@aws/nx-plugin 0.46.0 → 0.47.0

package/src/utils/api-constructs/files/terraform/app/apis/http/__apiNameKebabCase__/__apiNameKebabCase__.tf.template

@@ -258,6 +258,16 @@ resource "aws_apigatewayv2_route" "proxy_routes" {
   depends_on = [aws_apigatewayv2_integration.lambda_integration<% if (auth === 'Cognito') { %>, aws_apigatewayv2_authorizer.cognito_authorizer<% } %>]
 }
 
+# Add API url to runtime config
+module "add_url_to_runtime_config" {
+  source = "../../../core/runtime-config/entry"
+
+  key_path = "apis.<%- apiNameClassName %>"
+  value    = module.http_api.stage_invoke_url
+
+  depends_on = [module.http_api]
+}
+
 # Lambda permission for API Gateway to invoke the function
 resource "aws_lambda_permission" "api_gateway_invoke" {
   statement_id  = "AllowExecutionFromAPIGateway"

package/src/utils/api-constructs/files/terraform/app/apis/rest/__apiNameKebabCase__/__apiNameKebabCase__.tf.template

@@ -385,6 +385,16 @@ resource "aws_lambda_permission" "api_gateway_invoke" {
   depends_on = [module.rest_api, aws_lambda_function.api_lambda]
 }
 
+# Add API url to runtime config
+module "add_url_to_runtime_config" {
+  source = "../../../core/runtime-config/entry"
+
+  key_path = "apis.<%- apiNameClassName %>"
+  value    = aws_api_gateway_stage.api_stage.invoke_url
+
+  depends_on = [aws_api_gateway_stage.api_stage]
+}
+
 # Outputs
 
 # API Gateway Outputs (from core module)

package/src/utils/files/terraform/src/core/runtime-config/entry/entry.tf.template

@@ -0,0 +1,119 @@
+terraform {
+  required_providers {
+    local = {
+      source  = "hashicorp/local"
+      version = "~> 2.0"
+    }
+  }
+}
+
+# Variables
+variable "key_path" {
+  description = "Dot-separated path for the configuration key (e.g., 'apis.FooApi', 'cognito.userPoolId')"
+  type        = string
+}
+
+variable "value" {
+  description = "Value to set at the key path"
+  type        = any
+}
+
+locals {
+  config_file_path = "${path.module}/../../../../../../../dist/packages/common/terraform/runtime-config.json"
+}
+
+# This module writes an entry to runtime-config.json which is provided to any static websites
+# as a way to pass deploy-time values to the UI such as API urls
+
+data "external" "updated_config" {
+  program = ["uv", "run", "python", "-c", <<-EOT
+import json
+import sys
+import os
+import time
+import fcntl
+from pathlib import Path
+
+# Read input from Terraform
+input_data = json.load(sys.stdin)
+config_file = input_data['config_file']
+key_path = input_data['key_path']
+value = json.loads(input_data['value'])
+
+# Create lock file path
+lock_file = config_file + '.lock'
+
+# Ensure directory exists
+Path(config_file).parent.mkdir(parents=True, exist_ok=True)
+
+# Acquire exclusive lock with retry mechanism
+max_retries = 30
+retry_delay = 1.0
+
+for attempt in range(max_retries):
+    try:
+        # Open lock file for exclusive access
+        with open(lock_file, 'w') as lock_fd:
+            # Try to acquire exclusive lock (non-blocking)
+            fcntl.flock(lock_fd.fileno(), fcntl.LOCK_EX | fcntl.LOCK_NB)
+
+            # Critical section - file operations under lock
+            try:
+                # Create empty base config if file doesn't exist
+                if not os.path.exists(config_file):
+                    base_config = {}
+                    with open(config_file, 'w') as f:
+                        json.dump(base_config, f, indent=2)
+
+                # Read current config
+                with open(config_file, 'r') as f:
+                    config = json.load(f)
+
+                # Set the nested key using dot notation
+                keys = key_path.split('.')
+                current = config
+                for key in keys[:-1]:
+                    if key not in current:
+                        current[key] = {}
+                    current = current[key]
+                current[keys[-1]] = value
+
+                # Write updated config back to file atomically
+                temp_file = config_file + '.tmp'
+                with open(temp_file, 'w') as f:
+                    json.dump(config, f, indent=2)
+                os.rename(temp_file, config_file)
+
+                # Output the updated config for Terraform
+                print(json.dumps({"updated_json": json.dumps(config)}))
+
+                # Success - break out of retry loop
+                break
+
+            finally:
+                # Lock is automatically released when file is closed
+                pass
+
+    except (IOError, OSError) as e:
+        if attempt < max_retries - 1:
+            # Wait before retrying
+            time.sleep(retry_delay)
+            continue
+        else:
+            # Final attempt failed
+            raise Exception(f"Failed to acquire lock after {max_retries} attempts: {e}")
+
+# Clean up lock file if it exists
+try:
+    os.remove(lock_file)
+except OSError:
+    pass
+EOT
+  ]
+
+  query = {
+    config_file = local.config_file_path
+    key_path    = var.key_path
+    value       = jsonencode(var.value)
+  }
+}

