github.com/pulumi/pulumi-aws/sdk/v6@v6.32.0/go/aws/cognito/userPoolClient.go

// Code generated by the Pulumi Terraform Bridge (tfgen) Tool DO NOT EDIT.
// *** WARNING: Do not edit by hand unless you're certain you know what you are doing! ***

package cognito

import (
	"context"
	"reflect"

	"errors"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/internal"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// Provides a Cognito User Pool Client resource.
//
// To manage a User Pool Client created by another service, such as when [configuring an OpenSearch Domain to use Cognito authentication](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/cognito-auth.html),
// use the `cognito.ManagedUserPoolClient` resource instead.
//
// ## Example Usage
//
// ### Create a basic user pool client
//
// <!--Start PulumiCodeChooser -->
// ```go
// package main
//
// import (
//
//	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cognito"
//	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
//
// )
//
//	func main() {
//		pulumi.Run(func(ctx *pulumi.Context) error {
//			pool, err := cognito.NewUserPool(ctx, "pool", &cognito.UserPoolArgs{
//				Name: pulumi.String("pool"),
//			})
//			if err != nil {
//				return err
//			}
//			_, err = cognito.NewUserPoolClient(ctx, "client", &cognito.UserPoolClientArgs{
//				Name:       pulumi.String("client"),
//				UserPoolId: pool.ID(),
//			})
//			if err != nil {
//				return err
//			}
//			return nil
//		})
//	}
//
// ```
// <!--End PulumiCodeChooser -->
//
// ### Create a user pool client with no SRP authentication
//
// <!--Start PulumiCodeChooser -->
// ```go
// package main
//
// import (
//
//	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cognito"
//	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
//
// )
//
//	func main() {
//		pulumi.Run(func(ctx *pulumi.Context) error {
//			pool, err := cognito.NewUserPool(ctx, "pool", &cognito.UserPoolArgs{
//				Name: pulumi.String("pool"),
//			})
//			if err != nil {
//				return err
//			}
//			_, err = cognito.NewUserPoolClient(ctx, "client", &cognito.UserPoolClientArgs{
//				Name:           pulumi.String("client"),
//				UserPoolId:     pool.ID(),
//				GenerateSecret: pulumi.Bool(true),
//				ExplicitAuthFlows: pulumi.StringArray{
//					pulumi.String("ADMIN_NO_SRP_AUTH"),
//				},
//			})
//			if err != nil {
//				return err
//			}
//			return nil
//		})
//	}
//
// ```
// <!--End PulumiCodeChooser -->
//
// ### Create a user pool client with pinpoint analytics
//
// <!--Start PulumiCodeChooser -->
// ```go
// package main
//
// import (
//
//	"fmt"
//
//	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
//	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cognito"
//	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
//	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/pinpoint"
//	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
//
// )
//
//	func main() {
//		pulumi.Run(func(ctx *pulumi.Context) error {
//			testUserPool, err := cognito.NewUserPool(ctx, "test", &cognito.UserPoolArgs{
//				Name: pulumi.String("pool"),
//			})
//			if err != nil {
//				return err
//			}
//			testApp, err := pinpoint.NewApp(ctx, "test", &pinpoint.AppArgs{
//				Name: pulumi.String("pinpoint"),
//			})
//			if err != nil {
//				return err
//			}
//			assumeRole, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
//				Statements: []iam.GetPolicyDocumentStatement{
//					{
//						Effect: pulumi.StringRef("Allow"),
//						Principals: []iam.GetPolicyDocumentStatementPrincipal{
//							{
//								Type: "Service",
//								Identifiers: []string{
//									"cognito-idp.amazonaws.com",
//								},
//							},
//						},
//						Actions: []string{
//							"sts:AssumeRole",
//						},
//					},
//				},
//			}, nil)
//			if err != nil {
//				return err
//			}
//			testRole, err := iam.NewRole(ctx, "test", &iam.RoleArgs{
//				Name:             pulumi.String("role"),
//				AssumeRolePolicy: pulumi.String(assumeRole.Json),
//			})
//			if err != nil {
//				return err
//			}
//			_, err = cognito.NewUserPoolClient(ctx, "test", &cognito.UserPoolClientArgs{
//				Name:       pulumi.String("pool_client"),
//				UserPoolId: testUserPool.ID(),
//				AnalyticsConfiguration: &cognito.UserPoolClientAnalyticsConfigurationArgs{
//					ApplicationId:  testApp.ApplicationId,
//					ExternalId:     pulumi.String("some_id"),
//					RoleArn:        testRole.Arn,
//					UserDataShared: pulumi.Bool(true),
//				},
//			})
//			if err != nil {
//				return err
//			}
//			current, err := aws.GetCallerIdentity(ctx, nil, nil)
//			if err != nil {
//				return err
//			}
//			test := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
//				Statements: iam.GetPolicyDocumentStatementArray{
//					&iam.GetPolicyDocumentStatementArgs{
//						Effect: pulumi.String("Allow"),
//						Actions: pulumi.StringArray{
//							pulumi.String("mobiletargeting:UpdateEndpoint"),
//							pulumi.String("mobiletargeting:PutEvents"),
//						},
//						Resources: pulumi.StringArray{
//							testApp.ApplicationId.ApplyT(func(applicationId string) (string, error) {
//								return fmt.Sprintf("arn:aws:mobiletargeting:*:%v:apps/%v*", current.AccountId, applicationId), nil
//							}).(pulumi.StringOutput),
//						},
//					},
//				},
//			}, nil)
//			_, err = iam.NewRolePolicy(ctx, "test", &iam.RolePolicyArgs{
//				Name: pulumi.String("role_policy"),
//				Role: testRole.ID(),
//				Policy: test.ApplyT(func(test iam.GetPolicyDocumentResult) (*string, error) {
//					return &test.Json, nil
//				}).(pulumi.StringPtrOutput),
//			})
//			if err != nil {
//				return err
//			}
//			return nil
//		})
//	}
//
// ```
// <!--End PulumiCodeChooser -->
//
// ### Create a user pool client with Cognito as the identity provider
//
// <!--Start PulumiCodeChooser -->
// ```go
// package main
//
// import (
//
//	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cognito"
//	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
//
// )
//
//	func main() {
//		pulumi.Run(func(ctx *pulumi.Context) error {
//			pool, err := cognito.NewUserPool(ctx, "pool", &cognito.UserPoolArgs{
//				Name: pulumi.String("pool"),
//			})
//			if err != nil {
//				return err
//			}
//			_, err = cognito.NewUserPoolClient(ctx, "userpool_client", &cognito.UserPoolClientArgs{
//				Name:       pulumi.String("client"),
//				UserPoolId: pool.ID(),
//				CallbackUrls: pulumi.StringArray{
//					pulumi.String("https://example.com"),
//				},
//				AllowedOauthFlowsUserPoolClient: pulumi.Bool(true),
//				AllowedOauthFlows: pulumi.StringArray{
//					pulumi.String("code"),
//					pulumi.String("implicit"),
//				},
//				AllowedOauthScopes: pulumi.StringArray{
//					pulumi.String("email"),
//					pulumi.String("openid"),
//				},
//				SupportedIdentityProviders: pulumi.StringArray{
//					pulumi.String("COGNITO"),
//				},
//			})
//			if err != nil {
//				return err
//			}
//			return nil
//		})
//	}
//
// ```
// <!--End PulumiCodeChooser -->
//
// ## Import
//
// Using `pulumi import`, import Cognito User Pool Clients using the `id` of the Cognito User Pool, and the `id` of the Cognito User Pool Client. For example:
//
// ```sh
// $ pulumi import aws:cognito/userPoolClient:UserPoolClient client us-west-2_abc123/3ho4ek12345678909nh3fmhpko
// ```
type UserPoolClient struct {
	pulumi.CustomResourceState

	// Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used.
	// By default, the unit is hours.
	// The unit can be overridden by a value in `token_validity_units.access_token`.
	AccessTokenValidity pulumi.IntOutput `pulumi:"accessTokenValidity"`
	// List of allowed OAuth flows (code, implicit, client_credentials).
	AllowedOauthFlows pulumi.StringArrayOutput `pulumi:"allowedOauthFlows"`
	// Whether the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
	AllowedOauthFlowsUserPoolClient pulumi.BoolOutput `pulumi:"allowedOauthFlowsUserPoolClient"`
	// List of allowed OAuth scopes (phone, email, openid, profile, and aws.cognito.signin.user.admin).
	AllowedOauthScopes pulumi.StringArrayOutput `pulumi:"allowedOauthScopes"`
	// Configuration block for Amazon Pinpoint analytics for collecting metrics for this user pool. Detailed below.
	AnalyticsConfiguration UserPoolClientAnalyticsConfigurationPtrOutput `pulumi:"analyticsConfiguration"`
	// Amazon Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires. Valid values between `3` and `15`. Default value is `3`.
	AuthSessionValidity pulumi.IntOutput `pulumi:"authSessionValidity"`
	// List of allowed callback URLs for the identity providers.
	CallbackUrls pulumi.StringArrayOutput `pulumi:"callbackUrls"`
	// Client secret of the user pool client.
	ClientSecret pulumi.StringOutput `pulumi:"clientSecret"`
	// Default redirect URI. Must be in the list of callback URLs.
	DefaultRedirectUri pulumi.StringOutput `pulumi:"defaultRedirectUri"`
	// Activates the propagation of additional user context data.
	EnablePropagateAdditionalUserContextData pulumi.BoolOutput `pulumi:"enablePropagateAdditionalUserContextData"`
	// Enables or disables token revocation.
	EnableTokenRevocation pulumi.BoolOutput `pulumi:"enableTokenRevocation"`
	// List of authentication flows (ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH).
	ExplicitAuthFlows pulumi.StringArrayOutput `pulumi:"explicitAuthFlows"`
	// Should an application secret be generated.
	GenerateSecret pulumi.BoolPtrOutput `pulumi:"generateSecret"`
	// Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used.
	// By default, the unit is hours.
	// The unit can be overridden by a value in `token_validity_units.id_token`.
	IdTokenValidity pulumi.IntOutput `pulumi:"idTokenValidity"`
	// List of allowed logout URLs for the identity providers.
	LogoutUrls pulumi.StringArrayOutput `pulumi:"logoutUrls"`
	// Name of the application client.
	Name pulumi.StringOutput `pulumi:"name"`
	// Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to `ENABLED` and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to `LEGACY`, those APIs will return a `UserNotFoundException` exception if the user does not exist in the user pool.
	PreventUserExistenceErrors pulumi.StringOutput `pulumi:"preventUserExistenceErrors"`
	// List of user pool attributes the application client can read from.
	ReadAttributes pulumi.StringArrayOutput `pulumi:"readAttributes"`
	// Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used.
	// By default, the unit is days.
	// The unit can be overridden by a value in `token_validity_units.refresh_token`.
	RefreshTokenValidity pulumi.IntOutput `pulumi:"refreshTokenValidity"`
	// List of provider names for the identity providers that are supported on this client. Uses the `providerName` attribute of `cognito.IdentityProvider` resource(s), or the equivalent string(s).
	SupportedIdentityProviders pulumi.StringArrayOutput `pulumi:"supportedIdentityProviders"`
	// Configuration block for units in which the validity times are represented in. Detailed below.
	TokenValidityUnits UserPoolClientTokenValidityUnitsPtrOutput `pulumi:"tokenValidityUnits"`
	// User pool the client belongs to.
	//
	// The following arguments are optional:
	UserPoolId pulumi.StringOutput `pulumi:"userPoolId"`
	// List of user pool attributes the application client can write to.
	WriteAttributes pulumi.StringArrayOutput `pulumi:"writeAttributes"`
}

