feat(cognito): user pool feature plans

[Tietew]

Issue # (if applicable)

N/A

Reason for this change

Amazon Cognito introduces the feature plans which replaces the Advanced Security Mode.
See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html

Related to #32369 - passwordless sign-in requires Essentials or higher feature plan.

Description of changes

• Add new featurePlan property and FeaturePlan enum to specify user pool feature plan.
• Deprecate advancedSecurityMode property and AdvancedSecurityMode enum.

Note that the previous AWS document about Advanced Security Mode is now redirected to Advanced security with threat protection.

Description of how you validated changes

Added new unit tests and an integ test.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[Tietew]

If the advanced security mode is enabled with Essentials or Plus feature plan, CloudFormation will fail with following error:

Resource handler returned message: "The following features need to be disabled for the ESSENTIALS pricing tier configured: Threat Protection (Service: CognitoIdenti
tyProvider, Status Code: 400, Request ID: xx)"

We cannot validate advancedSecurityMode is off when featurePlan is not specified (defaults to Essentials) because existing user pools are set to Lite feature plan for backward compatibility and CDK cannot determine what the actual feature plan is.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.66%. Comparing base (f4c19c7) to head (0be6672).
Report is 3 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #32367      +/-   ##
==========================================
- Coverage   78.67%   78.66%   -0.02%     
==========================================
  Files         107      107              
  Lines        7237     7237              
  Branches     1329     1329              
==========================================
- Hits         5694     5693       -1     
- Misses       1357     1358       +1     
  Partials      186      186              

Flag	Coverage Δ
suite.unit	78.66% <ø> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	78.66% <ø> (-0.02%)	⬇️

[GavinZZ]

One comment on the validation part.

[Tietew]

@Mergifyio update

[mergify]

update

✅ Branch has been successfully updated

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[Tietew]

@Mergifyio update

[mergify]

update

✅ Branch has been successfully updated

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 0be6672
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.