package/src/utils/files/terraform/src/core/runtime-config/read/read.tf.template

@@ -0,0 +1,28 @@
+terraform {
+  required_providers {
+    local = {
+      source  = "hashicorp/local"
+      version = "~> 2.0"
+    }
+  }
+}
+
+locals {
+  config_file_path = "${path.module}/../../../../../../../dist/packages/common/terraform/runtime-config.json"
+}
+
+# Read the runtime config file - will fail gracefully if file doesn't exist
+data "local_file" "runtime_config" {
+  filename = local.config_file_path
+}
+
+# Outputs
+output "config" {
+  description = "Runtime configuration object"
+  value       = jsondecode(data.local_file.runtime_config.content)
+}
+
+output "config_json" {
+  description = "Runtime configuration as JSON string"
+  value       = data.local_file.runtime_config.content
+}

package/src/{py/lambda-function/files/common/constructs/src/app/lambda-functions/__constructFunctionKebabCase__.ts.template → utils/function-constructs/files/cdk/app/lambda-functions/__functionNameKebabCase__.ts.template}

@@ -3,15 +3,15 @@ import * as url from 'url';
 import { Code, Function, Runtime, Tracing } from 'aws-cdk-lib/aws-lambda';
 import { Duration } from 'aws-cdk-lib';
 
-export class <%= constructFunctionClassName %> extends Function {
+export class <%= functionNameClassName %> extends Function {
   constructor(scope: Construct, id: string) {
     super(scope, id, {
         timeout: Duration.seconds(30),
-        runtime: Runtime.PYTHON_3_12,
-        handler: '<%= constructHandlerFilePath %>',
+        runtime: <%= runtime %>,
+        handler: '<%= handler %>',
         code: Code.fromAsset(url.fileURLToPath(
           new URL(
-            '../../../../../../dist/<%= dir %>/bundle',
+            '../../../../../../<%- bundlePathFromRoot %>',
             import.meta.url
           )
         )),
@@ -21,4 +21,4 @@ export class <%= constructFunctionClassName %> extends Function {
         },
     });
   }
-}
+}

package/src/utils/function-constructs/files/terraform/app/lambda-functions/__functionNameKebabCase__/__functionNameKebabCase__.tf.template

