delivery limit for the default option, see [Limits](https://docs.aws.amazon.com/cognito/latest/developerguide/limits.html) in the *Amazon Cognito Developer Guide*.
	//
	// The default FROM address is `no-reply@verificationemail.com`. To customize the FROM address, provide the Amazon Resource Name (ARN) of an Amazon SES verified email address for the `SourceArn` parameter.
	// - **DEVELOPER** - When Amazon Cognito emails your users, it uses your Amazon SES configuration. Amazon Cognito calls Amazon SES on your behalf to send email from your verified email address. When you use this option, the email delivery limits are the same limits that apply to your Amazon SES verified email address in your AWS account.
	//
	// If you use this option, provide the ARN of an Amazon SES verified email address for the `SourceArn` parameter.
	//
	// Before Amazon Cognito can email your users, it requires additional permissions to call Amazon SES on your behalf. When you update your user pool with this option, Amazon Cognito creates a *service-linked role*, which is a type of role in your AWS account. This role contains the permissions that allow you to access Amazon SES and send email messages from your email address. For more information about the service-linked role that Amazon Cognito creates, see [Using Service-Linked Roles for Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/using-service-linked-roles.html) in the *Amazon Cognito Developer Guide*.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-emailconfiguration.html#cfn-cognito-userpool-emailconfiguration-emailsendingaccount
	//
	EmailSendingAccount *string `field:"optional" json:"emailSendingAccount" yaml:"emailSendingAccount"`
	// Either the sender’s email address or the sender’s name with their email address.
	//
	// For example, `testuser@example.com` or `Test User <testuser@example.com>`. This address appears before the body of the email.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-emailconfiguration.html#cfn-cognito-userpool-emailconfiguration-from
	//
	From *string `field:"optional" json:"from" yaml:"from"`
	// The destination to which the receiver of the email should reply.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-emailconfiguration.html#cfn-cognito-userpool-emailconfiguration-replytoemailaddress
	//
	ReplyToEmailAddress *string `field:"optional" json:"replyToEmailAddress" yaml:"replyToEmailAddress"`
	// The ARN of a verified email address or an address from a verified domain in Amazon SES.
	//
	// You can set a `SourceArn` email from a verified domain only with an API request. You can set a verified email address, but not an address in a verified domain, in the Amazon Cognito console. Amazon Cognito uses the email address that you provide in one of the following ways, depending on the value that you specify for the `EmailSendingAccount` parameter:
	//
	// - If you specify `COGNITO_DEFAULT`, Amazon Cognito uses this address as the custom FROM address when it emails your users using its built-in email account.
	// - If you specify `DEVELOPER`, Amazon Cognito emails your users with this address by calling Amazon SES on your behalf.
	//
	// The Region value of the `SourceArn` parameter must indicate a supported AWS Region of your user pool. Typically, the Region in the `SourceArn` and the user pool Region are the same. For more information, see [Amazon SES email configuration regions](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html#user-pool-email-developer-region-mapping) in the [Amazon Cognito Developer Guide](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html).
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-emailconfiguration.html#cfn-cognito-userpool-emailconfiguration-sourcearn
	//
	SourceArn *string `field:"optional" json:"sourceArn" yaml:"sourceArn"`
}
The email configuration of your user pool.
The email configuration type sets your preferred sending method, AWS Region, and sender for messages from your user pool.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

emailConfigurationProperty := &EmailConfigurationProperty{
	ConfigurationSet: jsii.String("configurationSet"),
	EmailSendingAccount: jsii.String("emailSendingAccount"),
	From: jsii.String("from"),
	ReplyToEmailAddress: jsii.String("replyToEmailAddress"),
	SourceArn: jsii.String("sourceArn"),
}
type CfnUserPool_InviteMessageTemplateProperty ¶
type CfnUserPool_InviteMessageTemplateProperty struct {
	// The message template for email messages.
	//
	// EmailMessage is allowed only if [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is DEVELOPER.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-invitemessagetemplate.html#cfn-cognito-userpool-invitemessagetemplate-emailmessage
	//
	EmailMessage *string `field:"optional" json:"emailMessage" yaml:"emailMessage"`
	// The subject line for email messages.
	//
	// EmailSubject is allowed only if [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is DEVELOPER.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-invitemessagetemplate.html#cfn-cognito-userpool-invitemessagetemplate-emailsubject
	//
	EmailSubject *string `field:"optional" json:"emailSubject" yaml:"emailSubject"`
	// The message template for SMS messages.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-invitemessagetemplate.html#cfn-cognito-userpool-invitemessagetemplate-smsmessage
	//
	SmsMessage *string `field:"optional" json:"smsMessage" yaml:"smsMessage"`
}
The template for the welcome message to new users.
This template must include the `{####}` temporary password placeholder if you are creating users with passwords. If your users don't have passwords, you can omit the placeholder.
See also [Customizing User Invitation Messages](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization).
Example:
// The code below shows an example of how to instantiate this type. // The values are placeholders you should change. import "github.com/aws/aws-cdk-go/awscdk" inviteMessageTemplateProperty := &InviteMessageTemplateProperty{ EmailMessage: jsii.String("emailMessage"), EmailSubject: jsii.String("emailSubject"), SmsMessage: jsii.String("smsMessage"), }
type CfnUserPool_LambdaConfigProperty
type CfnUserPool_LambdaConfigProperty struct {
    // The configuration of a create auth challenge Lambda trigger, one of three triggers in the sequence of the [custom authentication challenge triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html).
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-createauthchallenge
    //
    CreateAuthChallenge *string `field:"optional" json:"createAuthChallenge" yaml:"createAuthChallenge"`
    // The configuration of a custom email sender Lambda trigger.
    //
    // This trigger routes all email notifications from a user pool to a Lambda function that delivers the message using custom logic.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-customemailsender
    //
    CustomEmailSender interface{} `field:"optional" json:"customEmailSender" yaml:"customEmailSender"`
    // A custom message Lambda trigger.
    //
    // This trigger is an opportunity to customize all SMS and email messages from your user pool. When a custom message trigger is active, your user pool routes all messages to a Lambda function that returns a runtime-customized message subject and body for your user pool to deliver to a user.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-custommessage
    //
    CustomMessage *string `field:"optional" json:"customMessage" yaml:"customMessage"`
    // The configuration of a custom SMS sender Lambda trigger.
    //
    // This trigger routes all SMS notifications from a user pool to a Lambda function that delivers the message using custom logic.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-customsmssender
    //
    CustomSmsSender interface{} `field:"optional" json:"customSmsSender" yaml:"customSmsSender"`
    // The configuration of a define auth challenge Lambda trigger, one of three triggers in the sequence of the [custom authentication challenge triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html).
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-defineauthchallenge
    //
    DefineAuthChallenge *string `field:"optional" json:"defineAuthChallenge" yaml:"defineAuthChallenge"`
    // The ARN of a [KMS key](https://docs.aws.amazon.com//kms/latest/developerguide/concepts.html#master_keys). Amazon Cognito uses the key to encrypt codes and temporary passwords sent to custom sender Lambda triggers.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-kmskeyid
    //
    KmsKeyId *string `field:"optional" json:"kmsKeyId" yaml:"kmsKeyId"`
    // The configuration of a [post authentication Lambda trigger](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-authentication.html) in a user pool. This trigger can take custom actions after a user signs in.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-postauthentication
    //
    PostAuthentication *string `field:"optional" json:"postAuthentication" yaml:"postAuthentication"`
    // The configuration of a [post confirmation Lambda trigger](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-confirmation.html) in a user pool. This trigger can take custom actions after a user confirms their user account and their email address or phone number.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-postconfirmation
    //
    PostConfirmation *string `field:"optional" json:"postConfirmation" yaml:"postConfirmation"`
    // The configuration of a [pre authentication trigger](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-authentication.html) in a user pool. This trigger can evaluate and modify user sign-in events.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-preauthentication
    //
    PreAuthentication *string `field:"optional" json:"preAuthentication" yaml:"preAuthentication"`
    // The configuration of a [pre sign-up Lambda trigger](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html) in a user pool. This trigger evaluates new users and can bypass confirmation, [link a federated user profile](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation-consolidate-users.html), or block sign-up requests.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-presignup
    //
    PreSignUp *string `field:"optional" json:"preSignUp" yaml:"preSignUp"`
    // The legacy configuration of a [pre token generation Lambda trigger](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html) in a user pool.
    //
    // Set this parameter for legacy purposes. If you also set an ARN in `PreTokenGenerationConfig`, its value must be identical to `PreTokenGeneration`. For new instances of pre token generation triggers, set the `LambdaArn` of `PreTokenGenerationConfig`.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-pretokengeneration
    //
    PreTokenGeneration *string `field:"optional" json:"preTokenGeneration" yaml:"preTokenGeneration"`
    // The detailed configuration of a [pre token generation Lambda trigger](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html) in a user pool. If you also set an ARN in `PreTokenGeneration`, its value must be identical to `PreTokenGenerationConfig`.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-pretokengenerationconfig
    //
    PreTokenGenerationConfig interface{} `field:"optional" json:"preTokenGenerationConfig" yaml:"preTokenGenerationConfig"`
    // The configuration of a [migrate user Lambda trigger](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-migrate-user.html) in a user pool. This trigger can create user profiles when users sign in or attempt to reset their password with credentials that don't exist yet.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-usermigration
    //
    UserMigration *string `field:"optional" json:"userMigration" yaml:"userMigration"`
    // The configuration of a verify auth challenge Lambda trigger, one of three triggers in the sequence of the [custom authentication challenge triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html).
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-verifyauthchallengeresponse
    //
    VerifyAuthChallengeResponse *string `field:"optional" json:"verifyAuthChallengeResponse" yaml:"verifyAuthChallengeResponse"`
}
A collection of user pool Lambda triggers.
Amazon Cognito invokes triggers at several possible stages of user pool operations. Triggers can modify the outcome of the operations that invoked them.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
    "github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
    "github.com/aws/jsii-runtime-go"
)

lambdaConfigProperty := &awscognito.CfnUserPool_LambdaConfigProperty{
    CreateAuthChallenge: jsii.String("createAuthChallenge"),
    CustomEmailSender: &awscognito.CfnUserPool_CustomEmailSenderProperty{
        LambdaArn: jsii.String("lambdaArn"),
        LambdaVersion: jsii.String("lambdaVersion"),
    },
    CustomMessage: jsii.String("customMessage"),
    CustomSmsSender: &awscognito.CfnUserPool_CustomSMSSenderProperty{
        LambdaArn: jsii.String("lambdaArn"),
        LambdaVersion: jsii.String("lambdaVersion"),
    },
    DefineAuthChallenge: jsii.String("defineAuthChallenge"),
    KmsKeyId: jsii.String("kmsKeyId"),
    PostAuthentication: jsii.String("postAuthentication"),
    PostConfirmation: jsii.String("postConfirmation"),
    PreAuthentication: jsii.String("preAuthentication"),
    PreSignUp: jsii.String("preSignUp"),
    PreTokenGeneration: jsii.String("preTokenGeneration"),
    PreTokenGenerationConfig: &awscognito.CfnUserPool_PreTokenGenerationConfigProperty{
        LambdaArn: jsii.String("lambdaArn"),
        LambdaVersion: jsii.String("lambdaVersion"),
    },
    UserMigration: jsii.String("userMigration"),
    VerifyAuthChallengeResponse: jsii.String("verifyAuthChallengeResponse"),
}
type CfnUserPool_NumberAttributeConstraintsProperty
type CfnUserPool_NumberAttributeConstraintsProperty struct {
    // The maximum length of a number attribute value.
    //
    // Must be a number less than or equal to `2^1023`, represented as a string with a length of 131072 characters or fewer.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-numberattributeconstraints.html#cfn-cognito-userpool-numberattributeconstraints-maxvalue
    //
    MaxValue *string `field:"optional" json:"maxValue" yaml:"maxValue"`
    // The minimum value of an attribute that is of the number data type.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-numberattributeconstraints.html#cfn-cognito-userpool-numberattributeconstraints-minvalue
    //
    MinValue *string `field:"optional" json:"minValue" yaml:"minValue"`
}
The minimum and maximum values of an attribute that is of the number type, for example `custom:age`.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
    "github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
    "github.com/aws/jsii-runtime-go"
)

numberAttributeConstraintsProperty := &awscognito.CfnUserPool_NumberAttributeConstraintsProperty{
    MaxValue: jsii.String("maxValue"),
    MinValue: jsii.String("minValue"),
}
type CfnUserPool_PasswordPolicyProperty
type CfnUserPool_PasswordPolicyProperty struct {
    // The minimum length of the password in the policy that you have set.
    //
    // This value can't be less than 6.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-passwordpolicy.html#cfn-cognito-userpool-passwordpolicy-minimumlength
    //
    MinimumLength *float64 `field:"optional" json:"minimumLength" yaml:"minimumLength"`
    // The number of previous passwords that you want Amazon Cognito to restrict each user from reusing.
    //
    // Users can't set a password that matches any of `n` previous passwords, where `n` is the value of `PasswordHistorySize`.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-passwordpolicy.html#cfn-cognito-userpool-passwordpolicy-passwordhistorysize
    //
    PasswordHistorySize *float64 `field:"optional" json:"passwordHistorySize" yaml:"passwordHistorySize"`
    // The requirement in a password policy that users must include at least one lowercase letter in their password.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-passwordpolicy.html#cfn-cognito-userpool-passwordpolicy-requirelowercase
    //
    RequireLowercase interface{} `field:"optional" json:"requireLowercase" yaml:"requireLowercase"`
    // The requirement in a password policy that users must include at least one number in their password.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-passwordpolicy.html#cfn-cognito-userpool-passwordpolicy-requirenumbers
    //
    RequireNumbers interface{} `field:"optional" json:"requireNumbers" yaml:"requireNumbers"`
    // The requirement in a password policy that users must include at least one symbol in their password.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-passwordpolicy.html#cfn-cognito-userpool-passwordpolicy-requiresymbols
    //
    RequireSymbols interface{} `field:"optional" json:"requireSymbols" yaml:"requireSymbols"`
    // The requirement in a password policy that users must include at least one uppercase letter in their password.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-passwordpolicy.html#cfn-cognito-userpool-passwordpolicy-requireuppercase
    //
    RequireUppercase interface{} `field:"optional" json:"requireUppercase" yaml:"requireUppercase"`
    // The number of days a temporary password is valid in the password policy.
    //
    // If the user doesn't sign in during this time, an administrator must reset their password. Defaults to `7`. If you submit a value of `0`, Amazon Cognito treats it as a null value and sets `TemporaryPasswordValidityDays` to its default value.
    //
    // > When you set `TemporaryPasswordValidityDays` for a user pool, you can no longer set a value for the legacy `UnusedAccountValidityDays` parameter in that user pool.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-passwordpolicy.html#cfn-cognito-userpool-passwordpolicy-temporarypasswordvaliditydays
    //
    TemporaryPasswordValidityDays *float64 `field:"optional" json:"temporaryPasswordValidityDays" yaml:"temporaryPasswordValidityDays"`
}
The password policy settings for a user pool, including complexity, history, and length requirements.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
    "github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
    "github.com/aws/jsii-runtime-go"
)

passwordPolicyProperty := &awscognito.CfnUserPool_PasswordPolicyProperty{
    MinimumLength: jsii.Number(123),
    PasswordHistorySize: jsii.Number(123),
    RequireLowercase: jsii.Boolean(false),
    RequireNumbers: jsii.Boolean(false),
    RequireSymbols: jsii.Boolean(false),
    RequireUppercase: jsii.Boolean(false),
    TemporaryPasswordValidityDays: jsii.Number(123),
}
type CfnUserPool_PoliciesProperty
type CfnUserPool_PoliciesProperty struct {
    // The password policy settings for a user pool, including complexity, history, and length requirements.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-policies.html#cfn-cognito-userpool-policies-passwordpolicy
    //
    PasswordPolicy interface{} `field:"optional" json:"passwordPolicy" yaml:"passwordPolicy"`
    // The policy for allowed types of authentication in a user pool.
    //
    // To activate this setting, your user pool must be in the [Essentials tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html) or higher.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-policies.html#cfn-cognito-userpool-policies-signinpolicy
    //
    SignInPolicy interface{} `field:"optional" json:"signInPolicy" yaml:"signInPolicy"`
}
A list of user pool policies.
Contains the policy that sets password-complexity requirements.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
    "github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
    "github.com/aws/jsii-runtime-go"
)

policiesProperty := &awscognito.CfnUserPool_PoliciesProperty{
    PasswordPolicy: &awscognito.CfnUserPool_PasswordPolicyProperty{
        MinimumLength: jsii.Number(123),
        PasswordHistorySize: jsii.Number(123),
        RequireLowercase: jsii.Boolean(false),
        RequireNumbers: jsii.Boolean(false),
        RequireSymbols: jsii.Boolean(false),
        RequireUppercase: jsii.Boolean(false),
        TemporaryPasswordValidityDays: jsii.Number(123),
    },
    SignInPolicy: &awscognito.CfnUserPool_SignInPolicyProperty{
        AllowedFirstAuthFactors: []*string{
            jsii.String("allowedFirstAuthFactors"),
        },
    },
}
type CfnUserPool_PreTokenGenerationConfigProperty added in v2.119.0
type CfnUserPool_PreTokenGenerationConfigProperty struct {
    // The Amazon Resource Name (ARN) of the function that you want to assign to your Lambda trigger.
    //
    // This parameter and the `PreTokenGeneration` property of `LambdaConfig` have the same value. For new instances of pre token generation triggers, set `LambdaArn`.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-pretokengenerationconfig.html#cfn-cognito-userpool-pretokengenerationconfig-lambdaarn
    //
    LambdaArn *string `field:"optional" json:"lambdaArn" yaml:"lambdaArn"`
    // The user pool trigger version of the request that Amazon Cognito sends to your Lambda function.
    //
    // Higher-numbered versions add fields that support new features.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-pretokengenerationconfig.html#cfn-cognito-userpool-pretokengenerationconfig-lambdaversion
    //
    LambdaVersion *string `field:"optional" json:"lambdaVersion" yaml:"lambdaVersion"`
}
The properties of a pre token generation Lambda trigger.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
    "github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
    "github.com/aws/jsii-runtime-go"
)

preTokenGenerationConfigProperty := &awscognito.CfnUserPool_PreTokenGenerationConfigProperty{
    LambdaArn: jsii.String("lambdaArn"),
    LambdaVersion: jsii.String("lambdaVersion"),
}
type CfnUserPool_RecoveryOptionProperty
type CfnUserPool_RecoveryOptionProperty struct {
    // The recovery method that this object sets a recovery option for.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-recoveryoption.html#cfn-cognito-userpool-recoveryoption-name
    //
    Name *string `field:"optional" json:"name" yaml:"name"`
    // Your priority preference for using the specified attribute in account recovery.
    //
    // The highest priority is `1`.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-recoveryoption.html#cfn-cognito-userpool-recoveryoption-priority
    //
    Priority *float64 `field:"optional" json:"priority" yaml:"priority"`
}
A recovery option for a user.
The `AccountRecoverySettingType` data type is an array of this object. Each `RecoveryOptionType` has a priority property that determines whether it is a primary or secondary option.
For example, if `verified_email` has a priority of `1` and `verified_phone_number` has a priority of `2`, your user pool sends account-recovery messages to a verified email address but falls back to an SMS message if the user has a verified phone number. The `admin_only` option prevents self-service account recovery.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
    "github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
    "github.com/aws/jsii-runtime-go"
)

recoveryOptionProperty := &awscognito.CfnUserPool_RecoveryOptionProperty{
    Name: jsii.String("name"),
    Priority: jsii.Number(123),
}
type CfnUserPool_SchemaAttributeProperty
type CfnUserPool_SchemaAttributeProperty struct {
    // The data format of the values for your attribute.
    //
    // When you choose an `AttributeDataType`, Amazon Cognito validates the input against the data type. A custom attribute value in your user's ID token is always a string, for example `"custom:isMember" : "true"` or `"custom:YearsAsMember" : "12"`.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html#cfn-cognito-userpool-schemaattribute-attributedatatype
    //
    AttributeDataType *string `field:"optional" json:"attributeDataType" yaml:"attributeDataType"`
    // > You should use [WriteAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UserPoolClientType.html#CognitoUserPools-Type-UserPoolClientType-WriteAttributes) in the user pool client to control how attributes can be mutated for new use cases instead of using `DeveloperOnlyAttribute`.
    //
    // Specifies whether the attribute type is developer only. This attribute can only be modified by an administrator. Users won't be able to modify this attribute using their access token. For example, `DeveloperOnlyAttribute` can be modified using AdminUpdateUserAttributes but can't be updated using UpdateUserAttributes.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html#cfn-cognito-userpool-schemaattribute-developeronlyattribute
    //
    DeveloperOnlyAttribute interface{} `field:"optional" json:"developerOnlyAttribute" yaml:"developerOnlyAttribute"`
    // Specifies whether the value of the attribute can be changed.
    //
    // Any user pool attribute whose value you map from an IdP attribute must be mutable, with a parameter value of `true`. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute. For more information, see [Specifying Identity Provider Attribute Mappings for Your User Pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html).
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html#cfn-cognito-userpool-schemaattribute-mutable
    //
    Mutable interface{} `field:"optional" json:"mutable" yaml:"mutable"`
    // The name of your user pool attribute.
    //
    // When you create or update a user pool, adding a schema attribute creates a custom or developer-only attribute. When you add an attribute with a `Name` value of `MyAttribute`, Amazon Cognito creates the custom attribute `custom:MyAttribute`. When `DeveloperOnlyAttribute` is `true`, Amazon Cognito creates your attribute as `dev:MyAttribute`. In an operation that describes a user pool, Amazon Cognito returns this value as `value` for standard attributes, `custom:value` for custom attributes, and `dev:value` for developer-only attributes.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html#cfn-cognito-userpool-schemaattribute-name
    //
    Name *string `field:"optional" json:"name" yaml:"name"`
    // Specifies the constraints for an attribute of the number type.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html#cfn-cognito-userpool-schemaattribute-numberattributeconstraints
    //
    NumberAttributeConstraints interface{} `field:"optional" json:"numberAttributeConstraints" yaml:"numberAttributeConstraints"`
    // Specifies whether a user pool attribute is required.
    //
    // If the attribute is required and the user doesn't provide a value, registration or sign-in will fail.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html#cfn-cognito-userpool-schemaattribute-required
    //
    Required interface{} `field:"optional" json:"required" yaml:"required"`
    // Specifies the constraints for an attribute of the string type.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html#cfn-cognito-userpool-schemaattribute-stringattributeconstraints
    //
    StringAttributeConstraints interface{} `field:"optional" json:"stringAttributeConstraints" yaml:"stringAttributeConstraints"`
}
A list of the user attributes and their properties in your user pool.
The attribute schema contains standard attributes, custom attributes with a `custom:` prefix, and developer attributes with a `dev:` prefix. For more information, see [User pool attributes](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html).
Developer-only `dev:` attributes are a legacy feature of user pools, and are read-only to all app clients. You can create and update developer-only attributes only with IAM-authenticated API operations. Use app client read/write permissions instead.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
    "github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
    "github.com/aws/jsii-runtime-go"
)

schemaAttributeProperty := &awscognito.CfnUserPool_SchemaAttributeProperty{
    AttributeDataType: jsii.String("attributeDataType"),
    DeveloperOnlyAttribute: jsii.Boolean(false),
    Mutable: jsii.Boolean(false),
    Name: jsii.String("name"),
    NumberAttributeConstraints: &awscognito.CfnUserPool_NumberAttributeConstraintsProperty{
        MaxValue: jsii.String("maxValue"),
        MinValue: jsii.String("minValue"),
    },
    Required: jsii.Boolean(false),
    StringAttributeConstraints: &awscognito.CfnUserPool_StringAttributeConstraintsProperty{
        MaxLength: jsii.String("maxLength"),
        MinLength: jsii.String("minLength"),
    },
}
type CfnUserPool_SignInPolicyProperty added in v2.172.0
type CfnUserPool_SignInPolicyProperty struct {
    // The sign-in methods that a user pool supports as the first factor.
    //
    // You can permit users to start authentication with a standard username and password, or with other one-time password and hardware factors.
    //
    // Supports values of `EMAIL_OTP`, `SMS_OTP`, `WEB_AUTHN` and `PASSWORD`.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-signinpolicy.html#cfn-cognito-userpool-signinpolicy-allowedfirstauthfactors
    //
    AllowedFirstAuthFactors *[]*string `field:"optional" json:"allowedFirstAuthFactors" yaml:"allowedFirstAuthFactors"`
}
The policy for allowed types of authentication in a user pool.
To activate this setting, your user pool must be in the [Essentials tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html) or higher.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
    "github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
    "github.com/aws/jsii-runtime-go"
)

signInPolicyProperty := &awscognito.CfnUserPool_SignInPolicyProperty{
    AllowedFirstAuthFactors: []*string{
        jsii.String("allowedFirstAuthFactors"),
    },
}
type CfnUserPool_SmsConfigurationProperty
type CfnUserPool_SmsConfigurationProperty struct {
    // The external ID provides additional security for your IAM role.
    //
    // You can use an `ExternalId` with the IAM role that you use with Amazon SNS to send SMS messages for your user pool. If you provide an `ExternalId`, your Amazon Cognito user pool includes it in the request to assume your IAM role. You can configure the role trust policy to require that Amazon Cognito, and any principal, provide the `ExternalID`. If you use the Amazon Cognito Management Console to create a role for SMS multi-factor authentication (MFA), Amazon Cognito creates a role with the required permissions and a trust policy that demonstrates use of the `ExternalId`.
    //
    // For more information about the `ExternalId` of a role, see [How to use an external ID when granting access to your AWS resources to a third party](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html).
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-smsconfiguration.html#cfn-cognito-userpool-smsconfiguration-externalid
    //
    ExternalId *string `field:"optional" json:"externalId" yaml:"externalId"`
    // The Amazon Resource Name (ARN) of the Amazon SNS caller.
    //
    // This is the ARN of the IAM role in your AWS account that Amazon Cognito will use to send SMS messages. SMS messages are subject to a [spending limit](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html).
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-smsconfiguration.html#cfn-cognito-userpool-smsconfiguration-snscallerarn
    //
    SnsCallerArn *string `field:"optional" json:"snsCallerArn" yaml:"snsCallerArn"`
    // The AWS Region to use with Amazon SNS integration.
    //
    // You can choose the same Region as your user pool, or a supported *Legacy Amazon SNS alternate Region*.
    //
    // Amazon Cognito resources in the Asia Pacific (Seoul) AWS Region must use your Amazon SNS configuration in the Asia Pacific (Tokyo) Region. For more information, see [SMS message settings for Amazon Cognito user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html).
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-smsconfiguration.html#cfn-cognito-userpool-smsconfiguration-snsregion
    //
    SnsRegion *string `field:"optional" json:"snsRegion" yaml:"snsRegion"`
}
User pool configuration for delivery of SMS messages with Amazon Simple Notification Service.
To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
    "github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
    "github.com/aws/jsii-runtime-go"
)

smsConfigurationProperty := &awscognito.CfnUserPool_SmsConfigurationProperty{
    ExternalId: jsii.String("externalId"),
    SnsCallerArn: jsii.String("snsCallerArn"),
    SnsRegion: jsii.String("snsRegion"),
}
type CfnUserPool_StringAttributeConstraintsProperty
type CfnUserPool_StringAttributeConstraintsProperty struct {
    // The maximum length of a string attribute value.
    //
    // Must be a number less than or equal to `2^1023`, represented as a string with a length of 131072 characters or fewer.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-stringattributeconstraints.html#cfn-cognito-userpool-stringattributeconstraints-maxlength
    //
    MaxLength *string `field:"optional" json:"maxLength" yaml:"maxLength"`
    // The minimum length of a string attribute value.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-stringattributeconstraints.html#cfn-cognito-userpool-stringattributeconstraints-minlength
    //
    MinLength *string `field:"optional" json:"minLength" yaml:"minLength"`
}
The minimum and maximum length values of an attribute that is of the string type, for example `custom:department`.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import (
    "github.com/aws/aws-cdk-go/awscdk/v2/awscognito"
    "github.com/aws/jsii-runtime-go"
)

stringAttributeConstraintsProperty := &awscognito.CfnUserPool_StringAttributeConstraintsProperty{
    MaxLength: jsii.String("maxLength"),
    MinLength: jsii.String("minLength"),
}
type CfnUserPool_UserAttributeUpdateSettingsProperty added in v2.27.0
type CfnUserPool_UserAttributeUpdateSettingsProperty struct {
    // Requires that your user verifies their email address, phone number, or both before Amazon Cognito updates the value of that attribute.
    //
    // When you update a user attribute that has this option activated, Amazon Cognito sends a verification message to the new phone number or email address. Amazon Cognito doesn’t change the value of the attribute until your user responds to the verification message and confirms the new value.
    //
    // When `AttributesRequireVerificationBeforeUpdate` is false, your user pool doesn't require that your users verify attribute changes before Amazon Cognito updates them. In a user pool where `AttributesRequireVerificationBeforeUpdate` is false, API operations that change attribute values can immediately update a user’s `email` or `phone_number` attribute.
    // See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userattributeupdatesettings.html#cfn-cognito-userpool-userattributeupdatesettings-attributesrequireverificationbeforeupdate
    //
    AttributesRequireVerificationBeforeUpdate *[]*string `field:"required" json:"attributesRequireVerificationBeforeUpdate" yaml:"attributesRequireVerificationBeforeUpdate"`
}
The settings for updates to user attributes.
These settings include the property `AttributesRequireVerificationBeforeUpdate` , a user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For more information, see [Verifying updates to email addresses and phone numbers](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates) .
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

userAttributeUpdateSettingsProperty := &UserAttributeUpdateSettingsProperty{
	AttributesRequireVerificationBeforeUpdate: []*string{
		jsii.String("attributesRequireVerificationBeforeUpdate"),
	},
}
type CfnUserPool_UserPoolAddOnsProperty ¶
type CfnUserPool_UserPoolAddOnsProperty struct {
	// Threat protection configuration options for additional authentication types in your user pool, including custom authentication.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html#cfn-cognito-userpool-userpooladdons-advancedsecurityadditionalflows
	//
	AdvancedSecurityAdditionalFlows interface{} `field:"optional" json:"advancedSecurityAdditionalFlows" yaml:"advancedSecurityAdditionalFlows"`
	// The operating mode of threat protection for standard authentication types in your user pool, including username-password and secure remote password (SRP) authentication.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html#cfn-cognito-userpool-userpooladdons-advancedsecuritymode
	//
	AdvancedSecurityMode *string `field:"optional" json:"advancedSecurityMode" yaml:"advancedSecurityMode"`
}
User pool add-ons.
Contains settings for activation of threat protection. To log user security information but take no action, set to `AUDIT` . To configure automatic security responses to risky traffic to your user pool, set to `ENFORCED` .
For more information, see [Adding advanced security to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html) . To activate this setting, your user pool must be on the [Plus tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-plus.html) .
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

userPoolAddOnsProperty := &UserPoolAddOnsProperty{
	AdvancedSecurityAdditionalFlows: &AdvancedSecurityAdditionalFlowsProperty{
		CustomAuthMode: jsii.String("customAuthMode"),
	},
	AdvancedSecurityMode: jsii.String("advancedSecurityMode"),
}
type CfnUserPool_UsernameConfigurationProperty ¶
type CfnUserPool_UsernameConfigurationProperty struct {
	// Specifies whether user name case sensitivity will be applied for all users in the user pool through Amazon Cognito APIs.
	//
	// For most use cases, set case sensitivity to `False` (case insensitive) as a best practice. When usernames and email addresses are case insensitive, users can sign in as the same user when they enter a different capitalization of their user name.
	//
	// Valid values include:
	//
	// - **true** - Enables case sensitivity for all username input. When this option is set to `true` , users must sign in using the exact capitalization of their given username, such as “UserName”. This is the default value.
	// - **false** - Enables case insensitivity for all username input. For example, when this option is set to `false` , users can sign in using `username` , `USERNAME` , or `UserName` . This option also enables both `preferred_username` and `email` alias to be case insensitive, in addition to the `username` attribute.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-usernameconfiguration.html#cfn-cognito-userpool-usernameconfiguration-casesensitive
	//
	CaseSensitive interface{} `field:"optional" json:"caseSensitive" yaml:"caseSensitive"`
}
Case sensitivity of the username input for the selected sign-in option.
When case sensitivity is set to `False` (case insensitive), users can sign in with any combination of capital and lowercase letters. For example, `username` , `USERNAME` , or `UserName` , or for email, `email@example.com` or `EMaiL@eXamplE.Com` . For most use cases, set case sensitivity to `False` (case insensitive) as a best practice. When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

usernameConfigurationProperty := &UsernameConfigurationProperty{
	CaseSensitive: jsii.Boolean(false),
}
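The three property types above (`UserAttributeUpdateSettings`, `UserPoolAddOns`, `UsernameConfiguration`) end up as properties of `AWS::Cognito::UserPool` in the synthesized template, so they can be checked before deployment. The following is an added example, not code from the CDK project: a standard-library Go check over a template's JSON. The sample template, its logical IDs, the `Finding` type and the function names are constructed for illustration, and treating every auto-verified attribute as one that should require verification before update is this example's own policy assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// sampleTemplate is constructed for this example; the logical IDs are made up.
const sampleTemplate = `{"Resources": {
  "LaxPool": {"Type": "AWS::Cognito::UserPool", "Properties": {
    "AutoVerifiedAttributes": ["email", "phone_number"], "UserPoolAddOns": {"AdvancedSecurityMode": "AUDIT"},
    "UserAttributeUpdateSettings": {"AttributesRequireVerificationBeforeUpdate": ["email"]}}},
  "StrictPool": {"Type": "AWS::Cognito::UserPool", "Properties": {
    "AutoVerifiedAttributes": ["email"],
    "UsernameConfiguration": {"CaseSensitive": false}, "UserPoolAddOns": {"AdvancedSecurityMode": "ENFORCED"},
    "UserAttributeUpdateSettings": {"AttributesRequireVerificationBeforeUpdate": ["email"]}}},
  "Bucket": {"Type": "AWS::S3::Bucket"}
}}`

// Finding is one user pool setting that differs from the hardened value.
type Finding struct{ Resource, Setting, Detail string }

// userPoolProps holds only the AWS::Cognito::UserPool properties checked here.
type userPoolProps struct {
	AutoVerifiedAttributes      []string
	UsernameConfiguration       struct{ CaseSensitive *bool }
	UserPoolAddOns              struct{ AdvancedSecurityMode string }
	UserAttributeUpdateSettings struct {
		AttributesRequireVerificationBeforeUpdate []string
	}
}

// auditPool compares one pool's properties with the settings described above.
func auditPool(id string, p userPoolProps) []Finding {
	var out []Finding
	add := func(setting, detail string) { out = append(out, Finding{id, setting, detail}) }
	switch p.UserPoolAddOns.AdvancedSecurityMode {
	case "ENFORCED": // automatic responses to risky traffic
	case "AUDIT":
		add("UserPoolAddOns.AdvancedSecurityMode", "AUDIT logs security information but takes no action")
	default:
		add("UserPoolAddOns.AdvancedSecurityMode", "threat protection is not set to AUDIT or ENFORCED")
	}
	// The page gives true (case sensitive) as the default when the property is absent.
	if cs := p.UsernameConfiguration.CaseSensitive; cs == nil || *cs {
		add("UsernameConfiguration.CaseSensitive", "case variants of a username are treated as different users")
	}
	// Assumption of this example: auto-verified attributes should also be verified before update.
	gated := map[string]bool{}
	for _, a := range p.UserAttributeUpdateSettings.AttributesRequireVerificationBeforeUpdate {
		gated[a] = true
	}
	for _, a := range p.AutoVerifiedAttributes {
		if !gated[a] {
			add("UserAttributeUpdateSettings.AttributesRequireVerificationBeforeUpdate", a+" changes take effect before the new value is verified")
		}
	}
	return out
}

// AuditUserPools reports findings for every user pool in a template, sorted by logical ID.
func AuditUserPools(templateJSON []byte) ([]Finding, error) {
	var tpl struct {
		Resources map[string]struct {
			Type       string
			Properties json.RawMessage
		}
	}
	if err := json.Unmarshal(templateJSON, &tpl); err != nil {
		return nil, fmt.Errorf("parse template: %w", err)
	}
	var ids []string
	for id, r := range tpl.Resources {
		if r.Type == "AWS::Cognito::UserPool" {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)
	var out []Finding
	for _, id := range ids {
		var p userPoolProps
		raw := tpl.Resources[id].Properties
		if len(raw) > 0 && json.Unmarshal(raw, &p) != nil {
			out = append(out, Finding{id, "Properties", "not evaluated: a checked value is not a literal (intrinsic function?)"})
			continue
		}
		out = append(out, auditPool(id, p)...)
	}
	return out, nil
}

func main() {
	findings, _ := AuditUserPools([]byte(sampleTemplate)) // the constant sample always parses
	for _, f := range findings {
		fmt.Printf("%s: %s: %s\n", f.Resource, f.Setting, f.Detail)
	}
}
```

Run against the sample, it reports three findings for `LaxPool` and none for `StrictPool`; a pool whose checked properties contain intrinsic functions is reported as not evaluated rather than passed.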
type CfnUserPool_VerificationMessageTemplateProperty ¶
type CfnUserPool_VerificationMessageTemplateProperty struct {
	// The configuration of verification emails to contain a clickable link or a verification code.
	//
	// For link, your template body must contain link text in the format `{##Click here##}` . "Click here" in the example is a customizable string. For code, your template body must contain a code placeholder in the format `{####}` .
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html#cfn-cognito-userpool-verificationmessagetemplate-defaultemailoption
	//
	DefaultEmailOption *string `field:"optional" json:"defaultEmailOption" yaml:"defaultEmailOption"`
	// The template for email messages that Amazon Cognito sends to your users.
	//
	// You can set an `EmailMessage` template only if the value of [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` . When your [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` , your user pool sends email messages with your own Amazon SES configuration.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html#cfn-cognito-userpool-verificationmessagetemplate-emailmessage
	//
	EmailMessage *string `field:"optional" json:"emailMessage" yaml:"emailMessage"`
	// The email message template for sending a confirmation link to the user.
	//
	// You can set an `EmailMessageByLink` template only if the value of [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` . When your [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` , your user pool sends email messages with your own Amazon SES configuration.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html#cfn-cognito-userpool-verificationmessagetemplate-emailmessagebylink
	//
	EmailMessageByLink *string `field:"optional" json:"emailMessageByLink" yaml:"emailMessageByLink"`
	// The subject line for the email message template.
	//
	// You can set an `EmailSubject` template only if the value of [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` . When your [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` , your user pool sends email messages with your own Amazon SES configuration.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html#cfn-cognito-userpool-verificationmessagetemplate-emailsubject
	//
	EmailSubject *string `field:"optional" json:"emailSubject" yaml:"emailSubject"`
	// The subject line for the email message template for sending a confirmation link to the user.
	//
	// You can set an `EmailSubjectByLink` template only if the value of [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` . When your [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` , your user pool sends email messages with your own Amazon SES configuration.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html#cfn-cognito-userpool-verificationmessagetemplate-emailsubjectbylink
	//
	EmailSubjectByLink *string `field:"optional" json:"emailSubjectByLink" yaml:"emailSubjectByLink"`
	// The template for SMS messages that Amazon Cognito sends to your users.
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html#cfn-cognito-userpool-verificationmessagetemplate-smsmessage
	//
	SmsMessage *string `field:"optional" json:"smsMessage" yaml:"smsMessage"`
}
The template for the verification message that your user pool delivers to users who set an email address or phone number attribute.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

verificationMessageTemplateProperty := &VerificationMessageTemplateProperty{
	DefaultEmailOption: jsii.String("defaultEmailOption"),
	EmailMessage: jsii.String("emailMessage"),
	EmailMessageByLink: jsii.String("emailMessageByLink"),
	EmailSubject: jsii.String("emailSubject"),
	EmailSubjectByLink: jsii.String("emailSubjectByLink"),
	SmsMessage: jsii.String("smsMessage"),
}
type ClientAttributes ¶
type ClientAttributes interface {
	// The list of attributes represented by this ClientAttributes.
	Attributes() *[]*string
	// Creates a custom ClientAttributes with the specified attributes.
	WithCustomAttributes(attributes ...*string) ClientAttributes
	// Creates a custom ClientAttributes with the specified attributes.
	WithStandardAttributes(attributes *StandardAttributesMask) ClientAttributes
}
A set of attributes, useful to set Read and Write attributes.
Example:
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)

// Attributes the app client may write.
clientWriteAttributes := (cognito.NewClientAttributes()).WithStandardAttributes(&cognito.StandardAttributesMask{
	Fullname: jsii.Boolean(true),
	Email: jsii.Boolean(true),
}).WithCustomAttributes(jsii.String("favoritePizza"), jsii.String("favoriteBeverage"))

// Attributes the app client may read: everything writable, plus two read-only ones.
clientReadAttributes := clientWriteAttributes.WithStandardAttributes(&cognito.StandardAttributesMask{
	EmailVerified: jsii.Boolean(true),
}).WithCustomAttributes(jsii.String("pointsEarned"))

pool.AddClient(jsii.String("app-client"), &cognito.UserPoolClientOptions{
	// ...
	ReadAttributes: clientReadAttributes,
	WriteAttributes: clientWriteAttributes,
})
func NewClientAttributes ¶
func NewClientAttributes() ClientAttributes
Creates a ClientAttributes with the specified attributes. Default: - a ClientAttributes object without any attributes.
type CognitoDomainOptions ¶
type CognitoDomainOptions struct {
	// The prefix to the Cognito hosted domain name that will be associated with the user pool.
	DomainPrefix *string `field:"required" json:"domainPrefix" yaml:"domainPrefix"`
}
Options while specifying a cognito prefix domain.
Example:
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)

// Domain under the Cognito hosted domain, identified by a prefix.
pool.AddDomain(jsii.String("CognitoDomain"), &cognito.UserPoolDomainOptions{
	CognitoDomain: &cognito.CognitoDomainOptions{
		DomainPrefix: jsii.String("my-awesome-app"),
	},
})

certificateArn := "arn:aws:acm:us-east-1:123456789012:certificate/11-3336f1-44483d-adc7-9cd375c5169d"

// Custom domain, which needs a certificate from AWS Certificate Manager.
domainCert := certificatemanager.Certificate_FromCertificateArn(this, jsii.String("domainCert"), jsii.String(certificateArn))
pool.AddDomain(jsii.String("CustomDomain"), &cognito.UserPoolDomainOptions{
	CustomDomain: &cognito.CustomDomainOptions{
		DomainName: jsii.String("user.myapp.com"),
		Certificate: domainCert,
	},
})
type CustomAttributeConfig ¶
type CustomAttributeConfig struct {
	// The data type of the custom attribute.
	// See: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SchemaAttributeType.html#CognitoUserPools-Type-SchemaAttributeType-AttributeDataType
	//
	DataType *string `field:"required" json:"dataType" yaml:"dataType"`
	// Specifies whether the value of the attribute can be changed.
	//
	// For any user pool attribute that's mapped to an identity provider attribute, you must set this parameter to true.
	// Amazon Cognito updates mapped attributes when users sign in to your application through an identity provider.
	// If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute.
	// Default: false.
	//
	Mutable *bool `field:"optional" json:"mutable" yaml:"mutable"`
	// The constraints for a custom attribute of the 'Number' data type.
	// Default: - None.
	//
	NumberConstraints *NumberAttributeConstraints `field:"optional" json:"numberConstraints" yaml:"numberConstraints"`
	// The constraints for a custom attribute of 'String' data type.
	// Default: - None.
	//
	StringConstraints *StringAttributeConstraints `field:"optional" json:"stringConstraints" yaml:"stringConstraints"`
}
Configuration that will be fed into CloudFormation for any custom attribute type.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

customAttributeConfig := &CustomAttributeConfig{
	DataType: jsii.String("dataType"),

	// the properties below are optional
	Mutable: jsii.Boolean(false),
	NumberConstraints: &NumberAttributeConstraints{
		Max: jsii.Number(123),
		Min: jsii.Number(123),
	},
	StringConstraints: &StringAttributeConstraints{
		MaxLen: jsii.Number(123),
		MinLen: jsii.Number(123),
	},
}
type CustomAttributeProps ¶
type CustomAttributeProps struct {
	// Specifies whether the value of the attribute can be changed.
	//
	// For any user pool attribute that's mapped to an identity provider attribute, you must set this parameter to true.
	// Amazon Cognito updates mapped attributes when users sign in to your application through an identity provider.
	// If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute.
	// Default: false.
	//
	Mutable *bool `field:"optional" json:"mutable" yaml:"mutable"`
}
Constraints that can be applied to a custom attribute of any type.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	// ...
	StandardAttributes: &cognito.StandardAttributes{
		Fullname: &cognito.StandardAttribute{
			Required: jsii.Boolean(true),
			Mutable: jsii.Boolean(false),
		},
		Address: &cognito.StandardAttribute{
			Required: jsii.Boolean(false),
			Mutable: jsii.Boolean(true),
		},
	},
	CustomAttributes: &map[string]cognito.ICustomAttribute{
		"myappid": cognito.NewStringAttribute(&cognito.StringAttributeProps{
			MinLen: jsii.Number(5),
			MaxLen: jsii.Number(15),
			Mutable: jsii.Boolean(false),
		}),
		"callingcode": cognito.NewNumberAttribute(&cognito.NumberAttributeProps{
			Min: jsii.Number(1),
			Max: jsii.Number(3),
			Mutable: jsii.Boolean(true),
		}),
		"isEmployee": cognito.NewBooleanAttribute(&cognito.CustomAttributeProps{
			Mutable: jsii.Boolean(true),
		}),
		// nil props: the attribute keeps the default (Mutable: false).
		"joinedOn": cognito.NewDateTimeAttribute(nil),
	},
})
type CustomDomainOptions ¶
type CustomDomainOptions struct {
	// The certificate to associate with this domain.
	Certificate awscertificatemanager.ICertificate `field:"required" json:"certificate" yaml:"certificate"`
	// The custom domain name that you would like to associate with this User Pool.
	DomainName *string `field:"required" json:"domainName" yaml:"domainName"`
}
Options while specifying custom domain.
Example:
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)

// Domain under the Cognito hosted domain, identified by a prefix.
pool.AddDomain(jsii.String("CognitoDomain"), &cognito.UserPoolDomainOptions{
	CognitoDomain: &cognito.CognitoDomainOptions{
		DomainPrefix: jsii.String("my-awesome-app"),
	},
})

certificateArn := "arn:aws:acm:us-east-1:123456789012:certificate/11-3336f1-44483d-adc7-9cd375c5169d"

// Custom domain, which needs a certificate from AWS Certificate Manager.
domainCert := certificatemanager.Certificate_FromCertificateArn(this, jsii.String("domainCert"), jsii.String(certificateArn))
pool.AddDomain(jsii.String("CustomDomain"), &cognito.UserPoolDomainOptions{
	CustomDomain: &cognito.CustomDomainOptions{
		DomainName: jsii.String("user.myapp.com"),
		Certificate: domainCert,
	},
})
See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html
type CustomThreatProtectionMode ¶ added in v2.181.0
type CustomThreatProtectionMode string
The Type of Threat Protection Enabled for Custom Authentication.
This feature only functions if your FeaturePlan is set to FeaturePlan.PLUS.
See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html
const (
	// Cognito automatically takes preventative actions in response to different levels of risk that you configure for your user pool.
	CustomThreatProtectionMode_FULL_FUNCTION CustomThreatProtectionMode = "FULL_FUNCTION"
	// Cognito gathers metrics on detected risks, but doesn't take automatic action.
	CustomThreatProtectionMode_AUDIT_ONLY CustomThreatProtectionMode = "AUDIT_ONLY"
)
type DateTimeAttribute ¶
type DateTimeAttribute interface {
	ICustomAttribute
	// Bind this custom attribute type to the values as expected by CloudFormation.
	Bind() *CustomAttributeConfig
}
The DateTime custom attribute type.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	// ...
	StandardAttributes: &cognito.StandardAttributes{
		Fullname: &cognito.StandardAttribute{
			Required: jsii.Boolean(true),
			Mutable: jsii.Boolean(false),
		},
		Address: &cognito.StandardAttribute{
			Required: jsii.Boolean(false),
			Mutable: jsii.Boolean(true),
		},
	},
	CustomAttributes: &map[string]cognito.ICustomAttribute{
		"myappid": cognito.NewStringAttribute(&cognito.StringAttributeProps{
			MinLen: jsii.Number(5),
			MaxLen: jsii.Number(15),
			Mutable: jsii.Boolean(false),
		}),
		"callingcode": cognito.NewNumberAttribute(&cognito.NumberAttributeProps{
			Min: jsii.Number(1),
			Max: jsii.Number(3),
			Mutable: jsii.Boolean(true),
		}),
		"isEmployee": cognito.NewBooleanAttribute(&cognito.CustomAttributeProps{
			Mutable: jsii.Boolean(true),
		}),
		// nil props: the attribute keeps the default (Mutable: false).
		"joinedOn": cognito.NewDateTimeAttribute(nil),
	},
})
func NewDateTimeAttribute ¶
func NewDateTimeAttribute(props *CustomAttributeProps) DateTimeAttribute
type DeviceTracking ¶
type DeviceTracking struct {
	// Indicates whether a challenge is required on a new device.
	//
	// Only applicable to a new device.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
	//
	// Default: false.
	//
	ChallengeRequiredOnNewDevice *bool `field:"required" json:"challengeRequiredOnNewDevice" yaml:"challengeRequiredOnNewDevice"`
	// If true, a device is only remembered on user prompt.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
	//
	// Default: false.
	//
	DeviceOnlyRememberedOnUserPrompt *bool `field:"required" json:"deviceOnlyRememberedOnUserPrompt" yaml:"deviceOnlyRememberedOnUserPrompt"`
}
Device tracking settings.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	// ...
	DeviceTracking: &cognito.DeviceTracking{
		ChallengeRequiredOnNewDevice: jsii.Boolean(true),
		DeviceOnlyRememberedOnUserPrompt: jsii.Boolean(true),
	},
})
type EmailSettings ¶
type EmailSettings struct {
	// The 'from' address on the emails received by the user.
	// Default: noreply@verificationemail.com
	//
	From *string `field:"optional" json:"from" yaml:"from"`
	// The 'replyTo' address on the emails received by the user as defined by IETF RFC-5322.
	//
	// When set, most email clients change the 'to' line to this address when a reply is drafted.
	// Default: - Not set.
	//
	ReplyTo *string `field:"optional" json:"replyTo" yaml:"replyTo"`
}
Email settings for the user pool.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

emailSettings := &EmailSettings{
	From: jsii.String("from"),
	ReplyTo: jsii.String("replyTo"),
}
type FeaturePlan ¶ added in v2.173.0
type FeaturePlan string
The user pool feature plan, or tier.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	SignInPolicy: &cognito.SignInPolicy{
		AllowedFirstAuthFactors: &cognito.AllowedFirstAuthFactors{
			Password: jsii.Boolean(true),
		},
	},
	FeaturePlan: cognito.FeaturePlan_LITE,
})
See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html
const (
	// Lite feature plan.
	FeaturePlan_LITE FeaturePlan = "LITE"
	// Essentials feature plan.
	FeaturePlan_ESSENTIALS FeaturePlan = "ESSENTIALS"
	// Plus feature plan.
	FeaturePlan_PLUS FeaturePlan = "PLUS"
)
type ICustomAttribute ¶
type ICustomAttribute interface {
	// Bind this custom attribute type to the values as expected by CloudFormation.
	Bind() *CustomAttributeConfig
}
Represents a custom attribute type.
type IUserPool ¶
type IUserPool interface {
	awscdk.IResource
	// Add a new app client to this user pool.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html
	//
	AddClient(id *string, options *UserPoolClientOptions) UserPoolClient
	// Associate a domain to this user pool.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain.html
	//
	AddDomain(id *string, options *UserPoolDomainOptions) UserPoolDomain
	// Add a new group to this user pool.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html
	//
	AddGroup(id *string, options *UserPoolGroupOptions) UserPoolGroup
	// Add a new resource server to this user pool.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-resource-servers.html
	//
	AddResourceServer(id *string, options *UserPoolResourceServerOptions) UserPoolResourceServer
	// Adds an IAM policy statement associated with this user pool to an IAM principal's policy.
	Grant(grantee awsiam.IGrantable, actions ...*string) awsiam.Grant
	// Register an identity provider with this user pool.
	RegisterIdentityProvider(provider IUserPoolIdentityProvider)
	// Get all identity providers registered with this user pool.
	IdentityProviders() *[]IUserPoolIdentityProvider
	// The ARN of this user pool resource.
	UserPoolArn() *string
	// The physical ID of this user pool resource.
	UserPoolId() *string
	// The provider name of this user pool resource.
	UserPoolProviderName() *string
}
Represents a Cognito UserPool.
func UserPool_FromUserPoolArn ¶
func UserPool_FromUserPoolArn(scope constructs.Construct, id *string, userPoolArn *string) IUserPool
Import an existing user pool based on its ARN.
func UserPool_FromUserPoolId ¶
Import an existing user pool based on its id.
type IUserPoolClient ¶
type IUserPoolClient interface {
	awscdk.IResource
	// Name of the application client.
	UserPoolClientId() *string
	// The generated client secret.
	//
	// Only available if the "generateSecret" props is set to true.
	UserPoolClientSecret() awscdk.SecretValue
}
Represents a Cognito user pool client.
func UserPoolClient_FromUserPoolClientId ¶
func UserPoolClient_FromUserPoolClientId(scope constructs.Construct, id *string, userPoolClientId *string) IUserPoolClient
Import a user pool client given its id.
type IUserPoolDomain ¶
type IUserPoolDomain interface {
	awscdk.IResource
	// The domain that was specified to be created.
	//
	// If `customDomain` was selected, this holds the full domain name that was specified.
	// If the `cognitoDomain` was used, it contains the prefix to the Cognito hosted domain.
	DomainName() *string
}
Represents a user pool domain.
func UserPoolDomain_FromDomainName ¶
func UserPoolDomain_FromDomainName(scope constructs.Construct, id *string, userPoolDomainName *string) IUserPoolDomain
Import a UserPoolDomain given its domain name.
type IUserPoolGroup ¶ added in v2.165.0
type IUserPoolGroup interface {
	awscdk.IResource
	// The user group name.
	GroupName() *string
}
Represents a user pool group.
func UserPoolGroup_FromGroupName ¶ added in v2.165.0
func UserPoolGroup_FromGroupName(scope constructs.Construct, id *string, groupName *string) IUserPoolGroup
Import a UserPoolGroup given its group name.
type IUserPoolIdentityProvider ¶
type IUserPoolIdentityProvider interface {
	awscdk.IResource
	// The primary identifier of this identity provider.
	ProviderName() *string
}
Represents a UserPoolIdentityProvider.
func UserPoolIdentityProvider_FromProviderName ¶
func UserPoolIdentityProvider_FromProviderName(scope constructs.Construct, id *string, providerName *string) IUserPoolIdentityProvider
Import an existing UserPoolIdentityProvider.
type IUserPoolResourceServer ¶
type IUserPoolResourceServer interface {
	awscdk.IResource
	// Resource server id.
	UserPoolResourceServerId() *string
}
Represents a Cognito user pool resource server.
func UserPoolResourceServer_FromUserPoolResourceServerId ¶
func UserPoolResourceServer_FromUserPoolResourceServerId(scope constructs.Construct, id *string, userPoolResourceServerId *string) IUserPoolResourceServer
Import a user pool resource server given its id.
type KeepOriginalAttrs ¶ added in v2.33.0
type KeepOriginalAttrs struct {
	// Whether the email address of the user should remain the original value until the new email address is verified.
	// Default: - false.
	//
	Email *bool `field:"optional" json:"email" yaml:"email"`
	// Whether the phone number of the user should remain the original value until the new phone number is verified.
	// Default: - false.
	//
	Phone *bool `field:"optional" json:"phone" yaml:"phone"`
}
Attributes that will be kept until the user verifies the changed attribute.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	// ...
	SignInAliases: &cognito.SignInAliases{
		Username: jsii.Boolean(true),
	},
	AutoVerify: &cognito.AutoVerifiedAttrs{
		Email: jsii.Boolean(true),
		Phone: jsii.Boolean(true),
	},
	// Keep the current email and phone number until the new values are verified.
	KeepOriginal: &cognito.KeepOriginalAttrs{
		Email: jsii.Boolean(true),
		Phone: jsii.Boolean(true),
	},
})
type LambdaVersion ¶ added in v2.127.0
type LambdaVersion string
The user pool trigger version of the request that Amazon Cognito sends to your Lambda function.
Example:
// lambda is the import alias for the awslambda package.
var userpool cognito.UserPool
var preTokenGenerationFn lambda.Function

userpool.AddTrigger(cognito.UserPoolOperation_PRE_TOKEN_GENERATION_CONFIG(), preTokenGenerationFn, cognito.LambdaVersion_V2_0)
const (
	// V1_0 trigger.
	LambdaVersion_V1_0 LambdaVersion = "V1_0"
	// V2_0 trigger.
	//
	// This is supported only for PRE_TOKEN_GENERATION trigger.
	LambdaVersion_V2_0 LambdaVersion = "V2_0"
)
type ManagedLoginVersion ¶ added in v2.177.0
type ManagedLoginVersion string
The branding version of managed login for the domain.
Example:
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)

// Use the new managed login page
pool.AddDomain(jsii.String("CognitoDomainWithBlandingDesignManagedLogin"), &cognito.UserPoolDomainOptions{
	CognitoDomain: &cognito.CognitoDomainOptions{
		DomainPrefix: jsii.String("blanding-design-ui"),
	},
	ManagedLoginVersion: cognito.ManagedLoginVersion_NEWER_MANAGED_LOGIN,
})

// Use the classic hosted UI
pool.AddDomain(jsii.String("DomainWithClassicHostedUi"), &cognito.UserPoolDomainOptions{
	CognitoDomain: &cognito.CognitoDomainOptions{
		DomainPrefix: jsii.String("classic-hosted-ui"),
	},
	ManagedLoginVersion: cognito.ManagedLoginVersion_CLASSIC_HOSTED_UI,
})
const (
	// The classic hosted UI.
	ManagedLoginVersion_CLASSIC_HOSTED_UI ManagedLoginVersion = "CLASSIC_HOSTED_UI"
	// The newer managed login with the branding designer.
	ManagedLoginVersion_NEWER_MANAGED_LOGIN ManagedLoginVersion = "NEWER_MANAGED_LOGIN"
)
type Mfa ¶
type Mfa string
The different ways in which a user pool's MFA enforcement can be configured.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	// ...
	Mfa: cognito.Mfa_REQUIRED,
	MfaSecondFactor: &cognito.MfaSecondFactor{
		Sms: jsii.Boolean(true),
		Otp: jsii.Boolean(true),
		Email: jsii.Boolean(false),
	},
})
See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html
const (
	// Users are not required to use MFA for sign in, and cannot configure one.
	Mfa_OFF Mfa = "OFF"
	// Users are not required to use MFA for sign in, but can configure one if they so choose to.
	Mfa_OPTIONAL Mfa = "OPTIONAL"
	// Users are required to configure an MFA, and have to use it to sign in.
	Mfa_REQUIRED Mfa = "REQUIRED"
)
type MfaSecondFactor ¶
type MfaSecondFactor struct {
	// The MFA token is a time-based one time password that is generated by a hardware or software token.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-totp.html
	//
	// Default: false.
	//
	Otp *bool `field:"required" json:"otp" yaml:"otp"`
	// The MFA token is sent to the user via SMS to their verified phone numbers.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-sms-email-message.html
	//
	// Default: true.
	//
	Sms *bool `field:"required" json:"sms" yaml:"sms"`
	// The MFA token is sent to the user via EMAIL.
	//
	// To enable email-based MFA, set `email` property to the Amazon SES email-sending configuration
	// and set `featurePlan` to `FeaturePlan.ESSENTIALS` or `FeaturePlan.PLUS`
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-sms-email-message.html
	//
	// Default: false.
	//
	Email *bool `field:"optional" json:"email" yaml:"email"`
}
The different ways in which a user pool can obtain their MFA token for sign in.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	// ...
	Mfa: cognito.Mfa_REQUIRED,
	MfaSecondFactor: &cognito.MfaSecondFactor{
		Sms: jsii.Boolean(true),
		Otp: jsii.Boolean(true),
		Email: jsii.Boolean(false),
	},
})
See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html
type NumberAttribute ¶
type NumberAttribute interface {
	ICustomAttribute
	// Bind this custom attribute type to the values as expected by CloudFormation.
	Bind() *CustomAttributeConfig
}
The Number custom attribute type.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	// ...
	StandardAttributes: &cognito.StandardAttributes{
		Fullname: &cognito.StandardAttribute{
			Required: jsii.Boolean(true),
			Mutable: jsii.Boolean(false),
		},
		Address: &cognito.StandardAttribute{
			Required: jsii.Boolean(false),
			Mutable: jsii.Boolean(true),
		},
	},
	CustomAttributes: &map[string]cognito.ICustomAttribute{
		"myappid": cognito.NewStringAttribute(&cognito.StringAttributeProps{
			MinLen: jsii.Number(5),
			MaxLen: jsii.Number(15),
			Mutable: jsii.Boolean(false),
		}),
		"callingcode": cognito.NewNumberAttribute(&cognito.NumberAttributeProps{
			Min: jsii.Number(1),
			Max: jsii.Number(3),
			Mutable: jsii.Boolean(true),
		}),
		"isEmployee": cognito.NewBooleanAttribute(&cognito.CustomAttributeProps{
			Mutable: jsii.Boolean(true),
		}),
		// nil props: the attribute keeps the default (Mutable: false).
		"joinedOn": cognito.NewDateTimeAttribute(nil),
	},
})
func NewNumberAttribute ¶
func NewNumberAttribute(props *NumberAttributeProps) NumberAttribute
type NumberAttributeConstraints ¶
type NumberAttributeConstraints struct {
	// Maximum value of this attribute.
	// Default: - no maximum value.
	//
	Max *float64 `field:"optional" json:"max" yaml:"max"`
	// Minimum value of this attribute.
	// Default: - no minimum value.
	//
	Min *float64 `field:"optional" json:"min" yaml:"min"`
}
Constraints that can be applied to a custom attribute of number type.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

numberAttributeConstraints := &NumberAttributeConstraints{
	Max: jsii.Number(123),
	Min: jsii.Number(123),
}
type NumberAttributeProps ¶
type NumberAttributeProps struct {
	// Maximum value of this attribute.
	// Default: - no maximum value.
	//
	Max *float64 `field:"optional" json:"max" yaml:"max"`
	// Minimum value of this attribute.
	// Default: - no minimum value.
	//
	Min *float64 `field:"optional" json:"min" yaml:"min"`
	// Specifies whether the value of the attribute can be changed.
	//
	// For any user pool attribute that's mapped to an identity provider attribute, you must set this parameter to true.
	// Amazon Cognito updates mapped attributes when users sign in to your application through an identity provider.
	// If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute.
	// Default: false.
	//
	Mutable *bool `field:"optional" json:"mutable" yaml:"mutable"`
}
Props for NumberAttr.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &UserPoolProps{
	// ...
	StandardAttributes: &StandardAttributes{
		Fullname: &StandardAttribute{
			Required: jsii.Boolean(true),
			Mutable: jsii.Boolean(false),
		},
		Address: &StandardAttribute{
			Required: jsii.Boolean(false),
			Mutable: jsii.Boolean(true),
		},
	},
	CustomAttributes: &map[string]ICustomAttribute{
		"myappid": cognito.NewStringAttribute(&StringAttributeProps{
			MinLen: jsii.Number(5),
			MaxLen: jsii.Number(15),
			Mutable: jsii.Boolean(false),
		}),
		"callingcode": cognito.NewNumberAttribute(&NumberAttributeProps{
			Min: jsii.Number(1),
			Max: jsii.Number(3),
			Mutable: jsii.Boolean(true),
		}),
		"isEmployee": cognito.NewBooleanAttribute(&CustomAttributeProps{
			Mutable: jsii.Boolean(true),
		}),
		"joinedOn": cognito.NewDateTimeAttribute(nil),
	},
})
type OAuthFlows ¶
type OAuthFlows struct {
	// Initiate an authorization code grant flow, which provides an authorization code as the response.
	// Default: false.
	//
	AuthorizationCodeGrant *bool `field:"optional" json:"authorizationCodeGrant" yaml:"authorizationCodeGrant"`
	// Client should get the access token and ID token from the token endpoint using a combination of client and client_secret.
	// Default: false.
	//
	ClientCredentials *bool `field:"optional" json:"clientCredentials" yaml:"clientCredentials"`
	// The client should get the access token and ID token directly.
	// Default: false.
	//
	ImplicitCodeGrant *bool `field:"optional" json:"implicitCodeGrant" yaml:"implicitCodeGrant"`
}
Types of OAuth grant flows.
Example:
userpool := cognito.NewUserPool(this, jsii.String("UserPool"), &UserPoolProps{
})
client := userpool.AddClient(jsii.String("Client"), &UserPoolClientOptions{
	// ...
	OAuth: &OAuthSettings{
		Flows: &OAuthFlows{
			ImplicitCodeGrant: jsii.Boolean(true),
		},
		CallbackUrls: &[]*string{
			jsii.String("https://myapp.com/home"),
			jsii.String("https://myapp.com/users"),
		},
	},
})
domain := userpool.AddDomain(jsii.String("Domain"), &UserPoolDomainOptions{
})
signInUrl := domain.SignInUrl(client, &SignInUrlOptions{
	RedirectUri: jsii.String("https://myapp.com/home"),
})
See: - the 'Allowed OAuth Flows' section at https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html
type OAuthScope ¶
type OAuthScope interface {
	// The name of this scope as recognized by CloudFormation.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-allowedoauthscopes
	//
	ScopeName() *string
}
OAuth scopes that are allowed with this client.
Example:
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)

readOnlyScope := cognito.NewResourceServerScope(&ResourceServerScopeProps{
	ScopeName: jsii.String("read"),
	ScopeDescription: jsii.String("Read-only access"),
})
fullAccessScope := cognito.NewResourceServerScope(&ResourceServerScopeProps{
	ScopeName: jsii.String("*"),
	ScopeDescription: jsii.String("Full access"),
})

userServer := pool.AddResourceServer(jsii.String("ResourceServer"), &UserPoolResourceServerOptions{
	Identifier: jsii.String("users"),
	Scopes: &[]ResourceServerScope{
		readOnlyScope,
		fullAccessScope,
	},
})

readOnlyClient := pool.AddClient(jsii.String("read-only-client"), &UserPoolClientOptions{
	// ...
	OAuth: &OAuthSettings{
		// ...
		Scopes: &[]OAuthScope{
			cognito.OAuthScope_ResourceServer(userServer, readOnlyScope),
		},
	},
})

fullAccessClient := pool.AddClient(jsii.String("full-access-client"), &UserPoolClientOptions{
	// ...
	OAuth: &OAuthSettings{
		// ...
		Scopes: &[]OAuthScope{
			cognito.OAuthScope_ResourceServer(userServer, fullAccessScope),
		},
	},
})
See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html
func OAuthScope_COGNITO_ADMIN ¶
func OAuthScope_COGNITO_ADMIN() OAuthScope
func OAuthScope_Custom ¶
func OAuthScope_Custom(name *string) OAuthScope
Custom scope is one that you define for your own resource server in the Resource Servers.
The format is 'resource-server-identifier/scope'. See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html
func OAuthScope_EMAIL ¶
func OAuthScope_EMAIL() OAuthScope
func OAuthScope_OPENID ¶
func OAuthScope_OPENID() OAuthScope
func OAuthScope_PHONE ¶
func OAuthScope_PHONE() OAuthScope
func OAuthScope_PROFILE ¶
func OAuthScope_PROFILE() OAuthScope
func OAuthScope_ResourceServer ¶
func OAuthScope_ResourceServer(server IUserPoolResourceServer, scope ResourceServerScope) OAuthScope
Adds a custom scope that's tied to a resource server in your stack.
type OAuthSettings ¶
type OAuthSettings struct {
	// List of allowed redirect URLs for the identity providers.
	// Default: - ['https://example.com'] if either authorizationCodeGrant or implicitCodeGrant flows are enabled, no callback URLs otherwise.
	//
	CallbackUrls *[]*string `field:"optional" json:"callbackUrls" yaml:"callbackUrls"`
	// The default redirect URI. Must be in the `callbackUrls` list.
	//
	// A redirect URI must:
	// * Be an absolute URI
	// * Be registered with the authorization server.
	// * Not include a fragment component.
	// See: https://tools.ietf.org/html/rfc6749#section-3.1.2
	//
	// Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only.
	//
	// App callback URLs such as myapp://example are also supported.
	//
	// Default: - no default redirect URI.
	//
	DefaultRedirectUri *string `field:"optional" json:"defaultRedirectUri" yaml:"defaultRedirectUri"`
	// OAuth flows that are allowed with this client.
	// See: - the 'Allowed OAuth Flows' section at https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html
	//
	// Default: {authorizationCodeGrant:true,implicitCodeGrant:true}.
	//
	Flows *OAuthFlows `field:"optional" json:"flows" yaml:"flows"`
	// List of allowed logout URLs for the identity providers.
	// Default: - no logout URLs.
	//
	LogoutUrls *[]*string `field:"optional" json:"logoutUrls" yaml:"logoutUrls"`
	// OAuth scopes that are allowed with this client.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html
	//
	// Default: [OAuthScope.PHONE,OAuthScope.EMAIL,OAuthScope.OPENID,OAuthScope.PROFILE,OAuthScope.COGNITO_ADMIN]
	//
	Scopes *[]OAuthScope `field:"optional" json:"scopes" yaml:"scopes"`
}
OAuth settings to configure the interaction between the app and this client.
Example:
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)

readOnlyScope := cognito.NewResourceServerScope(&ResourceServerScopeProps{
	ScopeName: jsii.String("read"),
	ScopeDescription: jsii.String("Read-only access"),
})
fullAccessScope := cognito.NewResourceServerScope(&ResourceServerScopeProps{
	ScopeName: jsii.String("*"),
	ScopeDescription: jsii.String("Full access"),
})

userServer := pool.AddResourceServer(jsii.String("ResourceServer"), &UserPoolResourceServerOptions{
	Identifier: jsii.String("users"),
	Scopes: &[]ResourceServerScope{
		readOnlyScope,
		fullAccessScope,
	},
})

readOnlyClient := pool.AddClient(jsii.String("read-only-client"), &UserPoolClientOptions{
	// ...
	OAuth: &OAuthSettings{
		// ...
		Scopes: &[]OAuthScope{
			cognito.OAuthScope_ResourceServer(userServer, readOnlyScope),
		},
	},
})

fullAccessClient := pool.AddClient(jsii.String("full-access-client"), &UserPoolClientOptions{
	// ...
	OAuth: &OAuthSettings{
		// ...
		Scopes: &[]OAuthScope{
			cognito.OAuthScope_ResourceServer(userServer, fullAccessScope),
		},
	},
})
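The redirect URI rules stated in the `OAuthSettings` comments can be checked before a stack is deployed. The following is an added example, not part of the CDK or of this page's own code: `OAuthConfig`, `checkRedirectURI` and `lintOAuth` are hypothetical names, the sample configuration is constructed, and exact string comparison against `callbackUrls` is an assumption.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// OAuthConfig is a hypothetical plain-Go mirror of the OAuthSettings fields
// checked below; it is not the CDK struct.
type OAuthConfig struct {
	CallbackUrls           []string
	DefaultRedirectUri     string
	AuthorizationCodeGrant bool
	ImplicitCodeGrant      bool
}

// checkRedirectURI returns one message per documented redirect URI rule that raw violates.
func checkRedirectURI(raw string) []string {
	u, err := url.Parse(raw)
	if err != nil {
		return []string{fmt.Sprintf("%s: cannot be parsed as a URI", raw)}
	}
	if !u.IsAbs() {
		return []string{fmt.Sprintf("%s: must be an absolute URI", raw)}
	}
	var problems []string
	// url.Parse reports an empty fragment ("...#") as "", so test the raw string too.
	if u.Fragment != "" || strings.Contains(raw, "#") {
		problems = append(problems, fmt.Sprintf("%s: must not include a fragment", raw))
	}
	switch strings.ToLower(u.Scheme) {
	case "https":
		if u.Host == "" {
			problems = append(problems, fmt.Sprintf("%s: https URI has no host", raw))
		}
	case "http":
		// Only the exact host "localhost" qualifies; "localhost.example.net" does not.
		if u.Hostname() != "localhost" {
			problems = append(problems, fmt.Sprintf("%s: plain HTTP is accepted only for http://localhost", raw))
		}
	default:
		// App callback schemes such as myapp://example are supported.
	}
	return problems
}

// lintOAuth applies the per-URI rules to every callback URL and checks the
// list-level rules from the OAuthSettings documentation.
func lintOAuth(cfg OAuthConfig) []string {
	var findings []string
	redirectFlow := cfg.AuthorizationCodeGrant || cfg.ImplicitCodeGrant
	if redirectFlow && len(cfg.CallbackUrls) == 0 {
		findings = append(findings,
			"callbackUrls is empty: the documented default ['https://example.com'] would apply")
	}
	inList := false
	for _, cb := range cfg.CallbackUrls {
		findings = append(findings, checkRedirectURI(cb)...)
		if cb == cfg.DefaultRedirectUri {
			inList = true
		}
	}
	if cfg.DefaultRedirectUri != "" && !inList {
		findings = append(findings, checkRedirectURI(cfg.DefaultRedirectUri)...)
		findings = append(findings,
			fmt.Sprintf("defaultRedirectUri %s is not in callbackUrls", cfg.DefaultRedirectUri))
	}
	return findings
}

func main() {
	// Constructed sample configuration, not taken from a real deployment.
	cfg := OAuthConfig{
		ImplicitCodeGrant: true,
		CallbackUrls: []string{
			"https://myapp.com/home",
			"http://myapp.com/users",
			"myapp://example",
		},
		DefaultRedirectUri: "https://myapp.com/login",
	}
	for _, f := range lintOAuth(cfg) {
		fmt.Println("FINDING:", f)
	}
}
```

Running such a check in CI against the values passed to `CallbackUrls` and `DefaultRedirectUri` catches a non-HTTPS or unregistered redirect target before it reaches the user pool client.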
type OidcAttributeRequestMethod ¶ added in v2.27.0
type OidcAttributeRequestMethod string
The method to use to request attributes.
const (
	// GET.
	OidcAttributeRequestMethod_GET OidcAttributeRequestMethod = "GET"
	// POST.
	OidcAttributeRequestMethod_POST OidcAttributeRequestMethod = "POST"
)
type OidcEndpoints ¶ added in v2.27.0
type OidcEndpoints struct {
	// Authorization endpoint.
	Authorization *string `field:"required" json:"authorization" yaml:"authorization"`
	// Jwks_uri endpoint.
	JwksUri *string `field:"required" json:"jwksUri" yaml:"jwksUri"`
	// Token endpoint.
	Token *string `field:"required" json:"token" yaml:"token"`
	// UserInfo endpoint.
	UserInfo *string `field:"required" json:"userInfo" yaml:"userInfo"`
}
OpenID Connect endpoints.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

oidcEndpoints := &OidcEndpoints{
	Authorization: jsii.String("authorization"),
	JwksUri: jsii.String("jwksUri"),
	Token: jsii.String("token"),
	UserInfo: jsii.String("userInfo"),
}
type PasskeyUserVerification ¶ added in v2.179.0
type PasskeyUserVerification string
The user-pool treatment for MFA with a passkey.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &UserPoolProps{
	SignInPolicy: &SignInPolicy{
		AllowedFirstAuthFactors: &AllowedFirstAuthFactors{
			Password: jsii.Boolean(true),
			Passkey: jsii.Boolean(true),
		},
	},
	PasskeyRelyingPartyId: jsii.String("auth.example.com"),
	PasskeyUserVerification: cognito.PasskeyUserVerification_REQUIRED,
})
const (
	// Passkey MFA is preferred.
	PasskeyUserVerification_PREFERRED PasskeyUserVerification = "PREFERRED"
	// Passkey MFA is required.
	PasskeyUserVerification_REQUIRED PasskeyUserVerification = "REQUIRED"
)
type PasswordPolicy ¶
type PasswordPolicy struct {
	// Minimum length required for a user's password.
	// Default: 8.
	//
	MinLength *float64 `field:"optional" json:"minLength" yaml:"minLength"`
	// The number of previous passwords that you want Amazon Cognito to restrict each user from reusing.
	//
	// `passwordHistorySize` cannot be set when `featurePlan` is `FeaturePlan.LITE`.
	// Default: undefined - Cognito default setting is no restriction.
	//
	PasswordHistorySize *float64 `field:"optional" json:"passwordHistorySize" yaml:"passwordHistorySize"`
	// Whether the user is required to have digits in their password.
	// Default: true.
	//
	RequireDigits *bool `field:"optional" json:"requireDigits" yaml:"requireDigits"`
	// Whether the user is required to have lowercase characters in their password.
	// Default: true.
	//
	RequireLowercase *bool `field:"optional" json:"requireLowercase" yaml:"requireLowercase"`
	// Whether the user is required to have symbols in their password.
	// Default: true.
	//
	RequireSymbols *bool `field:"optional" json:"requireSymbols" yaml:"requireSymbols"`
	// Whether the user is required to have uppercase characters in their password.
	// Default: true.
	//
	RequireUppercase *bool `field:"optional" json:"requireUppercase" yaml:"requireUppercase"`
	// The length of time the temporary password generated by an admin is valid.
	//
	// This must be provided as whole days, like Duration.days(3) or Duration.hours(48).
	// Fractional days, such as Duration.hours(20), will generate an error.
	// Default: Duration.days(7)
	//
	TempPasswordValidity awscdk.Duration `field:"optional" json:"tempPasswordValidity" yaml:"tempPasswordValidity"`
}
Password policy for User Pools.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &UserPoolProps{
	// ...
	PasswordPolicy: &PasswordPolicy{
		MinLength: jsii.Number(12),
		RequireLowercase: jsii.Boolean(true),
		RequireUppercase: jsii.Boolean(true),
		RequireDigits: jsii.Boolean(true),
		RequireSymbols: jsii.Boolean(true),
		TempPasswordValidity: awscdk.Duration_Days(jsii.Number(3)),
	},
})
type ProviderAttribute ¶
type ProviderAttribute interface {
	// The attribute value string as recognized by the provider.
	AttributeName() *string
}
An attribute available from a third party identity provider.
Example:
userpool := cognito.NewUserPool(this, jsii.String("Pool"), nil)

cognito.NewUserPoolIdentityProviderAmazon(this, jsii.String("Amazon"), &UserPoolIdentityProviderAmazonProps{
	ClientId: jsii.String("amzn-client-id"),
	ClientSecret: jsii.String("amzn-client-secret"),
	UserPool: userpool,
	AttributeMapping: &AttributeMapping{
		Email: cognito.ProviderAttribute_AMAZON_EMAIL(),
		// use other() when an attribute is not pre-defined in the CDK
		Website: cognito.ProviderAttribute_Other(jsii.String("url")),
		Custom: &map[string]ProviderAttribute{
			// custom user pool attributes go here
			"uniqueId": cognito.ProviderAttribute_AMAZON_USER_ID(),
		},
	},
})
func ProviderAttribute_AMAZON_EMAIL ¶
func ProviderAttribute_AMAZON_EMAIL() ProviderAttribute
func ProviderAttribute_AMAZON_NAME ¶
func ProviderAttribute_AMAZON_NAME() ProviderAttribute
func ProviderAttribute_AMAZON_POSTAL_CODE ¶
func ProviderAttribute_AMAZON_POSTAL_CODE() ProviderAttribute
func ProviderAttribute_AMAZON_USER_ID ¶
func ProviderAttribute_AMAZON_USER_ID() ProviderAttribute
func ProviderAttribute_APPLE_EMAIL ¶
func ProviderAttribute_APPLE_EMAIL() ProviderAttribute
func ProviderAttribute_APPLE_EMAIL_VERIFIED ¶ added in v2.163.0
func ProviderAttribute_APPLE_EMAIL_VERIFIED() ProviderAttribute
func ProviderAttribute_APPLE_FIRST_NAME ¶
func ProviderAttribute_APPLE_FIRST_NAME() ProviderAttribute
func ProviderAttribute_APPLE_LAST_NAME ¶
func ProviderAttribute_APPLE_LAST_NAME() ProviderAttribute
func ProviderAttribute_APPLE_NAME ¶
func ProviderAttribute_APPLE_NAME() ProviderAttribute
func ProviderAttribute_FACEBOOK_BIRTHDAY ¶
func ProviderAttribute_FACEBOOK_BIRTHDAY() ProviderAttribute
func ProviderAttribute_FACEBOOK_EMAIL ¶
func ProviderAttribute_FACEBOOK_EMAIL() ProviderAttribute
func ProviderAttribute_FACEBOOK_FIRST_NAME ¶
func ProviderAttribute_FACEBOOK_FIRST_NAME() ProviderAttribute
func ProviderAttribute_FACEBOOK_GENDER ¶
func ProviderAttribute_FACEBOOK_GENDER() ProviderAttribute
func ProviderAttribute_FACEBOOK_ID ¶
func ProviderAttribute_FACEBOOK_ID() ProviderAttribute
func ProviderAttribute_FACEBOOK_LAST_NAME ¶
func ProviderAttribute_FACEBOOK_LAST_NAME() ProviderAttribute
func ProviderAttribute_FACEBOOK_LOCALE ¶
func ProviderAttribute_FACEBOOK_LOCALE() ProviderAttribute
func ProviderAttribute_FACEBOOK_MIDDLE_NAME ¶
func ProviderAttribute_FACEBOOK_MIDDLE_NAME() ProviderAttribute
func ProviderAttribute_FACEBOOK_NAME ¶
func ProviderAttribute_FACEBOOK_NAME() ProviderAttribute
func ProviderAttribute_GOOGLE_BIRTHDAYS ¶
func ProviderAttribute_GOOGLE_BIRTHDAYS() ProviderAttribute
func ProviderAttribute_GOOGLE_EMAIL ¶
func ProviderAttribute_GOOGLE_EMAIL() ProviderAttribute
func ProviderAttribute_GOOGLE_EMAIL_VERIFIED ¶ added in v2.163.0
func ProviderAttribute_GOOGLE_EMAIL_VERIFIED() ProviderAttribute
func ProviderAttribute_GOOGLE_FAMILY_NAME ¶
func ProviderAttribute_GOOGLE_FAMILY_NAME() ProviderAttribute
func ProviderAttribute_GOOGLE_GENDER ¶
func ProviderAttribute_GOOGLE_GENDER() ProviderAttribute
func ProviderAttribute_GOOGLE_GIVEN_NAME ¶
func ProviderAttribute_GOOGLE_GIVEN_NAME() ProviderAttribute
func ProviderAttribute_GOOGLE_NAME ¶
func ProviderAttribute_GOOGLE_NAME() ProviderAttribute
func ProviderAttribute_GOOGLE_NAMES ¶
func ProviderAttribute_GOOGLE_NAMES() ProviderAttribute
func ProviderAttribute_GOOGLE_PHONE_NUMBERS ¶
func ProviderAttribute_GOOGLE_PHONE_NUMBERS() ProviderAttribute
func ProviderAttribute_GOOGLE_PICTURE ¶
func ProviderAttribute_GOOGLE_PICTURE() ProviderAttribute
func ProviderAttribute_Other ¶
func ProviderAttribute_Other(attributeName *string) ProviderAttribute
Use this to specify an attribute from the identity provider that is not pre-defined in the CDK.
type ResourceServerScope ¶
type ResourceServerScope interface {
	// A description of the scope.
	ScopeDescription() *string
	// The name of the scope.
	ScopeName() *string
}
A scope for ResourceServer.
Example:
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)

readOnlyScope := cognito.NewResourceServerScope(&ResourceServerScopeProps{
	ScopeName: jsii.String("read"),
	ScopeDescription: jsii.String("Read-only access"),
})
fullAccessScope := cognito.NewResourceServerScope(&ResourceServerScopeProps{
	ScopeName: jsii.String("*"),
	ScopeDescription: jsii.String("Full access"),
})

userServer := pool.AddResourceServer(jsii.String("ResourceServer"), &UserPoolResourceServerOptions{
	Identifier: jsii.String("users"),
	Scopes: &[]ResourceServerScope{
		readOnlyScope,
		fullAccessScope,
	},
})

readOnlyClient := pool.AddClient(jsii.String("read-only-client"), &UserPoolClientOptions{
	// ...
	OAuth: &OAuthSettings{
		// ...
		Scopes: &[]OAuthScope{
			cognito.OAuthScope_ResourceServer(userServer, readOnlyScope),
		},
	},
})

fullAccessClient := pool.AddClient(jsii.String("full-access-client"), &UserPoolClientOptions{
	// ...
	OAuth: &OAuthSettings{
		// ...
		Scopes: &[]OAuthScope{
			cognito.OAuthScope_ResourceServer(userServer, fullAccessScope),
		},
	},
})
func NewResourceServerScope ¶
func NewResourceServerScope(props *ResourceServerScopeProps) ResourceServerScope
type ResourceServerScopeProps ¶
type ResourceServerScopeProps struct {
	// A description of the scope.
	ScopeDescription *string `field:"required" json:"scopeDescription" yaml:"scopeDescription"`
	// The name of the scope.
	ScopeName *string `field:"required" json:"scopeName" yaml:"scopeName"`
}
Props to initialize ResourceServerScope.
Example:
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)

readOnlyScope := cognito.NewResourceServerScope(&ResourceServerScopeProps{
	ScopeName: jsii.String("read"),
	ScopeDescription: jsii.String("Read-only access"),
})
fullAccessScope := cognito.NewResourceServerScope(&ResourceServerScopeProps{
	ScopeName: jsii.String("*"),
	ScopeDescription: jsii.String("Full access"),
})

userServer := pool.AddResourceServer(jsii.String("ResourceServer"), &UserPoolResourceServerOptions{
	Identifier: jsii.String("users"),
	Scopes: &[]ResourceServerScope{
		readOnlyScope,
		fullAccessScope,
	},
})

readOnlyClient := pool.AddClient(jsii.String("read-only-client"), &UserPoolClientOptions{
	// ...
	OAuth: &OAuthSettings{
		// ...
		Scopes: &[]OAuthScope{
			cognito.OAuthScope_ResourceServer(userServer, readOnlyScope),
		},
	},
})

fullAccessClient := pool.AddClient(jsii.String("full-access-client"), &UserPoolClientOptions{
	// ...
	OAuth: &OAuthSettings{
		// ...
		Scopes: &[]OAuthScope{
			cognito.OAuthScope_ResourceServer(userServer, fullAccessScope),
		},
	},
})
type SignInAliases ¶
type SignInAliases struct {
	// Whether a user is allowed to sign up or sign in with an email address.
	// Default: false.
	//
	Email *bool `field:"optional" json:"email" yaml:"email"`
	// Whether a user is allowed to sign up or sign in with a phone number.
	// Default: false.
	//
	Phone *bool `field:"optional" json:"phone" yaml:"phone"`
	// Whether a user is allowed to sign in with a secondary username that can be set and modified after sign up.
	//
	// Can only be used in conjunction with `USERNAME`.
	// Default: false.
	//
	PreferredUsername *bool `field:"optional" json:"preferredUsername" yaml:"preferredUsername"`
	// Whether a user is allowed to sign up or sign in with a username.
	// Default: true.
	//
	Username *bool `field:"optional" json:"username" yaml:"username"`
}
The different ways in which users of this pool can sign up or sign in.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &UserPoolProps{
	// ...
	SignInAliases: &SignInAliases{
		Username: jsii.Boolean(true),
		Email: jsii.Boolean(true),
	},
	AutoVerify: &AutoVerifiedAttrs{
		Email: jsii.Boolean(true),
		Phone: jsii.Boolean(true),
	},
})
type SignInPolicy ¶ added in v2.179.0
type SignInPolicy struct {
	// The types of authentication that you want to allow for users' first authentication prompt.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-selection-sdk.html#authentication-flows-selection-choice
	//
	// Default: - Password only.
	//
	AllowedFirstAuthFactors *AllowedFirstAuthFactors `field:"optional" json:"allowedFirstAuthFactors" yaml:"allowedFirstAuthFactors"`
}
Sign-in policy for User Pools.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &UserPoolProps{
	SignInPolicy: &SignInPolicy{
		AllowedFirstAuthFactors: &AllowedFirstAuthFactors{
			Password: jsii.Boolean(true),
			Passkey: jsii.Boolean(true),
		},
	},
	PasskeyRelyingPartyId: jsii.String("auth.example.com"),
	PasskeyUserVerification: cognito.PasskeyUserVerification_REQUIRED,
})
type SignInUrlOptions ¶
type SignInUrlOptions struct {
	// Whether to return the FIPS-compliant endpoint.
	// Default: return the standard URL.
	//
	Fips *bool `field:"optional" json:"fips" yaml:"fips"`
	// Where to redirect to after sign in.
	RedirectUri *string `field:"required" json:"redirectUri" yaml:"redirectUri"`
	// The path in the URI where the sign-in page is located.
	// Default: '/login'.
	//
	SignInPath *string `field:"optional" json:"signInPath" yaml:"signInPath"`
}
Options to customize the behaviour of `signInUrl()`.
Example:
userpool := cognito.NewUserPool(this, jsii.String("UserPool"), &UserPoolProps{
})
client := userpool.AddClient(jsii.String("Client"), &UserPoolClientOptions{
	// ...
	OAuth: &OAuthSettings{
		Flows: &OAuthFlows{
			ImplicitCodeGrant: jsii.Boolean(true),
		},
		CallbackUrls: &[]*string{
			jsii.String("https://myapp.com/home"),
			jsii.String("https://myapp.com/users"),
		},
	},
})
domain := userpool.AddDomain(jsii.String("Domain"), &UserPoolDomainOptions{
})
signInUrl := domain.SignInUrl(client, &SignInUrlOptions{
	RedirectUri: jsii.String("https://myapp.com/home"),
})
type SigningAlgorithm ¶ added in v2.138.0
type SigningAlgorithm string
Signing algorithms for SAML requests.
Example:
userpool := cognito.NewUserPool(this, jsii.String("Pool"), nil)

// specify the metadata as a file content
cognito.NewUserPoolIdentityProviderSaml(this, jsii.String("userpoolIdpFile"), &UserPoolIdentityProviderSamlProps{
	UserPool: userpool,
	Metadata: cognito.UserPoolIdentityProviderSamlMetadata_File(jsii.String("my-file-contents")),
	// Whether to require encrypted SAML assertions from IdP
	EncryptedResponses: jsii.Boolean(true),
	// The signing algorithm for the SAML requests
	RequestSigningAlgorithm: cognito.SigningAlgorithm_RSA_SHA256,
	// Enable IdP initiated SAML auth flow
	IdpInitiated: jsii.Boolean(true),
})

// specify the metadata as a URL
cognito.NewUserPoolIdentityProviderSaml(this, jsii.String("userpoolidpUrl"), &UserPoolIdentityProviderSamlProps{
	UserPool: userpool,
	Metadata: cognito.UserPoolIdentityProviderSamlMetadata_Url(jsii.String("https://my-metadata-url.com")),
})
const (
	// RSA with SHA-256.
	SigningAlgorithm_RSA_SHA256 SigningAlgorithm = "RSA_SHA256"
)
type StandardAttribute ¶
type StandardAttribute struct {
	// Specifies whether the value of the attribute can be changed.
	//
	// For any user pool attribute that's mapped to an identity provider attribute, this must be set to `true`.
	// Amazon Cognito updates mapped attributes when users sign in to your application through an identity provider.
	// If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute.
	// Default: true.
	//
	Mutable *bool `field:"optional" json:"mutable" yaml:"mutable"`
	// Specifies whether the attribute is required upon user registration.
	//
	// If the attribute is required and the user does not provide a value, registration or sign-in will fail.
	// Default: false.
	//
	Required *bool `field:"optional" json:"required" yaml:"required"`
}
Standard attribute that can be marked as required or mutable.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &UserPoolProps{
	// ...
	StandardAttributes: &StandardAttributes{
		Fullname: &StandardAttribute{
			Required: jsii.Boolean(true),
			Mutable: jsii.Boolean(false),
		},
		Address: &StandardAttribute{
			Required: jsii.Boolean(false),
			Mutable: jsii.Boolean(true),
		},
	},
	CustomAttributes: &map[string]ICustomAttribute{
		"myappid": cognito.NewStringAttribute(&StringAttributeProps{
			MinLen: jsii.Number(5),
			MaxLen: jsii.Number(15),
			Mutable: jsii.Boolean(false),
		}),
		"callingcode": cognito.NewNumberAttribute(&NumberAttributeProps{
			Min: jsii.Number(1),
			Max: jsii.Number(3),
			Mutable: jsii.Boolean(true),
		}),
		"isEmployee": cognito.NewBooleanAttribute(&CustomAttributeProps{
			Mutable: jsii.Boolean(true),
		}),
		"joinedOn": cognito.NewDateTimeAttribute(nil),
	},
})
type StandardAttributes ¶
type StandardAttributes struct {
	// The user's postal address.
	// Default: - see the defaults under `StandardAttribute`.
	//
	Address *StandardAttribute `field:"optional" json:"address" yaml:"address"`
	// The user's birthday, represented as an ISO 8601:2004 format.
	// Default: - see the defaults under `StandardAttribute`.
	//
	Birthdate *StandardAttribute `field:"optional" json:"birthdate" yaml:"birthdate"`
	// The user's e-mail address, represented as an RFC 5322 [RFC5322] addr-spec.
	// Default: - see the defaults under `StandardAttribute`.
	//
	Email *StandardAttribute `field:"optional" json:"email" yaml:"email"`
	// The surname or last name of the user.
	// Default: - see the defaults under `StandardAttribute`.
	//
	FamilyName *StandardAttribute `field:"optional" json:"familyName" yaml:"familyName"`
	// The user's full name in displayable form, including all name parts, titles and suffixes.
	// Default: - see the defaults under `StandardAttribute`.
	//
	Fullname *StandardAttribute `field:"optional" json:"fullname" yaml:"fullname"`
	// The user's gender.
	// Default: - see the defaults under `StandardAttribute`.
	//
	Gender *StandardAttribute `field:"optional" json:"gender" yaml:"gender"`
	// The user's first name or given name.
	// Default: - see the defaults under `StandardAttribute`.
	//
	GivenName *StandardAttribute `field:"optional" json:"givenName" yaml:"givenName"`
	// The time the user's information was last updated.
	// Default: - see the defaults under `StandardAttribute`.
	//
	LastUpdateTime *StandardAttribute `field:"optional" json:"lastUpdateTime" yaml:"lastUpdateTime"`
	// The user's locale, represented as a BCP47 [RFC5646] language tag.
	// Default: - see the defaults under `StandardAttribute`.
	//
	Locale *StandardAttribute `field:"optional" json:"locale" yaml:"locale"`
	// The user's middle name.
	// Default: - see the defaults under `StandardAttribute`.
	//
	MiddleName *StandardAttribute `field:"optional" json:"middleName" yaml:"middleName"`
	// The user's nickname or casual name.
	// Default: - see the defaults under `StandardAttribute`.
	//
	Nickname *StandardAttribute `field:"optional" json:"nickname" yaml:"nickname"`
	// The user's telephone number.
	// Default: - see the defaults under `StandardAttribute`.
	//
	PhoneNumber *StandardAttribute `field:"optional" json:"phoneNumber" yaml:"phoneNumber"`
	// The user's preferred username, different from the immutable user name.
	// Default: - see the defaults under `StandardAttribute`.
	//
	PreferredUsername *StandardAttribute `field:"optional" json:"preferredUsername" yaml:"preferredUsername"`
	// The URL to the user's profile page.
	// Default: - see the defaults under `StandardAttribute`.
	//
	ProfilePage *StandardAttribute `field:"optional" json:"profilePage" yaml:"profilePage"`
	// The URL to the user's profile picture.
	// Default: - see the defaults under `StandardAttribute`.
	//
	ProfilePicture *StandardAttribute `field:"optional" json:"profilePicture" yaml:"profilePicture"`
	// The user's time zone.
	// Default: - see the defaults under `StandardAttribute`.
	//
	Timezone *StandardAttribute `field:"optional" json:"timezone" yaml:"timezone"`
	// The URL to the user's web page or blog.
	// Default: - see the defaults under `StandardAttribute`.
	//
	Website *StandardAttribute `field:"optional" json:"website" yaml:"website"`
}
The set of standard attributes that can be marked as required or mutable.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &UserPoolProps{
	// ...
	StandardAttributes: &StandardAttributes{
		Fullname: &StandardAttribute{
			Required: jsii.Boolean(true),
			Mutable: jsii.Boolean(false),
		},
		Address: &StandardAttribute{
			Required: jsii.Boolean(false),
			Mutable: jsii.Boolean(true),
		},
	},
	CustomAttributes: &map[string]ICustomAttribute{
		"myappid": cognito.NewStringAttribute(&StringAttributeProps{
			MinLen: jsii.Number(5),
			MaxLen: jsii.Number(15),
			Mutable: jsii.Boolean(false),
		}),
		"callingcode": cognito.NewNumberAttribute(&NumberAttributeProps{
			Min: jsii.Number(1),
			Max: jsii.Number(3),
			Mutable: jsii.Boolean(true),
		}),
		"isEmployee": cognito.NewBooleanAttribute(&CustomAttributeProps{
			Mutable: jsii.Boolean(true),
		}),
		"joinedOn": cognito.NewDateTimeAttribute(nil),
	},
})
type StandardAttributesMask ¶
type StandardAttributesMask struct {
	// The user's postal address.
	// Default: false.
	//
	Address *bool `field:"optional" json:"address" yaml:"address"`
	// The user's birthday, represented as an ISO 8601:2004 format.
	// Default: false.
	//
	Birthdate *bool `field:"optional" json:"birthdate" yaml:"birthdate"`
	// The user's e-mail address, represented as an RFC 5322 [RFC5322] addr-spec.
	// Default: false.
	//
	Email *bool `field:"optional" json:"email" yaml:"email"`
	// Whether the email address has been verified.
	// Default: false.
	//
	EmailVerified *bool `field:"optional" json:"emailVerified" yaml:"emailVerified"`
	// The surname or last name of the user.
	// Default: false.
	//
	FamilyName *bool `field:"optional" json:"familyName" yaml:"familyName"`
	// The user's full name in displayable form, including all name parts, titles and suffixes.
	// Default: false.
	//
	Fullname *bool `field:"optional" json:"fullname" yaml:"fullname"`
	// The user's gender.
	// Default: false.
	//
	Gender *bool `field:"optional" json:"gender" yaml:"gender"`
	// The user's first name or given name.
	// Default: false.
	//
	GivenName *bool `field:"optional" json:"givenName" yaml:"givenName"`
	// The time the user's information was last updated.
	// Default: false.
	//
	LastUpdateTime *bool `field:"optional" json:"lastUpdateTime" yaml:"lastUpdateTime"`
	// The user's locale, represented as a BCP47 [RFC5646] language tag.
	// Default: false.
	//
	Locale *bool `field:"optional" json:"locale" yaml:"locale"`
	// The user's middle name.
	// Default: false.
	//
	MiddleName *bool `field:"optional" json:"middleName" yaml:"middleName"`
	// The user's nickname or casual name.
	// Default: false.
	//
	Nickname *bool `field:"optional" json:"nickname" yaml:"nickname"`
	// The user's telephone number.
	// Default: false.
	//
	PhoneNumber *bool `field:"optional" json:"phoneNumber" yaml:"phoneNumber"`
	// Whether the phone number has been verified.
	// Default: false.
	//
	PhoneNumberVerified *bool `field:"optional" json:"phoneNumberVerified" yaml:"phoneNumberVerified"`
	// The user's preferred username, different from the immutable user name.
	// Default: false.
	//
	PreferredUsername *bool `field:"optional" json:"preferredUsername" yaml:"preferredUsername"`
	// The URL to the user's profile page.
	// Default: false.
	//
	ProfilePage *bool `field:"optional" json:"profilePage" yaml:"profilePage"`
	// The URL to the user's profile picture.
	// Default: false.
	//
	ProfilePicture *bool `field:"optional" json:"profilePicture" yaml:"profilePicture"`
	// The user's time zone.
	// Default: false.
	//
	Timezone *bool `field:"optional" json:"timezone" yaml:"timezone"`
	// The URL to the user's web page or blog.
	// Default: false.
	//
	Website *bool `field:"optional" json:"website" yaml:"website"`
}
This interface contains standard attributes recognized by Cognito from https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html including built-in attributes `email_verified` and `phone_number_verified`.
Example:
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)

// Attributes the app client may write.
clientWriteAttributes := cognito.NewClientAttributes().WithStandardAttributes(&cognito.StandardAttributesMask{
	Fullname: jsii.Boolean(true),
	Email: jsii.Boolean(true),
}).WithCustomAttributes(jsii.String("favoritePizza"), jsii.String("favoriteBeverage"))

// Attributes the app client may read: everything it can write, plus two read-only ones.
clientReadAttributes := clientWriteAttributes.WithStandardAttributes(&cognito.StandardAttributesMask{
	EmailVerified: jsii.Boolean(true),
}).WithCustomAttributes(jsii.String("pointsEarned"))

pool.AddClient(jsii.String("app-client"), &cognito.UserPoolClientOptions{
	// ...
	ReadAttributes: clientReadAttributes,
	WriteAttributes: clientWriteAttributes,
})
type StandardThreatProtectionMode (added in v2.181.0)
type StandardThreatProtectionMode string
The Type of Threat Protection Enabled for Standard Authentication.
This feature only functions if your FeaturePlan is set to FeaturePlan.PLUS. See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html
const (
	// Cognito automatically takes preventative actions in response to different levels of risk that you configure for your user pool.
	StandardThreatProtectionMode_FULL_FUNCTION StandardThreatProtectionMode = "FULL_FUNCTION"
	// Cognito gathers metrics on detected risks, but doesn't take automatic action.
	StandardThreatProtectionMode_AUDIT_ONLY StandardThreatProtectionMode = "AUDIT_ONLY"
	// Cognito doesn't gather metrics on detected risks or automatically take preventative actions.
	StandardThreatProtectionMode_NO_ENFORCEMENT StandardThreatProtectionMode = "NO_ENFORCEMENT"
)
type StringAttribute
type StringAttribute interface {
	ICustomAttribute
	// Bind this custom attribute type to the values as expected by CloudFormation.
	Bind() *CustomAttributeConfig
}
The String custom attribute type.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	// ...
	StandardAttributes: &cognito.StandardAttributes{
		Fullname: &cognito.StandardAttribute{
			Required: jsii.Boolean(true),
			Mutable: jsii.Boolean(false),
		},
		Address: &cognito.StandardAttribute{
			Required: jsii.Boolean(false),
			Mutable: jsii.Boolean(true),
		},
	},
	CustomAttributes: &map[string]cognito.ICustomAttribute{
		"myappid": cognito.NewStringAttribute(&cognito.StringAttributeProps{
			MinLen: jsii.Number(5),
			MaxLen: jsii.Number(15),
			Mutable: jsii.Boolean(false),
		}),
		"callingcode": cognito.NewNumberAttribute(&cognito.NumberAttributeProps{
			Min: jsii.Number(1),
			Max: jsii.Number(3),
			Mutable: jsii.Boolean(true),
		}),
		"isEmployee": cognito.NewBooleanAttribute(&cognito.CustomAttributeProps{
			Mutable: jsii.Boolean(true),
		}),
		// Optional props are passed as nil.
		"joinedOn": cognito.NewDateTimeAttribute(nil),
	},
})
func NewStringAttribute
func NewStringAttribute(props *StringAttributeProps) StringAttribute
type StringAttributeConstraints
type StringAttributeConstraints struct {
	// Maximum length of this attribute.
	// Default: 2048.
	//
	MaxLen *float64 `field:"optional" json:"maxLen" yaml:"maxLen"`
	// Minimum length of this attribute.
	// Default: 0.
	//
	MinLen *float64 `field:"optional" json:"minLen" yaml:"minLen"`
}
Constraints that can be applied to a custom attribute of string type.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import cognito "github.com/aws/aws-cdk-go/awscdk/v2/awscognito"

stringAttributeConstraints := &cognito.StringAttributeConstraints{
	MaxLen: jsii.Number(123),
	MinLen: jsii.Number(123),
}
type StringAttributeProps
type StringAttributeProps struct {
	// Maximum length of this attribute.
	// Default: 2048.
	//
	MaxLen *float64 `field:"optional" json:"maxLen" yaml:"maxLen"`
	// Minimum length of this attribute.
	// Default: 0.
	//
	MinLen *float64 `field:"optional" json:"minLen" yaml:"minLen"`
	// Specifies whether the value of the attribute can be changed.
	//
	// For any user pool attribute that's mapped to an identity provider attribute, you must set this parameter to true.
	// Amazon Cognito updates mapped attributes when users sign in to your application through an identity provider.
	// If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute.
	// Default: false.
	//
	Mutable *bool `field:"optional" json:"mutable" yaml:"mutable"`
}
Props for constructing a StringAttr.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	// ...
	StandardAttributes: &cognito.StandardAttributes{
		Fullname: &cognito.StandardAttribute{
			Required: jsii.Boolean(true),
			Mutable: jsii.Boolean(false),
		},
		Address: &cognito.StandardAttribute{
			Required: jsii.Boolean(false),
			Mutable: jsii.Boolean(true),
		},
	},
	CustomAttributes: &map[string]cognito.ICustomAttribute{
		"myappid": cognito.NewStringAttribute(&cognito.StringAttributeProps{
			MinLen: jsii.Number(5),
			MaxLen: jsii.Number(15),
			Mutable: jsii.Boolean(false),
		}),
		"callingcode": cognito.NewNumberAttribute(&cognito.NumberAttributeProps{
			Min: jsii.Number(1),
			Max: jsii.Number(3),
			Mutable: jsii.Boolean(true),
		}),
		"isEmployee": cognito.NewBooleanAttribute(&cognito.CustomAttributeProps{
			Mutable: jsii.Boolean(true),
		}),
		// Optional props are passed as nil.
		"joinedOn": cognito.NewDateTimeAttribute(nil),
	},
})
type UserInvitationConfig
type UserInvitationConfig struct {
	// The template to the email body that is sent to the user when an administrator signs them up to the user pool.
	// Default: 'Your username is {username} and temporary password is {####}.'
	//
	EmailBody *string `field:"optional" json:"emailBody" yaml:"emailBody"`
	// The template to the email subject that is sent to the user when an administrator signs them up to the user pool.
	// Default: 'Your temporary password'.
	//
	EmailSubject *string `field:"optional" json:"emailSubject" yaml:"emailSubject"`
	// The template to the SMS message that is sent to the user when an administrator signs them up to the user pool.
	// Default: 'Your username is {username} and temporary password is {####}'.
	//
	SmsMessage *string `field:"optional" json:"smsMessage" yaml:"smsMessage"`
}
User pool configuration when administrators sign users up.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &cognito.UserPoolProps{
	// ...
	UserInvitation: &cognito.UserInvitationConfig{
		EmailSubject: jsii.String("Invite to join our awesome app!"),
		EmailBody: jsii.String("Hello {username}, you have been invited to join our awesome app! Your temporary password is {####}"),
		SmsMessage: jsii.String("Hello {username}, your temporary password for our awesome app is {####}"),
	},
})
type UserPool
type UserPool interface {
	awscdk.Resource
	IUserPool
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// Get all identity providers registered with this user pool.
	IdentityProviders() *[]IUserPoolIdentityProvider
	// The tree node.
	Node() constructs.Node
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//   cross-environment scenarios.
	PhysicalName() *string
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// The ARN of the user pool.
	UserPoolArn() *string
	// The physical ID of this user pool resource.
	UserPoolId() *string
	// User pool provider name.
	UserPoolProviderName() *string
	// User pool provider URL.
	UserPoolProviderUrl() *string
	// Add a new app client to this user pool.
	AddClient(id *string, options *UserPoolClientOptions) UserPoolClient
	// Associate a domain to this user pool.
	AddDomain(id *string, options *UserPoolDomainOptions) UserPoolDomain
	// Add a new group to this user pool.
	AddGroup(id *string, options *UserPoolGroupOptions) UserPoolGroup
	// Add a new resource server to this user pool.
	AddResourceServer(id *string, options *UserPoolResourceServerOptions) UserPoolResourceServer
	// Add a lambda trigger to a user pool operation.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
	//
	AddTrigger(operation UserPoolOperation, fn awslambda.IFunction, lambdaVersion LambdaVersion)
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Adds an IAM policy statement associated with this user pool to an IAM principal's policy.
	Grant(grantee awsiam.IGrantable, actions ...*string) awsiam.Grant
	// Register an identity provider with this user pool.
	RegisterIdentityProvider(provider IUserPoolIdentityProvider)
	// Returns a string representation of this construct.
	ToString() *string
}
Define a Cognito User Pool.
Example:
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)
pool.AddClient(jsii.String("app-client"), &cognito.UserPoolClientOptions{
	OAuth: &cognito.OAuthSettings{
		Flows: &cognito.OAuthFlows{
			AuthorizationCodeGrant: jsii.Boolean(true),
		},
		Scopes: &[]cognito.OAuthScope{
			cognito.OAuthScope_OPENID(),
		},
		CallbackUrls: &[]*string{
			jsii.String("https://my-app-domain.com/welcome"),
		},
		LogoutUrls: &[]*string{
			jsii.String("https://my-app-domain.com/signin"),
		},
	},
})
func NewUserPool
func NewUserPool(scope constructs.Construct, id *string, props *UserPoolProps) UserPool
type UserPoolClient
type UserPoolClient interface {
	awscdk.Resource
	IUserPoolClient
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The tree node.
	Node() constructs.Node
	// The OAuth flows enabled for this client.
	OAuthFlows() *OAuthFlows
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//   cross-environment scenarios.
	PhysicalName() *string
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Name of the application client.
	UserPoolClientId() *string
	// The client name that was specified via the `userPoolClientName` property during initialization, throws an error otherwise.
	UserPoolClientName() *string
	// The generated client secret.
	//
	// Only available if the "generateSecret" props is set to true.
	UserPoolClientSecret() awscdk.SecretValue
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Returns a string representation of this construct.
	ToString() *string
}
Define a UserPool App Client.
Example:
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)
provider := cognito.NewUserPoolIdentityProviderAmazon(this, jsii.String("Amazon"), &cognito.UserPoolIdentityProviderAmazonProps{
	UserPool: pool,
	ClientId: jsii.String("amzn-client-id"),
	ClientSecret: jsii.String("amzn-client-secret"),
})

client := pool.AddClient(jsii.String("app-client"), &cognito.UserPoolClientOptions{
	// ...
	SupportedIdentityProviders: &[]cognito.UserPoolClientIdentityProvider{
		cognito.UserPoolClientIdentityProvider_AMAZON(),
	},
})

// The client must be created after the provider it references.
client.Node().AddDependency(provider)
func NewUserPoolClient
func NewUserPoolClient(scope constructs.Construct, id *string, props *UserPoolClientProps) UserPoolClient
type UserPoolClientIdentityProvider
type UserPoolClientIdentityProvider interface {
	// The name of the identity provider as recognized by CloudFormation property `SupportedIdentityProviders`.
	Name() *string
}
Identity providers supported by the UserPoolClient.
Example:
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)
pool.AddClient(jsii.String("app-client"), &cognito.UserPoolClientOptions{
	// ...
	SupportedIdentityProviders: &[]cognito.UserPoolClientIdentityProvider{
		cognito.UserPoolClientIdentityProvider_AMAZON(),
		cognito.UserPoolClientIdentityProvider_COGNITO(),
	},
})
func UserPoolClientIdentityProvider_AMAZON
func UserPoolClientIdentityProvider_AMAZON() UserPoolClientIdentityProvider
func UserPoolClientIdentityProvider_APPLE
func UserPoolClientIdentityProvider_APPLE() UserPoolClientIdentityProvider
func UserPoolClientIdentityProvider_COGNITO
func UserPoolClientIdentityProvider_COGNITO() UserPoolClientIdentityProvider
func UserPoolClientIdentityProvider_Custom
func UserPoolClientIdentityProvider_Custom(name *string) UserPoolClientIdentityProvider
Specify a provider not yet supported by the CDK.
func UserPoolClientIdentityProvider_FACEBOOK
func UserPoolClientIdentityProvider_FACEBOOK() UserPoolClientIdentityProvider
func UserPoolClientIdentityProvider_GOOGLE
func UserPoolClientIdentityProvider_GOOGLE() UserPoolClientIdentityProvider
type UserPoolClientOptions
type UserPoolClientOptions struct {
	// Validity of the access token.
	//
	// Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity.
	// See: https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-access-token
	//
	// Default: Duration.minutes(60)
	//
	AccessTokenValidity awscdk.Duration `field:"optional" json:"accessTokenValidity" yaml:"accessTokenValidity"`
	// The analytics configuration for this client.
	// Default: - no analytics configuration.
	//
	Analytics *AnalyticsConfiguration `field:"optional" json:"analytics" yaml:"analytics"`
	// The set of OAuth authentication flows to enable on the client.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html
	//
	// Default: - If you don't specify a value, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.
	//
	AuthFlows *AuthFlow `field:"optional" json:"authFlows" yaml:"authFlows"`
	// Cognito creates a session token for each API request in an authentication flow.
	//
	// AuthSessionValidity is the duration, in minutes, of that session token.
	// see defaults in `AuthSessionValidity`. Valid duration is from 3 to 15 minutes.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-authsessionvalidity
	//
	// Default: - Duration.minutes(3)
	//
	AuthSessionValidity awscdk.Duration `field:"optional" json:"authSessionValidity" yaml:"authSessionValidity"`
	// Turns off all OAuth interactions for this client.
	// Default: false.
	//
	DisableOAuth *bool `field:"optional" json:"disableOAuth" yaml:"disableOAuth"`
	// Enable the propagation of additional user context data.
	//
	// You can only activate enablePropagateAdditionalUserContextData in an app client that has a client secret.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint
	//
	// Default: false for new user pool clients.
	//
	EnablePropagateAdditionalUserContextData *bool `field:"optional" json:"enablePropagateAdditionalUserContextData" yaml:"enablePropagateAdditionalUserContextData"`
	// Enable token revocation for this client.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html#enable-token-revocation
	//
	// Default: true for new user pool clients.
	//
	EnableTokenRevocation *bool `field:"optional" json:"enableTokenRevocation" yaml:"enableTokenRevocation"`
	// Whether to generate a client secret.
	// Default: false.
	//
	GenerateSecret *bool `field:"optional" json:"generateSecret" yaml:"generateSecret"`
	// Validity of the ID token.
	//
	// Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity.
	// See: https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-id-token
	//
	// Default: Duration.minutes(60)
	//
	IdTokenValidity awscdk.Duration `field:"optional" json:"idTokenValidity" yaml:"idTokenValidity"`
	// OAuth settings for this client to interact with the app.
	//
	// An error is thrown when this is specified and `disableOAuth` is set.
	// Default: - see defaults in `OAuthSettings`. meaningless if `disableOAuth` is set.
	//
	OAuth *OAuthSettings `field:"optional" json:"oAuth" yaml:"oAuth"`
	// Whether Cognito returns a UserNotFoundException exception when the user does not exist in the user pool (false), or whether it returns another type of error that doesn't reveal the user's absence.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-managing-errors.html
	//
	// Default: false.
	//
	PreventUserExistenceErrors *bool `field:"optional" json:"preventUserExistenceErrors" yaml:"preventUserExistenceErrors"`
	// The set of attributes this client will be able to read.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes
	//
	// Default: - all standard and custom attributes.
	//
	ReadAttributes ClientAttributes `field:"optional" json:"readAttributes" yaml:"readAttributes"`
	// Validity of the refresh token.
	//
	// Values between 60 minutes and 10 years are valid.
	// See: https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-refresh-token
	//
	// Default: Duration.days(30)
	//
	RefreshTokenValidity awscdk.Duration `field:"optional" json:"refreshTokenValidity" yaml:"refreshTokenValidity"`
	// The list of identity providers that users should be able to use to sign in using this client.
	// Default: - supports all identity providers that are registered with the user pool. If the user pool and/or
	// identity providers are imported, either specify this option explicitly or ensure that the identity providers are
	// registered with the user pool using the `UserPool.registerIdentityProvider()` API.
	//
	SupportedIdentityProviders *[]UserPoolClientIdentityProvider `field:"optional" json:"supportedIdentityProviders" yaml:"supportedIdentityProviders"`
	// Name of the application client.
	// Default: - cloudformation generated name.
	//
	UserPoolClientName *string `field:"optional" json:"userPoolClientName" yaml:"userPoolClientName"`
	// The set of attributes this client will be able to write.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes
	//
	// Default: - all standard and custom attributes.
	//
	WriteAttributes ClientAttributes `field:"optional" json:"writeAttributes" yaml:"writeAttributes"`
}
Options to create a UserPoolClient.
Example:
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)
pool.AddClient(jsii.String("app-client"), &cognito.UserPoolClientOptions{
	OAuth: &cognito.OAuthSettings{
		Flows: &cognito.OAuthFlows{
			AuthorizationCodeGrant: jsii.Boolean(true),
		},
		Scopes: &[]cognito.OAuthScope{
			cognito.OAuthScope_OPENID(),
		},
		CallbackUrls: &[]*string{
			jsii.String("https://my-app-domain.com/welcome"),
		},
		LogoutUrls: &[]*string{
			jsii.String("https://my-app-domain.com/signin"),
		},
	},
})
type UserPoolClientProps
type UserPoolClientProps struct {
	// Validity of the access token.
	//
	// Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity.
	// See: https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-access-token
	//
	// Default: Duration.minutes(60)
	//
	AccessTokenValidity awscdk.Duration `field:"optional" json:"accessTokenValidity" yaml:"accessTokenValidity"`
	// The analytics configuration for this client.
	// Default: - no analytics configuration.
	//
	Analytics *AnalyticsConfiguration `field:"optional" json:"analytics" yaml:"analytics"`
	// The set of OAuth authentication flows to enable on the client.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html
	//
	// Default: - If you don't specify a value, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.
	//
	AuthFlows *AuthFlow `field:"optional" json:"authFlows" yaml:"authFlows"`
	// Cognito creates a session token for each API request in an authentication flow.
	//
	// AuthSessionValidity is the duration, in minutes, of that session token.
	// see defaults in `AuthSessionValidity`. Valid duration is from 3 to 15 minutes.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-authsessionvalidity
	//
	// Default: - Duration.minutes(3)
	//
	AuthSessionValidity awscdk.Duration `field:"optional" json:"authSessionValidity" yaml:"authSessionValidity"`
	// Turns off all OAuth interactions for this client.
	// Default: false.
	//
	DisableOAuth *bool `field:"optional" json:"disableOAuth" yaml:"disableOAuth"`
	// Enable the propagation of additional user context data.
	//
	// You can only activate enablePropagateAdditionalUserContextData in an app client that has a client secret.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint
	//
	// Default: false for new user pool clients.
	//
	EnablePropagateAdditionalUserContextData *bool `field:"optional" json:"enablePropagateAdditionalUserContextData" yaml:"enablePropagateAdditionalUserContextData"`
	// Enable token revocation for this client.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html#enable-token-revocation
	//
	// Default: true for new user pool clients.
	//
	EnableTokenRevocation *bool `field:"optional" json:"enableTokenRevocation" yaml:"enableTokenRevocation"`
	// Whether to generate a client secret.
	// Default: false.
	//
	GenerateSecret *bool `field:"optional" json:"generateSecret" yaml:"generateSecret"`
	// Validity of the ID token.
	//
	// Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity.
	// See: https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-id-token
	//
	// Default: Duration.minutes(60)
	//
	IdTokenValidity awscdk.Duration `field:"optional" json:"idTokenValidity" yaml:"idTokenValidity"`
	// OAuth settings for this client to interact with the app.
	//
	// An error is thrown when this is specified and `disableOAuth` is set.
	// Default: - see defaults in `OAuthSettings`. meaningless if `disableOAuth` is set.
	//
	OAuth *OAuthSettings `field:"optional" json:"oAuth" yaml:"oAuth"`
	// Whether Cognito returns a UserNotFoundException exception when the user does not exist in the user pool (false), or whether it returns another type of error that doesn't reveal the user's absence.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-managing-errors.html
	//
	// Default: false.
	//
	PreventUserExistenceErrors *bool `field:"optional" json:"preventUserExistenceErrors" yaml:"preventUserExistenceErrors"`
	// The set of attributes this client will be able to read.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes
	//
	// Default: - all standard and custom attributes.
	//
	ReadAttributes ClientAttributes `field:"optional" json:"readAttributes" yaml:"readAttributes"`
	// Validity of the refresh token.
	//
	// Values between 60 minutes and 10 years are valid.
	// See: https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-refresh-token
	//
	// Default: Duration.days(30)
	//
	RefreshTokenValidity awscdk.Duration `field:"optional" json:"refreshTokenValidity" yaml:"refreshTokenValidity"`
	// The list of identity providers that users should be able to use to sign in using this client.
	// Default: - supports all identity providers that are registered with the user pool. If the user pool and/or
	// identity providers are imported, either specify this option explicitly or ensure that the identity providers are
	// registered with the user pool using the `UserPool.registerIdentityProvider()` API.
	//
	SupportedIdentityProviders *[]UserPoolClientIdentityProvider `field:"optional" json:"supportedIdentityProviders" yaml:"supportedIdentityProviders"`
	// Name of the application client.
	// Default: - cloudformation generated name.
	//
	UserPoolClientName *string `field:"optional" json:"userPoolClientName" yaml:"userPoolClientName"`
	// The set of attributes this client will be able to write.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes
	//
	// Default: - all standard and custom attributes.
	//
	WriteAttributes ClientAttributes `field:"optional" json:"writeAttributes" yaml:"writeAttributes"`
	// The UserPool resource this client will have access to.
	UserPool IUserPool `field:"required" json:"userPool" yaml:"userPool"`
}
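The limits documented on UserPoolClientOptions (token and session validity ranges, the client-secret requirement for user context data, the OAuth/disableOAuth conflict) and its permissive defaults can be checked before synthesis. The following is an added example, not part of the AWS CDK: ClientPlan, Finding, Lint, Count, Dur, WeakPlan and HardenedPlan are hypothetical names, the plan is a plain-Go mirror of the option fields, and "10 years" is taken as 3650 days.

```go
package main

import (
	"fmt"
	"time"
)

// ClientPlan is a hypothetical plain-Go mirror of the UserPoolClientOptions
// fields checked below. A nil pointer means "unset": the documented default applies.
type ClientPlan struct {
	AccessTokenValidity, IdTokenValidity      *time.Duration
	RefreshTokenValidity, AuthSessionValidity *time.Duration
	GenerateSecret, PropagateUserContextData  bool
	DisableOAuth, OAuthSet                    bool
	PreventUserExistenceErrors                bool
	EnableTokenRevocation                     *bool
	WriteAttributesSet                        bool
}

// Finding levels: "error" breaks a documented constraint; "review" is a
// documented default or setting that deserves a deliberate decision.
type Finding struct{ Level, Field, Msg string }

const day = 24 * time.Hour

// Dur returns a pointer to d, for filling optional fields.
func Dur(d time.Duration) *time.Duration { return &d }

func orDefault(v *time.Duration, def time.Duration) time.Duration {
	if v == nil {
		return def
	}
	return *v
}

// Lint checks a plan against the constraints and defaults stated in the docs above.
func Lint(p ClientPlan) []Finding {
	var out []Finding
	add := func(level, field, msg string) { out = append(out, Finding{level, field, msg}) }

	refresh := orDefault(p.RefreshTokenValidity, 30*day)
	if refresh < 60*time.Minute || refresh > 3650*day { // assumption: 10 years = 3650 days
		add("error", "RefreshTokenValidity", "must be between 60 minutes and 10 years")
	}
	tokens := []struct {
		name string
		v    *time.Duration
	}{{"AccessTokenValidity", p.AccessTokenValidity}, {"IdTokenValidity", p.IdTokenValidity}}
	for _, tok := range tokens {
		v := orDefault(tok.v, 60*time.Minute)
		if v < 5*time.Minute || v > day {
			add("error", tok.name, "must be between 5 minutes and 1 day")
		}
		if v > refresh {
			add("error", tok.name, "must not be longer than the refresh token validity")
		}
	}
	session := orDefault(p.AuthSessionValidity, 3*time.Minute)
	if session < 3*time.Minute || session > 15*time.Minute {
		add("error", "AuthSessionValidity", "must be between 3 and 15 minutes")
	}
	if p.PropagateUserContextData && !p.GenerateSecret {
		add("error", "EnablePropagateAdditionalUserContextData", "requires a client secret")
	}
	if p.OAuthSet && p.DisableOAuth {
		add("error", "OAuth", "cannot be specified together with DisableOAuth")
	}
	if !p.PreventUserExistenceErrors {
		add("review", "PreventUserExistenceErrors", "UserNotFoundException reveals that a user does not exist")
	}
	if p.EnableTokenRevocation != nil && !*p.EnableTokenRevocation {
		add("review", "EnableTokenRevocation", "token revocation is turned off")
	}
	if !p.WriteAttributesSet {
		add("review", "WriteAttributes", "client can write all standard and custom attributes")
	}
	return out
}

// Count returns how many findings have the given level.
func Count(fs []Finding, level string) (n int) {
	for _, f := range fs {
		if f.Level == level {
			n++
		}
	}
	return n
}

// WeakPlan and HardenedPlan are constructed sample inputs.
func WeakPlan() ClientPlan {
	return ClientPlan{AccessTokenValidity: Dur(48 * time.Hour),
		RefreshTokenValidity: Dur(24 * time.Hour), PropagateUserContextData: true}
}

func HardenedPlan() ClientPlan {
	return ClientPlan{AccessTokenValidity: Dur(15 * time.Minute), IdTokenValidity: Dur(15 * time.Minute),
		RefreshTokenValidity: Dur(8 * time.Hour), PreventUserExistenceErrors: true, WriteAttributesSet: true}
}

func main() {
	for _, f := range Lint(WeakPlan()) {
		fmt.Printf("%-6s %-42s %s\n", f.Level, f.Field, f.Msg)
	}
	fmt.Println("hardened findings:", len(Lint(HardenedPlan())))
}
```

A check like this can run in a unit test alongside the stack, so a non-conforming client definition fails before deployment.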
Properties for the UserPoolClient construct.
Example:
import awsiam "github.com/aws/aws-cdk-go/awscdk/v2/awsiam"
import pinpoint "github.com/aws/aws-cdk-go/awscdk/v2/awspinpoint"

var userPool cognito.UserPool
var pinpointApp pinpoint.CfnApp
var pinpointRole awsiam.Role

cognito.NewUserPoolClient(this, jsii.String("Client"), &cognito.UserPoolClientProps{
	UserPool: userPool,
	Analytics: &cognito.AnalyticsConfiguration{
		// Your Pinpoint project ID
		ApplicationId: pinpointApp.Ref(),

		// External ID for the IAM role
		ExternalId: jsii.String("sample-external-id"),

		// IAM role that Cognito can assume to publish to Pinpoint
		Role: pinpointRole,

		// Whether to include user data in analytics events
		ShareUserData: jsii.Boolean(true),
	},
})
type UserPoolDomain
type UserPoolDomain interface {
	awscdk.Resource
	IUserPoolDomain
	// The domain name of the CloudFront distribution associated with the user pool domain.
	//
	// This method creates a custom resource internally to get the CloudFront domain name.
	// Deprecated: use `cloudFrontEndpoint` method instead.
	CloudFrontDomainName() *string
	// The domain name of the CloudFront distribution associated with the user pool domain.
	CloudFrontEndpoint() *string
	// The domain that was specified to be created.
	//
	// If `customDomain` was selected, this holds the full domain name that was specified.
	// If the `cognitoDomain` was used, it contains the prefix to the Cognito hosted domain.
	DomainName() *string
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The tree node.
	Node() constructs.Node
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//   cross-environment scenarios.
	PhysicalName() *string
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	// The URL to the hosted UI associated with this domain.
	BaseUrl(options *BaseUrlOptions) *string
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// The URL to the sign in page in this domain using a specific UserPoolClient.
	SignInUrl(client UserPoolClient, options *SignInUrlOptions) *string
	// Returns a string representation of this construct.
	ToString() *string
}
Define a user pool domain.
Example:
userpool := cognito.NewUserPool(this, jsii.String("UserPool"), &UserPoolProps{
})
client := userpool.AddClient(jsii.String("Client"), &UserPoolClientOptions{
	// ...
	OAuth: &OAuthSettings{
		Flows: &OAuthFlows{
			ImplicitCodeGrant: jsii.Boolean(true),
		},
		CallbackUrls: &[]*string{
			jsii.String("https://myapp.com/home"),
			jsii.String("https://myapp.com/users"),
		},
	},
})
domain := userpool.AddDomain(jsii.String("Domain"), &UserPoolDomainOptions{
})
// The redirect URI must be one of the client's callback URLs.
signInUrl := domain.SignInUrl(client, &SignInUrlOptions{
	RedirectUri: jsii.String("https://myapp.com/home"),
})
func NewUserPoolDomain
func NewUserPoolDomain(scope constructs.Construct, id *string, props *UserPoolDomainProps) UserPoolDomain
type UserPoolDomainOptions
type UserPoolDomainOptions struct {
	// Associate a cognito prefix domain with your user pool.
	//
	// Either `customDomain` or `cognitoDomain` must be specified.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain-prefix.html
	//
	// Default: - not set if `customDomain` is specified, otherwise, throws an error.
	//
	CognitoDomain *CognitoDomainOptions `field:"optional" json:"cognitoDomain" yaml:"cognitoDomain"`
	// Associate a custom domain with your user pool.
	//
	// Either `customDomain` or `cognitoDomain` must be specified.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html
	//
	// Default: - not set if `cognitoDomain` is specified, otherwise, throws an error.
	//
	CustomDomain *CustomDomainOptions `field:"optional" json:"customDomain" yaml:"customDomain"`
	// A version that indicates the state of managed login.
	//
	// This choice applies to all app clients that host services at the domain.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html
	//
	// Default: undefined - Cognito default setting is ManagedLoginVersion.CLASSIC_HOSTED_UI
	//
	ManagedLoginVersion ManagedLoginVersion `field:"optional" json:"managedLoginVersion" yaml:"managedLoginVersion"`
}
Options to create a UserPoolDomain.
Example:
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)

pool.AddDomain(jsii.String("CognitoDomain"), &UserPoolDomainOptions{
	CognitoDomain: &CognitoDomainOptions{
		DomainPrefix: jsii.String("my-awesome-app"),
	},
})

certificateArn := "arn:aws:acm:us-east-1:123456789012:certificate/11-3336f1-44483d-adc7-9cd375c5169d"

domainCert := certificatemanager.Certificate_FromCertificateArn(this, jsii.String("domainCert"), jsii.String(certificateArn))
pool.AddDomain(jsii.String("CustomDomain"), &UserPoolDomainOptions{
	CustomDomain: &CustomDomainOptions{
		DomainName: jsii.String("user.myapp.com"),
		Certificate: domainCert,
	},
})
type UserPoolDomainProps
type UserPoolDomainProps struct {
	// Associate a cognito prefix domain with your user pool.
	//
	// Either `customDomain` or `cognitoDomain` must be specified.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain-prefix.html
	//
	// Default: - not set if `customDomain` is specified, otherwise, throws an error.
	//
	CognitoDomain *CognitoDomainOptions `field:"optional" json:"cognitoDomain" yaml:"cognitoDomain"`
	// Associate a custom domain with your user pool.
	//
	// Either `customDomain` or `cognitoDomain` must be specified.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html
	//
	// Default: - not set if `cognitoDomain` is specified, otherwise, throws an error.
	//
	CustomDomain *CustomDomainOptions `field:"optional" json:"customDomain" yaml:"customDomain"`
	// A version that indicates the state of managed login.
	//
	// This choice applies to all app clients that host services at the domain.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html
	//
	// Default: undefined - Cognito default setting is ManagedLoginVersion.CLASSIC_HOSTED_UI
	//
	ManagedLoginVersion ManagedLoginVersion `field:"optional" json:"managedLoginVersion" yaml:"managedLoginVersion"`
	// The user pool to which this domain should be associated.
	UserPool IUserPool `field:"required" json:"userPool" yaml:"userPool"`
}
Props for UserPoolDomain construct.
Example:
import "github.com/aws/aws-cdk-go/awscdk"

var vpc Vpc
var certificate Certificate

lb := elbv2.NewApplicationLoadBalancer(this, jsii.String("LB"), &ApplicationLoadBalancerProps{
	Vpc: vpc,
	InternetFacing: jsii.Boolean(true),
})

userPool := cognito.NewUserPool(this, jsii.String("UserPool"), nil)
userPoolClient := cognito.NewUserPoolClient(this, jsii.String("Client"), &UserPoolClientProps{
	UserPool: userPool,

	// Required minimal configuration for use with an ELB
	GenerateSecret: jsii.Boolean(true),
	AuthFlows: &AuthFlow{
		UserPassword: jsii.Boolean(true),
	},
	OAuth: &OAuthSettings{
		Flows: &OAuthFlows{
			AuthorizationCodeGrant: jsii.Boolean(true),
		},
		Scopes: &[]OAuthScope{
			cognito.OAuthScope_EMAIL(),
		},
		CallbackUrls: &[]*string{
			jsii.String(fmt.Sprintf("https://%v/oauth2/idpresponse", *lb.LoadBalancerDnsName())),
		},
	},
})
cfnClient := userPoolClient.Node().DefaultChild().(CfnUserPoolClient)
cfnClient.AddPropertyOverride(jsii.String("RefreshTokenValidity"), jsii.Number(1))
cfnClient.AddPropertyOverride(jsii.String("SupportedIdentityProviders"), []interface{}{
	jsii.String("COGNITO"),
})

userPoolDomain := cognito.NewUserPoolDomain(this, jsii.String("Domain"), &UserPoolDomainProps{
	UserPool: userPool,
	CognitoDomain: &CognitoDomainOptions{
		DomainPrefix: jsii.String("test-cdk-prefix"),
	},
})

lb.AddListener(jsii.String("Listener"), &BaseApplicationListenerProps{
	Port: jsii.Number(443),
	Certificates: &[]IListenerCertificate{
		certificate,
	},
	DefaultAction: actions.NewAuthenticateCognitoAction(&AuthenticateCognitoActionProps{
		UserPool: userPool,
		UserPoolClient: userPoolClient,
		UserPoolDomain: userPoolDomain,
		Next: elbv2.ListenerAction_FixedResponse(jsii.Number(200), &FixedResponseOptions{
			ContentType: jsii.String("text/plain"),
			MessageBody: jsii.String("Authenticated"),
		}),
	}),
})

awscdk.NewCfnOutput(this, jsii.String("DNS"), &CfnOutputProps{
	Value: lb.LoadBalancerDnsName(),
})
type UserPoolEmail
type UserPoolEmail interface { }
Configure how Cognito sends emails.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &UserPoolProps{
	Email: cognito.UserPoolEmail_WithSES(&UserPoolSESOptions{
		FromEmail: jsii.String("noreply@myawesomeapp.com"),
		FromName: jsii.String("Awesome App"),
		ReplyTo: jsii.String("support@myawesomeapp.com"),
	}),
})
func UserPoolEmail_WithCognito
func UserPoolEmail_WithCognito(replyTo *string) UserPoolEmail
Send email using Cognito.
func UserPoolEmail_WithSES
func UserPoolEmail_WithSES(options *UserPoolSESOptions) UserPoolEmail
Send email using SES.
type UserPoolEmailConfig (added in v2.164.0)
type UserPoolEmailConfig struct {
	// The name of the configuration set in SES.
	// Default: - none.
	//
	ConfigurationSet *string `field:"optional" json:"configurationSet" yaml:"configurationSet"`
	// Specifies whether to use Cognito's built in email functionality or SES.
	// Default: - Cognito built in email functionality.
	//
	EmailSendingAccount *string `field:"optional" json:"emailSendingAccount" yaml:"emailSendingAccount"`
	// Identifies either the sender's email address or the sender's name with their email address.
	//
	// If emailSendingAccount is DEVELOPER then this cannot be specified.
	// Default: 'no-reply@verificationemail.com'
	//
	From *string `field:"optional" json:"from" yaml:"from"`
	// The destination to which the receiver of the email should reply to.
	// Default: - same as `from`.
	//
	ReplyToEmailAddress *string `field:"optional" json:"replyToEmailAddress" yaml:"replyToEmailAddress"`
	// The ARN of a verified email address in Amazon SES.
	//
	// required if emailSendingAccount is DEVELOPER or if
	// 'from' is provided.
	// Default: - none.
	//
	SourceArn *string `field:"optional" json:"sourceArn" yaml:"sourceArn"`
}
Result of binding email settings with a user pool.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

userPoolEmailConfig := &UserPoolEmailConfig{
	ConfigurationSet: jsii.String("configurationSet"),
	EmailSendingAccount: jsii.String("emailSendingAccount"),
	From: jsii.String("from"),
	ReplyToEmailAddress: jsii.String("replyToEmailAddress"),
	SourceArn: jsii.String("sourceArn"),
}
type UserPoolGroup (added in v2.165.0)
type UserPoolGroup interface {
	awscdk.Resource
	IUserPoolGroup
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The user group name.
	GroupName() *string
	// The tree node.
	Node() constructs.Node
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//   cross-environment scenarios.
	PhysicalName() *string
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Returns a string representation of this construct.
	ToString() *string
}
Define a user pool group.
Example:
var userPool UserPool
var role awsiam.IRole

cognito.NewUserPoolGroup(this, jsii.String("UserPoolGroup"), &UserPoolGroupProps{
	UserPool: userPool,
	GroupName: jsii.String("my-group-name"),
	Precedence: jsii.Number(1),
	Role: role,
})

// You can also add a group by using the AddGroup method.
userPool.AddGroup(jsii.String("AnotherUserPoolGroup"), &UserPoolGroupOptions{
	GroupName: jsii.String("another-group-name"),
})
func NewUserPoolGroup (added in v2.165.0)
func NewUserPoolGroup(scope constructs.Construct, id *string, props *UserPoolGroupProps) UserPoolGroup
type UserPoolGroupOptions (added in v2.165.0)
type UserPoolGroupOptions struct {
	// A string containing the description of the group.
	// Default: - no description.
	//
	Description *string `field:"optional" json:"description" yaml:"description"`
	// The name of the group.
	//
	// Must be unique.
	// Default: - auto generate a name.
	//
	GroupName *string `field:"optional" json:"groupName" yaml:"groupName"`
	// A non-negative integer value that specifies the precedence of this group relative to the other groups that a user can belong to in the user pool.
	//
	// Zero is the highest precedence value.
	//
	// Groups with lower Precedence values take precedence over groups with higher or null Precedence values.
	// If a user belongs to two or more groups, it is the group with the lowest precedence value
	// whose role ARN is given in the user's tokens for the cognito:roles and cognito:preferred_role claims.
	//
	// Two groups can have the same Precedence value. If this happens, neither group takes precedence over the other.
	// If two groups with the same Precedence have the same role ARN, that role is used in the cognito:preferred_role
	// claim in tokens for users in each group.
	// If the two groups have different role ARNs, the cognito:preferred_role claim isn't set in users' tokens.
	// Default: - null.
	//
	Precedence *float64 `field:"optional" json:"precedence" yaml:"precedence"`
	// The role for the group.
	// Default: - no description.
	//
	Role awsiam.IRole `field:"optional" json:"role" yaml:"role"`
}
Options to create a UserPoolGroup.
Example:
var userPool UserPool
var role awsiam.IRole

cognito.NewUserPoolGroup(this, jsii.String("UserPoolGroup"), &UserPoolGroupProps{
	UserPool: userPool,
	GroupName: jsii.String("my-group-name"),
	Precedence: jsii.Number(1),
	Role: role,
})

// You can also add a group by using the AddGroup method.
userPool.AddGroup(jsii.String("AnotherUserPoolGroup"), &UserPoolGroupOptions{
	GroupName: jsii.String("another-group-name"),
})
type UserPoolGroupProps (added in v2.165.0)
type UserPoolGroupProps struct {
	// A string containing the description of the group.
	// Default: - no description.
	//
	Description *string `field:"optional" json:"description" yaml:"description"`
	// The name of the group.
	//
	// Must be unique.
	// Default: - auto generate a name.
	//
	GroupName *string `field:"optional" json:"groupName" yaml:"groupName"`
	// A non-negative integer value that specifies the precedence of this group relative to the other groups that a user can belong to in the user pool.
	//
	// Zero is the highest precedence value.
	//
	// Groups with lower Precedence values take precedence over groups with higher or null Precedence values.
	// If a user belongs to two or more groups, it is the group with the lowest precedence value
	// whose role ARN is given in the user's tokens for the cognito:roles and cognito:preferred_role claims.
	//
	// Two groups can have the same Precedence value. If this happens, neither group takes precedence over the other.
	// If two groups with the same Precedence have the same role ARN, that role is used in the cognito:preferred_role
	// claim in tokens for users in each group.
	// If the two groups have different role ARNs, the cognito:preferred_role claim isn't set in users' tokens.
	// Default: - null.
	//
	Precedence *float64 `field:"optional" json:"precedence" yaml:"precedence"`
	// The role for the group.
	// Default: - no description.
	//
	Role awsiam.IRole `field:"optional" json:"role" yaml:"role"`
	// The user pool to which this group is associated.
	UserPool IUserPool `field:"required" json:"userPool" yaml:"userPool"`
}
Props for UserPoolGroup construct.
Example:
var userPool UserPool
var role awsiam.IRole

cognito.NewUserPoolGroup(this, jsii.String("UserPoolGroup"), &UserPoolGroupProps{
	UserPool: userPool,
	GroupName: jsii.String("my-group-name"),
	Precedence: jsii.Number(1),
	Role: role,
})

// You can also add a group by using the AddGroup method.
userPool.AddGroup(jsii.String("AnotherUserPoolGroup"), &UserPoolGroupOptions{
	GroupName: jsii.String("another-group-name"),
})
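The `Precedence` rules documented for `UserPoolGroupOptions` and `UserPoolGroupProps` decide which IAM role ends up in a user's `cognito:preferred_role` claim, so a precedence collision or an unexpectedly low value on a privileged group changes what a token can do. The following is an added example, not code from the CDK library: `Group`, `PreferredRole` and `PrecedenceConflicts` are hypothetical names, the ARNs are constructed sample values, and two behaviours the documentation does not spell out are assumed (groups without a role are ignored, and groups that all have a null precedence are treated as tied).

```go
package main

import (
	"fmt"
	"sort"
)

// Group is a hypothetical stand-in for one user pool group (not a CDK type).
type Group struct {
	Name       string
	Precedence *int   // nil models the "null" default
	RoleArn    string // "" when no role is attached
}

func prec(v int) *int { return &v }

// outranks reports whether precedence a wins over b: a lower number wins,
// and any number wins over null.
func outranks(a, b *int) bool {
	if a == nil {
		return false
	}
	return b == nil || *a < *b
}

// PreferredRole returns the role ARN expected in cognito:preferred_role for a
// user who belongs to the given groups; ok is false when the claim is not set.
// Assumptions: groups without a role are ignored, and groups that all have a
// null precedence are treated as tied.
func PreferredRole(groups []Group) (arn string, ok bool) {
	var top []Group
	for _, g := range groups {
		if g.RoleArn == "" {
			continue
		}
		switch {
		case len(top) == 0 || outranks(g.Precedence, top[0].Precedence):
			top = []Group{g}
		case !outranks(top[0].Precedence, g.Precedence):
			top = append(top, g) // same precedence: neither group wins
		}
	}
	if len(top) == 0 {
		return "", false
	}
	for _, g := range top[1:] {
		if g.RoleArn != top[0].RoleArn {
			return "", false // tie between different roles: claim not set
		}
	}
	return top[0].RoleArn, true
}

// PrecedenceConflicts lists the precedence values shared by groups that carry
// different roles. A user placed in two such groups gets no preferred role
// unless another of the user's groups outranks both.
func PrecedenceConflicts(groups []Group) []int {
	roles := map[int]map[string]bool{}
	for _, g := range groups {
		if g.Precedence == nil || g.RoleArn == "" {
			continue
		}
		if roles[*g.Precedence] == nil {
			roles[*g.Precedence] = map[string]bool{}
		}
		roles[*g.Precedence][g.RoleArn] = true
	}
	var out []int
	for p, set := range roles {
		if len(set) > 1 {
			out = append(out, p)
		}
	}
	sort.Ints(out)
	return out
}

func main() {
	// Constructed sample data; the account ID and role names are placeholders.
	admin := Group{"admins", prec(0), "arn:aws:iam::123456789012:role/admin"}
	ops := Group{"ops", prec(1), "arn:aws:iam::123456789012:role/ops"}
	audit := Group{"audit", prec(1), "arn:aws:iam::123456789012:role/audit"}
	guest := Group{"guests", nil, "arn:aws:iam::123456789012:role/guest"}

	fmt.Println(PreferredRole([]Group{guest, ops, admin})) // lowest value wins
	fmt.Println(PreferredRole([]Group{ops, audit, guest})) // tie, different roles
	fmt.Println(PrecedenceConflicts([]Group{admin, ops, audit, guest}))
}
```

Running `PrecedenceConflicts` over the group definitions before deployment flags shared precedence values whose roles differ, which is the case where the claim silently disappears.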
type UserPoolIdentityProvider
type UserPoolIdentityProvider interface { }
User pool third-party identity providers.
type UserPoolIdentityProviderAmazon
type UserPoolIdentityProviderAmazon interface {
	awscdk.Resource
	IUserPoolIdentityProvider
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The tree node.
	Node() constructs.Node
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//   cross-environment scenarios.
	PhysicalName() *string
	// The primary identifier of this identity provider.
	ProviderName() *string
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	ConfigureAttributeMapping() interface{}
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Returns a string representation of this construct.
	ToString() *string
}
Represents an identity provider that integrates with Login with Amazon.
Example:
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)

provider := cognito.NewUserPoolIdentityProviderAmazon(this, jsii.String("Amazon"), &UserPoolIdentityProviderAmazonProps{
	UserPool: pool,
	ClientId: jsii.String("amzn-client-id"),
	ClientSecret: jsii.String("amzn-client-secret"),
})

client := pool.AddClient(jsii.String("app-client"), &UserPoolClientOptions{
	// ...
	SupportedIdentityProviders: &[]UserPoolClientIdentityProvider{
		cognito.UserPoolClientIdentityProvider_AMAZON(),
	},
})

client.Node().AddDependency(provider)
func NewUserPoolIdentityProviderAmazon
func NewUserPoolIdentityProviderAmazon(scope constructs.Construct, id *string, props *UserPoolIdentityProviderAmazonProps) UserPoolIdentityProviderAmazon
type UserPoolIdentityProviderAmazonProps
type UserPoolIdentityProviderAmazonProps struct {
	// The user pool to which this construct provides identities.
	UserPool IUserPool `field:"required" json:"userPool" yaml:"userPool"`
	// Mapping attributes from the identity provider to standard and custom attributes of the user pool.
	// Default: - no attribute mapping.
	//
	AttributeMapping *AttributeMapping `field:"optional" json:"attributeMapping" yaml:"attributeMapping"`
	// The client id recognized by Login with Amazon APIs.
	// See: https://developer.amazon.com/docs/login-with-amazon/security-profile.html#client-identifier
	//
	ClientId *string `field:"required" json:"clientId" yaml:"clientId"`
	// The client secret to be accompanied with clientId for Login with Amazon APIs to authenticate the client.
	// See: https://developer.amazon.com/docs/login-with-amazon/security-profile.html#client-identifier
	//
	ClientSecret *string `field:"required" json:"clientSecret" yaml:"clientSecret"`
	// The types of user profile data to obtain for the Amazon profile.
	// See: https://developer.amazon.com/docs/login-with-amazon/customer-profile.html
	//
	// Default: [ profile ].
	//
	Scopes *[]*string `field:"optional" json:"scopes" yaml:"scopes"`
}
Properties to initialize UserPoolAmazonIdentityProvider.
Example:
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)

provider := cognito.NewUserPoolIdentityProviderAmazon(this, jsii.String("Amazon"), &UserPoolIdentityProviderAmazonProps{
	UserPool: pool,
	ClientId: jsii.String("amzn-client-id"),
	ClientSecret: jsii.String("amzn-client-secret"),
})

client := pool.AddClient(jsii.String("app-client"), &UserPoolClientOptions{
	// ...
	SupportedIdentityProviders: &[]UserPoolClientIdentityProvider{
		cognito.UserPoolClientIdentityProvider_AMAZON(),
	},
})

client.Node().AddDependency(provider)
type UserPoolIdentityProviderApple
type UserPoolIdentityProviderApple interface {
	awscdk.Resource
	IUserPoolIdentityProvider
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The tree node.
	Node() constructs.Node
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//   cross-environment scenarios.
	PhysicalName() *string
	// The primary identifier of this identity provider.
	ProviderName() *string
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	ConfigureAttributeMapping() interface{}
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Returns a string representation of this construct.
	ToString() *string
}
Represents an identity provider that integrates with Apple.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import cdk "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"

var providerAttribute ProviderAttribute
var secretValue cdk.SecretValue
var userPool UserPool

userPoolIdentityProviderApple := cognito.NewUserPoolIdentityProviderApple(this, jsii.String("MyUserPoolIdentityProviderApple"), &UserPoolIdentityProviderAppleProps{
	ClientId: jsii.String("clientId"),
	KeyId: jsii.String("keyId"),
	TeamId: jsii.String("teamId"),
	UserPool: userPool,

	// the properties below are optional
	AttributeMapping: &AttributeMapping{
		Address: providerAttribute,
		Birthdate: providerAttribute,
		Custom: &map[string]ProviderAttribute{
			"customKey": providerAttribute,
		},
		Email: providerAttribute,
		EmailVerified: providerAttribute,
		FamilyName: providerAttribute,
		Fullname: providerAttribute,
		Gender: providerAttribute,
		GivenName: providerAttribute,
		LastUpdateTime: providerAttribute,
		Locale: providerAttribute,
		MiddleName: providerAttribute,
		Nickname: providerAttribute,
		PhoneNumber: providerAttribute,
		PreferredUsername: providerAttribute,
		ProfilePage: providerAttribute,
		ProfilePicture: providerAttribute,
		Timezone: providerAttribute,
		Website: providerAttribute,
	},
	// PrivateKey is deprecated; it is listed only because this example instantiates every field.
	PrivateKey: jsii.String("privateKey"),
	PrivateKeyValue: secretValue,
	Scopes: &[]*string{
		jsii.String("scopes"),
	},
})
func NewUserPoolIdentityProviderApple
func NewUserPoolIdentityProviderApple(scope constructs.Construct, id *string, props *UserPoolIdentityProviderAppleProps) UserPoolIdentityProviderApple
type UserPoolIdentityProviderAppleProps
type UserPoolIdentityProviderAppleProps struct {
	// The user pool to which this construct provides identities.
	UserPool IUserPool `field:"required" json:"userPool" yaml:"userPool"`
	// Mapping attributes from the identity provider to standard and custom attributes of the user pool.
	// Default: - no attribute mapping.
	//
	AttributeMapping *AttributeMapping `field:"optional" json:"attributeMapping" yaml:"attributeMapping"`
	// The client id recognized by Apple APIs.
	// See: https://developer.apple.com/documentation/sign_in_with_apple/clientconfigi/3230948-clientid
	//
	ClientId *string `field:"required" json:"clientId" yaml:"clientId"`
	// The keyId (of the same key, which content has to be later supplied as `privateKey`) for Apple APIs to authenticate the client.
	KeyId *string `field:"required" json:"keyId" yaml:"keyId"`
	// The teamId for Apple APIs to authenticate the client.
	TeamId *string `field:"required" json:"teamId" yaml:"teamId"`
	// The privateKey content for Apple APIs to authenticate the client.
	// Default: none.
	//
	// Deprecated: use privateKeyValue.
	PrivateKey *string `field:"optional" json:"privateKey" yaml:"privateKey"`
	// The privateKey content for Apple APIs to authenticate the client.
	// Default: none.
	//
	PrivateKeyValue awscdk.SecretValue `field:"optional" json:"privateKeyValue" yaml:"privateKeyValue"`
	// The list of apple permissions to obtain for getting access to the apple profile.
	// See: https://developer.apple.com/documentation/sign_in_with_apple/clientconfigi/3230955-scope
	//
	// Default: [ name ].
	//
	Scopes *[]*string `field:"optional" json:"scopes" yaml:"scopes"`
}
Properties to initialize UserPoolAppleIdentityProvider.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import cdk "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"

var providerAttribute ProviderAttribute
var secretValue cdk.SecretValue
var userPool UserPool

userPoolIdentityProviderAppleProps := &UserPoolIdentityProviderAppleProps{
	ClientId: jsii.String("clientId"),
	KeyId: jsii.String("keyId"),
	TeamId: jsii.String("teamId"),
	UserPool: userPool,

	// the properties below are optional
	AttributeMapping: &AttributeMapping{
		Address: providerAttribute,
		Birthdate: providerAttribute,
		Custom: &map[string]ProviderAttribute{
			"customKey": providerAttribute,
		},
		Email: providerAttribute,
		EmailVerified: providerAttribute,
		FamilyName: providerAttribute,
		Fullname: providerAttribute,
		Gender: providerAttribute,
		GivenName: providerAttribute,
		LastUpdateTime: providerAttribute,
		Locale: providerAttribute,
		MiddleName: providerAttribute,
		Nickname: providerAttribute,
		PhoneNumber: providerAttribute,
		PreferredUsername: providerAttribute,
		ProfilePage: providerAttribute,
		ProfilePicture: providerAttribute,
		Timezone: providerAttribute,
		Website: providerAttribute,
	},
	// PrivateKey is deprecated; it is listed only because this example instantiates every field.
	PrivateKey: jsii.String("privateKey"),
	PrivateKeyValue: secretValue,
	Scopes: &[]*string{
		jsii.String("scopes"),
	},
}
type UserPoolIdentityProviderFacebook
type UserPoolIdentityProviderFacebook interface {
	awscdk.Resource
	IUserPoolIdentityProvider
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The tree node.
	Node() constructs.Node
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//   cross-environment scenarios.
	PhysicalName() *string
	// The primary identifier of this identity provider.
	ProviderName() *string
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	ConfigureAttributeMapping() interface{}
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Returns a string representation of this construct.
	ToString() *string
}
Represents an identity provider that integrates with Facebook Login.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var providerAttribute ProviderAttribute
var userPool UserPool

userPoolIdentityProviderFacebook := cognito.NewUserPoolIdentityProviderFacebook(this, jsii.String("MyUserPoolIdentityProviderFacebook"), &UserPoolIdentityProviderFacebookProps{
	ClientId: jsii.String("clientId"),
	ClientSecret: jsii.String("clientSecret"),
	UserPool: userPool,

	// the properties below are optional
	ApiVersion: jsii.String("apiVersion"),
	AttributeMapping: &AttributeMapping{
		Address: providerAttribute,
		Birthdate: providerAttribute,
		Custom: &map[string]ProviderAttribute{
			"customKey": providerAttribute,
		},
		Email: providerAttribute,
		EmailVerified: providerAttribute,
		FamilyName: providerAttribute,
		Fullname: providerAttribute,
		Gender: providerAttribute,
		GivenName: providerAttribute,
		LastUpdateTime: providerAttribute,
		Locale: providerAttribute,
		MiddleName: providerAttribute,
		Nickname: providerAttribute,
		PhoneNumber: providerAttribute,
		PreferredUsername: providerAttribute,
		ProfilePage: providerAttribute,
		ProfilePicture: providerAttribute,
		Timezone: providerAttribute,
		Website: providerAttribute,
	},
	Scopes: &[]*string{
		jsii.String("scopes"),
	},
})
func NewUserPoolIdentityProviderFacebook
func NewUserPoolIdentityProviderFacebook(scope constructs.Construct, id *string, props *UserPoolIdentityProviderFacebookProps) UserPoolIdentityProviderFacebook
type UserPoolIdentityProviderFacebookProps ¶
type UserPoolIdentityProviderFacebookProps struct { // The user pool to which this construct provides identities. UserPool IUserPool `field:"required" json:"userPool" yaml:"userPool"` // Mapping attributes from the identity provider to standard and custom attributes of the user pool. // Default: - no attribute mapping. // AttributeMapping *AttributeMapping `field:"optional" json:"attributeMapping" yaml:"attributeMapping"` // The client id recognized by Facebook APIs. ClientId *string `field:"required" json:"clientId" yaml:"clientId"` // The client secret to be accompanied with clientId for Facebook to authenticate the client. // See: https://developers.facebook.com/docs/facebook-login/security#appsecret // ClientSecret *string `field:"required" json:"clientSecret" yaml:"clientSecret"` // The Facebook API version to use. // Default: - to the oldest version supported by Facebook. // ApiVersion *string `field:"optional" json:"apiVersion" yaml:"apiVersion"` // The list of Facebook permissions to obtain for getting access to the Facebook profile. // See: https://developers.facebook.com/docs/facebook-login/permissions // // Default: [ public_profile ]. // Scopes *[]*string `field:"optional" json:"scopes" yaml:"scopes"` }
Properties to initialize UserPoolFacebookIdentityProvider.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import cognito "github.com/aws/aws-cdk-go/awscdk/v2/awscognito"

var providerAttribute cognito.ProviderAttribute
var userPool cognito.UserPool

userPoolIdentityProviderFacebookProps := &UserPoolIdentityProviderFacebookProps{
	ClientId: jsii.String("clientId"),
	ClientSecret: jsii.String("clientSecret"),
	UserPool: userPool,

	// the properties below are optional
	ApiVersion: jsii.String("apiVersion"),
	AttributeMapping: &AttributeMapping{
		Address: providerAttribute,
		Birthdate: providerAttribute,
		Custom: &map[string]cognito.ProviderAttribute{
			"customKey": providerAttribute,
		},
		Email: providerAttribute,
		EmailVerified: providerAttribute,
		FamilyName: providerAttribute,
		Fullname: providerAttribute,
		Gender: providerAttribute,
		GivenName: providerAttribute,
		LastUpdateTime: providerAttribute,
		Locale: providerAttribute,
		MiddleName: providerAttribute,
		Nickname: providerAttribute,
		PhoneNumber: providerAttribute,
		PreferredUsername: providerAttribute,
		ProfilePage: providerAttribute,
		ProfilePicture: providerAttribute,
		Timezone: providerAttribute,
		Website: providerAttribute,
	},
	Scopes: &[]*string{
		jsii.String("scopes"),
	},
}
type UserPoolIdentityProviderGoogle
type UserPoolIdentityProviderGoogle interface {
	awscdk.Resource
	IUserPoolIdentityProvider
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The tree node.
	Node() constructs.Node
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//   cross-environment scenarios.
	PhysicalName() *string
	// The primary identifier of this identity provider.
	ProviderName() *string
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	ConfigureAttributeMapping() interface{}
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Returns a string representation of this construct.
	ToString() *string
}
Represents an identity provider that integrates with Google.
Example:
userpool := cognito.NewUserPool(this, jsii.String("Pool"))
secret := secretsmanager.Secret_FromSecretAttributes(this, jsii.String("CognitoClientSecret"), &SecretAttributes{
	SecretCompleteArn: jsii.String("arn:aws:secretsmanager:xxx:xxx:secret:xxx-xxx"),
}).SecretValue

provider := cognito.NewUserPoolIdentityProviderGoogle(this, jsii.String("Google"), &UserPoolIdentityProviderGoogleProps{
	ClientId: jsii.String("amzn-client-id"),
	ClientSecretValue: secret,
	UserPool: userpool,
})
func NewUserPoolIdentityProviderGoogle
func NewUserPoolIdentityProviderGoogle(scope constructs.Construct, id *string, props *UserPoolIdentityProviderGoogleProps) UserPoolIdentityProviderGoogle
type UserPoolIdentityProviderGoogleProps
type UserPoolIdentityProviderGoogleProps struct {
	// The user pool to which this construct provides identities.
	UserPool IUserPool `field:"required" json:"userPool" yaml:"userPool"`
	// Mapping attributes from the identity provider to standard and custom attributes of the user pool.
	// Default: - no attribute mapping.
	//
	AttributeMapping *AttributeMapping `field:"optional" json:"attributeMapping" yaml:"attributeMapping"`
	// The client id recognized by Google APIs.
	// See: https://developers.google.com/identity/sign-in/web/sign-in#specify_your_apps_client_id
	//
	ClientId *string `field:"required" json:"clientId" yaml:"clientId"`
	// The client secret to be accompanied with clientId for Google APIs to authenticate the client.
	// See: https://developers.google.com/identity/sign-in/web/sign-in
	//
	// Default: none.
	//
	// Deprecated: use clientSecretValue instead.
	ClientSecret *string `field:"optional" json:"clientSecret" yaml:"clientSecret"`
	// The client secret to be accompanied with clientId for Google APIs to authenticate the client as SecretValue.
	// See: https://developers.google.com/identity/sign-in/web/sign-in
	//
	// Default: none.
	//
	ClientSecretValue awscdk.SecretValue `field:"optional" json:"clientSecretValue" yaml:"clientSecretValue"`
	// The list of Google permissions to obtain for getting access to the Google profile.
	// See: https://developers.google.com/identity/sign-in/web/sign-in
	//
	// Default: [ profile ].
	//
	Scopes *[]*string `field:"optional" json:"scopes" yaml:"scopes"`
}
Properties to initialize UserPoolGoogleIdentityProvider.
Example:
userpool := cognito.NewUserPool(this, jsii.String("Pool"))
secret := secretsmanager.Secret_FromSecretAttributes(this, jsii.String("CognitoClientSecret"), &SecretAttributes{
	SecretCompleteArn: jsii.String("arn:aws:secretsmanager:xxx:xxx:secret:xxx-xxx"),
}).SecretValue

provider := cognito.NewUserPoolIdentityProviderGoogle(this, jsii.String("Google"), &UserPoolIdentityProviderGoogleProps{
	ClientId: jsii.String("amzn-client-id"),
	ClientSecretValue: secret,
	UserPool: userpool,
})
type UserPoolIdentityProviderOidc (added in v2.27.0)
type UserPoolIdentityProviderOidc interface {
	awscdk.Resource
	IUserPoolIdentityProvider
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The tree node.
	Node() constructs.Node
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//   cross-environment scenarios.
	PhysicalName() *string
	// The primary identifier of this identity provider.
	ProviderName() *string
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	ConfigureAttributeMapping() interface{}
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Returns a string representation of this construct.
	ToString() *string
}
Represents an identity provider that integrates with OpenID Connect.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import cognito "github.com/aws/aws-cdk-go/awscdk/v2/awscognito"

var providerAttribute cognito.ProviderAttribute
var userPool cognito.UserPool

userPoolIdentityProviderOidc := cognito.NewUserPoolIdentityProviderOidc(this, jsii.String("MyUserPoolIdentityProviderOidc"), &UserPoolIdentityProviderOidcProps{
	ClientId: jsii.String("clientId"),
	ClientSecret: jsii.String("clientSecret"),
	IssuerUrl: jsii.String("issuerUrl"),
	UserPool: userPool,

	// the properties below are optional
	AttributeMapping: &AttributeMapping{
		Address: providerAttribute,
		Birthdate: providerAttribute,
		Custom: &map[string]cognito.ProviderAttribute{
			"customKey": providerAttribute,
		},
		Email: providerAttribute,
		EmailVerified: providerAttribute,
		FamilyName: providerAttribute,
		Fullname: providerAttribute,
		Gender: providerAttribute,
		GivenName: providerAttribute,
		LastUpdateTime: providerAttribute,
		Locale: providerAttribute,
		MiddleName: providerAttribute,
		Nickname: providerAttribute,
		PhoneNumber: providerAttribute,
		PreferredUsername: providerAttribute,
		ProfilePage: providerAttribute,
		ProfilePicture: providerAttribute,
		Timezone: providerAttribute,
		Website: providerAttribute,
	},
	AttributeRequestMethod: cognito.OidcAttributeRequestMethod_GET,
	Endpoints: &OidcEndpoints{
		Authorization: jsii.String("authorization"),
		JwksUri: jsii.String("jwksUri"),
		Token: jsii.String("token"),
		UserInfo: jsii.String("userInfo"),
	},
	Identifiers: &[]*string{
		jsii.String("identifiers"),
	},
	Name: jsii.String("name"),
	Scopes: &[]*string{
		jsii.String("scopes"),
	},
})
func NewUserPoolIdentityProviderOidc (added in v2.27.0)
func NewUserPoolIdentityProviderOidc(scope constructs.Construct, id *string, props *UserPoolIdentityProviderOidcProps) UserPoolIdentityProviderOidc
type UserPoolIdentityProviderOidcProps (added in v2.27.0)
type UserPoolIdentityProviderOidcProps struct {
	// The user pool to which this construct provides identities.
	UserPool IUserPool `field:"required" json:"userPool" yaml:"userPool"`
	// Mapping attributes from the identity provider to standard and custom attributes of the user pool.
	// Default: - no attribute mapping.
	//
	AttributeMapping *AttributeMapping `field:"optional" json:"attributeMapping" yaml:"attributeMapping"`
	// The client id.
	ClientId *string `field:"required" json:"clientId" yaml:"clientId"`
	// The client secret.
	ClientSecret *string `field:"required" json:"clientSecret" yaml:"clientSecret"`
	// Issuer URL.
	IssuerUrl *string `field:"required" json:"issuerUrl" yaml:"issuerUrl"`
	// The method to use to request attributes.
	// Default: OidcAttributeRequestMethod.GET
	//
	AttributeRequestMethod OidcAttributeRequestMethod `field:"optional" json:"attributeRequestMethod" yaml:"attributeRequestMethod"`
	// OpenID connect endpoints.
	// Default: - auto discovered with issuer URL.
	//
	Endpoints *OidcEndpoints `field:"optional" json:"endpoints" yaml:"endpoints"`
	// Identifiers.
	//
	// Identifiers can be used to redirect users to the correct IdP in multitenant apps.
	// Default: - no identifiers used.
	//
	Identifiers *[]*string `field:"optional" json:"identifiers" yaml:"identifiers"`
	// The name of the provider.
	// Default: - the unique ID of the construct.
	//
	Name *string `field:"optional" json:"name" yaml:"name"`
	// The OAuth 2.0 scopes that you will request from OpenID Connect. Scopes are groups of OpenID Connect user attributes to exchange with your app.
	// Default: ['openid'].
	//
	Scopes *[]*string `field:"optional" json:"scopes" yaml:"scopes"`
}
Properties to initialize UserPoolIdentityProviderOidc.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import cognito "github.com/aws/aws-cdk-go/awscdk/v2/awscognito"

var providerAttribute cognito.ProviderAttribute
var userPool cognito.UserPool

userPoolIdentityProviderOidcProps := &UserPoolIdentityProviderOidcProps{
	ClientId: jsii.String("clientId"),
	ClientSecret: jsii.String("clientSecret"),
	IssuerUrl: jsii.String("issuerUrl"),
	UserPool: userPool,

	// the properties below are optional
	AttributeMapping: &AttributeMapping{
		Address: providerAttribute,
		Birthdate: providerAttribute,
		Custom: &map[string]cognito.ProviderAttribute{
			"customKey": providerAttribute,
		},
		Email: providerAttribute,
		EmailVerified: providerAttribute,
		FamilyName: providerAttribute,
		Fullname: providerAttribute,
		Gender: providerAttribute,
		GivenName: providerAttribute,
		LastUpdateTime: providerAttribute,
		Locale: providerAttribute,
		MiddleName: providerAttribute,
		Nickname: providerAttribute,
		PhoneNumber: providerAttribute,
		PreferredUsername: providerAttribute,
		ProfilePage: providerAttribute,
		ProfilePicture: providerAttribute,
		Timezone: providerAttribute,
		Website: providerAttribute,
	},
	AttributeRequestMethod: cognito.OidcAttributeRequestMethod_GET,
	Endpoints: &OidcEndpoints{
		Authorization: jsii.String("authorization"),
		JwksUri: jsii.String("jwksUri"),
		Token: jsii.String("token"),
		UserInfo: jsii.String("userInfo"),
	},
	Identifiers: &[]*string{
		jsii.String("identifiers"),
	},
	Name: jsii.String("name"),
	Scopes: &[]*string{
		jsii.String("scopes"),
	},
}
type UserPoolIdentityProviderProps
type UserPoolIdentityProviderProps struct {
	// The user pool to which this construct provides identities.
	UserPool IUserPool `field:"required" json:"userPool" yaml:"userPool"`
	// Mapping attributes from the identity provider to standard and custom attributes of the user pool.
	// Default: - no attribute mapping.
	//
	AttributeMapping *AttributeMapping `field:"optional" json:"attributeMapping" yaml:"attributeMapping"`
}
Properties to create a new instance of UserPoolIdentityProvider.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import cognito "github.com/aws/aws-cdk-go/awscdk/v2/awscognito"

var providerAttribute cognito.ProviderAttribute
var userPool cognito.UserPool

userPoolIdentityProviderProps := &UserPoolIdentityProviderProps{
	UserPool: userPool,

	// the properties below are optional
	AttributeMapping: &AttributeMapping{
		Address: providerAttribute,
		Birthdate: providerAttribute,
		Custom: &map[string]cognito.ProviderAttribute{
			"customKey": providerAttribute,
		},
		Email: providerAttribute,
		EmailVerified: providerAttribute,
		FamilyName: providerAttribute,
		Fullname: providerAttribute,
		Gender: providerAttribute,
		GivenName: providerAttribute,
		LastUpdateTime: providerAttribute,
		Locale: providerAttribute,
		MiddleName: providerAttribute,
		Nickname: providerAttribute,
		PhoneNumber: providerAttribute,
		PreferredUsername: providerAttribute,
		ProfilePage: providerAttribute,
		ProfilePicture: providerAttribute,
		Timezone: providerAttribute,
		Website: providerAttribute,
	},
}
type UserPoolIdentityProviderSaml (added in v2.42.0)
type UserPoolIdentityProviderSaml interface {
	awscdk.Resource
	IUserPoolIdentityProvider
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The tree node.
	Node() constructs.Node
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//   cross-environment scenarios.
	PhysicalName() *string
	// The primary identifier of this identity provider.
	ProviderName() *string
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	ConfigureAttributeMapping() interface{}
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Returns a string representation of this construct.
	ToString() *string
}
Represents an identity provider that integrates with SAML.
Example:
userpool := cognito.NewUserPool(this, jsii.String("Pool"))

// specify the metadata as a file content
cognito.NewUserPoolIdentityProviderSaml(this, jsii.String("userpoolIdpFile"), &UserPoolIdentityProviderSamlProps{
	UserPool: userpool,
	Metadata: cognito.UserPoolIdentityProviderSamlMetadata_File(jsii.String("my-file-contents")),
	// Whether to require encrypted SAML assertions from IdP
	EncryptedResponses: jsii.Boolean(true),
	// The signing algorithm for the SAML requests
	RequestSigningAlgorithm: cognito.SigningAlgorithm_RSA_SHA256,
	// Enable IdP initiated SAML auth flow
	IdpInitiated: jsii.Boolean(true),
})

// specify the metadata as a URL
cognito.NewUserPoolIdentityProviderSaml(this, jsii.String("userpoolidpUrl"), &UserPoolIdentityProviderSamlProps{
	UserPool: userpool,
	Metadata: cognito.UserPoolIdentityProviderSamlMetadata_Url(jsii.String("https://my-metadata-url.com")),
})
func NewUserPoolIdentityProviderSaml (added in v2.42.0)
func NewUserPoolIdentityProviderSaml(scope constructs.Construct, id *string, props *UserPoolIdentityProviderSamlProps) UserPoolIdentityProviderSaml
type UserPoolIdentityProviderSamlMetadata (added in v2.42.0)
type UserPoolIdentityProviderSamlMetadata interface {
	// A URL hosting SAML metadata, or the content of a file containing SAML metadata.
	MetadataContent() *string
	// The type of metadata, either a URL or file content.
	MetadataType() UserPoolIdentityProviderSamlMetadataType
}
Metadata for a SAML user pool identity provider.
Example:
userpool := cognito.NewUserPool(this, jsii.String("Pool"))

// specify the metadata as a file content
cognito.NewUserPoolIdentityProviderSaml(this, jsii.String("userpoolIdpFile"), &UserPoolIdentityProviderSamlProps{
	UserPool: userpool,
	Metadata: cognito.UserPoolIdentityProviderSamlMetadata_File(jsii.String("my-file-contents")),
	// Whether to require encrypted SAML assertions from IdP
	EncryptedResponses: jsii.Boolean(true),
	// The signing algorithm for the SAML requests
	RequestSigningAlgorithm: cognito.SigningAlgorithm_RSA_SHA256,
	// Enable IdP initiated SAML auth flow
	IdpInitiated: jsii.Boolean(true),
})

// specify the metadata as a URL
cognito.NewUserPoolIdentityProviderSaml(this, jsii.String("userpoolidpUrl"), &UserPoolIdentityProviderSamlProps{
	UserPool: userpool,
	Metadata: cognito.UserPoolIdentityProviderSamlMetadata_Url(jsii.String("https://my-metadata-url.com")),
})
func UserPoolIdentityProviderSamlMetadata_File (added in v2.42.0)
func UserPoolIdentityProviderSamlMetadata_File(fileContent *string) UserPoolIdentityProviderSamlMetadata
Specify SAML metadata via the contents of a file.
func UserPoolIdentityProviderSamlMetadata_Url (added in v2.42.0)
func UserPoolIdentityProviderSamlMetadata_Url(url *string) UserPoolIdentityProviderSamlMetadata
Specify SAML metadata via a URL.
type UserPoolIdentityProviderSamlMetadataType (added in v2.42.0)
type UserPoolIdentityProviderSamlMetadataType string
Metadata types that can be used for a SAML user pool identity provider.
const (
	// Metadata provided via a URL.
	UserPoolIdentityProviderSamlMetadataType_URL UserPoolIdentityProviderSamlMetadataType = "URL"
	// Metadata provided via the contents of a file.
	UserPoolIdentityProviderSamlMetadataType_FILE UserPoolIdentityProviderSamlMetadataType = "FILE"
)
type UserPoolIdentityProviderSamlProps (added in v2.42.0)
type UserPoolIdentityProviderSamlProps struct {
	// The user pool to which this construct provides identities.
	UserPool IUserPool `field:"required" json:"userPool" yaml:"userPool"`
	// Mapping attributes from the identity provider to standard and custom attributes of the user pool.
	// Default: - no attribute mapping.
	//
	AttributeMapping *AttributeMapping `field:"optional" json:"attributeMapping" yaml:"attributeMapping"`
	// The SAML metadata.
	Metadata UserPoolIdentityProviderSamlMetadata `field:"required" json:"metadata" yaml:"metadata"`
	// Whether to require encrypted SAML assertions from IdP.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-SAML-signing-encryption.html#cognito-user-pools-SAML-encryption
	//
	// Default: false.
	//
	EncryptedResponses *bool `field:"optional" json:"encryptedResponses" yaml:"encryptedResponses"`
	// Identifiers.
	//
	// Identifiers can be used to redirect users to the correct IdP in multitenant apps.
	// Default: - no identifiers used.
	//
	Identifiers *[]*string `field:"optional" json:"identifiers" yaml:"identifiers"`
	// Whether to enable IdP-initiated SAML auth flows.
	// Default: false.
	//
	IdpInitiated *bool `field:"optional" json:"idpInitiated" yaml:"idpInitiated"`
	// Whether to enable the "Sign-out flow" feature.
	// Default: - false.
	//
	IdpSignout *bool `field:"optional" json:"idpSignout" yaml:"idpSignout"`
	// The name of the provider.
	//
	// Must be between 3 and 32 characters.
	// Default: - the unique ID of the construct.
	//
	Name *string `field:"optional" json:"name" yaml:"name"`
	// The signing algorithm for SAML requests.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-SAML-signing-encryption.html#cognito-user-pools-SAML-signing
	//
	// Default: - don't sign requests.
	//
	RequestSigningAlgorithm SigningAlgorithm `field:"optional" json:"requestSigningAlgorithm" yaml:"requestSigningAlgorithm"`
}
Properties to initialize UserPoolIdentityProviderSaml.
Example:
userpool := cognito.NewUserPool(this, jsii.String("Pool"))

// specify the metadata as a file content
cognito.NewUserPoolIdentityProviderSaml(this, jsii.String("userpoolIdpFile"), &UserPoolIdentityProviderSamlProps{
	UserPool: userpool,
	Metadata: cognito.UserPoolIdentityProviderSamlMetadata_File(jsii.String("my-file-contents")),
	// Whether to require encrypted SAML assertions from IdP
	EncryptedResponses: jsii.Boolean(true),
	// The signing algorithm for the SAML requests
	RequestSigningAlgorithm: cognito.SigningAlgorithm_RSA_SHA256,
	// Enable IdP initiated SAML auth flow
	IdpInitiated: jsii.Boolean(true),
})

// specify the metadata as a URL
cognito.NewUserPoolIdentityProviderSaml(this, jsii.String("userpoolidpUrl"), &UserPoolIdentityProviderSamlProps{
	UserPool: userpool,
	Metadata: cognito.UserPoolIdentityProviderSamlMetadata_Url(jsii.String("https://my-metadata-url.com")),
})
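The Facebook and OIDC props above take `ClientSecret` as a plain string, the Google props offer `ClientSecretValue` instead, and the SAML props default to unencrypted responses and unsigned requests. The following added example (not part of the CDK library or its documentation) audits a synthesized template for those settings. It assumes identity providers are emitted as `AWS::Cognito::UserPoolIdentityProvider` resources whose `ProviderDetails` use the keys `client_secret`, `EncryptedResponses` and `RequestSigningAlgorithm`; `AuditIdentityProviders`, `Finding` and the sample template are names and data constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of a synthesized template (not output from a real stack).
// The ProviderDetails key names are assumptions about what the constructs emit.
const sampleTemplate = `{
  "Resources": {
    "Pool": {"Type": "AWS::Cognito::UserPool"},
    "FacebookIdp": {
      "Type": "AWS::Cognito::UserPoolIdentityProvider",
      "Properties": {"ProviderType": "Facebook", "ProviderDetails": {
        "client_id": "clientId", "client_secret": "clientSecret"}}
    },
    "GoogleIdp": {
      "Type": "AWS::Cognito::UserPoolIdentityProvider",
      "Properties": {"ProviderType": "Google", "ProviderDetails": {
        "client_id": "amzn-client-id",
        "client_secret": "{{resolve:secretsmanager:arn:aws:secretsmanager:xxx:xxx:secret:xxx-xxx:SecretString:::}}"}}
    },
    "SamlIdp": {
      "Type": "AWS::Cognito::UserPoolIdentityProvider",
      "Properties": {"ProviderType": "SAML", "ProviderDetails": {
        "MetadataURL": "https://my-metadata-url.com", "IDPSignout": false}}
    }
  }
}`

// Finding is one hardening gap on one identity provider resource.
type Finding struct {
	LogicalID string
	Issue     string
}

// template models only the parts of a CloudFormation template the audit reads.
type template struct {
	Resources map[string]struct {
		Type       string
		Properties struct {
			ProviderType    string
			ProviderDetails map[string]interface{}
		}
	}
}

// isTrue accepts both the JSON boolean true and the string "true".
func isTrue(v interface{}) bool {
	switch t := v.(type) {
	case bool:
		return t
	case string:
		return strings.EqualFold(t, "true")
	}
	return false
}

// AuditIdentityProviders reports identity providers whose client secret is
// written into the template as a literal, and SAML providers that rely on
// the documented defaults (no encrypted responses, no request signing).
// Findings are ordered by logical ID so the output is stable.
func AuditIdentityProviders(raw []byte) ([]Finding, error) {
	var tpl template
	if err := json.Unmarshal(raw, &tpl); err != nil {
		return nil, fmt.Errorf("parse template: %w", err)
	}
	ids := make([]string, 0, len(tpl.Resources))
	for id, r := range tpl.Resources {
		if r.Type == "AWS::Cognito::UserPoolIdentityProvider" {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)

	var out []Finding
	for _, id := range ids {
		p := tpl.Resources[id].Properties
		d := p.ProviderDetails
		// A plain string with no dynamic reference is the secret itself.
		// Non-string values are intrinsics resolved at deploy time and are not judged here.
		if s, ok := d["client_secret"].(string); ok && !strings.Contains(s, "{{resolve:") {
			out = append(out, Finding{LogicalID: id, Issue: "client_secret is a literal in the template"})
		}
		if p.ProviderType != "SAML" {
			continue
		}
		if !isTrue(d["EncryptedResponses"]) {
			out = append(out, Finding{LogicalID: id, Issue: "EncryptedResponses is not enabled"})
		}
		if alg, _ := d["RequestSigningAlgorithm"].(string); alg == "" {
			out = append(out, Finding{LogicalID: id, Issue: "RequestSigningAlgorithm is not set"})
		}
	}
	return out, nil
}

func main() {
	findings, err := AuditIdentityProviders([]byte(sampleTemplate))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.LogicalID, f.Issue)
	}
}
```
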
type UserPoolOperation
type UserPoolOperation interface {
	// The key to use in `CfnUserPool.LambdaConfigProperty`.
	OperationName() *string
}
User pool operations to which lambda triggers can be attached.
Example:
authChallengeFn := lambda.NewFunction(this, jsii.String("authChallengeFn"), &FunctionProps{
	Runtime: lambda.Runtime_NODEJS_LATEST(),
	Handler: jsii.String("index.handler"),
	// path to the directory that holds the handler code
	Code: lambda.Code_FromAsset(jsii.String("path/to/asset"), nil),
})

userpool := cognito.NewUserPool(this, jsii.String("myuserpool"), &UserPoolProps{
	// ...
	LambdaTriggers: &UserPoolTriggers{
		CreateAuthChallenge: authChallengeFn,
	},
})

userpool.AddTrigger(cognito.UserPoolOperation_USER_MIGRATION(), lambda.NewFunction(this, jsii.String("userMigrationFn"), &FunctionProps{
	Runtime: lambda.Runtime_NODEJS_LATEST(),
	Handler: jsii.String("index.handler"),
	Code: lambda.Code_FromAsset(jsii.String("path/to/asset"), nil),
}))
func UserPoolOperation_CREATE_AUTH_CHALLENGE
func UserPoolOperation_CREATE_AUTH_CHALLENGE() UserPoolOperation
func UserPoolOperation_CUSTOM_EMAIL_SENDER (added in v2.1.0)
func UserPoolOperation_CUSTOM_EMAIL_SENDER() UserPoolOperation
func UserPoolOperation_CUSTOM_MESSAGE
func UserPoolOperation_CUSTOM_MESSAGE() UserPoolOperation
func UserPoolOperation_CUSTOM_SMS_SENDER (added in v2.1.0)
func UserPoolOperation_CUSTOM_SMS_SENDER() UserPoolOperation
func UserPoolOperation_DEFINE_AUTH_CHALLENGE
func UserPoolOperation_DEFINE_AUTH_CHALLENGE() UserPoolOperation
func UserPoolOperation_Of
func UserPoolOperation_Of(name *string) UserPoolOperation
A custom user pool operation.
func UserPoolOperation_POST_AUTHENTICATION
func UserPoolOperation_POST_AUTHENTICATION() UserPoolOperation
func UserPoolOperation_POST_CONFIRMATION
func UserPoolOperation_POST_CONFIRMATION() UserPoolOperation
func UserPoolOperation_PRE_AUTHENTICATION
func UserPoolOperation_PRE_AUTHENTICATION() UserPoolOperation
func UserPoolOperation_PRE_SIGN_UP
func UserPoolOperation_PRE_SIGN_UP() UserPoolOperation
func UserPoolOperation_PRE_TOKEN_GENERATION
func UserPoolOperation_PRE_TOKEN_GENERATION() UserPoolOperation
func UserPoolOperation_PRE_TOKEN_GENERATION_CONFIG (added in v2.127.0)
func UserPoolOperation_PRE_TOKEN_GENERATION_CONFIG() UserPoolOperation
func UserPoolOperation_USER_MIGRATION
func UserPoolOperation_USER_MIGRATION() UserPoolOperation
func UserPoolOperation_VERIFY_AUTH_CHALLENGE_RESPONSE
func UserPoolOperation_VERIFY_AUTH_CHALLENGE_RESPONSE() UserPoolOperation
type UserPoolProps
type UserPoolProps struct {
	// How will a user be able to recover their account?
	// Default: AccountRecovery.PHONE_WITHOUT_MFA_AND_EMAIL
	//
	AccountRecovery AccountRecovery `field:"optional" json:"accountRecovery" yaml:"accountRecovery"`
	// The user pool's Advanced Security Mode.
	// Default: - no value.
	//
	// Deprecated: Advanced Security Mode is deprecated due to user pool feature plans. Use StandardThreatProtectionMode and CustomThreatProtectionMode to set Threat Protection level.
	AdvancedSecurityMode AdvancedSecurityMode `field:"optional" json:"advancedSecurityMode" yaml:"advancedSecurityMode"`
	// Attributes which Cognito will look to verify automatically upon user sign up.
	//
	// EMAIL and PHONE are the only available options.
	// Default: - If `signInAlias` includes email and/or phone, they will be included in `autoVerifiedAttributes` by default.
	// If absent, no attributes will be auto-verified.
	//
	AutoVerify *AutoVerifiedAttrs `field:"optional" json:"autoVerify" yaml:"autoVerify"`
	// Define a set of custom attributes that can be configured for each user in the user pool.
	// Default: - No custom attributes.
	//
	CustomAttributes *map[string]ICustomAttribute `field:"optional" json:"customAttributes" yaml:"customAttributes"`
	// This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sender-triggers.html
	//
	// Default: - no key ID configured.
	//
	CustomSenderKmsKey awskms.IKey `field:"optional" json:"customSenderKmsKey" yaml:"customSenderKmsKey"`
	// The Type of Threat Protection Enabled for Custom Authentication.
	//
	// This feature only functions if your FeaturePlan is set to FeaturePlan.PLUS
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html
	//
	// Default: - no value.
	//
	CustomThreatProtectionMode CustomThreatProtectionMode `field:"optional" json:"customThreatProtectionMode" yaml:"customThreatProtectionMode"`
	// Indicates whether the user pool should have deletion protection enabled.
	// Default: false.
	//
	DeletionProtection *bool `field:"optional" json:"deletionProtection" yaml:"deletionProtection"`
	// Device tracking settings.
	// Default: - see defaults on each property of DeviceTracking.
	//
	DeviceTracking *DeviceTracking `field:"optional" json:"deviceTracking" yaml:"deviceTracking"`
	// Email settings for a user pool.
	// Default: - cognito will use the default email configuration.
	//
	Email UserPoolEmail `field:"optional" json:"email" yaml:"email"`
	// Setting this would explicitly enable or disable SMS role creation.
	//
	// When left unspecified, CDK will determine based on other properties if a role is needed or not.
	// Default: - CDK will determine based on other properties of the user pool if an SMS role should be created or not.
	//
	EnableSmsRole *bool `field:"optional" json:"enableSmsRole" yaml:"enableSmsRole"`
	// The user pool feature plan, or tier.
	//
	// This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html
	//
	// Default: - FeaturePlan.ESSENTIALS for a newly created user pool; FeaturePlan.LITE otherwise
	//
	FeaturePlan FeaturePlan `field:"optional" json:"featurePlan" yaml:"featurePlan"`
	// Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes.
	//
	// EMAIL and PHONE are the only available options.
	// Default: - Nothing is kept.
	//
	KeepOriginal *KeepOriginalAttrs `field:"optional" json:"keepOriginal" yaml:"keepOriginal"`
	// Lambda functions to use for supported Cognito triggers.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
	//
	// Default: - No Lambda triggers.
	//
	LambdaTriggers *UserPoolTriggers `field:"optional" json:"lambdaTriggers" yaml:"lambdaTriggers"`
	// Configure whether users of this user pool can or are required to use MFA to sign in.
	// Default: Mfa.OFF
	//
	Mfa Mfa `field:"optional" json:"mfa" yaml:"mfa"`
	// The SMS message template sent during MFA verification.
	//
	// Use '{####}' in the template where Cognito should insert the verification code.
	// Default: 'Your authentication code is {####}.'
	//
	MfaMessage *string `field:"optional" json:"mfaMessage" yaml:"mfaMessage"`
	// Configure the MFA types that users can use in this user pool.
	//
	// Ignored if `mfa` is set to `OFF`.
	// Default: - { sms: true, otp: false, email: false }, if `mfa` is set to `OPTIONAL` or `REQUIRED`.
	// { sms: false, otp: false, email:false }, otherwise.
	//
	MfaSecondFactor *MfaSecondFactor `field:"optional" json:"mfaSecondFactor" yaml:"mfaSecondFactor"`
	// The authentication domain that passkey providers must use as a relying party (RP) in their configuration.
	//
	// Under the following conditions, the passkey relying party ID must be the fully-qualified domain name of your custom domain:
	// - The user pool is configured for passkey authentication.
	// - The user pool has a custom domain, whether or not it also has a prefix domain.
	// - Your application performs authentication with managed login or the classic hosted UI.
	// Default: - No authentication domain.
	//
	PasskeyRelyingPartyId *string `field:"optional" json:"passkeyRelyingPartyId" yaml:"passkeyRelyingPartyId"`
	// Your user-pool treatment for MFA with a passkey.
	//
	// You can override other MFA options and require passkey MFA, or you can set it as preferred.
	// When passkey MFA is preferred, the hosted UI encourages users to register a passkey at sign-in.
	// Default: - Cognito default setting is PasskeyUserVerification.PREFERRED
	//
	PasskeyUserVerification PasskeyUserVerification `field:"optional" json:"passkeyUserVerification" yaml:"passkeyUserVerification"`
	// Password policy for this user pool.
	// Default: - see defaults on each property of PasswordPolicy.
	//
	PasswordPolicy *PasswordPolicy `field:"optional" json:"passwordPolicy" yaml:"passwordPolicy"`
	// Policy to apply when the user pool is removed from the stack.
	// Default: RemovalPolicy.RETAIN
	//
	RemovalPolicy awscdk.RemovalPolicy `field:"optional" json:"removalPolicy" yaml:"removalPolicy"`
	// Whether self sign-up should be enabled.
	//
	// To configure self sign-up configuration use the `userVerification` property.
	// Default: - false.
	//
	SelfSignUpEnabled *bool `field:"optional" json:"selfSignUpEnabled" yaml:"selfSignUpEnabled"`
	// Methods in which a user registers or signs in to a user pool.
	//
	// Allows either username with aliases OR sign in with email, phone, or both.
	//
	// Read the sections on usernames and aliases to learn more -
	// https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html
	//
	// To match with 'Option 1' in the above link, with a verified email, this property should be set to
	// `{ username: true, email: true }`. To match with 'Option 2' in the above link with both a verified email and phone
	// number, this property should be set to `{ email: true, phone: true }`.
	// Default: { username: true }.
	//
	SignInAliases *SignInAliases `field:"optional" json:"signInAliases" yaml:"signInAliases"`
	// Whether sign-in aliases should be evaluated with case sensitivity.
	//
	// For example, when this option is set to false, users will be able to sign in using either `MyUsername` or `myusername`.
	// Default: true.
	//
	SignInCaseSensitive *bool `field:"optional" json:"signInCaseSensitive" yaml:"signInCaseSensitive"`
	// Sign-in policy for this user pool.
	// Default: - see defaults on each property of SignInPolicy.
// SignInPolicy *SignInPolicy `field:"optional" json:"signInPolicy" yaml:"signInPolicy"` // The IAM role that Cognito will assume while sending SMS messages. // Default: - a new IAM role is created. // SmsRole awsiam.IRole `field:"optional" json:"smsRole" yaml:"smsRole"` // The 'ExternalId' that Cognito service must be using when assuming the `smsRole`, if the role is restricted with an 'sts:ExternalId' conditional. // // Learn more about ExternalId here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html // // This property will be ignored if `smsRole` is not specified. // Default: - No external id will be configured. // SmsRoleExternalId *string `field:"optional" json:"smsRoleExternalId" yaml:"smsRoleExternalId"` // The region to integrate with SNS to send SMS messages. // // This property will do nothing if SMS configuration is not configured. // Default: - The same region as the user pool, with a few exceptions - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html#user-pool-sms-settings-first-time // SnsRegion *string `field:"optional" json:"snsRegion" yaml:"snsRegion"` // The set of attributes that are required for every user in the user pool. // // Read more on attributes here - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html // Default: - All standard attributes are optional and mutable. // StandardAttributes *StandardAttributes `field:"optional" json:"standardAttributes" yaml:"standardAttributes"` // The Type of Threat Protection Enabled for Standard Authentication. 
// // This feature only functions if your FeaturePlan is set to FeaturePlan.PLUS // See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html // // Default: - StandardThreatProtectionMode.NO_ENFORCEMENT // StandardThreatProtectionMode StandardThreatProtectionMode `field:"optional" json:"standardThreatProtectionMode" yaml:"standardThreatProtectionMode"` // Configuration around admins signing up users into a user pool. // Default: - see defaults in UserInvitationConfig. // UserInvitation *UserInvitationConfig `field:"optional" json:"userInvitation" yaml:"userInvitation"` // Name of the user pool. // Default: - automatically generated name by CloudFormation at deploy time. // UserPoolName *string `field:"optional" json:"userPoolName" yaml:"userPoolName"` // Configuration around users signing themselves up to the user pool. // // Enable or disable self sign-up via the `selfSignUpEnabled` property. // Default: - see defaults in UserVerificationConfig. // UserVerification *UserVerificationConfig `field:"optional" json:"userVerification" yaml:"userVerification"` }
Props for the UserPool construct.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &UserPoolProps{
	SignInPolicy: &SignInPolicy{
		AllowedFirstAuthFactors: &AllowedFirstAuthFactors{
			Password: jsii.Boolean(true),
			Passkey: jsii.Boolean(true),
		},
	},
	PasskeyRelyingPartyId: jsii.String("auth.example.com"),
	PasskeyUserVerification: cognito.PasskeyUserVerification_REQUIRED,
})
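Several UserPoolProps defaults listed above are permissive (Mfa.OFF, deletion protection false, threat protection not enforcing), so a check on the synthesized template is a useful gate before deployment. The following is an added example, not code from the CDK library or its documentation: a standard-library Go audit of a CloudFormation template for `AWS::Cognito::UserPool` resources. The template, logical IDs and finding labels are constructed for illustration; the property names are those of the CloudFormation resource.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample template fragment; logical IDs and values are made up.
const sampleTemplate = `{
  "Resources": {
    "DefaultPool": {
      "Type": "AWS::Cognito::UserPool",
      "Properties": {
        "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": false}
      }
    },
    "HardenedPool": {
      "Type": "AWS::Cognito::UserPool",
      "Properties": {
        "MfaConfiguration": "ON",
        "DeletionProtection": "ACTIVE",
        "UserPoolAddOns": {"AdvancedSecurityMode": "ENFORCED"},
        "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": true}
      }
    },
    "SomeBucket": {"Type": "AWS::S3::Bucket"}
  }
}`

type cfnTemplate struct {
	Resources map[string]struct {
		Type       string                 `json:"Type"`
		Properties map[string]interface{} `json:"Properties"`
	} `json:"Resources"`
}

// str returns m[key] when it is a plain string, "" otherwise (absent keys and
// unresolved intrinsics such as {"Ref": ...} both count as "not set").
func str(m map[string]interface{}, key string) string {
	s, _ := m[key].(string)
	return s
}

// obj returns m[key] when it is a JSON object, nil otherwise.
func obj(m map[string]interface{}, key string) map[string]interface{} {
	o, _ := m[key].(map[string]interface{})
	return o
}

// AuditUserPools maps each user pool's logical ID to its findings
// (an empty slice when the pool passes every check).
func AuditUserPools(tmpl []byte) (map[string][]string, error) {
	var t cfnTemplate
	if err := json.Unmarshal(tmpl, &t); err != nil {
		return nil, fmt.Errorf("parse template: %w", err)
	}
	out := map[string][]string{}
	for id, r := range t.Resources {
		if r.Type != "AWS::Cognito::UserPool" {
			continue
		}
		p, f := r.Properties, []string{}
		switch str(p, "MfaConfiguration") {
		case "ON":
		case "OPTIONAL":
			f = append(f, "mfa-optional")
		default: // absent or "OFF"
			f = append(f, "mfa-off")
		}
		if str(p, "DeletionProtection") != "ACTIVE" {
			f = append(f, "deletion-protection-inactive")
		}
		if m := str(obj(p, "UserPoolAddOns"), "AdvancedSecurityMode"); m != "AUDIT" && m != "ENFORCED" {
			f = append(f, "threat-protection-off")
		}
		// Anything but an explicit boolean true leaves self sign-up open.
		if only, _ := obj(p, "AdminCreateUserConfig")["AllowAdminCreateUserOnly"].(bool); !only {
			f = append(f, "self-signup-enabled")
		}
		out[id] = f
	}
	return out, nil
}

func main() {
	res, err := AuditUserPools([]byte(sampleTemplate))
	if err != nil {
		panic(err)
	}
	ids := make([]string, 0, len(res))
	for id := range res {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	for _, id := range ids {
		fmt.Printf("%s: %v\n", id, res[id])
	}
}
```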
type UserPoolResourceServer
type UserPoolResourceServer interface {
	awscdk.Resource
	IUserPoolResourceServer
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The tree node.
	Node() constructs.Node
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//   cross-environment scenarios.
	PhysicalName() *string
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Resource server id.
	UserPoolResourceServerId() *string
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Returns a string representation of this construct.
	ToString() *string
}
Defines a User Pool OAuth2.0 Resource Server.
Example:
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)

readOnlyScope := cognito.NewResourceServerScope(&ResourceServerScopeProps{
	ScopeName: jsii.String("read"),
	ScopeDescription: jsii.String("Read-only access"),
})
fullAccessScope := cognito.NewResourceServerScope(&ResourceServerScopeProps{
	ScopeName: jsii.String("*"),
	ScopeDescription: jsii.String("Full access"),
})

// Register both scopes on one resource server.
userServer := pool.AddResourceServer(jsii.String("ResourceServer"), &UserPoolResourceServerOptions{
	Identifier: jsii.String("users"),
	Scopes: &[]ResourceServerScope{
		readOnlyScope,
		fullAccessScope,
	},
})

// This client may only request the read-only scope.
readOnlyClient := pool.AddClient(jsii.String("read-only-client"), &UserPoolClientOptions{
	// ...
	OAuth: &OAuthSettings{
		// ...
		Scopes: &[]OAuthScope{
			cognito.OAuthScope_ResourceServer(userServer, readOnlyScope),
		},
	},
})

// This client may request the full-access scope.
fullAccessClient := pool.AddClient(jsii.String("full-access-client"), &UserPoolClientOptions{
	// ...
	OAuth: &OAuthSettings{
		// ...
		Scopes: &[]OAuthScope{
			cognito.OAuthScope_ResourceServer(userServer, fullAccessScope),
		},
	},
})
func NewUserPoolResourceServer
func NewUserPoolResourceServer(scope constructs.Construct, id *string, props *UserPoolResourceServerProps) UserPoolResourceServer
type UserPoolResourceServerOptions
type UserPoolResourceServerOptions struct {
	// A unique resource server identifier for the resource server.
	Identifier *string `field:"required" json:"identifier" yaml:"identifier"`
	// OAuth scopes.
	// Default: - No scopes will be added.
	//
	Scopes *[]ResourceServerScope `field:"optional" json:"scopes" yaml:"scopes"`
	// A friendly name for the resource server.
	// Default: - same as `identifier`.
	//
	UserPoolResourceServerName *string `field:"optional" json:"userPoolResourceServerName" yaml:"userPoolResourceServerName"`
}
Options to create a UserPoolResourceServer.
Example:
pool := cognito.NewUserPool(this, jsii.String("Pool"), nil)

readOnlyScope := cognito.NewResourceServerScope(&ResourceServerScopeProps{
	ScopeName: jsii.String("read"),
	ScopeDescription: jsii.String("Read-only access"),
})
fullAccessScope := cognito.NewResourceServerScope(&ResourceServerScopeProps{
	ScopeName: jsii.String("*"),
	ScopeDescription: jsii.String("Full access"),
})

// Register both scopes on one resource server.
userServer := pool.AddResourceServer(jsii.String("ResourceServer"), &UserPoolResourceServerOptions{
	Identifier: jsii.String("users"),
	Scopes: &[]ResourceServerScope{
		readOnlyScope,
		fullAccessScope,
	},
})

// This client may only request the read-only scope.
readOnlyClient := pool.AddClient(jsii.String("read-only-client"), &UserPoolClientOptions{
	// ...
	OAuth: &OAuthSettings{
		// ...
		Scopes: &[]OAuthScope{
			cognito.OAuthScope_ResourceServer(userServer, readOnlyScope),
		},
	},
})

// This client may request the full-access scope.
fullAccessClient := pool.AddClient(jsii.String("full-access-client"), &UserPoolClientOptions{
	// ...
	OAuth: &OAuthSettings{
		// ...
		Scopes: &[]OAuthScope{
			cognito.OAuthScope_ResourceServer(userServer, fullAccessScope),
		},
	},
})
type UserPoolResourceServerProps
type UserPoolResourceServerProps struct {
	// A unique resource server identifier for the resource server.
	Identifier *string `field:"required" json:"identifier" yaml:"identifier"`
	// OAuth scopes.
	// Default: - No scopes will be added.
	//
	Scopes *[]ResourceServerScope `field:"optional" json:"scopes" yaml:"scopes"`
	// A friendly name for the resource server.
	// Default: - same as `identifier`.
	//
	UserPoolResourceServerName *string `field:"optional" json:"userPoolResourceServerName" yaml:"userPoolResourceServerName"`
	// The user pool to add this resource server to.
	UserPool IUserPool `field:"required" json:"userPool" yaml:"userPool"`
}
Properties for the UserPoolResourceServer construct.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var resourceServerScope ResourceServerScope
var userPool UserPool

userPoolResourceServerProps := &UserPoolResourceServerProps{
	Identifier: jsii.String("identifier"),
	UserPool: userPool,

	// the properties below are optional
	Scopes: &[]ResourceServerScope{
		resourceServerScope,
	},
	UserPoolResourceServerName: jsii.String("userPoolResourceServerName"),
}
type UserPoolSESOptions
type UserPoolSESOptions struct {
	// The verified Amazon SES email address that Cognito should use to send emails.
	//
	// The email address used must be a verified email address
	// in Amazon SES and must be configured to allow Cognito to
	// send emails.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html
	//
	FromEmail *string `field:"required" json:"fromEmail" yaml:"fromEmail"`
	// The name of a configuration set in Amazon SES that should be applied to emails sent via Cognito.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-emailconfiguration.html#cfn-cognito-userpool-emailconfiguration-configurationset
	//
	// Default: - no configuration set.
	//
	ConfigurationSetName *string `field:"optional" json:"configurationSetName" yaml:"configurationSetName"`
	// An optional name that should be used as the sender's name along with the email.
	// Default: - no name.
	//
	FromName *string `field:"optional" json:"fromName" yaml:"fromName"`
	// The destination to which the receiver of the email should reply.
	// Default: - same as the fromEmail.
	//
	ReplyTo *string `field:"optional" json:"replyTo" yaml:"replyTo"`
	// Required if the UserPool region is different than the SES region.
	//
	// If sending emails with an Amazon SES verified email address,
	// and the region that SES is configured is different than the
	// region in which the UserPool is deployed, you must specify that
	// region here.
	// Default: - The same region as the Cognito UserPool.
	//
	SesRegion *string `field:"optional" json:"sesRegion" yaml:"sesRegion"`
	// SES Verified custom domain to be used to verify the identity.
	// Default: - no domain.
	//
	SesVerifiedDomain *string `field:"optional" json:"sesVerifiedDomain" yaml:"sesVerifiedDomain"`
}
Configuration for Cognito sending emails via Amazon SES.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &UserPoolProps{
	Email: cognito.UserPoolEmail_WithSES(&UserPoolSESOptions{
		FromEmail: jsii.String("noreply@myawesomeapp.com"),
		FromName: jsii.String("Awesome App"),
		ReplyTo: jsii.String("support@myawesomeapp.com"),
	}),
})
type UserPoolTriggers
type UserPoolTriggers struct {
	// Creates an authentication challenge.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-create-auth-challenge.html
	//
	// Default: - no trigger configured.
	//
	CreateAuthChallenge awslambda.IFunction `field:"optional" json:"createAuthChallenge" yaml:"createAuthChallenge"`
	// Amazon Cognito invokes this trigger to send email notifications to users.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-email-sender.html
	//
	// Default: - no trigger configured.
	//
	CustomEmailSender awslambda.IFunction `field:"optional" json:"customEmailSender" yaml:"customEmailSender"`
	// A custom Message AWS Lambda trigger.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-message.html
	//
	// Default: - no trigger configured.
	//
	CustomMessage awslambda.IFunction `field:"optional" json:"customMessage" yaml:"customMessage"`
	// Amazon Cognito invokes this trigger to send SMS notifications to users.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sms-sender.html
	//
	// Default: - no trigger configured.
	//
	CustomSmsSender awslambda.IFunction `field:"optional" json:"customSmsSender" yaml:"customSmsSender"`
	// Defines the authentication challenge.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-define-auth-challenge.html
	//
	// Default: - no trigger configured.
	//
	DefineAuthChallenge awslambda.IFunction `field:"optional" json:"defineAuthChallenge" yaml:"defineAuthChallenge"`
	// A post-authentication AWS Lambda trigger.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-authentication.html
	//
	// Default: - no trigger configured.
	//
	PostAuthentication awslambda.IFunction `field:"optional" json:"postAuthentication" yaml:"postAuthentication"`
	// A post-confirmation AWS Lambda trigger.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-confirmation.html
	//
	// Default: - no trigger configured.
	//
	PostConfirmation awslambda.IFunction `field:"optional" json:"postConfirmation" yaml:"postConfirmation"`
	// A pre-authentication AWS Lambda trigger.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-authentication.html
	//
	// Default: - no trigger configured.
	//
	PreAuthentication awslambda.IFunction `field:"optional" json:"preAuthentication" yaml:"preAuthentication"`
	// A pre-registration AWS Lambda trigger.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html
	//
	// Default: - no trigger configured.
	//
	PreSignUp awslambda.IFunction `field:"optional" json:"preSignUp" yaml:"preSignUp"`
	// A pre-token-generation AWS Lambda trigger.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html
	//
	// Default: - no trigger configured.
	//
	PreTokenGeneration awslambda.IFunction `field:"optional" json:"preTokenGeneration" yaml:"preTokenGeneration"`
	// A user-migration AWS Lambda trigger.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-migrate-user.html
	//
	// Default: - no trigger configured.
	//
	UserMigration awslambda.IFunction `field:"optional" json:"userMigration" yaml:"userMigration"`
	// Verifies the authentication challenge response.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-verify-auth-challenge-response.html
	//
	// Default: - no trigger configured.
	//
	VerifyAuthChallengeResponse awslambda.IFunction `field:"optional" json:"verifyAuthChallengeResponse" yaml:"verifyAuthChallengeResponse"`
}
Triggers for a user pool.
Example:
authChallengeFn := lambda.NewFunction(this, jsii.String("authChallengeFn"), &FunctionProps{
	Runtime: lambda.Runtime_NODEJS_LATEST(),
	Handler: jsii.String("index.handler"),
	// Directory that holds the handler code.
	Code: lambda.Code_FromAsset(jsii.String("path/to/asset"), nil),
})

userpool := cognito.NewUserPool(this, jsii.String("myuserpool"), &UserPoolProps{
	// ...
	LambdaTriggers: &UserPoolTriggers{
		CreateAuthChallenge: authChallengeFn,
	},
})

// Triggers can also be attached after the pool is created.
userpool.AddTrigger(cognito.UserPoolOperation_USER_MIGRATION(), lambda.NewFunction(this, jsii.String("userMigrationFn"), &FunctionProps{
	Runtime: lambda.Runtime_NODEJS_LATEST(),
	Handler: jsii.String("index.handler"),
	Code: lambda.Code_FromAsset(jsii.String("path/to/asset"), nil),
}))
type UserVerificationConfig
type UserVerificationConfig struct {
	// The email body template for the verification email sent to the user upon sign up.
	//
	// See https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-templates.html to
	// learn more about message templates.
	// Default: - 'The verification code to your new account is {####}' if VerificationEmailStyle.CODE is chosen,
	// 'Verify your account by clicking on {##Verify Email##}' if VerificationEmailStyle.LINK is chosen.
	//
	EmailBody *string `field:"optional" json:"emailBody" yaml:"emailBody"`
	// Emails can be verified either using a code or a link.
	//
	// Learn more at https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-email-verification-message-customization.html
	// Default: VerificationEmailStyle.CODE
	//
	EmailStyle VerificationEmailStyle `field:"optional" json:"emailStyle" yaml:"emailStyle"`
	// The email subject template for the verification email sent to the user upon sign up.
	//
	// See https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-templates.html to
	// learn more about message templates.
	// Default: 'Verify your new account'.
	//
	EmailSubject *string `field:"optional" json:"emailSubject" yaml:"emailSubject"`
	// The message template for the verification SMS sent to the user upon sign up.
	//
	// See https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-templates.html to
	// learn more about message templates.
	// Default: - 'The verification code to your new account is {####}' if VerificationEmailStyle.CODE is chosen,
	// not configured if VerificationEmailStyle.LINK is chosen
	//
	SmsMessage *string `field:"optional" json:"smsMessage" yaml:"smsMessage"`
}
User pool configuration for user self sign up.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &UserPoolProps{
	// ...
	SelfSignUpEnabled: jsii.Boolean(true),
	UserVerification: &UserVerificationConfig{
		EmailSubject: jsii.String("Verify your email for our awesome app!"),
		EmailBody: jsii.String("Thanks for signing up to our awesome app! Your verification code is {####}"),
		EmailStyle: cognito.VerificationEmailStyle_CODE,
		SmsMessage: jsii.String("Thanks for signing up to our awesome app! Your verification code is {####}"),
	},
})
type VerificationEmailStyle
type VerificationEmailStyle string
The email verification style.
Example:
cognito.NewUserPool(this, jsii.String("myuserpool"), &UserPoolProps{
	// ...
	SelfSignUpEnabled: jsii.Boolean(true),
	UserVerification: &UserVerificationConfig{
		EmailSubject: jsii.String("Verify your email for our awesome app!"),
		EmailBody: jsii.String("Thanks for signing up to our awesome app! Your verification code is {####}"),
		EmailStyle: cognito.VerificationEmailStyle_CODE,
		SmsMessage: jsii.String("Thanks for signing up to our awesome app! Your verification code is {####}"),
	},
})
const (
	// Verify email via code.
	VerificationEmailStyle_CODE VerificationEmailStyle = "CODE"
	// Verify email via link.
	VerificationEmailStyle_LINK VerificationEmailStyle = "LINK"
)
Source Files
- AccountRecovery.go
- AdvancedSecurityMode.go
- AllowedFirstAuthFactors.go
- AnalyticsConfiguration.go
- AttributeMapping.go
- AuthFlow.go
- AutoVerifiedAttrs.go
- BaseUrlOptions.go
- BooleanAttribute.go
- BooleanAttribute__checks.go
- CfnIdentityPool.go
- CfnIdentityPoolPrincipalTag.go
- CfnIdentityPoolPrincipalTagProps.go
- CfnIdentityPoolPrincipalTag__checks.go
- CfnIdentityPoolProps.go
- CfnIdentityPoolRoleAttachment.go
- CfnIdentityPoolRoleAttachmentProps.go
- CfnIdentityPoolRoleAttachment_MappingRuleProperty.go
- CfnIdentityPoolRoleAttachment_RoleMappingProperty.go
- CfnIdentityPoolRoleAttachment_RulesConfigurationTypeProperty.go
- CfnIdentityPoolRoleAttachment__checks.go
- CfnIdentityPool_CognitoIdentityProviderProperty.go
- CfnIdentityPool_CognitoStreamsProperty.go
- CfnIdentityPool_PushSyncProperty.go
- CfnIdentityPool__checks.go
- CfnLogDeliveryConfiguration.go
- CfnLogDeliveryConfigurationProps.go
- CfnLogDeliveryConfiguration_CloudWatchLogsConfigurationProperty.go
- CfnLogDeliveryConfiguration_FirehoseConfigurationProperty.go
- CfnLogDeliveryConfiguration_LogConfigurationProperty.go
- CfnLogDeliveryConfiguration_S3ConfigurationProperty.go
- CfnLogDeliveryConfiguration__checks.go
- CfnManagedLoginBranding.go
- CfnManagedLoginBrandingProps.go
- CfnManagedLoginBranding_AssetTypeProperty.go
- CfnManagedLoginBranding__checks.go
- CfnUserPool.go
- CfnUserPoolClient.go
- CfnUserPoolClientProps.go
- CfnUserPoolClient_AnalyticsConfigurationProperty.go
- CfnUserPoolClient_TokenValidityUnitsProperty.go
- CfnUserPoolClient__checks.go
- CfnUserPoolDomain.go
- CfnUserPoolDomainProps.go
- CfnUserPoolDomain_CustomDomainConfigTypeProperty.go
- CfnUserPoolDomain__checks.go
- CfnUserPoolGroup.go
- CfnUserPoolGroupProps.go
- CfnUserPoolGroup__checks.go
- CfnUserPoolIdentityProvider.go
- CfnUserPoolIdentityProviderProps.go
- CfnUserPoolIdentityProvider__checks.go
- CfnUserPoolProps.go
- CfnUserPoolResourceServer.go
- CfnUserPoolResourceServerProps.go
- CfnUserPoolResourceServer_ResourceServerScopeTypeProperty.go
- CfnUserPoolResourceServer__checks.go
- CfnUserPoolRiskConfigurationAttachment.go
- CfnUserPoolRiskConfigurationAttachmentProps.go
- CfnUserPoolRiskConfigurationAttachment_AccountTakeoverActionTypeProperty.go
- CfnUserPoolRiskConfigurationAttachment_AccountTakeoverActionsTypeProperty.go
- CfnUserPoolRiskConfigurationAttachment_AccountTakeoverRiskConfigurationTypeProperty.go
- CfnUserPoolRiskConfigurationAttachment_CompromisedCredentialsActionsTypeProperty.go
- CfnUserPoolRiskConfigurationAttachment_CompromisedCredentialsRiskConfigurationTypeProperty.go
- CfnUserPoolRiskConfigurationAttachment_NotifyConfigurationTypeProperty.go
- CfnUserPoolRiskConfigurationAttachment_NotifyEmailTypeProperty.go
- CfnUserPoolRiskConfigurationAttachment_RiskExceptionConfigurationTypeProperty.go
- CfnUserPoolRiskConfigurationAttachment__checks.go
- CfnUserPoolUICustomizationAttachment.go
- CfnUserPoolUICustomizationAttachmentProps.go
- CfnUserPoolUICustomizationAttachment__checks.go
- CfnUserPoolUser.go
- CfnUserPoolUserProps.go
- CfnUserPoolUserToGroupAttachment.go
- CfnUserPoolUserToGroupAttachmentProps.go
- CfnUserPoolUserToGroupAttachment__checks.go
- CfnUserPoolUser_AttributeTypeProperty.go
- CfnUserPoolUser__checks.go
- CfnUserPool_AccountRecoverySettingProperty.go
- CfnUserPool_AdminCreateUserConfigProperty.go
- CfnUserPool_AdvancedSecurityAdditionalFlowsProperty.go
- CfnUserPool_CustomEmailSenderProperty.go
- CfnUserPool_CustomSMSSenderProperty.go
- CfnUserPool_DeviceConfigurationProperty.go
- CfnUserPool_EmailConfigurationProperty.go
- CfnUserPool_InviteMessageTemplateProperty.go
- CfnUserPool_LambdaConfigProperty.go
- CfnUserPool_NumberAttributeConstraintsProperty.go
- CfnUserPool_PasswordPolicyProperty.go
- CfnUserPool_PoliciesProperty.go
- CfnUserPool_PreTokenGenerationConfigProperty.go
- CfnUserPool_RecoveryOptionProperty.go
- CfnUserPool_SchemaAttributeProperty.go
- CfnUserPool_SignInPolicyProperty.go
- CfnUserPool_SmsConfigurationProperty.go
- CfnUserPool_StringAttributeConstraintsProperty.go
- CfnUserPool_UserAttributeUpdateSettingsProperty.go
- CfnUserPool_UserPoolAddOnsProperty.go
- CfnUserPool_UsernameConfigurationProperty.go
- CfnUserPool_VerificationMessageTemplateProperty.go
- CfnUserPool__checks.go
- ClientAttributes.go
- ClientAttributes__checks.go
- CognitoDomainOptions.go
- CustomAttributeConfig.go
- CustomAttributeProps.go
- CustomDomainOptions.go
- CustomThreatProtectionMode.go
- DateTimeAttribute.go
- DateTimeAttribute__checks.go
- DeviceTracking.go
- EmailSettings.go
- FeaturePlan.go
- ICustomAttribute.go
- IUserPool.go
- IUserPoolClient.go
- IUserPoolDomain.go
- IUserPoolGroup.go
- IUserPoolIdentityProvider.go
- IUserPoolResourceServer.go
- IUserPool__checks.go
- KeepOriginalAttrs.go
- LambdaVersion.go
- ManagedLoginVersion.go
- Mfa.go
- MfaSecondFactor.go
- NumberAttribute.go
- NumberAttributeConstraints.go
- NumberAttributeProps.go
- NumberAttribute__checks.go
- OAuthFlows.go
- OAuthScope.go
- OAuthScope__checks.go
- OAuthSettings.go
- OidcAttributeRequestMethod.go
- OidcEndpoints.go
- PasskeyUserVerification.go
- PasswordPolicy.go
- ProviderAttribute.go
- ProviderAttribute__checks.go
- ResourceServerScope.go
- ResourceServerScopeProps.go
- ResourceServerScope__checks.go
- SignInAliases.go
- SignInPolicy.go
- SignInUrlOptions.go
- SigningAlgorithm.go
- StandardAttribute.go
- StandardAttributes.go
- StandardAttributesMask.go
- StandardThreatProtectionMode.go
- StringAttribute.go
- StringAttributeConstraints.go
- StringAttributeProps.go
- StringAttribute__checks.go
- UserInvitationConfig.go
- UserPool.go
- UserPoolClient.go
- UserPoolClientIdentityProvider.go
- UserPoolClientIdentityProvider__checks.go
- UserPoolClientOptions.go
- UserPoolClientProps.go
- UserPoolClient__checks.go
- UserPoolDomain.go
- UserPoolDomainOptions.go
- UserPoolDomainProps.go
- UserPoolDomain__checks.go
- UserPoolEmail.go
- UserPoolEmailConfig.go
- UserPoolEmail__checks.go
- UserPoolGroup.go
- UserPoolGroupOptions.go
- UserPoolGroupProps.go
- UserPoolGroup__checks.go
- UserPoolIdentityProvider.go
- UserPoolIdentityProviderAmazon.go
- UserPoolIdentityProviderAmazonProps.go
- UserPoolIdentityProviderAmazon__checks.go
- UserPoolIdentityProviderApple.go
- UserPoolIdentityProviderAppleProps.go
- UserPoolIdentityProviderApple__checks.go
- UserPoolIdentityProviderFacebook.go
- UserPoolIdentityProviderFacebookProps.go
- UserPoolIdentityProviderFacebook__checks.go
- UserPoolIdentityProviderGoogle.go
- UserPoolIdentityProviderGoogleProps.go
- UserPoolIdentityProviderGoogle__checks.go
- UserPoolIdentityProviderOidc.go
- UserPoolIdentityProviderOidcProps.go
- UserPoolIdentityProviderOidc__checks.go
- UserPoolIdentityProviderProps.go
- UserPoolIdentityProviderSaml.go
- UserPoolIdentityProviderSamlMetadata.go
- UserPoolIdentityProviderSamlMetadataType.go
- UserPoolIdentityProviderSamlMetadata__checks.go
- UserPoolIdentityProviderSamlProps.go
- UserPoolIdentityProviderSaml__checks.go
- UserPoolIdentityProvider__checks.go
- UserPoolOperation.go
- UserPoolOperation__checks.go
- UserPoolProps.go
- UserPoolResourceServer.go
- UserPoolResourceServerOptions.go
- UserPoolResourceServerProps.go
- UserPoolResourceServer__checks.go
- UserPoolSESOptions.go
- UserPoolTriggers.go
- UserPool__checks.go
- UserVerificationConfig.go
- VerificationEmailStyle.go
- main.go