// NewUserPoolClient registers a new resource with the given unique name, arguments, and options.
func NewUserPoolClient(ctx *pulumi.Context,
	name string, args *UserPoolClientArgs, opts ...pulumi.ResourceOption) (*UserPoolClient, error) {
	if args == nil {
		return nil, errors.New("missing one or more required arguments")
	}

	if args.UserPoolId == nil {
		return nil, errors.New("invalid value for required argument 'UserPoolId'")
	}
	secrets := pulumi.AdditionalSecretOutputs([]string{
		"clientSecret",
	})
	opts = append(opts, secrets)
	opts = internal.PkgResourceDefaultOpts(opts)
	var resource UserPoolClient
	err := ctx.RegisterResource("aws:cognito/userPoolClient:UserPoolClient", name, args, &resource, opts...)
	if err != nil {
		return nil, err
	}
	return &resource, nil
}

// GetUserPoolClient gets an existing UserPoolClient resource's state with the given name, ID, and optional
// state properties that are used to uniquely qualify the lookup (nil if not required).
func GetUserPoolClient(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *UserPoolClientState, opts ...pulumi.ResourceOption) (*UserPoolClient, error) {
	var resource UserPoolClient
	err := ctx.ReadResource("aws:cognito/userPoolClient:UserPoolClient", name, id, state, &resource, opts...)
	if err != nil {
		return nil, err
	}
	return &resource, nil
}