@@ -0,0 +1,150 @@
+variable "tags" {
+  description = "Tags to apply to resources"
+  type        = map(string)
+  default     = {}
+}
+
+variable "env" {
+  description = "Additional environment variables for the Lambda function"
+  type        = map(string)
+  default     = {}
+}
+
+variable "additional_iam_policy_statements" {
+  description = "Additional IAM policy statements to attach to the Lambda role"
+  type = list(object({
+    Effect   = string
+    Action   = list(string)
+    Resource = list(string)
+  }))
+  default = []
+}
+
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
+locals {
+  aws_account_id = data.aws_caller_identity.current.account_id
+  aws_region     = data.aws_region.current.name
+}
+
+resource "random_string" "suffix" {
+  length  = 8
+  special = false
+  upper   = false
+}
+
+resource "aws_iam_role" "lambda_role" {
+  name = "<%- functionNameKebabCase %>-role-${random_string.suffix.result}"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "LambdaAssumeRolePolicy"
+        Effect = "Allow"
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+        Action = "sts:AssumeRole"
+      }
+    ]
+  })
+
+  tags = var.tags
+}
+
+resource "aws_iam_policy" "lambda_policy" {
+  name        = "<%- functionNameKebabCase %>-policy-${random_string.suffix.result}"
+  description = "Policy for <%- functionNameKebabCase %> Lambda function"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = concat([
+      {
+        Sid    = "CloudWatchLogsAccess"
+        Effect = "Allow"
+        Action = [
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ]
+        Resource = [
+          "arn:aws:logs:${local.aws_region}:${local.aws_account_id}:log-group:/aws/lambda/<%- functionNameKebabCase %>-${random_string.suffix.result}:*"
+        ]
+      },
+      {
+        Sid    = "XRayAccess"
+        Effect = "Allow"
+        Action = [
+          "xray:PutTraceSegments",
+          "xray:PutTelemetryRecords"
+        ]
+        Resource = ["*"]
+      }
+    ], var.additional_iam_policy_statements)
+  })
+
+  tags = var.tags
+}
+
+# Attach the policy to the role
+resource "aws_iam_role_policy_attachment" "lambda_policy_attachment" {
+  role       = aws_iam_role.lambda_role.name
+  policy_arn = aws_iam_policy.lambda_policy.arn
+}
+
+data "archive_file" "lambda_zip" {
+  type        = "zip"
+  source_dir  = "${path.module}/../../../../../../../<%- bundlePathFromRoot %>"
+  output_path = "${path.module}/../../../../../../../dist/packages/common/terraform/lambda-functions/<%- functionNameKebabCase %>/lambda.zip"
+}
+
+resource "aws_lambda_function" "lambda_function" {
+  #checkov:skip=CKV_AWS_117:Lambda function does not need to be in VPC for this use case
+  #checkov:skip=CKV_AWS_116:Dead Letter Queue not required for this simple use case
+  #checkov:skip=CKV_AWS_272:Code signing not required for this use case
+  #checkov:skip=CKV_AWS_115:Concurrent execution limit not required for this use case
+  #checkov:skip=CKV_AWS_173:Lambda environment variables encrypted by managed key
+  filename         = data.archive_file.lambda_zip.output_path
+  function_name    = "<%- functionNameKebabCase %>-${random_string.suffix.result}"
+  role            = aws_iam_role.lambda_role.arn
+  handler         = "<%- handler %>"
+  source_code_hash = data.archive_file.lambda_zip.output_base64sha256
+  runtime         = "<%- runtime %>"
+  timeout         = 30
+
+  tracing_config {
+    mode = "Active"
+  }
+
+  environment {
+    variables = merge({
+      AWS_CONNECTION_REUSE_ENABLED = "1"
+    }, var.env)
+  }
+
+  tags = var.tags
+
+  depends_on = [aws_iam_role_policy_attachment.lambda_policy_attachment]
+}
+
+output "function_name" {
+  description = "Name of the Lambda function"
+  value       = aws_lambda_function.lambda_function.function_name
+}
+
+output "function_arn" {
+  description = "ARN of the Lambda function"
+  value       = aws_lambda_function.lambda_function.arn
+}
+
+output "role_arn" {
+  description = "ARN of the Lambda execution role"
+  value       = aws_iam_role.lambda_role.arn
+}
+
+output "role_name" {
+  description = "Name of the Lambda execution role"
+  value       = aws_iam_role.lambda_role.name
+}

package/src/utils/function-constructs/function-constructs.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { Tree } from '@nx/devkit';
+export interface AddLambdaFunctionConstructOptions {
+    functionProjectName: string;
+    functionNameClassName: string;
+    functionNameKebabCase: string;
+    bundlePathFromRoot: string;
+    handler: string;
+    runtime: 'node' | 'python';
+}
+/**
+ * Add infrastructure for a lambda function
+ */
+export declare const addLambdaFunctionInfra: (tree: Tree, options: AddLambdaFunctionConstructOptions & {
+    iacProvider: "CDK" | "Terraform";
+}) => void;

