agent-claw: automated task changes

cdk/node_modules/aws-cdk-lib/aws-cognito-identitypool/.jsiirc.json

@@ -0,0 +1,13 @@
+{
+  "targets": {
+    "java": {
+      "package": "software.amazon.awscdk.services.cognito.identitypool"
+    },
+    "dotnet": {
+      "namespace": "Amazon.CDK.AWS.Cognito.Identitypool"
+    },
+    "python": {
+      "module": "aws_cdk.aws_cognito_identitypool"
+    }
+  }
+}

cdk/node_modules/aws-cdk-lib/aws-cognito-identitypool/README.md

@@ -0,0 +1,368 @@
+# Amazon Cognito Identity Pool Construct Library
+
+[Amazon Cognito Identity Pools](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html) enable you to grant your users access to other AWS services.
+
+Identity Pools are one of the two main components of [Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html), which provides authentication, authorization, and
+user management for your web and mobile apps. Your users can sign in through a trusted identity provider, like a user 
+pool or a SAML 2.0 service, as well as with third party providers such as Facebook, Amazon, Google or Apple. 
+
+The other main component in Amazon Cognito is [user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html). User Pools are user directories that provide sign-up and
+sign-in options for your app users.
+
+This module is part of the [AWS Cloud Development Kit](https://github.com/aws/aws-cdk) project.
+
+```ts nofixture
+import { IdentityPool, UserPoolAuthenticationProvider } from 'aws-cdk-lib/aws-cognito-identitypool';
+```
+
+## Table of Contents
+
+- [Identity Pools](#identity-pools)
+  - [Authenticated and Unauthenticated Identities](#authenticated-and-unauthenticated-identities)
+  - [Authentication Providers](#authentication-providers)
+    - [User Pool Authentication Provider](#user-pool-authentication-provider)
+    - [Server Side Token Check](#server-side-token-check)
+    - [Associating an External Provider Directly](#associating-an-external-provider-directly)
+    - [OpenIdConnect and Saml](#openid-connect-and-saml)
+    - [Custom Providers](#custom-providers)
+  - [Role Mapping](#role-mapping)
+    - [Provider Urls](#provider-urls)
+  - [Authentication Flow](#authentication-flow)
+  - [Cognito Sync](#cognito-sync)
+  - [Importing Identity Pools](#importing-identity-pools)
+
+## Identity Pools
+
+Identity pools provide temporary AWS credentials for users who are guests (unauthenticated) and for users who have 
+authenticated by presenting a token from another identity provider. An identity pool is a store of user identity data 
+specific to an account.
+
+Identity pools can be used in conjunction with Cognito User Pools or by accessing external federated identity providers  
+directly. Learn more at [Amazon Cognito Identity Pools](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html).
+
+### Authenticated and Unauthenticated Identities
+
+Identity pools define two types of identities: authenticated(`user`) and unauthenticated (`guest`). Every identity in  
+an identity pool is either authenticated or unauthenticated. Each identity pool has a default role for authenticated  
+identities, and a default role for unauthenticated identities. Absent other overriding rules (see below), these are the  
+roles that will be assumed by the corresponding users in the authentication process. 
+
+A basic Identity Pool with minimal configuration has no required props, with default authenticated (user) and  
+unauthenticated (guest) roles applied to the identity pool: 
+
+```ts
+new IdentityPool(this, 'myIdentityPool');
+```
+
+By default, both the authenticated and unauthenticated roles will have no permissions attached. When granting permissions,
+you should ensure that you are granting the least privileged permissions required for your use case. Grant permissions 
+to roles using the public `authenticatedRole` and `unauthenticatedRole` properties: 
+
+```ts
+import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
+
+const identityPool = new IdentityPool(this, 'myIdentityPool');
+declare const table: dynamodb.Table;
+
+// Grant permissions to authenticated users
+table.grantReadWriteData(identityPool.authenticatedRole);
+// Grant permissions to unauthenticated guest users
+table.grantReadData(identityPool.unauthenticatedRole);
+
+// Or add policy statements straight to the role
+identityPool.authenticatedRole.addToPrincipalPolicy(new iam.PolicyStatement({
+  effect: iam.Effect.ALLOW,
+  actions: ['dynamodb:UpdateItem'],
+  resources: [table.tableArn],
+}));
+```
+
+The default roles can also be supplied in `IdentityPoolProps`:
+
+```ts
+const stack = new Stack();
+const authenticatedRole = new iam.Role(this, 'authRole', {
+  assumedBy: new iam.ServicePrincipal('service.amazonaws.com'),
+});
+const unauthenticatedRole = new iam.Role(this, 'unauthRole', {
+  assumedBy: new iam.ServicePrincipal('service.amazonaws.com'),
+});
+const identityPool = new IdentityPool(this, 'TestIdentityPoolActions', {
+  authenticatedRole,
+  unauthenticatedRole,
+});
+```
+
+### Authentication Providers
+
+Authenticated identities belong to users who are authenticated by a public login provider (Amazon Cognito user pools,  
+Login with Amazon, Sign in with Apple, Facebook, Google, SAML, or any OpenID Connect Providers) or a developer provider  
+(your own backend authentication process).
