feat(cognito): user pool: adds custom sender (Email/SMS) lambda triggers (#17740)

thchia · web-flow · commit 7f45de4ba3cd · 2021-12-06T15:49:54.000Z
### Motivation

I would like to use the Custom Sender triggers in my CDK app. They are supported by raw CF (despite the docs claiming otherwise).

I do not wish to use the CfnUserPool construct as I am unable to pass the pool as a reference to other constructs (e.g. API Gateway authorisers/User Pool App Clients/etc.).

I do not wish to follow the method recommended by the docs either (using the CLI to update the pool post-deployment), as it is hard to automate (requiring me to fetch the ARNs of my functions and KMS Key, not to mention it overrides other properties of the User Pool), and leaks my stack configuration out from CDK and into some post-deploy script.

Please find this PR in support of adding the triggers to CDK.

### Description

Adds support for 2 extra lambda triggers (`CustomEmailSender` and `CustomSMSSender`). These triggers have a different format, requiring both function ARN and version (only supported value is `V1_0`).

Additionally, specifying either of these requires a `KMSKeyId` be specified as well, which appears as a property of the `LambdaTriggers` property in CF.

Additionally, specifying the `CustomSMSSender` requires the `smsRole` be specified (allowing `sns:publish`).

Neither of these requirements are enforced in the code, but CF will throw helpful (IMO) errors if they are not satisfied.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-cognito/lib/user-pool.ts b/packages/@aws-cdk/aws-cognito/lib/user-pool.ts
@@ -1,4 +1,5 @@
 import { IRole, PolicyDocument, PolicyStatement, Role, ServicePrincipal } from '@aws-cdk/aws-iam';
+import { IKey } from '@aws-cdk/aws-kms';
 import * as lambda from '@aws-cdk/aws-lambda';
 import { ArnFormat, Duration, IResource, Lazy, Names, RemovalPolicy, Resource, Stack, Token } from '@aws-cdk/core';
 import { Construct } from 'constructs';
@@ -138,6 +139,20 @@ export interface UserPoolTriggers {
    */
   readonly verifyAuthChallengeResponse?: lambda.IFunction;
 
+  /**
+   * Amazon Cognito invokes this trigger to send email notifications to users.
+   * @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-email-sender.html
+   * @default - no trigger configured
+   */
+  readonly customEmailSender?: lambda.IFunction
+
+  /**
+   * Amazon Cognito invokes this trigger to send SMS notifications to users.
+   * @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sms-sender.html
+   * @default - no trigger configured
+   */
+  readonly customSmsSender?: lambda.IFunction
+
   /**
    * Index signature
    */
@@ -208,6 +223,18 @@ export class UserPoolOperation {
    */
   public static readonly VERIFY_AUTH_CHALLENGE_RESPONSE = new UserPoolOperation('verifyAuthChallengeResponse');
 
+  /**
+   * Amazon Cognito invokes this trigger to send email notifications to users.
+   * @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-email-sender.html
+   */
+  public static readonly CUSTOM_EMAIL_SENDER = new UserPoolOperation('customEmailSender');
+
+  /**
+   * Amazon Cognito invokes this trigger to send email notifications to users.
+   * @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sms-sender.html
+   */
+  public static readonly CUSTOM_SMS_SENDER = new UserPoolOperation('customSmsSender');
+
   /** A custom user pool operation */
   public static of(name: string): UserPoolOperation {
     const lowerCamelCase = name.charAt(0).toLowerCase() + name.slice(1);
@@ -616,6 +643,13 @@ export interface UserPoolProps {
    * @default - see defaults on each property of DeviceTracking.
    */
   readonly deviceTracking?: DeviceTracking;
+
+  /**
+   * This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.
+   * @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sender-triggers.html
+   * @default - no key ID configured
+   */
+  readonly customSenderKmsKey?: IKey;
 }
 
 /**
@@ -766,12 +800,37 @@ export class UserPool extends UserPoolBase {
 
     const signIn = this.signInConfiguration(props);
 
