feat(cognito): use secretsmanager secrets for clientSecretValue (#22885)

…nd validating if at least one is informed


----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: saleco

packages/@aws-cdk/aws-cognito/README.md

@@ -573,6 +573,21 @@ const provider = new cognito.UserPoolIdentityProviderAmazon(this, 'Amazon', {
 });
 ```
 
+Using Google identity provider is possible to use clientSecretValue with SecretValue from secrets manager.
+
+```ts
+const userpool = new cognito.UserPool(this, 'Pool');
+const secret = secretsManager.Secret.fromSecretAttributes(this, "CognitoClientSecret", {
+    secretCompleteArn: "arn:aws:secretsmanager:xxx:xxx:secret:xxx-xxx"
+}).secretValue
+
+const provider = new cognito.UserPoolIdentityProviderGoogle(this, 'Google', {
+  clientId: 'amzn-client-id',
+  clientSecretValue: secret,
+  userPool: userpool,
+});
+```
+
 Attribute mapping allows mapping attributes provided by the third-party identity providers to [standard and custom
 attributes](#Attributes) of the user pool. Learn more about [Specifying Identity Provider Attribute Mappings for Your
 User Pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html).

packages/@aws-cdk/aws-cognito/lib/user-pool-idps/google.ts

@@ -1,3 +1,4 @@
+import { SecretValue } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnUserPoolIdentityProvider } from '../cognito.generated';
 import { UserPoolIdentityProviderProps } from './base';
@@ -15,8 +16,16 @@ export interface UserPoolIdentityProviderGoogleProps extends UserPoolIdentityPro
   /**
    * The client secret to be accompanied with clientId for Google APIs to authenticate the client.
    * @see https://developers.google.com/identity/sign-in/web/sign-in
+   * @default none
+   * @deprecated use clientSecretValue instead
    */
-  readonly clientSecret: string;
+  readonly clientSecret?: string;
+  /**
+   * The client secret to be accompanied with clientId for Google APIs to authenticate the client as SecretValue
+   * @see https://developers.google.com/identity/sign-in/web/sign-in
+   * @default none
+   */
+  readonly clientSecretValue?: SecretValue;
   /**
    * The list of google permissions to obtain for getting access to the google profile
    * @see https://developers.google.com/identity/sign-in/web/sign-in
@@ -37,13 +46,19 @@ export class UserPoolIdentityProviderGoogle extends UserPoolIdentityProviderBase
 
     const scopes = props.scopes ?? ['profile'];
 
+    //at least one of the properties must be configured
+    if ((!props.clientSecret && !props.clientSecretValue) ||
+      (props.clientSecret && props.clientSecretValue)) {
+      throw new Error('Exactly one of "clientSecret" or "clientSecretValue" must be configured.');
+    }
+
     const resource = new CfnUserPoolIdentityProvider(this, 'Resource', {
       userPoolId: props.userPool.userPoolId,
       providerName: 'Google', // must be 'Google' when the type is 'Google'
       providerType: 'Google',
       providerDetails: {
         client_id: props.clientId,
-        client_secret: props.clientSecret,
+        client_secret: props.clientSecretValue ? props.clientSecretValue.unsafeUnwrap() : props.clientSecret,
         authorize_scopes: scopes.join(' '),
       },
       attributeMapping: super.configureAttributeMapping(),

packages/@aws-cdk/aws-cognito/test/integ.user-pool-idp.google.js.snapshot/cdk.out

@@ -1 +1 @@
-{"version":"20.0.0"}
+{"version":"21.0.0"}

packages/@aws-cdk/aws-cognito/test/integ.user-pool-idp.google.js.snapshot/integ-user-pool-idp-google.assets.json

@@ -1,15 +1,15 @@
 {
-  "version": "20.0.0",
+  "version": "21.0.0",
   "files": {
-    "79536373e9b12c019b3f973b117c3673ee38c74b1d6ec98e640e039bc242cac9": {
+    "3f71d591e59a499e629b4e779bfb0ca43a99273439cdca3810400c323ae66100": {
       "source": {
         "path": "integ-user-pool-idp-google.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "79536373e9b12c019b3f973b117c3673ee38c74b1d6ec98e640e039bc242cac9.json",
+          "objectKey": "3f71d591e59a499e629b4e779bfb0ca43a99273439cdca3810400c323ae66100.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

packages/@aws-cdk/aws-cognito/test/integ.user-pool-idp.google.js.snapshot/integ-user-pool-idp-google.template.json

@@ -69,6 +69,18 @@
     }
    }
   },
+  "GoogleClientSecretValueD28C3034": {
+   "Type": "AWS::SecretsManager::Secret",
+   "Properties": {
+    "GenerateSecretString": {
+     "ExcludePunctuation": true,
+     "PasswordLength": 20
+    },
+    "Name": "GoogleClientSecretValueName"
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
   "googleDB2C5242": {
    "Type": "AWS::Cognito::UserPoolIdentityProvider",
    "Properties": {
@@ -86,7 +98,18 @@
     },
     "ProviderDetails": {
      "client_id": "google-client-id",
