github.com/pulumi/pulumi-aws/sdk/v6@v6.32.0/go/aws/cognito/managedUserPoolClient.go

// Code generated by the Pulumi Terraform Bridge (tfgen) Tool DO NOT EDIT.
// *** WARNING: Do not edit by hand unless you're certain you know what you are doing! ***

package cognito

import (
	"context"
	"reflect"

	"errors"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/internal"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// Use the `cognito.UserPoolClient` resource to manage a Cognito User Pool Client.
//
// **This resource is advanced** and has special caveats to consider before use. Please read this document completely before using the resource.
//
// Use the `cognito.ManagedUserPoolClient` resource to manage a Cognito User Pool Client that is automatically created by an AWS service. For instance, when [configuring an OpenSearch Domain to use Cognito authentication](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/cognito-auth.html), the OpenSearch service creates the User Pool Client during setup and removes it when it is no longer required. As a result, the `cognito.ManagedUserPoolClient` resource does not create or delete this resource, but instead assumes management of it.
//
// Use the `cognito.UserPoolClient` resource to manage Cognito User Pool Clients for normal use cases.
//
// ## Example Usage
//
// <!--Start PulumiCodeChooser -->
// ```go
// package main
//
// import (
//
//	"fmt"
//
//	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
//	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cognito"
//	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
//	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/opensearch"
//	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
//
// )
//
//	func main() {
//		pulumi.Run(func(ctx *pulumi.Context) error {
//			exampleUserPool, err := cognito.NewUserPool(ctx, "example", &cognito.UserPoolArgs{
//				Name: pulumi.String("example"),
//			})
//			if err != nil {
//				return err
//			}
//			exampleIdentityPool, err := cognito.NewIdentityPool(ctx, "example", &cognito.IdentityPoolArgs{
//				IdentityPoolName: pulumi.String("example"),
//			})
//			if err != nil {
//				return err
//			}
//			current, err := aws.GetPartition(ctx, nil, nil)
//			if err != nil {
//				return err
//			}
//			example, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
//				Statements: []iam.GetPolicyDocumentStatement{
//					{
//						Sid: pulumi.StringRef(""),
//						Actions: []string{
//							"sts:AssumeRole",
//						},
//						Effect: pulumi.StringRef("Allow"),
//						Principals: []iam.GetPolicyDocumentStatementPrincipal{
//							{
//								Type: "Service",
//								Identifiers: []string{
//									fmt.Sprintf("es.%v", current.DnsSuffix),
//								},
//							},
//						},
//					},
//				},
//			}, nil)
//			if err != nil {
//				return err
//			}
//			exampleRole, err := iam.NewRole(ctx, "example", &iam.RoleArgs{
//				Name:             pulumi.String("example-role"),
//				Path:             pulumi.String("/service-role/"),
//				AssumeRolePolicy: pulumi.String(example.Json),
//			})
//			if err != nil {
//				return err
//			}
//			exampleRolePolicyAttachment, err := iam.NewRolePolicyAttachment(ctx, "example", &iam.RolePolicyAttachmentArgs{
//				Role:      exampleRole.Name,
//				PolicyArn: pulumi.String(fmt.Sprintf("arn:%v:iam::aws:policy/AmazonESCognitoAccess", current.Partition)),
//			})
//			if err != nil {
//				return err
//			}
//			exampleDomain, err := opensearch.NewDomain(ctx, "example", &opensearch.DomainArgs{
//				DomainName: pulumi.String("example"),
//				CognitoOptions: &opensearch.DomainCognitoOptionsArgs{
//					Enabled:        pulumi.Bool(true),
//					UserPoolId:     exampleUserPool.ID(),
//					IdentityPoolId: exampleIdentityPool.ID(),
//					RoleArn:        exampleRole.Arn,
//				},
//				EbsOptions: &opensearch.DomainEbsOptionsArgs{
//					EbsEnabled: pulumi.Bool(true),
//					VolumeSize: pulumi.Int(10),
//				},
//			}, pulumi.DependsOn([]pulumi.Resource{
//				exampleAwsCognitoUserPoolDomain,
//				exampleRolePolicyAttachment,
//			}))
//			if err != nil {
//				return err
//			}
//			_, err = cognito.NewManagedUserPoolClient(ctx, "example", &cognito.ManagedUserPoolClientArgs{
//				NamePrefix: pulumi.String("AmazonOpenSearchService-example"),
//				UserPoolId: exampleUserPool.ID(),
//			}, pulumi.DependsOn([]pulumi.Resource{
//				exampleDomain,
//			}))
//			if err != nil {
//				return err
//			}
//			return nil
//		})
//	}
//
// ```
// <!--End PulumiCodeChooser -->
//
// ## Import
//
// Using `pulumi import`, import Cognito User Pool Clients using the `id` of the Cognito User Pool and the `id` of the Cognito User Pool Client. For example:
//
// ```sh
// $ pulumi import aws:cognito/managedUserPoolClient:ManagedUserPoolClient client us-west-2_abc123/3ho4ek12345678909nh3fmhpko
// ```
type ManagedUserPoolClient struct {
	pulumi.CustomResourceState

	// Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.access_token`.
	AccessTokenValidity pulumi.IntOutput `pulumi:"accessTokenValidity"`
	// List of allowed OAuth flows, including code, implicit, and client_credentials.
	AllowedOauthFlows pulumi.StringArrayOutput `pulumi:"allowedOauthFlows"`
	// Whether the client is allowed to use the OAuth protocol when interacting with Cognito user pools.
	AllowedOauthFlowsUserPoolClient pulumi.BoolOutput `pulumi:"allowedOauthFlowsUserPoolClient"`
	// List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin.
	AllowedOauthScopes pulumi.StringArrayOutput `pulumi:"allowedOauthScopes"`
	// Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
	AnalyticsConfiguration ManagedUserPoolClientAnalyticsConfigurationPtrOutput `pulumi:"analyticsConfiguration"`
	// Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for `authSessionValidity` are between `3` and `15`, with a default value of `3`.
	AuthSessionValidity pulumi.IntOutput `pulumi:"authSessionValidity"`
	// List of allowed callback URLs for the identity providers.
	CallbackUrls pulumi.StringArrayOutput `pulumi:"callbackUrls"`
	// Client secret of the user pool client.
	ClientSecret pulumi.StringOutput `pulumi:"clientSecret"`
	// Default redirect URI and must be included in the list of callback URLs.
	DefaultRedirectUri pulumi.StringOutput `pulumi:"defaultRedirectUri"`
	// Enables the propagation of additional user context data.
	EnablePropagateAdditionalUserContextData pulumi.BoolOutput `pulumi:"enablePropagateAdditionalUserContextData"`
	// Enables or disables token revocation.
	EnableTokenRevocation pulumi.BoolOutput `pulumi:"enableTokenRevocation"`
	// List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
	ExplicitAuthFlows pulumi.StringArrayOutput `pulumi:"explicitAuthFlows"`
	// Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.id_token`.
	IdTokenValidity pulumi.IntOutput `pulumi:"idTokenValidity"`
	// List of allowed logout URLs for the identity providers.
	LogoutUrls pulumi.StringArrayOutput `pulumi:"logoutUrls"`
	// Name of the user pool client.
	Name pulumi.StringOutput `pulumi:"name"`
	// Regular expression that matches the name of the desired User Pool Client. It must only match one User Pool Client.
	NamePattern pulumi.StringPtrOutput `pulumi:"namePattern"`
	// String that matches the beginning of the name of the desired User Pool Client. It must match only one User Pool Client.
	//
	// The following arguments are optional:
	NamePrefix pulumi.StringPtrOutput `pulumi:"namePrefix"`
	// Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
	PreventUserExistenceErrors pulumi.StringOutput `pulumi:"preventUserExistenceErrors"`
	// List of user pool attributes that the application client can read from.
	ReadAttributes pulumi.StringArrayOutput `pulumi:"readAttributes"`
	// Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in `token_validity_units.refresh_token`.
	RefreshTokenValidity pulumi.IntOutput `pulumi:"refreshTokenValidity"`
	// List of provider names for the identity providers that are supported on this client. It uses the `providerName` attribute of the `cognito.IdentityProvider` resource(s), or the equivalent string(s).
	SupportedIdentityProviders pulumi.StringArrayOutput `pulumi:"supportedIdentityProviders"`
	// Configuration block for representing the validity times in units. See details below. Detailed below.
	TokenValidityUnits ManagedUserPoolClientTokenValidityUnitsPtrOutput `pulumi:"tokenValidityUnits"`
	// User pool that the client belongs to.
	UserPoolId pulumi.StringOutput `pulumi:"userPoolId"`
	// List of user pool attributes that the application client can write to.
	WriteAttributes pulumi.StringArrayOutput `pulumi:"writeAttributes"`
}

// NewManagedUserPoolClient registers a new resource with the given unique name, arguments, and options.
func NewManagedUserPoolClient(ctx *pulumi.Context,
	name string, args *ManagedUserPoolClientArgs, opts ...pulumi.ResourceOption) (*ManagedUserPoolClient, error) {
	if args == nil {
		return nil, errors.New("missing one or more required arguments")
	}

	if args.UserPoolId == nil {
		return nil, errors.New("invalid value for required argument 'UserPoolId'")
	}
	secrets := pulumi.AdditionalSecretOutputs([]string{
		"clientSecret",
	})
	opts = append(opts, secrets)
	opts = internal.PkgResourceDefaultOpts(opts)
	var resource ManagedUserPoolClient
	err := ctx.RegisterResource("aws:cognito/managedUserPoolClient:ManagedUserPoolClient", name, args, &resource, opts...)
	if err != nil {
		return nil, err
	}
	return &resource, nil
}

