awscognito

package
v2.29.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 23, 2022 License: Apache-2.0 Imports: 10 Imported by: 14

README

Amazon Cognito Construct Library

Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, Google or Apple.

The two main components of Amazon Cognito are user pools and identity pools. User pools are user directories that provide sign-up and sign-in options for your app users. Identity pools enable you to grant your users access to other AWS services. Identity Pool L2 Constructs can be found here.

This module is part of the AWS Cloud Development Kit project.

Table of Contents

User Pools

User pools allow creating and managing your own directory of users that can sign up and sign in. They enable easy integration with social identity providers such as Facebook, Google, Amazon, Microsoft Active Directory, etc. through SAML.

Using the CDK, a new user pool can be created as part of the stack using the construct's constructor. You may specify the userPoolName to give your own identifier to the user pool. If not, CloudFormation will generate a name.

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	userPoolName: jsii.String("myawesomeapp-userpool"),
})

The default set up for the user pool is configured such that only administrators will be allowed to create users. Features such as Multi-factor authentication (MFAs) and Lambda Triggers are not configured by default.

Use the grant() method to add an IAM policy statement associated with the user pool to an IAM principal's policy.

userPool := cognito.NewUserPool(this, jsii.String("myuserpool"))
role := iam.NewRole(this, jsii.String("role"), &roleProps{
	assumedBy: iam.NewServicePrincipal(jsii.String("foo")),
})
userPool.grant(role, jsii.String("cognito-idp:AdminCreateUser"))
Sign Up

Users can either be signed up by the app's administrators or can sign themselves up. Once a user has signed up, their account needs to be confirmed. Cognito provides several ways to sign users up and confirm their accounts. Learn more about user sign up here.

When a user signs up, email and SMS messages are used to verify their account and contact methods. The following code snippet configures a user pool with properties relevant to these verification messages -

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	selfSignUpEnabled: jsii.Boolean(true),
	userVerification: &userVerificationConfig{
		emailSubject: jsii.String("Verify your email for our awesome app!"),
		emailBody: jsii.String("Thanks for signing up to our awesome app! Your verification code is {####}"),
		emailStyle: cognito.verificationEmailStyle_CODE,
		smsMessage: jsii.String("Thanks for signing up to our awesome app! Your verification code is {####}"),
	},
})

By default, self sign up is disabled. Learn more about email and SMS verification messages here.

Besides users signing themselves up, an administrator of any user pool can sign users up. The user then receives an invitation to join the user pool. The following code snippet configures a user pool with properties relevant to the invitation messages -

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	userInvitation: &userInvitationConfig{
		emailSubject: jsii.String("Invite to join our awesome app!"),
		emailBody: jsii.String("Hello {username}, you have been invited to join our awesome app! Your temporary password is {####}"),
		smsMessage: jsii.String("Hello {username}, your temporary password for our awesome app is {####}"),
	},
})

All email subjects, bodies and SMS messages for both invitation and verification support Cognito's message templating. Learn more about message templates here.

Sign In

Users registering or signing in into your application can do so with multiple identifiers. There are 4 options available:

  • username: Allow signing in using the one time immutable user name that the user chose at the time of sign up.
  • email: Allow signing in using the email address that is associated with the account.
  • phone: Allow signing in using the phone number that is associated with the account.
  • preferredUsername: Allow signing in with an alternate user name that the user can change at any time. However, this is not available if the username option is not chosen.

The following code sets up a user pool so that the user can sign in with either their username or their email address -

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	// ...
	signInAliases: &signInAliases{
		username: jsii.Boolean(true),
		email: jsii.Boolean(true),
	},
})

User pools can either be configured so that user name is primary sign in form, but also allows for the other three to be used additionally; or it can be configured so that email and/or phone numbers are the only ways a user can register and sign in. Read more about this here.

⚠️ The Cognito service prevents changing the signInAlias property for an existing user pool.

To match with 'Option 1' in the above link, with a verified email, signInAliases should be set to { username: true, email: true }. To match with 'Option 2' in the above link with both a verified email and phone number, this property should be set to { email: true, phone: true }.

Cognito recommends that email and phone number be automatically verified, if they are one of the sign in methods for the user pool. Read more about that here. The CDK does this by default, when email and/or phone number are specified as part of signInAliases. This can be overridden by specifying the autoVerify property.

The following code snippet sets up only email as a sign in alias, but both email and phone number to be auto-verified.

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	// ...
	signInAliases: &signInAliases{
		username: jsii.Boolean(true),
		email: jsii.Boolean(true),
	},
	autoVerify: &autoVerifiedAttrs{
		email: jsii.Boolean(true),
		phone: jsii.Boolean(true),
	},
})

A user pool can optionally ignore case when evaluating sign-ins. When signInCaseSensitive is false, Cognito will not check the capitalization of the alias when signing in. Default is true.

Attributes

Attributes represent the various properties of each user that's collected and stored in the user pool. Cognito provides a set of standard attributes that are available for all user pools. Users are allowed to select any of these standard attributes to be required. Users will not be able to sign up to the user pool without providing the required attributes. Besides these, additional attributes can be further defined, and are known as custom attributes.

Learn more on attributes in Cognito's documentation.

The following code configures a user pool with two standard attributes (name and address) as required and mutable, and adds four custom attributes.

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	standardAttributes: &standardAttributes{
		fullname: &standardAttribute{
			required: jsii.Boolean(true),
			mutable: jsii.Boolean(false),
		},
		address: &standardAttribute{
			required: jsii.Boolean(false),
			mutable: jsii.Boolean(true),
		},
	},
	customAttributes: map[string]iCustomAttribute{
		"myappid": cognito.NewStringAttribute(&StringAttributeProps{
			"minLen": jsii.Number(5),
			"maxLen": jsii.Number(15),
			"mutable": jsii.Boolean(false),
		}),
		"callingcode": cognito.NewNumberAttribute(&NumberAttributeProps{
			"min": jsii.Number(1),
			"max": jsii.Number(3),
			"mutable": jsii.Boolean(true),
		}),
		"isEmployee": cognito.NewBooleanAttribute(&CustomAttributeProps{
			"mutable": jsii.Boolean(true),
		}),
		"joinedOn": cognito.NewDateTimeAttribute(),
	},
})

As shown in the code snippet, there are data types that are available for custom attributes. The 'String' and 'Number' data types allow for further constraints on their length and values, respectively.

Custom attributes cannot be marked as required.

All custom attributes share the property mutable that specifies whether the value of the attribute can be changed. The default value is false.

User pools come with two 'built-in' attributes - email_verified and phone_number_verified. These cannot be configured (required-ness or mutability) as part of user pool creation. However, user pool administrators can modify them for specific users using the AdminUpdateUserAttributes API.

Security

Cognito sends various messages to its users via SMS, for different actions, ranging from account verification to marketing. In order to send SMS messages, Cognito needs an IAM role that it can assume, with permissions that allow it to send SMS messages.

By default, the CDK looks at all of the specified properties (and their defaults when not explicitly specified) and automatically creates an SMS role, when needed. For example, if MFA second factor by SMS is enabled, the CDK will create a new role. The smsRole property can be used to specify the user supplied role that should be used instead. Additionally, the property enableSmsRole can be used to override the CDK's default behaviour to either enable or suppress automatic role creation.

poolSmsRole := iam.NewRole(this, jsii.String("userpoolsmsrole"), &roleProps{
	assumedBy: iam.NewServicePrincipal(jsii.String("foo")),
})

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	smsRole: poolSmsRole,
	smsRoleExternalId: jsii.String("c87467be-4f34-11ea-b77f-2e728ce88125"),
})

When the smsRole property is specified, the smsRoleExternalId may also be specified. The value of smsRoleExternalId will be used as the sts:ExternalId when the Cognito service assumes the role. In turn, the role's assume role policy should be configured to accept this value as the ExternalId. Learn more about ExternalId here.

Multi-factor Authentication (MFA)

User pools can be configured to enable multi-factor authentication (MFA). It can either be turned off, set to optional or made required. Setting MFA to optional means that individual users can choose to enable it. Additionally, the MFA code can be sent either via SMS text message or via a time-based software token. See the documentation on MFA to learn more.

The following code snippet marks MFA for the user pool as required. This means that all users are required to configure an MFA token and use it for sign in. It also allows for the users to use both SMS based MFA, as well, time-based one time password (TOTP).

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	mfa: cognito.mfa_REQUIRED,
	mfaSecondFactor: &mfaSecondFactor{
		sms: jsii.Boolean(true),
		otp: jsii.Boolean(true),
	},
})

User pools can be configured with policies around a user's password. This includes the password length and the character sets that they must contain.

Further to this, it can also be configured with the validity of the auto-generated temporary password. A temporary password is generated by the user pool either when an admin signs up a user or when a password reset is requested. The validity of this password dictates how long to give the user to use this password before expiring it.

The following code snippet configures these properties -

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	passwordPolicy: &passwordPolicy{
		minLength: jsii.Number(12),
		requireLowercase: jsii.Boolean(true),
		requireUppercase: jsii.Boolean(true),
		requireDigits: jsii.Boolean(true),
		requireSymbols: jsii.Boolean(true),
		tempPasswordValidity: awscdk.Duration.days(jsii.Number(3)),
	},
})

Note that, tempPasswordValidity can be specified only in whole days. Specifying fractional days would throw an error.

Account Recovery Settings

User pools can be configured on which method a user should use when recovering the password for their account. This can either be email and/or SMS. Read more at Recovering User Accounts

cognito.NewUserPool(this, jsii.String("UserPool"), &userPoolProps{
	// ...
	accountRecovery: cognito.accountRecovery_EMAIL_ONLY,
})

The default for account recovery is by phone if available and by email otherwise. A user will not be allowed to reset their password via phone if they are also using it for MFA.

Emails

Cognito sends emails to users in the user pool, when particular actions take place, such as welcome emails, invitation emails, password resets, etc. The address from which these emails are sent can be configured on the user pool. Read more at Email settings for User Pools.

By default, user pools are configured to use Cognito's built in email capability, which will send emails from no-reply@verificationemail.com. If you want to use a custom email address you can configure Cognito to send emails through Amazon SES, which is detailed below.

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	email: cognito.userPoolEmail.withCognito(jsii.String("support@myawesomeapp.com")),
})

For typical production environments, the default email limit is below the required delivery volume. To enable a higher delivery volume, you can configure the UserPool to send emails through Amazon SES. To do so, follow the steps in the Cognito Developer Guide to verify an email address, move the account out of the SES sandbox, and grant Cognito email permissions via an authorization policy.

Once the SES setup is complete, the UserPool can be configured to use the SES email.

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	email: cognito.userPoolEmail.withSES(&userPoolSESOptions{
		fromEmail: jsii.String("noreply@myawesomeapp.com"),
		fromName: jsii.String("Awesome App"),
		replyTo: jsii.String("support@myawesomeapp.com"),
	}),
})

Sending emails through SES requires that SES be configured (as described above) in a valid SES region. If the UserPool is being created in a different region, sesRegion must be used to specify the correct SES region.

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	email: cognito.userPoolEmail.withSES(&userPoolSESOptions{
		sesRegion: jsii.String("us-east-1"),
		fromEmail: jsii.String("noreply@myawesomeapp.com"),
		fromName: jsii.String("Awesome App"),
		replyTo: jsii.String("support@myawesomeapp.com"),
	}),
})

When sending emails from an SES verified domain, sesVerifiedDomain can be used to specify the domain. The email address does not need to be verified when sending emails from a verified domain, because the identity of the email configuration is can be determined from the domain alone.

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	email: cognito.userPoolEmail.withSES(&userPoolSESOptions{
		sesRegion: jsii.String("us-east-1"),
		fromEmail: jsii.String("noreply@myawesomeapp.com"),
		fromName: jsii.String("Awesome App"),
		replyTo: jsii.String("support@myawesomeapp.com"),
		sesVerifiedDomain: jsii.String("myawesomeapp.com"),
	}),
})
Device Tracking

User pools can be configured to track devices that users have logged in to. Read more at Device Tracking

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	deviceTracking: &deviceTracking{
		challengeRequiredOnNewDevice: jsii.Boolean(true),
		deviceOnlyRememberedOnUserPrompt: jsii.Boolean(true),
	},
})

The default is to not track devices.

Lambda Triggers

User pools can be configured such that AWS Lambda functions can be triggered when certain user operations or actions occur, such as, sign up, user confirmation, sign in, etc. They can also be used to add custom authentication challenges, user migrations and custom verification messages. Learn more about triggers at User Pool Workflows with Triggers.

Lambda triggers can either be specified as part of the UserPool initialization, or it can be added later, via methods on the construct, as so -

authChallengeFn := lambda.NewFunction(this, jsii.String("authChallengeFn"), &functionProps{
	runtime: lambda.runtime_NODEJS_14_X(),
	handler: jsii.String("index.handler"),
	code: lambda.code.fromAsset(path.join(__dirname, jsii.String("path/to/asset"))),
})

userpool := cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	lambdaTriggers: &userPoolTriggers{
		createAuthChallenge: authChallengeFn,
	},
})

userpool.addTrigger(cognito.userPoolOperation_USER_MIGRATION(), lambda.NewFunction(this, jsii.String("userMigrationFn"), &functionProps{
	runtime: lambda.*runtime_NODEJS_14_X(),
	handler: jsii.String("index.handler"),
	code: lambda.*code.fromAsset(path.join(__dirname, jsii.String("path/to/asset"))),
}))

The following table lists the set of triggers available, and their corresponding method to add it to the user pool. For more information on the function of these triggers and how to configure them, read User Pool Workflows with Triggers.

Trigger Permissions

The function.attachToRolePolicy() API can be used to add additional IAM permissions to the lambda trigger as necessary.

⚠️ Using the attachToRolePolicy API to provide permissions to your user pool will result in a circular dependency. See aws/aws-cdk#7016. Error message when running cdk synth or cdk deploy:

Circular dependency between resources: [pool056F3F7E, fnPostAuthFnCognitoA630A2B1, ...]

To work around the circular dependency issue, use the attachInlinePolicy() API instead, as shown below.

var postAuthFn function


userpool := cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	lambdaTriggers: &userPoolTriggers{
		postAuthentication: postAuthFn,
	},
})

// provide permissions to describe the user pool scoped to the ARN the user pool
postAuthFn.role.attachInlinePolicy(iam.NewPolicy(this, jsii.String("userpool-policy"), &policyProps{
	statements: []policyStatement{
		iam.NewPolicyStatement(&policyStatementProps{
			actions: []*string{
				jsii.String("cognito-idp:DescribeUserPool"),
			},
			resources: []*string{
				userpool.userPoolArn,
			},
		}),
	},
}))
Importing User Pools

Any user pool that has been created outside of this stack, can be imported into the CDK app. Importing a user pool allows for it to be used in other parts of the CDK app that reference an IUserPool. However, imported user pools have limited configurability. As a rule of thumb, none of the properties that are part of the AWS::Cognito::UserPool CloudFormation resource can be configured.

User pools can be imported either using their id via the UserPool.fromUserPoolId(), or by using their ARN, via the UserPool.fromUserPoolArn() API.

awesomePool := cognito.userPool.fromUserPoolId(this, jsii.String("awesome-user-pool"), jsii.String("us-east-1_oiuR12Abd"))

otherAwesomePool := cognito.userPool.fromUserPoolArn(this, jsii.String("other-awesome-user-pool"), jsii.String("arn:aws:cognito-idp:eu-west-1:123456789012:userpool/us-east-1_mtRyYQ14D"))
Identity Providers

Users that are part of a user pool can sign in either directly through a user pool, or federate through a third-party identity provider. Once configured, the Cognito backend will take care of integrating with the third-party provider. Read more about Adding User Pool Sign-in Through a Third Party.

The following third-party identity providers are currently supported in the CDK -

The following code configures a user pool to federate with the third party provider, 'Login with Amazon'. The identity provider needs to be configured with a set of credentials that the Cognito backend can use to federate with the third-party identity provider.

userpool := cognito.NewUserPool(this, jsii.String("Pool"))

provider := cognito.NewUserPoolIdentityProviderAmazon(this, jsii.String("Amazon"), &userPoolIdentityProviderAmazonProps{
	clientId: jsii.String("amzn-client-id"),
	clientSecret: jsii.String("amzn-client-secret"),
	userPool: userpool,
})

Attribute mapping allows mapping attributes provided by the third-party identity providers to standard and custom attributes of the user pool. Learn more about Specifying Identity Provider Attribute Mappings for Your User Pool.

The following code shows how different attributes provided by 'Login With Amazon' can be mapped to standard and custom user pool attributes.

userpool := cognito.NewUserPool(this, jsii.String("Pool"))

cognito.NewUserPoolIdentityProviderAmazon(this, jsii.String("Amazon"), &userPoolIdentityProviderAmazonProps{
	clientId: jsii.String("amzn-client-id"),
	clientSecret: jsii.String("amzn-client-secret"),
	userPool: userpool,
	attributeMapping: &attributeMapping{
		email: cognito.providerAttribute_AMAZON_EMAIL(),
		website: cognito.*providerAttribute.other(jsii.String("url")),
		 // use other() when an attribute is not pre-defined in the CDK
		custom: map[string]*providerAttribute{
			// custom user pool attributes go here
			"uniqueId": cognito.*providerAttribute_AMAZON_USER_ID(),
		},
	},
})
App Clients

An app is an entity within a user pool that has permission to call unauthenticated APIs (APIs that do not have an authenticated user), such as APIs to register, sign in, and handle forgotten passwords. To call these APIs, you need an app client ID and an optional client secret. Read Configuring a User Pool App Client to learn more.

The following code creates an app client and retrieves the client id -

pool := cognito.NewUserPool(this, jsii.String("pool"))
client := pool.addClient(jsii.String("customer-app-client"))
clientId := client.userPoolClientId

Existing app clients can be imported into the CDK app using the UserPoolClient.fromUserPoolClientId() API. For new and imported user pools, clients can also be created via the UserPoolClient constructor, as so -

importedPool := cognito.userPool.fromUserPoolId(this, jsii.String("imported-pool"), jsii.String("us-east-1_oiuR12Abd"))
cognito.NewUserPoolClient(this, jsii.String("customer-app-client"), &userPoolClientProps{
	userPool: importedPool,
})

Clients can be configured with authentication flows. Authentication flows allow users on a client to be authenticated with a user pool. Cognito user pools provide several different types of authentication, such as, SRP (Secure Remote Password) authentication, username-and-password authentication, etc. Learn more about this at UserPool Authentication Flow.

The following code configures a client to use both SRP and username-and-password authentication -

pool := cognito.NewUserPool(this, jsii.String("pool"))
pool.addClient(jsii.String("app-client"), &userPoolClientOptions{
	authFlows: &authFlow{
		userPassword: jsii.Boolean(true),
		userSrp: jsii.Boolean(true),
	},
})

Custom authentication protocols can be configured by setting the custom property under authFlow and defining lambda functions for the corresponding user pool triggers. Learn more at Custom Authentication Flow.

In addition to these authentication mechanisms, Cognito user pools also support using OAuth 2.0 framework for authenticating users. User pool clients can be configured with OAuth 2.0 authorization flows and scopes. Learn more about the OAuth 2.0 authorization framework and Cognito user pool's implementation of OAuth2.0.

The following code configures an app client with the authorization code grant flow and registers the the app's welcome page as a callback (or redirect) URL. It also configures the access token scope to 'openid'. All of these concepts can be found in the OAuth 2.0 RFC.

pool := cognito.NewUserPool(this, jsii.String("Pool"))
pool.addClient(jsii.String("app-client"), &userPoolClientOptions{
	oAuth: &oAuthSettings{
		flows: &oAuthFlows{
			authorizationCodeGrant: jsii.Boolean(true),
		},
		scopes: []oAuthScope{
			cognito.*oAuthScope_OPENID(),
		},
		callbackUrls: []*string{
			jsii.String("https://my-app-domain.com/welcome"),
		},
		logoutUrls: []*string{
			jsii.String("https://my-app-domain.com/signin"),
		},
	},
})

An app client can be configured to prevent user existence errors. This instructs the Cognito authentication API to return generic authentication failure responses instead of an UserNotFoundException. By default, the flag is not set, which means the CloudFormation default (false) will be used. See the documentation for the full details on the behavior of this flag.

pool := cognito.NewUserPool(this, jsii.String("Pool"))
pool.addClient(jsii.String("app-client"), &userPoolClientOptions{
	preventUserExistenceErrors: jsii.Boolean(true),
})

All identity providers created in the CDK app are automatically registered into the corresponding user pool. All app clients created in the CDK have all of the identity providers enabled by default. The 'Cognito' identity provider, that allows users to register and sign in directly with the Cognito user pool, is also enabled by default. Alternatively, the list of supported identity providers for a client can be explicitly specified -

pool := cognito.NewUserPool(this, jsii.String("Pool"))
pool.addClient(jsii.String("app-client"), &userPoolClientOptions{
	// ...
	supportedIdentityProviders: []userPoolClientIdentityProvider{
		cognito.*userPoolClientIdentityProvider_AMAZON(),
		cognito.*userPoolClientIdentityProvider_COGNITO(),
	},
})

If the identity provider and the app client are created in the same stack, specify the dependency between both constructs to make sure that the identity provider already exists when the app client will be created. The app client cannot handle the dependency to the identity provider automatically because the client does not have access to the provider's construct.

pool := cognito.NewUserPool(this, jsii.String("Pool"))
provider := cognito.NewUserPoolIdentityProviderAmazon(this, jsii.String("Amazon"), &userPoolIdentityProviderAmazonProps{
	userPool: pool,
	clientId: jsii.String("amzn-client-id"),
	clientSecret: jsii.String("amzn-client-secret"),
})

client := pool.addClient(jsii.String("app-client"), &userPoolClientOptions{
	// ...
	supportedIdentityProviders: []userPoolClientIdentityProvider{
		cognito.*userPoolClientIdentityProvider_AMAZON(),
	},
})

client.node.addDependency(provider)

In accordance with the OIDC open standard, Cognito user pool clients provide access tokens, ID tokens and refresh tokens. More information is available at Using Tokens with User Pools. The expiration time for these tokens can be configured as shown below.

pool := cognito.NewUserPool(this, jsii.String("Pool"))
pool.addClient(jsii.String("app-client"), &userPoolClientOptions{
	// ...
	accessTokenValidity: awscdk.Duration.minutes(jsii.Number(60)),
	idTokenValidity: awscdk.Duration.minutes(jsii.Number(60)),
	refreshTokenValidity: awscdk.Duration.days(jsii.Number(30)),
})

Clients can (and should) be allowed to read and write relevant user attributes only. Usually every client can be allowed to read the given_name attribute but not every client should be allowed to set the email_verified attribute. The same criteria applies for both standard and custom attributes, more info is available at Attribute Permissions and Scopes. The default behaviour is to allow read and write permissions on all attributes. The following code shows how this can be configured for a client.

pool := cognito.NewUserPool(this, jsii.String("Pool"))

clientWriteAttributes := (cognito.NewClientAttributes()).withStandardAttributes(&standardAttributesMask{
	fullname: jsii.Boolean(true),
	email: jsii.Boolean(true),
}).withCustomAttributes(jsii.String("favouritePizza"), jsii.String("favouriteBeverage"))

clientReadAttributes := clientWriteAttributes.withStandardAttributes(&standardAttributesMask{
	emailVerified: jsii.Boolean(true),
}).withCustomAttributes(jsii.String("pointsEarned"))

pool.addClient(jsii.String("app-client"), &userPoolClientOptions{
	// ...
	readAttributes: clientReadAttributes,
	writeAttributes: clientWriteAttributes,
})

Token revocation can be configured to be able to revoke refresh tokens in app clients. By default, token revocation is enabled for new user pools. The property can be used to enable the token revocation in existing app clients or to change the default behavior.

pool := cognito.NewUserPool(this, jsii.String("Pool"))
pool.addClient(jsii.String("app-client"), &userPoolClientOptions{
	// ...
	enableTokenRevocation: jsii.Boolean(true),
})
Resource Servers

A resource server is a server for access-protected resources. It handles authenticated requests from an app that has an access token. See Defining Resource Servers for more information.

An application may choose to model custom permissions via OAuth. Resource Servers provide this capability via custom scopes that are attached to an app client. The following example sets up a resource server for the 'users' resource for two different app clients and configures the clients to use these scopes.

pool := cognito.NewUserPool(this, jsii.String("Pool"))

readOnlyScope := cognito.NewResourceServerScope(&resourceServerScopeProps{
	scopeName: jsii.String("read"),
	scopeDescription: jsii.String("Read-only access"),
})
fullAccessScope := cognito.NewResourceServerScope(&resourceServerScopeProps{
	scopeName: jsii.String("*"),
	scopeDescription: jsii.String("Full access"),
})

userServer := pool.addResourceServer(jsii.String("ResourceServer"), &userPoolResourceServerOptions{
	identifier: jsii.String("users"),
	scopes: []resourceServerScope{
		readOnlyScope,
		fullAccessScope,
	},
})

readOnlyClient := pool.addClient(jsii.String("read-only-client"), &userPoolClientOptions{
	// ...
	oAuth: &oAuthSettings{
		// ...
		scopes: []oAuthScope{
			cognito.*oAuthScope.resourceServer(userServer, readOnlyScope),
		},
	},
})

fullAccessClient := pool.addClient(jsii.String("full-access-client"), &userPoolClientOptions{
	// ...
	oAuth: &oAuthSettings{
		// ...
		scopes: []*oAuthScope{
			cognito.*oAuthScope.resourceServer(userServer, fullAccessScope),
		},
	},
})
Domains

After setting up an app client, the address for the user pool's sign-up and sign-in webpages can be configured using domains. There are two ways to set up a domain - either the Amazon Cognito hosted domain can be chosen with an available domain prefix, or a custom domain name can be chosen. The custom domain must be one that is already owned, and whose certificate is registered in AWS Certificate Manager.

The following code sets up a user pool domain in Amazon Cognito hosted domain with the prefix 'my-awesome-app', and another domain with the custom domain 'user.myapp.com' -

pool := cognito.NewUserPool(this, jsii.String("Pool"))

pool.addDomain(jsii.String("CognitoDomain"), &userPoolDomainOptions{
	cognitoDomain: &cognitoDomainOptions{
		domainPrefix: jsii.String("my-awesome-app"),
	},
})

certificateArn := "arn:aws:acm:us-east-1:123456789012:certificate/11-3336f1-44483d-adc7-9cd375c5169d"

domainCert := certificatemanager.certificate.fromCertificateArn(this, jsii.String("domainCert"), certificateArn)
pool.addDomain(jsii.String("CustomDomain"), &userPoolDomainOptions{
	customDomain: &customDomainOptions{
		domainName: jsii.String("user.myapp.com"),
		certificate: domainCert,
	},
})

Read more about Using the Amazon Cognito Domain and Using Your Own Domain.

The signInUrl() methods returns the fully qualified URL to the login page for the user pool. This page comes from the hosted UI configured with Cognito. Learn more at Hosted UI with the Amazon Cognito Console.

userpool := cognito.NewUserPool(this, jsii.String("UserPool"), &userPoolProps{
})
client := userpool.addClient(jsii.String("Client"), &userPoolClientOptions{
	// ...
	oAuth: &oAuthSettings{
		flows: &oAuthFlows{
			implicitCodeGrant: jsii.Boolean(true),
		},
		callbackUrls: []*string{
			jsii.String("https://myapp.com/home"),
			jsii.String("https://myapp.com/users"),
		},
	},
})
domain := userpool.addDomain(jsii.String("Domain"), &userPoolDomainOptions{
})
signInUrl := domain.signInUrl(client, &signInUrlOptions{
	redirectUri: jsii.String("https://myapp.com/home"),
})

Existing domains can be imported into CDK apps using UserPoolDomain.fromDomainName() API

myUserPoolDomain := cognito.userPoolDomain.fromDomainName(this, jsii.String("my-user-pool-domain"), jsii.String("domain-name"))

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CfnIdentityPoolRoleAttachment_CFN_RESOURCE_TYPE_NAME 

func CfnIdentityPoolRoleAttachment_CFN_RESOURCE_TYPE_NAME() *string

func CfnIdentityPoolRoleAttachment_IsCfnElement 

func CfnIdentityPoolRoleAttachment_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element.

func CfnIdentityPoolRoleAttachment_IsCfnResource 

func CfnIdentityPoolRoleAttachment_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource.

func CfnIdentityPoolRoleAttachment_IsConstruct 

func CfnIdentityPoolRoleAttachment_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead.

Returns: true if `x` is an object created from a class which extends `Construct`.

func CfnIdentityPool_CFN_RESOURCE_TYPE_NAME 

func CfnIdentityPool_CFN_RESOURCE_TYPE_NAME() *string

func CfnIdentityPool_IsCfnElement 

func CfnIdentityPool_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element.

func CfnIdentityPool_IsCfnResource 

func CfnIdentityPool_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource.

func CfnIdentityPool_IsConstruct 

func CfnIdentityPool_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead.

Returns: true if `x` is an object created from a class which extends `Construct`.

func CfnUserPoolClient_CFN_RESOURCE_TYPE_NAME 

func CfnUserPoolClient_CFN_RESOURCE_TYPE_NAME() *string

func CfnUserPoolClient_IsCfnElement 

func CfnUserPoolClient_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element.

func CfnUserPoolClient_IsCfnResource 

func CfnUserPoolClient_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource.

func CfnUserPoolClient_IsConstruct 

func CfnUserPoolClient_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead.

Returns: true if `x` is an object created from a class which extends `Construct`.

func CfnUserPoolDomain_CFN_RESOURCE_TYPE_NAME 

func CfnUserPoolDomain_CFN_RESOURCE_TYPE_NAME() *string

func CfnUserPoolDomain_IsCfnElement 

func CfnUserPoolDomain_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element.

func CfnUserPoolDomain_IsCfnResource 

func CfnUserPoolDomain_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource.

func CfnUserPoolDomain_IsConstruct 

func CfnUserPoolDomain_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead.

Returns: true if `x` is an object created from a class which extends `Construct`.

func CfnUserPoolGroup_CFN_RESOURCE_TYPE_NAME 

func CfnUserPoolGroup_CFN_RESOURCE_TYPE_NAME() *string

func CfnUserPoolGroup_IsCfnElement 

func CfnUserPoolGroup_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element.

func CfnUserPoolGroup_IsCfnResource 

func CfnUserPoolGroup_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource.

func CfnUserPoolGroup_IsConstruct 

func CfnUserPoolGroup_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead.

Returns: true if `x` is an object created from a class which extends `Construct`.

func CfnUserPoolIdentityProvider_CFN_RESOURCE_TYPE_NAME 

func CfnUserPoolIdentityProvider_CFN_RESOURCE_TYPE_NAME() *string

func CfnUserPoolIdentityProvider_IsCfnElement 

func CfnUserPoolIdentityProvider_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element.

func CfnUserPoolIdentityProvider_IsCfnResource 

func CfnUserPoolIdentityProvider_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource.

func CfnUserPoolIdentityProvider_IsConstruct 

func CfnUserPoolIdentityProvider_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead.

Returns: true if `x` is an object created from a class which extends `Construct`.

func CfnUserPoolResourceServer_CFN_RESOURCE_TYPE_NAME 

func CfnUserPoolResourceServer_CFN_RESOURCE_TYPE_NAME() *string

func CfnUserPoolResourceServer_IsCfnElement 

func CfnUserPoolResourceServer_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element.

func CfnUserPoolResourceServer_IsCfnResource 

func CfnUserPoolResourceServer_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource.

func CfnUserPoolResourceServer_IsConstruct 

func CfnUserPoolResourceServer_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead.

Returns: true if `x` is an object created from a class which extends `Construct`.

func CfnUserPoolRiskConfigurationAttachment_CFN_RESOURCE_TYPE_NAME 

func CfnUserPoolRiskConfigurationAttachment_CFN_RESOURCE_TYPE_NAME() *string

func CfnUserPoolRiskConfigurationAttachment_IsCfnElement 

func CfnUserPoolRiskConfigurationAttachment_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element.

func CfnUserPoolRiskConfigurationAttachment_IsCfnResource 

func CfnUserPoolRiskConfigurationAttachment_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource.

func CfnUserPoolRiskConfigurationAttachment_IsConstruct 

func CfnUserPoolRiskConfigurationAttachment_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead.

Returns: true if `x` is an object created from a class which extends `Construct`.

func CfnUserPoolUICustomizationAttachment_CFN_RESOURCE_TYPE_NAME 

func CfnUserPoolUICustomizationAttachment_CFN_RESOURCE_TYPE_NAME() *string

func CfnUserPoolUICustomizationAttachment_IsCfnElement 

func CfnUserPoolUICustomizationAttachment_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element.

func CfnUserPoolUICustomizationAttachment_IsCfnResource 

func CfnUserPoolUICustomizationAttachment_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource.

func CfnUserPoolUICustomizationAttachment_IsConstruct 

func CfnUserPoolUICustomizationAttachment_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead.

Returns: true if `x` is an object created from a class which extends `Construct`.

func CfnUserPoolUserToGroupAttachment_CFN_RESOURCE_TYPE_NAME 

func CfnUserPoolUserToGroupAttachment_CFN_RESOURCE_TYPE_NAME() *string

func CfnUserPoolUserToGroupAttachment_IsCfnElement 

func CfnUserPoolUserToGroupAttachment_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element.

func CfnUserPoolUserToGroupAttachment_IsCfnResource 

func CfnUserPoolUserToGroupAttachment_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource.

func CfnUserPoolUserToGroupAttachment_IsConstruct 

func CfnUserPoolUserToGroupAttachment_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead.

Returns: true if `x` is an object created from a class which extends `Construct`.

func CfnUserPoolUser_CFN_RESOURCE_TYPE_NAME 

func CfnUserPoolUser_CFN_RESOURCE_TYPE_NAME() *string

func CfnUserPoolUser_IsCfnElement 

func CfnUserPoolUser_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element.

func CfnUserPoolUser_IsCfnResource 

func CfnUserPoolUser_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource.

func CfnUserPoolUser_IsConstruct 

func CfnUserPoolUser_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead.

Returns: true if `x` is an object created from a class which extends `Construct`.

func CfnUserPool_CFN_RESOURCE_TYPE_NAME 

func CfnUserPool_CFN_RESOURCE_TYPE_NAME() *string

func CfnUserPool_IsCfnElement 

func CfnUserPool_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element.

func CfnUserPool_IsCfnResource 

func CfnUserPool_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource.

func CfnUserPool_IsConstruct 

func CfnUserPool_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead.

Returns: true if `x` is an object created from a class which extends `Construct`.

func NewBooleanAttribute_Override 

func NewBooleanAttribute_Override(b BooleanAttribute, props *CustomAttributeProps)

func NewCfnIdentityPoolRoleAttachment_Override 

func NewCfnIdentityPoolRoleAttachment_Override(c CfnIdentityPoolRoleAttachment, scope constructs.Construct, id *string, props *CfnIdentityPoolRoleAttachmentProps)

Create a new `AWS::Cognito::IdentityPoolRoleAttachment`.

func NewCfnIdentityPool_Override 

func NewCfnIdentityPool_Override(c CfnIdentityPool, scope constructs.Construct, id *string, props *CfnIdentityPoolProps)

Create a new `AWS::Cognito::IdentityPool`.

func NewCfnUserPoolClient_Override 

func NewCfnUserPoolClient_Override(c CfnUserPoolClient, scope constructs.Construct, id *string, props *CfnUserPoolClientProps)

Create a new `AWS::Cognito::UserPoolClient`.

func NewCfnUserPoolDomain_Override 

func NewCfnUserPoolDomain_Override(c CfnUserPoolDomain, scope constructs.Construct, id *string, props *CfnUserPoolDomainProps)

Create a new `AWS::Cognito::UserPoolDomain`.

func NewCfnUserPoolGroup_Override 

func NewCfnUserPoolGroup_Override(c CfnUserPoolGroup, scope constructs.Construct, id *string, props *CfnUserPoolGroupProps)

Create a new `AWS::Cognito::UserPoolGroup`.

func NewCfnUserPoolIdentityProvider_Override 

func NewCfnUserPoolIdentityProvider_Override(c CfnUserPoolIdentityProvider, scope constructs.Construct, id *string, props *CfnUserPoolIdentityProviderProps)

Create a new `AWS::Cognito::UserPoolIdentityProvider`.

func NewCfnUserPoolResourceServer_Override 

func NewCfnUserPoolResourceServer_Override(c CfnUserPoolResourceServer, scope constructs.Construct, id *string, props *CfnUserPoolResourceServerProps)

Create a new `AWS::Cognito::UserPoolResourceServer`.

func NewCfnUserPoolRiskConfigurationAttachment_Override 

func NewCfnUserPoolRiskConfigurationAttachment_Override(c CfnUserPoolRiskConfigurationAttachment, scope constructs.Construct, id *string, props *CfnUserPoolRiskConfigurationAttachmentProps)

Create a new `AWS::Cognito::UserPoolRiskConfigurationAttachment`.

func NewCfnUserPoolUICustomizationAttachment_Override 

func NewCfnUserPoolUICustomizationAttachment_Override(c CfnUserPoolUICustomizationAttachment, scope constructs.Construct, id *string, props *CfnUserPoolUICustomizationAttachmentProps)

Create a new `AWS::Cognito::UserPoolUICustomizationAttachment`.

func NewCfnUserPoolUserToGroupAttachment_Override 

func NewCfnUserPoolUserToGroupAttachment_Override(c CfnUserPoolUserToGroupAttachment, scope constructs.Construct, id *string, props *CfnUserPoolUserToGroupAttachmentProps)

Create a new `AWS::Cognito::UserPoolUserToGroupAttachment`.

func NewCfnUserPoolUser_Override 

func NewCfnUserPoolUser_Override(c CfnUserPoolUser, scope constructs.Construct, id *string, props *CfnUserPoolUserProps)

Create a new `AWS::Cognito::UserPoolUser`.

func NewCfnUserPool_Override 

func NewCfnUserPool_Override(c CfnUserPool, scope constructs.Construct, id *string, props *CfnUserPoolProps)

Create a new `AWS::Cognito::UserPool`.

func NewClientAttributes_Override 

func NewClientAttributes_Override(c ClientAttributes)

Creates a ClientAttributes with the specified attributes.

func NewDateTimeAttribute_Override 

func NewDateTimeAttribute_Override(d DateTimeAttribute, props *CustomAttributeProps)

func NewNumberAttribute_Override 

func NewNumberAttribute_Override(n NumberAttribute, props *NumberAttributeProps)

func NewResourceServerScope_Override 

func NewResourceServerScope_Override(r ResourceServerScope, props *ResourceServerScopeProps)

func NewStringAttribute_Override 

func NewStringAttribute_Override(s StringAttribute, props *StringAttributeProps)

func NewUserPoolClient_Override 

func NewUserPoolClient_Override(u UserPoolClient, scope constructs.Construct, id *string, props *UserPoolClientProps)

func NewUserPoolDomain_Override 

func NewUserPoolDomain_Override(u UserPoolDomain, scope constructs.Construct, id *string, props *UserPoolDomainProps)

func NewUserPoolEmail_Override 

func NewUserPoolEmail_Override(u UserPoolEmail)

func NewUserPoolIdentityProviderAmazon_Override 

func NewUserPoolIdentityProviderAmazon_Override(u UserPoolIdentityProviderAmazon, scope constructs.Construct, id *string, props *UserPoolIdentityProviderAmazonProps)

func NewUserPoolIdentityProviderApple_Override 

func NewUserPoolIdentityProviderApple_Override(u UserPoolIdentityProviderApple, scope constructs.Construct, id *string, props *UserPoolIdentityProviderAppleProps)

func NewUserPoolIdentityProviderFacebook_Override 

func NewUserPoolIdentityProviderFacebook_Override(u UserPoolIdentityProviderFacebook, scope constructs.Construct, id *string, props *UserPoolIdentityProviderFacebookProps)

func NewUserPoolIdentityProviderGoogle_Override 

func NewUserPoolIdentityProviderGoogle_Override(u UserPoolIdentityProviderGoogle, scope constructs.Construct, id *string, props *UserPoolIdentityProviderGoogleProps)

func NewUserPoolIdentityProviderOidc_Override added in v2.27.0 

func NewUserPoolIdentityProviderOidc_Override(u UserPoolIdentityProviderOidc, scope constructs.Construct, id *string, props *UserPoolIdentityProviderOidcProps)

func NewUserPoolResourceServer_Override 

func NewUserPoolResourceServer_Override(u UserPoolResourceServer, scope constructs.Construct, id *string, props *UserPoolResourceServerProps)

func NewUserPool_Override 

func NewUserPool_Override(u UserPool, scope constructs.Construct, id *string, props *UserPoolProps)

func UserPoolClient_IsConstruct 

func UserPoolClient_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead.