+    if (props.customSenderKmsKey) {
+      const kmsKey = props.customSenderKmsKey;
+      (this.triggers as any).kmsKeyId = kmsKey.keyArn;
+    }
+
     if (props.lambdaTriggers) {
       for (const t of Object.keys(props.lambdaTriggers)) {
-        const trigger = props.lambdaTriggers[t];
-        if (trigger !== undefined) {
-          this.addLambdaPermission(trigger as lambda.IFunction, t);
-          (this.triggers as any)[t] = (trigger as lambda.IFunction).functionArn;
+        let trigger: lambda.IFunction | undefined;
+        switch (t) {
+          case 'customSmsSender':
+          case 'customEmailSender':
+            if (!this.triggers.kmsKeyId) {
+              throw new Error('you must specify a KMS key if you are using customSmsSender or customEmailSender.');
+            }
+            trigger = props.lambdaTriggers[t];
+            const version = 'V1_0';
+            if (trigger !== undefined) {
+              this.addLambdaPermission(trigger as lambda.IFunction, t);
+              (this.triggers as any)[t] = {
+                lambdaArn: trigger.functionArn,
+                lambdaVersion: version,
+              };
+            }
+            break;
+          default:
+            trigger = props.lambdaTriggers[t] as lambda.IFunction | undefined;
+            if (trigger !== undefined) {
+              this.addLambdaPermission(trigger as lambda.IFunction, t);
+              (this.triggers as any)[t] = (trigger as lambda.IFunction).functionArn;
+            }
+            break;
         }
       }
     }
@@ -848,7 +907,21 @@ export class UserPool extends UserPoolBase {
     }
 
     this.addLambdaPermission(fn, operation.operationName);
-    (this.triggers as any)[operation.operationName] = fn.functionArn;
+    switch (operation.operationName) {
+      case 'customEmailSender':
+      case 'customSmsSender':
+        if (!this.triggers.kmsKeyId) {
+          throw new Error('you must specify a KMS key if you are using customSmsSender or customEmailSender.');
+        }
+        (this.triggers as any)[operation.operationName] = {
+          lambdaArn: fn.functionArn,
+          lambdaVersion: 'V1_0',
+        };
+        break;
+      default:
+        (this.triggers as any)[operation.operationName] = fn.functionArn;
+    }
+
   }
 
