PyPI - aws-cdk-lib - Versions diffs - 2.164.1__py3-none-any.whl → 2.165.0__py3-none-any.whl - Mend

aws-cdk-lib 2.164.1py3-none-any.whl → 2.165.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of aws-cdk-lib might be problematic. Click here for more details.

Files changed (30) hide show

aws_cdk/__init__.py +20 -0
aws_cdk/_jsii/__init__.py +1 -1
aws_cdk/_jsii/{aws-cdk-lib@2.164.1.jsii.tgz → aws-cdk-lib@2.165.0.jsii.tgz} +0 -0
aws_cdk/aws_appsync/__init__.py +24 -18
aws_cdk/aws_autoscaling/__init__.py +145 -8
aws_cdk/aws_backup/__init__.py +598 -0
aws_cdk/aws_bedrock/__init__.py +8 -8
aws_cdk/aws_codebuild/__init__.py +88 -33
aws_cdk/aws_cognito/__init__.py +657 -95
aws_cdk/aws_ec2/__init__.py +122 -32
aws_cdk/aws_eks/__init__.py +10 -12
aws_cdk/aws_elasticache/__init__.py +47 -6
aws_cdk/aws_imagebuilder/__init__.py +183 -0
aws_cdk/aws_iot/__init__.py +37 -43
aws_cdk/aws_iotwireless/__init__.py +2 -2
aws_cdk/aws_memorydb/__init__.py +41 -0
aws_cdk/aws_qbusiness/__init__.py +21 -14
aws_cdk/aws_rds/__init__.py +122 -32
aws_cdk/aws_redshift/__init__.py +23 -23
aws_cdk/aws_refactorspaces/__init__.py +56 -61
aws_cdk/aws_resiliencehub/__init__.py +4 -4
aws_cdk/aws_route53/__init__.py +3 -1
aws_cdk/aws_sagemaker/__init__.py +69 -0
aws_cdk/aws_sqs/__init__.py +9 -12
{aws_cdk_lib-2.164.1.dist-info → aws_cdk_lib-2.165.0.dist-info}/METADATA +6 -6
{aws_cdk_lib-2.164.1.dist-info → aws_cdk_lib-2.165.0.dist-info}/RECORD +30 -30
{aws_cdk_lib-2.164.1.dist-info → aws_cdk_lib-2.165.0.dist-info}/LICENSE +0 -0
{aws_cdk_lib-2.164.1.dist-info → aws_cdk_lib-2.165.0.dist-info}/NOTICE +0 -0
{aws_cdk_lib-2.164.1.dist-info → aws_cdk_lib-2.165.0.dist-info}/WHEEL +0 -0
{aws_cdk_lib-2.164.1.dist-info → aws_cdk_lib-2.165.0.dist-info}/top_level.txt +0 -0

aws_cdk/aws_cognito/__init__.py CHANGED Viewed

@@ -1011,6 +1011,33 @@ cognito.UserPoolIdentityProviderGoogle(self, "google",
     )
 )
 ```
+### User Pool Group
+Support for groups in Amazon Cognito user pools enables you to create and manage groups and add users to groups.
+Use groups to create collections of users to manage their permissions or to represent different types of users.
+You can assign an AWS Identity and Access Management (IAM) role to a group to define the permissions for members of a group.
+For more information, see [Adding groups to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html).
+```python
+# user_pool: cognito.UserPool
+# role: iam.Role
+cognito.UserPoolGroup(self, "UserPoolGroup",
+    user_pool=user_pool,
+    group_name="my-group-name",
+    precedence=1,
+    role=role
+)
+# You can also add a group by using addGroup method.
+user_pool.add_group("AnotherUserPoolGroup",
+    group_name="another-group-name"
+)
+```
 '''
 from pkgutil import extend_path
 __path__ = extend_path(__path__, __name__)
@@ -8854,14 +8881,14 @@ class CfnUserPoolIdentityProvider(
         # provider_details: Any
         cfn_user_pool_identity_provider = cognito.CfnUserPoolIdentityProvider(self, "MyCfnUserPoolIdentityProvider",
+            provider_details=provider_details,
             provider_name="providerName",
             provider_type="providerType",
             user_pool_id="userPoolId",
             # the properties below are optional
             attribute_mapping=attribute_mapping,
-            idp_identifiers=["idpIdentifiers"],
-            provider_details=provider_details
+            idp_identifiers=["idpIdentifiers"]
         )
     '''
@@ -8870,34 +8897,34 @@ class CfnUserPoolIdentityProvider(
         scope: _constructs_77d1e7e8.Construct,
         id: builtins.str,
         *,
+        provider_details: typing.Any,
         provider_name: builtins.str,
         provider_type: builtins.str,
         user_pool_id: builtins.str,
         attribute_mapping: typing.Any = None,
         idp_identifiers: typing.Optional[typing.Sequence[builtins.str]] = None,
-        provider_details: typing.Any = None,
     ) -> None:
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
+        :param provider_details: The scopes, URLs, and identifiers for your external identity provider. The following examples describe the provider detail keys for each IdP type. These values and their schema are subject to change. Social IdP ``authorize_scopes`` values must match the values listed here. - **OpenID Connect (OIDC)** - Amazon Cognito accepts the following elements when it can't discover endpoint URLs from ``oidc_issuer`` : ``attributes_url`` , ``authorize_url`` , ``jwks_uri`` , ``token_url`` . Create or update request: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`` Describe response: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "attributes_url_add_attributes": "false", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`` - **SAML** - Create or update request with Metadata URL: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256" }`` Create or update request with Metadata file: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataFile": "[metadata XML]", "RequestSigningAlgorithm": "rsa-sha256" }`` The value of ``MetadataFile`` must be the plaintext metadata document with all quote (") characters escaped by backslashes. Describe response: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "ActiveEncryptionCertificate": "[certificate]", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI": "https://auth.example.com/slo/saml", "SSORedirectBindingURI": "https://auth.example.com/sso/saml" }`` - **LoginWithAmazon** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "profile postal_code", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret"`` Describe response: ``"ProviderDetails": { "attributes_url": "https://api.amazon.com/user/profile", "attributes_url_add_attributes": "false", "authorize_scopes": "profile postal_code", "authorize_url": "https://www.amazon.com/ap/oa", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "POST", "token_url": "https://api.amazon.com/auth/o2/token" }`` - **Google** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email profile openid", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret" }`` Describe response: ``"ProviderDetails": { "attributes_url": "https://people.googleapis.com/v1/people/me?personFields=", "attributes_url_add_attributes": "true", "authorize_scopes": "email profile