
@pahud
Contributor

@pahud pahud commented Nov 12, 2025

Issue # (if applicable)

Closes #36023.

Reason for this change

CDK v2.181.0 introduced validation that blocks deployments of existing Cognito User Pools with threat protection enabled on LITE feature plans. This validation incorrectly assumes all user pools must follow current AWS requirements, but existing user pools on LITE plans are grandfathered and can legitimately use threat protection. This regression prevents users from upgrading CDK beyond v2.160.0.

Description of changes

Removed two CDK-level validation blocks in UserPool construct that incorrectly rejected threat protection configurations on non-PLUS feature plans:

  • Removed validation blocking advancedSecurityMode (deprecated property) on LITE/ESSENTIALS plans
  • Removed validation blocking standardThreatProtectionMode and customThreatProtectionMode on LITE/ESSENTIALS plans
  • Kept validation preventing simultaneous use of deprecated and new threat protection properties
  • Updated unit tests to verify CloudFormation template generation instead of expecting validation errors

Rationale: CDK cannot determine the actual feature plan of existing user pools at synthesis time. CloudFormation validates feature plan requirements at deployment time, which correctly allows grandfathered user pools to continue working while still catching invalid configurations for new resources.

Describe any new or updated permissions being added

N/A - No IAM permissions or resource access changes.

Description of how you validated changes

  • Unit tests: Updated 3 test blocks (12 test cases) to verify CloudFormation template generation for all combinations of feature plans and threat protection modes. All 339 unit tests in aws-cognito module pass.
  • Build validation: TypeScript compilation, JSII compatibility, and linting all pass successfully.
  • Regression testing: Verified that validation for conflicting properties (using deprecated and new threat protection properties together) still works correctly.

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

- Remove runtime validation of feature plan requirements for threat protection
- Allow CloudFormation to handle validation of threat protection settings
- Update test cases to generate CloudFormation templates instead of throwing errors
- Preserve existing behavior for user pools with grandfathered configurations
- Improve flexibility for user pool configuration across different feature plans
This change allows more flexible configuration of Cognito User Pool threat protection settings during CDK synthesis, deferring strict validation to CloudFormation deployment time.

- Remove feature plan validation statement for Threat Protection
- Add clarifying note about feature plan requirements for new user pools
- Improve documentation readability for Threat Protection section
- Explain CDK and CloudFormation behavior for threat protection configuration
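As an added illustration of the rationale above (not code from aws-cdk-lib or from this PR), the two synth-time validators modelled in plain TypeScript: the pre-PR one rejected any threat protection setting on a LITE or ESSENTIALS plan, including grandfathered pools, while the post-PR one keeps only the conflict check between the deprecated and new properties. The props shape, the plan names as strings and the mode values are simplified assumptions.

```typescript
// Added illustration, not aws-cdk-lib code: models the synth-time checks the PR
// describes. Plan names follow the PR text; the props object is a simplified
// stand-in for the UserPool construct's props.
type FeaturePlan = "LITE" | "ESSENTIALS" | "PLUS";

interface ThreatProtectionProps {
  featurePlan?: FeaturePlan;              // undefined: not set in the stack
  advancedSecurityMode?: string;          // deprecated property
  standardThreatProtectionMode?: string;  // new property
  customThreatProtectionMode?: string;    // new property
}

function usesThreatProtection(p: ThreatProtectionProps): boolean {
  return p.advancedSecurityMode !== undefined ||
    p.standardThreatProtectionMode !== undefined ||
    p.customThreatProtectionMode !== undefined;
}

// Check the PR keeps: the deprecated property must not be mixed with the new ones.
function conflictErrors(p: ThreatProtectionProps): string[] {
  const mixed = p.advancedSecurityMode !== undefined &&
    (p.standardThreatProtectionMode !== undefined ||
      p.customThreatProtectionMode !== undefined);
  return mixed
    ? ["advancedSecurityMode cannot be used together with the threat protection mode properties"]
    : [];
}

// Behaviour before the PR (CDK v2.181.0 and later): any threat protection
// setting on a LITE or ESSENTIALS plan fails at synth time, even though an
// existing, grandfathered pool on that plan is allowed to keep the feature.
function validateBefore(p: ThreatProtectionProps): string[] {
  const errors = conflictErrors(p);
  const nonPlus = p.featurePlan === "LITE" || p.featurePlan === "ESSENTIALS";
  if (usesThreatProtection(p) && nonPlus) {
    errors.push("threat protection requires the PLUS feature plan");
  }
  return errors;
}

// Behaviour after the PR: only the conflict check remains at synth time;
// plan compatibility is checked by CloudFormation at deployment, where the
// real plan of an existing pool is known.
function validateAfter(p: ThreatProtectionProps): string[] {
  return conflictErrors(p);
}
```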
@github-actions github-actions bot added bug This issue is a bug. effort/small Small work item – less than a day of effort p1 labels Nov 12, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team November 12, 2025 13:15
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Nov 12, 2025
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

(This review is outdated)

@pahud
Contributor Author

pahud commented Nov 12, 2025

Exemption Request - remove synth-time validations. No integ tests update required.

@aws-cdk-automation aws-cdk-automation added the pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. label Nov 12, 2025
@leonmk-aws leonmk-aws self-assigned this Nov 12, 2025
@leonmk-aws leonmk-aws added the pr-linter/exempt-integ-test The PR linter will not require integ test changes label Nov 14, 2025
@aws-cdk-automation aws-cdk-automation dismissed their stale review November 14, 2025 12:22

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@mergify
Contributor

mergify bot commented Nov 14, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 172c65f into aws:main Nov 14, 2025
18 of 19 checks passed
@github-actions
Contributor

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 14, 2025

Development

Successfully merging this pull request may close these issues.

Cognito User Pool: CDK Version update blocking existing user pools threat protection