package/src/utils/function-constructs/function-constructs.js

@@ -0,0 +1,57 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.addLambdaFunctionInfra = void 0;
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+const devkit_1 = require("@nx/devkit");
+const shared_constructs_constants_1 = require("../shared-constructs-constants");
+const ast_1 = require("../ast");
+/**
+ * Add infrastructure for a lambda function
+ */
+const addLambdaFunctionInfra = (tree, options) => {
+    if (options.iacProvider === 'CDK') {
+        addLambdaFunctionCdkConstructs(tree, options);
+    }
+    else if (options.iacProvider === 'Terraform') {
+        addLambdaFunctionTerraformModules(tree, options);
+    }
+    else {
+        throw new Error(`Unsupported iacProvider ${options.iacProvider}`);
+    }
+    (0, devkit_1.updateJson)(tree, (0, devkit_1.joinPathFragments)(shared_constructs_constants_1.PACKAGES_DIR, options.iacProvider === 'CDK'
+        ? shared_constructs_constants_1.SHARED_CONSTRUCTS_DIR
+        : shared_constructs_constants_1.SHARED_TERRAFORM_DIR, 'project.json'), (config) => {
+        var _a;
+        if (!config.targets) {
+            config.targets = {};
+        }
+        if (!config.targets.build) {
+            config.targets.build = {};
+        }
+        config.targets.build.dependsOn = [
+            ...((_a = config.targets.build.dependsOn) !== null && _a !== void 0 ? _a : []),
+            `${options.functionProjectName}:build`,
+        ];
+        return config;
+    });
+};
+exports.addLambdaFunctionInfra = addLambdaFunctionInfra;
+const addLambdaFunctionCdkConstructs = (tree, options) => {
+    // Generate app specific CDK construct
+    (0, devkit_1.generateFiles)(tree, (0, devkit_1.joinPathFragments)(__dirname, 'files', 'cdk', 'app', 'lambda-functions'), (0, devkit_1.joinPathFragments)(shared_constructs_constants_1.PACKAGES_DIR, shared_constructs_constants_1.SHARED_CONSTRUCTS_DIR, 'src', 'app', 'lambda-functions'), Object.assign(Object.assign({}, options), { runtime: `Runtime.${options.runtime === 'python' ? 'PYTHON_3_12' : 'NODEJS_LATEST'}` }), {
+        overwriteStrategy: devkit_1.OverwriteStrategy.KeepExisting,
+    });
+    // Export app specific CDK construct
+    (0, ast_1.addStarExport)(tree, (0, devkit_1.joinPathFragments)(shared_constructs_constants_1.PACKAGES_DIR, shared_constructs_constants_1.SHARED_CONSTRUCTS_DIR, 'src', 'app', 'lambda-functions', 'index.ts'), `./${options.functionNameKebabCase}.js`);
+    (0, ast_1.addStarExport)(tree, (0, devkit_1.joinPathFragments)(shared_constructs_constants_1.PACKAGES_DIR, shared_constructs_constants_1.SHARED_CONSTRUCTS_DIR, 'src', 'app', 'index.ts'), './lambda-functions/index.js');
+};
+const addLambdaFunctionTerraformModules = (tree, options) => {
+    // Generate app specific terraform module
+    (0, devkit_1.generateFiles)(tree, (0, devkit_1.joinPathFragments)(__dirname, 'files', 'terraform', 'app', 'lambda-functions'), (0, devkit_1.joinPathFragments)(shared_constructs_constants_1.PACKAGES_DIR, shared_constructs_constants_1.SHARED_TERRAFORM_DIR, 'src', 'app', 'lambda-functions'), Object.assign(Object.assign({}, options), { runtime: options.runtime === 'python' ? 'python3.12' : 'nodejs22.x' }), {
+        overwriteStrategy: devkit_1.OverwriteStrategy.KeepExisting,
+    });
+};
+//# sourceMappingURL=function-constructs.js.map

