This example shows a basic user auth pool configuration.

User pool resource

• Fully managed sign-ups, logins and authorization for your users with pay-per-use pricing.

Basic example

resources:
  myUserAuthPool:
    type: user-auth-pool
    properties:
      # Ensures that new accounts can only be created using admin create flows
      #
      # - If this is disabled, users can sign themselves up.
      #
      # - Type: boolean
      # - Required: false
      allowOnlyAdminsToCreateAccount: true
      # Maximum number of days that unused accounts will be preserved
      #
      # - Type: number
      # - Required: false
      unusedAccountValidityDays: 100
      # Enforces email verification for new accounts
      #
      # - Type: boolean
      # - Required: false
      requireEmailVerification: true
      # Enforces phone number verification for new accounts
      #
      # - Type: boolean
      # - Required: false
      requirePhoneNumberVerification: true
      # Enables hosted UI for the userpool
      #
      # - Type: boolean
      # - Required: false
      # - Default: false
      enableHostedUi: false
      # Domain prefix for the hosted UI
      #
      # - Type: string
      # - Required: false
      hostedUiDomainPrefix: example-value
      # CSS applied to your hosted UI
      #
      # - Type: string
      # - Required: false
      hostedUiCSS: example-value
      # Function hooks that will be triggered on certain events that happen inside the userpool
      #
      # - To better understand user pool hooks, refer to
      # [AWS Docs](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html)
      #
      # - Type: object
      # - Required: false
      hooks:
        #
        # - Type: string
        # - Required: false
        customMessage: example-value
        #
        # - Type: string
        # - Required: false
        postAuthentication: example-value
        #
        # - Type: string
        # - Required: false
        postConfirmation: example-value
        #
        # - Type: string
        # - Required: false
        preAuthentication: example-value
        #
        # - Type: string
        # - Required: false
        preSignUp: example-value
        #
        # - Type: string
        # - Required: false
        preTokenGeneration: example-value
        #
        # - Type: string
        # - Required: false
        userMigration: example-value
        #
        # - Type: string
        # - Required: false
        createAuthChallenge: example-value
        #
        # - Type: string
        # - Required: false
        defineAuthChallenge: example-value
        #
        # - Type: string
        # - Required: false
        verifyAuthChallengeResponse: example-value
      # Configuration for emails sent by Cognito User Pool
      #
      # - Type: object
      # - Required: false
      emailConfiguration:
        #
        # - Type: string
        # - Required: false
        sesAddressArn: example-value
        #
        # - Type: string
        # - Required: false
        from: example-value
        #
        # - Type: string
        # - Required: false
        replyToEmailAddress: user@example.com
      # Configuration of invite message for new users
      #
      # - Type: object
      # - Required: false
      inviteMessageConfig:
        #
        # - Type: string
        # - Required: false
        emailMessage: example-value
        #
        # - Type: string
        # - Required: false
        emailSubject: example-value
        #
        # - Type: string
        # - Required: false
        smsMessage: example-value
      # Configuration of user verification type
      #
      # - `none` - no verification is required
      # - `email-link` - user receives a link that he needs to click via an email
      # - `email-code` - user receives a code that he needs to enter via an email
      # - `sms` - user receives a code that he needs to enter via a SMS
      #
      # - Type: enum: [email-code, email-link, none, sms]
      # - Required: false
      # - Allowed values: [email-code, email-link, none, sms]
      userVerificationType: email-code
      # Configures the user verification message
      #
      # - Type: object
      # - Required: false
      userVerificationMessageConfig:
        #
        # - Type: string
        # - Required: false
        emailMessageUsingCode: example-value
        #
        # - Type: string
        # - Required: false
        emailMessageUsingLink: example-value
        #
        # - Type: string
        # - Required: false
        emailSubjectUsingCode: example-value
        #
        # - Type: string
        # - Required: false
        emailSubjectUsingLink: example-value
        #
        # - Type: string
        # - Required: false
        smsMessage: example-value
      # Configures Multi-factor Authentication for this userpool
      #
      # - Type: object
      # - Required: false
      mfaConfiguration:
        #
        # - Type: enum: [OFF, ON, OPTIONAL]
        # - Required: false
        # - Allowed values: [OFF, ON, OPTIONAL]
        status: OFF
        #
        # - Type: array<string>
        # - Required: false