openid", "authorize_url": "https://accounts.google.com/o/oauth2/v2/auth", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret", "oidc_issuer": "https://accounts.google.com", "token_request_method": "POST", "token_url": "https://www.googleapis.com/oauth2/v4/token" }`` - **SignInWithApple** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email name", "client_id": "com.example.cognito", "private_key": "1EXAMPLE", "key_id": "2EXAMPLE", "team_id": "3EXAMPLE" }`` Describe response: ``"ProviderDetails": { "attributes_url_add_attributes": "false", "authorize_scopes": "email name", "authorize_url": "https://appleid.apple.com/auth/authorize", "client_id": "com.example.cognito", "key_id": "1EXAMPLE", "oidc_issuer": "https://appleid.apple.com", "team_id": "2EXAMPLE", "token_request_method": "POST", "token_url": "https://appleid.apple.com/auth/token" }`` - **Facebook** - Create or update request: ``"ProviderDetails": { "api_version": "v17.0", "authorize_scopes": "public_profile, email", "client_id": "1example23456789", "client_secret": "provider-app-client-secret" }`` Describe response: ``"ProviderDetails": { "api_version": "v17.0", "attributes_url": "https://graph.facebook.com/v17.0/me?fields=", "attributes_url_add_attributes": "true", "authorize_scopes": "public_profile, email", "authorize_url": "https://www.facebook.com/v17.0/dialog/oauth", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "GET", "token_url": "https://graph.facebook.com/v17.0/oauth/access_token" }``
         :param provider_name: The IdP name.
         :param provider_type: The IdP type.
         :param user_pool_id: The user pool ID.
         :param attribute_mapping: A mapping of IdP attributes to standard and custom user pool attributes.
         :param idp_identifiers: A list of IdP identifiers.
-        :param provider_details: The scopes, URLs, and identifiers for your external identity provider. The following examples describe the provider detail keys for each IdP type. These values and their schema are subject to change. Social IdP ``authorize_scopes`` values must match the values listed here. - **OpenID Connect (OIDC)** - Amazon Cognito accepts the following elements when it can't discover endpoint URLs from ``oidc_issuer`` : ``attributes_url`` , ``authorize_url`` , ``jwks_uri`` , ``token_url`` . Create or update request: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`` Describe response: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "attributes_url_add_attributes": "false", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`` - **SAML** - Create or update request with Metadata URL: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256" }`` Create or update request with Metadata file: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataFile": "[metadata XML]", "RequestSigningAlgorithm": "rsa-sha256" }`` The value of ``MetadataFile`` must be the plaintext metadata document with all quote (") characters escaped by backslashes. Describe response: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "ActiveEncryptionCertificate": "[certificate]", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI": "https://auth.example.com/slo/saml", "SSORedirectBindingURI": "https://auth.example.com/sso/saml" }`` - **LoginWithAmazon** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "profile postal_code", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret"`` Describe response: ``"ProviderDetails": { "attributes_url": "https://api.amazon.com/user/profile", "attributes_url_add_attributes": "false", "authorize_scopes": "profile postal_code", "authorize_url": "https://www.amazon.com/ap/oa", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "POST", "token_url": "https://api.amazon.com/auth/o2/token" }`` - **Google** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email profile openid", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret" }`` Describe response: ``"ProviderDetails": { "attributes_url": "https://people.googleapis.com/v1/people/me?personFields=", "attributes_url_add_attributes": "true", "authorize_scopes": "email profile openid", "authorize_url": "https://accounts.google.com/o/oauth2/v2/auth", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret", "oidc_issuer": "https://accounts.google.com", "token_request_method": "POST", "token_url": "https://www.googleapis.com/oauth2/v4/token" }`` - **SignInWithApple** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email name", "client_id": "com.example.cognito", "private_key": "1EXAMPLE", "key_id": "2EXAMPLE", "team_id": "3EXAMPLE" }`` Describe response: ``"ProviderDetails": { "attributes_url_add_attributes": "false", "authorize_scopes": "email name", "authorize_url": "https://appleid.apple.com/auth/authorize", "client_id": "com.example.cognito", "key_id": "1EXAMPLE", "oidc_issuer": "https://appleid.apple.com", "team_id": "2EXAMPLE", "token_request_method": "POST", "token_url": "https://appleid.apple.com/auth/token" }`` - **Facebook** - Create or update request: ``"ProviderDetails": { "api_version": "v17.0", "authorize_scopes": "public_profile, email", "client_id": "1example23456789", "client_secret": "provider-app-client-secret" }`` Describe response: ``"ProviderDetails": { "api_version": "v17.0", "attributes_url": "https://graph.facebook.com/v17.0/me?fields=", "attributes_url_add_attributes": "true", "authorize_scopes": "public_profile, email", "authorize_url": "https://www.facebook.com/v17.0/dialog/oauth", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "GET", "token_url": "https://graph.facebook.com/v17.0/oauth/access_token" }``
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__759e90505ceb64aa7002be11d4da4a87090102263927799f662a83f606483634)
             check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         props = CfnUserPoolIdentityProviderProps(
+            provider_details=provider_details,
             provider_name=provider_name,
             provider_type=provider_type,
             user_pool_id=user_pool_id,
             attribute_mapping=attribute_mapping,
             idp_identifiers=idp_identifiers,
-            provider_details=provider_details,
         )
         jsii.create(self.__class__, self, [scope, id, props])
@@ -8935,8 +8962,7 @@ class CfnUserPoolIdentityProvider(
     @builtins.property
     @jsii.member(jsii_name="attrId")
     def attr_id(self) -> builtins.str:
-        '''The resource ID.