   private addLambdaPermission(fn: lambda.IFunction, name: string): void {
diff --git a/packages/@aws-cdk/aws-cognito/package.json b/packages/@aws-cdk/aws-cognito/package.json
@@ -84,6 +84,7 @@
   "dependencies": {
     "@aws-cdk/aws-certificatemanager": "0.0.0",
     "@aws-cdk/aws-iam": "0.0.0",
+    "@aws-cdk/aws-kms": "0.0.0",
     "@aws-cdk/aws-lambda": "0.0.0",
     "@aws-cdk/core": "0.0.0",
     "@aws-cdk/custom-resources": "0.0.0",
@@ -94,6 +95,7 @@
   "peerDependencies": {
     "@aws-cdk/aws-certificatemanager": "0.0.0",
     "@aws-cdk/aws-iam": "0.0.0",
+    "@aws-cdk/aws-kms": "0.0.0",
     "@aws-cdk/aws-lambda": "0.0.0",
     "@aws-cdk/core": "0.0.0",
     "@aws-cdk/custom-resources": "0.0.0",
diff --git a/packages/@aws-cdk/aws-cognito/test/integ.user-pool-custom-sender.expected.json b/packages/@aws-cdk/aws-cognito/test/integ.user-pool-custom-sender.expected.json
@@ -0,0 +1,198 @@
+{
+  "Resources": {
+    "emailLambdaServiceRole7569D9F6": {
+      "Type": "AWS::IAM::Role",
+      "Properties": {
+        "AssumeRolePolicyDocument": {
+          "Statement": [
+            {
+              "Action": "sts:AssumeRole",
+              "Effect": "Allow",
+              "Principal": {
+                "Service": "lambda.amazonaws.com"
+              }
+            }
+          ],
+          "Version": "2012-10-17"
+        },
+        "ManagedPolicyArns": [
+          {
+            "Fn::Join": [
+              "",
+              [
+                "arn:",
+                {
+                  "Ref": "AWS::Partition"
+                },
+                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+              ]
+            ]
+          }
+        ]
+      }
+    },
+    "emailLambda61F82360": {
+      "Type": "AWS::Lambda::Function",
+      "Properties": {
+        "Code": {
+          "ZipFile": "exports.handler = function(event, ctx, cb) { console.log(\"Mocked custom email send\");return cb(null, \"success\"); }"
+        },
+        "Role": {
+          "Fn::GetAtt": [
+            "emailLambdaServiceRole7569D9F6",
+            "Arn"
+          ]
+        },
+        "Handler": "index.handler",
+        "Runtime": "nodejs14.x"
+      },
+      "DependsOn": [
+        "emailLambdaServiceRole7569D9F6"
+      ]
+    },
+    "emailLambdaCustomEmailSenderCognito5E15D907": {
+      "Type": "AWS::Lambda::Permission",
+      "Properties": {
+        "Action": "lambda:InvokeFunction",
+        "FunctionName": {
+          "Fn::GetAtt": [
+            "emailLambda61F82360",
+            "Arn"
+          ]
+        },
+        "Principal": "cognito-idp.amazonaws.com"
+      }
+    },
+    "keyFEDD6EC0": {
+      "Type": "AWS::KMS::Key",
+      "Properties": {
+        "KeyPolicy": {
+          "Statement": [
+            {
+              "Action": "kms:*",
+              "Effect": "Allow",
+              "Principal": {
+                "AWS": {
+                  "Fn::Join": [
+                    "",
+                    [
+                      "arn:",
+                      {
+                        "Ref": "AWS::Partition"
+                      },
+                      ":iam::",
+                      {
+                        "Ref": "AWS::AccountId"
+                      },
+                      ":root"
+                    ]
+                  ]
+                }
+              },
+              "Resource": "*"
+            }
+          ],
+          "Version": "2012-10-17"
+        }
+      },
+      "UpdateReplacePolicy": "Retain",
+      "DeletionPolicy": "Retain"
+    },
+    "pool056F3F7E": {
+      "Type": "AWS::Cognito::UserPool",
+      "Properties": {
+        "AccountRecoverySetting": {
+          "RecoveryMechanisms": [
+            {
+              "Name": "verified_phone_number",
+              "Priority": 1
+            },
+            {
+              "Name": "verified_email",
+              "Priority": 2
+            }
+          ]