// GetManagedUserPoolClient gets an existing ManagedUserPoolClient resource's state with the given name, ID, and optional
// state properties that are used to uniquely qualify the lookup (nil if not required).
func GetManagedUserPoolClient(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *ManagedUserPoolClientState, opts ...pulumi.ResourceOption) (*ManagedUserPoolClient, error) {
	var resource ManagedUserPoolClient
	err := ctx.ReadResource("aws:cognito/managedUserPoolClient:ManagedUserPoolClient", name, id, state, &resource, opts...)
	if err != nil {
		return nil, err
	}
	return &resource, nil
}

// Input properties used for looking up and filtering ManagedUserPoolClient resources.
type managedUserPoolClientState struct {
	// Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.access_token`.
	AccessTokenValidity *int `pulumi:"accessTokenValidity"`
	// List of allowed OAuth flows, including code, implicit, and client_credentials.
	AllowedOauthFlows []string `pulumi:"allowedOauthFlows"`
	// Whether the client is allowed to use the OAuth protocol when interacting with Cognito user pools.
	AllowedOauthFlowsUserPoolClient *bool `pulumi:"allowedOauthFlowsUserPoolClient"`
	// List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin.
	AllowedOauthScopes []string `pulumi:"allowedOauthScopes"`
	// Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
	AnalyticsConfiguration *ManagedUserPoolClientAnalyticsConfiguration `pulumi:"analyticsConfiguration"`
	// Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for `authSessionValidity` are between `3` and `15`, with a default value of `3`.
	AuthSessionValidity *int `pulumi:"authSessionValidity"`
	// List of allowed callback URLs for the identity providers.
	CallbackUrls []string `pulumi:"callbackUrls"`
	// Client secret of the user pool client.
	ClientSecret *string `pulumi:"clientSecret"`
	// Default redirect URI and must be included in the list of callback URLs.
	DefaultRedirectUri *string `pulumi:"defaultRedirectUri"`
	// Enables the propagation of additional user context data.
	EnablePropagateAdditionalUserContextData *bool `pulumi:"enablePropagateAdditionalUserContextData"`
	// Enables or disables token revocation.
	EnableTokenRevocation *bool `pulumi:"enableTokenRevocation"`
	// List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
	ExplicitAuthFlows []string `pulumi:"explicitAuthFlows"`
	// Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.id_token`.
	IdTokenValidity *int `pulumi:"idTokenValidity"`
	// List of allowed logout URLs for the identity providers.
	LogoutUrls []string `pulumi:"logoutUrls"`
	// Name of the user pool client.
	Name *string `pulumi:"name"`
	// Regular expression that matches the name of the desired User Pool Client. It must only match one User Pool Client.
	NamePattern *string `pulumi:"namePattern"`
	// String that matches the beginning of the name of the desired User Pool Client. It must match only one User Pool Client.
	//
	// The following arguments are optional:
	NamePrefix *string `pulumi:"namePrefix"`
	// Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
	PreventUserExistenceErrors *string `pulumi:"preventUserExistenceErrors"`
	// List of user pool attributes that the application client can read from.
	ReadAttributes []string `pulumi:"readAttributes"`
	// Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in `token_validity_units.refresh_token`.
	RefreshTokenValidity *int `pulumi:"refreshTokenValidity"`
	// List of provider names for the identity providers that are supported on this client. It uses the `providerName` attribute of the `cognito.IdentityProvider` resource(s), or the equivalent string(s).
	SupportedIdentityProviders []string `pulumi:"supportedIdentityProviders"`
	// Configuration block for representing the validity times in units. See details below. Detailed below.
	TokenValidityUnits *ManagedUserPoolClientTokenValidityUnits `pulumi:"tokenValidityUnits"`
	// User pool that the client belongs to.
	UserPoolId *string `pulumi:"userPoolId"`
	// List of user pool attributes that the application client can write to.
	WriteAttributes []string `pulumi:"writeAttributes"`
}

