export const meta = {
  title: `Override Amplify-generated Cognito resources`,
  description: 'The "amplify override auth" command generates a developer-configurable "overrides" TypeScript file which provides Amplify-generated Cognito resources as CDK constructs. For example, developers can set auth settings that are not directly available in the Amplify CLI workflow, such as the number of valid days for a temporary password.',
};

```bash
amplify override auth
```

Run the command above to override Amplify-generated auth resources including Amazon Cognito user pool, identity pool, user pool groups, and more.

The command creates a new `overrides.ts` file under `amplify/backend/auth/<resource-name>/` which provides you the Amplify-generated resources as [CDK constructs](https://docs.aws.amazon.com/cdk/latest/guide/home.html).

## Customize Amplify-generated Cognito auth resources

Apply all the overrides in the `override(...)` function. For example, to update the temporary password validity days for your Cognito user pool:

```ts
import { AmplifyAuthCognitoStackTemplate } from '@aws-amplify/cli-extensibility-helper';

export function override(resources: AmplifyAuthCognitoStackTemplate) {
  resources.userPool.policies = { // Set the user pool policies
    passwordPolicy: {
      ...resources.userPool.policies["passwordPolicy"], // Carry over existing settings
      temporaryPasswordValidityDays: 3 // Add new setting not provided Amplify's default
    }
  }
}
```

Or add a custom attribute to your Cognito user pool:

<Callout warning>

Removing or adding an attribute on a Cognito userpool schema including default attributes (e.g. `email`) will cause errors such as 
`Invalid AttributeDataType input, consider using the provided AttributeDataType enum` as CloudFormation interprets this as schema change. 

</Callout>

<Callout warning>

Custom attributes can not be renamed or deleted after you create them.

</Callout>

```ts
import { AmplifyAuthCognitoStackTemplate } from '@aws-amplify/cli-extensibility-helper'

export function override(resources: AmplifyAuthCognitoStackTemplate) {
  const myCustomAttribute = {
    attributeDataType: 'String',
    developerOnlyAttribute: false,
    mutable: true,
    name: 'my_custom_attribute',
    required: false,
  }
  resources.userPool.schema = [
    ...(resources.userPool.schema as any[]), // Carry over existing attributes (example: email)
    myCustomAttribute,
  ]
}
```

You can override the following auth resources that Amplify generates:

