fix(cognito): deprecate privateKey and add privateKeyValue as typed SecureValue

[pahud]

Issue # (if applicable)

Closes #31378

Reason for this change

1. privateKey was typed string which should be SecureValue just as clientSecretValue in Google IdP. This PR deprecates privateKey and adds privateKeyValue with correct type.
2. apple.ts was named by mistake and it won't be unit tested. This PR renames it to apple.test.ts so it would be covered. Figured an existing test was failed, just fixed that failed one as well.

Description of changes

• Add privateKeyValue property of type SecretValue to UserPoolIdentityProviderAppleProps
• Deprecate the existing privateKey string property
• Implement logic to ensure exactly one of privateKey or privateKeyValue is provided
• Update UserPoolIdentityProviderApple to use the new privateKeyValue when available
• Rename apple.ts test file to apple.test.ts for consistency
• Add new test case to verify mutually exclusive properties

Users must now provide either privateKey or privateKeyValue,
but not both. This change enhances security by allowing the use of SecretValue
for the Apple IDP private key.

Description of how you validated changes

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

[pahud]

Exemption Request

[GavinZZ]

Exemption Request

Have you tested this by deploying to CFN?

[pahud]

@GavinZZ

Unfortunately I don't have a valid private_key for that. And there's no existing integ test for that as well so I am offering unit tests only.

8:07:08 PM | CREATE_FAILED | AWS::Cognito::UserPoolIdentityProvider | AppleIdentityProvider6271AB3B
Provided private key cannot be used for Sign in with Apple. (Service: AWSCognitoIdentityProviderService; Status Code: 400; Error Code: InvalidParameterException;
Request ID: b28d3b10-14ca-42bc-a288-e1db34e7d6e3; Proxy: null)

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 9f78329
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.