type ManagedUserPoolClientState struct {
	// Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.access_token`.
	AccessTokenValidity pulumi.IntPtrInput
	// List of allowed OAuth flows, including code, implicit, and client_credentials.
	AllowedOauthFlows pulumi.StringArrayInput
	// Whether the client is allowed to use the OAuth protocol when interacting with Cognito user pools.
	AllowedOauthFlowsUserPoolClient pulumi.BoolPtrInput
	// List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin.
	AllowedOauthScopes pulumi.StringArrayInput
	// Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
	AnalyticsConfiguration ManagedUserPoolClientAnalyticsConfigurationPtrInput
	// Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for `authSessionValidity` are between `3` and `15`, with a default value of `3`.
	AuthSessionValidity pulumi.IntPtrInput
	// List of allowed callback URLs for the identity providers.
	CallbackUrls pulumi.StringArrayInput
	// Client secret of the user pool client.
	ClientSecret pulumi.StringPtrInput
	// Default redirect URI and must be included in the list of callback URLs.
	DefaultRedirectUri pulumi.StringPtrInput
	// Enables the propagation of additional user context data.
	EnablePropagateAdditionalUserContextData pulumi.BoolPtrInput
	// Enables or disables token revocation.
	EnableTokenRevocation pulumi.BoolPtrInput
	// List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
	ExplicitAuthFlows pulumi.StringArrayInput
	// Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.id_token`.
	IdTokenValidity pulumi.IntPtrInput
	// List of allowed logout URLs for the identity providers.
	LogoutUrls pulumi.StringArrayInput
	// Name of the user pool client.
	Name pulumi.StringPtrInput
	// Regular expression that matches the name of the desired User Pool Client. It must only match one User Pool Client.
	NamePattern pulumi.StringPtrInput
	// String that matches the beginning of the name of the desired User Pool Client. It must match only one User Pool Client.
	//
	// The following arguments are optional:
	NamePrefix pulumi.StringPtrInput
	// Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
	PreventUserExistenceErrors pulumi.StringPtrInput
	// List of user pool attributes that the application client can read from.
	ReadAttributes pulumi.StringArrayInput
	// Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in `token_validity_units.refresh_token`.
	RefreshTokenValidity pulumi.IntPtrInput
	// List of provider names for the identity providers that are supported on this client. It uses the `providerName` attribute of the `cognito.IdentityProvider` resource(s), or the equivalent string(s).
	SupportedIdentityProviders pulumi.StringArrayInput
	// Configuration block for representing the validity times in units. See details below. Detailed below.
	TokenValidityUnits ManagedUserPoolClientTokenValidityUnitsPtrInput
	// User pool that the client belongs to.
	UserPoolId pulumi.StringPtrInput
	// List of user pool attributes that the application client can write to.
	WriteAttributes pulumi.StringArrayInput
}

func (ManagedUserPoolClientState) ElementType() reflect.Type {
	return reflect.TypeOf((*managedUserPoolClientState)(nil)).Elem()
}

type managedUserPoolClientArgs struct {
	// Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.access_token`.
	AccessTokenValidity *int `pulumi:"accessTokenValidity"`
	// List of allowed OAuth flows, including code, implicit, and client_credentials.
	AllowedOauthFlows []string `pulumi:"allowedOauthFlows"`
	// Whether the client is allowed to use the OAuth protocol when interacting with Cognito user pools.
	AllowedOauthFlowsUserPoolClient *bool `pulumi:"allowedOauthFlowsUserPoolClient"`
	// List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin.
	AllowedOauthScopes []string `pulumi:"allowedOauthScopes"`
	// Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
	AnalyticsConfiguration *ManagedUserPoolClientAnalyticsConfiguration `pulumi:"analyticsConfiguration"`
	// Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for `authSessionValidity` are between `3` and `15`, with a default value of `3`.
	AuthSessionValidity *int `pulumi:"authSessionValidity"`
	// List of allowed callback URLs for the identity providers.
	CallbackUrls []string `pulumi:"callbackUrls"`
	// Default redirect URI and must be included in the list of callback URLs.
	DefaultRedirectUri *string `pulumi:"defaultRedirectUri"`
	// Enables the propagation of additional user context data.
	EnablePropagateAdditionalUserContextData *bool `pulumi:"enablePropagateAdditionalUserContextData"`
	// Enables or disables token revocation.
	EnableTokenRevocation *bool `pulumi:"enableTokenRevocation"`
	// List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
	ExplicitAuthFlows []string `pulumi:"explicitAuthFlows"`
	// Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.id_token`.
	IdTokenValidity *int `pulumi:"idTokenValidity"`
	// List of allowed logout URLs for the identity providers.
	LogoutUrls []string `pulumi:"logoutUrls"`
	// Regular expression that matches the name of the desired User Pool Client. It must only match one User Pool Client.
	NamePattern *string `pulumi:"namePattern"`
	// String that matches the beginning of the name of the desired User Pool Client. It must match only one User Pool Client.
	//
	// The following arguments are optional:
	NamePrefix *string `pulumi:"namePrefix"`
	// Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
	PreventUserExistenceErrors *string `pulumi:"preventUserExistenceErrors"`
	// List of user pool attributes that the application client can read from.
	ReadAttributes []string `pulumi:"readAttributes"`
	// Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in `token_validity_units.refresh_token`.
	RefreshTokenValidity *int `pulumi:"refreshTokenValidity"`
	// List of provider names for the identity providers that are supported on this client. It uses the `providerName` attribute of the `cognito.IdentityProvider` resource(s), or the equivalent string(s).
	SupportedIdentityProviders []string `pulumi:"supportedIdentityProviders"`
	// Configuration block for representing the validity times in units. See details below. Detailed below.
	TokenValidityUnits *ManagedUserPoolClientTokenValidityUnits `pulumi:"tokenValidityUnits"`
	// User pool that the client belongs to.
	UserPoolId string `pulumi:"userPoolId"`
	// List of user pool attributes that the application client can write to.
	WriteAttributes []string `pulumi:"writeAttributes"`
}