Returns: true if `x` is an object created from a class which extends `Construct`.

func UserPoolClient_IsResource 

func UserPoolClient_IsResource(construct constructs.IConstruct) *bool

Check whether the given construct is a Resource.

func UserPoolDomain_IsConstruct 

func UserPoolDomain_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead.

Returns: true if `x` is an object created from a class which extends `Construct`.

func UserPoolDomain_IsResource 

func UserPoolDomain_IsResource(construct constructs.IConstruct) *bool

Check whether the given construct is a Resource.

func UserPoolIdentityProviderAmazon_IsConstruct 

func UserPoolIdentityProviderAmazon_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead.

Returns: true if `x` is an object created from a class which extends `Construct`.

func UserPoolIdentityProviderAmazon_IsResource 

func UserPoolIdentityProviderAmazon_IsResource(construct constructs.IConstruct) *bool

Check whether the given construct is a Resource.

func UserPoolIdentityProviderApple_IsConstruct 

func UserPoolIdentityProviderApple_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead.

Returns: true if `x` is an object created from a class which extends `Construct`.

func UserPoolIdentityProviderApple_IsResource 

func UserPoolIdentityProviderApple_IsResource(construct constructs.IConstruct) *bool

Check whether the given construct is a Resource.

func UserPoolIdentityProviderFacebook_IsConstruct 

func UserPoolIdentityProviderFacebook_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead.

Returns: true if `x` is an object created from a class which extends `Construct`.

func UserPoolIdentityProviderFacebook_IsResource 

func UserPoolIdentityProviderFacebook_IsResource(construct constructs.IConstruct) *bool

Check whether the given construct is a Resource.

func UserPoolIdentityProviderGoogle_IsConstruct 

func UserPoolIdentityProviderGoogle_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead.

Returns: true if `x` is an object created from a class which extends `Construct`.

func UserPoolIdentityProviderGoogle_IsResource 

func UserPoolIdentityProviderGoogle_IsResource(construct constructs.IConstruct) *bool

Check whether the given construct is a Resource.

func UserPoolIdentityProviderOidc_IsConstruct added in v2.27.0 

func UserPoolIdentityProviderOidc_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead.

Returns: true if `x` is an object created from a class which extends `Construct`.

func UserPoolIdentityProviderOidc_IsResource added in v2.27.0 

func UserPoolIdentityProviderOidc_IsResource(construct constructs.IConstruct) *bool

Check whether the given construct is a Resource.

func UserPoolResourceServer_IsConstruct 

func UserPoolResourceServer_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead.

Returns: true if `x` is an object created from a class which extends `Construct`.

func UserPoolResourceServer_IsResource 

func UserPoolResourceServer_IsResource(construct constructs.IConstruct) *bool

Check whether the given construct is a Resource.

func UserPool_IsConstruct 

func UserPool_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Use this method instead of `instanceof` to properly detect `Construct` instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the `constructs` library on disk are seen as independent, completely different libraries. As a consequence, the class `Construct` in each copy of the `constructs` library is seen as a different class, and an instance of one class will not test as `instanceof` the other class. `npm install` will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the `constructs` library can be accidentally installed, and `instanceof` will behave unpredictably. It is safest to avoid using `instanceof`, and using this type-testing method instead.

Returns: true if `x` is an object created from a class which extends `Construct`.

func UserPool_IsResource 

func UserPool_IsResource(construct constructs.IConstruct) *bool

Check whether the given construct is a Resource.

Types

type AccountRecovery 

type AccountRecovery string

How will a user be able to recover their account?

When a user forgets their password, they can have a code sent to their verified email or verified phone to recover their account. You can choose the preferred way to send codes below. We recommend not allowing phone to be used for both password resets and multi-factor authentication (MFA).

Example: 

cognito.NewUserPool(this, jsii.String("UserPool"), &userPoolProps{
	// ...
	accountRecovery: cognito.accountRecovery_EMAIL_ONLY,
})

See: https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-recover-a-user-account.html 

const (
	// Email if available, otherwise phone, but don’t allow a user to reset their password via phone if they are also using it for MFA.
	AccountRecovery_EMAIL_AND_PHONE_WITHOUT_MFA AccountRecovery = "EMAIL_AND_PHONE_WITHOUT_MFA"
	// Phone if available, otherwise email, but don’t allow a user to reset their password via phone if they are also using it for MFA.
	AccountRecovery_PHONE_WITHOUT_MFA_AND_EMAIL AccountRecovery = "PHONE_WITHOUT_MFA_AND_EMAIL"
	// Email only.
	AccountRecovery_EMAIL_ONLY AccountRecovery = "EMAIL_ONLY"
	// Phone only, but don’t allow a user to reset their password via phone if they are also using it for MFA.
	AccountRecovery_PHONE_ONLY_WITHOUT_MFA AccountRecovery = "PHONE_ONLY_WITHOUT_MFA"
	// (Not Recommended) Phone if available, otherwise email, and do allow a user to reset their password via phone if they are also using it for MFA.
	AccountRecovery_PHONE_AND_EMAIL AccountRecovery = "PHONE_AND_EMAIL"
	// None – users will have to contact an administrator to reset their passwords.
	AccountRecovery_NONE AccountRecovery = "NONE"
)

type AttributeMapping 

type AttributeMapping struct {
	// The user's postal address is a required attribute.
	Address ProviderAttribute `field:"optional" json:"address" yaml:"address"`
	// The user's birthday.
	Birthdate ProviderAttribute `field:"optional" json:"birthdate" yaml:"birthdate"`
	// Specify custom attribute mapping here and mapping for any standard attributes not supported yet.
	Custom *map[string]ProviderAttribute `field:"optional" json:"custom" yaml:"custom"`
	// The user's e-mail address.
	Email ProviderAttribute `field:"optional" json:"email" yaml:"email"`
	// The surname or last name of user.
	FamilyName ProviderAttribute `field:"optional" json:"familyName" yaml:"familyName"`
	// The user's full name in displayable form.
	Fullname ProviderAttribute `field:"optional" json:"fullname" yaml:"fullname"`
	// The user's gender.
	Gender ProviderAttribute `field:"optional" json:"gender" yaml:"gender"`
	// The user's first name or give name.
	GivenName ProviderAttribute `field:"optional" json:"givenName" yaml:"givenName"`
	// Time, the user's information was last updated.
	LastUpdateTime ProviderAttribute `field:"optional" json:"lastUpdateTime" yaml:"lastUpdateTime"`
	// The user's locale.
	Locale ProviderAttribute `field:"optional" json:"locale" yaml:"locale"`
	// The user's middle name.
	MiddleName ProviderAttribute `field:"optional" json:"middleName" yaml:"middleName"`
	// The user's nickname or casual name.
	Nickname ProviderAttribute `field:"optional" json:"nickname" yaml:"nickname"`
	// The user's telephone number.
	PhoneNumber ProviderAttribute `field:"optional" json:"phoneNumber" yaml:"phoneNumber"`
	// The user's preferred username.
	PreferredUsername ProviderAttribute `field:"optional" json:"preferredUsername" yaml:"preferredUsername"`
	// The URL to the user's profile page.
	ProfilePage ProviderAttribute `field:"optional" json:"profilePage" yaml:"profilePage"`
	// The URL to the user's profile picture.
	ProfilePicture ProviderAttribute `field:"optional" json:"profilePicture" yaml:"profilePicture"`
	// The user's time zone.
	Timezone ProviderAttribute `field:"optional" json:"timezone" yaml:"timezone"`
	// The URL to the user's web page or blog.
	Website ProviderAttribute `field:"optional" json:"website" yaml:"website"`
}

The mapping of user pool attributes to the attributes provided by the identity providers.

Example: 

userpool := cognito.NewUserPool(this, jsii.String("Pool"))

cognito.NewUserPoolIdentityProviderAmazon(this, jsii.String("Amazon"), &userPoolIdentityProviderAmazonProps{
	clientId: jsii.String("amzn-client-id"),
	clientSecret: jsii.String("amzn-client-secret"),
	userPool: userpool,
	attributeMapping: &attributeMapping{
		email: cognito.providerAttribute_AMAZON_EMAIL(),
		website: cognito.*providerAttribute.other(jsii.String("url")),
		 // use other() when an attribute is not pre-defined in the CDK
		custom: map[string]*providerAttribute{
			// custom user pool attributes go here
			"uniqueId": cognito.*providerAttribute_AMAZON_USER_ID(),
		},
	},
})

type AuthFlow 

type AuthFlow struct {
	// Enable admin based user password authentication flow.
	AdminUserPassword *bool `field:"optional" json:"adminUserPassword" yaml:"adminUserPassword"`
	// Enable custom authentication flow.
	Custom *bool `field:"optional" json:"custom" yaml:"custom"`
	// Enable auth using username & password.
	UserPassword *bool `field:"optional" json:"userPassword" yaml:"userPassword"`
	// Enable SRP based authentication.
	UserSrp *bool `field:"optional" json:"userSrp" yaml:"userSrp"`
}

Types of authentication flow.

Example: 

pool := cognito.NewUserPool(this, jsii.String("pool"))
pool.addClient(jsii.String("app-client"), &userPoolClientOptions{
	authFlows: &authFlow{
		userPassword: jsii.Boolean(true),
		userSrp: jsii.Boolean(true),
	},
})

See: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html

type AutoVerifiedAttrs 

type AutoVerifiedAttrs struct {
	// Whether the email address of the user should be auto verified at sign up.
	//
	// Note: If both `email` and `phone` is set, Cognito only verifies the phone number. To also verify email, see here -
	// https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html
	Email *bool `field:"optional" json:"email" yaml:"email"`
	// Whether the phone number of the user should be auto verified at sign up.
	Phone *bool `field:"optional" json:"phone" yaml:"phone"`
}

Attributes that can be automatically verified for users in a user pool.

Example: 

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	// ...
	signInAliases: &signInAliases{
		username: jsii.Boolean(true),
		email: jsii.Boolean(true),
	},
	autoVerify: &autoVerifiedAttrs{
		email: jsii.Boolean(true),
		phone: jsii.Boolean(true),
	},
})

type BaseUrlOptions added in v2.24.0 

type BaseUrlOptions struct {
	// Whether to return the FIPS-compliant endpoint.
	Fips *bool `field:"optional" json:"fips" yaml:"fips"`
}

Options to customize the behaviour of `baseUrl()`.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

baseUrlOptions := &baseUrlOptions{
	fips: jsii.Boolean(false),
}

type BooleanAttribute 

type BooleanAttribute interface {
	ICustomAttribute
	// Bind this custom attribute type to the values as expected by CloudFormation.
	Bind() *CustomAttributeConfig
}

The Boolean custom attribute type.

Example: 

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	standardAttributes: &standardAttributes{
		fullname: &standardAttribute{
			required: jsii.Boolean(true),
			mutable: jsii.Boolean(false),
		},
		address: &standardAttribute{
			required: jsii.Boolean(false),
			mutable: jsii.Boolean(true),
		},
	},
	customAttributes: map[string]iCustomAttribute{
		"myappid": cognito.NewStringAttribute(&StringAttributeProps{
			"minLen": jsii.Number(5),
			"maxLen": jsii.Number(15),
			"mutable": jsii.Boolean(false),
		}),
		"callingcode": cognito.NewNumberAttribute(&NumberAttributeProps{
			"min": jsii.Number(1),
			"max": jsii.Number(3),
			"mutable": jsii.Boolean(true),
		}),
		"isEmployee": cognito.NewBooleanAttribute(&CustomAttributeProps{
			"mutable": jsii.Boolean(true),
		}),
		"joinedOn": cognito.NewDateTimeAttribute(),
	},
})

func NewBooleanAttribute 

func NewBooleanAttribute(props *CustomAttributeProps) BooleanAttribute

type CfnIdentityPool 

type CfnIdentityPool interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// Enables the Basic (Classic) authentication flow.
	AllowClassicFlow() interface{}
	SetAllowClassicFlow(val interface{})
	// Specifies whether the identity pool supports unauthenticated logins.
	AllowUnauthenticatedIdentities() interface{}
	SetAllowUnauthenticatedIdentities(val interface{})
	// The name of the Amazon Cognito identity pool, returned as a string.
	AttrName() *string
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// The events to configure.
	CognitoEvents() interface{}
	SetCognitoEvents(val interface{})
	// The Amazon Cognito user pools and their client IDs.
	CognitoIdentityProviders() interface{}
	SetCognitoIdentityProviders(val interface{})
	// Configuration options for configuring Amazon Cognito streams.
	CognitoStreams() interface{}
	SetCognitoStreams(val interface{})
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// The "domain" Amazon Cognito uses when referencing your users.
	//
	// This name acts as a placeholder that allows your backend and the Amazon Cognito service to communicate about the developer provider. For the `DeveloperProviderName` , you can use letters and periods (.), underscores (_), and dashes (-).
	//
	// *Minimum length* : 1
	//
	// *Maximum length* : 100.
	DeveloperProviderName() *string
	SetDeveloperProviderName(val *string)
	// The name of your Amazon Cognito identity pool.
	//
	// *Minimum length* : 1
	//
	// *Maximum length* : 128
	//
	// *Pattern* : `[\w\s+=,.@-]+`
	IdentityPoolName() *string
	SetIdentityPoolName(val *string)
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// The tree node.
	Node() constructs.Node
	// The Amazon Resource Names (ARNs) of the OpenID connect providers.
	OpenIdConnectProviderArns() *[]*string
	SetOpenIdConnectProviderArns(val *[]*string)
	// The configuration options to be applied to the identity pool.
	PushSync() interface{}
	SetPushSync(val interface{})
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// The Amazon Resource Names (ARNs) of the Security Assertion Markup Language (SAML) providers.
	SamlProviderArns() *[]*string
	SetSamlProviderArns(val *[]*string)
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// Key-value pairs that map provider names to provider app IDs.
	SupportedLoginProviders() interface{}
	SetSupportedLoginProviders(val interface{})
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// “`typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// “`
	// would add the overrides
	// “`json
	// "Properties": {
	//    "GlobalSecondaryIndexes": [
	//      {
	//        "Projection": {
	//          "NonKeyAttributes": [ "myattribute" ]
	//          ...
	//        }
	//        ...
	//      },
	//      {
	//        "ProjectionType": "INCLUDE"
	//        ...
	//      },
	//    ]
	//    ...
	// }
	// “`
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found in the following link:.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for an runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string) awscdk.Reference
	// Retrieve a value value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` is the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::Cognito::IdentityPool`.

The `AWS::Cognito::IdentityPool` resource creates an Amazon Cognito identity pool.

To avoid deleting the resource accidentally from AWS CloudFormation , use [DeletionPolicy Attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html) and the [UpdateReplacePolicy Attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-updatereplacepolicy.html) to retain the resource on deletion or replacement.

Example: 

import cognito "github.com/aws/aws-cdk-go/awscdk"

var myProvider openIdConnectProvider

cognito.NewCfnIdentityPool(this, jsii.String("IdentityPool"), &cfnIdentityPoolProps{
	openIdConnectProviderArns: []*string{
		myProvider.openIdConnectProviderArn,
	},
	// And the other properties for your identity pool
	allowUnauthenticatedIdentities: jsii.Boolean(false),
})

func NewCfnIdentityPool 

func NewCfnIdentityPool(scope constructs.Construct, id *string, props *CfnIdentityPoolProps) CfnIdentityPool

Create a new `AWS::Cognito::IdentityPool`.

type CfnIdentityPoolProps 

type CfnIdentityPoolProps struct {
	// Specifies whether the identity pool supports unauthenticated logins.
	AllowUnauthenticatedIdentities interface{} `field:"required" json:"allowUnauthenticatedIdentities" yaml:"allowUnauthenticatedIdentities"`
	// Enables the Basic (Classic) authentication flow.
	AllowClassicFlow interface{} `field:"optional" json:"allowClassicFlow" yaml:"allowClassicFlow"`
	// The events to configure.
	CognitoEvents interface{} `field:"optional" json:"cognitoEvents" yaml:"cognitoEvents"`
	// The Amazon Cognito user pools and their client IDs.
	CognitoIdentityProviders interface{} `field:"optional" json:"cognitoIdentityProviders" yaml:"cognitoIdentityProviders"`
	// Configuration options for configuring Amazon Cognito streams.
	CognitoStreams interface{} `field:"optional" json:"cognitoStreams" yaml:"cognitoStreams"`
	// The "domain" Amazon Cognito uses when referencing your users.
	//
	// This name acts as a placeholder that allows your backend and the Amazon Cognito service to communicate about the developer provider. For the `DeveloperProviderName` , you can use letters and periods (.), underscores (_), and dashes (-).
	//
	// *Minimum length* : 1
	//
	// *Maximum length* : 100.
	DeveloperProviderName *string `field:"optional" json:"developerProviderName" yaml:"developerProviderName"`
	// The name of your Amazon Cognito identity pool.
	//
	// *Minimum length* : 1
	//
	// *Maximum length* : 128
	//
	// *Pattern* : `[\w\s+=,.@-]+`
	IdentityPoolName *string `field:"optional" json:"identityPoolName" yaml:"identityPoolName"`
	// The Amazon Resource Names (ARNs) of the OpenID connect providers.
	OpenIdConnectProviderArns *[]*string `field:"optional" json:"openIdConnectProviderArns" yaml:"openIdConnectProviderArns"`
	// The configuration options to be applied to the identity pool.
	PushSync interface{} `field:"optional" json:"pushSync" yaml:"pushSync"`
	// The Amazon Resource Names (ARNs) of the Security Assertion Markup Language (SAML) providers.
	SamlProviderArns *[]*string `field:"optional" json:"samlProviderArns" yaml:"samlProviderArns"`
	// Key-value pairs that map provider names to provider app IDs.
	SupportedLoginProviders interface{} `field:"optional" json:"supportedLoginProviders" yaml:"supportedLoginProviders"`
}

Properties for defining a `CfnIdentityPool`.

Example: 

import cognito "github.com/aws/aws-cdk-go/awscdk"

var myProvider openIdConnectProvider

cognito.NewCfnIdentityPool(this, jsii.String("IdentityPool"), &cfnIdentityPoolProps{
	openIdConnectProviderArns: []*string{
		myProvider.openIdConnectProviderArn,
	},
	// And the other properties for your identity pool
	allowUnauthenticatedIdentities: jsii.Boolean(false),
})

type CfnIdentityPoolRoleAttachment 

type CfnIdentityPoolRoleAttachment interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// An identity pool ID in the format `REGION:GUID` .
	IdentityPoolId() *string
	SetIdentityPoolId(val *string)
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// The tree node.
	Node() constructs.Node
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// How users for a specific identity provider are mapped to roles.
	//
	// This is a string to the `RoleMapping` object map. The string identifies the identity provider. For example: `graph.facebook.com` or `cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id` .
	//
	// If the `IdentityProvider` field isn't provided in this object, the string is used as the identity provider name.
	//
	// For more information, see the [RoleMapping property](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-rolemapping.html) .
	RoleMappings() interface{}
	SetRoleMappings(val interface{})
	// The map of the roles associated with this pool.
	//
	// For a given role, the key is either "authenticated" or "unauthenticated". The value is the role ARN.
	Roles() interface{}
	SetRoles(val interface{})
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// “`typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// “`
	// would add the overrides
	// “`json
	// "Properties": {
	//    "GlobalSecondaryIndexes": [
	//      {
	//        "Projection": {
	//          "NonKeyAttributes": [ "myattribute" ]
	//          ...
	//        }
	//        ...
	//      },
	//      {
	//        "ProjectionType": "INCLUDE"
	//        ...
	//      },
	//    ]
	//    ...
	// }
	// “`
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found in the following link:.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for an runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string) awscdk.Reference
	// Retrieve a value value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` is the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::Cognito::IdentityPoolRoleAttachment`.

The `AWS::Cognito::IdentityPoolRoleAttachment` resource manages the role configuration for an Amazon Cognito identity pool.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var roles interface{}

cfnIdentityPoolRoleAttachment := awscdk.Aws_cognito.NewCfnIdentityPoolRoleAttachment(this, jsii.String("MyCfnIdentityPoolRoleAttachment"), &cfnIdentityPoolRoleAttachmentProps{
	identityPoolId: jsii.String("identityPoolId"),

	// the properties below are optional
	roleMappings: map[string]interface{}{
		"roleMappingsKey": &RoleMappingProperty{
			"type": jsii.String("type"),

			// the properties below are optional
			"ambiguousRoleResolution": jsii.String("ambiguousRoleResolution"),
			"identityProvider": jsii.String("identityProvider"),
			"rulesConfiguration": &RulesConfigurationTypeProperty{
				"rules": []interface{}{
					&MappingRuleProperty{
						"claim": jsii.String("claim"),
						"matchType": jsii.String("matchType"),
						"roleArn": jsii.String("roleArn"),
						"value": jsii.String("value"),
					},
				},
			},
		},
	},
	roles: roles,
})

func NewCfnIdentityPoolRoleAttachment 

func NewCfnIdentityPoolRoleAttachment(scope constructs.Construct, id *string, props *CfnIdentityPoolRoleAttachmentProps) CfnIdentityPoolRoleAttachment

Create a new `AWS::Cognito::IdentityPoolRoleAttachment`.

type CfnIdentityPoolRoleAttachmentProps 

type CfnIdentityPoolRoleAttachmentProps struct {
	// An identity pool ID in the format `REGION:GUID` .
	IdentityPoolId *string `field:"required" json:"identityPoolId" yaml:"identityPoolId"`
	// How users for a specific identity provider are mapped to roles.
	//
	// This is a string to the `RoleMapping` object map. The string identifies the identity provider. For example: `graph.facebook.com` or `cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id` .
	//
	// If the `IdentityProvider` field isn't provided in this object, the string is used as the identity provider name.
	//
	// For more information, see the [RoleMapping property](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-rolemapping.html) .
	RoleMappings interface{} `field:"optional" json:"roleMappings" yaml:"roleMappings"`
	// The map of the roles associated with this pool.
	//
	// For a given role, the key is either "authenticated" or "unauthenticated". The value is the role ARN.
	Roles interface{} `field:"optional" json:"roles" yaml:"roles"`
}

Properties for defining a `CfnIdentityPoolRoleAttachment`.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var roles interface{}

cfnIdentityPoolRoleAttachmentProps := &cfnIdentityPoolRoleAttachmentProps{
	identityPoolId: jsii.String("identityPoolId"),

	// the properties below are optional
	roleMappings: map[string]interface{}{
		"roleMappingsKey": &RoleMappingProperty{
			"type": jsii.String("type"),

			// the properties below are optional
			"ambiguousRoleResolution": jsii.String("ambiguousRoleResolution"),
			"identityProvider": jsii.String("identityProvider"),
			"rulesConfiguration": &RulesConfigurationTypeProperty{
				"rules": []interface{}{
					&MappingRuleProperty{
						"claim": jsii.String("claim"),
						"matchType": jsii.String("matchType"),
						"roleArn": jsii.String("roleArn"),
						"value": jsii.String("value"),
					},
				},
			},
		},
	},
	roles: roles,
}

type CfnIdentityPoolRoleAttachment_MappingRuleProperty 

type CfnIdentityPoolRoleAttachment_MappingRuleProperty struct {
	// The claim name that must be present in the token.
	//
	// For example: "isAdmin" or "paid".
	Claim *string `field:"required" json:"claim" yaml:"claim"`
	// The match condition that specifies how closely the claim value in the IdP token must match `Value` .
	//
	// Valid values are: `Equals` , `Contains` , `StartsWith` , and `NotEqual` .
	MatchType *string `field:"required" json:"matchType" yaml:"matchType"`
	// The Amazon Resource Name (ARN) of the role.
	RoleArn *string `field:"required" json:"roleArn" yaml:"roleArn"`
	// A brief string that the claim must match.
	//
	// For example, "paid" or "yes".
	Value *string `field:"required" json:"value" yaml:"value"`
}

Defines how to map a claim to a role ARN.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

mappingRuleProperty := &mappingRuleProperty{
	claim: jsii.String("claim"),
	matchType: jsii.String("matchType"),
	roleArn: jsii.String("roleArn"),
	value: jsii.String("value"),
}

type CfnIdentityPoolRoleAttachment_RoleMappingProperty 

type CfnIdentityPoolRoleAttachment_RoleMappingProperty struct {
	// The role-mapping type.
	//
	// `Token` uses `cognito:roles` and `cognito:preferred_role` claims from the Amazon Cognito identity provider token to map groups to roles. `Rules` attempts to match claims from the token to map to a role.
	//
	// Valid values are `Token` or `Rules` .
	Type *string `field:"required" json:"type" yaml:"type"`
	// Specifies the action to be taken if either no rules match the claim value for the Rules type, or there is no `cognito:preferred_role` claim and there are multiple `cognito:roles` matches for the Token type.
	//
	// If you specify Token or Rules as the Type, AmbiguousRoleResolution is required.
	//
	// Valid values are `AuthenticatedRole` or `Deny` .
	AmbiguousRoleResolution *string `field:"optional" json:"ambiguousRoleResolution" yaml:"ambiguousRoleResolution"`
	// Identifier for the identity provider for which the role is mapped.
	//
	// For example: `graph.facebook.com` or `cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id (http://cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id)` . This is the identity provider that is used by the user for authentication.
	//
	// If the identity provider property isn't provided, the key of the entry in the `RoleMappings` map is used as the identity provider.
	IdentityProvider *string `field:"optional" json:"identityProvider" yaml:"identityProvider"`
	// The rules to be used for mapping users to roles.
	//
	// If you specify "Rules" as the role-mapping type, RulesConfiguration is required.
	RulesConfiguration interface{} `field:"optional" json:"rulesConfiguration" yaml:"rulesConfiguration"`
}

`RoleMapping` is a property of the [AWS::Cognito::IdentityPoolRoleAttachment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html) resource that defines the role-mapping attributes of an Amazon Cognito identity pool.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

roleMappingProperty := &roleMappingProperty{
	type: jsii.String("type"),

	// the properties below are optional
	ambiguousRoleResolution: jsii.String("ambiguousRoleResolution"),
	identityProvider: jsii.String("identityProvider"),
	rulesConfiguration: &rulesConfigurationTypeProperty{
		rules: []interface{}{
			&mappingRuleProperty{
				claim: jsii.String("claim"),
				matchType: jsii.String("matchType"),
				roleArn: jsii.String("roleArn"),
				value: jsii.String("value"),
			},
		},
	},
}

type CfnIdentityPoolRoleAttachment_RulesConfigurationTypeProperty 

type CfnIdentityPoolRoleAttachment_RulesConfigurationTypeProperty struct {
	// The rules.
	//
	// You can specify up to 25 rules per identity provider.
	Rules interface{} `field:"required" json:"rules" yaml:"rules"`
}

`RulesConfigurationType` is a subproperty of the [RoleMapping](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-rolemapping.html) property that defines the rules to be used for mapping users to roles.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

rulesConfigurationTypeProperty := &rulesConfigurationTypeProperty{
	rules: []interface{}{
		&mappingRuleProperty{
			claim: jsii.String("claim"),
			matchType: jsii.String("matchType"),
			roleArn: jsii.String("roleArn"),
			value: jsii.String("value"),
		},
	},
}

type CfnIdentityPool_CognitoIdentityProviderProperty 

type CfnIdentityPool_CognitoIdentityProviderProperty struct {
	// The client ID for the Amazon Cognito user pool.
	ClientId *string `field:"optional" json:"clientId" yaml:"clientId"`
	// The provider name for an Amazon Cognito user pool.
	//
	// For example: `cognito-idp.us-east-2.amazonaws.com/us-east-2_123456789` .
	ProviderName *string `field:"optional" json:"providerName" yaml:"providerName"`
	// TRUE if server-side token validation is enabled for the identity provider’s token.
	//
	// After you set the `ServerSideTokenCheck` to TRUE for an identity pool, that identity pool checks with the integrated user pools to make sure the user has not been globally signed out or deleted before the identity pool provides an OIDC token or AWS credentials for the user.
	//
	// If the user is signed out or deleted, the identity pool returns a 400 Not Authorized error.
	ServerSideTokenCheck interface{} `field:"optional" json:"serverSideTokenCheck" yaml:"serverSideTokenCheck"`
}

`CognitoIdentityProvider` is a property of the [AWS::Cognito::IdentityPool](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html) resource that represents an Amazon Cognito user pool and its client ID.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cognitoIdentityProviderProperty := &cognitoIdentityProviderProperty{
	clientId: jsii.String("clientId"),
	providerName: jsii.String("providerName"),
	serverSideTokenCheck: jsii.Boolean(false),
}

type CfnIdentityPool_CognitoStreamsProperty 

type CfnIdentityPool_CognitoStreamsProperty struct {
	// The Amazon Resource Name (ARN) of the role Amazon Cognito can assume to publish to the stream.
	//
	// This role must grant access to Amazon Cognito (cognito-sync) to invoke `PutRecord` on your Amazon Cognito stream.
	RoleArn *string `field:"optional" json:"roleArn" yaml:"roleArn"`
	// Status of the Amazon Cognito streams.
	//
	// Valid values are: `ENABLED` or `DISABLED` .
	StreamingStatus *string `field:"optional" json:"streamingStatus" yaml:"streamingStatus"`
	// The name of the Amazon Cognito stream to receive updates.
	//
	// This stream must be in the developer's account and in the same Region as the identity pool.
	StreamName *string `field:"optional" json:"streamName" yaml:"streamName"`
}

`CognitoStreams` is a property of the [AWS::Cognito::IdentityPool](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html) resource that defines configuration options for Amazon Cognito streams.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cognitoStreamsProperty := &cognitoStreamsProperty{
	roleArn: jsii.String("roleArn"),
	streamingStatus: jsii.String("streamingStatus"),
	streamName: jsii.String("streamName"),
}

type CfnIdentityPool_PushSyncProperty 

type CfnIdentityPool_PushSyncProperty struct {
	// The ARNs of the Amazon SNS platform applications that could be used by clients.
	ApplicationArns *[]*string `field:"optional" json:"applicationArns" yaml:"applicationArns"`
	// An IAM role configured to allow Amazon Cognito to call Amazon SNS on behalf of the developer.
	RoleArn *string `field:"optional" json:"roleArn" yaml:"roleArn"`
}

`PushSync` is a property of the [AWS::Cognito::IdentityPool](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html) resource that defines the configuration options to be applied to an Amazon Cognito identity pool.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

pushSyncProperty := &pushSyncProperty{
	applicationArns: []*string{
		jsii.String("applicationArns"),
	},
	roleArn: jsii.String("roleArn"),
}

type CfnUserPool 

type CfnUserPool interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// Use this setting to define which verified available method a user can use to recover their password when they call `ForgotPassword` .
	//
	// It allows you to define a preferred method when a user has more than one method available. With this setting, SMS does not qualify for a valid password recovery mechanism if the user also has SMS MFA enabled. In the absence of this setting, Cognito uses the legacy behavior to determine the recovery method where SMS is preferred over email.
	AccountRecoverySetting() interface{}
	SetAccountRecoverySetting(val interface{})
	// The configuration for creating a new user profile.
	AdminCreateUserConfig() interface{}
	SetAdminCreateUserConfig(val interface{})
	// Attributes supported as an alias for this user pool. Possible values: *phone_number* , *email* , or *preferred_username* .
	//
	// > This user pool property cannot be updated.
	AliasAttributes() *[]*string
	SetAliasAttributes(val *[]*string)
	// The Amazon Resource Name (ARN) of the user pool, such as `arn:aws:cognito-idp:us-east-1:123412341234:userpool/us-east-1_123412341` .
	AttrArn() *string
	// The provider name of the Amazon Cognito user pool, specified as a `String` .
	AttrProviderName() *string
	// The URL of the provider of the Amazon Cognito user pool, specified as a `String` .
	AttrProviderUrl() *string
	// The attributes to be auto-verified.
	//
	// Possible values: *email* , *phone_number* .
	AutoVerifiedAttributes() *[]*string
	SetAutoVerifiedAttributes(val *[]*string)
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// The device configuration.
	DeviceConfiguration() interface{}
	SetDeviceConfiguration(val interface{})
	// The email configuration of your user pool.
	//
	// The email configuration type sets your preferred sending method, AWS Region, and sender for messages from your user pool.
	EmailConfiguration() interface{}
	SetEmailConfiguration(val interface{})
	// A string representing the email verification message.
	//
	// EmailVerificationMessage is allowed only if [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is DEVELOPER.
	EmailVerificationMessage() *string
	SetEmailVerificationMessage(val *string)
	// A string representing the email verification subject.
	//
	// EmailVerificationSubject is allowed only if [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is DEVELOPER.
	EmailVerificationSubject() *string
	SetEmailVerificationSubject(val *string)
	// Enables MFA on a specified user pool.
	//
	// To disable all MFAs after it has been enabled, set MfaConfiguration to “OFF” and remove EnabledMfas. MFAs can only be all disabled if MfaConfiguration is OFF. Once SMS_MFA is enabled, SMS_MFA can only be disabled by setting MfaConfiguration to “OFF”. Can be one of the following values:
	//
	// - `SMS_MFA` - Enables SMS MFA for the user pool. SMS_MFA can only be enabled if SMS configuration is provided.
	// - `SOFTWARE_TOKEN_MFA` - Enables software token MFA for the user pool.
	//
	// Allowed values: `SMS_MFA` | `SOFTWARE_TOKEN_MFA`.
	EnabledMfas() *[]*string
	SetEnabledMfas(val *[]*string)
	// The Lambda trigger configuration information for the new user pool.
	//
	// > In a push model, event sources (such as Amazon S3 and custom applications) need permission to invoke a function. So you must make an extra call to add permission for these event sources to invoke your Lambda function.
	// >
	// > For more information on using the Lambda API to add permission, see [AddPermission](https://docs.aws.amazon.com/lambda/latest/dg/API_AddPermission.html) .
	// >
	// > For adding permission using the AWS CLI , see [add-permission](https://docs.aws.amazon.com/cli/latest/reference/lambda/add-permission.html) .
	LambdaConfig() interface{}
	SetLambdaConfig(val interface{})
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// The multi-factor (MFA) configuration. Valid values include:.
	//
	// - `OFF` MFA won't be used for any users.
	// - `ON` MFA is required for all users to sign in.
	// - `OPTIONAL` MFA will be required only for individual users who have an MFA factor activated.
	MfaConfiguration() *string
	SetMfaConfiguration(val *string)
	// The tree node.
	Node() constructs.Node
	// The policy associated with a user pool.
	Policies() interface{}
	SetPolicies(val interface{})
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// The schema attributes for the new user pool. These attributes can be standard or custom attributes.
	//
	// > During a user pool update, you can add new schema attributes but you cannot modify or delete an existing schema attribute.
	Schema() interface{}
	SetSchema(val interface{})
	// A string representing the SMS authentication message.
	SmsAuthenticationMessage() *string
	SetSmsAuthenticationMessage(val *string)
	// The SMS configuration with the settings that your Amazon Cognito user pool must use to send an SMS message from your AWS account through Amazon Simple Notification Service.
	//
	// To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account .
	SmsConfiguration() interface{}
	SetSmsConfiguration(val interface{})
	// A string representing the SMS verification message.
	SmsVerificationMessage() *string
	SetSmsVerificationMessage(val *string)
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// The tag keys and values to assign to the user pool.
	//
	// A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.
	Tags() awscdk.TagManager
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// The settings for updates to user attributes.
	//
	// These settings include the property `AttributesRequireVerificationBeforeUpdate` ,
	// a user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For
	// more information, see [Verifying updates to to email addresses and phone numbers](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates) .
	UserAttributeUpdateSettings() interface{}
	SetUserAttributeUpdateSettings(val interface{})
	// Determines whether email addresses or phone numbers can be specified as user names when a user signs up.
	//
	// Possible values: `phone_number` or `email` .
	//
	// This user pool property cannot be updated.
	UsernameAttributes() *[]*string
	SetUsernameAttributes(val *[]*string)
	// You can choose to set case sensitivity on the username input for the selected sign-in option.
	//
	// For example, when this is set to `False` , users will be able to sign in using either "username" or "Username". This configuration is immutable once it has been set.
	UsernameConfiguration() interface{}
	SetUsernameConfiguration(val interface{})
	// Enables advanced security risk detection.
	//
	// Set the key `AdvancedSecurityMode` to the value "AUDIT".
	UserPoolAddOns() interface{}
	SetUserPoolAddOns(val interface{})
	// A string used to name the user pool.
	UserPoolName() *string
	SetUserPoolName(val *string)
	// The template for the verification message that the user sees when the app requests permission to access the user's information.
	VerificationMessageTemplate() interface{}
	SetVerificationMessageTemplate(val interface{})
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// “`typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// “`
	// would add the overrides
	// “`json
	// "Properties": {
	//    "GlobalSecondaryIndexes": [
	//      {
	//        "Projection": {
	//          "NonKeyAttributes": [ "myattribute" ]
	//          ...
	//        }
	//        ...
	//      },
	//      {
	//        "ProjectionType": "INCLUDE"
	//        ...
	//      },
	//    ]
	//    ...
	// }
	// “`
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found in the following link:.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for an runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string) awscdk.Reference
	// Retrieve a value value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` is the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::Cognito::UserPool`.

The `AWS::Cognito::UserPool` resource creates an Amazon Cognito user pool. For more information on working with Amazon Cognito user pools, see [Amazon Cognito User Pools](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html) and [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) .