+
+[Authentication providers](https://docs.aws.amazon.com/cognito/latest/developerguide/external-identity-providers.html) can be associated with an Identity Pool by first associating them with a Cognito User Pool or by  
+associating the provider directly with the identity pool.
+
+#### User Pool Authentication Provider
+
+In order to attach a user pool to an identity pool as an authentication provider, the identity pool needs properties
+from both the user pool and the user pool client. For this reason identity pools use a `UserPoolAuthenticationProvider`
+to gather the necessary properties from the user pool constructs.
+
+```ts
+const userPool = new cognito.UserPool(this, 'Pool');
+
+new IdentityPool(this, 'myidentitypool', {
+  identityPoolName: 'myidentitypool',
+  authenticationProviders: {
+    userPools: [new UserPoolAuthenticationProvider({ userPool })],
+  },
+});
+```
+
+User pools can also be associated with an identity pool after instantiation. The Identity Pool's `addUserPoolAuthentication` method  
+returns the User Pool Client that has been created:
+
+```ts
+declare const identityPool: IdentityPool;
+const userPool = new cognito.UserPool(this, 'Pool');
+const userPoolClient = identityPool.addUserPoolAuthentication(new UserPoolAuthenticationProvider({
+  userPool,
+}));
+```
+
+#### Server Side Token Check
+
+With the `IdentityPool` CDK Construct, by default the pool is configured to check with the integrated user pools to  
+make sure that the user has not been globally signed out or deleted before the identity pool provides an OIDC token or  
+AWS credentials for the user. 
+
+If the user is signed out or deleted, the identity pool will return a 400 Not Authorized error. This setting can be  
+disabled, however, in several ways.
+
+Setting `disableServerSideTokenCheck` to true will change the default behavior to no server side token check. Learn  
+more [here](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_CognitoIdentityProvider.html#CognitoIdentity-Type-CognitoIdentityProvider-ServerSideTokenCheck):
+
+```ts
+declare const identityPool: IdentityPool;
+const userPool = new cognito.UserPool(this, 'Pool');
+identityPool.addUserPoolAuthentication(new UserPoolAuthenticationProvider({ 
+  userPool,
+  disableServerSideTokenCheck: true, 
+}));
+```
+
+#### Associating an External Provider Directly
+
+One or more [external identity providers](https://docs.aws.amazon.com/cognito/latest/developerguide/external-identity-providers.html) can be associated with an identity pool directly using  
+`authenticationProviders`:
+
+```ts
+new IdentityPool(this, 'myidentitypool', {
+  identityPoolName: 'myidentitypool',
+  authenticationProviders: {
+    amazon: {
+      appId: 'amzn1.application.12312k3j234j13rjiwuenf',
+    },
+    facebook: {
+      appId: '1234567890123',
+    },
+    google: {
+      clientId: '12345678012.apps.googleusercontent.com',
+    },
+    apple: {
+      servicesId: 'com.myappleapp.auth',
+    },
+    twitter: {
+      consumerKey: 'my-twitter-id',
+      consumerSecret: 'my-twitter-secret',
+    },
+  },
+});
+```
+
+To associate more than one provider of the same type with the identity pool, use User  
+Pools, OpenIdConnect, or SAML. Only one provider per external service can be attached directly to the identity pool.
+
+#### OpenId Connect and Saml
+
+[OpenID Connect](https://docs.aws.amazon.com/cognito/latest/developerguide/open-id.html) is an open standard for  
+authentication that is supported by a number of login providers. Amazon Cognito supports linking of identities with  
+OpenID Connect providers that are configured through [AWS Identity and Access Management](https://aws.amazon.com/iam/). 
+
+An identity provider that supports [Security Assertion Markup Language 2.0 (SAML 2.0)](https://docs.aws.amazon.com/cognito/latest/developerguide/saml-identity-provider.html) can be used to provide a simple  
+onboarding flow for users. The SAML-supporting identity provider specifies the IAM roles that can be assumed by users  
+so that different users can be granted different sets of permissions. Associating an OpenId Connect or Saml provider  
+with an identity pool:
+
+```ts
+declare const openIdConnectProvider: iam.OpenIdConnectProvider;
+declare const samlProvider: iam.SamlProvider;
+
+new IdentityPool(this, 'myidentitypool', {
+  identityPoolName: 'myidentitypool',
+  authenticationProviders: {
+    openIdConnectProviders: [openIdConnectProvider],
+    samlProviders: [samlProvider],
+  },
+});
+```
+
+#### Custom Providers
+
+The identity pool's behavior can be customized further using custom [developer authenticated identities](https://docs.aws.amazon.com/cognito/latest/developerguide/developer-authenticated-identities.html).  
+With developer authenticated identities, users can be registered and authenticated via an existing authentication  
+process while still using Amazon Cognito to synchronize user data and access AWS resources.
+
+Like the supported external providers, though, only one custom provider can be directly associated with the identity  
+pool.
+
+```ts
+declare const openIdConnectProvider: iam.OpenIdConnectProvider;
+new IdentityPool(this, 'myidentitypool', {
+  identityPoolName: 'myidentitypool',
+  authenticationProviders: {
+    google: {
