
feat(cognito): better control sms role creation #9513

Merged
merged 9 commits into from
Aug 12, 2020

Conversation

nija-at
Contributor

@nija-at nija-at commented Aug 7, 2020

  • Introduce a property enableSmsRole that can be used to override CDK
    logic and explicitly enable or disable automatic creation of an IAM role
    for SMS.

  • Instead of creating the SMS role by default, all of the time, be smart
    about determining when the role is actually needed. Create the role only
    if (a) SMS is configured as MFA second factor, (b) sign in via phone
    number is enabled, or (c) phone verification is required.

closes #6943


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

BREAKING CHANGE: CDK may now remove a previously created IAM role for
SMS. The role will be removed only because it's not actually required by
the user pool based on its configuration, so this should have no impact.
This behaviour can be explicitly overridden by setting `enableSmsRole`
property.

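The role-creation decision described in the PR, as an added stand-alone example (not aws-cdk's own code). It combines the `enableSmsRole` override with the three conditions (a)-(c), reusing a `mfaConfiguration` helper shaped like the one quoted later in the review; the property names `signInAliases.phone` and `autoVerify.phone` are modelled on CDK's `UserPoolProps` but are assumptions here.

```typescript
// Added example, not aws-cdk's code. Property names other than mfa,
// mfaSecondFactor and enableSmsRole are assumptions modelled on UserPoolProps.
export enum Mfa { OFF = 'OFF', OPTIONAL = 'OPTIONAL', REQUIRED = 'REQUIRED' }

export interface UserPoolProps {
  mfa?: Mfa;
  mfaSecondFactor?: { sms: boolean; otp: boolean };
  signInAliases?: { phone?: boolean };   // assumed: phone-number sign-in
  autoVerify?: { phone?: boolean };      // assumed: phone verification
  enableSmsRole?: boolean;               // explicit override from the PR
}

// Shaped like the mfaConfiguration helper quoted in the review: undefined
// when MFA is off; SMS_MFA alone when no second factor is spelled out.
export function mfaConfiguration(props: UserPoolProps): string[] | undefined {
  if (props.mfa === undefined || props.mfa === Mfa.OFF) {
    return undefined;
  }
  if (props.mfaSecondFactor === undefined) {
    return ['SMS_MFA'];
  }
  const enabledMfas: string[] = [];
  if (props.mfaSecondFactor.sms) { enabledMfas.push('SMS_MFA'); }
  if (props.mfaSecondFactor.otp) { enabledMfas.push('SOFTWARE_TOKEN_MFA'); }
  return enabledMfas;
}

// True only when the pool actually needs an IAM role to send SMS, unless the
// user overrides the decision. Least privilege: no role is created (and no
// permission to publish SMS granted) for pools that never send SMS.
export function smsRoleRequired(props: UserPoolProps): boolean {
  if (props.enableSmsRole !== undefined) {
    return props.enableSmsRole;                                          // override wins
  }
  const smsMfa = mfaConfiguration(props)?.includes('SMS_MFA') ?? false;  // (a) SMS second factor
  const phoneSignIn = props.signInAliases?.phone === true;               // (b) phone sign-in
  const phoneVerify = props.autoVerify?.phone === true;                  // (c) phone verification
  return smsMfa || phoneSignIn || phoneVerify;
}
```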
@nija-at nija-at requested a review from a team August 7, 2020 15:10
@nija-at nija-at self-assigned this Aug 7, 2020
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Aug 7, 2020
@iliapolo iliapolo added the pr/do-not-merge This PR should not be merged at this time. label Aug 9, 2020
Contributor

@iliapolo iliapolo left a comment


@nija-at Are you comfortable with the integ tests now not covering the SMS role creation? Or is there another one that does? I'm just a little concerned we lost coverage here.

To your discretion, just wanted to mention it. Adding the do-not-merge label for now but feel free to remove and merge.

Comment on lines 861 to 862:

```ts
const mfaEnabled = props.mfa && props.mfa !== Mfa.OFF;
const mfaSms = !props.mfaSecondFactor || props.mfaSecondFactor.sms; // mfaSecondFactor.sms is true, by default if MFA is 'on'
```
Contributor


Seems like you can reuse the mfaConfiguration method here:

```ts
private mfaConfiguration(props: UserPoolProps): string[] | undefined {
  if (props.mfa === undefined || props.mfa === Mfa.OFF) {
    // since default is OFF, treat undefined and OFF the same way
    return undefined;
  } else if (props.mfaSecondFactor === undefined &&
    (props.mfa === Mfa.OPTIONAL || props.mfa === Mfa.REQUIRED)) {
    // MFA is on but no second factor was chosen: SMS is the default
    return [ 'SMS_MFA' ];
  } else {
    // MFA is on and the user picked the second factor(s) explicitly
    const enabledMfas: string[] = [];
    if (props.mfaSecondFactor!.sms) {
      enabledMfas.push('SMS_MFA');
    }
    if (props.mfaSecondFactor!.otp) {
      enabledMfas.push('SOFTWARE_TOKEN_MFA');
    }
    return enabledMfas;
  }
}
```

Contributor Author


Good catch. Changed.

@nija-at
Contributor Author

nija-at commented Aug 10, 2020

Are you comfortable with the integ tests now not covering the SMS role creation? Or is there another one that does?

These are tested in integ.user-pool-signup* where SMS-based sign up testing is also included.

@nija-at nija-at removed the pr/do-not-merge This PR should not be merged at this time. label Aug 12, 2020
@mergify
Contributor

mergify bot commented Aug 12, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit a772fe8 into master Aug 12, 2020
@mergify mergify bot deleted the nija-at/cognito-smsrole-optional branch August 12, 2020 08:15
@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 0e208ab
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Successfully merging this pull request may close these issues.

turn off automatic Cognito UserPool SMS role creation