+        '''
         :cloudformationAttribute: Id
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))
@@ -8946,6 +8972,19 @@ class CfnUserPoolIdentityProvider(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
+    @builtins.property
+    @jsii.member(jsii_name="providerDetails")
+    def provider_details(self) -> typing.Any:
+        '''The scopes, URLs, and identifiers for your external identity provider.'''
+        return typing.cast(typing.Any, jsii.get(self, "providerDetails"))
+    @provider_details.setter
+    def provider_details(self, value: typing.Any) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__dd9b80463fd736be9b8b32bf8d2368b0c44578e3b056d45e068ca1e5fdfdb299)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "providerDetails", value) # pyright: ignore[reportArgumentType]
     @builtins.property
     @jsii.member(jsii_name="providerName")
     def provider_name(self) -> builtins.str:
@@ -9014,51 +9053,38 @@ class CfnUserPoolIdentityProvider(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "idpIdentifiers", value) # pyright: ignore[reportArgumentType]
-    @builtins.property
-    @jsii.member(jsii_name="providerDetails")
-    def provider_details(self) -> typing.Any:
-        '''The scopes, URLs, and identifiers for your external identity provider.'''
-        return typing.cast(typing.Any, jsii.get(self, "providerDetails"))
-    @provider_details.setter
-    def provider_details(self, value: typing.Any) -> None:
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__dd9b80463fd736be9b8b32bf8d2368b0c44578e3b056d45e068ca1e5fdfdb299)
-            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "providerDetails", value) # pyright: ignore[reportArgumentType]
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_cognito.CfnUserPoolIdentityProviderProps",
     jsii_struct_bases=[],
     name_mapping={
+        "provider_details": "providerDetails",
         "provider_name": "providerName",
         "provider_type": "providerType",
         "user_pool_id": "userPoolId",
         "attribute_mapping": "attributeMapping",
         "idp_identifiers": "idpIdentifiers",
-        "provider_details": "providerDetails",
     },
 )
 class CfnUserPoolIdentityProviderProps:
     def __init__(
         self,
         *,
+        provider_details: typing.Any,
         provider_name: builtins.str,
         provider_type: builtins.str,
         user_pool_id: builtins.str,
         attribute_mapping: typing.Any = None,
         idp_identifiers: typing.Optional[typing.Sequence[builtins.str]] = None,
-        provider_details: typing.Any = None,
     ) -> None:
         '''Properties for defining a ``CfnUserPoolIdentityProvider``.
+        :param provider_details: The scopes, URLs, and identifiers for your external identity provider. The following examples describe the provider detail keys for each IdP type. These values and their schema are subject to change. Social IdP ``authorize_scopes`` values must match the values listed here. - **OpenID Connect (OIDC)** - Amazon Cognito accepts the following elements when it can't discover endpoint URLs from ``oidc_issuer`` : ``attributes_url`` , ``authorize_url`` , ``jwks_uri`` , ``token_url`` . Create or update request: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`` Describe response: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "attributes_url_add_attributes": "false", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`` - **SAML** - Create or update request with Metadata URL: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256" }`` Create or update request with Metadata file: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataFile": "[metadata XML]", "RequestSigningAlgorithm": "rsa-sha256" }`` The value of ``MetadataFile`` must be the plaintext metadata document with all quote (") characters escaped by backslashes. Describe response: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "ActiveEncryptionCertificate": "[certificate]", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI": "https://auth.example.com/slo/saml", "SSORedirectBindingURI": "https://auth.example.com/sso/saml" }`` - **LoginWithAmazon** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "profile postal_code", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret"`` Describe response: ``"ProviderDetails": { "attributes_url": "https://api.amazon.com/user/profile", "attributes_url_add_attributes": "false", "authorize_scopes": "profile postal_code", "authorize_url": "https://www.amazon.com/ap/oa", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "POST", "token_url": "https://api.amazon.com/auth/o2/token" }`` - **Google** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email profile openid", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret" }`` Describe response: ``"ProviderDetails": { "attributes_url": "https://people.googleapis.com/v1/people/me?personFields=", "attributes_url_add_attributes": "true", "authorize_scopes": "email profile openid", "authorize_url": "https://accounts.google.com/o/oauth2/v2/auth", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret", "oidc_issuer": "https://accounts.google.com", "token_request_method": "POST", "token_url": "https://www.googleapis.com/oauth2/v4/token" }`` - **SignInWithApple** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email name", "client_id": "com.example.cognito", "private_key": "1EXAMPLE", "key_id": "2EXAMPLE", "team_id": "3EXAMPLE" }`` Describe response: ``"ProviderDetails": { "attributes_url_add_attributes": "false", "authorize_scopes": "email name", "authorize_url": "https://appleid.apple.com/auth/authorize", "client_id": "com.example.cognito", "key_id": "1EXAMPLE", "oidc_issuer": "https://appleid.apple.com", "team_id": "2EXAMPLE", "token_request_method": "POST", "token_url": "https://appleid.apple.com/auth/token" }`` - **Facebook** - Create or update request: ``"ProviderDetails": { "api_version": "v17.0", "authorize_scopes": "public_profile, email", "client_id": "1example23456789", "client_secret": "provider-app-client-secret" }`` Describe response: ``"ProviderDetails": { "api_version": "v17.0", "attributes_url": "https://graph.facebook.com/v17.0/me?fields=", "attributes_url_add_attributes": "true", "authorize_scopes": "public_profile, email", "authorize_url": "https://www.facebook.com/v17.0/dialog/oauth", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "GET", "token_url": "https://graph.facebook.com/v17.0/oauth/access_token" }``
         :param provider_name: The IdP name.