> If you don't specify a value for a parameter, Amazon Cognito sets it to a default value.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var userPoolTags interface{}

cfnUserPool := awscdk.Aws_cognito.NewCfnUserPool(this, jsii.String("MyCfnUserPool"), &cfnUserPoolProps{
	accountRecoverySetting: &accountRecoverySettingProperty{
		recoveryMechanisms: []interface{}{
			&recoveryOptionProperty{
				name: jsii.String("name"),
				priority: jsii.Number(123),
			},
		},
	},
	adminCreateUserConfig: &adminCreateUserConfigProperty{
		allowAdminCreateUserOnly: jsii.Boolean(false),
		inviteMessageTemplate: &inviteMessageTemplateProperty{
			emailMessage: jsii.String("emailMessage"),
			emailSubject: jsii.String("emailSubject"),
			smsMessage: jsii.String("smsMessage"),
		},
		unusedAccountValidityDays: jsii.Number(123),
	},
	aliasAttributes: []*string{
		jsii.String("aliasAttributes"),
	},
	autoVerifiedAttributes: []*string{
		jsii.String("autoVerifiedAttributes"),
	},
	deviceConfiguration: &deviceConfigurationProperty{
		challengeRequiredOnNewDevice: jsii.Boolean(false),
		deviceOnlyRememberedOnUserPrompt: jsii.Boolean(false),
	},
	emailConfiguration: &emailConfigurationProperty{
		configurationSet: jsii.String("configurationSet"),
		emailSendingAccount: jsii.String("emailSendingAccount"),
		from: jsii.String("from"),
		replyToEmailAddress: jsii.String("replyToEmailAddress"),
		sourceArn: jsii.String("sourceArn"),
	},
	emailVerificationMessage: jsii.String("emailVerificationMessage"),
	emailVerificationSubject: jsii.String("emailVerificationSubject"),
	enabledMfas: []*string{
		jsii.String("enabledMfas"),
	},
	lambdaConfig: &lambdaConfigProperty{
		createAuthChallenge: jsii.String("createAuthChallenge"),
		customEmailSender: &customEmailSenderProperty{
			lambdaArn: jsii.String("lambdaArn"),
			lambdaVersion: jsii.String("lambdaVersion"),
		},
		customMessage: jsii.String("customMessage"),
		customSmsSender: &customSMSSenderProperty{
			lambdaArn: jsii.String("lambdaArn"),
			lambdaVersion: jsii.String("lambdaVersion"),
		},
		defineAuthChallenge: jsii.String("defineAuthChallenge"),
		kmsKeyId: jsii.String("kmsKeyId"),
		postAuthentication: jsii.String("postAuthentication"),
		postConfirmation: jsii.String("postConfirmation"),
		preAuthentication: jsii.String("preAuthentication"),
		preSignUp: jsii.String("preSignUp"),
		preTokenGeneration: jsii.String("preTokenGeneration"),
		userMigration: jsii.String("userMigration"),
		verifyAuthChallengeResponse: jsii.String("verifyAuthChallengeResponse"),
	},
	mfaConfiguration: jsii.String("mfaConfiguration"),
	policies: &policiesProperty{
		passwordPolicy: &passwordPolicyProperty{
			minimumLength: jsii.Number(123),
			requireLowercase: jsii.Boolean(false),
			requireNumbers: jsii.Boolean(false),
			requireSymbols: jsii.Boolean(false),
			requireUppercase: jsii.Boolean(false),
			temporaryPasswordValidityDays: jsii.Number(123),
		},
	},
	schema: []interface{}{
		&schemaAttributeProperty{
			attributeDataType: jsii.String("attributeDataType"),
			developerOnlyAttribute: jsii.Boolean(false),
			mutable: jsii.Boolean(false),
			name: jsii.String("name"),
			numberAttributeConstraints: &numberAttributeConstraintsProperty{
				maxValue: jsii.String("maxValue"),
				minValue: jsii.String("minValue"),
			},
			required: jsii.Boolean(false),
			stringAttributeConstraints: &stringAttributeConstraintsProperty{
				maxLength: jsii.String("maxLength"),
				minLength: jsii.String("minLength"),
			},
		},
	},
	smsAuthenticationMessage: jsii.String("smsAuthenticationMessage"),
	smsConfiguration: &smsConfigurationProperty{
		externalId: jsii.String("externalId"),
		snsCallerArn: jsii.String("snsCallerArn"),
		snsRegion: jsii.String("snsRegion"),
	},
	smsVerificationMessage: jsii.String("smsVerificationMessage"),
	userAttributeUpdateSettings: &userAttributeUpdateSettingsProperty{
		attributesRequireVerificationBeforeUpdate: []*string{
			jsii.String("attributesRequireVerificationBeforeUpdate"),
		},
	},
	usernameAttributes: []*string{
		jsii.String("usernameAttributes"),
	},
	usernameConfiguration: &usernameConfigurationProperty{
		caseSensitive: jsii.Boolean(false),
	},
	userPoolAddOns: &userPoolAddOnsProperty{
		advancedSecurityMode: jsii.String("advancedSecurityMode"),
	},
	userPoolName: jsii.String("userPoolName"),
	userPoolTags: userPoolTags,
	verificationMessageTemplate: &verificationMessageTemplateProperty{
		defaultEmailOption: jsii.String("defaultEmailOption"),
		emailMessage: jsii.String("emailMessage"),
		emailMessageByLink: jsii.String("emailMessageByLink"),
		emailSubject: jsii.String("emailSubject"),
		emailSubjectByLink: jsii.String("emailSubjectByLink"),
		smsMessage: jsii.String("smsMessage"),
	},
})

func NewCfnUserPool 

func NewCfnUserPool(scope constructs.Construct, id *string, props *CfnUserPoolProps) CfnUserPool

Create a new `AWS::Cognito::UserPool`.

type CfnUserPoolClient 

type CfnUserPoolClient interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// The access token time limit.
	//
	// After this limit expires, your user can't use their access token. To specify the time unit for `AccessTokenValidity` as `seconds` , `minutes` , `hours` , or `days` , set a `TokenValidityUnits` value in your API request.
	//
	// For example, when you set `AccessTokenValidity` to `10` and `TokenValidityUnits` to `hours` , your user can authorize access with their access token for 10 hours.
	//
	// The default time unit for `AccessTokenValidity` in an API request is hours.
	AccessTokenValidity() *float64
	SetAccessTokenValidity(val *float64)
	// The allowed OAuth flows.
	//
	// - **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the `/oauth2/token` endpoint.
	// - **implicit** - Issue the access token (and, optionally, ID token, based on scopes) directly to your user.
	// - **client_credentials** - Issue the access token from the `/oauth2/token` endpoint directly to a non-person user using a combination of the client ID and client secret.
	AllowedOAuthFlows() *[]*string
	SetAllowedOAuthFlows(val *[]*string)
	// Set to true if the client is allowed to follow the OAuth protocol when interacting with Amazon Cognito user pools.
	AllowedOAuthFlowsUserPoolClient() interface{}
	SetAllowedOAuthFlowsUserPoolClient(val interface{})
	// The allowed OAuth scopes.
	//
	// Possible values provided by OAuth are `phone` , `email` , `openid` , and `profile` . Possible values provided by AWS are `aws.cognito.signin.user.admin` . Custom scopes created in Resource Servers are also supported.
	AllowedOAuthScopes() *[]*string
	SetAllowedOAuthScopes(val *[]*string)
	// The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint campaign.
	//
	// > In AWS Regions where Amazon Pinpoint isn't available, user pools only support sending events to Amazon Pinpoint projects in AWS Region us-east-1. In Regions where Amazon Pinpoint is available, user pools support sending events to Amazon Pinpoint projects within that same Region.
	AnalyticsConfiguration() interface{}
	SetAnalyticsConfiguration(val interface{})
	AttrClientSecret() *string
	AttrName() *string
	// A list of allowed redirect (callback) URLs for the IdPs.
	//
	// A redirect URI must:
	//
	// - Be an absolute URI.
	// - Be registered with the authorization server.
	// - Not include a fragment component.
	//
	// See [OAuth 2.0 - Redirection Endpoint](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6749#section-3.1.2) .
	//
	// Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only.
	//
	// App callback URLs such as myapp://example are also supported.
	CallbackUrLs() *[]*string
	SetCallbackUrLs(val *[]*string)
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// The client name for the user pool client you would like to create.
	ClientName() *string
	SetClientName(val *string)
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// The default redirect URI. Must be in the `CallbackURLs` list.
	//
	// A redirect URI must:
	//
	// - Be an absolute URI.
	// - Be registered with the authorization server.
	// - Not include a fragment component.
	//
	// See [OAuth 2.0 - Redirection Endpoint](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6749#section-3.1.2) .
	//
	// Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only.
	//
	// App callback URLs such as myapp://example are also supported.
	DefaultRedirectUri() *string
	SetDefaultRedirectUri(val *string)
	// `AWS::Cognito::UserPoolClient.EnablePropagateAdditionalUserContextData`.
	EnablePropagateAdditionalUserContextData() interface{}
	SetEnablePropagateAdditionalUserContextData(val interface{})
	// Activates or deactivates token revocation. For more information about revoking tokens, see [RevokeToken](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html) .
	//
	// If you don't include this parameter, token revocation is automatically activated for the new user pool client.
	EnableTokenRevocation() interface{}
	SetEnableTokenRevocation(val interface{})
	// The authentication flows that are supported by the user pool clients.
	//
	// Flow names without the `ALLOW_` prefix are no longer supported, in favor of new names with the `ALLOW_` prefix.
	//
	// > Values with `ALLOW_` prefix must be used only along with the `ALLOW_` prefix.
	//
	// Valid values include:
	//
	// - `ALLOW_ADMIN_USER_PASSWORD_AUTH` : Enable admin based user password authentication flow `ADMIN_USER_PASSWORD_AUTH` . This setting replaces the `ADMIN_NO_SRP_AUTH` setting. With this authentication flow, Amazon Cognito receives the password in the request instead of using the Secure Remote Password (SRP) protocol to verify passwords.
	// - `ALLOW_CUSTOM_AUTH` : Enable AWS Lambda trigger based authentication.
	// - `ALLOW_USER_PASSWORD_AUTH` : Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords.
	// - `ALLOW_USER_SRP_AUTH` : Enable SRP-based authentication.
	// - `ALLOW_REFRESH_TOKEN_AUTH` : Enable authflow to refresh tokens.
	//
	// If you don't specify a value for `ExplicitAuthFlows` , your app client activates the `ALLOW_USER_SRP_AUTH` and `ALLOW_CUSTOM_AUTH` authentication flows.
	ExplicitAuthFlows() *[]*string
	SetExplicitAuthFlows(val *[]*string)
	// Boolean to specify whether you want to generate a secret for the user pool client being created.
	GenerateSecret() interface{}
	SetGenerateSecret(val interface{})
	// The ID token time limit.
	//
	// After this limit expires, your user can't use their ID token. To specify the time unit for `IdTokenValidity` as `seconds` , `minutes` , `hours` , or `days` , set a `TokenValidityUnits` value in your API request.
	//
	// For example, when you set `IdTokenValidity` as `10` and `TokenValidityUnits` as `hours` , your user can authenticate their session with their ID token for 10 hours.
	//
	// The default time unit for `AccessTokenValidity` in an API request is hours.
	IdTokenValidity() *float64
	SetIdTokenValidity(val *float64)
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// A list of allowed logout URLs for the IdPs.
	LogoutUrLs() *[]*string
	SetLogoutUrLs(val *[]*string)
	// The tree node.
	Node() constructs.Node
	// Use this setting to choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool.
	//
	// When set to `ENABLED` and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to `LEGACY` , those APIs will return a `UserNotFoundException` exception if the user does not exist in the user pool.
	PreventUserExistenceErrors() *string
	SetPreventUserExistenceErrors(val *string)
	// The read attributes.
	ReadAttributes() *[]*string
	SetReadAttributes(val *[]*string)
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// The refresh token time limit.
	//
	// After this limit expires, your user can't use their refresh token. To specify the time unit for `RefreshTokenValidity` as `seconds` , `minutes` , `hours` , or `days` , set a `TokenValidityUnits` value in your API request.
	//
	// For example, when you set `RefreshTokenValidity` as `10` and `TokenValidityUnits` as `days` , your user can refresh their session and retrieve new access and ID tokens for 10 days.
	//
	// The default time unit for `RefreshTokenValidity` in an API request is days. You can't set `RefreshTokenValidity` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days.
	RefreshTokenValidity() *float64
	SetRefreshTokenValidity(val *float64)
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// A list of provider names for the IdPs that this client supports.
	//
	// The following are supported: `COGNITO` , `Facebook` , `Google` `LoginWithAmazon` , and the names of your own SAML and OIDC providers.
	SupportedIdentityProviders() *[]*string
	SetSupportedIdentityProviders(val *[]*string)
	// The units in which the validity times are represented.
	//
	// The default unit for RefreshToken is days, and default for ID and access tokens are hours.
	TokenValidityUnits() interface{}
	SetTokenValidityUnits(val interface{})
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// The user pool ID for the user pool where you want to create a user pool client.
	UserPoolId() *string
	SetUserPoolId(val *string)
	// The user pool attributes that the app client can write to.
	//
	// If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see [Specifying IdP Attribute Mappings for Your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) .
	WriteAttributes() *[]*string
	SetWriteAttributes(val *[]*string)
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// “`typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// “`
	// would add the overrides
	// “`json
	// "Properties": {
	//    "GlobalSecondaryIndexes": [
	//      {
	//        "Projection": {
	//          "NonKeyAttributes": [ "myattribute" ]
	//          ...
	//        }
	//        ...
	//      },
	//      {
	//        "ProjectionType": "INCLUDE"
	//        ...
	//      },
	//    ]
	//    ...
	// }
	// “`
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found in the following link:.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for an runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string) awscdk.Reference
	// Retrieve a value value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` is the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::Cognito::UserPoolClient`.

The `AWS::Cognito::UserPoolClient` resource specifies an Amazon Cognito user pool client.

> If you don't specify a value for a parameter, Amazon Cognito sets it to a default value.

Example: 

import cognito "github.com/aws/aws-cdk-go/awscdk"
import ec2 "github.com/aws/aws-cdk-go/awscdk"
import elbv2 "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/constructs-go/constructs"
import actions "github.com/aws/aws-cdk-go/awscdk"

cognitoStack struct {
stack
}

lb := elbv2.NewApplicationLoadBalancer(this, jsii.String("LB"), &applicationLoadBalancerProps{
	vpc: vpc,
	internetFacing: jsii.Boolean(true),
})

userPool := cognito.NewUserPool(this, jsii.String("UserPool"))
userPoolClient := cognito.NewUserPoolClient(this, jsii.String("Client"), &userPoolClientProps{
	userPool: userPool,

	// Required minimal configuration for use with an ELB
	generateSecret: jsii.Boolean(true),
	authFlows: &authFlow{
		userPassword: jsii.Boolean(true),
	},
	oAuth: &oAuthSettings{
		flows: &oAuthFlows{
			authorizationCodeGrant: jsii.Boolean(true),
		},
		scopes: []oAuthScope{
			cognito.*oAuthScope_EMAIL(),
		},
		callbackUrls: []*string{
			fmt.Sprintf("https://%v/oauth2/idpresponse", lb.loadBalancerDnsName),
		},
	},
})
cfnClient := userPoolClient.node.defaultChild.(cfnUserPoolClient)
cfnClient.addPropertyOverride(jsii.String("RefreshTokenValidity"), jsii.Number(1))
cfnClient.addPropertyOverride(jsii.String("SupportedIdentityProviders"), []interface{}{
	jsii.String("COGNITO"),
})

userPoolDomain := cognito.NewUserPoolDomain(this, jsii.String("Domain"), &userPoolDomainProps{
	userPool: userPool,
	cognitoDomain: &cognitoDomainOptions{
		domainPrefix: jsii.String("test-cdk-prefix"),
	},
})

lb.addListener(jsii.String("Listener"), &baseApplicationListenerProps{
	port: jsii.Number(443),
	certificates: []iListenerCertificate{
		certificate,
	},
	defaultAction: actions.NewAuthenticateCognitoAction(&authenticateCognitoActionProps{
		userPool: userPool,
		userPoolClient: userPoolClient,
		userPoolDomain: userPoolDomain,
		next: elbv2.listenerAction.fixedResponse(jsii.Number(200), &fixedResponseOptions{
			contentType: jsii.String("text/plain"),
			messageBody: jsii.String("Authenticated"),
		}),
	}),
})

awscdk.NewCfnOutput(this, jsii.String("DNS"), &cfnOutputProps{
	value: lb.loadBalancerDnsName,
})

app := awscdk.NewApp()
NewCognitoStack(app, jsii.String("integ-cognito"))
app.synth()

func NewCfnUserPoolClient 

func NewCfnUserPoolClient(scope constructs.Construct, id *string, props *CfnUserPoolClientProps) CfnUserPoolClient

Create a new `AWS::Cognito::UserPoolClient`.

type CfnUserPoolClientProps 

type CfnUserPoolClientProps struct {
	// The user pool ID for the user pool where you want to create a user pool client.
	UserPoolId *string `field:"required" json:"userPoolId" yaml:"userPoolId"`
	// The access token time limit.
	//
	// After this limit expires, your user can't use their access token. To specify the time unit for `AccessTokenValidity` as `seconds` , `minutes` , `hours` , or `days` , set a `TokenValidityUnits` value in your API request.
	//
	// For example, when you set `AccessTokenValidity` to `10` and `TokenValidityUnits` to `hours` , your user can authorize access with their access token for 10 hours.
	//
	// The default time unit for `AccessTokenValidity` in an API request is hours.
	AccessTokenValidity *float64 `field:"optional" json:"accessTokenValidity" yaml:"accessTokenValidity"`
	// The allowed OAuth flows.
	//
	// - **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the `/oauth2/token` endpoint.
	// - **implicit** - Issue the access token (and, optionally, ID token, based on scopes) directly to your user.
	// - **client_credentials** - Issue the access token from the `/oauth2/token` endpoint directly to a non-person user using a combination of the client ID and client secret.
	AllowedOAuthFlows *[]*string `field:"optional" json:"allowedOAuthFlows" yaml:"allowedOAuthFlows"`
	// Set to true if the client is allowed to follow the OAuth protocol when interacting with Amazon Cognito user pools.
	AllowedOAuthFlowsUserPoolClient interface{} `field:"optional" json:"allowedOAuthFlowsUserPoolClient" yaml:"allowedOAuthFlowsUserPoolClient"`
	// The allowed OAuth scopes.
	//
	// Possible values provided by OAuth are `phone` , `email` , `openid` , and `profile` . Possible values provided by AWS are `aws.cognito.signin.user.admin` . Custom scopes created in Resource Servers are also supported.
	AllowedOAuthScopes *[]*string `field:"optional" json:"allowedOAuthScopes" yaml:"allowedOAuthScopes"`
	// The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint campaign.
	//
	// > In AWS Regions where Amazon Pinpoint isn't available, user pools only support sending events to Amazon Pinpoint projects in AWS Region us-east-1. In Regions where Amazon Pinpoint is available, user pools support sending events to Amazon Pinpoint projects within that same Region.
	AnalyticsConfiguration interface{} `field:"optional" json:"analyticsConfiguration" yaml:"analyticsConfiguration"`
	// A list of allowed redirect (callback) URLs for the IdPs.
	//
	// A redirect URI must:
	//
	// - Be an absolute URI.
	// - Be registered with the authorization server.
	// - Not include a fragment component.
	//
	// See [OAuth 2.0 - Redirection Endpoint](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6749#section-3.1.2) .
	//
	// Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only.
	//
	// App callback URLs such as myapp://example are also supported.
	CallbackUrLs *[]*string `field:"optional" json:"callbackUrLs" yaml:"callbackUrLs"`
	// The client name for the user pool client you would like to create.
	ClientName *string `field:"optional" json:"clientName" yaml:"clientName"`
	// The default redirect URI. Must be in the `CallbackURLs` list.
	//
	// A redirect URI must:
	//
	// - Be an absolute URI.
	// - Be registered with the authorization server.
	// - Not include a fragment component.
	//
	// See [OAuth 2.0 - Redirection Endpoint](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6749#section-3.1.2) .
	//
	// Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only.
	//
	// App callback URLs such as myapp://example are also supported.
	DefaultRedirectUri *string `field:"optional" json:"defaultRedirectUri" yaml:"defaultRedirectUri"`
	// `AWS::Cognito::UserPoolClient.EnablePropagateAdditionalUserContextData`.
	EnablePropagateAdditionalUserContextData interface{} `field:"optional" json:"enablePropagateAdditionalUserContextData" yaml:"enablePropagateAdditionalUserContextData"`
	// Activates or deactivates token revocation. For more information about revoking tokens, see [RevokeToken](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html) .
	//
	// If you don't include this parameter, token revocation is automatically activated for the new user pool client.
	EnableTokenRevocation interface{} `field:"optional" json:"enableTokenRevocation" yaml:"enableTokenRevocation"`
	// The authentication flows that are supported by the user pool clients.
	//
	// Flow names without the `ALLOW_` prefix are no longer supported, in favor of new names with the `ALLOW_` prefix.
	//
	// > Values with `ALLOW_` prefix must be used only along with the `ALLOW_` prefix.
	//
	// Valid values include:
	//
	// - `ALLOW_ADMIN_USER_PASSWORD_AUTH` : Enable admin based user password authentication flow `ADMIN_USER_PASSWORD_AUTH` . This setting replaces the `ADMIN_NO_SRP_AUTH` setting. With this authentication flow, Amazon Cognito receives the password in the request instead of using the Secure Remote Password (SRP) protocol to verify passwords.
	// - `ALLOW_CUSTOM_AUTH` : Enable AWS Lambda trigger based authentication.
	// - `ALLOW_USER_PASSWORD_AUTH` : Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords.
	// - `ALLOW_USER_SRP_AUTH` : Enable SRP-based authentication.
	// - `ALLOW_REFRESH_TOKEN_AUTH` : Enable authflow to refresh tokens.
	//
	// If you don't specify a value for `ExplicitAuthFlows` , your app client activates the `ALLOW_USER_SRP_AUTH` and `ALLOW_CUSTOM_AUTH` authentication flows.
	ExplicitAuthFlows *[]*string `field:"optional" json:"explicitAuthFlows" yaml:"explicitAuthFlows"`
	// Boolean to specify whether you want to generate a secret for the user pool client being created.
	GenerateSecret interface{} `field:"optional" json:"generateSecret" yaml:"generateSecret"`
	// The ID token time limit.
	//
	// After this limit expires, your user can't use their ID token. To specify the time unit for `IdTokenValidity` as `seconds` , `minutes` , `hours` , or `days` , set a `TokenValidityUnits` value in your API request.
	//
	// For example, when you set `IdTokenValidity` as `10` and `TokenValidityUnits` as `hours` , your user can authenticate their session with their ID token for 10 hours.
	//
	// The default time unit for `AccessTokenValidity` in an API request is hours.
	IdTokenValidity *float64 `field:"optional" json:"idTokenValidity" yaml:"idTokenValidity"`
	// A list of allowed logout URLs for the IdPs.
	LogoutUrLs *[]*string `field:"optional" json:"logoutUrLs" yaml:"logoutUrLs"`
	// Use this setting to choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool.
	//
	// When set to `ENABLED` and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to `LEGACY` , those APIs will return a `UserNotFoundException` exception if the user does not exist in the user pool.
	PreventUserExistenceErrors *string `field:"optional" json:"preventUserExistenceErrors" yaml:"preventUserExistenceErrors"`
	// The read attributes.
	ReadAttributes *[]*string `field:"optional" json:"readAttributes" yaml:"readAttributes"`
	// The refresh token time limit.
	//
	// After this limit expires, your user can't use their refresh token. To specify the time unit for `RefreshTokenValidity` as `seconds` , `minutes` , `hours` , or `days` , set a `TokenValidityUnits` value in your API request.
	//
	// For example, when you set `RefreshTokenValidity` as `10` and `TokenValidityUnits` as `days` , your user can refresh their session and retrieve new access and ID tokens for 10 days.
	//
	// The default time unit for `RefreshTokenValidity` in an API request is days. You can't set `RefreshTokenValidity` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days.
	RefreshTokenValidity *float64 `field:"optional" json:"refreshTokenValidity" yaml:"refreshTokenValidity"`
	// A list of provider names for the IdPs that this client supports.
	//
	// The following are supported: `COGNITO` , `Facebook` , `Google` `LoginWithAmazon` , and the names of your own SAML and OIDC providers.
	SupportedIdentityProviders *[]*string `field:"optional" json:"supportedIdentityProviders" yaml:"supportedIdentityProviders"`
	// The units in which the validity times are represented.
	//
	// The default unit for RefreshToken is days, and default for ID and access tokens are hours.
	TokenValidityUnits interface{} `field:"optional" json:"tokenValidityUnits" yaml:"tokenValidityUnits"`
	// The user pool attributes that the app client can write to.
	//
	// If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see [Specifying IdP Attribute Mappings for Your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) .
	WriteAttributes *[]*string `field:"optional" json:"writeAttributes" yaml:"writeAttributes"`
}

Properties for defining a `CfnUserPoolClient`.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolClientProps := &cfnUserPoolClientProps{
	userPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	accessTokenValidity: jsii.Number(123),
	allowedOAuthFlows: []*string{
		jsii.String("allowedOAuthFlows"),
	},
	allowedOAuthFlowsUserPoolClient: jsii.Boolean(false),
	allowedOAuthScopes: []*string{
		jsii.String("allowedOAuthScopes"),
	},
	analyticsConfiguration: &analyticsConfigurationProperty{
		applicationArn: jsii.String("applicationArn"),
		applicationId: jsii.String("applicationId"),
		externalId: jsii.String("externalId"),
		roleArn: jsii.String("roleArn"),
		userDataShared: jsii.Boolean(false),
	},
	callbackUrLs: []*string{
		jsii.String("callbackUrLs"),
	},
	clientName: jsii.String("clientName"),
	defaultRedirectUri: jsii.String("defaultRedirectUri"),
	enablePropagateAdditionalUserContextData: jsii.Boolean(false),
	enableTokenRevocation: jsii.Boolean(false),
	explicitAuthFlows: []*string{
		jsii.String("explicitAuthFlows"),
	},
	generateSecret: jsii.Boolean(false),
	idTokenValidity: jsii.Number(123),
	logoutUrLs: []*string{
		jsii.String("logoutUrLs"),
	},
	preventUserExistenceErrors: jsii.String("preventUserExistenceErrors"),
	readAttributes: []*string{
		jsii.String("readAttributes"),
	},
	refreshTokenValidity: jsii.Number(123),
	supportedIdentityProviders: []*string{
		jsii.String("supportedIdentityProviders"),
	},
	tokenValidityUnits: &tokenValidityUnitsProperty{
		accessToken: jsii.String("accessToken"),
		idToken: jsii.String("idToken"),
		refreshToken: jsii.String("refreshToken"),
	},
	writeAttributes: []*string{
		jsii.String("writeAttributes"),
	},
}

type CfnUserPoolClient_AnalyticsConfigurationProperty 

type CfnUserPoolClient_AnalyticsConfigurationProperty struct {
	// The Amazon Resource Name (ARN) of an Amazon Pinpoint project.
	//
	// You can use the Amazon Pinpoint project for integration with the chosen user pool client. Amazon Cognito publishes events to the Amazon Pinpoint project that the app ARN declares.
	ApplicationArn *string `field:"optional" json:"applicationArn" yaml:"applicationArn"`
	// The application ID for an Amazon Pinpoint application.
	ApplicationId *string `field:"optional" json:"applicationId" yaml:"applicationId"`
	// The external ID.
	ExternalId *string `field:"optional" json:"externalId" yaml:"externalId"`
	// The ARN of an AWS Identity and Access Management role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics.
	RoleArn *string `field:"optional" json:"roleArn" yaml:"roleArn"`
	// If `UserDataShared` is `true` , Amazon Cognito includes user data in the events that it publishes to Amazon Pinpoint analytics.
	UserDataShared interface{} `field:"optional" json:"userDataShared" yaml:"userDataShared"`
}

The Amazon Pinpoint analytics configuration necessary to collect metrics for a user pool.

> In Regions where Amazon Pinpointisn't available, user pools only support sending events to Amazon Pinpoint projects in us-east-1. In Regions where Amazon Pinpoint is available, user pools support sending events to Amazon Pinpoint projects within that same Region.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

analyticsConfigurationProperty := &analyticsConfigurationProperty{
	applicationArn: jsii.String("applicationArn"),
	applicationId: jsii.String("applicationId"),
	externalId: jsii.String("externalId"),
	roleArn: jsii.String("roleArn"),
	userDataShared: jsii.Boolean(false),
}

type CfnUserPoolClient_TokenValidityUnitsProperty 

type CfnUserPoolClient_TokenValidityUnitsProperty struct {
	// A time unit in “seconds”, “minutes”, “hours”, or “days” for the value in AccessTokenValidity, defaulting to hours.
	AccessToken *string `field:"optional" json:"accessToken" yaml:"accessToken"`
	// A time unit in “seconds”, “minutes”, “hours”, or “days” for the value in IdTokenValidity, defaulting to hours.
	IdToken *string `field:"optional" json:"idToken" yaml:"idToken"`
	// A time unit in “seconds”, “minutes”, “hours”, or “days” for the value in RefreshTokenValidity, defaulting to days.
	RefreshToken *string `field:"optional" json:"refreshToken" yaml:"refreshToken"`
}

The units in which the validity times are represented.

The default unit for RefreshToken is days, and the default for ID and access tokens is hours.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

tokenValidityUnitsProperty := &tokenValidityUnitsProperty{
	accessToken: jsii.String("accessToken"),
	idToken: jsii.String("idToken"),
	refreshToken: jsii.String("refreshToken"),
}

type CfnUserPoolDomain 

type CfnUserPoolDomain interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// The configuration for a custom domain that hosts the sign-up and sign-in pages for your application.
	//
	// Use this object to specify an SSL certificate that is managed by ACM.
	CustomDomainConfig() interface{}
	SetCustomDomainConfig(val interface{})
	// The domain name for the domain that hosts the sign-up and sign-in pages for your application.
	//
	// For example: `auth.example.com` . If you're using a prefix domain, this field denotes the first part of the domain before `.auth.[region].amazoncognito.com` .
	//
	// This string can include only lowercase letters, numbers, and hyphens. Don't use a hyphen for the first or last character. Use periods to separate subdomain names.
	Domain() *string
	SetDomain(val *string)
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// The tree node.
	Node() constructs.Node
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// The user pool ID for the user pool where you want to associate a user pool domain.
	UserPoolId() *string
	SetUserPoolId(val *string)
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// “`typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// “`
	// would add the overrides
	// “`json
	// "Properties": {
	//    "GlobalSecondaryIndexes": [
	//      {
	//        "Projection": {
	//          "NonKeyAttributes": [ "myattribute" ]
	//          ...
	//        }
	//        ...
	//      },
	//      {
	//        "ProjectionType": "INCLUDE"
	//        ...
	//      },
	//    ]
	//    ...
	// }
	// “`
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found in the following link:.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for an runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string) awscdk.Reference
	// Retrieve a value value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` is the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::Cognito::UserPoolDomain`.

The AWS::Cognito::UserPoolDomain resource creates a new domain for a user pool.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolDomain := awscdk.Aws_cognito.NewCfnUserPoolDomain(this, jsii.String("MyCfnUserPoolDomain"), &cfnUserPoolDomainProps{
	domain: jsii.String("domain"),
	userPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	customDomainConfig: &customDomainConfigTypeProperty{
		certificateArn: jsii.String("certificateArn"),
	},
})

func NewCfnUserPoolDomain 

func NewCfnUserPoolDomain(scope constructs.Construct, id *string, props *CfnUserPoolDomainProps) CfnUserPoolDomain

Create a new `AWS::Cognito::UserPoolDomain`.

type CfnUserPoolDomainProps 

type CfnUserPoolDomainProps struct {
	// The domain name for the domain that hosts the sign-up and sign-in pages for your application.
	//
	// For example: `auth.example.com` . If you're using a prefix domain, this field denotes the first part of the domain before `.auth.[region].amazoncognito.com` .
	//
	// This string can include only lowercase letters, numbers, and hyphens. Don't use a hyphen for the first or last character. Use periods to separate subdomain names.
	Domain *string `field:"required" json:"domain" yaml:"domain"`
	// The user pool ID for the user pool where you want to associate a user pool domain.
	UserPoolId *string `field:"required" json:"userPoolId" yaml:"userPoolId"`
	// The configuration for a custom domain that hosts the sign-up and sign-in pages for your application.
	//
	// Use this object to specify an SSL certificate that is managed by ACM.
	CustomDomainConfig interface{} `field:"optional" json:"customDomainConfig" yaml:"customDomainConfig"`
}

Properties for defining a `CfnUserPoolDomain`.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolDomainProps := &cfnUserPoolDomainProps{
	domain: jsii.String("domain"),
	userPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	customDomainConfig: &customDomainConfigTypeProperty{
		certificateArn: jsii.String("certificateArn"),
	},
}

type CfnUserPoolDomain_CustomDomainConfigTypeProperty 

type CfnUserPoolDomain_CustomDomainConfigTypeProperty struct {
	// The Amazon Resource Name (ARN) of an AWS Certificate Manager SSL certificate.
	//
	// You use this certificate for the subdomain of your custom domain.
	CertificateArn *string `field:"optional" json:"certificateArn" yaml:"certificateArn"`
}

The configuration for a custom domain that hosts the sign-up and sign-in webpages for your application.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

customDomainConfigTypeProperty := &customDomainConfigTypeProperty{
	certificateArn: jsii.String("certificateArn"),
}

type CfnUserPoolGroup 

type CfnUserPoolGroup interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// A string containing the description of the group.
	Description() *string
	SetDescription(val *string)
	// The name of the group.
	//
	// Must be unique.
	GroupName() *string
	SetGroupName(val *string)
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// The tree node.
	Node() constructs.Node
	// A non-negative integer value that specifies the precedence of this group relative to the other groups that a user can belong to in the user pool.
	//
	// Zero is the highest precedence value. Groups with lower `Precedence` values take precedence over groups with higher or null `Precedence` values. If a user belongs to two or more groups, it is the group with the lowest precedence value whose role ARN is given in the user's tokens for the `cognito:roles` and `cognito:preferred_role` claims.
	//
	// Two groups can have the same `Precedence` value. If this happens, neither group takes precedence over the other. If two groups with the same `Precedence` have the same role ARN, that role is used in the `cognito:preferred_role` claim in tokens for users in each group. If the two groups have different role ARNs, the `cognito:preferred_role` claim isn't set in users' tokens.
	//
	// The default `Precedence` value is null. The maximum `Precedence` value is `2^31-1` .
	Precedence() *float64
	SetPrecedence(val *float64)
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// The role Amazon Resource Name (ARN) for the group.
	RoleArn() *string
	SetRoleArn(val *string)
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// The user pool ID for the user pool.
	UserPoolId() *string
	SetUserPoolId(val *string)
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// “`typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// “`
	// would add the overrides
	// “`json
	// "Properties": {
	//    "GlobalSecondaryIndexes": [
	//      {
	//        "Projection": {
	//          "NonKeyAttributes": [ "myattribute" ]
	//          ...
	//        }
	//        ...
	//      },
	//      {
	//        "ProjectionType": "INCLUDE"
	//        ...
	//      },
	//    ]
	//    ...
	// }
	// “`
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found in the following link:.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for an runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string) awscdk.Reference
	// Retrieve a value value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` is the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::Cognito::UserPoolGroup`.

Specifies a new group in the identified user pool.

Calling this action requires developer credentials.

> If you don't specify a value for a parameter, Amazon Cognito sets it to a default value.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolGroup := awscdk.Aws_cognito.NewCfnUserPoolGroup(this, jsii.String("MyCfnUserPoolGroup"), &cfnUserPoolGroupProps{
	userPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	description: jsii.String("description"),
	groupName: jsii.String("groupName"),
	precedence: jsii.Number(123),
	roleArn: jsii.String("roleArn"),
})

func NewCfnUserPoolGroup 

func NewCfnUserPoolGroup(scope constructs.Construct, id *string, props *CfnUserPoolGroupProps) CfnUserPoolGroup

Create a new `AWS::Cognito::UserPoolGroup`.

type CfnUserPoolGroupProps 

type CfnUserPoolGroupProps struct {
	// The user pool ID for the user pool.
	UserPoolId *string `field:"required" json:"userPoolId" yaml:"userPoolId"`
	// A string containing the description of the group.
	Description *string `field:"optional" json:"description" yaml:"description"`
	// The name of the group.
	//
	// Must be unique.
	GroupName *string `field:"optional" json:"groupName" yaml:"groupName"`
	// A non-negative integer value that specifies the precedence of this group relative to the other groups that a user can belong to in the user pool.
	//
	// Zero is the highest precedence value. Groups with lower `Precedence` values take precedence over groups with higher or null `Precedence` values. If a user belongs to two or more groups, it is the group with the lowest precedence value whose role ARN is given in the user's tokens for the `cognito:roles` and `cognito:preferred_role` claims.
	//
	// Two groups can have the same `Precedence` value. If this happens, neither group takes precedence over the other. If two groups with the same `Precedence` have the same role ARN, that role is used in the `cognito:preferred_role` claim in tokens for users in each group. If the two groups have different role ARNs, the `cognito:preferred_role` claim isn't set in users' tokens.
	//
	// The default `Precedence` value is null. The maximum `Precedence` value is `2^31-1` .
	Precedence *float64 `field:"optional" json:"precedence" yaml:"precedence"`
	// The role Amazon Resource Name (ARN) for the group.
	RoleArn *string `field:"optional" json:"roleArn" yaml:"roleArn"`
}

Properties for defining a `CfnUserPoolGroup`.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolGroupProps := &cfnUserPoolGroupProps{
	userPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	description: jsii.String("description"),
	groupName: jsii.String("groupName"),
	precedence: jsii.Number(123),
	roleArn: jsii.String("roleArn"),
}

type CfnUserPoolIdentityProvider 

type CfnUserPoolIdentityProvider interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// A mapping of IdP attributes to standard and custom user pool attributes.
	AttributeMapping() interface{}
	SetAttributeMapping(val interface{})
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// A list of IdP identifiers.
	IdpIdentifiers() *[]*string
	SetIdpIdentifiers(val *[]*string)
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// The tree node.
	Node() constructs.Node
	// The IdP details. The following list describes the provider detail keys for each IdP type.
	//
	// - For Google and Login with Amazon:
	//
	// - client_id
	// - client_secret
	// - authorize_scopes
	// - For Facebook:
	//
	// - client_id
	// - client_secret
	// - authorize_scopes
	// - api_version
	// - For Sign in with Apple:
	//
	// - client_id
	// - team_id
	// - key_id
	// - private_key
	// - authorize_scopes
	// - For OpenID Connect (OIDC) providers:
	//
	// - client_id
	// - client_secret
	// - attributes_request_method
	// - oidc_issuer
	// - authorize_scopes
	// - The following keys are only present if Amazon Cognito didn't discover them at the `oidc_issuer` URL.
	//
	// - authorize_url
	// - token_url
	// - attributes_url
	// - jwks_uri
	// - Amazon Cognito sets the value of the following keys automatically. They are read-only.
	//
	// - attributes_url_add_attributes
	// - For SAML providers:
	//
	// - MetadataFile or MetadataURL
	// - IDPSignout *optional*.
	ProviderDetails() interface{}
	SetProviderDetails(val interface{})
	// The IdP name.
	ProviderName() *string
	SetProviderName(val *string)
	// The IdP type.
	ProviderType() *string
	SetProviderType(val *string)
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// The user pool ID.
	UserPoolId() *string
	SetUserPoolId(val *string)
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// “`typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// “`
	// would add the overrides
	// “`json
	// "Properties": {
	//    "GlobalSecondaryIndexes": [
	//      {
	//        "Projection": {
	//          "NonKeyAttributes": [ "myattribute" ]
	//          ...
	//        }
	//        ...
	//      },
	//      {
	//        "ProjectionType": "INCLUDE"
	//        ...
	//      },
	//    ]
	//    ...
	// }
	// “`
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found in the following link:.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for an runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string) awscdk.Reference
	// Retrieve a value value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` is the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::Cognito::UserPoolIdentityProvider`.