// The set of arguments for constructing a ManagedUserPoolClient resource.
type ManagedUserPoolClientArgs struct {
	// Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.access_token`.
	AccessTokenValidity pulumi.IntPtrInput
	// List of allowed OAuth flows, including code, implicit, and client_credentials.
	AllowedOauthFlows pulumi.StringArrayInput
	// Whether the client is allowed to use the OAuth protocol when interacting with Cognito user pools.
	AllowedOauthFlowsUserPoolClient pulumi.BoolPtrInput
	// List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin.
	AllowedOauthScopes pulumi.StringArrayInput
	// Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
	AnalyticsConfiguration ManagedUserPoolClientAnalyticsConfigurationPtrInput
	// Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for `authSessionValidity` are between `3` and `15`, with a default value of `3`.
	AuthSessionValidity pulumi.IntPtrInput
	// List of allowed callback URLs for the identity providers.
	CallbackUrls pulumi.StringArrayInput
	// Default redirect URI and must be included in the list of callback URLs.
	DefaultRedirectUri pulumi.StringPtrInput
	// Enables the propagation of additional user context data.
	EnablePropagateAdditionalUserContextData pulumi.BoolPtrInput
	// Enables or disables token revocation.
	EnableTokenRevocation pulumi.BoolPtrInput
	// List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
	ExplicitAuthFlows pulumi.StringArrayInput
	// Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.id_token`.
	IdTokenValidity pulumi.IntPtrInput
	// List of allowed logout URLs for the identity providers.
	LogoutUrls pulumi.StringArrayInput
	// Regular expression that matches the name of the desired User Pool Client. It must only match one User Pool Client.
	NamePattern pulumi.StringPtrInput
	// String that matches the beginning of the name of the desired User Pool Client. It must match only one User Pool Client.
	//
	// The following arguments are optional:
	NamePrefix pulumi.StringPtrInput
	// Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
	PreventUserExistenceErrors pulumi.StringPtrInput
	// List of user pool attributes that the application client can read from.
	ReadAttributes pulumi.StringArrayInput
	// Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in `token_validity_units.refresh_token`.
	RefreshTokenValidity pulumi.IntPtrInput
	// List of provider names for the identity providers that are supported on this client. It uses the `providerName` attribute of the `cognito.IdentityProvider` resource(s), or the equivalent string(s).
	SupportedIdentityProviders pulumi.StringArrayInput
	// Configuration block for representing the validity times in units. See details below. Detailed below.
	TokenValidityUnits ManagedUserPoolClientTokenValidityUnitsPtrInput
	// User pool that the client belongs to.
	UserPoolId pulumi.StringInput
	// List of user pool attributes that the application client can write to.
	WriteAttributes pulumi.StringArrayInput
}

func (ManagedUserPoolClientArgs) ElementType() reflect.Type {
	return reflect.TypeOf((*managedUserPoolClientArgs)(nil)).Elem()
}

type ManagedUserPoolClientInput interface {
	pulumi.Input

	ToManagedUserPoolClientOutput() ManagedUserPoolClientOutput
	ToManagedUserPoolClientOutputWithContext(ctx context.Context) ManagedUserPoolClientOutput
}

func (*ManagedUserPoolClient) ElementType() reflect.Type {
	return reflect.TypeOf((**ManagedUserPoolClient)(nil)).Elem()
}

func (i *ManagedUserPoolClient) ToManagedUserPoolClientOutput() ManagedUserPoolClientOutput {
	return i.ToManagedUserPoolClientOutputWithContext(context.Background())
}

func (i *ManagedUserPoolClient) ToManagedUserPoolClientOutputWithContext(ctx context.Context) ManagedUserPoolClientOutput {
	return pulumi.ToOutputWithContext(ctx, i).(ManagedUserPoolClientOutput)
}