         :param provider_type: The IdP type.
         :param user_pool_id: The user pool ID.
         :param attribute_mapping: A mapping of IdP attributes to standard and custom user pool attributes.
         :param idp_identifiers: A list of IdP identifiers.
-        :param provider_details: The scopes, URLs, and identifiers for your external identity provider. The following examples describe the provider detail keys for each IdP type. These values and their schema are subject to change. Social IdP ``authorize_scopes`` values must match the values listed here. - **OpenID Connect (OIDC)** - Amazon Cognito accepts the following elements when it can't discover endpoint URLs from ``oidc_issuer`` : ``attributes_url`` , ``authorize_url`` , ``jwks_uri`` , ``token_url`` . Create or update request: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`` Describe response: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "attributes_url_add_attributes": "false", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`` - **SAML** - Create or update request with Metadata URL: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256" }`` Create or update request with Metadata file: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataFile": "[metadata XML]", "RequestSigningAlgorithm": "rsa-sha256" }`` The value of ``MetadataFile`` must be the plaintext metadata document with all quote (") characters escaped by backslashes. Describe response: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "ActiveEncryptionCertificate": "[certificate]", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI": "https://auth.example.com/slo/saml", "SSORedirectBindingURI": "https://auth.example.com/sso/saml" }`` - **LoginWithAmazon** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "profile postal_code", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret"`` Describe response: ``"ProviderDetails": { "attributes_url": "https://api.amazon.com/user/profile", "attributes_url_add_attributes": "false", "authorize_scopes": "profile postal_code", "authorize_url": "https://www.amazon.com/ap/oa", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "POST", "token_url": "https://api.amazon.com/auth/o2/token" }`` - **Google** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email profile openid", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret" }`` Describe response: ``"ProviderDetails": { "attributes_url": "https://people.googleapis.com/v1/people/me?personFields=", "attributes_url_add_attributes": "true", "authorize_scopes": "email profile openid", "authorize_url": "https://accounts.google.com/o/oauth2/v2/auth", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret", "oidc_issuer": "https://accounts.google.com", "token_request_method": "POST", "token_url": "https://www.googleapis.com/oauth2/v4/token" }`` - **SignInWithApple** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email name", "client_id": "com.example.cognito", "private_key": "1EXAMPLE", "key_id": "2EXAMPLE", "team_id": "3EXAMPLE" }`` Describe response: ``"ProviderDetails": { "attributes_url_add_attributes": "false", "authorize_scopes": "email name", "authorize_url": "https://appleid.apple.com/auth/authorize", "client_id": "com.example.cognito", "key_id": "1EXAMPLE", "oidc_issuer": "https://appleid.apple.com", "team_id": "2EXAMPLE", "token_request_method": "POST", "token_url": "https://appleid.apple.com/auth/token" }`` - **Facebook** - Create or update request: ``"ProviderDetails": { "api_version": "v17.0", "authorize_scopes": "public_profile, email", "client_id": "1example23456789", "client_secret": "provider-app-client-secret" }`` Describe response: ``"ProviderDetails": { "api_version": "v17.0", "attributes_url": "https://graph.facebook.com/v17.0/me?fields=", "attributes_url_add_attributes": "true", "authorize_scopes": "public_profile, email", "authorize_url": "https://www.facebook.com/v17.0/dialog/oauth", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "GET", "token_url": "https://graph.facebook.com/v17.0/oauth/access_token" }``
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolidentityprovider.html
         :exampleMetadata: fixture=_generated
@@ -9073,25 +9099,26 @@ class CfnUserPoolIdentityProviderProps:
             # provider_details: Any
             cfn_user_pool_identity_provider_props = cognito.CfnUserPoolIdentityProviderProps(
+                provider_details=provider_details,
                 provider_name="providerName",
                 provider_type="providerType",
                 user_pool_id="userPoolId",
                 # the properties below are optional
                 attribute_mapping=attribute_mapping,
-                idp_identifiers=["idpIdentifiers"],
-                provider_details=provider_details
+                idp_identifiers=["idpIdentifiers"]
             )
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__41106943fcdd509be0174e1e1c8a8c320bd77587c77e22cfc1c1b7378dfb42ec)
+            check_type(argname="argument provider_details", value=provider_details, expected_type=type_hints["provider_details"])
             check_type(argname="argument provider_name", value=provider_name, expected_type=type_hints["provider_name"])
             check_type(argname="argument provider_type", value=provider_type, expected_type=type_hints["provider_type"])
             check_type(argname="argument user_pool_id", value=user_pool_id, expected_type=type_hints["user_pool_id"])
             check_type(argname="argument attribute_mapping", value=attribute_mapping, expected_type=type_hints["attribute_mapping"])
             check_type(argname="argument idp_identifiers", value=idp_identifiers, expected_type=type_hints["idp_identifiers"])
-            check_type(argname="argument provider_details", value=provider_details, expected_type=type_hints["provider_details"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
+            "provider_details": provider_details,
             "provider_name": provider_name,
             "provider_type": provider_type,
             "user_pool_id": user_pool_id,
@@ -9100,8 +9127,51 @@ class CfnUserPoolIdentityProviderProps:
             self._values["attribute_mapping"] = attribute_mapping
         if idp_identifiers is not None:
             self._values["idp_identifiers"] = idp_identifiers
-        if provider_details is not None:
-            self._values["provider_details"] = provider_details
+    @builtins.property
+    def provider_details(self) -> typing.Any:
+        '''The scopes, URLs, and identifiers for your external identity provider.