+        },
+        "AdminCreateUserConfig": {
+          "AllowAdminCreateUserOnly": false
+        },
+        "AutoVerifiedAttributes": [
+          "email"
+        ],
+        "EmailVerificationMessage": "The verification code to your new account is {####}",
+        "EmailVerificationSubject": "Verify your new account",
+        "LambdaConfig": {
+          "CustomEmailSender": {
+            "LambdaArn": {
+              "Fn::GetAtt": [
+                "emailLambda61F82360",
+                "Arn"
+              ]
+            },
+            "LambdaVersion": "V1_0"
+          },
+          "KMSKeyID": {
+            "Fn::GetAtt": [
+              "keyFEDD6EC0",
+              "Arn"
+            ]
+          }
+        },
+        "SmsVerificationMessage": "The verification code to your new account is {####}",
+        "UsernameAttributes": [
+          "email"
+        ],
+        "VerificationMessageTemplate": {
+          "DefaultEmailOption": "CONFIRM_WITH_CODE",
+          "EmailMessage": "The verification code to your new account is {####}",
+          "EmailSubject": "Verify your new account",
+          "SmsMessage": "The verification code to your new account is {####}"
+        }
+      },
+      "UpdateReplacePolicy": "Delete",
+      "DeletionPolicy": "Delete"
+    },
+    "poolclient2623294C": {
+      "Type": "AWS::Cognito::UserPoolClient",
+      "Properties": {
+        "UserPoolId": {
+          "Ref": "pool056F3F7E"
+        },
+        "AllowedOAuthFlows": [
+          "implicit",
+          "code"
+        ],
+        "AllowedOAuthFlowsUserPoolClient": true,
+        "AllowedOAuthScopes": [
+          "profile",
+          "phone",
+          "email",
+          "openid",
+          "aws.cognito.signin.user.admin"
+        ],
+        "CallbackURLs": [
+          "https://example.com"
+        ],
+        "ExplicitAuthFlows": [
+          "ALLOW_USER_SRP_AUTH",
+          "ALLOW_REFRESH_TOKEN_AUTH"
+        ],
+        "SupportedIdentityProviders": [
+          "COGNITO"
+        ]
+      }
+    }
+  },
+  "Outputs": {
+    "UserPoolId": {
+      "Value": {
+        "Ref": "pool056F3F7E"
+      }
+    },
+    "ClientId": {
+      "Value": {
+        "Ref": "poolclient2623294C"
+      }
+    }
+  }
+}
diff --git a/packages/@aws-cdk/aws-cognito/test/integ.user-pool-custom-sender.ts b/packages/@aws-cdk/aws-cognito/test/integ.user-pool-custom-sender.ts
@@ -0,0 +1,47 @@
+import * as kms from '@aws-cdk/aws-kms';
+import * as lambda from '@aws-cdk/aws-lambda';
+import { App, CfnOutput, RemovalPolicy, Stack } from '@aws-cdk/core';
+import { UserPool } from '../lib';
+
+/*
+ * Stack verification steps
+ * * Sign up to the created user pool using an email address as the username, and password.
+ * * Verify the CustomEmailSender lambda was called via logged message in CloudWatch.
+ */
+const app = new App();
+const stack = new Stack(app, 'integ-user-pool-custom-sender');
+
+const customSenderLambda = new lambda.Function(stack, 'emailLambda', {
+  runtime: lambda.Runtime.NODEJS_14_X,
+  handler: 'index.handler',
+  code: lambda.Code.fromInline('exports.handler = function(event, ctx, cb) { console.log("Mocked custom email send");return cb(null, "success"); }'),
+});
+
+const userpool = new UserPool(stack, 'pool', {
+  autoVerify: {
+    email: true,
+  },
+  selfSignUpEnabled: true,
+  signInAliases: {
+    email: true,
+  },
+  customSenderKmsKey: new kms.Key(stack, 'key'),
+  lambdaTriggers: {
+    customEmailSender: customSenderLambda,
+  },
+  removalPolicy: RemovalPolicy.DESTROY,
+});
+
+const client = userpool.addClient('client', {
+  authFlows: {
+    userSrp: true,
+  },
+});
+
+new CfnOutput(stack, 'UserPoolId', {
+  value: userpool.userPoolId,
+});
+
+new CfnOutput(stack, 'ClientId', {
+  value: client.userPoolClientId,
+});
diff --git a/packages/@aws-cdk/aws-cognito/test/user-pool.test.ts b/packages/@aws-cdk/aws-cognito/test/user-pool.test.ts