-     "client_secret": "google-client-secret",
+     "client_secret": {
+      "Fn::Join": [
+       "",
+       [
+        "{{resolve:secretsmanager:",
+        {
+         "Ref": "GoogleClientSecretValueD28C3034"
+        },
+        ":SecretString:::}}"
+       ]
+      ]
+     },
      "authorize_scopes": "profile"
     }
    }

packages/@aws-cdk/aws-cognito/test/integ.user-pool-idp.google.js.snapshot/integ.json

@@ -1,5 +1,5 @@
 {
-  "version": "20.0.0",
+  "version": "21.0.0",
   "testCases": {
     "integ.user-pool-idp.google": {
       "stacks": [

packages/@aws-cdk/aws-cognito/test/integ.user-pool-idp.google.js.snapshot/manifest.json

@@ -1,12 +1,6 @@
 {
-  "version": "20.0.0",
+  "version": "21.0.0",
   "artifacts": {
-    "Tree": {
-      "type": "cdk:tree",
-      "properties": {
-        "file": "tree.json"
-      }
-    },
     "integ-user-pool-idp-google.assets": {
       "type": "cdk:asset-manifest",
       "properties": {
@@ -23,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/79536373e9b12c019b3f973b117c3673ee38c74b1d6ec98e640e039bc242cac9.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/3f71d591e59a499e629b4e779bfb0ca43a99273439cdca3810400c323ae66100.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [
@@ -57,6 +51,12 @@
             "data": "pooldomain430FA744"
           }
         ],
+        "/integ-user-pool-idp-google/GoogleClientSecretValue/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "GoogleClientSecretValueD28C3034"
+          }
+        ],
         "/integ-user-pool-idp-google/google/Resource": [
           {
             "type": "aws:cdk:logicalId",
@@ -83,6 +83,12 @@
         ]
       },
       "displayName": "integ-user-pool-idp-google"
+    },
+    "Tree": {
+      "type": "cdk:tree",
+      "properties": {
+        "file": "tree.json"
+      }
     }
   }
 }

packages/@aws-cdk/aws-cognito/test/integ.user-pool-idp.google.js.snapshot/tree.json

@@ -4,14 +4,6 @@
     "id": "App",
     "path": "",
     "children": {
-      "Tree": {
-        "id": "Tree",
-        "path": "Tree",
-        "constructInfo": {
-          "fqn": "constructs.Construct",
-          "version": "10.1.85"
-        }
-      },
       "integ-user-pool-idp-google": {
         "id": "integ-user-pool-idp-google",
         "path": "integ-user-pool-idp-google",
@@ -137,6 +129,42 @@
               "version": "0.0.0"
             }
           },
+          "GoogleClientSecretValue": {
+            "id": "GoogleClientSecretValue",
+            "path": "integ-user-pool-idp-google/GoogleClientSecretValue",
+            "children": {
+              "Resource": {
+                "id": "Resource",
+                "path": "integ-user-pool-idp-google/GoogleClientSecretValue/Resource",
+                "attributes": {
+                  "aws:cdk:cloudformation:type": "AWS::SecretsManager::Secret",
+                  "aws:cdk:cloudformation:props": {
+                    "generateSecretString": {
+                      "excludePunctuation": true,
+                      "passwordLength": 20
+                    },
+                    "name": "GoogleClientSecretValueName"
+                  }
+                },
+                "constructInfo": {
+                  "fqn": "@aws-cdk/aws-secretsmanager.CfnSecret",
+                  "version": "0.0.0"
+                }
+              }
+            },
+            "constructInfo": {
+              "fqn": "@aws-cdk/aws-secretsmanager.Secret",
+              "version": "0.0.0"
+            }
+          },
+          "GoogleClientSecretValue2": {
+            "id": "GoogleClientSecretValue2",
+            "path": "integ-user-pool-idp-google/GoogleClientSecretValue2",
+            "constructInfo": {
+              "fqn": "@aws-cdk/core.Resource",
+              "version": "0.0.0"
+            }
+          },
           "google": {
             "id": "google",
             "path": "integ-user-pool-idp-google/google",
@@ -161,7 +189,18 @@
                     },
                     "providerDetails": {
                       "client_id": "google-client-id",
-                      "client_secret": "google-client-secret",
+                      "client_secret": {
+                        "Fn::Join": [
+                          "",
+                          [
+                            "{{resolve:secretsmanager:",
+                            {
+                              "Ref": "GoogleClientSecretValueD28C3034"
+                            },
+                            ":SecretString:::}}"
+                          ]
+                        ]
+                      },
                       "authorize_scopes": "profile"
                     }
                   }
@@ -181,20 +220,44 @@
             "id": "SignInLink",