+        The following
+        examples describe the provider detail keys for each IdP type. These values and their
+        schema are subject to change. Social IdP ``authorize_scopes`` values must match
+        the values listed here.
+        - **OpenID Connect (OIDC)** - Amazon Cognito accepts the following elements when it can't discover endpoint URLs from ``oidc_issuer`` : ``attributes_url`` , ``authorize_url`` , ``jwks_uri`` , ``token_url`` .
+        Create or update request: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }``
+        Describe response: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "attributes_url_add_attributes": "false", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }``
+        - **SAML** - Create or update request with Metadata URL: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256" }``
+        Create or update request with Metadata file: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataFile": "[metadata XML]", "RequestSigningAlgorithm": "rsa-sha256" }``
+        The value of ``MetadataFile`` must be the plaintext metadata document with all quote (") characters escaped by backslashes.
+        Describe response: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "ActiveEncryptionCertificate": "[certificate]", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI": "https://auth.example.com/slo/saml", "SSORedirectBindingURI": "https://auth.example.com/sso/saml" }``
+        - **LoginWithAmazon** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "profile postal_code", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret"``
+        Describe response: ``"ProviderDetails": { "attributes_url": "https://api.amazon.com/user/profile", "attributes_url_add_attributes": "false", "authorize_scopes": "profile postal_code", "authorize_url": "https://www.amazon.com/ap/oa", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "POST", "token_url": "https://api.amazon.com/auth/o2/token" }``
+        - **Google** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email profile openid", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret" }``
+        Describe response: ``"ProviderDetails": { "attributes_url": "https://people.googleapis.com/v1/people/me?personFields=", "attributes_url_add_attributes": "true", "authorize_scopes": "email profile openid", "authorize_url": "https://accounts.google.com/o/oauth2/v2/auth", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret", "oidc_issuer": "https://accounts.google.com", "token_request_method": "POST", "token_url": "https://www.googleapis.com/oauth2/v4/token" }``
+        - **SignInWithApple** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email name", "client_id": "com.example.cognito", "private_key": "1EXAMPLE", "key_id": "2EXAMPLE", "team_id": "3EXAMPLE" }``
+        Describe response: ``"ProviderDetails": { "attributes_url_add_attributes": "false", "authorize_scopes": "email name", "authorize_url": "https://appleid.apple.com/auth/authorize", "client_id": "com.example.cognito", "key_id": "1EXAMPLE", "oidc_issuer": "https://appleid.apple.com", "team_id": "2EXAMPLE", "token_request_method": "POST", "token_url": "https://appleid.apple.com/auth/token" }``
+        - **Facebook** - Create or update request: ``"ProviderDetails": { "api_version": "v17.0", "authorize_scopes": "public_profile, email", "client_id": "1example23456789", "client_secret": "provider-app-client-secret" }``
+        Describe response: ``"ProviderDetails": { "api_version": "v17.0", "attributes_url": "https://graph.facebook.com/v17.0/me?fields=", "attributes_url_add_attributes": "true", "authorize_scopes": "public_profile, email", "authorize_url": "https://www.facebook.com/v17.0/dialog/oauth", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "GET", "token_url": "https://graph.facebook.com/v17.0/oauth/access_token" }``
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolidentityprovider.html#cfn-cognito-userpoolidentityprovider-providerdetails
+        '''
+        result = self._values.get("provider_details")
+        assert result is not None, "Required property 'provider_details' is missing"
+        return typing.cast(typing.Any, result)
     @builtins.property
     def provider_name(self) -> builtins.str:
@@ -9151,50 +9221,6 @@ class CfnUserPoolIdentityProviderProps:
         result = self._values.get("idp_identifiers")
         return typing.cast(typing.Optional[typing.List[builtins.str]], result)
-    @builtins.property
-    def provider_details(self) -> typing.Any:
-        '''The scopes, URLs, and identifiers for your external identity provider.
-        The following
-        examples describe the provider detail keys for each IdP type. These values and their
-        schema are subject to change. Social IdP ``authorize_scopes`` values must match
-        the values listed here.
-        - **OpenID Connect (OIDC)** - Amazon Cognito accepts the following elements when it can't discover endpoint URLs from ``oidc_issuer`` : ``attributes_url`` , ``authorize_url`` , ``jwks_uri`` , ``token_url`` .