// Input properties used for looking up and filtering UserPoolClient resources.
type userPoolClientState struct {
	// Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used.
	// By default, the unit is hours.
	// The unit can be overridden by a value in `token_validity_units.access_token`.
	AccessTokenValidity *int `pulumi:"accessTokenValidity"`
	// List of allowed OAuth flows (code, implicit, client_credentials).
	AllowedOauthFlows []string `pulumi:"allowedOauthFlows"`
	// Whether the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
	AllowedOauthFlowsUserPoolClient *bool `pulumi:"allowedOauthFlowsUserPoolClient"`
	// List of allowed OAuth scopes (phone, email, openid, profile, and aws.cognito.signin.user.admin).
	AllowedOauthScopes []string `pulumi:"allowedOauthScopes"`
	// Configuration block for Amazon Pinpoint analytics for collecting metrics for this user pool. Detailed below.
	AnalyticsConfiguration *UserPoolClientAnalyticsConfiguration `pulumi:"analyticsConfiguration"`
	// Amazon Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires. Valid values between `3` and `15`. Default value is `3`.
	AuthSessionValidity *int `pulumi:"authSessionValidity"`
	// List of allowed callback URLs for the identity providers.
	CallbackUrls []string `pulumi:"callbackUrls"`
	// Client secret of the user pool client.
	ClientSecret *string `pulumi:"clientSecret"`
	// Default redirect URI. Must be in the list of callback URLs.
	DefaultRedirectUri *string `pulumi:"defaultRedirectUri"`
	// Activates the propagation of additional user context data.
	EnablePropagateAdditionalUserContextData *bool `pulumi:"enablePropagateAdditionalUserContextData"`
	// Enables or disables token revocation.
	EnableTokenRevocation *bool `pulumi:"enableTokenRevocation"`
	// List of authentication flows (ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH).
	ExplicitAuthFlows []string `pulumi:"explicitAuthFlows"`
	// Should an application secret be generated.
	GenerateSecret *bool `pulumi:"generateSecret"`
	// Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used.
	// By default, the unit is hours.
	// The unit can be overridden by a value in `token_validity_units.id_token`.
	IdTokenValidity *int `pulumi:"idTokenValidity"`
	// List of allowed logout URLs for the identity providers.
	LogoutUrls []string `pulumi:"logoutUrls"`
	// Name of the application client.
	Name *string `pulumi:"name"`
	// Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to `ENABLED` and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to `LEGACY`, those APIs will return a `UserNotFoundException` exception if the user does not exist in the user pool.
	PreventUserExistenceErrors *string `pulumi:"preventUserExistenceErrors"`
	// List of user pool attributes the application client can read from.
	ReadAttributes []string `pulumi:"readAttributes"`
	// Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used.
	// By default, the unit is days.
	// The unit can be overridden by a value in `token_validity_units.refresh_token`.
	RefreshTokenValidity *int `pulumi:"refreshTokenValidity"`
	// List of provider names for the identity providers that are supported on this client. Uses the `providerName` attribute of `cognito.IdentityProvider` resource(s), or the equivalent string(s).
	SupportedIdentityProviders []string `pulumi:"supportedIdentityProviders"`
	// Configuration block for units in which the validity times are represented in. Detailed below.
	TokenValidityUnits *UserPoolClientTokenValidityUnits `pulumi:"tokenValidityUnits"`
	// User pool the client belongs to.
	//
	// The following arguments are optional:
	UserPoolId *string `pulumi:"userPoolId"`
	// List of user pool attributes the application client can write to.
	WriteAttributes []string `pulumi:"writeAttributes"`
}

type UserPoolClientState struct {
	// Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used.
	// By default, the unit is hours.
	// The unit can be overridden by a value in `token_validity_units.access_token`.
	AccessTokenValidity pulumi.IntPtrInput
	// List of allowed OAuth flows (code, implicit, client_credentials).
	AllowedOauthFlows pulumi.StringArrayInput
	// Whether the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
	AllowedOauthFlowsUserPoolClient pulumi.BoolPtrInput
	// List of allowed OAuth scopes (phone, email, openid, profile, and aws.cognito.signin.user.admin).
	AllowedOauthScopes pulumi.StringArrayInput
	// Configuration block for Amazon Pinpoint analytics for collecting metrics for this user pool. Detailed below.
	AnalyticsConfiguration UserPoolClientAnalyticsConfigurationPtrInput
	// Amazon Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires. Valid values between `3` and `15`. Default value is `3`.
	AuthSessionValidity pulumi.IntPtrInput
	// List of allowed callback URLs for the identity providers.
	CallbackUrls pulumi.StringArrayInput
	// Client secret of the user pool client.
	ClientSecret pulumi.StringPtrInput
	// Default redirect URI. Must be in the list of callback URLs.
	DefaultRedirectUri pulumi.StringPtrInput
	// Activates the propagation of additional user context data.
	EnablePropagateAdditionalUserContextData pulumi.BoolPtrInput
	// Enables or disables token revocation.
	EnableTokenRevocation pulumi.BoolPtrInput
	// List of authentication flows (ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH).
	ExplicitAuthFlows pulumi.StringArrayInput
	// Should an application secret be generated.
	GenerateSecret pulumi.BoolPtrInput
	// Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used.
	// By default, the unit is hours.
	// The unit can be overridden by a value in `token_validity_units.id_token`.
	IdTokenValidity pulumi.IntPtrInput
	// List of allowed logout URLs for the identity providers.
	LogoutUrls pulumi.StringArrayInput
	// Name of the application client.
	Name pulumi.StringPtrInput
	// Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to `ENABLED` and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to `LEGACY`, those APIs will return a `UserNotFoundException` exception if the user does not exist in the user pool.
	PreventUserExistenceErrors pulumi.StringPtrInput
	// List of user pool attributes the application client can read from.
	ReadAttributes pulumi.StringArrayInput
	// Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used.
	// By default, the unit is days.
	// The unit can be overridden by a value in `token_validity_units.refresh_token`.
	RefreshTokenValidity pulumi.IntPtrInput
	// List of provider names for the identity providers that are supported on this client. Uses the `providerName` attribute of `cognito.IdentityProvider` resource(s), or the equivalent string(s).
	SupportedIdentityProviders pulumi.StringArrayInput
	// Configuration block for units in which the validity times are represented in. Detailed below.
	TokenValidityUnits UserPoolClientTokenValidityUnitsPtrInput
	// User pool the client belongs to.
	//
	// The following arguments are optional:
	UserPoolId pulumi.StringPtrInput
	// List of user pool attributes the application client can write to.
	WriteAttributes pulumi.StringArrayInput
}