The `AWS::Cognito::UserPoolIdentityProvider` resource creates an identity provider for a user pool.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var attributeMapping interface{}
var providerDetails interface{}

cfnUserPoolIdentityProvider := awscdk.Aws_cognito.NewCfnUserPoolIdentityProvider(this, jsii.String("MyCfnUserPoolIdentityProvider"), &cfnUserPoolIdentityProviderProps{
	providerName: jsii.String("providerName"),
	providerType: jsii.String("providerType"),
	userPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	attributeMapping: attributeMapping,
	idpIdentifiers: []*string{
		jsii.String("idpIdentifiers"),
	},
	providerDetails: providerDetails,
})

func NewCfnUserPoolIdentityProvider 

func NewCfnUserPoolIdentityProvider(scope constructs.Construct, id *string, props *CfnUserPoolIdentityProviderProps) CfnUserPoolIdentityProvider

Create a new `AWS::Cognito::UserPoolIdentityProvider`.

type CfnUserPoolIdentityProviderProps 

type CfnUserPoolIdentityProviderProps struct {
	// The IdP name.
	ProviderName *string `field:"required" json:"providerName" yaml:"providerName"`
	// The IdP type.
	ProviderType *string `field:"required" json:"providerType" yaml:"providerType"`
	// The user pool ID.
	UserPoolId *string `field:"required" json:"userPoolId" yaml:"userPoolId"`
	// A mapping of IdP attributes to standard and custom user pool attributes.
	AttributeMapping interface{} `field:"optional" json:"attributeMapping" yaml:"attributeMapping"`
	// A list of IdP identifiers.
	IdpIdentifiers *[]*string `field:"optional" json:"idpIdentifiers" yaml:"idpIdentifiers"`
	// The IdP details. The following list describes the provider detail keys for each IdP type.
	//
	// - For Google and Login with Amazon:
	//
	// - client_id
	// - client_secret
	// - authorize_scopes
	// - For Facebook:
	//
	// - client_id
	// - client_secret
	// - authorize_scopes
	// - api_version
	// - For Sign in with Apple:
	//
	// - client_id
	// - team_id
	// - key_id
	// - private_key
	// - authorize_scopes
	// - For OpenID Connect (OIDC) providers:
	//
	// - client_id
	// - client_secret
	// - attributes_request_method
	// - oidc_issuer
	// - authorize_scopes
	// - The following keys are only present if Amazon Cognito didn't discover them at the `oidc_issuer` URL.
	//
	// - authorize_url
	// - token_url
	// - attributes_url
	// - jwks_uri
	// - Amazon Cognito sets the value of the following keys automatically. They are read-only.
	//
	// - attributes_url_add_attributes
	// - For SAML providers:
	//
	// - MetadataFile or MetadataURL
	// - IDPSignout *optional*.
	ProviderDetails interface{} `field:"optional" json:"providerDetails" yaml:"providerDetails"`
}

Properties for defining a `CfnUserPoolIdentityProvider`.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var attributeMapping interface{}
var providerDetails interface{}

cfnUserPoolIdentityProviderProps := &cfnUserPoolIdentityProviderProps{
	providerName: jsii.String("providerName"),
	providerType: jsii.String("providerType"),
	userPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	attributeMapping: attributeMapping,
	idpIdentifiers: []*string{
		jsii.String("idpIdentifiers"),
	},
	providerDetails: providerDetails,
}

type CfnUserPoolProps 

type CfnUserPoolProps struct {
	// Use this setting to define which verified available method a user can use to recover their password when they call `ForgotPassword` .
	//
	// It allows you to define a preferred method when a user has more than one method available. With this setting, SMS does not qualify for a valid password recovery mechanism if the user also has SMS MFA enabled. In the absence of this setting, Cognito uses the legacy behavior to determine the recovery method where SMS is preferred over email.
	AccountRecoverySetting interface{} `field:"optional" json:"accountRecoverySetting" yaml:"accountRecoverySetting"`
	// The configuration for creating a new user profile.
	AdminCreateUserConfig interface{} `field:"optional" json:"adminCreateUserConfig" yaml:"adminCreateUserConfig"`
	// Attributes supported as an alias for this user pool. Possible values: *phone_number* , *email* , or *preferred_username* .
	//
	// > This user pool property cannot be updated.
	AliasAttributes *[]*string `field:"optional" json:"aliasAttributes" yaml:"aliasAttributes"`
	// The attributes to be auto-verified.
	//
	// Possible values: *email* , *phone_number* .
	AutoVerifiedAttributes *[]*string `field:"optional" json:"autoVerifiedAttributes" yaml:"autoVerifiedAttributes"`
	// The device configuration.
	DeviceConfiguration interface{} `field:"optional" json:"deviceConfiguration" yaml:"deviceConfiguration"`
	// The email configuration of your user pool.
	//
	// The email configuration type sets your preferred sending method, AWS Region, and sender for messages from your user pool.
	EmailConfiguration interface{} `field:"optional" json:"emailConfiguration" yaml:"emailConfiguration"`
	// A string representing the email verification message.
	//
	// EmailVerificationMessage is allowed only if [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is DEVELOPER.
	EmailVerificationMessage *string `field:"optional" json:"emailVerificationMessage" yaml:"emailVerificationMessage"`
	// A string representing the email verification subject.
	//
	// EmailVerificationSubject is allowed only if [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is DEVELOPER.
	EmailVerificationSubject *string `field:"optional" json:"emailVerificationSubject" yaml:"emailVerificationSubject"`
	// Enables MFA on a specified user pool.
	//
	// To disable all MFAs after it has been enabled, set MfaConfiguration to “OFF” and remove EnabledMfas. MFAs can only be all disabled if MfaConfiguration is OFF. Once SMS_MFA is enabled, SMS_MFA can only be disabled by setting MfaConfiguration to “OFF”. Can be one of the following values:
	//
	// - `SMS_MFA` - Enables SMS MFA for the user pool. SMS_MFA can only be enabled if SMS configuration is provided.
	// - `SOFTWARE_TOKEN_MFA` - Enables software token MFA for the user pool.
	//
	// Allowed values: `SMS_MFA` | `SOFTWARE_TOKEN_MFA`.
	EnabledMfas *[]*string `field:"optional" json:"enabledMfas" yaml:"enabledMfas"`
	// The Lambda trigger configuration information for the new user pool.
	//
	// > In a push model, event sources (such as Amazon S3 and custom applications) need permission to invoke a function. So you must make an extra call to add permission for these event sources to invoke your Lambda function.
	// >
	// > For more information on using the Lambda API to add permission, see [AddPermission](https://docs.aws.amazon.com/lambda/latest/dg/API_AddPermission.html) .
	// >
	// > For adding permission using the AWS CLI , see [add-permission](https://docs.aws.amazon.com/cli/latest/reference/lambda/add-permission.html) .
	LambdaConfig interface{} `field:"optional" json:"lambdaConfig" yaml:"lambdaConfig"`
	// The multi-factor (MFA) configuration. Valid values include:.
	//
	// - `OFF` MFA won't be used for any users.
	// - `ON` MFA is required for all users to sign in.
	// - `OPTIONAL` MFA will be required only for individual users who have an MFA factor activated.
	MfaConfiguration *string `field:"optional" json:"mfaConfiguration" yaml:"mfaConfiguration"`
	// The policy associated with a user pool.
	Policies interface{} `field:"optional" json:"policies" yaml:"policies"`
	// The schema attributes for the new user pool. These attributes can be standard or custom attributes.
	//
	// > During a user pool update, you can add new schema attributes but you cannot modify or delete an existing schema attribute.
	Schema interface{} `field:"optional" json:"schema" yaml:"schema"`
	// A string representing the SMS authentication message.
	SmsAuthenticationMessage *string `field:"optional" json:"smsAuthenticationMessage" yaml:"smsAuthenticationMessage"`
	// The SMS configuration with the settings that your Amazon Cognito user pool must use to send an SMS message from your AWS account through Amazon Simple Notification Service.
	//
	// To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account .
	SmsConfiguration interface{} `field:"optional" json:"smsConfiguration" yaml:"smsConfiguration"`
	// A string representing the SMS verification message.
	SmsVerificationMessage *string `field:"optional" json:"smsVerificationMessage" yaml:"smsVerificationMessage"`
	// The settings for updates to user attributes.
	//
	// These settings include the property `AttributesRequireVerificationBeforeUpdate` ,
	// a user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For
	// more information, see [Verifying updates to to email addresses and phone numbers](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates) .
	UserAttributeUpdateSettings interface{} `field:"optional" json:"userAttributeUpdateSettings" yaml:"userAttributeUpdateSettings"`
	// Determines whether email addresses or phone numbers can be specified as user names when a user signs up.
	//
	// Possible values: `phone_number` or `email` .
	//
	// This user pool property cannot be updated.
	UsernameAttributes *[]*string `field:"optional" json:"usernameAttributes" yaml:"usernameAttributes"`
	// You can choose to set case sensitivity on the username input for the selected sign-in option.
	//
	// For example, when this is set to `False` , users will be able to sign in using either "username" or "Username". This configuration is immutable once it has been set.
	UsernameConfiguration interface{} `field:"optional" json:"usernameConfiguration" yaml:"usernameConfiguration"`
	// Enables advanced security risk detection.
	//
	// Set the key `AdvancedSecurityMode` to the value "AUDIT".
	UserPoolAddOns interface{} `field:"optional" json:"userPoolAddOns" yaml:"userPoolAddOns"`
	// A string used to name the user pool.
	UserPoolName *string `field:"optional" json:"userPoolName" yaml:"userPoolName"`
	// The tag keys and values to assign to the user pool.
	//
	// A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.
	UserPoolTags interface{} `field:"optional" json:"userPoolTags" yaml:"userPoolTags"`
	// The template for the verification message that the user sees when the app requests permission to access the user's information.
	VerificationMessageTemplate interface{} `field:"optional" json:"verificationMessageTemplate" yaml:"verificationMessageTemplate"`
}

Properties for defining a `CfnUserPool`.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var userPoolTags interface{}

cfnUserPoolProps := &cfnUserPoolProps{
	accountRecoverySetting: &accountRecoverySettingProperty{
		recoveryMechanisms: []interface{}{
			&recoveryOptionProperty{
				name: jsii.String("name"),
				priority: jsii.Number(123),
			},
		},
	},
	adminCreateUserConfig: &adminCreateUserConfigProperty{
		allowAdminCreateUserOnly: jsii.Boolean(false),
		inviteMessageTemplate: &inviteMessageTemplateProperty{
			emailMessage: jsii.String("emailMessage"),
			emailSubject: jsii.String("emailSubject"),
			smsMessage: jsii.String("smsMessage"),
		},
		unusedAccountValidityDays: jsii.Number(123),
	},
	aliasAttributes: []*string{
		jsii.String("aliasAttributes"),
	},
	autoVerifiedAttributes: []*string{
		jsii.String("autoVerifiedAttributes"),
	},
	deviceConfiguration: &deviceConfigurationProperty{
		challengeRequiredOnNewDevice: jsii.Boolean(false),
		deviceOnlyRememberedOnUserPrompt: jsii.Boolean(false),
	},
	emailConfiguration: &emailConfigurationProperty{
		configurationSet: jsii.String("configurationSet"),
		emailSendingAccount: jsii.String("emailSendingAccount"),
		from: jsii.String("from"),
		replyToEmailAddress: jsii.String("replyToEmailAddress"),
		sourceArn: jsii.String("sourceArn"),
	},
	emailVerificationMessage: jsii.String("emailVerificationMessage"),
	emailVerificationSubject: jsii.String("emailVerificationSubject"),
	enabledMfas: []*string{
		jsii.String("enabledMfas"),
	},
	lambdaConfig: &lambdaConfigProperty{
		createAuthChallenge: jsii.String("createAuthChallenge"),
		customEmailSender: &customEmailSenderProperty{
			lambdaArn: jsii.String("lambdaArn"),
			lambdaVersion: jsii.String("lambdaVersion"),
		},
		customMessage: jsii.String("customMessage"),
		customSmsSender: &customSMSSenderProperty{
			lambdaArn: jsii.String("lambdaArn"),
			lambdaVersion: jsii.String("lambdaVersion"),
		},
		defineAuthChallenge: jsii.String("defineAuthChallenge"),
		kmsKeyId: jsii.String("kmsKeyId"),
		postAuthentication: jsii.String("postAuthentication"),
		postConfirmation: jsii.String("postConfirmation"),
		preAuthentication: jsii.String("preAuthentication"),
		preSignUp: jsii.String("preSignUp"),
		preTokenGeneration: jsii.String("preTokenGeneration"),
		userMigration: jsii.String("userMigration"),
		verifyAuthChallengeResponse: jsii.String("verifyAuthChallengeResponse"),
	},
	mfaConfiguration: jsii.String("mfaConfiguration"),
	policies: &policiesProperty{
		passwordPolicy: &passwordPolicyProperty{
			minimumLength: jsii.Number(123),
			requireLowercase: jsii.Boolean(false),
			requireNumbers: jsii.Boolean(false),
			requireSymbols: jsii.Boolean(false),
			requireUppercase: jsii.Boolean(false),
			temporaryPasswordValidityDays: jsii.Number(123),
		},
	},
	schema: []interface{}{
		&schemaAttributeProperty{
			attributeDataType: jsii.String("attributeDataType"),
			developerOnlyAttribute: jsii.Boolean(false),
			mutable: jsii.Boolean(false),
			name: jsii.String("name"),
			numberAttributeConstraints: &numberAttributeConstraintsProperty{
				maxValue: jsii.String("maxValue"),
				minValue: jsii.String("minValue"),
			},
			required: jsii.Boolean(false),
			stringAttributeConstraints: &stringAttributeConstraintsProperty{
				maxLength: jsii.String("maxLength"),
				minLength: jsii.String("minLength"),
			},
		},
	},
	smsAuthenticationMessage: jsii.String("smsAuthenticationMessage"),
	smsConfiguration: &smsConfigurationProperty{
		externalId: jsii.String("externalId"),
		snsCallerArn: jsii.String("snsCallerArn"),
		snsRegion: jsii.String("snsRegion"),
	},
	smsVerificationMessage: jsii.String("smsVerificationMessage"),
	userAttributeUpdateSettings: &userAttributeUpdateSettingsProperty{
		attributesRequireVerificationBeforeUpdate: []*string{
			jsii.String("attributesRequireVerificationBeforeUpdate"),
		},
	},
	usernameAttributes: []*string{
		jsii.String("usernameAttributes"),
	},
	usernameConfiguration: &usernameConfigurationProperty{
		caseSensitive: jsii.Boolean(false),
	},
	userPoolAddOns: &userPoolAddOnsProperty{
		advancedSecurityMode: jsii.String("advancedSecurityMode"),
	},
	userPoolName: jsii.String("userPoolName"),
	userPoolTags: userPoolTags,
	verificationMessageTemplate: &verificationMessageTemplateProperty{
		defaultEmailOption: jsii.String("defaultEmailOption"),
		emailMessage: jsii.String("emailMessage"),
		emailMessageByLink: jsii.String("emailMessageByLink"),
		emailSubject: jsii.String("emailSubject"),
		emailSubjectByLink: jsii.String("emailSubjectByLink"),
		smsMessage: jsii.String("smsMessage"),
	},
}

type CfnUserPoolResourceServer 

type CfnUserPoolResourceServer interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// A unique resource server identifier for the resource server.
	//
	// This could be an HTTPS endpoint where the resource server is located. For example: `https://my-weather-api.example.com` .
	Identifier() *string
	SetIdentifier(val *string)
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// A friendly name for the resource server.
	Name() *string
	SetName(val *string)
	// The tree node.
	Node() constructs.Node
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// A list of scopes.
	//
	// Each scope is a map with keys `ScopeName` and `ScopeDescription` .
	Scopes() interface{}
	SetScopes(val interface{})
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// The user pool ID for the user pool.
	UserPoolId() *string
	SetUserPoolId(val *string)
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// “`typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// “`
	// would add the overrides
	// “`json
	// "Properties": {
	//    "GlobalSecondaryIndexes": [
	//      {
	//        "Projection": {
	//          "NonKeyAttributes": [ "myattribute" ]
	//          ...
	//        }
	//        ...
	//      },
	//      {
	//        "ProjectionType": "INCLUDE"
	//        ...
	//      },
	//    ]
	//    ...
	// }
	// “`
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found in the following link:.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for an runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string) awscdk.Reference
	// Retrieve a value value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` is the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::Cognito::UserPoolResourceServer`.

The `AWS::Cognito::UserPoolResourceServer` resource creates a new OAuth2.0 resource server and defines custom scopes in it.

> If you don't specify a value for a parameter, Amazon Cognito sets it to a default value.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolResourceServer := awscdk.Aws_cognito.NewCfnUserPoolResourceServer(this, jsii.String("MyCfnUserPoolResourceServer"), &cfnUserPoolResourceServerProps{
	identifier: jsii.String("identifier"),
	name: jsii.String("name"),
	userPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	scopes: []interface{}{
		&resourceServerScopeTypeProperty{
			scopeDescription: jsii.String("scopeDescription"),
			scopeName: jsii.String("scopeName"),
		},
	},
})

func NewCfnUserPoolResourceServer 

func NewCfnUserPoolResourceServer(scope constructs.Construct, id *string, props *CfnUserPoolResourceServerProps) CfnUserPoolResourceServer

Create a new `AWS::Cognito::UserPoolResourceServer`.

type CfnUserPoolResourceServerProps 

type CfnUserPoolResourceServerProps struct {
	// A unique resource server identifier for the resource server.
	//
	// This could be an HTTPS endpoint where the resource server is located. For example: `https://my-weather-api.example.com` .
	Identifier *string `field:"required" json:"identifier" yaml:"identifier"`
	// A friendly name for the resource server.
	Name *string `field:"required" json:"name" yaml:"name"`
	// The user pool ID for the user pool.
	UserPoolId *string `field:"required" json:"userPoolId" yaml:"userPoolId"`
	// A list of scopes.
	//
	// Each scope is a map with keys `ScopeName` and `ScopeDescription` .
	Scopes interface{} `field:"optional" json:"scopes" yaml:"scopes"`
}

Properties for defining a `CfnUserPoolResourceServer`.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolResourceServerProps := &cfnUserPoolResourceServerProps{
	identifier: jsii.String("identifier"),
	name: jsii.String("name"),
	userPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	scopes: []interface{}{
		&resourceServerScopeTypeProperty{
			scopeDescription: jsii.String("scopeDescription"),
			scopeName: jsii.String("scopeName"),
		},
	},
}

type CfnUserPoolResourceServer_ResourceServerScopeTypeProperty 

type CfnUserPoolResourceServer_ResourceServerScopeTypeProperty struct {
	// A description of the scope.
	ScopeDescription *string `field:"required" json:"scopeDescription" yaml:"scopeDescription"`
	// The name of the scope.
	ScopeName *string `field:"required" json:"scopeName" yaml:"scopeName"`
}

A resource server scope.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

resourceServerScopeTypeProperty := &resourceServerScopeTypeProperty{
	scopeDescription: jsii.String("scopeDescription"),
	scopeName: jsii.String("scopeName"),
}

type CfnUserPoolRiskConfigurationAttachment 

type CfnUserPoolRiskConfigurationAttachment interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// The account takeover risk configuration object, including the `NotifyConfiguration` object and `Actions` to take if there is an account takeover.
	AccountTakeoverRiskConfiguration() interface{}
	SetAccountTakeoverRiskConfiguration(val interface{})
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// The app client ID.
	//
	// You can specify the risk configuration for a single client (with a specific ClientId) or for all clients (by setting the ClientId to `ALL` ).
	ClientId() *string
	SetClientId(val *string)
	// The compromised credentials risk configuration object, including the `EventFilter` and the `EventAction` .
	CompromisedCredentialsRiskConfiguration() interface{}
	SetCompromisedCredentialsRiskConfiguration(val interface{})
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// The tree node.
	Node() constructs.Node
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// The configuration to override the risk decision.
	RiskExceptionConfiguration() interface{}
	SetRiskExceptionConfiguration(val interface{})
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// The user pool ID.
	UserPoolId() *string
	SetUserPoolId(val *string)
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// “`typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// “`
	// would add the overrides
	// “`json
	// "Properties": {
	//    "GlobalSecondaryIndexes": [
	//      {
	//        "Projection": {
	//          "NonKeyAttributes": [ "myattribute" ]
	//          ...
	//        }
	//        ...
	//      },
	//      {
	//        "ProjectionType": "INCLUDE"
	//        ...
	//      },
	//    ]
	//    ...
	// }
	// “`
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found in the following link:.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for an runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string) awscdk.Reference
	// Retrieve a value value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` is the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::Cognito::UserPoolRiskConfigurationAttachment`.

The `AWS::Cognito::UserPoolRiskConfigurationAttachment` resource sets the risk configuration that is used for Amazon Cognito advanced security features.

You can specify risk configuration for a single client (with a specific `clientId` ) or for all clients (by setting the `clientId` to `ALL` ). If you specify `ALL` , the default configuration is used for every client that has had no risk configuration set previously. If you specify risk configuration for a particular client, it no longer falls back to the `ALL` configuration.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolRiskConfigurationAttachment := awscdk.Aws_cognito.NewCfnUserPoolRiskConfigurationAttachment(this, jsii.String("MyCfnUserPoolRiskConfigurationAttachment"), &cfnUserPoolRiskConfigurationAttachmentProps{
	clientId: jsii.String("clientId"),
	userPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	accountTakeoverRiskConfiguration: &accountTakeoverRiskConfigurationTypeProperty{
		actions: &accountTakeoverActionsTypeProperty{
			highAction: &accountTakeoverActionTypeProperty{
				eventAction: jsii.String("eventAction"),
				notify: jsii.Boolean(false),
			},
			lowAction: &accountTakeoverActionTypeProperty{
				eventAction: jsii.String("eventAction"),
				notify: jsii.Boolean(false),
			},
			mediumAction: &accountTakeoverActionTypeProperty{
				eventAction: jsii.String("eventAction"),
				notify: jsii.Boolean(false),
			},
		},

		// the properties below are optional
		notifyConfiguration: &notifyConfigurationTypeProperty{
			sourceArn: jsii.String("sourceArn"),

			// the properties below are optional
			blockEmail: &notifyEmailTypeProperty{
				subject: jsii.String("subject"),

				// the properties below are optional
				htmlBody: jsii.String("htmlBody"),
				textBody: jsii.String("textBody"),
			},
			from: jsii.String("from"),
			mfaEmail: &notifyEmailTypeProperty{
				subject: jsii.String("subject"),

				// the properties below are optional
				htmlBody: jsii.String("htmlBody"),
				textBody: jsii.String("textBody"),
			},
			noActionEmail: &notifyEmailTypeProperty{
				subject: jsii.String("subject"),

				// the properties below are optional
				htmlBody: jsii.String("htmlBody"),
				textBody: jsii.String("textBody"),
			},
			replyTo: jsii.String("replyTo"),
		},
	},
	compromisedCredentialsRiskConfiguration: &compromisedCredentialsRiskConfigurationTypeProperty{
		actions: &compromisedCredentialsActionsTypeProperty{
			eventAction: jsii.String("eventAction"),
		},

		// the properties below are optional
		eventFilter: []*string{
			jsii.String("eventFilter"),
		},
	},
	riskExceptionConfiguration: &riskExceptionConfigurationTypeProperty{
		blockedIpRangeList: []*string{
			jsii.String("blockedIpRangeList"),
		},
		skippedIpRangeList: []*string{
			jsii.String("skippedIpRangeList"),
		},
	},
})

func NewCfnUserPoolRiskConfigurationAttachment 

func NewCfnUserPoolRiskConfigurationAttachment(scope constructs.Construct, id *string, props *CfnUserPoolRiskConfigurationAttachmentProps) CfnUserPoolRiskConfigurationAttachment

Create a new `AWS::Cognito::UserPoolRiskConfigurationAttachment`.

type CfnUserPoolRiskConfigurationAttachmentProps 

type CfnUserPoolRiskConfigurationAttachmentProps struct {
	// The app client ID.
	//
	// You can specify the risk configuration for a single client (with a specific ClientId) or for all clients (by setting the ClientId to `ALL` ).
	ClientId *string `field:"required" json:"clientId" yaml:"clientId"`
	// The user pool ID.
	UserPoolId *string `field:"required" json:"userPoolId" yaml:"userPoolId"`
	// The account takeover risk configuration object, including the `NotifyConfiguration` object and `Actions` to take if there is an account takeover.
	AccountTakeoverRiskConfiguration interface{} `field:"optional" json:"accountTakeoverRiskConfiguration" yaml:"accountTakeoverRiskConfiguration"`
	// The compromised credentials risk configuration object, including the `EventFilter` and the `EventAction` .
	CompromisedCredentialsRiskConfiguration interface{} `field:"optional" json:"compromisedCredentialsRiskConfiguration" yaml:"compromisedCredentialsRiskConfiguration"`
	// The configuration to override the risk decision.
	RiskExceptionConfiguration interface{} `field:"optional" json:"riskExceptionConfiguration" yaml:"riskExceptionConfiguration"`
}

Properties for defining a `CfnUserPoolRiskConfigurationAttachment`.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolRiskConfigurationAttachmentProps := &cfnUserPoolRiskConfigurationAttachmentProps{
	clientId: jsii.String("clientId"),
	userPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	accountTakeoverRiskConfiguration: &accountTakeoverRiskConfigurationTypeProperty{
		actions: &accountTakeoverActionsTypeProperty{
			highAction: &accountTakeoverActionTypeProperty{
				eventAction: jsii.String("eventAction"),
				notify: jsii.Boolean(false),
			},
			lowAction: &accountTakeoverActionTypeProperty{
				eventAction: jsii.String("eventAction"),
				notify: jsii.Boolean(false),
			},
			mediumAction: &accountTakeoverActionTypeProperty{
				eventAction: jsii.String("eventAction"),
				notify: jsii.Boolean(false),
			},
		},

		// the properties below are optional
		notifyConfiguration: &notifyConfigurationTypeProperty{
			sourceArn: jsii.String("sourceArn"),

			// the properties below are optional
			blockEmail: &notifyEmailTypeProperty{
				subject: jsii.String("subject"),

				// the properties below are optional
				htmlBody: jsii.String("htmlBody"),
				textBody: jsii.String("textBody"),
			},
			from: jsii.String("from"),
			mfaEmail: &notifyEmailTypeProperty{
				subject: jsii.String("subject"),

				// the properties below are optional
				htmlBody: jsii.String("htmlBody"),
				textBody: jsii.String("textBody"),
			},
			noActionEmail: &notifyEmailTypeProperty{
				subject: jsii.String("subject"),

				// the properties below are optional
				htmlBody: jsii.String("htmlBody"),
				textBody: jsii.String("textBody"),
			},
			replyTo: jsii.String("replyTo"),
		},
	},
	compromisedCredentialsRiskConfiguration: &compromisedCredentialsRiskConfigurationTypeProperty{
		actions: &compromisedCredentialsActionsTypeProperty{
			eventAction: jsii.String("eventAction"),
		},

		// the properties below are optional
		eventFilter: []*string{
			jsii.String("eventFilter"),
		},
	},
	riskExceptionConfiguration: &riskExceptionConfigurationTypeProperty{
		blockedIpRangeList: []*string{
			jsii.String("blockedIpRangeList"),
		},
		skippedIpRangeList: []*string{
			jsii.String("skippedIpRangeList"),
		},
	},
}

type CfnUserPoolRiskConfigurationAttachment_AccountTakeoverActionTypeProperty 

type CfnUserPoolRiskConfigurationAttachment_AccountTakeoverActionTypeProperty struct {
	// The action to take in response to the account takeover action. Valid values are as follows:.
	//
	// - `BLOCK` Choosing this action will block the request.
	// - `MFA_IF_CONFIGURED` Present an MFA challenge if user has configured it, else allow the request.
	// - `MFA_REQUIRED` Present an MFA challenge if user has configured it, else block the request.
	// - `NO_ACTION` Allow the user to sign in.
	EventAction *string `field:"required" json:"eventAction" yaml:"eventAction"`
	// Flag specifying whether to send a notification.
	Notify interface{} `field:"required" json:"notify" yaml:"notify"`
}

Account takeover action type.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

accountTakeoverActionTypeProperty := &accountTakeoverActionTypeProperty{
	eventAction: jsii.String("eventAction"),
	notify: jsii.Boolean(false),
}

type CfnUserPoolRiskConfigurationAttachment_AccountTakeoverActionsTypeProperty 

type CfnUserPoolRiskConfigurationAttachment_AccountTakeoverActionsTypeProperty struct {
	// Action to take for a high risk.
	HighAction interface{} `field:"optional" json:"highAction" yaml:"highAction"`
	// Action to take for a low risk.
	LowAction interface{} `field:"optional" json:"lowAction" yaml:"lowAction"`
	// Action to take for a medium risk.
	MediumAction interface{} `field:"optional" json:"mediumAction" yaml:"mediumAction"`
}

Account takeover actions type.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

accountTakeoverActionsTypeProperty := &accountTakeoverActionsTypeProperty{
	highAction: &accountTakeoverActionTypeProperty{
		eventAction: jsii.String("eventAction"),
		notify: jsii.Boolean(false),
	},
	lowAction: &accountTakeoverActionTypeProperty{
		eventAction: jsii.String("eventAction"),
		notify: jsii.Boolean(false),
	},
	mediumAction: &accountTakeoverActionTypeProperty{
		eventAction: jsii.String("eventAction"),
		notify: jsii.Boolean(false),
	},
}

type CfnUserPoolRiskConfigurationAttachment_AccountTakeoverRiskConfigurationTypeProperty 

type CfnUserPoolRiskConfigurationAttachment_AccountTakeoverRiskConfigurationTypeProperty struct {
	// Account takeover risk configuration actions.
	Actions interface{} `field:"required" json:"actions" yaml:"actions"`
	// The notify configuration used to construct email notifications.
	NotifyConfiguration interface{} `field:"optional" json:"notifyConfiguration" yaml:"notifyConfiguration"`
}

Configuration for mitigation actions and notification for different levels of risk detected for a potential account takeover.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

accountTakeoverRiskConfigurationTypeProperty := &accountTakeoverRiskConfigurationTypeProperty{
	actions: &accountTakeoverActionsTypeProperty{
		highAction: &accountTakeoverActionTypeProperty{
			eventAction: jsii.String("eventAction"),
			notify: jsii.Boolean(false),
		},
		lowAction: &accountTakeoverActionTypeProperty{
			eventAction: jsii.String("eventAction"),
			notify: jsii.Boolean(false),
		},
		mediumAction: &accountTakeoverActionTypeProperty{
			eventAction: jsii.String("eventAction"),
			notify: jsii.Boolean(false),
		},
	},

	// the properties below are optional
	notifyConfiguration: &notifyConfigurationTypeProperty{
		sourceArn: jsii.String("sourceArn"),

		// the properties below are optional
		blockEmail: &notifyEmailTypeProperty{
			subject: jsii.String("subject"),

			// the properties below are optional
			htmlBody: jsii.String("htmlBody"),
			textBody: jsii.String("textBody"),
		},
		from: jsii.String("from"),
		mfaEmail: &notifyEmailTypeProperty{
			subject: jsii.String("subject"),

			// the properties below are optional
			htmlBody: jsii.String("htmlBody"),
			textBody: jsii.String("textBody"),
		},
		noActionEmail: &notifyEmailTypeProperty{
			subject: jsii.String("subject"),

			// the properties below are optional
			htmlBody: jsii.String("htmlBody"),
			textBody: jsii.String("textBody"),
		},
		replyTo: jsii.String("replyTo"),
	},
}

type CfnUserPoolRiskConfigurationAttachment_CompromisedCredentialsActionsTypeProperty 

type CfnUserPoolRiskConfigurationAttachment_CompromisedCredentialsActionsTypeProperty struct {
	// The event action.
	EventAction *string `field:"required" json:"eventAction" yaml:"eventAction"`
}

The compromised credentials actions type.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

compromisedCredentialsActionsTypeProperty := &compromisedCredentialsActionsTypeProperty{
	eventAction: jsii.String("eventAction"),
}

type CfnUserPoolRiskConfigurationAttachment_CompromisedCredentialsRiskConfigurationTypeProperty 

type CfnUserPoolRiskConfigurationAttachment_CompromisedCredentialsRiskConfigurationTypeProperty struct {
	// The compromised credentials risk configuration actions.
	Actions interface{} `field:"required" json:"actions" yaml:"actions"`
	// Perform the action for these events.
	//
	// The default is to perform all events if no event filter is specified.
	EventFilter *[]*string `field:"optional" json:"eventFilter" yaml:"eventFilter"`
}

The compromised credentials risk configuration type.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

compromisedCredentialsRiskConfigurationTypeProperty := &compromisedCredentialsRiskConfigurationTypeProperty{
	actions: &compromisedCredentialsActionsTypeProperty{
		eventAction: jsii.String("eventAction"),
	},

	// the properties below are optional
	eventFilter: []*string{
		jsii.String("eventFilter"),
	},
}

type CfnUserPoolRiskConfigurationAttachment_NotifyConfigurationTypeProperty 

type CfnUserPoolRiskConfigurationAttachment_NotifyConfigurationTypeProperty struct {
	// The Amazon Resource Name (ARN) of the identity that is associated with the sending authorization policy.
	//
	// This identity permits Amazon Cognito to send for the email address specified in the `From` parameter.
	SourceArn *string `field:"required" json:"sourceArn" yaml:"sourceArn"`
	// Email template used when a detected risk event is blocked.
	BlockEmail interface{} `field:"optional" json:"blockEmail" yaml:"blockEmail"`
	// The email address that is sending the email.
	//
	// The address must be either individually verified with Amazon Simple Email Service, or from a domain that has been verified with Amazon SES.
	From *string `field:"optional" json:"from" yaml:"from"`
	// The multi-factor authentication (MFA) email template used when MFA is challenged as part of a detected risk.
	MfaEmail interface{} `field:"optional" json:"mfaEmail" yaml:"mfaEmail"`
	// The email template used when a detected risk event is allowed.
	NoActionEmail interface{} `field:"optional" json:"noActionEmail" yaml:"noActionEmail"`
	// The destination to which the receiver of an email should reply to.
	ReplyTo *string `field:"optional" json:"replyTo" yaml:"replyTo"`
}

The notify configuration type.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

notifyConfigurationTypeProperty := &notifyConfigurationTypeProperty{
	sourceArn: jsii.String("sourceArn"),

	// the properties below are optional
	blockEmail: &notifyEmailTypeProperty{
		subject: jsii.String("subject"),

		// the properties below are optional
		htmlBody: jsii.String("htmlBody"),
		textBody: jsii.String("textBody"),
	},
	from: jsii.String("from"),
	mfaEmail: &notifyEmailTypeProperty{
		subject: jsii.String("subject"),

		// the properties below are optional
		htmlBody: jsii.String("htmlBody"),
		textBody: jsii.String("textBody"),
	},
	noActionEmail: &notifyEmailTypeProperty{
		subject: jsii.String("subject"),

		// the properties below are optional
		htmlBody: jsii.String("htmlBody"),
		textBody: jsii.String("textBody"),
	},
	replyTo: jsii.String("replyTo"),
}

type CfnUserPoolRiskConfigurationAttachment_NotifyEmailTypeProperty 

type CfnUserPoolRiskConfigurationAttachment_NotifyEmailTypeProperty struct {
	// The email subject.
	Subject *string `field:"required" json:"subject" yaml:"subject"`
	// The email HTML body.
	HtmlBody *string `field:"optional" json:"htmlBody" yaml:"htmlBody"`
	// The email text body.
	TextBody *string `field:"optional" json:"textBody" yaml:"textBody"`
}

The notify email type.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

notifyEmailTypeProperty := &notifyEmailTypeProperty{
	subject: jsii.String("subject"),

	// the properties below are optional
	htmlBody: jsii.String("htmlBody"),
	textBody: jsii.String("textBody"),
}

type CfnUserPoolRiskConfigurationAttachment_RiskExceptionConfigurationTypeProperty 

type CfnUserPoolRiskConfigurationAttachment_RiskExceptionConfigurationTypeProperty struct {
	// Overrides the risk decision to always block the pre-authentication requests.
	//
	// The IP range is in CIDR notation, a compact representation of an IP address and its routing prefix.
	BlockedIpRangeList *[]*string `field:"optional" json:"blockedIpRangeList" yaml:"blockedIpRangeList"`
	// Risk detection isn't performed on the IP addresses in this range list.
	//
	// The IP range is in CIDR notation.
	SkippedIpRangeList *[]*string `field:"optional" json:"skippedIpRangeList" yaml:"skippedIpRangeList"`
}

The type of the configuration to override the risk decision.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

riskExceptionConfigurationTypeProperty := &riskExceptionConfigurationTypeProperty{
	blockedIpRangeList: []*string{
		jsii.String("blockedIpRangeList"),
	},
	skippedIpRangeList: []*string{
		jsii.String("skippedIpRangeList"),
	},
}

type CfnUserPoolUICustomizationAttachment 

type CfnUserPoolUICustomizationAttachment interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// The client ID for the client app.
	//
	// You can specify the UI customization settings for a single client (with a specific clientId) or for all clients (by setting the clientId to `ALL` ).
	ClientId() *string
	SetClientId(val *string)
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// The CSS values in the UI customization.
	Css() *string
	SetCss(val *string)
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// The tree node.
	Node() constructs.Node
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// The user pool ID for the user pool.
	UserPoolId() *string
	SetUserPoolId(val *string)
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// “`typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// “`
	// would add the overrides
	// “`json
	// "Properties": {
	//    "GlobalSecondaryIndexes": [
	//      {
	//        "Projection": {
	//          "NonKeyAttributes": [ "myattribute" ]
	//          ...
	//        }
	//        ...
	//      },
	//      {
	//        "ProjectionType": "INCLUDE"
	//        ...
	//      },
	//    ]
	//    ...
	// }
	// “`
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found in the following link:.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for an runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string) awscdk.Reference
	// Retrieve a value value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` is the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::Cognito::UserPoolUICustomizationAttachment`.

The `AWS::Cognito::UserPoolUICustomizationAttachment` resource sets the UI customization information for a user pool's built-in app UI.

You can specify app UI customization settings for a single client (with a specific `clientId` ) or for all clients (by setting the `clientId` to `ALL` ). If you specify `ALL` , the default configuration is used for every client that has had no UI customization set previously. If you specify UI customization settings for a particular client, it no longer falls back to the `ALL` configuration.

> Before you create this resource, your user pool must have a domain associated with it. You can create an `AWS::Cognito::UserPoolDomain` resource first in this user pool.