package/src/utils/function-constructs/function-constructs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"function-constructs.js","sourceRoot":"","sources":["../../../../../../packages/nx-plugin/src/utils/function-constructs/function-constructs.ts"],"names":[],"mappings":";;;AAAA;;;GAGG;AACH,uCAOoB;AACpB,gFAIwC;AACxC,gCAAuC;AAWvC;;GAEG;AACI,MAAM,sBAAsB,GAAG,CACpC,IAAU,EACV,OAEC,EACD,EAAE;IACF,IAAI,OAAO,CAAC,WAAW,KAAK,KAAK,EAAE,CAAC;QAClC,8BAA8B,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAChD,CAAC;SAAM,IAAI,OAAO,CAAC,WAAW,KAAK,WAAW,EAAE,CAAC;QAC/C,iCAAiC,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACnD,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,2BAA2B,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;IACpE,CAAC;IAED,IAAA,mBAAU,EACR,IAAI,EACJ,IAAA,0BAAiB,EACf,0CAAY,EACZ,OAAO,CAAC,WAAW,KAAK,KAAK;QAC3B,CAAC,CAAC,mDAAqB;QACvB,CAAC,CAAC,kDAAoB,EACxB,cAAc,CACf,EACD,CAAC,MAA4B,EAAE,EAAE;;QAC/B,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,MAAM,CAAC,OAAO,GAAG,EAAE,CAAC;QACtB,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;YAC1B,MAAM,CAAC,OAAO,CAAC,KAAK,GAAG,EAAE,CAAC;QAC5B,CAAC;QACD,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,GAAG;YAC/B,GAAG,CAAC,MAAA,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,mCAAI,EAAE,CAAC;YACzC,GAAG,OAAO,CAAC,mBAAmB,QAAQ;SACvC,CAAC;QACF,OAAO,MAAM,CAAC;IAChB,CAAC,CACF,CAAC;AACJ,CAAC,CAAC;AArCW,QAAA,sBAAsB,0BAqCjC;AAEF,MAAM,8BAA8B,GAAG,CACrC,IAAU,EACV,OAA0C,EAC1C,EAAE;IACF,sCAAsC;IACtC,IAAA,sBAAa,EACX,IAAI,EACJ,IAAA,0BAAiB,EAAC,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,kBAAkB,CAAC,EACvE,IAAA,0BAAiB,EACf,0CAAY,EACZ,mDAAqB,EACrB,KAAK,EACL,KAAK,EACL,kBAAkB,CACnB,kCAEI,OAAO,KACV,OAAO,EAAE,WAAW,OAAO,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,eAAe,EAAE,KAEtF;QACE,iBAAiB,EAAE,0BAAiB,CAAC,YAAY;KAClD,CACF,CAAC;IAEF,oCAAoC;IACpC,IAAA,mBAAa,EACX,IAAI,EACJ,IAAA,0BAAiB,EACf,0CAAY,EACZ,mDAAqB,EACrB,KAAK,EACL,KAAK,EACL,kBAAkB,EAClB,UAAU,CACX,EACD,KAAK,OAAO,CAAC,qBAAqB,KAAK,CACxC,CAAC;IACF,IAAA,mBAAa,EACX,IAAI,EACJ,IAAA,0BAAiB,EACf,0CAAY,EACZ,mDAAqB,EACrB,KAAK,EACL,KAAK,EACL,UAAU,CACX,EACD,6BAA6B,CAC9B,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,iCAAiC,GAAG,CACxC,IAAU,EACV,OAA0C,EAC1C,EAAE;IACF,yCAAyC;IACzC,IAAA,sBAAa,EACX,IAAI,EACJ,IAAA,0BAAiB,EACf,SAAS,EACT,OAAO,EACP,WAAW,EACX,KAAK,EACL,kBAAkB,CACnB,EACD,IAAA,0BAAiB,EACf,0CAAY,EACZ,kDAAoB,EACpB,KAAK,EACL,KAAK,EACL,kBAAkB,CACnB,kCAEI,OAAO,KACV,OAAO,EAAE,OAAO,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,YAAY,KAErE;QACE,iBAAiB,EAAE,0BAAiB,CAAC,YAAY;KAClD,CACF,CAAC;AACJ,CAAC,CAAC"}

package/src/utils/identity-constructs/files/terraform/core/user-identity/add-callback-url/add-callback-url.tf.template