-Original file line number
+Diff line change
 import { Match, Template } from '@aws-cdk/assertions';
 import { Role, ServicePrincipal } from '@aws-cdk/aws-iam';
 +import * as kms from '@aws-cdk/aws-kms';
 import * as lambda from '@aws-cdk/aws-lambda';
 import { testDeprecated } from '@aws-cdk/cdk-build-tools';
 import { CfnParameter, Duration, Stack, Tags } from '@aws-cdk/core';
     });
   });
 +  test('custom sender lambda triggers via properties are correctly configured', () => {
 +    // GIVEN
 +    const stack = new Stack();
 +    const kmsKey = fooKey(stack, 'TestKMSKey');
 +    const emailFn = fooFunction(stack, 'customEmailSender');
 +    const smsFn = fooFunction(stack, 'customSmsSender');
++
 +    // WHEN
 +    new UserPool(stack, 'Pool', {
 +      customSenderKmsKey: kmsKey,
 +      lambdaTriggers: {
 +        customEmailSender: emailFn,
 +        customSmsSender: smsFn,
 +      },
 +    });
++
 +    // THEN
 +    Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPool', {
 +      LambdaConfig: {
 +        CustomEmailSender: {
 +          LambdaArn: stack.resolve(emailFn.functionArn),
 +          LambdaVersion: 'V1_0',
 +        },
 +        CustomSMSSender: {
 +          LambdaArn: stack.resolve(smsFn.functionArn),
 +          LambdaVersion: 'V1_0',
 +        },
 +      },
 +    });
 +    Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
 +      Action: 'lambda:InvokeFunction',
 +      FunctionName: stack.resolve(emailFn.functionArn),
 +      Principal: 'cognito-idp.amazonaws.com',
 +    });
 +    Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
 +      Action: 'lambda:InvokeFunction',
 +      FunctionName: stack.resolve(smsFn.functionArn),
 +      Principal: 'cognito-idp.amazonaws.com',
 +    });
 +  });
++
 +  test('lambda trigger KMS Key ID via properties is correctly configured', () => {
 +    // GIVEN
 +    const stack = new Stack();
 +    const kmsKey = fooKey(stack, 'TestKMSKey');
++
 +    // WHEN
 +    new UserPool(stack, 'Pool', {
 +      customSenderKmsKey: kmsKey,
 +    });
++
 +    // THEN
 +    Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPool', {
 +      LambdaConfig: {
 +        KMSKeyID: { 'Fn::GetAtt': ['TestKMSKey32509532', 'Arn'] },
 +      },
 +    });
 +  });
++
   test('add* API correctly appends triggers', () => {
     // GIVEN
     const stack = new Stack();
 +    const kmsKey = fooKey(stack, 'TestKMSKey');
     const createAuthChallenge = fooFunction(stack, 'createAuthChallenge');
     const customMessage = fooFunction(stack, 'customMessage');
     const preTokenGeneration = fooFunction(stack, 'preTokenGeneration');
     const userMigration = fooFunction(stack, 'userMigration');
     const verifyAuthChallengeResponse = fooFunction(stack, 'verifyAuthChallengeResponse');
 +    const customEmailSender = fooFunction(stack, 'customEmailSender');
 +    const customSmsSender = fooFunction(stack, 'customSmsSender');
     // WHEN
 -    const pool = new UserPool(stack, 'Pool');
 +    const pool = new UserPool(stack, 'Pool', {
 +      customSenderKmsKey: kmsKey,
 +    });
     pool.addTrigger(UserPoolOperation.CREATE_AUTH_CHALLENGE, createAuthChallenge);
     pool.addTrigger(UserPoolOperation.CUSTOM_MESSAGE, customMessage);
     pool.addTrigger(UserPoolOperation.DEFINE_AUTH_CHALLENGE, defineAuthChallenge);
     pool.addTrigger(UserPoolOperation.PRE_TOKEN_GENERATION, preTokenGeneration);
     pool.addTrigger(UserPoolOperation.USER_MIGRATION, userMigration);
     pool.addTrigger(UserPoolOperation.VERIFY_AUTH_CHALLENGE_RESPONSE, verifyAuthChallengeResponse);
 +    pool.addTrigger(UserPoolOperation.CUSTOM_EMAIL_SENDER, customEmailSender);
 +    pool.addTrigger(UserPoolOperation.CUSTOM_SMS_SENDER, customSmsSender);
     // THEN
     Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPool', {
         PreTokenGeneration: stack.resolve(preTokenGeneration.functionArn),
         UserMigration: stack.resolve(userMigration.functionArn),
         VerifyAuthChallengeResponse: stack.resolve(verifyAuthChallengeResponse.functionArn),
 +        CustomEmailSender: {
 +          LambdaArn: stack.resolve(customEmailSender.functionArn),
 +          LambdaVersion: 'V1_0',
 +        },
 +        CustomSMSSender: {
 +          LambdaArn: stack.resolve(customSmsSender.functionArn),
 +          LambdaVersion: 'V1_0',
 +        },
       },
     });
     [createAuthChallenge, customMessage, defineAuthChallenge, postAuthentication,
       postConfirmation, preAuthentication, preSignUp, preTokenGeneration, userMigration,
 -      verifyAuthChallengeResponse].forEach((fn) => {
 +      verifyAuthChallengeResponse, customEmailSender, customSmsSender].forEach((fn) => {
       Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
         Action: 'lambda:InvokeFunction',
         FunctionName: stack.resolve(fn.functionArn),
     handler: 'index.handler',
   });
+}
++
 +function fooKey(scope: Construct, name: string): kms.Key {
 +  return new kms.Key(scope, name);
 +}