+      clientId: '12345678012.apps.googleusercontent.com',
+    },
+    openIdConnectProviders: [openIdConnectProvider],
+    customProvider: 'my-custom-provider.example.com',
+  },
+});
+```
+
+### Role Mapping
+
+In addition to setting default roles for authenticated and unauthenticated users, identity pools can also be used to  
+define rules to choose the role for each user based on claims in the user's ID token by using Role Mapping. When using  
+role mapping, it's important to be aware of some of the permissions the role will need, and that the least privileged
+roles necessary are given for your specific use case. An in depth  
+review of roles and role mapping can be found [here](https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html).
+
+Using a [token-based approach](https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html#using-tokens-to-assign-roles-to-users) to role mapping will allow mapped roles to be passed through the `cognito:roles` or  
+`cognito:preferred_role` claims from the identity provider:
+
+```ts
+import { IdentityPoolProviderUrl } from 'aws-cdk-lib/aws-cognito-identitypool';
+
+new IdentityPool(this, 'myidentitypool', {
+  identityPoolName: 'myidentitypool',
+  roleMappings: [{
+    providerUrl: IdentityPoolProviderUrl.AMAZON,
+    useToken: true,
+  }],
+});
+```
+
+Using a rule-based approach to role mapping allows roles to be assigned based on custom claims passed from the identity provider:
+
+```ts
+import { IdentityPoolProviderUrl, RoleMappingMatchType } from 'aws-cdk-lib/aws-cognito-identitypool';
+
+declare const adminRole: iam.Role;
+declare const nonAdminRole: iam.Role;
+new IdentityPool(this, 'myidentitypool', {
+  identityPoolName: 'myidentitypool',
+  // Assign specific roles to users based on whether or not the custom admin claim is passed from the identity provider
+  roleMappings: [{
+    providerUrl: IdentityPoolProviderUrl.AMAZON,
+    rules: [
+      {
+        claim: 'custom:admin',
+        claimValue: 'admin',
+        mappedRole: adminRole,
+      },
+      {
+        claim: 'custom:admin',
+        claimValue: 'admin',
+        matchType: RoleMappingMatchType.NOTEQUAL,
+        mappedRole: nonAdminRole,
+      }
+    ],
+  }],
+});
+```
+
+#### Provider Urls
+
+Role mappings must be associated with the url of an Identity Provider which can be supplied
+`IdentityPoolProviderUrl`. Supported Providers have static Urls that can be used:
+
+```ts
+import { IdentityPoolProviderUrl } from 'aws-cdk-lib/aws-cognito-identitypool';
+
+new IdentityPool(this, 'myidentitypool', {
+  identityPoolName: 'myidentitypool',
+  roleMappings: [{
+    providerUrl: IdentityPoolProviderUrl.FACEBOOK,
+    useToken: true,
+  }],
+});
+```
+
+For identity providers that don't have static Urls, a custom Url can be supplied:
+
+```ts
+import { IdentityPoolProviderUrl } from 'aws-cdk-lib/aws-cognito-identitypool';
+
+new IdentityPool(this, 'myidentitypool', {
+  identityPoolName: 'myidentitypool',
+  roleMappings: [
+    {
+      providerUrl: IdentityPoolProviderUrl.custom('my-custom-provider.com'),
+      useToken: true,
+    },
+  ],
+});
+```
+
+If a provider URL is a CDK Token, as it will be if you are trying to use a previously defined Cognito User Pool, you will need to also provide a mappingKey.
+This is because by default, the key in the Cloudformation role mapping hash is the providerUrl, and Cloudformation map keys must be concrete strings, they
+cannot be references. For example:
+
+```ts
+import { UserPool, UserPoolClient } from 'aws-cdk-lib/aws-cognito';
+import { IdentityPoolProviderUrl } from 'aws-cdk-lib/aws-cognito-identitypool';
+
+declare const userPool: UserPool;
+declare const userPoolClient: UserPoolClient;
+new IdentityPool(this, 'myidentitypool', {
+  identityPoolName: 'myidentitypool',
+  roleMappings: [{
+    mappingKey: 'cognito',
+    providerUrl: IdentityPoolProviderUrl.userPool(userPool, userPoolClient),
+    useToken: true,
+  }],
+});
+```
+
+See [here](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-rolemapping.html#cfn-cognito-identitypoolroleattachment-rolemapping-identityprovider) for more information.
+
+### Authentication Flow
+
+Identity Pool [Authentication Flow](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html) defaults to the enhanced, simplified flow. The Classic (basic) Authentication Flow  
+can also be implemented using `allowClassicFlow`:
+
+```ts
+new IdentityPool(this, 'myidentitypool', {
+  identityPoolName: 'myidentitypool',
+  allowClassicFlow: true,
+});
+```
+
+### Cognito Sync
+
+It's now recommended to integrate [AWS AppSync](https://aws.amazon.com/appsync/) for synchronizing app data across devices, so  
+Cognito Sync features like `PushSync`, `CognitoEvents`, and `CognitoStreams` are not a part of `IdentityPool`. More    
+information can be found [here](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sync.html).
+
+### Importing Identity Pools
+
+You can import existing identity pools into your stack using Identity Pool static methods with the Identity Pool Id or  
+Arn:
+
+```ts
+IdentityPool.fromIdentityPoolId(this, 'my-imported-identity-pool',
+  'us-east-1:dj2823ryiwuhef937');
+IdentityPool.fromIdentityPoolArn(this, 'my-imported-identity-pool',
+  'arn:aws:cognito-identity:us-east-1:123456789012:identitypool/us-east-1:dj2823ryiwuhef937');
+```