             "path": "integ-user-pool-idp-google/SignInLink",
             "constructInfo": {
-              "fqn": "constructs.Construct",
-              "version": "10.1.85"
+              "fqn": "@aws-cdk/core.CfnOutput",
+              "version": "0.0.0"
+            }
+          },
+          "BootstrapVersion": {
+            "id": "BootstrapVersion",
+            "path": "integ-user-pool-idp-google/BootstrapVersion",
+            "constructInfo": {
+              "fqn": "@aws-cdk/core.CfnParameter",
+              "version": "0.0.0"
+            }
+          },
+          "CheckBootstrapVersion": {
+            "id": "CheckBootstrapVersion",
+            "path": "integ-user-pool-idp-google/CheckBootstrapVersion",
+            "constructInfo": {
+              "fqn": "@aws-cdk/core.CfnRule",
+              "version": "0.0.0"
             }
           }
         },
+        "constructInfo": {
+          "fqn": "@aws-cdk/core.Stack",
+          "version": "0.0.0"
+        }
+      },
+      "Tree": {
+        "id": "Tree",
+        "path": "Tree",
         "constructInfo": {
           "fqn": "constructs.Construct",
-          "version": "10.1.85"
+          "version": "10.1.161"
         }
       }
     },
     "constructInfo": {
-      "fqn": "constructs.Construct",
-      "version": "10.1.85"
+      "fqn": "@aws-cdk/core.App",
+      "version": "0.0.0"
     }
   }
 }

packages/@aws-cdk/aws-cognito/test/integ.user-pool-idp.google.ts

@@ -1,22 +1,37 @@
+import { Secret } from '@aws-cdk/aws-secretsmanager';
 import { App, CfnOutput, RemovalPolicy, Stack } from '@aws-cdk/core';
 import { ProviderAttribute, UserPool, UserPoolIdentityProviderGoogle } from '../lib';
 
+
 /*
  * Stack verification steps
  * * Visit the URL provided by stack output 'SignInLink' in a browser, and verify the 'Google' sign in link shows up.
  * * If you plug in valid 'Google' credentials, the federated log in should work.
  */
+
 const app = new App();
 const stack = new Stack(app, 'integ-user-pool-idp-google');
 
 const userpool = new UserPool(stack, 'pool', {
   removalPolicy: RemovalPolicy.DESTROY,
 });
 
+const secret = new Secret(stack, 'GoogleClientSecretValue', {
+  secretName: 'GoogleClientSecretValueName',
+  generateSecretString: {
+    excludePunctuation: true,
+    passwordLength: 20,
+  },
+});
+
+const clientSecret = Secret.fromSecretAttributes(stack, 'GoogleClientSecretValue2', {
+  secretCompleteArn: secret.secretArn,
+}).secretValue;
+
 new UserPoolIdentityProviderGoogle(stack, 'google', {
   userPool: userpool,
   clientId: 'google-client-id',
-  clientSecret: 'google-client-secret',
+  clientSecretValue: clientSecret,
   attributeMapping: {
     givenName: ProviderAttribute.GOOGLE_GIVEN_NAME,
     familyName: ProviderAttribute.GOOGLE_FAMILY_NAME,

packages/@aws-cdk/aws-cognito/test/user-pool-idps/google.test.ts

@@ -1,5 +1,5 @@
 import { Template } from '@aws-cdk/assertions';
-import { Stack } from '@aws-cdk/core';
+import { SecretValue, Stack } from '@aws-cdk/core';
 import { ProviderAttribute, UserPool, UserPoolIdentityProviderGoogle } from '../../lib';
 
 describe('UserPoolIdentityProvider', () => {
@@ -13,7 +13,7 @@ describe('UserPoolIdentityProvider', () => {
       new UserPoolIdentityProviderGoogle(stack, 'userpoolidp', {
         userPool: pool,
         clientId: 'google-client-id',
-        clientSecret: 'google-client-secret',
+        clientSecretValue: SecretValue.unsafePlainText('google-client-secret'),
       });
 
       Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolIdentityProvider', {
@@ -36,7 +36,7 @@ describe('UserPoolIdentityProvider', () => {
       new UserPoolIdentityProviderGoogle(stack, 'userpoolidp', {
         userPool: pool,
         clientId: 'google-client-id',
-        clientSecret: 'google-client-secret',
+        clientSecretValue: SecretValue.unsafePlainText('google-client-secret'),
         scopes: ['scope1', 'scope2'],
       });
 
@@ -60,7 +60,7 @@ describe('UserPoolIdentityProvider', () => {
       const provider = new UserPoolIdentityProviderGoogle(stack, 'userpoolidp', {
         userPool: pool,
         clientId: 'google-client-id',
-        clientSecret: 'google-client-secret',
+        clientSecretValue: SecretValue.unsafePlainText('google-client-secret'),
       });
 
       // THEN
@@ -76,7 +76,7 @@ describe('UserPoolIdentityProvider', () => {
       new UserPoolIdentityProviderGoogle(stack, 'userpoolidp', {
         userPool: pool,
         clientId: 'google-client-id',
-        clientSecret: 'google-client-secret',
+        clientSecretValue: SecretValue.unsafePlainText('google-client-secret'),
         attributeMapping: {
           givenName: ProviderAttribute.GOOGLE_NAME,
           address: ProviderAttribute.other('google-address'),