-        Create or update request: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }``
-        Describe response: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "attributes_url_add_attributes": "false", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }``
-        - **SAML** - Create or update request with Metadata URL: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256" }``
-        Create or update request with Metadata file: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataFile": "[metadata XML]", "RequestSigningAlgorithm": "rsa-sha256" }``
-        The value of ``MetadataFile`` must be the plaintext metadata document with all quote (") characters escaped by backslashes.
-        Describe response: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "ActiveEncryptionCertificate": "[certificate]", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI": "https://auth.example.com/slo/saml", "SSORedirectBindingURI": "https://auth.example.com/sso/saml" }``
-        - **LoginWithAmazon** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "profile postal_code", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret"``
-        Describe response: ``"ProviderDetails": { "attributes_url": "https://api.amazon.com/user/profile", "attributes_url_add_attributes": "false", "authorize_scopes": "profile postal_code", "authorize_url": "https://www.amazon.com/ap/oa", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "POST", "token_url": "https://api.amazon.com/auth/o2/token" }``
-        - **Google** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email profile openid", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret" }``
-        Describe response: ``"ProviderDetails": { "attributes_url": "https://people.googleapis.com/v1/people/me?personFields=", "attributes_url_add_attributes": "true", "authorize_scopes": "email profile openid", "authorize_url": "https://accounts.google.com/o/oauth2/v2/auth", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret", "oidc_issuer": "https://accounts.google.com", "token_request_method": "POST", "token_url": "https://www.googleapis.com/oauth2/v4/token" }``
-        - **SignInWithApple** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email name", "client_id": "com.example.cognito", "private_key": "1EXAMPLE", "key_id": "2EXAMPLE", "team_id": "3EXAMPLE" }``
-        Describe response: ``"ProviderDetails": { "attributes_url_add_attributes": "false", "authorize_scopes": "email name", "authorize_url": "https://appleid.apple.com/auth/authorize", "client_id": "com.example.cognito", "key_id": "1EXAMPLE", "oidc_issuer": "https://appleid.apple.com", "team_id": "2EXAMPLE", "token_request_method": "POST", "token_url": "https://appleid.apple.com/auth/token" }``
-        - **Facebook** - Create or update request: ``"ProviderDetails": { "api_version": "v17.0", "authorize_scopes": "public_profile, email", "client_id": "1example23456789", "client_secret": "provider-app-client-secret" }``
-        Describe response: ``"ProviderDetails": { "api_version": "v17.0", "attributes_url": "https://graph.facebook.com/v17.0/me?fields=", "attributes_url_add_attributes": "true", "authorize_scopes": "public_profile, email", "authorize_url": "https://www.facebook.com/v17.0/dialog/oauth", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "GET", "token_url": "https://graph.facebook.com/v17.0/oauth/access_token" }``
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolidentityprovider.html#cfn-cognito-userpoolidentityprovider-providerdetails
-        '''
-        result = self._values.get("provider_details")
-        return typing.cast(typing.Any, result)
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
@@ -13131,6 +13157,28 @@ class IUserPool(_IResource_c80c4260, typing_extensions.Protocol):
         '''
         ...
+    @jsii.member(jsii_name="addGroup")
+    def add_group(
+        self,
+        id: builtins.str,
+        *,
+        description: typing.Optional[builtins.str] = None,
+        group_name: typing.Optional[builtins.str] = None,
+        precedence: typing.Optional[jsii.Number] = None,
+        role: typing.Optional[_IRole_235f5d8e] = None,
+    ) -> "UserPoolGroup":
+        '''Add a new group to this user pool.
+        :param id: -
+        :param description: A string containing the description of the group. Default: - no description
+        :param group_name: The name of the group. Must be unique. Default: - auto generate a name
+        :param precedence: A non-negative integer value that specifies the precedence of this group relative to the other groups that a user can belong to in the user pool. Zero is the highest precedence value. Groups with lower Precedence values take precedence over groups with higher or null Precedence values. If a user belongs to two or more groups, it is the group with the lowest precedence value whose role ARN is given in the user's tokens for the cognito:roles and cognito:preferred_role claims. Two groups can have the same Precedence value. If this happens, neither group takes precedence over the other. If two groups with the same Precedence have the same role ARN, that role is used in the cognito:preferred_role claim in tokens for users in each group. If the two groups have different role ARNs, the cognito:preferred_role claim isn't set in users' tokens. Default: - null
+        :param role: The role for the group. Default: - no description
+        :see: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html
+        '''
+        ...
     @jsii.member(jsii_name="addResourceServer")
     def add_resource_server(
         self,
@@ -13303,6 +13351,38 @@ class _IUserPoolProxy(
         return typing.cast("UserPoolDomain", jsii.invoke(self, "addDomain", [id, options]))
+    @jsii.member(jsii_name="addGroup")
+    def add_group(
+        self,
+        id: builtins.str,
+        *,
+        description: typing.Optional[builtins.str] = None,
+        group_name: typing.Optional[builtins.str] = None,
+        precedence: typing.Optional[jsii.Number] = None,
+        role: typing.Optional[_IRole_235f5d8e] = None,
+    ) -> "UserPoolGroup":
+        '''Add a new group to this user pool.