cdk/node_modules/aws-cdk-lib/aws-cognito-identitypool/index.d.ts

@@ -0,0 +1 @@
+export * from './lib';

cdk/node_modules/aws-cdk-lib/aws-cognito-identitypool/index.js

@@ -0,0 +1 @@
+"use strict";var __createBinding=exports&&exports.__createBinding||(Object.create?(function(o,m,k,k2){k2===void 0&&(k2=k);var desc=Object.getOwnPropertyDescriptor(m,k);(!desc||("get"in desc?!m.__esModule:desc.writable||desc.configurable))&&(desc={enumerable:!0,get:function(){return m[k]}}),Object.defineProperty(o,k2,desc)}):(function(o,m,k,k2){k2===void 0&&(k2=k),o[k2]=m[k]})),__exportStar=exports&&exports.__exportStar||function(m,exports2){for(var p in m)p!=="default"&&!Object.prototype.hasOwnProperty.call(exports2,p)&&__createBinding(exports2,m,p)};Object.defineProperty(exports,"__esModule",{value:!0});var _noFold;exports.IdentityPoolProviderType=void 0,Object.defineProperty(exports,_noFold="IdentityPoolProviderType",{enumerable:!0,configurable:!0,get:()=>{var value=require("./lib").IdentityPoolProviderType;return Object.defineProperty(exports,_noFold="IdentityPoolProviderType",{enumerable:!0,configurable:!0,value}),value}}),exports.IdentityPoolProviderUrl=void 0,Object.defineProperty(exports,_noFold="IdentityPoolProviderUrl",{enumerable:!0,configurable:!0,get:()=>{var value=require("./lib").IdentityPoolProviderUrl;return Object.defineProperty(exports,_noFold="IdentityPoolProviderUrl",{enumerable:!0,configurable:!0,value}),value}}),exports.RoleMappingMatchType=void 0,Object.defineProperty(exports,_noFold="RoleMappingMatchType",{enumerable:!0,configurable:!0,get:()=>{var value=require("./lib").RoleMappingMatchType;return Object.defineProperty(exports,_noFold="RoleMappingMatchType",{enumerable:!0,configurable:!0,value}),value}}),exports.IdentityPool=void 0,Object.defineProperty(exports,_noFold="IdentityPool",{enumerable:!0,configurable:!0,get:()=>{var value=require("./lib").IdentityPool;return Object.defineProperty(exports,_noFold="IdentityPool",{enumerable:!0,configurable:!0,value}),value}}),exports.UserPoolAuthenticationProvider=void 0,Object.defineProperty(exports,_noFold="UserPoolAuthenticationProvider",{enumerable:!0,configurable:!0,get:()=>{var value=require("./lib").UserPoolAuthenticationProvider;return Object.defineProperty(exports,_noFold="UserPoolAuthenticationProvider",{enumerable:!0,configurable:!0,value}),value}});

cdk/node_modules/aws-cdk-lib/aws-cognito-identitypool/lib/identitypool-user-pool-authentication-provider.d.ts

