Skip to main content

aws_cognito_userpool_client Resource

Use the aws_cognito_userpool_client InSpec audit resource to test properties of a single Cognito user pool client.

For additional information, including details on parameters and properties, see the AWS documentation on Cognito user pool.

Installation

This resource is available in the Chef InSpec AWS resource pack.

See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.

Syntax

Ensure that a user pool exists.

describe aws_cognito_userpool_client(user_pool_id: 'USER_POOL_ID', client_id: 'CLIENT_ID') do
  it { should exist }
end

Parameters

user_pool_id (required)

The ID of the user pool.

client_id (required)

The client ID of the user pool.

Properties

user_pool_id
The user pool ID.
client_name
The app client name associated with the user pool.
client_id
The app client ID associated with the user pool.
client_secret
The app client secret of the user pool client.
last_modified_date
The last modified date of the user pool client.
creation_date
The creation date of the user pool client.
refresh_token_validity
The time limit value that the refresh token is valid in token_validity_units.
access_token_validity
The time limit value of the access token in token_validity_units.
id_token_validity
The time limit value of the refresh token in token_validity_units.
token_validity_units (access_token)
The time unit for the access_token_validity.
token_validity_units (id_token)
The time unit for the id_token_validity.
token_validity_units (refresh_token)
The time unit for the refresh_token_validity.
read_attributes
A list of the read-only attributes of the user pool.
write_attributes
A list of writeable attributes of the user pool.
explicit_auth_flows
The authentication flows supported by the user pool client.
supported_identity_providers
The list of provider names for the identity providers supported by the user pool client.
callback_urls
The list of callback URLs for the identity providers.
logout_urls
The list of logout URLs for the identity providers.
default_redirect_uri
The default redirect URI. This must be in the callback_urls list.
allowed_o_auth_flows
The allowed_o_auth_flows of the user pool.
allowed_o_auth_scopes
The allowed_o_auth_scopes of the user pool.
allowed_o_auth_flows_user_pool_client
Whether the client is allowed to follow the OAuth protocol when interacting with user pools. Valid values: true, false.
analytics_configuration (application_id)
The Amazon Pinpoint analytics application ID.
analytics_configuration (application_arn)
The Amazon Pinpoint ARN.
analytics_configuration (role_arn)
The ARN of an IAM role that authorizes Cognito to publish events to Pinpoint.
analytics_configuration (external_id)
The Amazon Pinpoint analytics external ID.
analytics_configuration (user_data_shared)
Whether Cognito will include user data if it publishes to Pinpoint analytics. Valid values: true, false.
prevent_user_existence_errors
Select which errors are returned by Cognito APIs. Valid values: ENABLED, LEGACY.

Examples

Ensure an client name is available.

describe aws_cognito_userpool_client(user_pool_id: 'USER_POOL_ID', client_id: 'CLIENT_ID') do
  its('client_name') { should eq 'CLIENT_NAME' }
end

Ensure an client secret is available.

describe aws_cognito_userpool_client(user_pool_id: 'USER_POOL_ID', client_id: 'CLIENT_ID') do
    its('client_secret') { should eq 'CLIENT_SECRET' }
end

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.

The controls will pass if the describe method returns at least one result.

exist

Use should to test that the entity exists.

describe aws_cognito_userpool_client(user_pool_id: 'USER_POOL_ID', client_id: 'CLIENT_ID') do
  it { should exist }
end

Use should_not to test the entity does not exist.

describe aws_cognito_userpool_client(user_pool_id: 'USER_POOL_ID', client_id: 'CLIENT_ID') do
  it { should_not exist }
end

be_available

Use should to check if the user pool is available.

describe aws_cognito_userpool_client(user_pool_id: 'USER_POOL_ID', client_id: 'CLIENT_ID') do
  it { should be_available }
end

AWS Permissions

Your Principal will need the CognitoIdentityProvider:Client:DescribeUserPoolClientResponse action with Effect set to Allow.

Edit this page on GitHub.

Thank you for your feedback!

×









Search Results