chore(cognito): reference interfaces

packages/aws-cdk-lib/aws-apigateway/lib/authorizers/cognito.ts

@@ -1,11 +1,11 @@
 import { Construct } from 'constructs';
 import { IdentitySource } from './identity-source';
-import * as cognito from '../../../aws-cognito';
 import { Duration, FeatureFlags, Lazy, Names, Stack } from '../../../core';
 import { ValidationError } from '../../../core/lib/errors';
 import { addConstructMetadata } from '../../../core/lib/metadata-resource';
 import { propertyInjectable } from '../../../core/lib/prop-injectable';
 import { APIGATEWAY_AUTHORIZER_CHANGE_DEPLOYMENT_LOGICAL_ID } from '../../../cx-api';
+import { IUserPoolRef } from '../../../interfaces/generated/aws-cognito-interfaces.generated';
 import { CfnAuthorizer, CfnAuthorizerProps } from '../apigateway.generated';
 import { Authorizer, IAuthorizer } from '../authorizer';
 import { AuthorizationType } from '../method';
@@ -25,7 +25,7 @@ export interface CognitoUserPoolsAuthorizerProps {
   /**
    * The user pools to associate with this authorizer.
    */
-  readonly cognitoUserPools: cognito.IUserPool[];
+  readonly cognitoUserPools: IUserPoolRef[];
 
   /**
    * How long APIGateway should cache the results. Max 1 hour.
@@ -86,7 +86,7 @@ export class CognitoUserPoolsAuthorizer extends Authorizer implements IAuthorize
       name: props.authorizerName ?? Names.uniqueId(this),
       restApiId,
       type: 'COGNITO_USER_POOLS',
-      providerArns: props.cognitoUserPools.map(userPool => userPool.userPoolArn),
+      providerArns: props.cognitoUserPools.map(userPool => userPool.userPoolRef.userPoolArn),
       authorizerResultTtlInSeconds: props.resultsCacheTtl?.toSeconds(),
       identitySource: props.identitySource || IdentitySource.header('Authorization'),
     };

packages/aws-cdk-lib/aws-appsync/lib/auth-config.ts

@@ -1,8 +1,8 @@
 import { Construct } from 'constructs';
 import { CfnApiKey } from './appsync.generated';
-import { IUserPool } from '../../aws-cognito';
 import { IFunction } from '../../aws-lambda';
 import { Duration, Expiration } from '../../core';
+import { IUserPoolRef } from '../../interfaces/generated/aws-cognito-interfaces.generated';
 
 /**
  * Auth provider settings for AppSync Event APIs
@@ -71,7 +71,7 @@ export interface AppSyncCognitoConfig {
   /**
    * The Cognito user pool to use as identity source
    */
-  readonly userPool: IUserPool;
+  readonly userPool: IUserPoolRef;
   /**
    * the optional app id regex
    *

packages/aws-cdk-lib/aws-appsync/lib/eventapi.ts

@@ -95,7 +95,7 @@ class AppSyncEventApiAuthConfig implements IAppSyncAuthConfig {
   setupCognitoConfig(config?: AppSyncCognitoConfig): CfnApi.CognitoConfigProperty | undefined {
     if (!config) return undefined;
     return {
-      userPoolId: config.userPool.userPoolId,
+      userPoolId: config.userPool.userPoolRef.userPoolId,
       awsRegion: config.userPool.env.region,
       appIdClientRegex: config.appIdClientRegex,
     };

packages/aws-cdk-lib/aws-appsync/lib/graphqlapi.ts

@@ -4,14 +4,14 @@ import { IGraphqlApi, GraphqlApiBase, Visibility, AuthorizationType } from './gr
 import { ISchema, SchemaFile } from './schema';
 import { MergeType, addSourceApiAutoMergePermission, addSourceGraphQLPermission } from './source-api-association';
 import { ICertificate } from '../../aws-certificatemanager';
-import { IUserPool } from '../../aws-cognito';
 import { ManagedPolicy, Role, IRole, ServicePrincipal, IRoleRef } from '../../aws-iam';
 import { IFunction } from '../../aws-lambda';
 import { ILogGroup, LogGroup, LogRetention, RetentionDays } from '../../aws-logs';
 import { CfnResource, Duration, Expiration, FeatureFlags, IResolvable, Lazy, Stack, Token, ValidationError } from '../../core';
 import { addConstructMetadata, MethodMetadata } from '../../core/lib/metadata-resource';
 import { propertyInjectable } from '../../core/lib/prop-injectable';
 import * as cxapi from '../../cx-api';
+import { IUserPoolRef } from '../../interfaces/generated/aws-cognito-interfaces.generated';
 