@@ -0,0 +1,76 @@
+import type { Construct } from 'constructs';
+import type { IIdentityPool } from './identitypool';
+import type { IUserPool, IUserPoolClientRef } from '../../aws-cognito';
+/**
+ * Represents the concept of a User Pool Authentication Provider.
+ * You use user pool authentication providers to configure User Pools
+ * and User Pool Clients for use with Identity Pools
+ */
+export interface IUserPoolAuthenticationProvider {
+    /**
+     * The method called when a given User Pool Authentication Provider is added
+     * (for the first time) to an Identity Pool.
+     */
+    bind(scope: Construct, identityPool: IIdentityPool, options?: UserPoolAuthenticationProviderBindOptions): UserPoolAuthenticationProviderBindConfig;
+}
+/**
+ * Props for the User Pool Authentication Provider
+ */
+export interface UserPoolAuthenticationProviderProps {
+    /**
+     * The User Pool of the Associated Identity Providers
+     */
+    readonly userPool: IUserPool;
+    /**
+     * The User Pool Client for the provided User Pool
+     * @default - A default user pool client will be added to User Pool
+     */
+    readonly userPoolClient?: IUserPoolClientRef;
+    /**
+     * Setting this to true turns off identity pool checks for this user pool to make sure the user has not been globally signed out or deleted before the identity pool provides an OIDC token or AWS credentials for the user
+     * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypool-cognitoidentityprovider.html
+     * @default false
+     */
+    readonly disableServerSideTokenCheck?: boolean;
+}
+/**
+ * Represents UserPoolAuthenticationProvider Bind Options
+ */
+export interface UserPoolAuthenticationProviderBindOptions {
+}
+/**
+ * Represents a UserPoolAuthenticationProvider Bind Configuration
+ */
+export interface UserPoolAuthenticationProviderBindConfig {
+    /**
+     * Client Id of the Associated User Pool Client
+     */
+    readonly clientId: string;
+    /**
+     * The identity providers associated with the UserPool
+     */
+    readonly providerName: string;
+    /**
+     * Whether to enable the identity pool's server side token check
+     */
+    readonly serverSideTokenCheck: boolean;
+}
+/**
+ * Defines a User Pool Authentication Provider
+ */
+export declare class UserPoolAuthenticationProvider implements IUserPoolAuthenticationProvider {
+    /**
+     * The User Pool of the Associated Identity Providers
+     */
+    private userPool;
+    /**
+     * The User Pool Client for the provided User Pool
+     */
+    private userPoolClient;
+    /**
+     * Whether to disable the pool's default server side token check
+     */
+    private disableServerSideTokenCheck;
+    constructor(props: UserPoolAuthenticationProviderProps);
+    bind(scope: Construct, identityPool: IIdentityPool, _options?: UserPoolAuthenticationProviderBindOptions): UserPoolAuthenticationProviderBindConfig;
+}

cdk/node_modules/aws-cdk-lib/aws-cognito-identitypool/lib/identitypool-user-pool-authentication-provider.js

@@ -0,0 +1 @@
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.UserPoolAuthenticationProvider=void 0;var jsiiDeprecationWarnings=()=>{var tmp=require("../../.warnings.jsii.js");return jsiiDeprecationWarnings=()=>tmp,tmp};const JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti");var constructs_1=()=>{var tmp=require("constructs");return constructs_1=()=>tmp,tmp},core_1=()=>{var tmp=require("../../core");return core_1=()=>tmp,tmp};class UserPoolAuthenticationProvider{static[JSII_RTTI_SYMBOL_1]={fqn:"aws-cdk-lib.aws_cognito_identitypool.UserPoolAuthenticationProvider",version:"2.252.0"};userPool;userPoolClient;disableServerSideTokenCheck;constructor(props){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_cognito_identitypool_UserPoolAuthenticationProviderProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,UserPoolAuthenticationProvider),error}this.userPool=props.userPool,this.userPoolClient=props.userPoolClient||this.userPool.addClient("UserPoolAuthenticationProviderClient"),this.disableServerSideTokenCheck=props.disableServerSideTokenCheck??!1}bind(scope,identityPool,_options){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_cognito_identitypool_IIdentityPool(identityPool),jsiiDeprecationWarnings().aws_cdk_lib_aws_cognito_identitypool_UserPoolAuthenticationProviderBindOptions(_options)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.bind),error}constructs_1().Node.of(identityPool).addDependency(this.userPool),constructs_1().Node.of(identityPool).addDependency(this.userPoolClient);const region=core_1().Stack.of(scope).region,urlSuffix=core_1().Stack.of(scope).urlSuffix;return{clientId:this.userPoolClient.userPoolClientRef.clientId,providerName:`cognito-idp.${region}.${urlSuffix}/${this.userPool.userPoolId}`,serverSideTokenCheck:!this.disableServerSideTokenCheck}}}exports.UserPoolAuthenticationProvider=UserPoolAuthenticationProvider;