// ManagedUserPoolClientArrayInput is an input type that accepts ManagedUserPoolClientArray and ManagedUserPoolClientArrayOutput values.
// You can construct a concrete instance of `ManagedUserPoolClientArrayInput` via:
//
//	ManagedUserPoolClientArray{ ManagedUserPoolClientArgs{...} }
type ManagedUserPoolClientArrayInput interface {
	pulumi.Input

	ToManagedUserPoolClientArrayOutput() ManagedUserPoolClientArrayOutput
	ToManagedUserPoolClientArrayOutputWithContext(context.Context) ManagedUserPoolClientArrayOutput
}

type ManagedUserPoolClientArray []ManagedUserPoolClientInput

func (ManagedUserPoolClientArray) ElementType() reflect.Type {
	return reflect.TypeOf((*[]*ManagedUserPoolClient)(nil)).Elem()
}

func (i ManagedUserPoolClientArray) ToManagedUserPoolClientArrayOutput() ManagedUserPoolClientArrayOutput {
	return i.ToManagedUserPoolClientArrayOutputWithContext(context.Background())
}

func (i ManagedUserPoolClientArray) ToManagedUserPoolClientArrayOutputWithContext(ctx context.Context) ManagedUserPoolClientArrayOutput {
	return pulumi.ToOutputWithContext(ctx, i).(ManagedUserPoolClientArrayOutput)
}

// ManagedUserPoolClientMapInput is an input type that accepts ManagedUserPoolClientMap and ManagedUserPoolClientMapOutput values.
// You can construct a concrete instance of `ManagedUserPoolClientMapInput` via:
//
//	ManagedUserPoolClientMap{ "key": ManagedUserPoolClientArgs{...} }
type ManagedUserPoolClientMapInput interface {
	pulumi.Input

	ToManagedUserPoolClientMapOutput() ManagedUserPoolClientMapOutput
	ToManagedUserPoolClientMapOutputWithContext(context.Context) ManagedUserPoolClientMapOutput
}

type ManagedUserPoolClientMap map[string]ManagedUserPoolClientInput

func (ManagedUserPoolClientMap) ElementType() reflect.Type {
	return reflect.TypeOf((*map[string]*ManagedUserPoolClient)(nil)).Elem()
}

func (i ManagedUserPoolClientMap) ToManagedUserPoolClientMapOutput() ManagedUserPoolClientMapOutput {
	return i.ToManagedUserPoolClientMapOutputWithContext(context.Background())
}

func (i ManagedUserPoolClientMap) ToManagedUserPoolClientMapOutputWithContext(ctx context.Context) ManagedUserPoolClientMapOutput {
	return pulumi.ToOutputWithContext(ctx, i).(ManagedUserPoolClientMapOutput)
}

type ManagedUserPoolClientOutput struct{ *pulumi.OutputState }

func (ManagedUserPoolClientOutput) ElementType() reflect.Type {
	return reflect.TypeOf((**ManagedUserPoolClient)(nil)).Elem()
}

func (o ManagedUserPoolClientOutput) ToManagedUserPoolClientOutput() ManagedUserPoolClientOutput {
	return o
}

func (o ManagedUserPoolClientOutput) ToManagedUserPoolClientOutputWithContext(ctx context.Context) ManagedUserPoolClientOutput {
	return o
}

// Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.access_token`.
func (o ManagedUserPoolClientOutput) AccessTokenValidity() pulumi.IntOutput {
	return o.ApplyT(func(v *ManagedUserPoolClient) pulumi.IntOutput { return v.AccessTokenValidity }).(pulumi.IntOutput)
}

// List of allowed OAuth flows, including code, implicit, and client_credentials.
func (o ManagedUserPoolClientOutput) AllowedOauthFlows() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *ManagedUserPoolClient) pulumi.StringArrayOutput { return v.AllowedOauthFlows }).(pulumi.StringArrayOutput)
}

// Whether the client is allowed to use the OAuth protocol when interacting with Cognito user pools.
func (o ManagedUserPoolClientOutput) AllowedOauthFlowsUserPoolClient() pulumi.BoolOutput {
	return o.ApplyT(func(v *ManagedUserPoolClient) pulumi.BoolOutput { return v.AllowedOauthFlowsUserPoolClient }).(pulumi.BoolOutput)
}

// List of allowed OAuth scopes, including phone, email, openid, profile, and aws.cognito.signin.user.admin.
func (o ManagedUserPoolClientOutput) AllowedOauthScopes() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *ManagedUserPoolClient) pulumi.StringArrayOutput { return v.AllowedOauthScopes }).(pulumi.StringArrayOutput)
}