Setting a logo image isn't supported from AWS CloudFormation . Use the Amazon Cognito [SetUICustomization](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUICustomization.html#API_SetUICustomization_RequestSyntax) API operation to set the image.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolUICustomizationAttachment := awscdk.Aws_cognito.NewCfnUserPoolUICustomizationAttachment(this, jsii.String("MyCfnUserPoolUICustomizationAttachment"), &cfnUserPoolUICustomizationAttachmentProps{
	clientId: jsii.String("clientId"),
	userPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	css: jsii.String("css"),
})

func NewCfnUserPoolUICustomizationAttachment 

func NewCfnUserPoolUICustomizationAttachment(scope constructs.Construct, id *string, props *CfnUserPoolUICustomizationAttachmentProps) CfnUserPoolUICustomizationAttachment

Create a new `AWS::Cognito::UserPoolUICustomizationAttachment`.

type CfnUserPoolUICustomizationAttachmentProps 

type CfnUserPoolUICustomizationAttachmentProps struct {
	// The client ID for the client app.
	//
	// You can specify the UI customization settings for a single client (with a specific clientId) or for all clients (by setting the clientId to `ALL` ).
	ClientId *string `field:"required" json:"clientId" yaml:"clientId"`
	// The user pool ID for the user pool.
	UserPoolId *string `field:"required" json:"userPoolId" yaml:"userPoolId"`
	// The CSS values in the UI customization.
	Css *string `field:"optional" json:"css" yaml:"css"`
}

Properties for defining a `CfnUserPoolUICustomizationAttachment`.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolUICustomizationAttachmentProps := &cfnUserPoolUICustomizationAttachmentProps{
	clientId: jsii.String("clientId"),
	userPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	css: jsii.String("css"),
}

type CfnUserPoolUser 

type CfnUserPoolUser interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// A map of custom key-value pairs that you can provide as input for the custom workflow that is invoked by the *pre sign-up* trigger.
	//
	// You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you create a `UserPoolUser` resource and include the `ClientMetadata` property, Amazon Cognito invokes the function that is assigned to the *pre sign-up* trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a `clientMetadata` attribute, which provides the data that you assigned to the ClientMetadata property. In your function code in AWS Lambda , you can process the `clientMetadata` value to enhance your workflow for your specific needs.
	//
	// For more information, see [Customizing User Pool Workflows with Lambda Triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html) in the *Amazon Cognito Developer Guide* .
	//
	// > Take the following limitations into consideration when you use the ClientMetadata parameter:
	// >
	// > - Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose.
	// > - Amazon Cognito does not validate the ClientMetadata value.
	// > - Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information.
	ClientMetadata() interface{}
	SetClientMetadata(val interface{})
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// Specify `"EMAIL"` if email will be used to send the welcome message.
	//
	// Specify `"SMS"` if the phone number will be used. The default value is `"SMS"` . You can specify more than one value.
	DesiredDeliveryMediums() *[]*string
	SetDesiredDeliveryMediums(val *[]*string)
	// This parameter is used only if the `phone_number_verified` or `email_verified` attribute is set to `True` .
	//
	// Otherwise, it is ignored.
	//
	// If this parameter is set to `True` and the phone number or email address specified in the UserAttributes parameter already exists as an alias with a different user, the API call will migrate the alias from the previous user to the newly created user. The previous user will no longer be able to log in using that alias.
	//
	// If this parameter is set to `False` , the API throws an `AliasExistsException` error if the alias already exists. The default value is `False` .
	ForceAliasCreation() interface{}
	SetForceAliasCreation(val interface{})
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// Set to `RESEND` to resend the invitation message to a user that already exists and reset the expiration limit on the user's account.
	//
	// Set to `SUPPRESS` to suppress sending the message. You can specify only one value.
	MessageAction() *string
	SetMessageAction(val *string)
	// The tree node.
	Node() constructs.Node
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// The user attributes and attribute values to be set for the user to be created.
	//
	// These are name-value pairs You can create a user without specifying any attributes other than `Username` . However, any attributes that you specify as required (in [](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) or in the *Attributes* tab of the console) must be supplied either by you (in your call to `AdminCreateUser` ) or by the user (when they sign up in response to your welcome message).
	//
	// For custom attributes, you must prepend the `custom:` prefix to the attribute name.
	//
	// To send a message inviting the user to sign up, you must specify the user's email address or phone number. This can be done in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools.
	//
	// In your call to `AdminCreateUser` , you can set the `email_verified` attribute to `True` , and you can set the `phone_number_verified` attribute to `True` . (You can also do this by calling [](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html) .)
	//
	// - *email* : The email address of the user to whom the message that contains the code and user name will be sent. Required if the `email_verified` attribute is set to `True` , or if `"EMAIL"` is specified in the `DesiredDeliveryMediums` parameter.
	// - *phone_number* : The phone number of the user to whom the message that contains the code and user name will be sent. Required if the `phone_number_verified` attribute is set to `True` , or if `"SMS"` is specified in the `DesiredDeliveryMediums` parameter.
	UserAttributes() interface{}
	SetUserAttributes(val interface{})
	// The username for the user.
	//
	// Must be unique within the user pool. Must be a UTF-8 string between 1 and 128 characters. After the user is created, the username can't be changed.
	Username() *string
	SetUsername(val *string)
	// The user pool ID for the user pool where the user will be created.
	UserPoolId() *string
	SetUserPoolId(val *string)
	// The user's validation data.
	//
	// This is an array of name-value pairs that contain user attributes and attribute values that you can use for custom validation, such as restricting the types of user accounts that can be registered. For example, you might choose to allow or disallow user sign-up based on the user's domain.
	//
	// To configure custom validation, you must create a Pre Sign-up AWS Lambda trigger for the user pool as described in the Amazon Cognito Developer Guide. The Lambda trigger receives the validation data and uses it in the validation process.
	//
	// The user's validation data isn't persisted.
	ValidationData() interface{}
	SetValidationData(val interface{})
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// “`typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// “`
	// would add the overrides
	// “`json
	// "Properties": {
	//    "GlobalSecondaryIndexes": [
	//      {
	//        "Projection": {
	//          "NonKeyAttributes": [ "myattribute" ]
	//          ...
	//        }
	//        ...
	//      },
	//      {
	//        "ProjectionType": "INCLUDE"
	//        ...
	//      },
	//    ]
	//    ...
	// }
	// “`
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found in the following link:.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for an runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string) awscdk.Reference
	// Retrieve a value value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` is the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::Cognito::UserPoolUser`.

The `AWS::Cognito::UserPoolUser` resource creates an Amazon Cognito user pool user.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var clientMetadata interface{}

cfnUserPoolUser := awscdk.Aws_cognito.NewCfnUserPoolUser(this, jsii.String("MyCfnUserPoolUser"), &cfnUserPoolUserProps{
	userPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	clientMetadata: clientMetadata,
	desiredDeliveryMediums: []*string{
		jsii.String("desiredDeliveryMediums"),
	},
	forceAliasCreation: jsii.Boolean(false),
	messageAction: jsii.String("messageAction"),
	userAttributes: []interface{}{
		&attributeTypeProperty{
			name: jsii.String("name"),
			value: jsii.String("value"),
		},
	},
	username: jsii.String("username"),
	validationData: []interface{}{
		&attributeTypeProperty{
			name: jsii.String("name"),
			value: jsii.String("value"),
		},
	},
})

func NewCfnUserPoolUser 

func NewCfnUserPoolUser(scope constructs.Construct, id *string, props *CfnUserPoolUserProps) CfnUserPoolUser

Create a new `AWS::Cognito::UserPoolUser`.

type CfnUserPoolUserProps 

type CfnUserPoolUserProps struct {
	// The user pool ID for the user pool where the user will be created.
	UserPoolId *string `field:"required" json:"userPoolId" yaml:"userPoolId"`
	// A map of custom key-value pairs that you can provide as input for the custom workflow that is invoked by the *pre sign-up* trigger.
	//
	// You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you create a `UserPoolUser` resource and include the `ClientMetadata` property, Amazon Cognito invokes the function that is assigned to the *pre sign-up* trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a `clientMetadata` attribute, which provides the data that you assigned to the ClientMetadata property. In your function code in AWS Lambda , you can process the `clientMetadata` value to enhance your workflow for your specific needs.
	//
	// For more information, see [Customizing User Pool Workflows with Lambda Triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html) in the *Amazon Cognito Developer Guide* .
	//
	// > Take the following limitations into consideration when you use the ClientMetadata parameter:
	// >
	// > - Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose.
	// > - Amazon Cognito does not validate the ClientMetadata value.
	// > - Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information.
	ClientMetadata interface{} `field:"optional" json:"clientMetadata" yaml:"clientMetadata"`
	// Specify `"EMAIL"` if email will be used to send the welcome message.
	//
	// Specify `"SMS"` if the phone number will be used. The default value is `"SMS"` . You can specify more than one value.
	DesiredDeliveryMediums *[]*string `field:"optional" json:"desiredDeliveryMediums" yaml:"desiredDeliveryMediums"`
	// This parameter is used only if the `phone_number_verified` or `email_verified` attribute is set to `True` .
	//
	// Otherwise, it is ignored.
	//
	// If this parameter is set to `True` and the phone number or email address specified in the UserAttributes parameter already exists as an alias with a different user, the API call will migrate the alias from the previous user to the newly created user. The previous user will no longer be able to log in using that alias.
	//
	// If this parameter is set to `False` , the API throws an `AliasExistsException` error if the alias already exists. The default value is `False` .
	ForceAliasCreation interface{} `field:"optional" json:"forceAliasCreation" yaml:"forceAliasCreation"`
	// Set to `RESEND` to resend the invitation message to a user that already exists and reset the expiration limit on the user's account.
	//
	// Set to `SUPPRESS` to suppress sending the message. You can specify only one value.
	MessageAction *string `field:"optional" json:"messageAction" yaml:"messageAction"`
	// The user attributes and attribute values to be set for the user to be created.
	//
	// These are name-value pairs You can create a user without specifying any attributes other than `Username` . However, any attributes that you specify as required (in [](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) or in the *Attributes* tab of the console) must be supplied either by you (in your call to `AdminCreateUser` ) or by the user (when they sign up in response to your welcome message).
	//
	// For custom attributes, you must prepend the `custom:` prefix to the attribute name.
	//
	// To send a message inviting the user to sign up, you must specify the user's email address or phone number. This can be done in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools.
	//
	// In your call to `AdminCreateUser` , you can set the `email_verified` attribute to `True` , and you can set the `phone_number_verified` attribute to `True` . (You can also do this by calling [](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html) .)
	//
	// - *email* : The email address of the user to whom the message that contains the code and user name will be sent. Required if the `email_verified` attribute is set to `True` , or if `"EMAIL"` is specified in the `DesiredDeliveryMediums` parameter.
	// - *phone_number* : The phone number of the user to whom the message that contains the code and user name will be sent. Required if the `phone_number_verified` attribute is set to `True` , or if `"SMS"` is specified in the `DesiredDeliveryMediums` parameter.
	UserAttributes interface{} `field:"optional" json:"userAttributes" yaml:"userAttributes"`
	// The username for the user.
	//
	// Must be unique within the user pool. Must be a UTF-8 string between 1 and 128 characters. After the user is created, the username can't be changed.
	Username *string `field:"optional" json:"username" yaml:"username"`
	// The user's validation data.
	//
	// This is an array of name-value pairs that contain user attributes and attribute values that you can use for custom validation, such as restricting the types of user accounts that can be registered. For example, you might choose to allow or disallow user sign-up based on the user's domain.
	//
	// To configure custom validation, you must create a Pre Sign-up AWS Lambda trigger for the user pool as described in the Amazon Cognito Developer Guide. The Lambda trigger receives the validation data and uses it in the validation process.
	//
	// The user's validation data isn't persisted.
	ValidationData interface{} `field:"optional" json:"validationData" yaml:"validationData"`
}

Properties for defining a `CfnUserPoolUser`.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var clientMetadata interface{}

cfnUserPoolUserProps := &cfnUserPoolUserProps{
	userPoolId: jsii.String("userPoolId"),

	// the properties below are optional
	clientMetadata: clientMetadata,
	desiredDeliveryMediums: []*string{
		jsii.String("desiredDeliveryMediums"),
	},
	forceAliasCreation: jsii.Boolean(false),
	messageAction: jsii.String("messageAction"),
	userAttributes: []interface{}{
		&attributeTypeProperty{
			name: jsii.String("name"),
			value: jsii.String("value"),
		},
	},
	username: jsii.String("username"),
	validationData: []interface{}{
		&attributeTypeProperty{
			name: jsii.String("name"),
			value: jsii.String("value"),
		},
	},
}

type CfnUserPoolUserToGroupAttachment 

type CfnUserPoolUserToGroupAttachment interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// Options for this resource, such as condition, update policy etc.
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	// AWS resource type.
	CfnResourceType() *string
	// Returns: the stack trace of the point where this Resource was created from, sourced
	// from the +metadata+ entry typed +aws:cdk:logicalId+, and with the bottom-most
	// node +internal+ entries filtered.
	CreationStack() *[]*string
	// The group name.
	GroupName() *string
	SetGroupName(val *string)
	// The logical ID for this CloudFormation stack element.
	//
	// The logical ID of the element
	// is calculated from the path of the resource node in the construct tree.
	//
	// To override this value, use `overrideLogicalId(newLogicalId)`.
	//
	// Returns: the logical ID as a stringified token. This value will only get
	// resolved during synthesis.
	LogicalId() *string
	// The tree node.
	Node() constructs.Node
	// Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
	//
	// If, by any chance, the intrinsic reference of a resource is not a string, you could
	// coerce it to an IResolvable through `Lazy.any({ produce: resource.ref })`.
	Ref() *string
	// The stack in which this element is defined.
	//
	// CfnElements must be defined within a stack scope (directly or indirectly).
	Stack() awscdk.Stack
	// Return properties modified after initiation.
	//
	// Resources that expose mutable properties should override this function to
	// collect and return the properties object for this resource.
	UpdatedProperites() *map[string]interface{}
	// The username for the user.
	Username() *string
	SetUsername(val *string)
	// The user pool ID for the user pool.
	UserPoolId() *string
	SetUserPoolId(val *string)
	// Syntactic sugar for `addOverride(path, undefined)`.
	AddDeletionOverride(path *string)
	// Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
	//
	// This can be used for resources across stacks (or nested stack) boundaries
	// and the dependency will automatically be transferred to the relevant scope.
	AddDependsOn(target awscdk.CfnResource)
	// Add a value to the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	AddMetadata(key *string, value interface{})
	// Adds an override to the synthesized CloudFormation resource.
	//
	// To add a
	// property override, either use `addPropertyOverride` or prefix `path` with
	// "Properties." (i.e. `Properties.TopicName`).
	//
	// If the override is nested, separate each nested level using a dot (.) in the path parameter.
	// If there is an array as part of the nesting, specify the index in the path.
	//
	// To include a literal `.` in the property name, prefix with a `\`. In most
	// programming languages you will need to write this as `"\\."` because the
	// `\` itself will need to be escaped.
	//
	// For example,
	// “`typescript
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
	// cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
	// “`
	// would add the overrides
	// “`json
	// "Properties": {
	//    "GlobalSecondaryIndexes": [
	//      {
	//        "Projection": {
	//          "NonKeyAttributes": [ "myattribute" ]
	//          ...
	//        }
	//        ...
	//      },
	//      {
	//        "ProjectionType": "INCLUDE"
	//        ...
	//      },
	//    ]
	//    ...
	// }
	// “`
	//
	// The `value` argument to `addOverride` will not be processed or translated
	// in any way. Pass raw JSON values in here with the correct capitalization
	// for CloudFormation. If you pass CDK classes or structs, they will be
	// rendered with lowercased key names, and CloudFormation will reject the
	// template.
	AddOverride(path *string, value interface{})
	// Adds an override that deletes the value of a property from the resource definition.
	AddPropertyDeletionOverride(propertyPath *string)
	// Adds an override to a resource property.
	//
	// Syntactic sugar for `addOverride("Properties.<...>", value)`.
	AddPropertyOverride(propertyPath *string, value interface{})
	// Sets the deletion policy of the resource based on the removal policy specified.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`). In some
	// cases, a snapshot can be taken of the resource prior to deletion
	// (`RemovalPolicy.SNAPSHOT`). A list of resources that support this policy
	// can be found in the following link:.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options
	//
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	// Returns a token for an runtime attribute of this resource.
	//
	// Ideally, use generated attribute accessors (e.g. `resource.arn`), but this can be used for future compatibility
	// in case there is no generated attribute.
	GetAtt(attributeName *string) awscdk.Reference
	// Retrieve a value value from the CloudFormation Resource Metadata.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
	//
	// Note that this is a different set of metadata from CDK node metadata; this
	// metadata ends up in the stack template under the resource, whereas CDK
	// node metadata ends up in the Cloud Assembly.
	//
	GetMetadata(key *string) interface{}
	// Examines the CloudFormation resource and discloses attributes.
	Inspect(inspector awscdk.TreeInspector)
	// Overrides the auto-generated logical ID with a specific ID.
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	// Can be overridden by subclasses to determine if this resource will be rendered into the cloudformation template.
	//
	// Returns: `true` if the resource should be included or `false` is the resource
	// should be omitted.
	ShouldSynthesize() *bool
	// Returns a string representation of this construct.
	//
	// Returns: a string representation of this resource.
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::Cognito::UserPoolUserToGroupAttachment`.

Adds the specified user to the specified group.

Calling this action requires developer credentials.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolUserToGroupAttachment := awscdk.Aws_cognito.NewCfnUserPoolUserToGroupAttachment(this, jsii.String("MyCfnUserPoolUserToGroupAttachment"), &cfnUserPoolUserToGroupAttachmentProps{
	groupName: jsii.String("groupName"),
	username: jsii.String("username"),
	userPoolId: jsii.String("userPoolId"),
})

func NewCfnUserPoolUserToGroupAttachment 

func NewCfnUserPoolUserToGroupAttachment(scope constructs.Construct, id *string, props *CfnUserPoolUserToGroupAttachmentProps) CfnUserPoolUserToGroupAttachment

Create a new `AWS::Cognito::UserPoolUserToGroupAttachment`.

type CfnUserPoolUserToGroupAttachmentProps 

type CfnUserPoolUserToGroupAttachmentProps struct {
	// The group name.
	GroupName *string `field:"required" json:"groupName" yaml:"groupName"`
	// The username for the user.
	Username *string `field:"required" json:"username" yaml:"username"`
	// The user pool ID for the user pool.
	UserPoolId *string `field:"required" json:"userPoolId" yaml:"userPoolId"`
}

Properties for defining a `CfnUserPoolUserToGroupAttachment`.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

cfnUserPoolUserToGroupAttachmentProps := &cfnUserPoolUserToGroupAttachmentProps{
	groupName: jsii.String("groupName"),
	username: jsii.String("username"),
	userPoolId: jsii.String("userPoolId"),
}

type CfnUserPoolUser_AttributeTypeProperty 

type CfnUserPoolUser_AttributeTypeProperty struct {
	// The name of the attribute.
	Name *string `field:"optional" json:"name" yaml:"name"`
	// The value of the attribute.
	Value *string `field:"optional" json:"value" yaml:"value"`
}

Specifies whether the attribute is standard or custom.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

attributeTypeProperty := &attributeTypeProperty{
	name: jsii.String("name"),
	value: jsii.String("value"),
}

type CfnUserPool_AccountRecoverySettingProperty 

type CfnUserPool_AccountRecoverySettingProperty struct {
	// The list of `RecoveryOptionTypes` .
	RecoveryMechanisms interface{} `field:"optional" json:"recoveryMechanisms" yaml:"recoveryMechanisms"`
}

Use this setting to define which verified available method a user can use to recover their password when they call `ForgotPassword` .

It allows you to define a preferred method when a user has more than one method available. With this setting, SMS does not qualify for a valid password recovery mechanism if the user also has SMS MFA enabled. In the absence of this setting, Cognito uses the legacy behavior to determine the recovery method where SMS is preferred over email.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

accountRecoverySettingProperty := &accountRecoverySettingProperty{
	recoveryMechanisms: []interface{}{
		&recoveryOptionProperty{
			name: jsii.String("name"),
			priority: jsii.Number(123),
		},
	},
}

type CfnUserPool_AdminCreateUserConfigProperty 

type CfnUserPool_AdminCreateUserConfigProperty struct {
	// Set to `True` if only the administrator is allowed to create user profiles.
	//
	// Set to `False` if users can sign themselves up via an app.
	AllowAdminCreateUserOnly interface{} `field:"optional" json:"allowAdminCreateUserOnly" yaml:"allowAdminCreateUserOnly"`
	// The message template to be used for the welcome message to new users.
	//
	// See also [Customizing User Invitation Messages](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization) .
	InviteMessageTemplate interface{} `field:"optional" json:"inviteMessageTemplate" yaml:"inviteMessageTemplate"`
	// The user account expiration limit, in days, after which a new account that hasn't signed in is no longer usable.
	//
	// To reset the account after that time limit, you must call `AdminCreateUser` again, specifying `"RESEND"` for the `MessageAction` parameter. The default value for this parameter is 7.
	//
	// > If you set a value for `TemporaryPasswordValidityDays` in `PasswordPolicy` , that value will be used, and `UnusedAccountValidityDays` will be no longer be an available parameter for that user pool.
	UnusedAccountValidityDays *float64 `field:"optional" json:"unusedAccountValidityDays" yaml:"unusedAccountValidityDays"`
}

The configuration for `AdminCreateUser` requests.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

adminCreateUserConfigProperty := &adminCreateUserConfigProperty{
	allowAdminCreateUserOnly: jsii.Boolean(false),
	inviteMessageTemplate: &inviteMessageTemplateProperty{
		emailMessage: jsii.String("emailMessage"),
		emailSubject: jsii.String("emailSubject"),
		smsMessage: jsii.String("smsMessage"),
	},
	unusedAccountValidityDays: jsii.Number(123),
}

type CfnUserPool_CustomEmailSenderProperty 

type CfnUserPool_CustomEmailSenderProperty struct {
	// The Amazon Resource Name (ARN) of the AWS Lambda function that Amazon Cognito triggers to send email notifications to users.
	LambdaArn *string `field:"optional" json:"lambdaArn" yaml:"lambdaArn"`
	// The Lambda version represents the signature of the "request" attribute in the "event" information that Amazon Cognito passes to your custom email sender AWS Lambda function.
	//
	// The only supported value is `V1_0` .
	LambdaVersion *string `field:"optional" json:"lambdaVersion" yaml:"lambdaVersion"`
}

A custom email sender AWS Lambda trigger.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

customEmailSenderProperty := &customEmailSenderProperty{
	lambdaArn: jsii.String("lambdaArn"),
	lambdaVersion: jsii.String("lambdaVersion"),
}

type CfnUserPool_CustomSMSSenderProperty 

type CfnUserPool_CustomSMSSenderProperty struct {
	// The Amazon Resource Name (ARN) of the AWS Lambda function that Amazon Cognito triggers to send SMS notifications to users.
	LambdaArn *string `field:"optional" json:"lambdaArn" yaml:"lambdaArn"`
	// The Lambda version represents the signature of the "request" attribute in the "event" information Amazon Cognito passes to your custom SMS sender Lambda function.
	//
	// The only supported value is `V1_0` .
	LambdaVersion *string `field:"optional" json:"lambdaVersion" yaml:"lambdaVersion"`
}

A custom SMS sender AWS Lambda trigger.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

customSMSSenderProperty := &customSMSSenderProperty{
	lambdaArn: jsii.String("lambdaArn"),
	lambdaVersion: jsii.String("lambdaVersion"),
}

type CfnUserPool_DeviceConfigurationProperty 

type CfnUserPool_DeviceConfigurationProperty struct {
	// When true, device authentication can replace SMS and time-based one-time password (TOTP) factors for multi-factor authentication (MFA).
	//
	// > Users that sign in with devices that have not been confirmed or remembered will still have to provide a second factor, whether or not ChallengeRequiredOnNewDevice is true, when your user pool requires MFA.
	ChallengeRequiredOnNewDevice interface{} `field:"optional" json:"challengeRequiredOnNewDevice" yaml:"challengeRequiredOnNewDevice"`
	// When true, users can opt in to remembering their device.
	//
	// Your app code must use callback functions to return the user's choice.
	DeviceOnlyRememberedOnUserPrompt interface{} `field:"optional" json:"deviceOnlyRememberedOnUserPrompt" yaml:"deviceOnlyRememberedOnUserPrompt"`
}

The device tracking configuration for a user pool. A user pool with device tracking deactivated returns a null value.

> When you provide values for any DeviceConfiguration field, you activate device tracking.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

deviceConfigurationProperty := &deviceConfigurationProperty{
	challengeRequiredOnNewDevice: jsii.Boolean(false),
	deviceOnlyRememberedOnUserPrompt: jsii.Boolean(false),
}

type CfnUserPool_EmailConfigurationProperty 

type CfnUserPool_EmailConfigurationProperty struct {
	// The set of configuration rules that can be applied to emails sent using Amazon SES.
	//
	// A configuration set is applied to an email by including a reference to the configuration set in the headers of the email. Once applied, all of the rules in that configuration set are applied to the email. Configuration sets can be used to apply the following types of rules to emails:
	//
	// - Event publishing – Amazon SES can track the number of send, delivery, open, click, bounce, and complaint events for each email sent. Use event publishing to send information about these events to other AWS services such as SNS and CloudWatch.
	// - IP pool management – When leasing dedicated IP addresses with Amazon SES, you can create groups of IP addresses, called dedicated IP pools. You can then associate the dedicated IP pools with configuration sets.
	ConfigurationSet *string `field:"optional" json:"configurationSet" yaml:"configurationSet"`
	// Specifies whether Amazon Cognito uses its built-in functionality to send your users email messages, or uses your Amazon Simple Email Service email configuration.
	//
	// Specify one of the following values:
	//
	// - **COGNITO_DEFAULT** - When Amazon Cognito emails your users, it uses its built-in email functionality. When you use the default option, Amazon Cognito allows only a limited number of emails each day for your user pool. For typical production environments, the default email limit is less than the required delivery volume. To achieve a higher delivery volume, specify DEVELOPER to use your Amazon SES email configuration.
	//
	// To look up the email delivery limit for the default option, see [Limits in](https://docs.aws.amazon.com/cognito/latest/developerguide/limits.html) in the *Developer Guide* .
	//
	// The default FROM address is `no-reply@verificationemail.com` . To customize the FROM address, provide the Amazon Resource Name (ARN) of an Amazon SES verified email address for the `SourceArn` parameter.
	// - **DEVELOPER** - When Amazon Cognito emails your users, it uses your Amazon SES configuration. Amazon Cognito calls Amazon SES on your behalf to send email from your verified email address. When you use this option, the email delivery limits are the same limits that apply to your Amazon SES verified email address in your AWS account .
	//
	// If you use this option, provide the ARN of an Amazon SES verified email address for the `SourceArn` parameter.
	//
	// Before Amazon Cognito can email your users, it requires additional permissions to call Amazon SES on your behalf. When you update your user pool with this option, Amazon Cognito creates a *service-linked role* , which is a type of role, in your AWS account . This role contains the permissions that allow to access Amazon SES and send email messages with your address. For more information about the service-linked role that Amazon Cognito creates, see [Using Service-Linked Roles for Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/using-service-linked-roles.html) in the *Amazon Cognito Developer Guide* .
	EmailSendingAccount *string `field:"optional" json:"emailSendingAccount" yaml:"emailSendingAccount"`
	// Identifies either the sender's email address or the sender's name with their email address.
	//
	// For example, `testuser@example.com` or `Test User <testuser@example.com>` . This address appears before the body of the email.
	From *string `field:"optional" json:"from" yaml:"from"`
	// The destination to which the receiver of the email should reply.
	ReplyToEmailAddress *string `field:"optional" json:"replyToEmailAddress" yaml:"replyToEmailAddress"`
	// The ARN of a verified email address in Amazon SES.
	//
	// Amazon Cognito uses this email address in one of the following ways, depending on the value that you specify for the `EmailSendingAccount` parameter:
	//
	// - If you specify `COGNITO_DEFAULT` , Amazon Cognito uses this address as the custom FROM address when it emails your users using its built-in email account.
	// - If you specify `DEVELOPER` , Amazon Cognito emails your users with this address by calling Amazon SES on your behalf.
	//
	// The Region value of the `SourceArn` parameter must indicate a supported AWS Region of your user pool. Typically, the Region in the `SourceArn` and the user pool Region are the same. For more information, see [Amazon SES email configuration regions](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html#user-pool-email-developer-region-mapping) in the [Amazon Cognito Developer Guide](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html) .
	SourceArn *string `field:"optional" json:"sourceArn" yaml:"sourceArn"`
}

The email configuration of your user pool.

The email configuration type sets your preferred sending method, AWS Region, and sender for messages from your user pool.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

emailConfigurationProperty := &emailConfigurationProperty{
	configurationSet: jsii.String("configurationSet"),
	emailSendingAccount: jsii.String("emailSendingAccount"),
	from: jsii.String("from"),
	replyToEmailAddress: jsii.String("replyToEmailAddress"),
	sourceArn: jsii.String("sourceArn"),
}

type CfnUserPool_InviteMessageTemplateProperty 

type CfnUserPool_InviteMessageTemplateProperty struct {
	// The message template for email messages.
	//
	// EmailMessage is allowed only if [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is DEVELOPER.
	EmailMessage *string `field:"optional" json:"emailMessage" yaml:"emailMessage"`
	// The subject line for email messages.
	//
	// EmailSubject is allowed only if [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is DEVELOPER.
	EmailSubject *string `field:"optional" json:"emailSubject" yaml:"emailSubject"`
	// The message template for SMS messages.
	SmsMessage *string `field:"optional" json:"smsMessage" yaml:"smsMessage"`
}

The message template to be used for the welcome message to new users.

See also [Customizing User Invitation Messages](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization) .

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

inviteMessageTemplateProperty := &inviteMessageTemplateProperty{
	emailMessage: jsii.String("emailMessage"),
	emailSubject: jsii.String("emailSubject"),
	smsMessage: jsii.String("smsMessage"),
}

type CfnUserPool_LambdaConfigProperty 

type CfnUserPool_LambdaConfigProperty struct {
	// Creates an authentication challenge.
	CreateAuthChallenge *string `field:"optional" json:"createAuthChallenge" yaml:"createAuthChallenge"`
	// A custom email sender AWS Lambda trigger.
	CustomEmailSender interface{} `field:"optional" json:"customEmailSender" yaml:"customEmailSender"`
	// A custom Message AWS Lambda trigger.
	CustomMessage *string `field:"optional" json:"customMessage" yaml:"customMessage"`
	// A custom SMS sender AWS Lambda trigger.
	CustomSmsSender interface{} `field:"optional" json:"customSmsSender" yaml:"customSmsSender"`
	// Defines the authentication challenge.
	DefineAuthChallenge *string `field:"optional" json:"defineAuthChallenge" yaml:"defineAuthChallenge"`
	// The Amazon Resource Name of a AWS Key Management Service ( AWS KMS ) key.
	//
	// Amazon Cognito uses the key to encrypt codes and temporary passwords sent to `CustomEmailSender` and `CustomSMSSender` .
	KmsKeyId *string `field:"optional" json:"kmsKeyId" yaml:"kmsKeyId"`
	// A post-authentication AWS Lambda trigger.
	PostAuthentication *string `field:"optional" json:"postAuthentication" yaml:"postAuthentication"`
	// A post-confirmation AWS Lambda trigger.
	PostConfirmation *string `field:"optional" json:"postConfirmation" yaml:"postConfirmation"`
	// A pre-authentication AWS Lambda trigger.
	PreAuthentication *string `field:"optional" json:"preAuthentication" yaml:"preAuthentication"`
	// A pre-registration AWS Lambda trigger.
	PreSignUp *string `field:"optional" json:"preSignUp" yaml:"preSignUp"`
	// A Lambda trigger that is invoked before token generation.
	PreTokenGeneration *string `field:"optional" json:"preTokenGeneration" yaml:"preTokenGeneration"`
	// The user migration Lambda config type.
	UserMigration *string `field:"optional" json:"userMigration" yaml:"userMigration"`
	// Verifies the authentication challenge response.
	VerifyAuthChallengeResponse *string `field:"optional" json:"verifyAuthChallengeResponse" yaml:"verifyAuthChallengeResponse"`
}

Specifies the configuration for AWS Lambda triggers.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

lambdaConfigProperty := &lambdaConfigProperty{
	createAuthChallenge: jsii.String("createAuthChallenge"),
	customEmailSender: &customEmailSenderProperty{
		lambdaArn: jsii.String("lambdaArn"),
		lambdaVersion: jsii.String("lambdaVersion"),
	},
	customMessage: jsii.String("customMessage"),
	customSmsSender: &customSMSSenderProperty{
		lambdaArn: jsii.String("lambdaArn"),
		lambdaVersion: jsii.String("lambdaVersion"),
	},
	defineAuthChallenge: jsii.String("defineAuthChallenge"),
	kmsKeyId: jsii.String("kmsKeyId"),
	postAuthentication: jsii.String("postAuthentication"),
	postConfirmation: jsii.String("postConfirmation"),
	preAuthentication: jsii.String("preAuthentication"),
	preSignUp: jsii.String("preSignUp"),
	preTokenGeneration: jsii.String("preTokenGeneration"),
	userMigration: jsii.String("userMigration"),
	verifyAuthChallengeResponse: jsii.String("verifyAuthChallengeResponse"),
}

type CfnUserPool_NumberAttributeConstraintsProperty 

type CfnUserPool_NumberAttributeConstraintsProperty struct {
	// The maximum value of an attribute that is of the number data type.
	MaxValue *string `field:"optional" json:"maxValue" yaml:"maxValue"`
	// The minimum value of an attribute that is of the number data type.
	MinValue *string `field:"optional" json:"minValue" yaml:"minValue"`
}

The minimum and maximum values of an attribute that is of the number data type.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

numberAttributeConstraintsProperty := &numberAttributeConstraintsProperty{
	maxValue: jsii.String("maxValue"),
	minValue: jsii.String("minValue"),
}

type CfnUserPool_PasswordPolicyProperty 

type CfnUserPool_PasswordPolicyProperty struct {
	// The minimum length of the password in the policy that you have set.
	//
	// This value can't be less than 6.
	MinimumLength *float64 `field:"optional" json:"minimumLength" yaml:"minimumLength"`
	// In the password policy that you have set, refers to whether you have required users to use at least one lowercase letter in their password.
	RequireLowercase interface{} `field:"optional" json:"requireLowercase" yaml:"requireLowercase"`
	// In the password policy that you have set, refers to whether you have required users to use at least one number in their password.
	RequireNumbers interface{} `field:"optional" json:"requireNumbers" yaml:"requireNumbers"`
	// In the password policy that you have set, refers to whether you have required users to use at least one symbol in their password.
	RequireSymbols interface{} `field:"optional" json:"requireSymbols" yaml:"requireSymbols"`
	// In the password policy that you have set, refers to whether you have required users to use at least one uppercase letter in their password.
	RequireUppercase interface{} `field:"optional" json:"requireUppercase" yaml:"requireUppercase"`
	// The number of days a temporary password is valid in the password policy.
	//
	// If the user doesn't sign in during this time, an administrator must reset their password.
	//
	// > When you set `TemporaryPasswordValidityDays` for a user pool, you can no longer set a value for the legacy `UnusedAccountValidityDays` parameter in that user pool.
	TemporaryPasswordValidityDays *float64 `field:"optional" json:"temporaryPasswordValidityDays" yaml:"temporaryPasswordValidityDays"`
}

The password policy type.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

passwordPolicyProperty := &passwordPolicyProperty{
	minimumLength: jsii.Number(123),
	requireLowercase: jsii.Boolean(false),
	requireNumbers: jsii.Boolean(false),
	requireSymbols: jsii.Boolean(false),
	requireUppercase: jsii.Boolean(false),
	temporaryPasswordValidityDays: jsii.Number(123),
}

type CfnUserPool_PoliciesProperty 

type CfnUserPool_PoliciesProperty struct {
	// The password policy.
	PasswordPolicy interface{} `field:"optional" json:"passwordPolicy" yaml:"passwordPolicy"`
}

The policy associated with a user pool.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

policiesProperty := &policiesProperty{
	passwordPolicy: &passwordPolicyProperty{
		minimumLength: jsii.Number(123),
		requireLowercase: jsii.Boolean(false),
		requireNumbers: jsii.Boolean(false),
		requireSymbols: jsii.Boolean(false),
		requireUppercase: jsii.Boolean(false),
		temporaryPasswordValidityDays: jsii.Number(123),
	},
}

type CfnUserPool_RecoveryOptionProperty 

type CfnUserPool_RecoveryOptionProperty struct {
	// Specifies the recovery method for a user.
	Name *string `field:"optional" json:"name" yaml:"name"`
	// A positive integer specifying priority of a method with 1 being the highest priority.
	Priority *float64 `field:"optional" json:"priority" yaml:"priority"`
}

A map containing a priority as a key, and recovery method name as a value.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

recoveryOptionProperty := &recoveryOptionProperty{
	name: jsii.String("name"),
	priority: jsii.Number(123),
}

type CfnUserPool_SchemaAttributeProperty 

type CfnUserPool_SchemaAttributeProperty struct {
	// The attribute data type.
	AttributeDataType *string `field:"optional" json:"attributeDataType" yaml:"attributeDataType"`
	// > We recommend that you use [WriteAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UserPoolClientType.html#CognitoUserPools-Type-UserPoolClientType-WriteAttributes) in the user pool client to control how attributes can be mutated for new use cases instead of using `DeveloperOnlyAttribute` .
	//
	// Specifies whether the attribute type is developer only. This attribute can only be modified by an administrator. Users will not be able to modify this attribute using their access token.
	DeveloperOnlyAttribute interface{} `field:"optional" json:"developerOnlyAttribute" yaml:"developerOnlyAttribute"`
	// Specifies whether the value of the attribute can be changed.
	//
	// For any user pool attribute that is mapped to an IdP attribute, you must set this parameter to `true` . Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute. For more information, see [Specifying Identity Provider Attribute Mappings for Your User Pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) .
	Mutable interface{} `field:"optional" json:"mutable" yaml:"mutable"`
	// A schema attribute of the name type.
	Name *string `field:"optional" json:"name" yaml:"name"`
	// Specifies the constraints for an attribute of the number type.
	NumberAttributeConstraints interface{} `field:"optional" json:"numberAttributeConstraints" yaml:"numberAttributeConstraints"`
	// Specifies whether a user pool attribute is required.
	//
	// If the attribute is required and the user doesn't provide a value, registration or sign-in will fail.
	Required interface{} `field:"optional" json:"required" yaml:"required"`
	// Specifies the constraints for an attribute of the string type.
	StringAttributeConstraints interface{} `field:"optional" json:"stringAttributeConstraints" yaml:"stringAttributeConstraints"`
}

Contains information about the schema attribute.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

schemaAttributeProperty := &schemaAttributeProperty{
	attributeDataType: jsii.String("attributeDataType"),
	developerOnlyAttribute: jsii.Boolean(false),
	mutable: jsii.Boolean(false),
	name: jsii.String("name"),
	numberAttributeConstraints: &numberAttributeConstraintsProperty{
		maxValue: jsii.String("maxValue"),
		minValue: jsii.String("minValue"),
	},
	required: jsii.Boolean(false),
	stringAttributeConstraints: &stringAttributeConstraintsProperty{
		maxLength: jsii.String("maxLength"),
		minLength: jsii.String("minLength"),
	},
}

type CfnUserPool_SmsConfigurationProperty 

type CfnUserPool_SmsConfigurationProperty struct {
	// The external ID is a value.
	//
	// We recommend you use `ExternalId` to add security to your IAM role, which is used to call Amazon SNS to send SMS messages for your user pool. If you provide an `ExternalId` , the Cognito User Pool uses it when attempting to assume your IAM role. You can also set your roles trust policy to require the `ExternalID` . If you use the Cognito Management Console to create a role for SMS MFA, Cognito creates a role with the required permissions and a trust policy that uses `ExternalId` .
	ExternalId *string `field:"optional" json:"externalId" yaml:"externalId"`
	// The Amazon Resource Name (ARN) of the Amazon SNS caller.
	//
	// This is the ARN of the IAM role in your AWS account that Amazon Cognito will use to send SMS messages. SMS messages are subject to a [spending limit](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html) .
	SnsCallerArn *string `field:"optional" json:"snsCallerArn" yaml:"snsCallerArn"`
	// The AWS Region to use with Amazon SNS integration.
	//
	// You can choose the same Region as your user pool, or a supported *Legacy Amazon SNS alternate Region* .
	//
	// Amazon Cognito resources in the Asia Pacific (Seoul) AWS Region must use your Amazon SNS configuration in the Asia Pacific (Tokyo) Region. For more information, see [SMS message settings for Amazon Cognito user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html) .
	SnsRegion *string `field:"optional" json:"snsRegion" yaml:"snsRegion"`
}

The SMS configuration type that includes the settings the Cognito User Pool needs to call for the Amazon SNS service to send an SMS message from your AWS account .