cdk/node_modules/aws-cdk-lib/aws-cognito-identitypool/lib/identitypool.d.ts

@@ -0,0 +1,365 @@
+import type { Construct } from 'constructs';
+import type { IUserPoolAuthenticationProvider } from './identitypool-user-pool-authentication-provider';
+import type { IdentityPoolReference, IIdentityPoolRef, IUserPool, IUserPoolClient } from '../../aws-cognito';
+import { CfnIdentityPoolRoleAttachment } from '../../aws-cognito';
+import type { IRole, IOIDCProviderRef, ISAMLProviderRef } from '../../aws-iam';
+import type { IResource } from '../../core';
+import { Resource } from '../../core';
+/**
+ * Represents a Cognito Identity Pool
+ */
+export interface IIdentityPool extends IResource, IIdentityPoolRef {
+    /**
+     * The ID of the Identity Pool in the format REGION:GUID
+     * @attribute
+     */
+    readonly identityPoolId: string;
+    /**
+     * The ARN of the Identity Pool
+     * @attribute
+     */
+    readonly identityPoolArn: string;
+    /**
+     * Name of the Identity Pool
+     * @attribute
+     */
+    readonly identityPoolName: string;
+}
+/**
+ * Props for the Identity Pool construct
+ */
+export interface IdentityPoolProps {
+    /**
+     * The name of the Identity Pool
+     * @default - Automatically generated name by CloudFormation at deploy time
+     */
+    readonly identityPoolName?: string;
+    /**
+     * The default Role to be assumed by authenticated users
+     * @default - A default authenticated Role will be added
+     */
+    readonly authenticatedRole?: IRole;
+    /**
+     * The default Role to be assumed by unauthenticated users
+     * @default - A default unauthenticated Role will be added
+     */
+    readonly unauthenticatedRole?: IRole;
+    /**
+     * Whether the Identity Pool supports unauthenticated logins
+     * @default - false
+     */
+    readonly allowUnauthenticatedIdentities?: boolean;
+    /**
+     * Rules for mapping roles to users
+     * @default - no role mappings
+     */
+    readonly roleMappings?: IdentityPoolRoleMapping[];
+    /**
+     * Enables the Basic (Classic) authentication flow
+     * @default - Classic Flow not allowed
+     */
+    readonly allowClassicFlow?: boolean;
+    /**
+     * Authentication Providers for using in Identity Pool
+     * @default - No Authentication Providers passed directly to Identity Pool
+     */
+    readonly authenticationProviders?: IdentityPoolAuthenticationProviders;
+}
+/**
+ * Types of Identity Pool Login Providers
+ */
+export declare enum IdentityPoolProviderType {
+    /** Facebook provider type */
+    FACEBOOK = "Facebook",
+    /** Google provider type */
+    GOOGLE = "Google",
+    /** Amazon provider type */
+    AMAZON = "Amazon",
+    /** Apple provider type */
+    APPLE = "Apple",
+    /** Twitter provider type */
+    TWITTER = "Twitter",
+    /** Open Id provider type */
+    OPEN_ID = "OpenId",
+    /** Saml provider type */
+    SAML = "Saml",
+    /** User Pool provider type */
+    USER_POOL = "UserPool",
+    /** Custom provider type */
+    CUSTOM = "Custom"
+}
+/**
+ * Keys for Login Providers - each correspond to the client IDs of their respective federation Identity Providers
+ */
+export declare class IdentityPoolProviderUrl {
+    /**
+     * The type of Identity Pool Provider
+     */
+    readonly type: IdentityPoolProviderType;
+    /**
+     * The value of the Identity Pool Provider
+     */
+    readonly value: string;
+    /** Facebook Provider url */
+    static readonly FACEBOOK: IdentityPoolProviderUrl;
+    /** Google Provider url */
+    static readonly GOOGLE: IdentityPoolProviderUrl;
+    /** Amazon Provider url */
+    static readonly AMAZON: IdentityPoolProviderUrl;
+    /** Apple Provider url */
+    static readonly APPLE: IdentityPoolProviderUrl;
+    /** Twitter Provider url */
+    static readonly TWITTER: IdentityPoolProviderUrl;
+    /** OpenId Provider url */
+    static openId(url: string): IdentityPoolProviderUrl;
+    /** Saml Provider url */
+    static saml(url: string): IdentityPoolProviderUrl;
+    /** User Pool Provider Url */
+    static userPool(userPool: IUserPool, userPoolClient: IUserPoolClient): IdentityPoolProviderUrl;
+    /** Custom Provider url */
+    static custom(url: string): IdentityPoolProviderUrl;
+    constructor(
+    /**
+     * The type of Identity Pool Provider
+     */
+    type: IdentityPoolProviderType, 
+    /**
+     * The value of the Identity Pool Provider
+     */
+    value: string);
+}
+/**
+ * Login Provider for identity federation using Amazon credentials
+ */
+export interface IdentityPoolAmazonLoginProvider {
+    /**
+     * App ID for Amazon identity federation
+     */
+    readonly appId: string;
+}
+/**
+ * Login Provider for identity federation using Facebook credentials
+ */
+export interface IdentityPoolFacebookLoginProvider {
+    /**
+     * App ID for Facebook identity federation
+     */
+    readonly appId: string;
+}
+/**
+ * Login Provider for identity federation using Apple credentials
+ */
+export interface IdentityPoolAppleLoginProvider {
+    /**
+     * Services ID for Apple identity federation
+     */
+    readonly servicesId: string;
+}
+/**
+ * Login Provider for identity federation using Google credentials
+ */
+export interface IdentityPoolGoogleLoginProvider {
+    /**
+     * Client ID for Google identity federation
+     */
+    readonly clientId: string;
+}
+/**
+ * Login Provider for identity federation using Twitter credentials
+ */
+export interface IdentityPoolTwitterLoginProvider {
+    /**
+     * Consumer key for Twitter identity federation
+     */
+    readonly consumerKey: string;
+    /**
+     * Consumer secret for identity federation
+     */
+    readonly consumerSecret: string;
+}
+/**
+ * External Authentication Providers for usage in Identity Pool.
+ * @see https://docs.aws.amazon.com/cognito/latest/developerguide/external-identity-providers.html
+ */
+export interface IdentityPoolAuthenticationProviders {
+    /**
+     * The Facebook Authentication Provider associated with this Identity Pool
+     * @default - No Facebook Authentication Provider used without OpenIdConnect or a User Pool
+     */
+    readonly facebook?: IdentityPoolFacebookLoginProvider;
+    /**