// Configuration block for Amazon Pinpoint analytics that collects metrics for this user pool. See details below.
func (o ManagedUserPoolClientOutput) AnalyticsConfiguration() ManagedUserPoolClientAnalyticsConfigurationPtrOutput {
	return o.ApplyT(func(v *ManagedUserPoolClient) ManagedUserPoolClientAnalyticsConfigurationPtrOutput {
		return v.AnalyticsConfiguration
	}).(ManagedUserPoolClientAnalyticsConfigurationPtrOutput)
}

// Duration, in minutes, of the session token created by Amazon Cognito for each API request in an authentication flow. The session token must be responded to by the native user of the user pool before it expires. Valid values for `authSessionValidity` are between `3` and `15`, with a default value of `3`.
func (o ManagedUserPoolClientOutput) AuthSessionValidity() pulumi.IntOutput {
	return o.ApplyT(func(v *ManagedUserPoolClient) pulumi.IntOutput { return v.AuthSessionValidity }).(pulumi.IntOutput)
}

// List of allowed callback URLs for the identity providers.
func (o ManagedUserPoolClientOutput) CallbackUrls() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *ManagedUserPoolClient) pulumi.StringArrayOutput { return v.CallbackUrls }).(pulumi.StringArrayOutput)
}

// Client secret of the user pool client.
func (o ManagedUserPoolClientOutput) ClientSecret() pulumi.StringOutput {
	return o.ApplyT(func(v *ManagedUserPoolClient) pulumi.StringOutput { return v.ClientSecret }).(pulumi.StringOutput)
}

// Default redirect URI and must be included in the list of callback URLs.
func (o ManagedUserPoolClientOutput) DefaultRedirectUri() pulumi.StringOutput {
	return o.ApplyT(func(v *ManagedUserPoolClient) pulumi.StringOutput { return v.DefaultRedirectUri }).(pulumi.StringOutput)
}

// Enables the propagation of additional user context data.
func (o ManagedUserPoolClientOutput) EnablePropagateAdditionalUserContextData() pulumi.BoolOutput {
	return o.ApplyT(func(v *ManagedUserPoolClient) pulumi.BoolOutput { return v.EnablePropagateAdditionalUserContextData }).(pulumi.BoolOutput)
}

// Enables or disables token revocation.
func (o ManagedUserPoolClientOutput) EnableTokenRevocation() pulumi.BoolOutput {
	return o.ApplyT(func(v *ManagedUserPoolClient) pulumi.BoolOutput { return v.EnableTokenRevocation }).(pulumi.BoolOutput)
}

// List of authentication flows. The available options include ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_REFRESH_TOKEN_AUTH.
func (o ManagedUserPoolClientOutput) ExplicitAuthFlows() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *ManagedUserPoolClient) pulumi.StringArrayOutput { return v.ExplicitAuthFlows }).(pulumi.StringArrayOutput)
}

// Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. By default, the unit is hours. The unit can be overridden by a value in `token_validity_units.id_token`.
func (o ManagedUserPoolClientOutput) IdTokenValidity() pulumi.IntOutput {
	return o.ApplyT(func(v *ManagedUserPoolClient) pulumi.IntOutput { return v.IdTokenValidity }).(pulumi.IntOutput)
}

// List of allowed logout URLs for the identity providers.
func (o ManagedUserPoolClientOutput) LogoutUrls() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *ManagedUserPoolClient) pulumi.StringArrayOutput { return v.LogoutUrls }).(pulumi.StringArrayOutput)
}

// Name of the user pool client.
func (o ManagedUserPoolClientOutput) Name() pulumi.StringOutput {
	return o.ApplyT(func(v *ManagedUserPoolClient) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput)
}

// Regular expression that matches the name of the desired User Pool Client. It must only match one User Pool Client.
func (o ManagedUserPoolClientOutput) NamePattern() pulumi.StringPtrOutput {
	return o.ApplyT(func(v *ManagedUserPoolClient) pulumi.StringPtrOutput { return v.NamePattern }).(pulumi.StringPtrOutput)
}

// String that matches the beginning of the name of the desired User Pool Client. It must match only one User Pool Client.
//
// The following arguments are optional:
func (o ManagedUserPoolClientOutput) NamePrefix() pulumi.StringPtrOutput {
	return o.ApplyT(func(v *ManagedUserPoolClient) pulumi.StringPtrOutput { return v.NamePrefix }).(pulumi.StringPtrOutput)
}

// Setting determines the errors and responses returned by Cognito APIs when a user does not exist in the user pool during authentication, account confirmation, and password recovery.
func (o ManagedUserPoolClientOutput) PreventUserExistenceErrors() pulumi.StringOutput {
	return o.ApplyT(func(v *ManagedUserPoolClient) pulumi.StringOutput { return v.PreventUserExistenceErrors }).(pulumi.StringOutput)
}