The Cognito User Pool makes the request to the Amazon SNS Service by using an IAM role that you provide for your AWS account .

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

smsConfigurationProperty := &smsConfigurationProperty{
	externalId: jsii.String("externalId"),
	snsCallerArn: jsii.String("snsCallerArn"),
	snsRegion: jsii.String("snsRegion"),
}

type CfnUserPool_StringAttributeConstraintsProperty 

type CfnUserPool_StringAttributeConstraintsProperty struct {
	// The maximum length.
	MaxLength *string `field:"optional" json:"maxLength" yaml:"maxLength"`
	// The minimum length.
	MinLength *string `field:"optional" json:"minLength" yaml:"minLength"`
}

The `StringAttributeConstraints` property type defines the string attribute constraints of an Amazon Cognito user pool.

`StringAttributeConstraints` is a subproperty of the [SchemaAttribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html) property type.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

stringAttributeConstraintsProperty := &stringAttributeConstraintsProperty{
	maxLength: jsii.String("maxLength"),
	minLength: jsii.String("minLength"),
}

type CfnUserPool_UserAttributeUpdateSettingsProperty added in v2.27.0 

type CfnUserPool_UserAttributeUpdateSettingsProperty struct {
	// Requires that your user verifies their email address, phone number, or both before Amazon Cognito updates the value of that attribute.
	//
	// When you update a user attribute that has this option activated, Amazon Cognito sends a verification message to the new phone number or email address. Amazon Cognito doesn’t change the value of the attribute until your user responds to the verification message and confirms the new value.
	//
	// You can verify an updated email address or phone number with a [VerifyUserAttribute](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerifyUserAttribute.html) API request. You can also call the [UpdateUserAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html) or [AdminUpdateUserAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html) API and set `email_verified` or `phone_number_verified` to true.
	//
	// When `AttributesRequireVerificationBeforeUpdate` is false, your user pool doesn't require that your users verify attribute changes before Amazon Cognito updates them. In a user pool where `AttributesRequireVerificationBeforeUpdate` is false, API operations that change attribute values can immediately update a user’s `email` or `phone_number` attribute.
	AttributesRequireVerificationBeforeUpdate *[]*string `field:"required" json:"attributesRequireVerificationBeforeUpdate" yaml:"attributesRequireVerificationBeforeUpdate"`
}

The settings for updates to user attributes.

These settings include the property `AttributesRequireVerificationBeforeUpdate` , a user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For more information, see [Verifying updates to to email addresses and phone numbers](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates) .

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

userAttributeUpdateSettingsProperty := &userAttributeUpdateSettingsProperty{
	attributesRequireVerificationBeforeUpdate: []*string{
		jsii.String("attributesRequireVerificationBeforeUpdate"),
	},
}

type CfnUserPool_UserPoolAddOnsProperty 

type CfnUserPool_UserPoolAddOnsProperty struct {
	// The advanced security mode.
	AdvancedSecurityMode *string `field:"optional" json:"advancedSecurityMode" yaml:"advancedSecurityMode"`
}

The user pool add-ons type.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

userPoolAddOnsProperty := &userPoolAddOnsProperty{
	advancedSecurityMode: jsii.String("advancedSecurityMode"),
}

type CfnUserPool_UsernameConfigurationProperty 

type CfnUserPool_UsernameConfigurationProperty struct {
	// Specifies whether user name case sensitivity will be applied for all users in the user pool through Amazon Cognito APIs.
	//
	// Valid values include:
	//
	// - **True** - Enables case sensitivity for all username input. When this option is set to `True` , users must sign in using the exact capitalization of their given username, such as “UserName”. This is the default value.
	// - **False** - Enables case insensitivity for all username input. For example, when this option is set to `False` , users can sign in using either "username" or "Username". This option also enables both `preferred_username` and `email` alias to be case insensitive, in addition to the `username` attribute.
	CaseSensitive interface{} `field:"optional" json:"caseSensitive" yaml:"caseSensitive"`
}

The `UsernameConfiguration` property type specifies case sensitivity on the username input for the selected sign-in option.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

usernameConfigurationProperty := &usernameConfigurationProperty{
	caseSensitive: jsii.Boolean(false),
}

type CfnUserPool_VerificationMessageTemplateProperty 

type CfnUserPool_VerificationMessageTemplateProperty struct {
	// The default email option.
	DefaultEmailOption *string `field:"optional" json:"defaultEmailOption" yaml:"defaultEmailOption"`
	// The template for email messages that Amazon Cognito sends to your users.
	//
	// You can set an `EmailMessage` template only if the value of [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` . When your [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` , your user pool sends email messages with your own Amazon SES configuration.
	EmailMessage *string `field:"optional" json:"emailMessage" yaml:"emailMessage"`
	// The email message template for sending a confirmation link to the user.
	//
	// You can set an `EmailMessageByLink` template only if the value of [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` . When your [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` , your user pool sends email messages with your own Amazon SES configuration.
	EmailMessageByLink *string `field:"optional" json:"emailMessageByLink" yaml:"emailMessageByLink"`
	// The subject line for the email message template.
	//
	// You can set an `EmailSubject` template only if the value of [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` . When your [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` , your user pool sends email messages with your own Amazon SES configuration.
	EmailSubject *string `field:"optional" json:"emailSubject" yaml:"emailSubject"`
	// The subject line for the email message template for sending a confirmation link to the user.
	//
	// You can set an `EmailSubjectByLink` template only if the value of [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` . When your [EmailSendingAccount](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount) is `DEVELOPER` , your user pool sends email messages with your own Amazon SES configuration.
	EmailSubjectByLink *string `field:"optional" json:"emailSubjectByLink" yaml:"emailSubjectByLink"`
	// The template for SMS messages that Amazon Cognito sends to your users.
	SmsMessage *string `field:"optional" json:"smsMessage" yaml:"smsMessage"`
}

The template for verification messages.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

verificationMessageTemplateProperty := &verificationMessageTemplateProperty{
	defaultEmailOption: jsii.String("defaultEmailOption"),
	emailMessage: jsii.String("emailMessage"),
	emailMessageByLink: jsii.String("emailMessageByLink"),
	emailSubject: jsii.String("emailSubject"),
	emailSubjectByLink: jsii.String("emailSubjectByLink"),
	smsMessage: jsii.String("smsMessage"),
}

type ClientAttributes 

type ClientAttributes interface {
	// The list of attributes represented by this ClientAttributes.
	Attributes() *[]*string
	// Creates a custom ClientAttributes with the specified attributes.
	WithCustomAttributes(attributes ...*string) ClientAttributes
	// Creates a custom ClientAttributes with the specified attributes.
	WithStandardAttributes(attributes *StandardAttributesMask) ClientAttributes
}

A set of attributes, useful to set Read and Write attributes.

Example: 

pool := cognito.NewUserPool(this, jsii.String("Pool"))

clientWriteAttributes := (cognito.NewClientAttributes()).withStandardAttributes(&standardAttributesMask{
	fullname: jsii.Boolean(true),
	email: jsii.Boolean(true),
}).withCustomAttributes(jsii.String("favouritePizza"), jsii.String("favouriteBeverage"))

clientReadAttributes := clientWriteAttributes.withStandardAttributes(&standardAttributesMask{
	emailVerified: jsii.Boolean(true),
}).withCustomAttributes(jsii.String("pointsEarned"))

pool.addClient(jsii.String("app-client"), &userPoolClientOptions{
	// ...
	readAttributes: clientReadAttributes,
	writeAttributes: clientWriteAttributes,
})

func NewClientAttributes 

func NewClientAttributes() ClientAttributes

Creates a ClientAttributes with the specified attributes.

type CognitoDomainOptions 

type CognitoDomainOptions struct {
	// The prefix to the Cognito hosted domain name that will be associated with the user pool.
	DomainPrefix *string `field:"required" json:"domainPrefix" yaml:"domainPrefix"`
}

Options while specifying a cognito prefix domain.

Example: 

pool := cognito.NewUserPool(this, jsii.String("Pool"))

pool.addDomain(jsii.String("CognitoDomain"), &userPoolDomainOptions{
	cognitoDomain: &cognitoDomainOptions{
		domainPrefix: jsii.String("my-awesome-app"),
	},
})

certificateArn := "arn:aws:acm:us-east-1:123456789012:certificate/11-3336f1-44483d-adc7-9cd375c5169d"

domainCert := certificatemanager.certificate.fromCertificateArn(this, jsii.String("domainCert"), certificateArn)
pool.addDomain(jsii.String("CustomDomain"), &userPoolDomainOptions{
	customDomain: &customDomainOptions{
		domainName: jsii.String("user.myapp.com"),
		certificate: domainCert,
	},
})

See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain-prefix.html

type CustomAttributeConfig 

type CustomAttributeConfig struct {
	// The data type of the custom attribute.
	// See: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SchemaAttributeType.html#CognitoUserPools-Type-SchemaAttributeType-AttributeDataType
	//
	DataType *string `field:"required" json:"dataType" yaml:"dataType"`
	// Specifies whether the value of the attribute can be changed.
	//
	// For any user pool attribute that's mapped to an identity provider attribute, you must set this parameter to true.
	// Amazon Cognito updates mapped attributes when users sign in to your application through an identity provider.
	// If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute.
	Mutable *bool `field:"optional" json:"mutable" yaml:"mutable"`
	// The constraints for a custom attribute of the 'Number' data type.
	NumberConstraints *NumberAttributeConstraints `field:"optional" json:"numberConstraints" yaml:"numberConstraints"`
	// The constraints for a custom attribute of 'String' data type.
	StringConstraints *StringAttributeConstraints `field:"optional" json:"stringConstraints" yaml:"stringConstraints"`
}

Configuration that will be fed into CloudFormation for any custom attribute type.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

customAttributeConfig := &customAttributeConfig{
	dataType: jsii.String("dataType"),

	// the properties below are optional
	mutable: jsii.Boolean(false),
	numberConstraints: &numberAttributeConstraints{
		max: jsii.Number(123),
		min: jsii.Number(123),
	},
	stringConstraints: &stringAttributeConstraints{
		maxLen: jsii.Number(123),
		minLen: jsii.Number(123),
	},
}

type CustomAttributeProps 

type CustomAttributeProps struct {
	// Specifies whether the value of the attribute can be changed.
	//
	// For any user pool attribute that's mapped to an identity provider attribute, you must set this parameter to true.
	// Amazon Cognito updates mapped attributes when users sign in to your application through an identity provider.
	// If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute.
	Mutable *bool `field:"optional" json:"mutable" yaml:"mutable"`
}

Constraints that can be applied to a custom attribute of any type.

Example: 

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	standardAttributes: &standardAttributes{
		fullname: &standardAttribute{
			required: jsii.Boolean(true),
			mutable: jsii.Boolean(false),
		},
		address: &standardAttribute{
			required: jsii.Boolean(false),
			mutable: jsii.Boolean(true),
		},
	},
	customAttributes: map[string]iCustomAttribute{
		"myappid": cognito.NewStringAttribute(&StringAttributeProps{
			"minLen": jsii.Number(5),
			"maxLen": jsii.Number(15),
			"mutable": jsii.Boolean(false),
		}),
		"callingcode": cognito.NewNumberAttribute(&NumberAttributeProps{
			"min": jsii.Number(1),
			"max": jsii.Number(3),
			"mutable": jsii.Boolean(true),
		}),
		"isEmployee": cognito.NewBooleanAttribute(&CustomAttributeProps{
			"mutable": jsii.Boolean(true),
		}),
		"joinedOn": cognito.NewDateTimeAttribute(),
	},
})

type CustomDomainOptions 

type CustomDomainOptions struct {
	// The certificate to associate with this domain.
	Certificate awscertificatemanager.ICertificate `field:"required" json:"certificate" yaml:"certificate"`
	// The custom domain name that you would like to associate with this User Pool.
	DomainName *string `field:"required" json:"domainName" yaml:"domainName"`
}

Options while specifying custom domain.

Example: 

pool := cognito.NewUserPool(this, jsii.String("Pool"))

pool.addDomain(jsii.String("CognitoDomain"), &userPoolDomainOptions{
	cognitoDomain: &cognitoDomainOptions{
		domainPrefix: jsii.String("my-awesome-app"),
	},
})

certificateArn := "arn:aws:acm:us-east-1:123456789012:certificate/11-3336f1-44483d-adc7-9cd375c5169d"

domainCert := certificatemanager.certificate.fromCertificateArn(this, jsii.String("domainCert"), certificateArn)
pool.addDomain(jsii.String("CustomDomain"), &userPoolDomainOptions{
	customDomain: &customDomainOptions{
		domainName: jsii.String("user.myapp.com"),
		certificate: domainCert,
	},
})

See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html

type DateTimeAttribute 

type DateTimeAttribute interface {
	ICustomAttribute
	// Bind this custom attribute type to the values as expected by CloudFormation.
	Bind() *CustomAttributeConfig
}

The DateTime custom attribute type.

Example: 

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	standardAttributes: &standardAttributes{
		fullname: &standardAttribute{
			required: jsii.Boolean(true),
			mutable: jsii.Boolean(false),
		},
		address: &standardAttribute{
			required: jsii.Boolean(false),
			mutable: jsii.Boolean(true),
		},
	},
	customAttributes: map[string]iCustomAttribute{
		"myappid": cognito.NewStringAttribute(&StringAttributeProps{
			"minLen": jsii.Number(5),
			"maxLen": jsii.Number(15),
			"mutable": jsii.Boolean(false),
		}),
		"callingcode": cognito.NewNumberAttribute(&NumberAttributeProps{
			"min": jsii.Number(1),
			"max": jsii.Number(3),
			"mutable": jsii.Boolean(true),
		}),
		"isEmployee": cognito.NewBooleanAttribute(&CustomAttributeProps{
			"mutable": jsii.Boolean(true),
		}),
		"joinedOn": cognito.NewDateTimeAttribute(),
	},
})

func NewDateTimeAttribute 

func NewDateTimeAttribute(props *CustomAttributeProps) DateTimeAttribute

type DeviceTracking 

type DeviceTracking struct {
	// Indicates whether a challenge is required on a new device.
	//
	// Only applicable to a new device.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
	//
	ChallengeRequiredOnNewDevice *bool `field:"required" json:"challengeRequiredOnNewDevice" yaml:"challengeRequiredOnNewDevice"`
	// If true, a device is only remembered on user prompt.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
	//
	DeviceOnlyRememberedOnUserPrompt *bool `field:"required" json:"deviceOnlyRememberedOnUserPrompt" yaml:"deviceOnlyRememberedOnUserPrompt"`
}

Device tracking settings.

Example: 

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	deviceTracking: &deviceTracking{
		challengeRequiredOnNewDevice: jsii.Boolean(true),
		deviceOnlyRememberedOnUserPrompt: jsii.Boolean(true),
	},
})

See: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html

type EmailSettings 

type EmailSettings struct {
	// The 'from' address on the emails received by the user.
	From *string `field:"optional" json:"from" yaml:"from"`
	// The 'replyTo' address on the emails received by the user as defined by IETF RFC-5322.
	//
	// When set, most email clients recognize to change 'to' line to this address when a reply is drafted.
	ReplyTo *string `field:"optional" json:"replyTo" yaml:"replyTo"`
}

Email settings for the user pool.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

emailSettings := &emailSettings{
	from: jsii.String("from"),
	replyTo: jsii.String("replyTo"),
}

type ICustomAttribute 

type ICustomAttribute interface {
	// Bind this custom attribute type to the values as expected by CloudFormation.
	Bind() *CustomAttributeConfig
}

Represents a custom attribute type.

type IUserPool 

type IUserPool interface {
	awscdk.IResource
	// Add a new app client to this user pool.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html
	//
	AddClient(id *string, options *UserPoolClientOptions) UserPoolClient
	// Associate a domain to this user pool.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain.html
	//
	AddDomain(id *string, options *UserPoolDomainOptions) UserPoolDomain
	// Add a new resource server to this user pool.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-resource-servers.html
	//
	AddResourceServer(id *string, options *UserPoolResourceServerOptions) UserPoolResourceServer
	// Register an identity provider with this user pool.
	RegisterIdentityProvider(provider IUserPoolIdentityProvider)
	// Get all identity providers registered with this user pool.
	IdentityProviders() *[]IUserPoolIdentityProvider
	// The ARN of this user pool resource.
	UserPoolArn() *string
	// The physical ID of this user pool resource.
	UserPoolId() *string
}

Represents a Cognito UserPool.

func UserPool_FromUserPoolArn 

func UserPool_FromUserPoolArn(scope constructs.Construct, id *string, userPoolArn *string) IUserPool

Import an existing user pool based on its ARN.

func UserPool_FromUserPoolId 

func UserPool_FromUserPoolId(scope constructs.Construct, id *string, userPoolId *string) IUserPool

Import an existing user pool based on its id.

type IUserPoolClient 

type IUserPoolClient interface {
	awscdk.IResource
	// Name of the application client.
	UserPoolClientId() *string
}

Represents a Cognito user pool client.

func UserPoolClient_FromUserPoolClientId 

func UserPoolClient_FromUserPoolClientId(scope constructs.Construct, id *string, userPoolClientId *string) IUserPoolClient

Import a user pool client given its id.

type IUserPoolDomain 

type IUserPoolDomain interface {
	awscdk.IResource
	// The domain that was specified to be created.
	//
	// If `customDomain` was selected, this holds the full domain name that was specified.
	// If the `cognitoDomain` was used, it contains the prefix to the Cognito hosted domain.
	DomainName() *string
}

Represents a user pool domain.

func UserPoolDomain_FromDomainName 

func UserPoolDomain_FromDomainName(scope constructs.Construct, id *string, userPoolDomainName *string) IUserPoolDomain

Import a UserPoolDomain given its domain name.

type IUserPoolIdentityProvider 

type IUserPoolIdentityProvider interface {
	awscdk.IResource
	// The primary identifier of this identity provider.
	ProviderName() *string
}

Represents a UserPoolIdentityProvider.

func UserPoolIdentityProvider_FromProviderName 

func UserPoolIdentityProvider_FromProviderName(scope constructs.Construct, id *string, providerName *string) IUserPoolIdentityProvider

Import an existing UserPoolIdentityProvider.

type IUserPoolResourceServer 

type IUserPoolResourceServer interface {
	awscdk.IResource
	// Resource server id.
	UserPoolResourceServerId() *string
}

Represents a Cognito user pool resource server.

func UserPoolResourceServer_FromUserPoolResourceServerId 

func UserPoolResourceServer_FromUserPoolResourceServerId(scope constructs.Construct, id *string, userPoolResourceServerId *string) IUserPoolResourceServer

Import a user pool resource client given its id.

type Mfa 

type Mfa string

The different ways in which a user pool's MFA enforcement can be configured.

Example: 

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	mfa: cognito.mfa_REQUIRED,
	mfaSecondFactor: &mfaSecondFactor{
		sms: jsii.Boolean(true),
		otp: jsii.Boolean(true),
	},
})

See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html 

const (
	// Users are not required to use MFA for sign in, and cannot configure one.
	Mfa_OFF Mfa = "OFF"
	// Users are not required to use MFA for sign in, but can configure one if they so choose to.
	Mfa_OPTIONAL Mfa = "OPTIONAL"
	// Users are required to configure an MFA, and have to use it to sign in.
	Mfa_REQUIRED Mfa = "REQUIRED"
)

type MfaSecondFactor 

type MfaSecondFactor struct {
	// The MFA token is a time-based one time password that is generated by a hardware or software token.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-totp.html
	//
	Otp *bool `field:"required" json:"otp" yaml:"otp"`
	// The MFA token is sent to the user via SMS to their verified phone numbers.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-sms-text-message.html
	//
	Sms *bool `field:"required" json:"sms" yaml:"sms"`
}

The different ways in which a user pool can obtain their MFA token for sign in.

Example: 

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	mfa: cognito.mfa_REQUIRED,
	mfaSecondFactor: &mfaSecondFactor{
		sms: jsii.Boolean(true),
		otp: jsii.Boolean(true),
	},
})

See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html

type NumberAttribute 

type NumberAttribute interface {
	ICustomAttribute
	// Bind this custom attribute type to the values as expected by CloudFormation.
	Bind() *CustomAttributeConfig
}

The Number custom attribute type.

Example: 

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	standardAttributes: &standardAttributes{
		fullname: &standardAttribute{
			required: jsii.Boolean(true),
			mutable: jsii.Boolean(false),
		},
		address: &standardAttribute{
			required: jsii.Boolean(false),
			mutable: jsii.Boolean(true),
		},
	},
	customAttributes: map[string]iCustomAttribute{
		"myappid": cognito.NewStringAttribute(&StringAttributeProps{
			"minLen": jsii.Number(5),
			"maxLen": jsii.Number(15),
			"mutable": jsii.Boolean(false),
		}),
		"callingcode": cognito.NewNumberAttribute(&NumberAttributeProps{
			"min": jsii.Number(1),
			"max": jsii.Number(3),
			"mutable": jsii.Boolean(true),
		}),
		"isEmployee": cognito.NewBooleanAttribute(&CustomAttributeProps{
			"mutable": jsii.Boolean(true),
		}),
		"joinedOn": cognito.NewDateTimeAttribute(),
	},
})

func NewNumberAttribute 

func NewNumberAttribute(props *NumberAttributeProps) NumberAttribute

type NumberAttributeConstraints 

type NumberAttributeConstraints struct {
	// Maximum value of this attribute.
	Max *float64 `field:"optional" json:"max" yaml:"max"`
	// Minimum value of this attribute.
	Min *float64 `field:"optional" json:"min" yaml:"min"`
}

Constraints that can be applied to a custom attribute of number type.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

numberAttributeConstraints := &numberAttributeConstraints{
	max: jsii.Number(123),
	min: jsii.Number(123),
}

type NumberAttributeProps 

type NumberAttributeProps struct {
	// Maximum value of this attribute.
	Max *float64 `field:"optional" json:"max" yaml:"max"`
	// Minimum value of this attribute.
	Min *float64 `field:"optional" json:"min" yaml:"min"`
	// Specifies whether the value of the attribute can be changed.
	//
	// For any user pool attribute that's mapped to an identity provider attribute, you must set this parameter to true.
	// Amazon Cognito updates mapped attributes when users sign in to your application through an identity provider.
	// If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute.
	Mutable *bool `field:"optional" json:"mutable" yaml:"mutable"`
}

Props for NumberAttr.

Example: 

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	standardAttributes: &standardAttributes{
		fullname: &standardAttribute{
			required: jsii.Boolean(true),
			mutable: jsii.Boolean(false),
		},
		address: &standardAttribute{
			required: jsii.Boolean(false),
			mutable: jsii.Boolean(true),
		},
	},
	customAttributes: map[string]iCustomAttribute{
		"myappid": cognito.NewStringAttribute(&StringAttributeProps{
			"minLen": jsii.Number(5),
			"maxLen": jsii.Number(15),
			"mutable": jsii.Boolean(false),
		}),
		"callingcode": cognito.NewNumberAttribute(&NumberAttributeProps{
			"min": jsii.Number(1),
			"max": jsii.Number(3),
			"mutable": jsii.Boolean(true),
		}),
		"isEmployee": cognito.NewBooleanAttribute(&CustomAttributeProps{
			"mutable": jsii.Boolean(true),
		}),
		"joinedOn": cognito.NewDateTimeAttribute(),
	},
})

type OAuthFlows 

type OAuthFlows struct {
	// Initiate an authorization code grant flow, which provides an authorization code as the response.
	AuthorizationCodeGrant *bool `field:"optional" json:"authorizationCodeGrant" yaml:"authorizationCodeGrant"`
	// Client should get the access token and ID token from the token endpoint using a combination of client and client_secret.
	ClientCredentials *bool `field:"optional" json:"clientCredentials" yaml:"clientCredentials"`
	// The client should get the access token and ID token directly.
	ImplicitCodeGrant *bool `field:"optional" json:"implicitCodeGrant" yaml:"implicitCodeGrant"`
}

Types of OAuth grant flows.

Example: 

userpool := cognito.NewUserPool(this, jsii.String("UserPool"), &userPoolProps{
})
client := userpool.addClient(jsii.String("Client"), &userPoolClientOptions{
	// ...
	oAuth: &oAuthSettings{
		flows: &oAuthFlows{
			implicitCodeGrant: jsii.Boolean(true),
		},
		callbackUrls: []*string{
			jsii.String("https://myapp.com/home"),
			jsii.String("https://myapp.com/users"),
		},
	},
})
domain := userpool.addDomain(jsii.String("Domain"), &userPoolDomainOptions{
})
signInUrl := domain.signInUrl(client, &signInUrlOptions{
	redirectUri: jsii.String("https://myapp.com/home"),
})

See: - the 'Allowed OAuth Flows' section at https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html

type OAuthScope 

type OAuthScope interface {
	// The name of this scope as recognized by CloudFormation.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-allowedoauthscopes
	//
	ScopeName() *string
}

OAuth scopes that are allowed with this client.

Example: 

pool := cognito.NewUserPool(this, jsii.String("Pool"))

readOnlyScope := cognito.NewResourceServerScope(&resourceServerScopeProps{
	scopeName: jsii.String("read"),
	scopeDescription: jsii.String("Read-only access"),
})
fullAccessScope := cognito.NewResourceServerScope(&resourceServerScopeProps{
	scopeName: jsii.String("*"),
	scopeDescription: jsii.String("Full access"),
})

userServer := pool.addResourceServer(jsii.String("ResourceServer"), &userPoolResourceServerOptions{
	identifier: jsii.String("users"),
	scopes: []resourceServerScope{
		readOnlyScope,
		fullAccessScope,
	},
})

readOnlyClient := pool.addClient(jsii.String("read-only-client"), &userPoolClientOptions{
	// ...
	oAuth: &oAuthSettings{
		// ...
		scopes: []oAuthScope{
			cognito.*oAuthScope.resourceServer(userServer, readOnlyScope),
		},
	},
})

fullAccessClient := pool.addClient(jsii.String("full-access-client"), &userPoolClientOptions{
	// ...
	oAuth: &oAuthSettings{
		// ...
		scopes: []*oAuthScope{
			cognito.*oAuthScope.resourceServer(userServer, fullAccessScope),
		},
	},
})

See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html

func OAuthScope_COGNITO_ADMIN 

func OAuthScope_COGNITO_ADMIN() OAuthScope

func OAuthScope_Custom 

func OAuthScope_Custom(name *string) OAuthScope

Custom scope is one that you define for your own resource server in the Resource Servers.

The format is 'resource-server-identifier/scope'. See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html

func OAuthScope_EMAIL 

func OAuthScope_EMAIL() OAuthScope

func OAuthScope_OPENID 

func OAuthScope_OPENID() OAuthScope

func OAuthScope_PHONE 

func OAuthScope_PHONE() OAuthScope

func OAuthScope_PROFILE 

func OAuthScope_PROFILE() OAuthScope

func OAuthScope_ResourceServer 

func OAuthScope_ResourceServer(server IUserPoolResourceServer, scope ResourceServerScope) OAuthScope

Adds a custom scope that's tied to a resource server in your stack.

type OAuthSettings 

type OAuthSettings struct {
	// List of allowed redirect URLs for the identity providers.
	CallbackUrls *[]*string `field:"optional" json:"callbackUrls" yaml:"callbackUrls"`
	// OAuth flows that are allowed with this client.
	// See: - the 'Allowed OAuth Flows' section at https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html
	//
	Flows *OAuthFlows `field:"optional" json:"flows" yaml:"flows"`
	// List of allowed logout URLs for the identity providers.
	LogoutUrls *[]*string `field:"optional" json:"logoutUrls" yaml:"logoutUrls"`
	// OAuth scopes that are allowed with this client.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html
	//
	Scopes *[]OAuthScope `field:"optional" json:"scopes" yaml:"scopes"`
}

OAuth settings to configure the interaction between the app and this client.

Example: 

pool := cognito.NewUserPool(this, jsii.String("Pool"))

readOnlyScope := cognito.NewResourceServerScope(&resourceServerScopeProps{
	scopeName: jsii.String("read"),
	scopeDescription: jsii.String("Read-only access"),
})
fullAccessScope := cognito.NewResourceServerScope(&resourceServerScopeProps{
	scopeName: jsii.String("*"),
	scopeDescription: jsii.String("Full access"),
})

userServer := pool.addResourceServer(jsii.String("ResourceServer"), &userPoolResourceServerOptions{
	identifier: jsii.String("users"),
	scopes: []resourceServerScope{
		readOnlyScope,
		fullAccessScope,
	},
})

readOnlyClient := pool.addClient(jsii.String("read-only-client"), &userPoolClientOptions{
	// ...
	oAuth: &oAuthSettings{
		// ...
		scopes: []oAuthScope{
			cognito.*oAuthScope.resourceServer(userServer, readOnlyScope),
		},
	},
})

fullAccessClient := pool.addClient(jsii.String("full-access-client"), &userPoolClientOptions{
	// ...
	oAuth: &oAuthSettings{
		// ...
		scopes: []*oAuthScope{
			cognito.*oAuthScope.resourceServer(userServer, fullAccessScope),
		},
	},
})

type OidcAttributeRequestMethod added in v2.27.0 

type OidcAttributeRequestMethod string

The method to use to request attributes. 

const (
	// GET.
	OidcAttributeRequestMethod_GET OidcAttributeRequestMethod = "GET"
	// POST.
	OidcAttributeRequestMethod_POST OidcAttributeRequestMethod = "POST"
)

type OidcEndpoints added in v2.27.0 

type OidcEndpoints struct {
	// Authorization endpoint.
	Authorization *string `field:"required" json:"authorization" yaml:"authorization"`
	// Jwks_uri endpoint.
	JwksUri *string `field:"required" json:"jwksUri" yaml:"jwksUri"`
	// Token endpoint.
	Token *string `field:"required" json:"token" yaml:"token"`
	// UserInfo endpoint.
	UserInfo *string `field:"required" json:"userInfo" yaml:"userInfo"`
}

OpenID Connect endpoints.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

oidcEndpoints := &oidcEndpoints{
	authorization: jsii.String("authorization"),
	jwksUri: jsii.String("jwksUri"),
	token: jsii.String("token"),
	userInfo: jsii.String("userInfo"),
}

type PasswordPolicy 

type PasswordPolicy struct {
	// Minimum length required for a user's password.
	MinLength *float64 `field:"optional" json:"minLength" yaml:"minLength"`
	// Whether the user is required to have digits in their password.
	RequireDigits *bool `field:"optional" json:"requireDigits" yaml:"requireDigits"`
	// Whether the user is required to have lowercase characters in their password.
	RequireLowercase *bool `field:"optional" json:"requireLowercase" yaml:"requireLowercase"`
	// Whether the user is required to have symbols in their password.
	RequireSymbols *bool `field:"optional" json:"requireSymbols" yaml:"requireSymbols"`
	// Whether the user is required to have uppercase characters in their password.
	RequireUppercase *bool `field:"optional" json:"requireUppercase" yaml:"requireUppercase"`
	// The length of time the temporary password generated by an admin is valid.
	//
	// This must be provided as whole days, like Duration.days(3) or Duration.hours(48).
	// Fractional days, such as Duration.hours(20), will generate an error.
	TempPasswordValidity awscdk.Duration `field:"optional" json:"tempPasswordValidity" yaml:"tempPasswordValidity"`
}

Password policy for User Pools.

Example: 

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	passwordPolicy: &passwordPolicy{
		minLength: jsii.Number(12),
		requireLowercase: jsii.Boolean(true),
		requireUppercase: jsii.Boolean(true),
		requireDigits: jsii.Boolean(true),
		requireSymbols: jsii.Boolean(true),
		tempPasswordValidity: awscdk.Duration.days(jsii.Number(3)),
	},
})

type ProviderAttribute 

type ProviderAttribute interface {
	// The attribute value string as recognized by the provider.
	AttributeName() *string
}

An attribute available from a third party identity provider.

Example: 

userpool := cognito.NewUserPool(this, jsii.String("Pool"))

cognito.NewUserPoolIdentityProviderAmazon(this, jsii.String("Amazon"), &userPoolIdentityProviderAmazonProps{
	clientId: jsii.String("amzn-client-id"),
	clientSecret: jsii.String("amzn-client-secret"),
	userPool: userpool,
	attributeMapping: &attributeMapping{
		email: cognito.providerAttribute_AMAZON_EMAIL(),
		website: cognito.*providerAttribute.other(jsii.String("url")),
		 // use other() when an attribute is not pre-defined in the CDK
		custom: map[string]*providerAttribute{
			// custom user pool attributes go here
			"uniqueId": cognito.*providerAttribute_AMAZON_USER_ID(),
		},
	},
})

func ProviderAttribute_AMAZON_EMAIL 

func ProviderAttribute_AMAZON_EMAIL() ProviderAttribute

func ProviderAttribute_AMAZON_NAME 

func ProviderAttribute_AMAZON_NAME() ProviderAttribute

func ProviderAttribute_AMAZON_POSTAL_CODE 

func ProviderAttribute_AMAZON_POSTAL_CODE() ProviderAttribute

func ProviderAttribute_AMAZON_USER_ID 

func ProviderAttribute_AMAZON_USER_ID() ProviderAttribute

func ProviderAttribute_APPLE_EMAIL 

func ProviderAttribute_APPLE_EMAIL() ProviderAttribute

func ProviderAttribute_APPLE_FIRST_NAME 

func ProviderAttribute_APPLE_FIRST_NAME() ProviderAttribute

func ProviderAttribute_APPLE_LAST_NAME 

func ProviderAttribute_APPLE_LAST_NAME() ProviderAttribute

func ProviderAttribute_APPLE_NAME 

func ProviderAttribute_APPLE_NAME() ProviderAttribute

func ProviderAttribute_FACEBOOK_BIRTHDAY 

func ProviderAttribute_FACEBOOK_BIRTHDAY() ProviderAttribute

func ProviderAttribute_FACEBOOK_EMAIL 

func ProviderAttribute_FACEBOOK_EMAIL() ProviderAttribute

func ProviderAttribute_FACEBOOK_FIRST_NAME 

func ProviderAttribute_FACEBOOK_FIRST_NAME() ProviderAttribute

func ProviderAttribute_FACEBOOK_GENDER 

func ProviderAttribute_FACEBOOK_GENDER() ProviderAttribute

func ProviderAttribute_FACEBOOK_ID 

func ProviderAttribute_FACEBOOK_ID() ProviderAttribute

func ProviderAttribute_FACEBOOK_LAST_NAME 

func ProviderAttribute_FACEBOOK_LAST_NAME() ProviderAttribute

func ProviderAttribute_FACEBOOK_LOCALE 

func ProviderAttribute_FACEBOOK_LOCALE() ProviderAttribute

func ProviderAttribute_FACEBOOK_MIDDLE_NAME 

func ProviderAttribute_FACEBOOK_MIDDLE_NAME() ProviderAttribute

func ProviderAttribute_FACEBOOK_NAME 

func ProviderAttribute_FACEBOOK_NAME() ProviderAttribute

func ProviderAttribute_GOOGLE_BIRTHDAYS 

func ProviderAttribute_GOOGLE_BIRTHDAYS() ProviderAttribute

func ProviderAttribute_GOOGLE_EMAIL 

func ProviderAttribute_GOOGLE_EMAIL() ProviderAttribute

func ProviderAttribute_GOOGLE_FAMILY_NAME 

func ProviderAttribute_GOOGLE_FAMILY_NAME() ProviderAttribute

func ProviderAttribute_GOOGLE_GENDER 

func ProviderAttribute_GOOGLE_GENDER() ProviderAttribute

func ProviderAttribute_GOOGLE_GIVEN_NAME 

func ProviderAttribute_GOOGLE_GIVEN_NAME() ProviderAttribute

func ProviderAttribute_GOOGLE_NAME 

func ProviderAttribute_GOOGLE_NAME() ProviderAttribute

func ProviderAttribute_GOOGLE_NAMES 

func ProviderAttribute_GOOGLE_NAMES() ProviderAttribute

func ProviderAttribute_GOOGLE_PHONE_NUMBERS 

func ProviderAttribute_GOOGLE_PHONE_NUMBERS() ProviderAttribute

func ProviderAttribute_GOOGLE_PICTURE 

func ProviderAttribute_GOOGLE_PICTURE() ProviderAttribute

func ProviderAttribute_Other 

func ProviderAttribute_Other(attributeName *string) ProviderAttribute

Use this to specify an attribute from the identity provider that is not pre-defined in the CDK.

type ResourceServerScope 

type ResourceServerScope interface {
	// A description of the scope.
	ScopeDescription() *string
	// The name of the scope.
	ScopeName() *string
}

A scope for ResourceServer.

Example: 

pool := cognito.NewUserPool(this, jsii.String("Pool"))

readOnlyScope := cognito.NewResourceServerScope(&resourceServerScopeProps{
	scopeName: jsii.String("read"),
	scopeDescription: jsii.String("Read-only access"),
})
fullAccessScope := cognito.NewResourceServerScope(&resourceServerScopeProps{
	scopeName: jsii.String("*"),
	scopeDescription: jsii.String("Full access"),
})

userServer := pool.addResourceServer(jsii.String("ResourceServer"), &userPoolResourceServerOptions{
	identifier: jsii.String("users"),
	scopes: []resourceServerScope{
		readOnlyScope,
		fullAccessScope,
	},
})

readOnlyClient := pool.addClient(jsii.String("read-only-client"), &userPoolClientOptions{
	// ...
	oAuth: &oAuthSettings{
		// ...
		scopes: []oAuthScope{
			cognito.*oAuthScope.resourceServer(userServer, readOnlyScope),
		},
	},
})

fullAccessClient := pool.addClient(jsii.String("full-access-client"), &userPoolClientOptions{
	// ...
	oAuth: &oAuthSettings{
		// ...
		scopes: []*oAuthScope{
			cognito.*oAuthScope.resourceServer(userServer, fullAccessScope),
		},
	},
})

func NewResourceServerScope 

func NewResourceServerScope(props *ResourceServerScopeProps) ResourceServerScope

type ResourceServerScopeProps 

type ResourceServerScopeProps struct {
	// A description of the scope.
	ScopeDescription *string `field:"required" json:"scopeDescription" yaml:"scopeDescription"`
	// The name of the scope.
	ScopeName *string `field:"required" json:"scopeName" yaml:"scopeName"`
}

Props to initialize ResourceServerScope.