+     * The Google Authentication Provider associated with this Identity Pool
+     * @default - No Google Authentication Provider used without OpenIdConnect or a User Pool
+     */
+    readonly google?: IdentityPoolGoogleLoginProvider;
+    /**
+     * The Amazon Authentication Provider associated with this Identity Pool
+     * @default -  No Amazon Authentication Provider used without OpenIdConnect or a User Pool
+     */
+    readonly amazon?: IdentityPoolAmazonLoginProvider;
+    /**
+     * The Apple Authentication Provider associated with this Identity Pool
+     * @default - No Apple Authentication Provider used without OpenIdConnect or a User Pool
+     */
+    readonly apple?: IdentityPoolAppleLoginProvider;
+    /**
+     * The Twitter Authentication Provider associated with this Identity Pool
+     * @default - No Twitter Authentication Provider used without OpenIdConnect or a User Pool
+     */
+    readonly twitter?: IdentityPoolTwitterLoginProvider;
+    /**
+     * The User Pool Authentication Providers associated with this Identity Pool
+     * @default - no User Pools associated
+     */
+    readonly userPools?: IUserPoolAuthenticationProvider[];
+    /**
+     * The OpenIdConnect Provider associated with this Identity Pool
+     * @default - no OpenIdConnectProvider
+     */
+    readonly openIdConnectProviders?: IOIDCProviderRef[];
+    /**
+     * The Security Assertion Markup Language provider associated with this Identity Pool
+     * @default - no SamlProvider
+     */
+    readonly samlProviders?: ISAMLProviderRef[];
+    /**
+     * The developer provider name to associate with this Identity Pool
+     * @default - no custom provider
+     */
+    readonly customProvider?: string;
+}
+/**
+ * Map roles to users in the Identity Pool based on claims from the Identity Provider
+ * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html
+ */
+export interface IdentityPoolRoleMapping {
+    /**
+     * The url of the Provider for which the role is mapped
+     */
+    readonly providerUrl: IdentityPoolProviderUrl;
+    /**
+     * The key used for the role mapping in the role mapping hash. Required if the providerUrl is a token.
+     * @default - The provided providerUrl
+     */
+    readonly mappingKey?: string;
+    /**
+     * If true then mapped roles must be passed through the cognito:roles or cognito:preferred_role claims from Identity Provider.
+     * @see https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html#using-tokens-to-assign-roles-to-users
+     *
+     * @default false
+     */
+    readonly useToken?: boolean;
+    /**
+     * Allow for role assumption when results of role mapping are ambiguous
+     * @default false - Ambiguous role resolutions will lead to requester being denied
+     */
+    readonly resolveAmbiguousRoles?: boolean;
+    /**
+     * The claim and value that must be matched in order to assume the role. Required if useToken is false
+     * @default - No role mapping rule
+     */
+    readonly rules?: RoleMappingRule[];
+}
+/**
+ * Types of matches allowed for role mapping
+ */
+export declare enum RoleMappingMatchType {
+    /**
+     * The claim from the token must equal the given value in order for a match
+     */
+    EQUALS = "Equals",
+    /**
+     * The claim from the token must contain the given value in order for a match
+     */
+    CONTAINS = "Contains",
+    /**
+     * The claim from the token must start with the given value in order for a match
+     */
+    STARTS_WITH = "StartsWith",
+    /**
+     * The claim from the token must not equal the given value in order for a match
+     */
+    NOTEQUAL = "NotEqual"
+}
+/**
+ * Represents an Identity Pool Role Attachment role mapping rule
+ */
+export interface RoleMappingRule {
+    /**
+     * The key sent in the token by the federated Identity Provider
+     */
+    readonly claim: string;
+    /**
+     * The role to be assumed when the claim value is matched
+     */
+    readonly mappedRole: IRole;
+    /**
+     * The value of the claim that must be matched
+     */
+    readonly claimValue: string;
+    /**
+     * How to match with the claim value
+     *
+     * @default RoleMappingMatchType.EQUALS
+     */
+    readonly matchType?: RoleMappingMatchType;
+}
+/**
+ * Define a Cognito Identity Pool
+ *
+ * @resource AWS::Cognito::IdentityPool
+ */
+export declare class IdentityPool extends Resource implements IIdentityPool {
+    /** Uniquely identifies this class. */
+    static readonly PROPERTY_INJECTION_ID: string;
+    /**
+     * Import an existing Identity Pool from its ID
+     */
+    static fromIdentityPoolId(scope: Construct, id: string, identityPoolId: string): IIdentityPool;
+    /**
+     * Import an existing Identity Pool from its ARN
+     */
+    static fromIdentityPoolArn(scope: Construct, id: string, identityPoolArn: string): IIdentityPool;
+    /**
+     * The ID of the Identity Pool in the format REGION:GUID
+     * @attribute
+     */
+    readonly identityPoolId: string;
+    /**
+     * The ARN of the Identity Pool
+     * @attribute
+     */
+    readonly identityPoolArn: string;
+    /**
+     * The name of the Identity Pool
+     * @attribute
+     */
+    readonly identityPoolName: string;
+    /**
+     * Default Role for authenticated users
+     */
+    readonly authenticatedRole: IRole;
+    /**
+     * Default Role for unauthenticated users
+     */
+    readonly unauthenticatedRole: IRole;
+    /**
+     * Role Provider for the default Role for authenticated users
+     */
+    readonly roleAttachment: CfnIdentityPoolRoleAttachment;
+    /**
+     * List of Identity Providers added in constructor for use with property overrides
+     */
+    private readonly _cognitoIdentityProviders;
+    constructor(scope: Construct, id: string, props?: IdentityPoolProps);
+    /**
+     * Add a User Pool to the Identity Pool and configure the User Pool client to handle identities
+     */
+    addUserPoolAuthentication(userPool: IUserPoolAuthenticationProvider): void;
+    /**
+     * Configure default Roles for Identity Pool
+     */
+    private configureDefaultRole;
+    private configureDefaultGrantPrincipal;
+    get identityPoolRef(): IdentityPoolReference;
+}