func (UserPoolClientState) ElementType() reflect.Type {
	return reflect.TypeOf((*userPoolClientState)(nil)).Elem()
}

type userPoolClientArgs struct {
	// Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used.
	// By default, the unit is hours.
	// The unit can be overridden by a value in `token_validity_units.access_token`.
	AccessTokenValidity *int `pulumi:"accessTokenValidity"`
	// List of allowed OAuth flows (code, implicit, client_credentials).
	AllowedOauthFlows []string `pulumi:"allowedOauthFlows"`
	// Whether the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
	AllowedOauthFlowsUserPoolClient *bool `pulumi:"allowedOauthFlowsUserPoolClient"`
	// List of allowed OAuth scopes (phone, email, openid, profile, and aws.cognito.signin.user.admin).
	AllowedOauthScopes []string `pulumi:"allowedOauthScopes"`
	// Configuration block for Amazon Pinpoint analytics for collecting metrics for this user pool. Detailed below.
	AnalyticsConfiguration *UserPoolClientAnalyticsConfiguration `pulumi:"analyticsConfiguration"`
	// Amazon Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires. Valid values between `3` and `15`. Default value is `3`.
	AuthSessionValidity *int `pulumi:"authSessionValidity"`
	// List of allowed callback URLs for the identity providers.
	CallbackUrls []string `pulumi:"callbackUrls"`
	// Default redirect URI. Must be in the list of callback URLs.
	DefaultRedirectUri *string `pulumi:"defaultRedirectUri"`
	// Activates the propagation of additional user context data.
	EnablePropagateAdditionalUserContextData *bool `pulumi:"enablePropagateAdditionalUserContextData"`
	// Enables or disables token revocation.
	EnableTokenRevocation *bool `pulumi:"enableTokenRevocation"`
	// List of authentication flows (ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH).
	ExplicitAuthFlows []string `pulumi:"explicitAuthFlows"`
	// Should an application secret be generated.
	GenerateSecret *bool `pulumi:"generateSecret"`
	// Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used.
	// By default, the unit is hours.
	// The unit can be overridden by a value in `token_validity_units.id_token`.
	IdTokenValidity *int `pulumi:"idTokenValidity"`
	// List of allowed logout URLs for the identity providers.
	LogoutUrls []string `pulumi:"logoutUrls"`
	// Name of the application client.
	Name *string `pulumi:"name"`
	// Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to `ENABLED` and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to `LEGACY`, those APIs will return a `UserNotFoundException` exception if the user does not exist in the user pool.
	PreventUserExistenceErrors *string `pulumi:"preventUserExistenceErrors"`
	// List of user pool attributes the application client can read from.
	ReadAttributes []string `pulumi:"readAttributes"`
	// Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used.
	// By default, the unit is days.
	// The unit can be overridden by a value in `token_validity_units.refresh_token`.
	RefreshTokenValidity *int `pulumi:"refreshTokenValidity"`
	// List of provider names for the identity providers that are supported on this client. Uses the `providerName` attribute of `cognito.IdentityProvider` resource(s), or the equivalent string(s).
	SupportedIdentityProviders []string `pulumi:"supportedIdentityProviders"`
	// Configuration block for units in which the validity times are represented in. Detailed below.
	TokenValidityUnits *UserPoolClientTokenValidityUnits `pulumi:"tokenValidityUnits"`
	// User pool the client belongs to.
	//
	// The following arguments are optional:
	UserPoolId string `pulumi:"userPoolId"`
	// List of user pool attributes the application client can write to.
	WriteAttributes []string `pulumi:"writeAttributes"`
}