 /**
  * Interface to specify default or additional authorization(s)
@@ -68,7 +68,7 @@ export interface UserPoolConfig {
   /**
    * The Cognito user pool to use as identity source
    */
-  readonly userPool: IUserPool;
+  readonly userPool: IUserPoolRef;
   /**
    * the optional app id regex
    *
@@ -892,7 +892,7 @@ export class GraphqlApi extends GraphqlApiBase {
   private setupUserPoolConfig(config?: UserPoolConfig) {
     if (!config) return undefined;
     return {
-      userPoolId: config.userPool.userPoolId,
+      userPoolId: config.userPool.userPoolRef.userPoolId,
       awsRegion: config.userPool.env.region,
       appIdClientRegex: config.appIdClientRegex,
       defaultAction: config.defaultAction || UserPoolDefaultAction.ALLOW,

packages/aws-cdk-lib/aws-cognito/lib/user-pool-client.ts

@@ -11,6 +11,7 @@ import { addConstructMetadata } from '../../core/lib/metadata-resource';
 import { propertyInjectable } from '../../core/lib/prop-injectable';
 import { AwsCustomResource, AwsCustomResourcePolicy, Logging, PhysicalResourceId } from '../../custom-resources';
 import * as cxapi from '../../cx-api';
+import { IUserPoolClientRef, UserPoolClientReference } from '../../interfaces/generated/aws-cognito-interfaces.generated';
 
 /**
  * Types of authentication flow
@@ -419,7 +420,7 @@ export interface AnalyticsConfiguration {
 /**
  * Represents a Cognito user pool client.
  */
-export interface IUserPoolClient extends IResource {
+export interface IUserPoolClient extends IResource, IUserPoolClientRef {
   /**
    * Name of the application client
    * @attribute
@@ -452,6 +453,9 @@ export class UserPoolClient extends Resource implements IUserPoolClient {
       get userPoolClientSecret(): SecretValue {
         throw new ValidationError('UserPool Client Secret is not available for imported Clients', this);
       }
+      get userPoolClientRef(): UserPoolClientReference {
+        throw new ValidationError('userPoolClientRef is not available for imported Clients without userPoolId', this);
+      }
     }
 
     return new Import(scope, id);
@@ -545,6 +549,13 @@ export class UserPoolClient extends Resource implements IUserPoolClient {
     this._userPoolClientName = props.userPoolClientName;
   }
 
+  public get userPoolClientRef(): UserPoolClientReference {
+    return {
+      userPoolId: this.userPool.userPoolId,
+      clientId: this.userPoolClientId,
+    };
+  }
+
   /**
    * The client name that was specified via the `userPoolClientName` property during initialization,
    * throws an error otherwise.

packages/aws-cdk-lib/aws-cognito/lib/user-pool-domain.ts

@@ -1,13 +1,13 @@
 import { Construct } from 'constructs';
 import { CfnUserPoolDomain } from './cognito.generated';
-import { IUserPool } from './user-pool';
 import { UserPoolClient } from './user-pool-client';
 import { ICertificate } from '../../aws-certificatemanager';
 import { IResource, Resource, Stack, Token } from '../../core';
 import { ValidationError } from '../../core/lib/errors';
 import { addConstructMetadata, MethodMetadata } from '../../core/lib/metadata-resource';
 import { propertyInjectable } from '../../core/lib/prop-injectable';
 import { AwsCustomResource, AwsCustomResourcePolicy, AwsSdkCall, PhysicalResourceId } from '../../custom-resources';
+import { IUserPoolDomainRef, IUserPoolRef, UserPoolDomainReference } from '../../interfaces/generated/aws-cognito-interfaces.generated';
 