+        :param id: -
+        :param description: A string containing the description of the group. Default: - no description
+        :param group_name: The name of the group. Must be unique. Default: - auto generate a name
+        :param precedence: A non-negative integer value that specifies the precedence of this group relative to the other groups that a user can belong to in the user pool. Zero is the highest precedence value. Groups with lower Precedence values take precedence over groups with higher or null Precedence values. If a user belongs to two or more groups, it is the group with the lowest precedence value whose role ARN is given in the user's tokens for the cognito:roles and cognito:preferred_role claims. Two groups can have the same Precedence value. If this happens, neither group takes precedence over the other. If two groups with the same Precedence have the same role ARN, that role is used in the cognito:preferred_role claim in tokens for users in each group. If the two groups have different role ARNs, the cognito:preferred_role claim isn't set in users' tokens. Default: - null
+        :param role: The role for the group. Default: - no description
+        :see: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__e70d406698753c50dbab4e4d1f9837fc55e7c713f52b3937d20745b5ab2a221e)
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        options = UserPoolGroupOptions(
+            description=description,
+            group_name=group_name,
+            precedence=precedence,
+            role=role,
+        )
+        return typing.cast("UserPoolGroup", jsii.invoke(self, "addGroup", [id, options]))
     @jsii.member(jsii_name="addResourceServer")
     def add_resource_server(
         self,
@@ -13460,6 +13540,40 @@ class _IUserPoolDomainProxy(
 typing.cast(typing.Any, IUserPoolDomain).__jsii_proxy_class__ = lambda : _IUserPoolDomainProxy
+@jsii.interface(jsii_type="aws-cdk-lib.aws_cognito.IUserPoolGroup")
+class IUserPoolGroup(_IResource_c80c4260, typing_extensions.Protocol):
+    '''Represents a user pool group.'''
+    @builtins.property
+    @jsii.member(jsii_name="groupName")
+    def group_name(self) -> builtins.str:
+        '''The user group name.
+        :attribute: true
+        '''
+        ...
+class _IUserPoolGroupProxy(
+    jsii.proxy_for(_IResource_c80c4260), # type: ignore[misc]
+):
+    '''Represents a user pool group.'''
+    __jsii_type__: typing.ClassVar[str] = "aws-cdk-lib.aws_cognito.IUserPoolGroup"
+    @builtins.property
+    @jsii.member(jsii_name="groupName")
+    def group_name(self) -> builtins.str:
+        '''The user group name.
+        :attribute: true
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "groupName"))
+# Adding a "__jsii_proxy_class__(): typing.Type" function to the interface
+typing.cast(typing.Any, IUserPoolGroup).__jsii_proxy_class__ = lambda : _IUserPoolGroupProxy
 @jsii.interface(jsii_type="aws-cdk-lib.aws_cognito.IUserPoolIdentityProvider")
 class IUserPoolIdentityProvider(_IResource_c80c4260, typing_extensions.Protocol):
     '''Represents a UserPoolIdentityProvider.'''
@@ -16497,6 +16611,36 @@ class UserPool(
         return typing.cast("UserPoolDomain", jsii.invoke(self, "addDomain", [id, options]))
+    @jsii.member(jsii_name="addGroup")
+    def add_group(
+        self,
+        id: builtins.str,
+        *,
+        description: typing.Optional[builtins.str] = None,
+        group_name: typing.Optional[builtins.str] = None,
+        precedence: typing.Optional[jsii.Number] = None,
+        role: typing.Optional[_IRole_235f5d8e] = None,
+    ) -> "UserPoolGroup":
+        '''Add a new group to this user pool.
+        :param id: -
+        :param description: A string containing the description of the group. Default: - no description
+        :param group_name: The name of the group. Must be unique. Default: - auto generate a name
+        :param precedence: A non-negative integer value that specifies the precedence of this group relative to the other groups that a user can belong to in the user pool. Zero is the highest precedence value. Groups with lower Precedence values take precedence over groups with higher or null Precedence values. If a user belongs to two or more groups, it is the group with the lowest precedence value whose role ARN is given in the user's tokens for the cognito:roles and cognito:preferred_role claims. Two groups can have the same Precedence value. If this happens, neither group takes precedence over the other. If two groups with the same Precedence have the same role ARN, that role is used in the cognito:preferred_role claim in tokens for users in each group. If the two groups have different role ARNs, the cognito:preferred_role claim isn't set in users' tokens. Default: - null
+        :param role: The role for the group. Default: - no description
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__182df28f489c4d9ab970aca99503d45cd2196b431c6ce7b04bb1e343694049fa)
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        options = UserPoolGroupOptions(
+            description=description,
+            group_name=group_name,
+            precedence=precedence,
+            role=role,
+        )
+        return typing.cast("UserPoolGroup", jsii.invoke(self, "addGroup", [id, options]))
     @jsii.member(jsii_name="addResourceServer")
     def add_resource_server(
         self,
@@ -18041,32 +18185,382 @@ class UserPoolEmailConfig:
         )
-class UserPoolIdentityProvider(
+@jsii.implements(IUserPoolGroup)
+class UserPoolGroup(
+    _Resource_45bc6135,
     metaclass=jsii.JSIIMeta,
-    jsii_type="aws-cdk-lib.aws_cognito.UserPoolIdentityProvider",
+    jsii_type="aws-cdk-lib.aws_cognito.UserPoolGroup",
 ):
-    '''User pool third-party identity providers.'''
+    '''Define a user pool group.
-    @jsii.member(jsii_name="fromProviderName")
-    @builtins.classmethod
-    def from_provider_name(
-        cls,
+    :exampleMetadata: infused
+    Example::
+        # user_pool: cognito.UserPool
+        # role: iam.Role
+        cognito.UserPoolGroup(self, "UserPoolGroup",
+            user_pool=user_pool,
+            group_name="my-group-name",
+            precedence=1,
+            role=role
+        )
+        # You can also add a group by using addGroup method.
