feat: add CognitoUserPoolConstruct with managed login branding support #62
Merged
ncipollina merged 4 commits into main on Apr 3, 2026
Conversation
Introduces a new CDK construct for provisioning Cognito User Pools with full support for custom domains, app clients, resource servers, user groups, CloudFormation outputs, and AWS Managed Login branding (v2). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: eb43fa5e6e
Document CognitoUserPoolConstruct covering domain modes (Cognito-hosted and custom), resource servers, app clients, user groups, Managed Login branding, CloudFormation exports, testing helpers, and AutoFixture integration. Update docs/index.md, docs/testing/index.md, README.md, mkdocs.yml, and the .slnx solution file. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Cognito custom domains require an ACM certificate in us-east-1. The Certificate construct has no Region property in CDK v2 (DnsValidatedCertificate which had one is deprecated). Add an optional ICertificate property to ICognitoUserPoolDomainProps so callers deploying outside us-east-1 can provide a pre-created certificate from a us-east-1 stack. When null, the construct creates one in the stack's region as before (valid for stacks already in us-east-1). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add a synth-time guard that throws when a custom domain is configured without a caller-supplied certificate and the stack region is resolved to something other than us-east-1. Cognito requires certificates in us-east-1; this surfaces the misconfiguration immediately with a clear message instead of failing at CloudFormation deploy time. Environment-agnostic stacks (Token.IsUnresolved) are skipped since the region is not known at synth. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
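The synth-time guard described in the commit above, written out as an added example (this is not the PR's own code): it returns whether the construct should create the certificate itself, skips the check for environment-agnostic stacks where the region is still a token, and throws a synth-time error when a custom domain is configured outside us-east-1 without a caller-supplied certificate. The class name, method signature, and the sample account, region and domain values in the demo are assumptions made for this example.

```csharp
using System;
using Amazon.CDK;
using Amazon.CDK.AWS.CertificateManager;

// Added example, not the project's own code. A custom Cognito domain needs an ACM
// certificate issued in us-east-1, so a stack pinned to any other region must
// receive a pre-created certificate from the caller; otherwise fail at synth.
public static class CognitoDomainCertificateGuard
{
    public const string RequiredRegion = "us-east-1";

    // Returns true when the construct should create the certificate in the stack's
    // own region, false when the caller's certificate should be used instead.
    public static bool ValidateCustomDomainCertificate(
        Stack stack, string customDomainName, ICertificate? callerCertificate)
    {
        if (string.IsNullOrWhiteSpace(customDomainName))
            throw new ArgumentException("A custom domain name is required.", nameof(customDomainName));

        // Caller-supplied certificate: the caller is responsible for issuing it in us-east-1.
        if (callerCertificate != null)
            return false;

        // Environment-agnostic stack: the region is an unresolved token at synth time,
        // so the check cannot run here and any mismatch surfaces at deploy time instead.
        if (Token.IsUnresolved(stack.Region))
            return true;

        if (!string.Equals(stack.Region, RequiredRegion, StringComparison.Ordinal))
            throw new InvalidOperationException(
                $"Custom Cognito domain '{customDomainName}' requires an ACM certificate in {RequiredRegion}, " +
                $"but stack '{stack.StackName}' is in {stack.Region} and no certificate was supplied. " +
                "Create the certificate in a us-east-1 stack and pass it in the domain props.");

        return true;
    }
}

// Demo: a stack pinned to eu-west-1 with no caller certificate fails at synth.
public static class GuardDemo
{
    public static void Main()
    {
        var app = new App();
        var stack = new Stack(app, "DemoStack", new StackProps
        {
            // Constructed sample values for the example only.
            Env = new Amazon.CDK.Environment { Account = "123456789012", Region = "eu-west-1" }
        });

        try
        {
            CognitoDomainCertificateGuard.ValidateCustomDomainCertificate(stack, "auth.example.com", null);
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine(ex.Message);
        }
    }
}
```

Running the demo prints the misconfiguration message instead of producing a template that would only fail once CloudFormation tries to create the domain. Note that the guard deliberately returns early for an unresolved region rather than throwing, so environment-agnostic stacks keep working exactly as before.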
Summary

Introduces `CognitoUserPoolConstruct`, a new CDK L3 construct that provisions a fully configured Cognito User Pool. It covers the entire Cognito surface needed for production apps: custom or Cognito-hosted domains, app clients, resource servers with scopes, user groups, AWS Managed Login branding (v2), and CloudFormation exports for cross-stack consumption.

Changes

New construct - `CognitoUserPoolConstruct`
- `UserPool` with sensible defaults (email sign-in, auto-verify, configurable password policy, MFA, removal policy)
- `CfnManagedLoginBranding` resources linked to app clients, with a dependency on the domain and JSII-compatible JSON serialization via `ToJsiiCompatible`
- `CfnOutput` CloudFormation exports: `{stack}-{id}-user-pool-id`, `{stack}-{id}-user-pool-arn`, `{stack}-{id}-client-{name}-id`

New models
- `ICognitoUserPoolConstructProps` / `CognitoUserPoolConstructProps`
- `ICognitoUserPoolDomainProps` / `CognitoUserPoolDomainProps` (supports Cognito prefix or custom domain)
- `ICognitoUserPoolAppClientProps` / `CognitoUserPoolAppClientProps`
- `ICognitoResourceServerProps` / `CognitoResourceServerProps`
- `ICognitoResourceServerScopeProps` / `CognitoResourceServerScopeProps`
- `ICognitoUserPoolGroupProps` / `CognitoUserPoolGroupProps`
- `ICognitoManagedLoginBrandingProps` / `CognitoManagedLoginBrandingProps` (settings JSON + optional assets)
- `ICognitoManagedLoginBrandingAssetProps` / `CognitoManagedLoginBrandingAssetProps`
- `CognitoManagedLoginVersion` enum (`ManagedLogin` / `ClassicHostedUi`)

Testing helpers (shipped in the library)
- `CognitoUserPoolConstructPropsBuilder` - fluent builder for test props
- `CognitoUserPoolConstructAssertions` - `ShouldHaveUserPool`, `ShouldHaveCognitoUserPoolDomain`, `ShouldHaveUserPoolClient`, `ShouldHaveResourceServer`, `ShouldHaveUserPoolGroup`, `ShouldHaveManagedLoginBranding`, `ShouldNotHaveManagedLoginBranding`, `ShouldExportUserPoolId`, `ShouldExportUserPoolArn`, `ShouldExportAppClientId`
- `CdkTestHelper.CreateCognitoUserPoolPropsBuilder` factory method

Unit tests
- `CognitoUserPoolConstructTests` covering all construct behaviors including branding present/absent, empty settings JSON guard, and all three CloudFormation exports

Build scripts
- `scripts/pack-local.ps1` / `scripts/pack-local.sh` - pack and install to local NuGet cache for consuming repos

Validation
- `dotnet test` - all 16 new tests pass alongside existing suite
- `dotnet build` - no errors, pre-existing warnings only

Release Notes

`CognitoUserPoolConstruct` - new L3 construct for Cognito User Pools with managed login branding, cross-stack exports, and a full suite of shipped test helpers.

Notes for Reviewers

The JSII runtime cannot serialize `System.Text.Json.JsonElement` directly. The `ToJsiiCompatible` method recursively converts the parsed branding JSON into plain CLR types (`Dictionary<string,object>`, arrays, primitives) before passing it to `CfnManagedLoginBrandingProps.Settings`. The branding resource is also given an explicit CDK dependency on the domain to ensure correct CloudFormation creation order when using Managed Login v2.
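The JsonElement-to-CLR conversion the reviewer notes describe, as an added example rather than the PR's actual `ToJsiiCompatible` implementation: it walks the parsed document recursively, emitting `Dictionary<string, object?>` for objects, `object?[]` for arrays and plain primitives for leaves, rejects empty settings JSON before parsing, and hands the result to `CfnManagedLoginBrandingProps.Settings`. The class name `BrandingSettings`, the `Parse` wrapper and the constructed sample JSON and ids are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;
using Amazon.CDK.AWS.Cognito;

// Added example, not the project's own code. JSII marshals plain CLR types
// (IDictionary<string, object>, arrays, string/number/bool/null) across to the
// CDK JavaScript side, but not System.Text.Json.JsonElement, so the parsed tree
// must be copied out into those types first.
public static class BrandingSettings
{
    public static object? ToJsiiCompatible(JsonElement element)
    {
        switch (element.ValueKind)
        {
            case JsonValueKind.Object:
                var dict = new Dictionary<string, object?>();
                foreach (JsonProperty prop in element.EnumerateObject())
                    dict[prop.Name] = ToJsiiCompatible(prop.Value);
                return dict;

            case JsonValueKind.Array:
                var items = new List<object?>();
                foreach (JsonElement item in element.EnumerateArray())
                    items.Add(ToJsiiCompatible(item));
                return items.ToArray();

            case JsonValueKind.String:
                return element.GetString();

            case JsonValueKind.Number:
                // Keep integers as long where they fit; everything else becomes double.
                return element.TryGetInt64(out long l) ? l : element.GetDouble();

            case JsonValueKind.True:
                return true;
            case JsonValueKind.False:
                return false;
            case JsonValueKind.Null:
            case JsonValueKind.Undefined:
                return null;

            default:
                throw new ArgumentOutOfRangeException(nameof(element),
                    $"Unsupported JSON value kind {element.ValueKind}");
        }
    }

    // Guard against empty settings, then convert. The JsonDocument is disposed on
    // return; that is safe because ToJsiiCompatible has already copied every value.
    public static IDictionary<string, object?> Parse(string settingsJson)
    {
        if (string.IsNullOrWhiteSpace(settingsJson))
            throw new ArgumentException("Managed Login branding settings JSON must not be empty.", nameof(settingsJson));

        using JsonDocument doc = JsonDocument.Parse(settingsJson);
        if (doc.RootElement.ValueKind != JsonValueKind.Object)
            throw new ArgumentException("Branding settings must be a JSON object.", nameof(settingsJson));

        return (IDictionary<string, object?>)ToJsiiCompatible(doc.RootElement)!;
    }
}

public static class BrandingDemo
{
    // Constructed sample settings for the example; not a real Managed Login schema.
    private const string SampleSettingsJson = @"{
        ""components"": { ""pageBackground"": { ""image"": { ""enabled"": true } } },
        ""categories"": [ ""global"", ""form"" ],
        ""version"": 2
    }";

    public static CfnManagedLoginBrandingProps BuildProps()
    {
        return new CfnManagedLoginBrandingProps
        {
            UserPoolId = "POOL_ID_PLACEHOLDER",   // placeholder, normally userPool.UserPoolId
            ClientId = "CLIENT_ID_PLACEHOLDER",   // placeholder, normally client.UserPoolClientId
            Settings = BrandingSettings.Parse(SampleSettingsJson)
        };
    }

    public static void Main()
    {
        var props = BuildProps();
        var settings = (IDictionary<string, object?>)props.Settings!;
        Console.WriteLine(settings["version"]);                       // 2
        Console.WriteLine(((object?[])settings["categories"]!).Length); // 2
    }
}
```

In the construct itself the resulting `CfnManagedLoginBranding` should still get `AddDependency` on the domain's underlying `CfnResource`, as the reviewer notes say, so CloudFormation creates the Managed Login v2 domain before the branding that references it; that wiring is left out of this example.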