// The set of arguments for constructing a UserPoolClient resource.
type UserPoolClientArgs struct {
	// Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used.
	// By default, the unit is hours.
	// The unit can be overridden by a value in `token_validity_units.access_token`.
	AccessTokenValidity pulumi.IntPtrInput
	// List of allowed OAuth flows (code, implicit, client_credentials).
	AllowedOauthFlows pulumi.StringArrayInput
	// Whether the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
	AllowedOauthFlowsUserPoolClient pulumi.BoolPtrInput
	// List of allowed OAuth scopes (phone, email, openid, profile, and aws.cognito.signin.user.admin).
	AllowedOauthScopes pulumi.StringArrayInput
	// Configuration block for Amazon Pinpoint analytics for collecting metrics for this user pool. Detailed below.
	AnalyticsConfiguration UserPoolClientAnalyticsConfigurationPtrInput
	// Amazon Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires. Valid values between `3` and `15`. Default value is `3`.
	AuthSessionValidity pulumi.IntPtrInput
	// List of allowed callback URLs for the identity providers.
	CallbackUrls pulumi.StringArrayInput
	// Default redirect URI. Must be in the list of callback URLs.
	DefaultRedirectUri pulumi.StringPtrInput
	// Activates the propagation of additional user context data.
	EnablePropagateAdditionalUserContextData pulumi.BoolPtrInput
	// Enables or disables token revocation.
	EnableTokenRevocation pulumi.BoolPtrInput
	// List of authentication flows (ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH).
	ExplicitAuthFlows pulumi.StringArrayInput
	// Should an application secret be generated.
	GenerateSecret pulumi.BoolPtrInput
	// Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used.
	// By default, the unit is hours.
	// The unit can be overridden by a value in `token_validity_units.id_token`.
	IdTokenValidity pulumi.IntPtrInput
	// List of allowed logout URLs for the identity providers.
	LogoutUrls pulumi.StringArrayInput
	// Name of the application client.
	Name pulumi.StringPtrInput
	// Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to `ENABLED` and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to `LEGACY`, those APIs will return a `UserNotFoundException` exception if the user does not exist in the user pool.
	PreventUserExistenceErrors pulumi.StringPtrInput
	// List of user pool attributes the application client can read from.
	ReadAttributes pulumi.StringArrayInput
	// Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used.
	// By default, the unit is days.
	// The unit can be overridden by a value in `token_validity_units.refresh_token`.
	RefreshTokenValidity pulumi.IntPtrInput
	// List of provider names for the identity providers that are supported on this client. Uses the `providerName` attribute of `cognito.IdentityProvider` resource(s), or the equivalent string(s).
	SupportedIdentityProviders pulumi.StringArrayInput
	// Configuration block for units in which the validity times are represented in. Detailed below.
	TokenValidityUnits UserPoolClientTokenValidityUnitsPtrInput
	// User pool the client belongs to.
	//
	// The following arguments are optional:
	UserPoolId pulumi.StringInput
	// List of user pool attributes the application client can write to.
	WriteAttributes pulumi.StringArrayInput
}

func (UserPoolClientArgs) ElementType() reflect.Type {
	return reflect.TypeOf((*userPoolClientArgs)(nil)).Elem()
}

type UserPoolClientInput interface {
	pulumi.Input

	ToUserPoolClientOutput() UserPoolClientOutput
	ToUserPoolClientOutputWithContext(ctx context.Context) UserPoolClientOutput
}

func (*UserPoolClient) ElementType() reflect.Type {
	return reflect.TypeOf((**UserPoolClient)(nil)).Elem()
}

func (i *UserPoolClient) ToUserPoolClientOutput() UserPoolClientOutput {
	return i.ToUserPoolClientOutputWithContext(context.Background())
}

func (i *UserPoolClient) ToUserPoolClientOutputWithContext(ctx context.Context) UserPoolClientOutput {
	return pulumi.ToOutputWithContext(ctx, i).(UserPoolClientOutput)
}

// UserPoolClientArrayInput is an input type that accepts UserPoolClientArray and UserPoolClientArrayOutput values.
// You can construct a concrete instance of `UserPoolClientArrayInput` via:
//
//	UserPoolClientArray{ UserPoolClientArgs{...} }
type UserPoolClientArrayInput interface {
	pulumi.Input

	ToUserPoolClientArrayOutput() UserPoolClientArrayOutput
	ToUserPoolClientArrayOutputWithContext(context.Context) UserPoolClientArrayOutput
}

type UserPoolClientArray []UserPoolClientInput

func (UserPoolClientArray) ElementType() reflect.Type {
	return reflect.TypeOf((*[]*UserPoolClient)(nil)).Elem()
}

func (i UserPoolClientArray) ToUserPoolClientArrayOutput() UserPoolClientArrayOutput {
	return i.ToUserPoolClientArrayOutputWithContext(context.Background())
}

func (i UserPoolClientArray) ToUserPoolClientArrayOutputWithContext(ctx context.Context) UserPoolClientArrayOutput {
	return pulumi.ToOutputWithContext(ctx, i).(UserPoolClientArrayOutput)
}

// UserPoolClientMapInput is an input type that accepts UserPoolClientMap and UserPoolClientMapOutput values.
// You can construct a concrete instance of `UserPoolClientMapInput` via:
//
//	UserPoolClientMap{ "key": UserPoolClientArgs{...} }
type UserPoolClientMapInput interface {
	pulumi.Input

	ToUserPoolClientMapOutput() UserPoolClientMapOutput
	ToUserPoolClientMapOutputWithContext(context.Context) UserPoolClientMapOutput
}

type UserPoolClientMap map[string]UserPoolClientInput

func (UserPoolClientMap) ElementType() reflect.Type {
	return reflect.TypeOf((*map[string]*UserPoolClient)(nil)).Elem()
}

func (i UserPoolClientMap) ToUserPoolClientMapOutput() UserPoolClientMapOutput {
	return i.ToUserPoolClientMapOutputWithContext(context.Background())
}

func (i UserPoolClientMap) ToUserPoolClientMapOutputWithContext(ctx context.Context) UserPoolClientMapOutput {
	return pulumi.ToOutputWithContext(ctx, i).(UserPoolClientMapOutput)
}

type UserPoolClientOutput struct{ *pulumi.OutputState }

func (UserPoolClientOutput) ElementType() reflect.Type {
	return reflect.TypeOf((**UserPoolClient)(nil)).Elem()
}

func (o UserPoolClientOutput) ToUserPoolClientOutput() UserPoolClientOutput {
	return o
}

func (o UserPoolClientOutput) ToUserPoolClientOutputWithContext(ctx context.Context) UserPoolClientOutput {
	return o
}

// Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used.
// By default, the unit is hours.
// The unit can be overridden by a value in `token_validity_units.access_token`.
func (o UserPoolClientOutput) AccessTokenValidity() pulumi.IntOutput {
	return o.ApplyT(func(v *UserPoolClient) pulumi.IntOutput { return v.AccessTokenValidity }).(pulumi.IntOutput)
}

// List of allowed OAuth flows (code, implicit, client_credentials).
func (o UserPoolClientOutput) AllowedOauthFlows() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *UserPoolClient) pulumi.StringArrayOutput { return v.AllowedOauthFlows }).(pulumi.StringArrayOutput)
}

// Whether the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
func (o UserPoolClientOutput) AllowedOauthFlowsUserPoolClient() pulumi.BoolOutput {
	return o.ApplyT(func(v *UserPoolClient) pulumi.BoolOutput { return v.AllowedOauthFlowsUserPoolClient }).(pulumi.BoolOutput)
}

// List of allowed OAuth scopes (phone, email, openid, profile, and aws.cognito.signin.user.admin).
func (o UserPoolClientOutput) AllowedOauthScopes() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *UserPoolClient) pulumi.StringArrayOutput { return v.AllowedOauthScopes }).(pulumi.StringArrayOutput)
}

// Configuration block for Amazon Pinpoint analytics for collecting metrics for this user pool. Detailed below.
func (o UserPoolClientOutput) AnalyticsConfiguration() UserPoolClientAnalyticsConfigurationPtrOutput {
	return o.ApplyT(func(v *UserPoolClient) UserPoolClientAnalyticsConfigurationPtrOutput { return v.AnalyticsConfiguration }).(UserPoolClientAnalyticsConfigurationPtrOutput)
}

// Amazon Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires. Valid values between `3` and `15`. Default value is `3`.
func (o UserPoolClientOutput) AuthSessionValidity() pulumi.IntOutput {
	return o.ApplyT(func(v *UserPoolClient) pulumi.IntOutput { return v.AuthSessionValidity }).(pulumi.IntOutput)
}

// List of allowed callback URLs for the identity providers.
func (o UserPoolClientOutput) CallbackUrls() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *UserPoolClient) pulumi.StringArrayOutput { return v.CallbackUrls }).(pulumi.StringArrayOutput)
}

// Client secret of the user pool client.
func (o UserPoolClientOutput) ClientSecret() pulumi.StringOutput {
	return o.ApplyT(func(v *UserPoolClient) pulumi.StringOutput { return v.ClientSecret }).(pulumi.StringOutput)
}

// Default redirect URI. Must be in the list of callback URLs.
func (o UserPoolClientOutput) DefaultRedirectUri() pulumi.StringOutput {
	return o.ApplyT(func(v *UserPoolClient) pulumi.StringOutput { return v.DefaultRedirectUri }).(pulumi.StringOutput)
}

// Activates the propagation of additional user context data.
func (o UserPoolClientOutput) EnablePropagateAdditionalUserContextData() pulumi.BoolOutput {
	return o.ApplyT(func(v *UserPoolClient) pulumi.BoolOutput { return v.EnablePropagateAdditionalUserContextData }).(pulumi.BoolOutput)
}

// Enables or disables token revocation.
func (o UserPoolClientOutput) EnableTokenRevocation() pulumi.BoolOutput {
	return o.ApplyT(func(v *UserPoolClient) pulumi.BoolOutput { return v.EnableTokenRevocation }).(pulumi.BoolOutput)
}

// List of authentication flows (ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH).
func (o UserPoolClientOutput) ExplicitAuthFlows() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *UserPoolClient) pulumi.StringArrayOutput { return v.ExplicitAuthFlows }).(pulumi.StringArrayOutput)
}

// Should an application secret be generated.
func (o UserPoolClientOutput) GenerateSecret() pulumi.BoolPtrOutput {
	return o.ApplyT(func(v *UserPoolClient) pulumi.BoolPtrOutput { return v.GenerateSecret }).(pulumi.BoolPtrOutput)
}

// Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used.
// By default, the unit is hours.
// The unit can be overridden by a value in `token_validity_units.id_token`.
func (o UserPoolClientOutput) IdTokenValidity() pulumi.IntOutput {
	return o.ApplyT(func(v *UserPoolClient) pulumi.IntOutput { return v.IdTokenValidity }).(pulumi.IntOutput)
}

// List of allowed logout URLs for the identity providers.
func (o UserPoolClientOutput) LogoutUrls() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *UserPoolClient) pulumi.StringArrayOutput { return v.LogoutUrls }).(pulumi.StringArrayOutput)
}