|Amplify-generated resource|Description|
|-|-|
|[customMessageConfirmationBucket](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html)|S3 bucket used for custom message triggers|
|[snsRole](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html)|SNS role for sending authentication-related messages|
|[userPool](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html)|The Cognito user pool that enables user sign-up and sign-in|
|[userPoolClientWeb](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html)|A Cognito user pool client for web apps|
|[userPoolClient](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html)|A Cognito user pool client for mobile apps|
|[identityPool](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html)|A Cognito identity pool to federate identities|
|[identityPoolRoleMap](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html)|Role mapping for authenticated and unauthenticated user roles|
|[lambdaConfigPermissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html)|Permissions for Lambda function to access Cognito user pool and identity pool |
|[lambdaTriggerPermissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html)|IAM policy attached to Cognito Lambda triggers|
|[userPoolClientLambda](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html)|Lambda function to fetch app client secret from user pool client|
|[userPoolClientRole](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html)|IAM Role for Lambda function to fetch app client secret from user pool client|
|[userPoolClientLambdaPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html)|IAM Policy for Lambda function to fetch app client secret from user pool client|
|[userPoolClientLogPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html)|IAM Policy to enable CloudWatch logging for Lambda function to fetch app client secret from user pool client|
|[userPoolClientInputs](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudformation.CustomResource.html)|Custom CloudFormation resource to fetch app client secret from user pool client|
|[hostedUICustomResource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html)|Lambda function to enable Cognito user pool Hosted UI login|
|[hostedUICustomResourcePolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html)|IAM Policy for Lambda function to enable Cognito user pool Hosted UI login|
|[hostedUICustomResourceLogPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html)|IAM Policy to enable CloudWatch logging for Lambda function to enable Cognito user pool Hosted UI login|
|[hostedUICustomResourceInputs](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudformation.CustomResource.html)|Custom CloudFormation resource to enable Cognito user pool Hosted UI login|
|[hostedUIProvidersCustomResource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html)|Lambda function to configure Hosted UI with 3rd party identity providers|
|[hostedUIProvidersCustomResourcePolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html)|IAM Policy for Lambda function to configure Hosted UI with 3rd party identity provider|
|[hostedUIProvidersCustomResourceLogPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html)|IAM Policy to enable CloudWatch logging for Lambda function to configure Hosted UI with 3rd party identity provider|
|[hostedUIProvidersCustomResourceInputs](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudformation.CustomResource.html)|Custom CloudFormation resource to configure Hosted UI with 3rd party identity provider|
|[oAuthCustomResource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html)|Lambda function to enable OAuth|
|[oAuthCustomResourcePolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html)|IAM Policy for OAuth custom CloudFormation resource|
|[oAuthCustomResourceLogPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html)|IAM Policy to enable CloudWatch logging for OAuth Lambda function|
|[oAuthCustomResourceInputs](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudformation.CustomResource.html)|Custom CloudFormation resource to enable OAuth|
|[mfaLambda](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html)|Lambda function to enable multi-factor authentication function|
|[mfaLogPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html)|IAM Policy to enable CloudWatch logging for multi-factor authentication Lambda function|
|[mfaLambdaPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html)|IAM Policy for multi-factor authentication Lambda function|
|[mfaLambdaInputs](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudformation.CustomResource.html)|Custom CloudFormation resource to enable multi-factor authentication|
|[mfaLambdaRole](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html)|IAM Execution Role for multi-factor authentication Lambda function|
|[openIdLambda](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html)|Lambda function to enable OpenID Connect|
|[openIdLogPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html)|IAM Policy to enable CloudWatch logging for OpenID Connect Lambda function|
|[openIdLambdaIAMPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html)|IAM Policy to enable OpenID Connect Lambda function|
|[openIdLambdaInputs](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudformation.CustomResource.html)|Custom CloudFormation resource to enable OpenID Connect|
|[openIdLambdaRole](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html)|Lambda Execution Role for OpenID Connect Lambda function|

## Customize Amplify-generated Cognito user group resources

Apply all the overrides in the `override(...)` function. For example to add a path to the lambda execution role that facilitates the user pool group to role mapping:
```ts
import { AmplifyUserPoolGroupStackTemplate } from '@aws-amplify/cli-extensibility-helper';

export function override(resources: AmplifyUserPoolGroupStackTemplate) {
  resources.lambdaExecutionRole.path = "/<my-path>/" // Note: CFN does not allow you to modify the path after creation
}
```

You can override the following user pool group resources that Amplify generates:

|Amplify-generated resource|Description|
|-|-|
|[userPoolGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolgroup.html)|The map of user pool groups|
|[userPoolGroupRole](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html)|The map of user pool group roles|
|[roleMapCustomResource](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudformation.CustomResource.html)|A custom CloudFormation resource to map user pool groups to their roles|
|[lambdaExecutionRole](https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html)|Lambda execution role for the "user pool group"-to-role mapping function|
|[roleMapLambdaFunction](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html)|The Lambda function that facilitates the user pool group to role mapping|


## Customize Amplify-generated Cognito auth resources with social providers

Apply all the overrides in the `override(...)` function. For example to add social providers to your Cognito user pool:

```ts
import { AmplifyAuthCognitoStackTemplate } from "@aws-amplify/cli-extensibility-helper";

export function override(resources: AmplifyAuthCognitoStackTemplate) {
  resources.addCfnResource(
    {
      type: "AWS::Cognito::UserPoolIdentityProvider",
      properties: {
        AttributeMapping: {
          preferred_username: "email",
          email: "email"
        },
        ProviderDetails: {
          client_id: "test",
          client_secret: "test",
          authorize_scopes: "test",
        },
        ProviderName: "LoginWithAmazon",
        ProviderType: "LoginWithAmazon",
        UserPoolId: {
          Ref: "UserPool",
        },
      },
    },
    "amazon-social-provider"
  );
}
```