 /**
  * The branding version of managed login for the domain.
@@ -26,7 +26,7 @@ export enum ManagedLoginVersion {
 /**
  * Represents a user pool domain.
  */
-export interface IUserPoolDomain extends IResource {
+export interface IUserPoolDomain extends IResource, IUserPoolDomainRef {
   /**
    * The domain that was specified to be created.
    * If `customDomain` was selected, this holds the full domain name that was specified.
@@ -101,7 +101,7 @@ export interface UserPoolDomainProps extends UserPoolDomainOptions {
   /**
    * The user pool to which this domain should be associated.
    */
-  readonly userPool: IUserPool;
+  readonly userPool: IUserPoolRef;
 }
 
 /**
@@ -118,13 +118,17 @@ export class UserPoolDomain extends Resource implements IUserPoolDomain {
   public static fromDomainName(scope: Construct, id: string, userPoolDomainName: string): IUserPoolDomain {
     class Import extends Resource implements IUserPoolDomain {
       public readonly domainName = userPoolDomainName;
+      get userPoolDomainRef(): UserPoolDomainReference {
+        throw new ValidationError('userPoolDomainRef is not available for imported UserPoolDomain without userPoolId', this);
+      }
     }
 
     return new Import(scope, id);
   }
 
   public readonly domainName: string;
   private isCognitoDomain: boolean;
+  private readonly userPool: IUserPoolRef;
 
   private cloudFrontCustomResource?: AwsCustomResource;
   private readonly resource: CfnUserPoolDomain;
@@ -145,10 +149,11 @@ export class UserPoolDomain extends Resource implements IUserPoolDomain {
     }
 
     this.isCognitoDomain = !!props.cognitoDomain;
+    this.userPool = props.userPool;
 
     const domainName = props.cognitoDomain?.domainPrefix || props.customDomain?.domainName!;
     this.resource = new CfnUserPoolDomain(this, 'Resource', {
-      userPoolId: props.userPool.userPoolId,
+      userPoolId: props.userPool.userPoolRef.userPoolId,
       domain: domainName,
       customDomainConfig: props.customDomain ? { certificateArn: props.customDomain.certificate.certificateArn } : undefined,
       managedLoginVersion: props.managedLoginVersion,
@@ -157,6 +162,13 @@ export class UserPoolDomain extends Resource implements IUserPoolDomain {
     this.domainName = this.resource.ref;
   }
 
+  public get userPoolDomainRef(): UserPoolDomainReference {
+    return {
+      userPoolId: this.userPool.userPoolRef.userPoolId,
+      domain: this.domainName,
+    };
+  }
+
   /**
    * The domain name of the CloudFront distribution associated with the user pool domain.
    */

packages/aws-cdk-lib/aws-cognito/lib/user-pool-group.ts

@@ -1,16 +1,16 @@
 import { Construct } from 'constructs';
 import { CfnUserPoolGroup } from './cognito.generated';
-import { IUserPool } from './user-pool';
 import { IRoleRef } from '../../aws-iam';
 import { IResource, Resource, Token } from '../../core';
 import { ValidationError } from '../../core/lib/errors';
 import { addConstructMetadata } from '../../core/lib/metadata-resource';
 import { propertyInjectable } from '../../core/lib/prop-injectable';
+import { IUserPoolGroupRef, IUserPoolRef, UserPoolGroupReference } from '../../interfaces/generated/aws-cognito-interfaces.generated';
 
 /**
  * Represents a user pool group.
  */
-export interface IUserPoolGroup extends IResource {
+export interface IUserPoolGroup extends IResource, IUserPoolGroupRef {
   /**
    * The user group name
    * @attribute
@@ -68,7 +68,7 @@ export interface UserPoolGroupProps extends UserPoolGroupOptions {
   /**
    * The user pool to which this group is associated.
    */
-  readonly userPool: IUserPool;
+  readonly userPool: IUserPoolRef;
 }
 