@@ -0,0 +1,123 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+# Variables
+variable "callback_url" {
+  description = "Callback URL to add (e.g., https://d123456789.cloudfront.net)"
+  type        = string
+}
+
+# Read runtime config to get user pool client details
+module "runtime_config_reader" {
+  source = "../../runtime-config/read"
+}
+
+# Extract cognito details from runtime config
+locals {
+  cognito_props = try(module.runtime_config_reader.config.cognitoProps, null)
+
+  user_pool_id        = local.cognito_props != null ? local.cognito_props.userPoolId : null
+  user_pool_client_id = local.cognito_props != null ? local.cognito_props.userPoolWebClientId : null
+}
+
+# Validation: Ensure cognito props exist in runtime config
+resource "terraform_data" "validate_cognito_props" {
+  lifecycle {
+    precondition {
+      condition     = local.cognito_props != null
+      error_message = "ERROR: cognitoProps not found in runtime config. Ensure user-identity module has been deployed first and has added cognitoProps to the runtime configuration."
+    }
+
+    precondition {
+      condition     = local.user_pool_id != null && local.user_pool_id != ""
+      error_message = "ERROR: cognitoProps.userPoolId is missing or empty in runtime config. Check that user-identity module completed successfully."
+    }
+
+    precondition {
+      condition     = local.user_pool_client_id != null && local.user_pool_client_id != ""
+      error_message = "ERROR: cognitoProps.userPoolWebClientId is missing or empty in runtime config. Check that user-identity module completed successfully."
+    }
+  }
+}
+
+
+# Update the user pool client with additional callback URL
+resource "null_resource" "add_callback_url" {
+  triggers = {
+    callback_url        = var.callback_url
+    user_pool_id        = local.user_pool_id
+    user_pool_client_id = local.user_pool_client_id
+  }
+
+  provisioner "local-exec" {
+    command = <<-EOT
+      uv run --with boto3 python -c "
+import boto3
+import sys
+
+# Configuration
+user_pool_id = '${local.user_pool_id}'
+client_id = '${local.user_pool_client_id}'
+new_callback_url = '${var.callback_url}'
+
+# Initialize Cognito client
+cognito = boto3.client('cognito-idp')
+
+try:
+    # Get current user pool client configuration
+    response = cognito.describe_user_pool_client(
+        UserPoolId=user_pool_id,
+        ClientId=client_id
+    )
+
+    client_config = response['UserPoolClient']
+    current_callback_urls = client_config.get('CallbackURLs', [])
+    current_logout_urls = client_config.get('LogoutURLs', [])
+
+    # Check if URL already exists
+    if new_callback_url in current_callback_urls:
+        print(f'Callback URL {new_callback_url} already exists')
+    else:
+        # Add new URL to both callback and logout URLs
+        updated_callback_urls = current_callback_urls + [new_callback_url]
+        updated_logout_urls = current_logout_urls + [new_callback_url]
+
+        # Update the user pool client
+        # Only include valid update parameters (exclude read-only fields and ones we're setting)
+        valid_update_params = [
+            'ClientName', 'RefreshTokenValidity', 'AccessTokenValidity', 'IdTokenValidity',
+            'TokenValidityUnits', 'ReadAttributes', 'WriteAttributes', 'ExplicitAuthFlows',
+            'SupportedIdentityProviders', 'DefaultRedirectURI', 'AllowedOAuthFlows',
+            'AllowedOAuthScopes', 'AllowedOAuthFlowsUserPoolClient', 'AnalyticsConfiguration',
+            'PreventUserExistenceErrors', 'EnableTokenRevocation',
+            'EnablePropagateAdditionalUserContextData', 'AuthSessionValidity', 'RefreshTokenRotation'
+        ]
+
+        update_config = {k: v for k, v in client_config.items() if k in valid_update_params}
+
+        cognito.update_user_pool_client(
+            UserPoolId=user_pool_id,
+            ClientId=client_id,
+            CallbackURLs=updated_callback_urls,
+            LogoutURLs=updated_logout_urls,
+            **update_config
+        )
+
+        print(f'Successfully added callback URL: {new_callback_url}')
+
+except Exception as e:
+    print(f'Error updating callback URLs: {e}')
+    sys.exit(1)
+"
+    EOT
+  }
+
+  depends_on = [terraform_data.validate_cognito_props]
+}
+