// List of user pool attributes that the application client can read from.
func (o ManagedUserPoolClientOutput) ReadAttributes() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *ManagedUserPoolClient) pulumi.StringArrayOutput { return v.ReadAttributes }).(pulumi.StringArrayOutput)
}

// Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used. By default, the unit is days. The unit can be overridden by a value in `token_validity_units.refresh_token`.
func (o ManagedUserPoolClientOutput) RefreshTokenValidity() pulumi.IntOutput {
	return o.ApplyT(func(v *ManagedUserPoolClient) pulumi.IntOutput { return v.RefreshTokenValidity }).(pulumi.IntOutput)
}

// List of provider names for the identity providers that are supported on this client. It uses the `providerName` attribute of the `cognito.IdentityProvider` resource(s), or the equivalent string(s).
func (o ManagedUserPoolClientOutput) SupportedIdentityProviders() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *ManagedUserPoolClient) pulumi.StringArrayOutput { return v.SupportedIdentityProviders }).(pulumi.StringArrayOutput)
}

// Configuration block for representing the validity times in units. See details below. Detailed below.
func (o ManagedUserPoolClientOutput) TokenValidityUnits() ManagedUserPoolClientTokenValidityUnitsPtrOutput {
	return o.ApplyT(func(v *ManagedUserPoolClient) ManagedUserPoolClientTokenValidityUnitsPtrOutput {
		return v.TokenValidityUnits
	}).(ManagedUserPoolClientTokenValidityUnitsPtrOutput)
}

// User pool that the client belongs to.
func (o ManagedUserPoolClientOutput) UserPoolId() pulumi.StringOutput {
	return o.ApplyT(func(v *ManagedUserPoolClient) pulumi.StringOutput { return v.UserPoolId }).(pulumi.StringOutput)
}

// List of user pool attributes that the application client can write to.
func (o ManagedUserPoolClientOutput) WriteAttributes() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *ManagedUserPoolClient) pulumi.StringArrayOutput { return v.WriteAttributes }).(pulumi.StringArrayOutput)
}

type ManagedUserPoolClientArrayOutput struct{ *pulumi.OutputState }

func (ManagedUserPoolClientArrayOutput) ElementType() reflect.Type {
	return reflect.TypeOf((*[]*ManagedUserPoolClient)(nil)).Elem()
}

func (o ManagedUserPoolClientArrayOutput) ToManagedUserPoolClientArrayOutput() ManagedUserPoolClientArrayOutput {
	return o
}

func (o ManagedUserPoolClientArrayOutput) ToManagedUserPoolClientArrayOutputWithContext(ctx context.Context) ManagedUserPoolClientArrayOutput {
	return o
}

func (o ManagedUserPoolClientArrayOutput) Index(i pulumi.IntInput) ManagedUserPoolClientOutput {
	return pulumi.All(o, i).ApplyT(func(vs []interface{}) *ManagedUserPoolClient {
		return vs[0].([]*ManagedUserPoolClient)[vs[1].(int)]
	}).(ManagedUserPoolClientOutput)
}

type ManagedUserPoolClientMapOutput struct{ *pulumi.OutputState }

func (ManagedUserPoolClientMapOutput) ElementType() reflect.Type {
	return reflect.TypeOf((*map[string]*ManagedUserPoolClient)(nil)).Elem()
}

func (o ManagedUserPoolClientMapOutput) ToManagedUserPoolClientMapOutput() ManagedUserPoolClientMapOutput {
	return o
}

func (o ManagedUserPoolClientMapOutput) ToManagedUserPoolClientMapOutputWithContext(ctx context.Context) ManagedUserPoolClientMapOutput {
	return o
}

func (o ManagedUserPoolClientMapOutput) MapIndex(k pulumi.StringInput) ManagedUserPoolClientOutput {
	return pulumi.All(o, k).ApplyT(func(vs []interface{}) *ManagedUserPoolClient {
		return vs[0].(map[string]*ManagedUserPoolClient)[vs[1].(string)]
	}).(ManagedUserPoolClientOutput)
}

func init() {
	pulumi.RegisterInputType(reflect.TypeOf((*ManagedUserPoolClientInput)(nil)).Elem(), &ManagedUserPoolClient{})
	pulumi.RegisterInputType(reflect.TypeOf((*ManagedUserPoolClientArrayInput)(nil)).Elem(), ManagedUserPoolClientArray{})
	pulumi.RegisterInputType(reflect.TypeOf((*ManagedUserPoolClientMapInput)(nil)).Elem(), ManagedUserPoolClientMap{})
	pulumi.RegisterOutputType(ManagedUserPoolClientOutput{})
	pulumi.RegisterOutputType(ManagedUserPoolClientArrayOutput{})
	pulumi.RegisterOutputType(ManagedUserPoolClientMapOutput{})
}