 /**
@@ -85,11 +85,15 @@ export class UserPoolGroup extends Resource implements IUserPoolGroup {
   public static fromGroupName(scope: Construct, id: string, groupName: string): IUserPoolGroup {
     class Import extends Resource implements IUserPoolGroup {
       public readonly groupName = groupName;
+      get userPoolGroupRef(): UserPoolGroupReference {
+        throw new ValidationError('userPoolGroupRef is not available for imported UserPoolGroup without userPoolId', this);
+      }
     }
     return new Import(scope, id);
   }
 
   public readonly groupName: string;
+  private readonly userPool: IUserPoolRef;
 
   constructor(scope: Construct, id: string, props: UserPoolGroupProps) {
     super(scope, id);
@@ -116,8 +120,10 @@ export class UserPoolGroup extends Resource implements IUserPoolGroup {
       throw new ValidationError('\`groupName\` must be between 1 and 128 characters and can include letters, numbers, and symbols.', this);
     }
 
+    this.userPool = props.userPool;
+
     const resource = new CfnUserPoolGroup(this, 'Resource', {
-      userPoolId: props.userPool.userPoolId,
+      userPoolId: props.userPool.userPoolRef.userPoolId,
       description: props.description,
       groupName: props.groupName,
       precedence: props.precedence,
@@ -126,4 +132,11 @@ export class UserPoolGroup extends Resource implements IUserPoolGroup {
 
     this.groupName = resource.ref;
   }
+
+  public get userPoolGroupRef(): UserPoolGroupReference {
+    return {
+      userPoolId: this.userPool.userPoolRef.userPoolId,
+      groupName: this.groupName,
+    };
+  }
 }

packages/aws-cdk-lib/aws-cognito/lib/user-pool-idp.ts

@@ -1,10 +1,12 @@
 import { Construct } from 'constructs';
 import { IResource, Resource } from '../../core';
+import { ValidationError } from '../../core/lib/errors';
+import { IUserPoolIdentityProviderRef, UserPoolIdentityProviderReference } from '../../interfaces/generated/aws-cognito-interfaces.generated';
 
 /**
  * Represents a UserPoolIdentityProvider
  */
-export interface IUserPoolIdentityProvider extends IResource {
+export interface IUserPoolIdentityProvider extends IResource, IUserPoolIdentityProviderRef {
   /**
    * The primary identifier of this identity provider
    * @attribute
@@ -22,6 +24,9 @@ export class UserPoolIdentityProvider {
   public static fromProviderName(scope: Construct, id: string, providerName: string): IUserPoolIdentityProvider {
     class Import extends Resource implements IUserPoolIdentityProvider {
       public readonly providerName: string = providerName;
+      get userPoolIdentityProviderRef(): UserPoolIdentityProviderReference {
+        throw new ValidationError('userPoolIdentityProviderRef is not available for imported UserPoolIdentityProvider without userPoolId', this);
+      }
     }
 
     return new Import(scope, id);

packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/private/user-pool-idp-base.ts

@@ -1,6 +1,8 @@
 import { Construct } from 'constructs';
 import { Resource } from '../../../../core';
+import { UserPoolIdentityProviderReference } from '../../../../interfaces/generated/aws-cognito-interfaces.generated';
 import { StandardAttributeNames } from '../../private/attr-names';
+import { IUserPool } from '../../user-pool';
 import { IUserPoolIdentityProvider } from '../../user-pool-idp';
 import { UserPoolIdentityProviderProps, AttributeMapping } from '../base';
 
@@ -11,12 +13,21 @@ import { UserPoolIdentityProviderProps, AttributeMapping } from '../base';
  */
 export abstract class UserPoolIdentityProviderBase extends Resource implements IUserPoolIdentityProvider {
   public abstract readonly providerName: string;
+  private readonly userPool: IUserPool;
 
   public constructor(scope: Construct, id: string, private readonly props: UserPoolIdentityProviderProps) {
     super(scope, id);
+    this.userPool = props.userPool;
     props.userPool.registerIdentityProvider(this);
   }
 
+  public get userPoolIdentityProviderRef(): UserPoolIdentityProviderReference {
+    return {
+      userPoolId: this.userPool.userPoolId,
+      providerName: this.providerName,
+    };
+  }
+
   protected configureAttributeMapping(): any {
     if (!this.props.attributeMapping) {
       return undefined;