cdk/node_modules/aws-cdk-lib/aws-cognito-identitypool/lib/index.d.ts

@@ -0,0 +1,2 @@
+export * from './identitypool';
+export * from './identitypool-user-pool-authentication-provider';

cdk/node_modules/aws-cdk-lib/aws-cognito-identitypool/lib/index.js

@@ -0,0 +1 @@
+"use strict";var __createBinding=exports&&exports.__createBinding||(Object.create?(function(o,m,k,k2){k2===void 0&&(k2=k);var desc=Object.getOwnPropertyDescriptor(m,k);(!desc||("get"in desc?!m.__esModule:desc.writable||desc.configurable))&&(desc={enumerable:!0,get:function(){return m[k]}}),Object.defineProperty(o,k2,desc)}):(function(o,m,k,k2){k2===void 0&&(k2=k),o[k2]=m[k]})),__exportStar=exports&&exports.__exportStar||function(m,exports2){for(var p in m)p!=="default"&&!Object.prototype.hasOwnProperty.call(exports2,p)&&__createBinding(exports2,m,p)};Object.defineProperty(exports,"__esModule",{value:!0});var _noFold;exports.IdentityPoolProviderType=void 0,Object.defineProperty(exports,_noFold="IdentityPoolProviderType",{enumerable:!0,configurable:!0,get:()=>{var value=require("./identitypool").IdentityPoolProviderType;return Object.defineProperty(exports,_noFold="IdentityPoolProviderType",{enumerable:!0,configurable:!0,value}),value}}),exports.IdentityPoolProviderUrl=void 0,Object.defineProperty(exports,_noFold="IdentityPoolProviderUrl",{enumerable:!0,configurable:!0,get:()=>{var value=require("./identitypool").IdentityPoolProviderUrl;return Object.defineProperty(exports,_noFold="IdentityPoolProviderUrl",{enumerable:!0,configurable:!0,value}),value}}),exports.RoleMappingMatchType=void 0,Object.defineProperty(exports,_noFold="RoleMappingMatchType",{enumerable:!0,configurable:!0,get:()=>{var value=require("./identitypool").RoleMappingMatchType;return Object.defineProperty(exports,_noFold="RoleMappingMatchType",{enumerable:!0,configurable:!0,value}),value}}),exports.IdentityPool=void 0,Object.defineProperty(exports,_noFold="IdentityPool",{enumerable:!0,configurable:!0,get:()=>{var value=require("./identitypool").IdentityPool;return Object.defineProperty(exports,_noFold="IdentityPool",{enumerable:!0,configurable:!0,value}),value}}),exports.UserPoolAuthenticationProvider=void 0,Object.defineProperty(exports,_noFold="UserPoolAuthenticationProvider",{enumerable:!0,configurable:!0,get:()=>{var value=require("./identitypool-user-pool-authentication-provider").UserPoolAuthenticationProvider;return Object.defineProperty(exports,_noFold="UserPoolAuthenticationProvider",{enumerable:!0,configurable:!0,value}),value}});