Example: 

pool := cognito.NewUserPool(this, jsii.String("Pool"))

readOnlyScope := cognito.NewResourceServerScope(&resourceServerScopeProps{
	scopeName: jsii.String("read"),
	scopeDescription: jsii.String("Read-only access"),
})
fullAccessScope := cognito.NewResourceServerScope(&resourceServerScopeProps{
	scopeName: jsii.String("*"),
	scopeDescription: jsii.String("Full access"),
})

userServer := pool.addResourceServer(jsii.String("ResourceServer"), &userPoolResourceServerOptions{
	identifier: jsii.String("users"),
	scopes: []resourceServerScope{
		readOnlyScope,
		fullAccessScope,
	},
})

readOnlyClient := pool.addClient(jsii.String("read-only-client"), &userPoolClientOptions{
	// ...
	oAuth: &oAuthSettings{
		// ...
		scopes: []oAuthScope{
			cognito.*oAuthScope.resourceServer(userServer, readOnlyScope),
		},
	},
})

fullAccessClient := pool.addClient(jsii.String("full-access-client"), &userPoolClientOptions{
	// ...
	oAuth: &oAuthSettings{
		// ...
		scopes: []*oAuthScope{
			cognito.*oAuthScope.resourceServer(userServer, fullAccessScope),
		},
	},
})

type SignInAliases 

type SignInAliases struct {
	// Whether a user is allowed to sign up or sign in with an email address.
	Email *bool `field:"optional" json:"email" yaml:"email"`
	// Whether a user is allowed to sign up or sign in with a phone number.
	Phone *bool `field:"optional" json:"phone" yaml:"phone"`
	// Whether a user is allowed to sign in with a secondary username, that can be set and modified after sign up.
	//
	// Can only be used in conjunction with `USERNAME`.
	PreferredUsername *bool `field:"optional" json:"preferredUsername" yaml:"preferredUsername"`
	// Whether user is allowed to sign up or sign in with a username.
	Username *bool `field:"optional" json:"username" yaml:"username"`
}

The different ways in which users of this pool can sign up or sign in.

Example: 

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	// ...
	signInAliases: &signInAliases{
		username: jsii.Boolean(true),
		email: jsii.Boolean(true),
	},
})

type SignInUrlOptions 

type SignInUrlOptions struct {
	// Whether to return the FIPS-compliant endpoint.
	Fips *bool `field:"optional" json:"fips" yaml:"fips"`
	// Where to redirect to after sign in.
	RedirectUri *string `field:"required" json:"redirectUri" yaml:"redirectUri"`
	// The path in the URI where the sign-in page is located.
	SignInPath *string `field:"optional" json:"signInPath" yaml:"signInPath"`
}

Options to customize the behaviour of `signInUrl()`.

Example: 

userpool := cognito.NewUserPool(this, jsii.String("UserPool"), &userPoolProps{
})
client := userpool.addClient(jsii.String("Client"), &userPoolClientOptions{
	// ...
	oAuth: &oAuthSettings{
		flows: &oAuthFlows{
			implicitCodeGrant: jsii.Boolean(true),
		},
		callbackUrls: []*string{
			jsii.String("https://myapp.com/home"),
			jsii.String("https://myapp.com/users"),
		},
	},
})
domain := userpool.addDomain(jsii.String("Domain"), &userPoolDomainOptions{
})
signInUrl := domain.signInUrl(client, &signInUrlOptions{
	redirectUri: jsii.String("https://myapp.com/home"),
})

type StandardAttribute 

type StandardAttribute struct {
	// Specifies whether the value of the attribute can be changed.
	//
	// For any user pool attribute that's mapped to an identity provider attribute, this must be set to `true`.
	// Amazon Cognito updates mapped attributes when users sign in to your application through an identity provider.
	// If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute.
	Mutable *bool `field:"optional" json:"mutable" yaml:"mutable"`
	// Specifies whether the attribute is required upon user registration.
	//
	// If the attribute is required and the user does not provide a value, registration or sign-in will fail.
	Required *bool `field:"optional" json:"required" yaml:"required"`
}

Standard attribute that can be marked as required or mutable.

Example: 

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	standardAttributes: &standardAttributes{
		fullname: &standardAttribute{
			required: jsii.Boolean(true),
			mutable: jsii.Boolean(false),
		},
		address: &standardAttribute{
			required: jsii.Boolean(false),
			mutable: jsii.Boolean(true),
		},
	},
	customAttributes: map[string]iCustomAttribute{
		"myappid": cognito.NewStringAttribute(&StringAttributeProps{
			"minLen": jsii.Number(5),
			"maxLen": jsii.Number(15),
			"mutable": jsii.Boolean(false),
		}),
		"callingcode": cognito.NewNumberAttribute(&NumberAttributeProps{
			"min": jsii.Number(1),
			"max": jsii.Number(3),
			"mutable": jsii.Boolean(true),
		}),
		"isEmployee": cognito.NewBooleanAttribute(&CustomAttributeProps{
			"mutable": jsii.Boolean(true),
		}),
		"joinedOn": cognito.NewDateTimeAttribute(),
	},
})

See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#cognito-user-pools-standard-attributes

type StandardAttributes 

type StandardAttributes struct {
	// The user's postal address.
	Address *StandardAttribute `field:"optional" json:"address" yaml:"address"`
	// The user's birthday, represented as an ISO 8601:2004 format.
	Birthdate *StandardAttribute `field:"optional" json:"birthdate" yaml:"birthdate"`
	// The user's e-mail address, represented as an RFC 5322 [RFC5322] addr-spec.
	Email *StandardAttribute `field:"optional" json:"email" yaml:"email"`
	// The surname or last name of the user.
	FamilyName *StandardAttribute `field:"optional" json:"familyName" yaml:"familyName"`
	// The user's full name in displayable form, including all name parts, titles and suffixes.
	Fullname *StandardAttribute `field:"optional" json:"fullname" yaml:"fullname"`
	// The user's gender.
	Gender *StandardAttribute `field:"optional" json:"gender" yaml:"gender"`
	// The user's first name or give name.
	GivenName *StandardAttribute `field:"optional" json:"givenName" yaml:"givenName"`
	// The time, the user's information was last updated.
	LastUpdateTime *StandardAttribute `field:"optional" json:"lastUpdateTime" yaml:"lastUpdateTime"`
	// The user's locale, represented as a BCP47 [RFC5646] language tag.
	Locale *StandardAttribute `field:"optional" json:"locale" yaml:"locale"`
	// The user's middle name.
	MiddleName *StandardAttribute `field:"optional" json:"middleName" yaml:"middleName"`
	// The user's nickname or casual name.
	Nickname *StandardAttribute `field:"optional" json:"nickname" yaml:"nickname"`
	// The user's telephone number.
	PhoneNumber *StandardAttribute `field:"optional" json:"phoneNumber" yaml:"phoneNumber"`
	// The user's preffered username, different from the immutable user name.
	PreferredUsername *StandardAttribute `field:"optional" json:"preferredUsername" yaml:"preferredUsername"`
	// The URL to the user's profile page.
	ProfilePage *StandardAttribute `field:"optional" json:"profilePage" yaml:"profilePage"`
	// The URL to the user's profile picture.
	ProfilePicture *StandardAttribute `field:"optional" json:"profilePicture" yaml:"profilePicture"`
	// The user's time zone.
	Timezone *StandardAttribute `field:"optional" json:"timezone" yaml:"timezone"`
	// The URL to the user's web page or blog.
	Website *StandardAttribute `field:"optional" json:"website" yaml:"website"`
}

The set of standard attributes that can be marked as required or mutable.

Example: 

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	standardAttributes: &standardAttributes{
		fullname: &standardAttribute{
			required: jsii.Boolean(true),
			mutable: jsii.Boolean(false),
		},
		address: &standardAttribute{
			required: jsii.Boolean(false),
			mutable: jsii.Boolean(true),
		},
	},
	customAttributes: map[string]iCustomAttribute{
		"myappid": cognito.NewStringAttribute(&StringAttributeProps{
			"minLen": jsii.Number(5),
			"maxLen": jsii.Number(15),
			"mutable": jsii.Boolean(false),
		}),
		"callingcode": cognito.NewNumberAttribute(&NumberAttributeProps{
			"min": jsii.Number(1),
			"max": jsii.Number(3),
			"mutable": jsii.Boolean(true),
		}),
		"isEmployee": cognito.NewBooleanAttribute(&CustomAttributeProps{
			"mutable": jsii.Boolean(true),
		}),
		"joinedOn": cognito.NewDateTimeAttribute(),
	},
})

See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#cognito-user-pools-standard-attributes

type StandardAttributesMask 

type StandardAttributesMask struct {
	// The user's postal address.
	Address *bool `field:"optional" json:"address" yaml:"address"`
	// The user's birthday, represented as an ISO 8601:2004 format.
	Birthdate *bool `field:"optional" json:"birthdate" yaml:"birthdate"`
	// The user's e-mail address, represented as an RFC 5322 [RFC5322] addr-spec.
	Email *bool `field:"optional" json:"email" yaml:"email"`
	// Whether the email address has been verified.
	EmailVerified *bool `field:"optional" json:"emailVerified" yaml:"emailVerified"`
	// The surname or last name of the user.
	FamilyName *bool `field:"optional" json:"familyName" yaml:"familyName"`
	// The user's full name in displayable form, including all name parts, titles and suffixes.
	Fullname *bool `field:"optional" json:"fullname" yaml:"fullname"`
	// The user's gender.
	Gender *bool `field:"optional" json:"gender" yaml:"gender"`
	// The user's first name or give name.
	GivenName *bool `field:"optional" json:"givenName" yaml:"givenName"`
	// The time, the user's information was last updated.
	LastUpdateTime *bool `field:"optional" json:"lastUpdateTime" yaml:"lastUpdateTime"`
	// The user's locale, represented as a BCP47 [RFC5646] language tag.
	Locale *bool `field:"optional" json:"locale" yaml:"locale"`
	// The user's middle name.
	MiddleName *bool `field:"optional" json:"middleName" yaml:"middleName"`
	// The user's nickname or casual name.
	Nickname *bool `field:"optional" json:"nickname" yaml:"nickname"`
	// The user's telephone number.
	PhoneNumber *bool `field:"optional" json:"phoneNumber" yaml:"phoneNumber"`
	// Whether the phone number has been verified.
	PhoneNumberVerified *bool `field:"optional" json:"phoneNumberVerified" yaml:"phoneNumberVerified"`
	// The user's preffered username, different from the immutable user name.
	PreferredUsername *bool `field:"optional" json:"preferredUsername" yaml:"preferredUsername"`
	// The URL to the user's profile page.
	ProfilePage *bool `field:"optional" json:"profilePage" yaml:"profilePage"`
	// The URL to the user's profile picture.
	ProfilePicture *bool `field:"optional" json:"profilePicture" yaml:"profilePicture"`
	// The user's time zone.
	Timezone *bool `field:"optional" json:"timezone" yaml:"timezone"`
	// The URL to the user's web page or blog.
	Website *bool `field:"optional" json:"website" yaml:"website"`
}

This interface contains standard attributes recognized by Cognito from https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html including built-in attributes `email_verified` and `phone_number_verified`.

Example: 

pool := cognito.NewUserPool(this, jsii.String("Pool"))

clientWriteAttributes := (cognito.NewClientAttributes()).withStandardAttributes(&standardAttributesMask{
	fullname: jsii.Boolean(true),
	email: jsii.Boolean(true),
}).withCustomAttributes(jsii.String("favouritePizza"), jsii.String("favouriteBeverage"))

clientReadAttributes := clientWriteAttributes.withStandardAttributes(&standardAttributesMask{
	emailVerified: jsii.Boolean(true),
}).withCustomAttributes(jsii.String("pointsEarned"))

pool.addClient(jsii.String("app-client"), &userPoolClientOptions{
	// ...
	readAttributes: clientReadAttributes,
	writeAttributes: clientWriteAttributes,
})

type StringAttribute 

type StringAttribute interface {
	ICustomAttribute
	// Bind this custom attribute type to the values as expected by CloudFormation.
	Bind() *CustomAttributeConfig
}

The String custom attribute type.

Example: 

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	standardAttributes: &standardAttributes{
		fullname: &standardAttribute{
			required: jsii.Boolean(true),
			mutable: jsii.Boolean(false),
		},
		address: &standardAttribute{
			required: jsii.Boolean(false),
			mutable: jsii.Boolean(true),
		},
	},
	customAttributes: map[string]iCustomAttribute{
		"myappid": cognito.NewStringAttribute(&StringAttributeProps{
			"minLen": jsii.Number(5),
			"maxLen": jsii.Number(15),
			"mutable": jsii.Boolean(false),
		}),
		"callingcode": cognito.NewNumberAttribute(&NumberAttributeProps{
			"min": jsii.Number(1),
			"max": jsii.Number(3),
			"mutable": jsii.Boolean(true),
		}),
		"isEmployee": cognito.NewBooleanAttribute(&CustomAttributeProps{
			"mutable": jsii.Boolean(true),
		}),
		"joinedOn": cognito.NewDateTimeAttribute(),
	},
})

func NewStringAttribute 

func NewStringAttribute(props *StringAttributeProps) StringAttribute

type StringAttributeConstraints 

type StringAttributeConstraints struct {
	// Maximum length of this attribute.
	MaxLen *float64 `field:"optional" json:"maxLen" yaml:"maxLen"`
	// Minimum length of this attribute.
	MinLen *float64 `field:"optional" json:"minLen" yaml:"minLen"`
}

Constraints that can be applied to a custom attribute of string type.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

stringAttributeConstraints := &stringAttributeConstraints{
	maxLen: jsii.Number(123),
	minLen: jsii.Number(123),
}

type StringAttributeProps 

type StringAttributeProps struct {
	// Maximum length of this attribute.
	MaxLen *float64 `field:"optional" json:"maxLen" yaml:"maxLen"`
	// Minimum length of this attribute.
	MinLen *float64 `field:"optional" json:"minLen" yaml:"minLen"`
	// Specifies whether the value of the attribute can be changed.
	//
	// For any user pool attribute that's mapped to an identity provider attribute, you must set this parameter to true.
	// Amazon Cognito updates mapped attributes when users sign in to your application through an identity provider.
	// If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute.
	Mutable *bool `field:"optional" json:"mutable" yaml:"mutable"`
}

Props for constructing a StringAttr.

Example: 

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	standardAttributes: &standardAttributes{
		fullname: &standardAttribute{
			required: jsii.Boolean(true),
			mutable: jsii.Boolean(false),
		},
		address: &standardAttribute{
			required: jsii.Boolean(false),
			mutable: jsii.Boolean(true),
		},
	},
	customAttributes: map[string]iCustomAttribute{
		"myappid": cognito.NewStringAttribute(&StringAttributeProps{
			"minLen": jsii.Number(5),
			"maxLen": jsii.Number(15),
			"mutable": jsii.Boolean(false),
		}),
		"callingcode": cognito.NewNumberAttribute(&NumberAttributeProps{
			"min": jsii.Number(1),
			"max": jsii.Number(3),
			"mutable": jsii.Boolean(true),
		}),
		"isEmployee": cognito.NewBooleanAttribute(&CustomAttributeProps{
			"mutable": jsii.Boolean(true),
		}),
		"joinedOn": cognito.NewDateTimeAttribute(),
	},
})

type UserInvitationConfig 

type UserInvitationConfig struct {
	// The template to the email body that is sent to the user when an administrator signs them up to the user pool.
	EmailBody *string `field:"optional" json:"emailBody" yaml:"emailBody"`
	// The template to the email subject that is sent to the user when an administrator signs them up to the user pool.
	EmailSubject *string `field:"optional" json:"emailSubject" yaml:"emailSubject"`
	// The template to the SMS message that is sent to the user when an administrator signs them up to the user pool.
	SmsMessage *string `field:"optional" json:"smsMessage" yaml:"smsMessage"`
}

User pool configuration when administrators sign users up.

Example: 

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	userInvitation: &userInvitationConfig{
		emailSubject: jsii.String("Invite to join our awesome app!"),
		emailBody: jsii.String("Hello {username}, you have been invited to join our awesome app! Your temporary password is {####}"),
		smsMessage: jsii.String("Hello {username}, your temporary password for our awesome app is {####}"),
	},
})

type UserPool 

type UserPool interface {
	awscdk.Resource
	IUserPool
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// Get all identity providers registered with this user pool.
	IdentityProviders() *[]IUserPoolIdentityProvider
	// The tree node.
	Node() constructs.Node
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//    cross-environment scenarios.
	PhysicalName() *string
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// The ARN of the user pool.
	UserPoolArn() *string
	// The physical ID of this user pool resource.
	UserPoolId() *string
	// User pool provider name.
	UserPoolProviderName() *string
	// User pool provider URL.
	UserPoolProviderUrl() *string
	// Add a new app client to this user pool.
	AddClient(id *string, options *UserPoolClientOptions) UserPoolClient
	// Associate a domain to this user pool.
	AddDomain(id *string, options *UserPoolDomainOptions) UserPoolDomain
	// Add a new resource server to this user pool.
	AddResourceServer(id *string, options *UserPoolResourceServerOptions) UserPoolResourceServer
	// Add a lambda trigger to a user pool operation.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
	//
	AddTrigger(operation UserPoolOperation, fn awslambda.IFunction)
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Adds an IAM policy statement associated with this user pool to an IAM principal's policy.
	Grant(grantee awsiam.IGrantable, actions ...*string) awsiam.Grant
	// Register an identity provider with this user pool.
	RegisterIdentityProvider(provider IUserPoolIdentityProvider)
	// Returns a string representation of this construct.
	ToString() *string
}

Define a Cognito User Pool.

Example: 

pool := cognito.NewUserPool(this, jsii.String("Pool"))
pool.addClient(jsii.String("app-client"), &userPoolClientOptions{
	oAuth: &oAuthSettings{
		flows: &oAuthFlows{
			authorizationCodeGrant: jsii.Boolean(true),
		},
		scopes: []oAuthScope{
			cognito.*oAuthScope_OPENID(),
		},
		callbackUrls: []*string{
			jsii.String("https://my-app-domain.com/welcome"),
		},
		logoutUrls: []*string{
			jsii.String("https://my-app-domain.com/signin"),
		},
	},
})

func NewUserPool 

func NewUserPool(scope constructs.Construct, id *string, props *UserPoolProps) UserPool

type UserPoolClient 

type UserPoolClient interface {
	awscdk.Resource
	IUserPoolClient
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The tree node.
	Node() constructs.Node
	// The OAuth flows enabled for this client.
	OAuthFlows() *OAuthFlows
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//    cross-environment scenarios.
	PhysicalName() *string
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Name of the application client.
	UserPoolClientId() *string
	// The client name that was specified via the `userPoolClientName` property during initialization, throws an error otherwise.
	UserPoolClientName() *string
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Returns a string representation of this construct.
	ToString() *string
}

Define a UserPool App Client.

Example: 

pool := cognito.NewUserPool(this, jsii.String("Pool"))
provider := cognito.NewUserPoolIdentityProviderAmazon(this, jsii.String("Amazon"), &userPoolIdentityProviderAmazonProps{
	userPool: pool,
	clientId: jsii.String("amzn-client-id"),
	clientSecret: jsii.String("amzn-client-secret"),
})

client := pool.addClient(jsii.String("app-client"), &userPoolClientOptions{
	// ...
	supportedIdentityProviders: []userPoolClientIdentityProvider{
		cognito.*userPoolClientIdentityProvider_AMAZON(),
	},
})

client.node.addDependency(provider)

func NewUserPoolClient 

func NewUserPoolClient(scope constructs.Construct, id *string, props *UserPoolClientProps) UserPoolClient

type UserPoolClientIdentityProvider 

type UserPoolClientIdentityProvider interface {
	// The name of the identity provider as recognized by CloudFormation property `SupportedIdentityProviders`.
	Name() *string
}

Identity providers supported by the UserPoolClient.

Example: 

pool := cognito.NewUserPool(this, jsii.String("Pool"))
pool.addClient(jsii.String("app-client"), &userPoolClientOptions{
	// ...
	supportedIdentityProviders: []userPoolClientIdentityProvider{
		cognito.*userPoolClientIdentityProvider_AMAZON(),
		cognito.*userPoolClientIdentityProvider_COGNITO(),
	},
})

func UserPoolClientIdentityProvider_AMAZON 

func UserPoolClientIdentityProvider_AMAZON() UserPoolClientIdentityProvider

func UserPoolClientIdentityProvider_APPLE 

func UserPoolClientIdentityProvider_APPLE() UserPoolClientIdentityProvider

func UserPoolClientIdentityProvider_COGNITO 

func UserPoolClientIdentityProvider_COGNITO() UserPoolClientIdentityProvider

func UserPoolClientIdentityProvider_Custom 

func UserPoolClientIdentityProvider_Custom(name *string) UserPoolClientIdentityProvider

Specify a provider not yet supported by the CDK.

func UserPoolClientIdentityProvider_FACEBOOK 

func UserPoolClientIdentityProvider_FACEBOOK() UserPoolClientIdentityProvider

func UserPoolClientIdentityProvider_GOOGLE 

func UserPoolClientIdentityProvider_GOOGLE() UserPoolClientIdentityProvider

type UserPoolClientOptions 

type UserPoolClientOptions struct {
	// Validity of the access token.
	//
	// Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity.
	// See: https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-access-token
	//
	AccessTokenValidity awscdk.Duration `field:"optional" json:"accessTokenValidity" yaml:"accessTokenValidity"`
	// The set of OAuth authentication flows to enable on the client.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html
	//
	AuthFlows *AuthFlow `field:"optional" json:"authFlows" yaml:"authFlows"`
	// Turns off all OAuth interactions for this client.
	DisableOAuth *bool `field:"optional" json:"disableOAuth" yaml:"disableOAuth"`
	// Enable token revocation for this client.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html#enable-token-revocation
	//
	EnableTokenRevocation *bool `field:"optional" json:"enableTokenRevocation" yaml:"enableTokenRevocation"`
	// Whether to generate a client secret.
	GenerateSecret *bool `field:"optional" json:"generateSecret" yaml:"generateSecret"`
	// Validity of the ID token.
	//
	// Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity.
	// See: https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-id-token
	//
	IdTokenValidity awscdk.Duration `field:"optional" json:"idTokenValidity" yaml:"idTokenValidity"`
	// OAuth settings for this client to interact with the app.
	//
	// An error is thrown when this is specified and `disableOAuth` is set.
	OAuth *OAuthSettings `field:"optional" json:"oAuth" yaml:"oAuth"`
	// Whether Cognito returns a UserNotFoundException exception when the user does not exist in the user pool (false), or whether it returns another type of error that doesn't reveal the user's absence.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-managing-errors.html
	//
	PreventUserExistenceErrors *bool `field:"optional" json:"preventUserExistenceErrors" yaml:"preventUserExistenceErrors"`
	// The set of attributes this client will be able to read.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes
	//
	ReadAttributes ClientAttributes `field:"optional" json:"readAttributes" yaml:"readAttributes"`
	// Validity of the refresh token.
	//
	// Values between 60 minutes and 10 years are valid.
	// See: https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-refresh-token
	//
	RefreshTokenValidity awscdk.Duration `field:"optional" json:"refreshTokenValidity" yaml:"refreshTokenValidity"`
	// The list of identity providers that users should be able to use to sign in using this client.
	SupportedIdentityProviders *[]UserPoolClientIdentityProvider `field:"optional" json:"supportedIdentityProviders" yaml:"supportedIdentityProviders"`
	// Name of the application client.
	UserPoolClientName *string `field:"optional" json:"userPoolClientName" yaml:"userPoolClientName"`
	// The set of attributes this client will be able to write.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes
	//
	WriteAttributes ClientAttributes `field:"optional" json:"writeAttributes" yaml:"writeAttributes"`
}

Options to create a UserPoolClient.

Example: 

pool := cognito.NewUserPool(this, jsii.String("Pool"))
pool.addClient(jsii.String("app-client"), &userPoolClientOptions{
	oAuth: &oAuthSettings{
		flows: &oAuthFlows{
			authorizationCodeGrant: jsii.Boolean(true),
		},
		scopes: []oAuthScope{
			cognito.*oAuthScope_OPENID(),
		},
		callbackUrls: []*string{
			jsii.String("https://my-app-domain.com/welcome"),
		},
		logoutUrls: []*string{
			jsii.String("https://my-app-domain.com/signin"),
		},
	},
})

type UserPoolClientProps 

type UserPoolClientProps struct {
	// Validity of the access token.
	//
	// Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity.
	// See: https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-access-token
	//
	AccessTokenValidity awscdk.Duration `field:"optional" json:"accessTokenValidity" yaml:"accessTokenValidity"`
	// The set of OAuth authentication flows to enable on the client.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html
	//
	AuthFlows *AuthFlow `field:"optional" json:"authFlows" yaml:"authFlows"`
	// Turns off all OAuth interactions for this client.
	DisableOAuth *bool `field:"optional" json:"disableOAuth" yaml:"disableOAuth"`
	// Enable token revocation for this client.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html#enable-token-revocation
	//
	EnableTokenRevocation *bool `field:"optional" json:"enableTokenRevocation" yaml:"enableTokenRevocation"`
	// Whether to generate a client secret.
	GenerateSecret *bool `field:"optional" json:"generateSecret" yaml:"generateSecret"`
	// Validity of the ID token.
	//
	// Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity.
	// See: https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-id-token
	//
	IdTokenValidity awscdk.Duration `field:"optional" json:"idTokenValidity" yaml:"idTokenValidity"`
	// OAuth settings for this client to interact with the app.
	//
	// An error is thrown when this is specified and `disableOAuth` is set.
	OAuth *OAuthSettings `field:"optional" json:"oAuth" yaml:"oAuth"`
	// Whether Cognito returns a UserNotFoundException exception when the user does not exist in the user pool (false), or whether it returns another type of error that doesn't reveal the user's absence.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-managing-errors.html
	//
	PreventUserExistenceErrors *bool `field:"optional" json:"preventUserExistenceErrors" yaml:"preventUserExistenceErrors"`
	// The set of attributes this client will be able to read.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes
	//
	ReadAttributes ClientAttributes `field:"optional" json:"readAttributes" yaml:"readAttributes"`
	// Validity of the refresh token.
	//
	// Values between 60 minutes and 10 years are valid.
	// See: https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-refresh-token
	//
	RefreshTokenValidity awscdk.Duration `field:"optional" json:"refreshTokenValidity" yaml:"refreshTokenValidity"`
	// The list of identity providers that users should be able to use to sign in using this client.
	SupportedIdentityProviders *[]UserPoolClientIdentityProvider `field:"optional" json:"supportedIdentityProviders" yaml:"supportedIdentityProviders"`
	// Name of the application client.
	UserPoolClientName *string `field:"optional" json:"userPoolClientName" yaml:"userPoolClientName"`
	// The set of attributes this client will be able to write.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes
	//
	WriteAttributes ClientAttributes `field:"optional" json:"writeAttributes" yaml:"writeAttributes"`
	// The UserPool resource this client will have access to.
	UserPool IUserPool `field:"required" json:"userPool" yaml:"userPool"`
}

Properties for the UserPoolClient construct.

Example: 

importedPool := cognito.userPool.fromUserPoolId(this, jsii.String("imported-pool"), jsii.String("us-east-1_oiuR12Abd"))
cognito.NewUserPoolClient(this, jsii.String("customer-app-client"), &userPoolClientProps{
	userPool: importedPool,
})

type UserPoolDomain 

type UserPoolDomain interface {
	awscdk.Resource
	IUserPoolDomain
	// The domain name of the CloudFront distribution associated with the user pool domain.
	CloudFrontDomainName() *string
	// The domain that was specified to be created.
	//
	// If `customDomain` was selected, this holds the full domain name that was specified.
	// If the `cognitoDomain` was used, it contains the prefix to the Cognito hosted domain.
	DomainName() *string
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The tree node.
	Node() constructs.Node
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//    cross-environment scenarios.
	PhysicalName() *string
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	// The URL to the hosted UI associated with this domain.
	BaseUrl(options *BaseUrlOptions) *string
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// The URL to the sign in page in this domain using a specific UserPoolClient.
	SignInUrl(client UserPoolClient, options *SignInUrlOptions) *string
	// Returns a string representation of this construct.
	ToString() *string
}

Define a user pool domain.

Example: 

userpool := cognito.NewUserPool(this, jsii.String("UserPool"), &userPoolProps{
})
client := userpool.addClient(jsii.String("Client"), &userPoolClientOptions{
	// ...
	oAuth: &oAuthSettings{
		flows: &oAuthFlows{
			implicitCodeGrant: jsii.Boolean(true),
		},
		callbackUrls: []*string{
			jsii.String("https://myapp.com/home"),
			jsii.String("https://myapp.com/users"),
		},
	},
})
domain := userpool.addDomain(jsii.String("Domain"), &userPoolDomainOptions{
})
signInUrl := domain.signInUrl(client, &signInUrlOptions{
	redirectUri: jsii.String("https://myapp.com/home"),
})

func NewUserPoolDomain 

func NewUserPoolDomain(scope constructs.Construct, id *string, props *UserPoolDomainProps) UserPoolDomain

type UserPoolDomainOptions 

type UserPoolDomainOptions struct {
	// Associate a cognito prefix domain with your user pool Either `customDomain` or `cognitoDomain` must be specified.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain-prefix.html
	//
	CognitoDomain *CognitoDomainOptions `field:"optional" json:"cognitoDomain" yaml:"cognitoDomain"`
	// Associate a custom domain with your user pool Either `customDomain` or `cognitoDomain` must be specified.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html
	//
	CustomDomain *CustomDomainOptions `field:"optional" json:"customDomain" yaml:"customDomain"`
}

Options to create a UserPoolDomain.

Example: 

pool := cognito.NewUserPool(this, jsii.String("Pool"))

pool.addDomain(jsii.String("CognitoDomain"), &userPoolDomainOptions{
	cognitoDomain: &cognitoDomainOptions{
		domainPrefix: jsii.String("my-awesome-app"),
	},
})

certificateArn := "arn:aws:acm:us-east-1:123456789012:certificate/11-3336f1-44483d-adc7-9cd375c5169d"

domainCert := certificatemanager.certificate.fromCertificateArn(this, jsii.String("domainCert"), certificateArn)
pool.addDomain(jsii.String("CustomDomain"), &userPoolDomainOptions{
	customDomain: &customDomainOptions{
		domainName: jsii.String("user.myapp.com"),
		certificate: domainCert,
	},
})

type UserPoolDomainProps 

type UserPoolDomainProps struct {
	// Associate a cognito prefix domain with your user pool Either `customDomain` or `cognitoDomain` must be specified.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain-prefix.html
	//
	CognitoDomain *CognitoDomainOptions `field:"optional" json:"cognitoDomain" yaml:"cognitoDomain"`
	// Associate a custom domain with your user pool Either `customDomain` or `cognitoDomain` must be specified.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html
	//
	CustomDomain *CustomDomainOptions `field:"optional" json:"customDomain" yaml:"customDomain"`
	// The user pool to which this domain should be associated.
	UserPool IUserPool `field:"required" json:"userPool" yaml:"userPool"`
}

Props for UserPoolDomain construct.

Example: 

import cognito "github.com/aws/aws-cdk-go/awscdk"
import ec2 "github.com/aws/aws-cdk-go/awscdk"
import elbv2 "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/constructs-go/constructs"
import actions "github.com/aws/aws-cdk-go/awscdk"

cognitoStack struct {
stack
}

lb := elbv2.NewApplicationLoadBalancer(this, jsii.String("LB"), &applicationLoadBalancerProps{
	vpc: vpc,
	internetFacing: jsii.Boolean(true),
})

userPool := cognito.NewUserPool(this, jsii.String("UserPool"))
userPoolClient := cognito.NewUserPoolClient(this, jsii.String("Client"), &userPoolClientProps{
	userPool: userPool,

	// Required minimal configuration for use with an ELB
	generateSecret: jsii.Boolean(true),
	authFlows: &authFlow{
		userPassword: jsii.Boolean(true),
	},
	oAuth: &oAuthSettings{
		flows: &oAuthFlows{
			authorizationCodeGrant: jsii.Boolean(true),
		},
		scopes: []oAuthScope{
			cognito.*oAuthScope_EMAIL(),
		},
		callbackUrls: []*string{
			fmt.Sprintf("https://%v/oauth2/idpresponse", lb.loadBalancerDnsName),
		},
	},
})
cfnClient := userPoolClient.node.defaultChild.(cfnUserPoolClient)
cfnClient.addPropertyOverride(jsii.String("RefreshTokenValidity"), jsii.Number(1))
cfnClient.addPropertyOverride(jsii.String("SupportedIdentityProviders"), []interface{}{
	jsii.String("COGNITO"),
})

userPoolDomain := cognito.NewUserPoolDomain(this, jsii.String("Domain"), &userPoolDomainProps{
	userPool: userPool,
	cognitoDomain: &cognitoDomainOptions{
		domainPrefix: jsii.String("test-cdk-prefix"),
	},
})

lb.addListener(jsii.String("Listener"), &baseApplicationListenerProps{
	port: jsii.Number(443),
	certificates: []iListenerCertificate{
		certificate,
	},
	defaultAction: actions.NewAuthenticateCognitoAction(&authenticateCognitoActionProps{
		userPool: userPool,
		userPoolClient: userPoolClient,
		userPoolDomain: userPoolDomain,
		next: elbv2.listenerAction.fixedResponse(jsii.Number(200), &fixedResponseOptions{
			contentType: jsii.String("text/plain"),
			messageBody: jsii.String("Authenticated"),
		}),
	}),
})

awscdk.NewCfnOutput(this, jsii.String("DNS"), &cfnOutputProps{
	value: lb.loadBalancerDnsName,
})

app := awscdk.NewApp()
NewCognitoStack(app, jsii.String("integ-cognito"))
app.synth()

type UserPoolEmail 

type UserPoolEmail interface {
}

Configure how Cognito sends emails.

Example: 

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	email: cognito.userPoolEmail.withSES(&userPoolSESOptions{
		fromEmail: jsii.String("noreply@myawesomeapp.com"),
		fromName: jsii.String("Awesome App"),
		replyTo: jsii.String("support@myawesomeapp.com"),
	}),
})

func UserPoolEmail_WithCognito 

func UserPoolEmail_WithCognito(replyTo *string) UserPoolEmail

Send email using Cognito.

func UserPoolEmail_WithSES 

func UserPoolEmail_WithSES(options *UserPoolSESOptions) UserPoolEmail

Send email using SES.

type UserPoolIdentityProvider 

type UserPoolIdentityProvider interface {
}

User pool third-party identity providers.

type UserPoolIdentityProviderAmazon 

type UserPoolIdentityProviderAmazon interface {
	awscdk.Resource
	IUserPoolIdentityProvider
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The tree node.
	Node() constructs.Node
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//    cross-environment scenarios.
	PhysicalName() *string
	// The primary identifier of this identity provider.
	ProviderName() *string
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	ConfigureAttributeMapping() interface{}
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Returns a string representation of this construct.
	ToString() *string
}

Represents a identity provider that integrates with 'Login with Amazon'.

Example: 

pool := cognito.NewUserPool(this, jsii.String("Pool"))
provider := cognito.NewUserPoolIdentityProviderAmazon(this, jsii.String("Amazon"), &userPoolIdentityProviderAmazonProps{
	userPool: pool,
	clientId: jsii.String("amzn-client-id"),
	clientSecret: jsii.String("amzn-client-secret"),
})

client := pool.addClient(jsii.String("app-client"), &userPoolClientOptions{
	// ...
	supportedIdentityProviders: []userPoolClientIdentityProvider{
		cognito.*userPoolClientIdentityProvider_AMAZON(),
	},
})

client.node.addDependency(provider)

func NewUserPoolIdentityProviderAmazon 

func NewUserPoolIdentityProviderAmazon(scope constructs.Construct, id *string, props *UserPoolIdentityProviderAmazonProps) UserPoolIdentityProviderAmazon

type UserPoolIdentityProviderAmazonProps 

type UserPoolIdentityProviderAmazonProps struct {
	// The user pool to which this construct provides identities.
	UserPool IUserPool `field:"required" json:"userPool" yaml:"userPool"`
	// Mapping attributes from the identity provider to standard and custom attributes of the user pool.
	AttributeMapping *AttributeMapping `field:"optional" json:"attributeMapping" yaml:"attributeMapping"`
	// The client id recognized by 'Login with Amazon' APIs.
	// See: https://developer.amazon.com/docs/login-with-amazon/security-profile.html#client-identifier
	//
	ClientId *string `field:"required" json:"clientId" yaml:"clientId"`
	// The client secret to be accompanied with clientId for 'Login with Amazon' APIs to authenticate the client.
	// See: https://developer.amazon.com/docs/login-with-amazon/security-profile.html#client-identifier
	//
	ClientSecret *string `field:"required" json:"clientSecret" yaml:"clientSecret"`
	// The types of user profile data to obtain for the Amazon profile.
	// See: https://developer.amazon.com/docs/login-with-amazon/customer-profile.html
	//
	Scopes *[]*string `field:"optional" json:"scopes" yaml:"scopes"`
}

Properties to initialize UserPoolAmazonIdentityProvider.