// Name of the application client.
func (o UserPoolClientOutput) Name() pulumi.StringOutput {
	return o.ApplyT(func(v *UserPoolClient) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput)
}

// Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to `ENABLED` and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to `LEGACY`, those APIs will return a `UserNotFoundException` exception if the user does not exist in the user pool.
func (o UserPoolClientOutput) PreventUserExistenceErrors() pulumi.StringOutput {
	return o.ApplyT(func(v *UserPoolClient) pulumi.StringOutput { return v.PreventUserExistenceErrors }).(pulumi.StringOutput)
}

// List of user pool attributes the application client can read from.
func (o UserPoolClientOutput) ReadAttributes() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *UserPoolClient) pulumi.StringArrayOutput { return v.ReadAttributes }).(pulumi.StringArrayOutput)
}

// Time limit, between 60 minutes and 10 years, after which the refresh token is no longer valid and cannot be used.
// By default, the unit is days.
// The unit can be overridden by a value in `token_validity_units.refresh_token`.
func (o UserPoolClientOutput) RefreshTokenValidity() pulumi.IntOutput {
	return o.ApplyT(func(v *UserPoolClient) pulumi.IntOutput { return v.RefreshTokenValidity }).(pulumi.IntOutput)
}

// List of provider names for the identity providers that are supported on this client. Uses the `providerName` attribute of `cognito.IdentityProvider` resource(s), or the equivalent string(s).
func (o UserPoolClientOutput) SupportedIdentityProviders() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *UserPoolClient) pulumi.StringArrayOutput { return v.SupportedIdentityProviders }).(pulumi.StringArrayOutput)
}

// Configuration block for units in which the validity times are represented in. Detailed below.
func (o UserPoolClientOutput) TokenValidityUnits() UserPoolClientTokenValidityUnitsPtrOutput {
	return o.ApplyT(func(v *UserPoolClient) UserPoolClientTokenValidityUnitsPtrOutput { return v.TokenValidityUnits }).(UserPoolClientTokenValidityUnitsPtrOutput)
}

// User pool the client belongs to.
//
// The following arguments are optional:
func (o UserPoolClientOutput) UserPoolId() pulumi.StringOutput {
	return o.ApplyT(func(v *UserPoolClient) pulumi.StringOutput { return v.UserPoolId }).(pulumi.StringOutput)
}

// List of user pool attributes the application client can write to.
func (o UserPoolClientOutput) WriteAttributes() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *UserPoolClient) pulumi.StringArrayOutput { return v.WriteAttributes }).(pulumi.StringArrayOutput)
}

type UserPoolClientArrayOutput struct{ *pulumi.OutputState }

func (UserPoolClientArrayOutput) ElementType() reflect.Type {
	return reflect.TypeOf((*[]*UserPoolClient)(nil)).Elem()
}

func (o UserPoolClientArrayOutput) ToUserPoolClientArrayOutput() UserPoolClientArrayOutput {
	return o
}

func (o UserPoolClientArrayOutput) ToUserPoolClientArrayOutputWithContext(ctx context.Context) UserPoolClientArrayOutput {
	return o
}

func (o UserPoolClientArrayOutput) Index(i pulumi.IntInput) UserPoolClientOutput {
	return pulumi.All(o, i).ApplyT(func(vs []interface{}) *UserPoolClient {
		return vs[0].([]*UserPoolClient)[vs[1].(int)]
	}).(UserPoolClientOutput)
}

type UserPoolClientMapOutput struct{ *pulumi.OutputState }

func (UserPoolClientMapOutput) ElementType() reflect.Type {
	return reflect.TypeOf((*map[string]*UserPoolClient)(nil)).Elem()
}

func (o UserPoolClientMapOutput) ToUserPoolClientMapOutput() UserPoolClientMapOutput {
	return o
}

func (o UserPoolClientMapOutput) ToUserPoolClientMapOutputWithContext(ctx context.Context) UserPoolClientMapOutput {
	return o
}

func (o UserPoolClientMapOutput) MapIndex(k pulumi.StringInput) UserPoolClientOutput {
	return pulumi.All(o, k).ApplyT(func(vs []interface{}) *UserPoolClient {
		return vs[0].(map[string]*UserPoolClient)[vs[1].(string)]
	}).(UserPoolClientOutput)
}

func init() {
	pulumi.RegisterInputType(reflect.TypeOf((*UserPoolClientInput)(nil)).Elem(), &UserPoolClient{})
	pulumi.RegisterInputType(reflect.TypeOf((*UserPoolClientArrayInput)(nil)).Elem(), UserPoolClientArray{})
	pulumi.RegisterInputType(reflect.TypeOf((*UserPoolClientMapInput)(nil)).Elem(), UserPoolClientMap{})
	pulumi.RegisterOutputType(UserPoolClientOutput{})
	pulumi.RegisterOutputType(UserPoolClientArrayOutput{})
	pulumi.RegisterOutputType(UserPoolClientMapOutput{})
}