        enabledTypes:
          - SMS
      # Requirements for the password
      #
      # - Applies for users created using directly using cognito
      #
      # - Type: object
      # - Required: false
      passwordPolicy:
        #
        # - Type: number
        # - Required: false
        minimumLength: 100
        #
        # - Type: boolean
        # - Required: false
        requireLowercase: true
        #
        # - Type: boolean
        # - Required: false
        requireNumbers: true
        #
        # - Type: boolean
        # - Required: false
        requireSymbols: true
        #
        # - Type: boolean
        # - Required: false
        requireUppercase: true
        #
        # - Type: number
        # - Required: false
        temporaryPasswordValidityDays: 100
      #
      # - Type: array<object (reference)>
      # - Required: false
      schema:
        - name: example-name
      # Allows phone number to be used as a username
      #
      #
      # - Type: boolean
      # - Required: false
      # - Default: true
      allowPhoneNumberAsUserName: true
      # Allows email to be used as a username
      #
      #
      # - Type: boolean
      # - Required: false
      # - Default: true
      allowEmailAsUserName: true
      # Duration (in seconds) until the access token expires
      #
      # - To better understand tokens used in in cognito user pools, refer
      # to [AWS docs](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html)
      #
      # - Type: number
      # - Required: false
      accessTokenValiditySeconds: 100
      # Duration (in seconds) until the identity token expires
      #
      # - To better understand tokens used in in cognito user pools, refer
      # to [AWS docs](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html)
      #
      # - Type: number
      # - Required: false
      idTokenValiditySeconds: 100
      # Duration (in seconds) until the refresh token expires
      #
      # - To better understand tokens used in in cognito user pools, refer
      # to [AWS docs](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html)
      #
      # - Type: number
      # - Required: false
      refreshTokenValidityDays: 100
      # Oauth flows allowed for this user pool
      #
      # - To better understand Oauth flows, refer
      # to [AWS blog post](https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/)
      #
      # - Type: array<object (reference)>
      # - Required: false
      allowedOAuthFlows:
        - example-value
      # Oauth scopes allowed for this user pool
      #
      # - Type: array<string>
      # - Required: false
      allowedOAuthScopes:
        - example-value
      # User will be redirected to this URL after a successful authentication
      #
      # - Type: array<string>
      # - Required: false
      callbackURLs:
        - https://example.com
      # User will be redirected to this URL after a logout
      #
      # - Type: array<string>
      # - Required: false
      logoutURLs:
        - https://example.com
      # Configuration for external identity providers
      #
      # - Type: array<object (reference)>
      # - Required: false
      identityProviders:
        - clientId: example-value
          clientSecret: example-value
          type: Facebook
      # Name of the 'web-app-firewall' resource type that will be used to protect this user pool
      #
      # - You can use `web-app-firewall` to protect your resources from common web exploits that could affect application availability, compromise security, or consume excessive resources.
      # - Web app firewall protects your application by filtering dangerous requests coming to your app.
      # You can read more about the firewall [in our docs](https://docs.stacktape.com/security-resources/web-app-firewalls/).
      #
      # - Type: string
      # - Required: false
      useFirewall: example-value
      # Generates secret for a user pool client
      #
      # - By default, client secret is not generated.
      # - When enabled, this property instructs the system to generate a unique secret associated with the app client. This secret is used in conjunction with the client ID to authenticate the app client in server-to-server interactions.
      # - The client secret adds an additional layer of security for applications that can securely store secrets. It is particularly useful for backend applications where the secret can be kept confidential.
      #
      # - Type: boolean
      # - Required: false
      # - Default: false
      generateClientSecret: false
      # Enables exclusive use of external identity providers for authentication, disabling user pool's built-in sign-in mechanism
      #
      # - Disables Cognito User Pool authentication: Users will not be able to sign up or sign in using Cognito's built-in username and password mechanism.
      # - Requires external identity providers: Authentication must be performed through configured external identity providers such as Google, Facebook, or SAML-based services.
      #
      # - Type: boolean
      # - Required: false
      # - Default: false
      allowOnlyExternalIdentityProviders: false