Example: 

pool := cognito.NewUserPool(this, jsii.String("Pool"))
provider := cognito.NewUserPoolIdentityProviderAmazon(this, jsii.String("Amazon"), &userPoolIdentityProviderAmazonProps{
	userPool: pool,
	clientId: jsii.String("amzn-client-id"),
	clientSecret: jsii.String("amzn-client-secret"),
})

client := pool.addClient(jsii.String("app-client"), &userPoolClientOptions{
	// ...
	supportedIdentityProviders: []userPoolClientIdentityProvider{
		cognito.*userPoolClientIdentityProvider_AMAZON(),
	},
})

client.node.addDependency(provider)

type UserPoolIdentityProviderApple 

type UserPoolIdentityProviderApple interface {
	awscdk.Resource
	IUserPoolIdentityProvider
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The tree node.
	Node() constructs.Node
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//    cross-environment scenarios.
	PhysicalName() *string
	// The primary identifier of this identity provider.
	ProviderName() *string
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	ConfigureAttributeMapping() interface{}
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Returns a string representation of this construct.
	ToString() *string
}

Represents a identity provider that integrates with 'Apple'.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var providerAttribute providerAttribute
var userPool userPool

userPoolIdentityProviderApple := awscdk.Aws_cognito.NewUserPoolIdentityProviderApple(this, jsii.String("MyUserPoolIdentityProviderApple"), &userPoolIdentityProviderAppleProps{
	clientId: jsii.String("clientId"),
	keyId: jsii.String("keyId"),
	privateKey: jsii.String("privateKey"),
	teamId: jsii.String("teamId"),
	userPool: userPool,

	// the properties below are optional
	attributeMapping: &attributeMapping{
		address: providerAttribute,
		birthdate: providerAttribute,
		custom: map[string]*providerAttribute{
			"customKey": providerAttribute,
		},
		email: providerAttribute,
		familyName: providerAttribute,
		fullname: providerAttribute,
		gender: providerAttribute,
		givenName: providerAttribute,
		lastUpdateTime: providerAttribute,
		locale: providerAttribute,
		middleName: providerAttribute,
		nickname: providerAttribute,
		phoneNumber: providerAttribute,
		preferredUsername: providerAttribute,
		profilePage: providerAttribute,
		profilePicture: providerAttribute,
		timezone: providerAttribute,
		website: providerAttribute,
	},
	scopes: []*string{
		jsii.String("scopes"),
	},
})

func NewUserPoolIdentityProviderApple 

func NewUserPoolIdentityProviderApple(scope constructs.Construct, id *string, props *UserPoolIdentityProviderAppleProps) UserPoolIdentityProviderApple

type UserPoolIdentityProviderAppleProps 

type UserPoolIdentityProviderAppleProps struct {
	// The user pool to which this construct provides identities.
	UserPool IUserPool `field:"required" json:"userPool" yaml:"userPool"`
	// Mapping attributes from the identity provider to standard and custom attributes of the user pool.
	AttributeMapping *AttributeMapping `field:"optional" json:"attributeMapping" yaml:"attributeMapping"`
	// The client id recognized by Apple APIs.
	// See: https://developer.apple.com/documentation/sign_in_with_apple/clientconfigi/3230948-clientid
	//
	ClientId *string `field:"required" json:"clientId" yaml:"clientId"`
	// The keyId (of the same key, which content has to be later supplied as `privateKey`) for Apple APIs to authenticate the client.
	KeyId *string `field:"required" json:"keyId" yaml:"keyId"`
	// The privateKey content for Apple APIs to authenticate the client.
	PrivateKey *string `field:"required" json:"privateKey" yaml:"privateKey"`
	// The teamId for Apple APIs to authenticate the client.
	TeamId *string `field:"required" json:"teamId" yaml:"teamId"`
	// The list of apple permissions to obtain for getting access to the apple profile.
	// See: https://developer.apple.com/documentation/sign_in_with_apple/clientconfigi/3230955-scope
	//
	Scopes *[]*string `field:"optional" json:"scopes" yaml:"scopes"`
}

Properties to initialize UserPoolAppleIdentityProvider.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var providerAttribute providerAttribute
var userPool userPool

userPoolIdentityProviderAppleProps := &userPoolIdentityProviderAppleProps{
	clientId: jsii.String("clientId"),
	keyId: jsii.String("keyId"),
	privateKey: jsii.String("privateKey"),
	teamId: jsii.String("teamId"),
	userPool: userPool,

	// the properties below are optional
	attributeMapping: &attributeMapping{
		address: providerAttribute,
		birthdate: providerAttribute,
		custom: map[string]*providerAttribute{
			"customKey": providerAttribute,
		},
		email: providerAttribute,
		familyName: providerAttribute,
		fullname: providerAttribute,
		gender: providerAttribute,
		givenName: providerAttribute,
		lastUpdateTime: providerAttribute,
		locale: providerAttribute,
		middleName: providerAttribute,
		nickname: providerAttribute,
		phoneNumber: providerAttribute,
		preferredUsername: providerAttribute,
		profilePage: providerAttribute,
		profilePicture: providerAttribute,
		timezone: providerAttribute,
		website: providerAttribute,
	},
	scopes: []*string{
		jsii.String("scopes"),
	},
}

type UserPoolIdentityProviderFacebook 

type UserPoolIdentityProviderFacebook interface {
	awscdk.Resource
	IUserPoolIdentityProvider
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The tree node.
	Node() constructs.Node
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//    cross-environment scenarios.
	PhysicalName() *string
	// The primary identifier of this identity provider.
	ProviderName() *string
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	ConfigureAttributeMapping() interface{}
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Returns a string representation of this construct.
	ToString() *string
}

Represents a identity provider that integrates with 'Facebook Login'.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var providerAttribute providerAttribute
var userPool userPool

userPoolIdentityProviderFacebook := awscdk.Aws_cognito.NewUserPoolIdentityProviderFacebook(this, jsii.String("MyUserPoolIdentityProviderFacebook"), &userPoolIdentityProviderFacebookProps{
	clientId: jsii.String("clientId"),
	clientSecret: jsii.String("clientSecret"),
	userPool: userPool,

	// the properties below are optional
	apiVersion: jsii.String("apiVersion"),
	attributeMapping: &attributeMapping{
		address: providerAttribute,
		birthdate: providerAttribute,
		custom: map[string]*providerAttribute{
			"customKey": providerAttribute,
		},
		email: providerAttribute,
		familyName: providerAttribute,
		fullname: providerAttribute,
		gender: providerAttribute,
		givenName: providerAttribute,
		lastUpdateTime: providerAttribute,
		locale: providerAttribute,
		middleName: providerAttribute,
		nickname: providerAttribute,
		phoneNumber: providerAttribute,
		preferredUsername: providerAttribute,
		profilePage: providerAttribute,
		profilePicture: providerAttribute,
		timezone: providerAttribute,
		website: providerAttribute,
	},
	scopes: []*string{
		jsii.String("scopes"),
	},
})

func NewUserPoolIdentityProviderFacebook 

func NewUserPoolIdentityProviderFacebook(scope constructs.Construct, id *string, props *UserPoolIdentityProviderFacebookProps) UserPoolIdentityProviderFacebook

type UserPoolIdentityProviderFacebookProps 

type UserPoolIdentityProviderFacebookProps struct {
	// The user pool to which this construct provides identities.
	UserPool IUserPool `field:"required" json:"userPool" yaml:"userPool"`
	// Mapping attributes from the identity provider to standard and custom attributes of the user pool.
	AttributeMapping *AttributeMapping `field:"optional" json:"attributeMapping" yaml:"attributeMapping"`
	// The client id recognized by Facebook APIs.
	ClientId *string `field:"required" json:"clientId" yaml:"clientId"`
	// The client secret to be accompanied with clientUd for Facebook to authenticate the client.
	// See: https://developers.facebook.com/docs/facebook-login/security#appsecret
	//
	ClientSecret *string `field:"required" json:"clientSecret" yaml:"clientSecret"`
	// The Facebook API version to use.
	ApiVersion *string `field:"optional" json:"apiVersion" yaml:"apiVersion"`
	// The list of facebook permissions to obtain for getting access to the Facebook profile.
	// See: https://developers.facebook.com/docs/facebook-login/permissions
	//
	Scopes *[]*string `field:"optional" json:"scopes" yaml:"scopes"`
}

Properties to initialize UserPoolFacebookIdentityProvider.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var providerAttribute providerAttribute
var userPool userPool

userPoolIdentityProviderFacebookProps := &userPoolIdentityProviderFacebookProps{
	clientId: jsii.String("clientId"),
	clientSecret: jsii.String("clientSecret"),
	userPool: userPool,

	// the properties below are optional
	apiVersion: jsii.String("apiVersion"),
	attributeMapping: &attributeMapping{
		address: providerAttribute,
		birthdate: providerAttribute,
		custom: map[string]*providerAttribute{
			"customKey": providerAttribute,
		},
		email: providerAttribute,
		familyName: providerAttribute,
		fullname: providerAttribute,
		gender: providerAttribute,
		givenName: providerAttribute,
		lastUpdateTime: providerAttribute,
		locale: providerAttribute,
		middleName: providerAttribute,
		nickname: providerAttribute,
		phoneNumber: providerAttribute,
		preferredUsername: providerAttribute,
		profilePage: providerAttribute,
		profilePicture: providerAttribute,
		timezone: providerAttribute,
		website: providerAttribute,
	},
	scopes: []*string{
		jsii.String("scopes"),
	},
}

type UserPoolIdentityProviderGoogle 

type UserPoolIdentityProviderGoogle interface {
	awscdk.Resource
	IUserPoolIdentityProvider
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The tree node.
	Node() constructs.Node
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//    cross-environment scenarios.
	PhysicalName() *string
	// The primary identifier of this identity provider.
	ProviderName() *string
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	ConfigureAttributeMapping() interface{}
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Returns a string representation of this construct.
	ToString() *string
}

Represents a identity provider that integrates with 'Google'.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var providerAttribute providerAttribute
var userPool userPool

userPoolIdentityProviderGoogle := awscdk.Aws_cognito.NewUserPoolIdentityProviderGoogle(this, jsii.String("MyUserPoolIdentityProviderGoogle"), &userPoolIdentityProviderGoogleProps{
	clientId: jsii.String("clientId"),
	clientSecret: jsii.String("clientSecret"),
	userPool: userPool,

	// the properties below are optional
	attributeMapping: &attributeMapping{
		address: providerAttribute,
		birthdate: providerAttribute,
		custom: map[string]*providerAttribute{
			"customKey": providerAttribute,
		},
		email: providerAttribute,
		familyName: providerAttribute,
		fullname: providerAttribute,
		gender: providerAttribute,
		givenName: providerAttribute,
		lastUpdateTime: providerAttribute,
		locale: providerAttribute,
		middleName: providerAttribute,
		nickname: providerAttribute,
		phoneNumber: providerAttribute,
		preferredUsername: providerAttribute,
		profilePage: providerAttribute,
		profilePicture: providerAttribute,
		timezone: providerAttribute,
		website: providerAttribute,
	},
	scopes: []*string{
		jsii.String("scopes"),
	},
})

func NewUserPoolIdentityProviderGoogle 

func NewUserPoolIdentityProviderGoogle(scope constructs.Construct, id *string, props *UserPoolIdentityProviderGoogleProps) UserPoolIdentityProviderGoogle

type UserPoolIdentityProviderGoogleProps 

type UserPoolIdentityProviderGoogleProps struct {
	// The user pool to which this construct provides identities.
	UserPool IUserPool `field:"required" json:"userPool" yaml:"userPool"`
	// Mapping attributes from the identity provider to standard and custom attributes of the user pool.
	AttributeMapping *AttributeMapping `field:"optional" json:"attributeMapping" yaml:"attributeMapping"`
	// The client id recognized by Google APIs.
	// See: https://developers.google.com/identity/sign-in/web/sign-in#specify_your_apps_client_id
	//
	ClientId *string `field:"required" json:"clientId" yaml:"clientId"`
	// The client secret to be accompanied with clientId for Google APIs to authenticate the client.
	// See: https://developers.google.com/identity/sign-in/web/sign-in
	//
	ClientSecret *string `field:"required" json:"clientSecret" yaml:"clientSecret"`
	// The list of google permissions to obtain for getting access to the google profile.
	// See: https://developers.google.com/identity/sign-in/web/sign-in
	//
	Scopes *[]*string `field:"optional" json:"scopes" yaml:"scopes"`
}

Properties to initialize UserPoolGoogleIdentityProvider.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var providerAttribute providerAttribute
var userPool userPool

userPoolIdentityProviderGoogleProps := &userPoolIdentityProviderGoogleProps{
	clientId: jsii.String("clientId"),
	clientSecret: jsii.String("clientSecret"),
	userPool: userPool,

	// the properties below are optional
	attributeMapping: &attributeMapping{
		address: providerAttribute,
		birthdate: providerAttribute,
		custom: map[string]*providerAttribute{
			"customKey": providerAttribute,
		},
		email: providerAttribute,
		familyName: providerAttribute,
		fullname: providerAttribute,
		gender: providerAttribute,
		givenName: providerAttribute,
		lastUpdateTime: providerAttribute,
		locale: providerAttribute,
		middleName: providerAttribute,
		nickname: providerAttribute,
		phoneNumber: providerAttribute,
		preferredUsername: providerAttribute,
		profilePage: providerAttribute,
		profilePicture: providerAttribute,
		timezone: providerAttribute,
		website: providerAttribute,
	},
	scopes: []*string{
		jsii.String("scopes"),
	},
}

type UserPoolIdentityProviderOidc added in v2.27.0 

type UserPoolIdentityProviderOidc interface {
	awscdk.Resource
	IUserPoolIdentityProvider
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The tree node.
	Node() constructs.Node
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//    cross-environment scenarios.
	PhysicalName() *string
	// The primary identifier of this identity provider.
	ProviderName() *string
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	ConfigureAttributeMapping() interface{}
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Returns a string representation of this construct.
	ToString() *string
}

Represents a identity provider that integrates with OpenID Connect.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var providerAttribute providerAttribute
var userPool userPool

userPoolIdentityProviderOidc := awscdk.Aws_cognito.NewUserPoolIdentityProviderOidc(this, jsii.String("MyUserPoolIdentityProviderOidc"), &userPoolIdentityProviderOidcProps{
	clientId: jsii.String("clientId"),
	clientSecret: jsii.String("clientSecret"),
	issuerUrl: jsii.String("issuerUrl"),
	userPool: userPool,

	// the properties below are optional
	attributeMapping: &attributeMapping{
		address: providerAttribute,
		birthdate: providerAttribute,
		custom: map[string]*providerAttribute{
			"customKey": providerAttribute,
		},
		email: providerAttribute,
		familyName: providerAttribute,
		fullname: providerAttribute,
		gender: providerAttribute,
		givenName: providerAttribute,
		lastUpdateTime: providerAttribute,
		locale: providerAttribute,
		middleName: providerAttribute,
		nickname: providerAttribute,
		phoneNumber: providerAttribute,
		preferredUsername: providerAttribute,
		profilePage: providerAttribute,
		profilePicture: providerAttribute,
		timezone: providerAttribute,
		website: providerAttribute,
	},
	attributeRequestMethod: awscdk.*Aws_cognito.oidcAttributeRequestMethod_GET,
	endpoints: &oidcEndpoints{
		authorization: jsii.String("authorization"),
		jwksUri: jsii.String("jwksUri"),
		token: jsii.String("token"),
		userInfo: jsii.String("userInfo"),
	},
	identifiers: []*string{
		jsii.String("identifiers"),
	},
	name: jsii.String("name"),
	scopes: []*string{
		jsii.String("scopes"),
	},
})

func NewUserPoolIdentityProviderOidc added in v2.27.0 

func NewUserPoolIdentityProviderOidc(scope constructs.Construct, id *string, props *UserPoolIdentityProviderOidcProps) UserPoolIdentityProviderOidc

type UserPoolIdentityProviderOidcProps added in v2.27.0 

type UserPoolIdentityProviderOidcProps struct {
	// The user pool to which this construct provides identities.
	UserPool IUserPool `field:"required" json:"userPool" yaml:"userPool"`
	// Mapping attributes from the identity provider to standard and custom attributes of the user pool.
	AttributeMapping *AttributeMapping `field:"optional" json:"attributeMapping" yaml:"attributeMapping"`
	// The client id.
	ClientId *string `field:"required" json:"clientId" yaml:"clientId"`
	// The client secret.
	ClientSecret *string `field:"required" json:"clientSecret" yaml:"clientSecret"`
	// Issuer URL.
	IssuerUrl *string `field:"required" json:"issuerUrl" yaml:"issuerUrl"`
	// The method to use to request attributes.
	AttributeRequestMethod OidcAttributeRequestMethod `field:"optional" json:"attributeRequestMethod" yaml:"attributeRequestMethod"`
	// OpenID connect endpoints.
	Endpoints *OidcEndpoints `field:"optional" json:"endpoints" yaml:"endpoints"`
	// Identifiers.
	//
	// Identifiers can be used to redirect users to the correct IdP in multitenant apps.
	Identifiers *[]*string `field:"optional" json:"identifiers" yaml:"identifiers"`
	// The name of the provider.
	Name *string `field:"optional" json:"name" yaml:"name"`
	// The OAuth 2.0 scopes that you will request from OpenID Connect. Scopes are groups of OpenID Connect user attributes to exchange with your app.
	Scopes *[]*string `field:"optional" json:"scopes" yaml:"scopes"`
}

Properties to initialize UserPoolIdentityProviderOidc.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var providerAttribute providerAttribute
var userPool userPool

userPoolIdentityProviderOidcProps := &userPoolIdentityProviderOidcProps{
	clientId: jsii.String("clientId"),
	clientSecret: jsii.String("clientSecret"),
	issuerUrl: jsii.String("issuerUrl"),
	userPool: userPool,

	// the properties below are optional
	attributeMapping: &attributeMapping{
		address: providerAttribute,
		birthdate: providerAttribute,
		custom: map[string]*providerAttribute{
			"customKey": providerAttribute,
		},
		email: providerAttribute,
		familyName: providerAttribute,
		fullname: providerAttribute,
		gender: providerAttribute,
		givenName: providerAttribute,
		lastUpdateTime: providerAttribute,
		locale: providerAttribute,
		middleName: providerAttribute,
		nickname: providerAttribute,
		phoneNumber: providerAttribute,
		preferredUsername: providerAttribute,
		profilePage: providerAttribute,
		profilePicture: providerAttribute,
		timezone: providerAttribute,
		website: providerAttribute,
	},
	attributeRequestMethod: awscdk.Aws_cognito.oidcAttributeRequestMethod_GET,
	endpoints: &oidcEndpoints{
		authorization: jsii.String("authorization"),
		jwksUri: jsii.String("jwksUri"),
		token: jsii.String("token"),
		userInfo: jsii.String("userInfo"),
	},
	identifiers: []*string{
		jsii.String("identifiers"),
	},
	name: jsii.String("name"),
	scopes: []*string{
		jsii.String("scopes"),
	},
}

type UserPoolIdentityProviderProps 

type UserPoolIdentityProviderProps struct {
	// The user pool to which this construct provides identities.
	UserPool IUserPool `field:"required" json:"userPool" yaml:"userPool"`
	// Mapping attributes from the identity provider to standard and custom attributes of the user pool.
	AttributeMapping *AttributeMapping `field:"optional" json:"attributeMapping" yaml:"attributeMapping"`
}

Properties to create a new instance of UserPoolIdentityProvider.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var providerAttribute providerAttribute
var userPool userPool

userPoolIdentityProviderProps := &userPoolIdentityProviderProps{
	userPool: userPool,

	// the properties below are optional
	attributeMapping: &attributeMapping{
		address: providerAttribute,
		birthdate: providerAttribute,
		custom: map[string]*providerAttribute{
			"customKey": providerAttribute,
		},
		email: providerAttribute,
		familyName: providerAttribute,
		fullname: providerAttribute,
		gender: providerAttribute,
		givenName: providerAttribute,
		lastUpdateTime: providerAttribute,
		locale: providerAttribute,
		middleName: providerAttribute,
		nickname: providerAttribute,
		phoneNumber: providerAttribute,
		preferredUsername: providerAttribute,
		profilePage: providerAttribute,
		profilePicture: providerAttribute,
		timezone: providerAttribute,
		website: providerAttribute,
	},
}

type UserPoolOperation 

type UserPoolOperation interface {
	// The key to use in `CfnUserPool.LambdaConfigProperty`.
	OperationName() *string
}

User pool operations to which lambda triggers can be attached.

Example: 

authChallengeFn := lambda.NewFunction(this, jsii.String("authChallengeFn"), &functionProps{
	runtime: lambda.runtime_NODEJS_14_X(),
	handler: jsii.String("index.handler"),
	code: lambda.code.fromAsset(path.join(__dirname, jsii.String("path/to/asset"))),
})

userpool := cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	lambdaTriggers: &userPoolTriggers{
		createAuthChallenge: authChallengeFn,
	},
})

userpool.addTrigger(cognito.userPoolOperation_USER_MIGRATION(), lambda.NewFunction(this, jsii.String("userMigrationFn"), &functionProps{
	runtime: lambda.*runtime_NODEJS_14_X(),
	handler: jsii.String("index.handler"),
	code: lambda.*code.fromAsset(path.join(__dirname, jsii.String("path/to/asset"))),
}))

func UserPoolOperation_CREATE_AUTH_CHALLENGE 

func UserPoolOperation_CREATE_AUTH_CHALLENGE() UserPoolOperation

func UserPoolOperation_CUSTOM_EMAIL_SENDER added in v2.1.0 

func UserPoolOperation_CUSTOM_EMAIL_SENDER() UserPoolOperation

func UserPoolOperation_CUSTOM_MESSAGE 

func UserPoolOperation_CUSTOM_MESSAGE() UserPoolOperation

func UserPoolOperation_CUSTOM_SMS_SENDER added in v2.1.0 

func UserPoolOperation_CUSTOM_SMS_SENDER() UserPoolOperation

func UserPoolOperation_DEFINE_AUTH_CHALLENGE 

func UserPoolOperation_DEFINE_AUTH_CHALLENGE() UserPoolOperation

func UserPoolOperation_Of 

func UserPoolOperation_Of(name *string) UserPoolOperation

A custom user pool operation.

func UserPoolOperation_POST_AUTHENTICATION 

func UserPoolOperation_POST_AUTHENTICATION() UserPoolOperation

func UserPoolOperation_POST_CONFIRMATION 

func UserPoolOperation_POST_CONFIRMATION() UserPoolOperation

func UserPoolOperation_PRE_AUTHENTICATION 

func UserPoolOperation_PRE_AUTHENTICATION() UserPoolOperation

func UserPoolOperation_PRE_SIGN_UP 

func UserPoolOperation_PRE_SIGN_UP() UserPoolOperation

func UserPoolOperation_PRE_TOKEN_GENERATION 

func UserPoolOperation_PRE_TOKEN_GENERATION() UserPoolOperation

func UserPoolOperation_USER_MIGRATION 

func UserPoolOperation_USER_MIGRATION() UserPoolOperation

func UserPoolOperation_VERIFY_AUTH_CHALLENGE_RESPONSE 

func UserPoolOperation_VERIFY_AUTH_CHALLENGE_RESPONSE() UserPoolOperation

type UserPoolProps 

type UserPoolProps struct {
	// How will a user be able to recover their account?
	AccountRecovery AccountRecovery `field:"optional" json:"accountRecovery" yaml:"accountRecovery"`
	// Attributes which Cognito will look to verify automatically upon user sign up.
	//
	// EMAIL and PHONE are the only available options.
	AutoVerify *AutoVerifiedAttrs `field:"optional" json:"autoVerify" yaml:"autoVerify"`
	// Define a set of custom attributes that can be configured for each user in the user pool.
	CustomAttributes *map[string]ICustomAttribute `field:"optional" json:"customAttributes" yaml:"customAttributes"`
	// This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sender-triggers.html
	//
	CustomSenderKmsKey awskms.IKey `field:"optional" json:"customSenderKmsKey" yaml:"customSenderKmsKey"`
	// Device tracking settings.
	DeviceTracking *DeviceTracking `field:"optional" json:"deviceTracking" yaml:"deviceTracking"`
	// Email settings for a user pool.
	Email UserPoolEmail `field:"optional" json:"email" yaml:"email"`
	// Setting this would explicitly enable or disable SMS role creation.
	//
	// When left unspecified, CDK will determine based on other properties if a role is needed or not.
	EnableSmsRole *bool `field:"optional" json:"enableSmsRole" yaml:"enableSmsRole"`
	// Lambda functions to use for supported Cognito triggers.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
	//
	LambdaTriggers *UserPoolTriggers `field:"optional" json:"lambdaTriggers" yaml:"lambdaTriggers"`
	// Configure whether users of this user pool can or are required use MFA to sign in.
	Mfa Mfa `field:"optional" json:"mfa" yaml:"mfa"`
	// The SMS message template sent during MFA verification.
	//
	// Use '{####}' in the template where Cognito should insert the verification code.
	MfaMessage *string `field:"optional" json:"mfaMessage" yaml:"mfaMessage"`
	// Configure the MFA types that users can use in this user pool.
	//
	// Ignored if `mfa` is set to `OFF`.
	MfaSecondFactor *MfaSecondFactor `field:"optional" json:"mfaSecondFactor" yaml:"mfaSecondFactor"`
	// Password policy for this user pool.
	PasswordPolicy *PasswordPolicy `field:"optional" json:"passwordPolicy" yaml:"passwordPolicy"`
	// Policy to apply when the user pool is removed from the stack.
	RemovalPolicy awscdk.RemovalPolicy `field:"optional" json:"removalPolicy" yaml:"removalPolicy"`
	// Whether self sign up should be enabled.
	//
	// This can be further configured via the `selfSignUp` property.
	SelfSignUpEnabled *bool `field:"optional" json:"selfSignUpEnabled" yaml:"selfSignUpEnabled"`
	// Methods in which a user registers or signs in to a user pool.
	//
	// Allows either username with aliases OR sign in with email, phone, or both.
	//
	// Read the sections on usernames and aliases to learn more -
	// https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html
	//
	// To match with 'Option 1' in the above link, with a verified email, this property should be set to
	// `{ username: true, email: true }`. To match with 'Option 2' in the above link with both a verified email and phone
	// number, this property should be set to `{ email: true, phone: true }`.
	SignInAliases *SignInAliases `field:"optional" json:"signInAliases" yaml:"signInAliases"`
	// Whether sign-in aliases should be evaluated with case sensitivity.
	//
	// For example, when this option is set to false, users will be able to sign in using either `MyUsername` or `myusername`.
	SignInCaseSensitive *bool `field:"optional" json:"signInCaseSensitive" yaml:"signInCaseSensitive"`
	// The IAM role that Cognito will assume while sending SMS messages.
	SmsRole awsiam.IRole `field:"optional" json:"smsRole" yaml:"smsRole"`
	// The 'ExternalId' that Cognito service must using when assuming the `smsRole`, if the role is restricted with an 'sts:ExternalId' conditional.
	//
	// Learn more about ExternalId here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
	//
	// This property will be ignored if `smsRole` is not specified.
	SmsRoleExternalId *string `field:"optional" json:"smsRoleExternalId" yaml:"smsRoleExternalId"`
	// The region to integrate with SNS to send SMS messages.
	//
	// This property will do nothing if SMS configuration is not configured.
	SnsRegion *string `field:"optional" json:"snsRegion" yaml:"snsRegion"`
	// The set of attributes that are required for every user in the user pool.
	//
	// Read more on attributes here - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html
	StandardAttributes *StandardAttributes `field:"optional" json:"standardAttributes" yaml:"standardAttributes"`
	// Configuration around admins signing up users into a user pool.
	UserInvitation *UserInvitationConfig `field:"optional" json:"userInvitation" yaml:"userInvitation"`
	// Name of the user pool.
	UserPoolName *string `field:"optional" json:"userPoolName" yaml:"userPoolName"`
	// Configuration around users signing themselves up to the user pool.
	//
	// Enable or disable self sign-up via the `selfSignUpEnabled` property.
	UserVerification *UserVerificationConfig `field:"optional" json:"userVerification" yaml:"userVerification"`
}

Props for the UserPool construct.

Example: 

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	selfSignUpEnabled: jsii.Boolean(true),
	userVerification: &userVerificationConfig{
		emailSubject: jsii.String("Verify your email for our awesome app!"),
		emailBody: jsii.String("Thanks for signing up to our awesome app! Your verification code is {####}"),
		emailStyle: cognito.verificationEmailStyle_CODE,
		smsMessage: jsii.String("Thanks for signing up to our awesome app! Your verification code is {####}"),
	},
})

type UserPoolResourceServer 

type UserPoolResourceServer interface {
	awscdk.Resource
	IUserPoolResourceServer
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The tree node.
	Node() constructs.Node
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//    cross-environment scenarios.
	PhysicalName() *string
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Resource server id.
	UserPoolResourceServerId() *string
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Returns a string representation of this construct.
	ToString() *string
}

Defines a User Pool OAuth2.0 Resource Server.

Example: 

pool := cognito.NewUserPool(this, jsii.String("Pool"))

readOnlyScope := cognito.NewResourceServerScope(&resourceServerScopeProps{
	scopeName: jsii.String("read"),
	scopeDescription: jsii.String("Read-only access"),
})
fullAccessScope := cognito.NewResourceServerScope(&resourceServerScopeProps{
	scopeName: jsii.String("*"),
	scopeDescription: jsii.String("Full access"),
})

userServer := pool.addResourceServer(jsii.String("ResourceServer"), &userPoolResourceServerOptions{
	identifier: jsii.String("users"),
	scopes: []resourceServerScope{
		readOnlyScope,
		fullAccessScope,
	},
})

readOnlyClient := pool.addClient(jsii.String("read-only-client"), &userPoolClientOptions{
	// ...
	oAuth: &oAuthSettings{
		// ...
		scopes: []oAuthScope{
			cognito.*oAuthScope.resourceServer(userServer, readOnlyScope),
		},
	},
})

fullAccessClient := pool.addClient(jsii.String("full-access-client"), &userPoolClientOptions{
	// ...
	oAuth: &oAuthSettings{
		// ...
		scopes: []*oAuthScope{
			cognito.*oAuthScope.resourceServer(userServer, fullAccessScope),
		},
	},
})

func NewUserPoolResourceServer 

func NewUserPoolResourceServer(scope constructs.Construct, id *string, props *UserPoolResourceServerProps) UserPoolResourceServer

type UserPoolResourceServerOptions 

type UserPoolResourceServerOptions struct {
	// A unique resource server identifier for the resource server.
	Identifier *string `field:"required" json:"identifier" yaml:"identifier"`
	// Oauth scopes.
	Scopes *[]ResourceServerScope `field:"optional" json:"scopes" yaml:"scopes"`
	// A friendly name for the resource server.
	UserPoolResourceServerName *string `field:"optional" json:"userPoolResourceServerName" yaml:"userPoolResourceServerName"`
}

Options to create a UserPoolResourceServer.

Example: 

pool := cognito.NewUserPool(this, jsii.String("Pool"))

readOnlyScope := cognito.NewResourceServerScope(&resourceServerScopeProps{
	scopeName: jsii.String("read"),
	scopeDescription: jsii.String("Read-only access"),
})
fullAccessScope := cognito.NewResourceServerScope(&resourceServerScopeProps{
	scopeName: jsii.String("*"),
	scopeDescription: jsii.String("Full access"),
})

userServer := pool.addResourceServer(jsii.String("ResourceServer"), &userPoolResourceServerOptions{
	identifier: jsii.String("users"),
	scopes: []resourceServerScope{
		readOnlyScope,
		fullAccessScope,
	},
})

readOnlyClient := pool.addClient(jsii.String("read-only-client"), &userPoolClientOptions{
	// ...
	oAuth: &oAuthSettings{
		// ...
		scopes: []oAuthScope{
			cognito.*oAuthScope.resourceServer(userServer, readOnlyScope),
		},
	},
})

fullAccessClient := pool.addClient(jsii.String("full-access-client"), &userPoolClientOptions{
	// ...
	oAuth: &oAuthSettings{
		// ...
		scopes: []*oAuthScope{
			cognito.*oAuthScope.resourceServer(userServer, fullAccessScope),
		},
	},
})

type UserPoolResourceServerProps 

type UserPoolResourceServerProps struct {
	// A unique resource server identifier for the resource server.
	Identifier *string `field:"required" json:"identifier" yaml:"identifier"`
	// Oauth scopes.
	Scopes *[]ResourceServerScope `field:"optional" json:"scopes" yaml:"scopes"`
	// A friendly name for the resource server.
	UserPoolResourceServerName *string `field:"optional" json:"userPoolResourceServerName" yaml:"userPoolResourceServerName"`
	// The user pool to add this resource server to.
	UserPool IUserPool `field:"required" json:"userPool" yaml:"userPool"`
}

Properties for the UserPoolResourceServer construct.

Example: 

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"

var resourceServerScope resourceServerScope
var userPool userPool

userPoolResourceServerProps := &userPoolResourceServerProps{
	identifier: jsii.String("identifier"),
	userPool: userPool,

	// the properties below are optional
	scopes: []*resourceServerScope{
		resourceServerScope,
	},
	userPoolResourceServerName: jsii.String("userPoolResourceServerName"),
}

type UserPoolSESOptions 

type UserPoolSESOptions struct {
	// The verified Amazon SES email address that Cognito should use to send emails.
	//
	// The email address used must be a verified email address
	// in Amazon SES and must be configured to allow Cognito to
	// send emails.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html
	//
	FromEmail *string `field:"required" json:"fromEmail" yaml:"fromEmail"`
	// The name of a configuration set in Amazon SES that should be applied to emails sent via Cognito.
	// See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-emailconfiguration.html#cfn-cognito-userpool-emailconfiguration-configurationset
	//
	ConfigurationSetName *string `field:"optional" json:"configurationSetName" yaml:"configurationSetName"`
	// An optional name that should be used as the sender's name along with the email.
	FromName *string `field:"optional" json:"fromName" yaml:"fromName"`
	// The destination to which the receiver of the email should reploy to.
	ReplyTo *string `field:"optional" json:"replyTo" yaml:"replyTo"`
	// Required if the UserPool region is different than the SES region.
	//
	// If sending emails with a Amazon SES verified email address,
	// and the region that SES is configured is different than the
	// region in which the UserPool is deployed, you must specify that
	// region here.
	//
	// Must be 'us-east-1', 'us-west-2', or 'eu-west-1'.
	SesRegion *string `field:"optional" json:"sesRegion" yaml:"sesRegion"`
	// SES Verified custom domain to be used to verify the identity.
	SesVerifiedDomain *string `field:"optional" json:"sesVerifiedDomain" yaml:"sesVerifiedDomain"`
}

Configuration for Cognito sending emails via Amazon SES.

Example: 

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	email: cognito.userPoolEmail.withSES(&userPoolSESOptions{
		sesRegion: jsii.String("us-east-1"),
		fromEmail: jsii.String("noreply@myawesomeapp.com"),
		fromName: jsii.String("Awesome App"),
		replyTo: jsii.String("support@myawesomeapp.com"),
	}),
})

type UserPoolTriggers 

type UserPoolTriggers struct {
	// Creates an authentication challenge.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-create-auth-challenge.html
	//
	CreateAuthChallenge awslambda.IFunction `field:"optional" json:"createAuthChallenge" yaml:"createAuthChallenge"`
	// Amazon Cognito invokes this trigger to send email notifications to users.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-email-sender.html
	//
	CustomEmailSender awslambda.IFunction `field:"optional" json:"customEmailSender" yaml:"customEmailSender"`
	// A custom Message AWS Lambda trigger.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-message.html
	//
	CustomMessage awslambda.IFunction `field:"optional" json:"customMessage" yaml:"customMessage"`
	// Amazon Cognito invokes this trigger to send SMS notifications to users.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sms-sender.html
	//
	CustomSmsSender awslambda.IFunction `field:"optional" json:"customSmsSender" yaml:"customSmsSender"`
	// Defines the authentication challenge.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-define-auth-challenge.html
	//
	DefineAuthChallenge awslambda.IFunction `field:"optional" json:"defineAuthChallenge" yaml:"defineAuthChallenge"`
	// A post-authentication AWS Lambda trigger.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-authentication.html
	//
	PostAuthentication awslambda.IFunction `field:"optional" json:"postAuthentication" yaml:"postAuthentication"`
	// A post-confirmation AWS Lambda trigger.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-confirmation.html
	//
	PostConfirmation awslambda.IFunction `field:"optional" json:"postConfirmation" yaml:"postConfirmation"`
	// A pre-authentication AWS Lambda trigger.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-authentication.html
	//
	PreAuthentication awslambda.IFunction `field:"optional" json:"preAuthentication" yaml:"preAuthentication"`
	// A pre-registration AWS Lambda trigger.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html
	//
	PreSignUp awslambda.IFunction `field:"optional" json:"preSignUp" yaml:"preSignUp"`
	// A pre-token-generation AWS Lambda trigger.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html
	//
	PreTokenGeneration awslambda.IFunction `field:"optional" json:"preTokenGeneration" yaml:"preTokenGeneration"`
	// A user-migration AWS Lambda trigger.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-migrate-user.html
	//
	UserMigration awslambda.IFunction `field:"optional" json:"userMigration" yaml:"userMigration"`
	// Verifies the authentication challenge response.
	// See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-verify-auth-challenge-response.html
	//
	VerifyAuthChallengeResponse awslambda.IFunction `field:"optional" json:"verifyAuthChallengeResponse" yaml:"verifyAuthChallengeResponse"`
}

Triggers for a user pool.

Example: 

authChallengeFn := lambda.NewFunction(this, jsii.String("authChallengeFn"), &functionProps{
	runtime: lambda.runtime_NODEJS_14_X(),
	handler: jsii.String("index.handler"),
	code: lambda.code.fromAsset(path.join(__dirname, jsii.String("path/to/asset"))),
})

userpool := cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	lambdaTriggers: &userPoolTriggers{
		createAuthChallenge: authChallengeFn,
	},
})

userpool.addTrigger(cognito.userPoolOperation_USER_MIGRATION(), lambda.NewFunction(this, jsii.String("userMigrationFn"), &functionProps{
	runtime: lambda.*runtime_NODEJS_14_X(),
	handler: jsii.String("index.handler"),
	code: lambda.*code.fromAsset(path.join(__dirname, jsii.String("path/to/asset"))),
}))

See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html

type UserVerificationConfig 

type UserVerificationConfig struct {
	// The email body template for the verification email sent to the user upon sign up.
	//
	// See https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-templates.html to
	// learn more about message templates.
	EmailBody *string `field:"optional" json:"emailBody" yaml:"emailBody"`
	// Emails can be verified either using a code or a link.
	//
	// Learn more at https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-email-verification-message-customization.html
	EmailStyle VerificationEmailStyle `field:"optional" json:"emailStyle" yaml:"emailStyle"`
	// The email subject template for the verification email sent to the user upon sign up.
	//
	// See https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-templates.html to
	// learn more about message templates.
	EmailSubject *string `field:"optional" json:"emailSubject" yaml:"emailSubject"`
	// The message template for the verification SMS sent to the user upon sign up.
	//
	// See https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-templates.html to
	// learn more about message templates.
	SmsMessage *string `field:"optional" json:"smsMessage" yaml:"smsMessage"`
}

User pool configuration for user self sign up.

Example: 

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	selfSignUpEnabled: jsii.Boolean(true),
	userVerification: &userVerificationConfig{
		emailSubject: jsii.String("Verify your email for our awesome app!"),
		emailBody: jsii.String("Thanks for signing up to our awesome app! Your verification code is {####}"),
		emailStyle: cognito.verificationEmailStyle_CODE,
		smsMessage: jsii.String("Thanks for signing up to our awesome app! Your verification code is {####}"),
	},
})

type VerificationEmailStyle 

type VerificationEmailStyle string

The email verification style.

Example: 

cognito.NewUserPool(this, jsii.String("myuserpool"), &userPoolProps{
	// ...
	selfSignUpEnabled: jsii.Boolean(true),
	userVerification: &userVerificationConfig{
		emailSubject: jsii.String("Verify your email for our awesome app!"),
		emailBody: jsii.String("Thanks for signing up to our awesome app! Your verification code is {####}"),
		emailStyle: cognito.verificationEmailStyle_CODE,
		smsMessage: jsii.String("Thanks for signing up to our awesome app! Your verification code is {####}"),
	},
})

const (
	// Verify email via code.
	VerificationEmailStyle_CODE VerificationEmailStyle = "CODE"
	// Verify email via link.
	VerificationEmailStyle_LINK VerificationEmailStyle = "LINK"
)

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.