+        user_pool.add_group("AnotherUserPoolGroup",
+            group_name="another-group-name"
+        )
+    '''
+    def __init__(
+        self,
         scope: _constructs_77d1e7e8.Construct,
         id: builtins.str,
-        provider_name: builtins.str,
-    ) -> IUserPoolIdentityProvider:
-        '''Import an existing UserPoolIdentityProvider.
+        *,
+        user_pool: IUserPool,
+        description: typing.Optional[builtins.str] = None,
+        group_name: typing.Optional[builtins.str] = None,
+        precedence: typing.Optional[jsii.Number] = None,
+        role: typing.Optional[_IRole_235f5d8e] = None,
+    ) -> None:
+        '''
         :param scope: -
         :param id: -
-        :param provider_name: -
+        :param user_pool: The user pool to which this group is associated.
+        :param description: A string containing the description of the group. Default: - no description
+        :param group_name: The name of the group. Must be unique. Default: - auto generate a name
+        :param precedence: A non-negative integer value that specifies the precedence of this group relative to the other groups that a user can belong to in the user pool. Zero is the highest precedence value. Groups with lower Precedence values take precedence over groups with higher or null Precedence values. If a user belongs to two or more groups, it is the group with the lowest precedence value whose role ARN is given in the user's tokens for the cognito:roles and cognito:preferred_role claims. Two groups can have the same Precedence value. If this happens, neither group takes precedence over the other. If two groups with the same Precedence have the same role ARN, that role is used in the cognito:preferred_role claim in tokens for users in each group. If the two groups have different role ARNs, the cognito:preferred_role claim isn't set in users' tokens. Default: - null
+        :param role: The role for the group. Default: - no description
         '''
         if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__9db3563a94587e916fce47561a9ad603b26f36fbcb7b72d5e133ddf1e77b76d6)
+            type_hints = typing.get_type_hints(_typecheckingstub__775ac13db76309a928c26a49c092fd74e83d97ad55358f5e3e7abc39c87da53a)
             check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
-            check_type(argname="argument provider_name", value=provider_name, expected_type=type_hints["provider_name"])
-        return typing.cast(IUserPoolIdentityProvider, jsii.sinvoke(cls, "fromProviderName", [scope, id, provider_name]))
+        props = UserPoolGroupProps(
+            user_pool=user_pool,
+            description=description,
+            group_name=group_name,
+            precedence=precedence,
+            role=role,
+        )
+        jsii.create(self.__class__, self, [scope, id, props])
+    @jsii.member(jsii_name="fromGroupName")
+    @builtins.classmethod
+    def from_group_name(
+        cls,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        group_name: builtins.str,
+    ) -> IUserPoolGroup:
+        '''Import a UserPoolGroup given its group name.
+        :param scope: -
+        :param id: -
+        :param group_name: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__9d44902ed5a2acfdafc23199f3078ecfdbefe799f2ec29a5b0d850ee7b6d36ec)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+            check_type(argname="argument group_name", value=group_name, expected_type=type_hints["group_name"])
+        return typing.cast(IUserPoolGroup, jsii.sinvoke(cls, "fromGroupName", [scope, id, group_name]))
+    @builtins.property
+    @jsii.member(jsii_name="groupName")
+    def group_name(self) -> builtins.str:
+        '''The user group name.'''
+        return typing.cast(builtins.str, jsii.get(self, "groupName"))
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_cognito.UserPoolGroupOptions",
+    jsii_struct_bases=[],
+    name_mapping={
+        "description": "description",
+        "group_name": "groupName",
+        "precedence": "precedence",
+        "role": "role",
+    },
+)
+class UserPoolGroupOptions:
+    def __init__(
+        self,
+        *,
+        description: typing.Optional[builtins.str] = None,
+        group_name: typing.Optional[builtins.str] = None,
+        precedence: typing.Optional[jsii.Number] = None,
+        role: typing.Optional[_IRole_235f5d8e] = None,
+    ) -> None:
+        '''Options to create a UserPoolGroup.
+        :param description: A string containing the description of the group. Default: - no description
+        :param group_name: The name of the group. Must be unique. Default: - auto generate a name
+        :param precedence: A non-negative integer value that specifies the precedence of this group relative to the other groups that a user can belong to in the user pool. Zero is the highest precedence value. Groups with lower Precedence values take precedence over groups with higher or null Precedence values. If a user belongs to two or more groups, it is the group with the lowest precedence value whose role ARN is given in the user's tokens for the cognito:roles and cognito:preferred_role claims. Two groups can have the same Precedence value. If this happens, neither group takes precedence over the other. If two groups with the same Precedence have the same role ARN, that role is used in the cognito:preferred_role claim in tokens for users in each group. If the two groups have different role ARNs, the cognito:preferred_role claim isn't set in users' tokens. Default: - null
+        :param role: The role for the group. Default: - no description
+        :exampleMetadata: infused
+        Example::
+            # user_pool: cognito.UserPool
+            # role: iam.Role
+            cognito.UserPoolGroup(self, "UserPoolGroup",
+                user_pool=user_pool,
+                group_name="my-group-name",
+                precedence=1,
+                role=role
+            )
+            # You can also add a group by using addGroup method.
+            user_pool.add_group("AnotherUserPoolGroup",
+                group_name="another-group-name"
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__a76259212a5e57f1375d5eb2940f0d6cde7a130c86d1a85fc682cc6597a4934b)
+            check_type(argname="argument description", value=description, expected_type=type_hints["description"])
+            check_type(argname="argument group_name", value=group_name, expected_type=type_hints["group_name"])
+            check_type(argname="argument precedence", value=precedence, expected_type=type_hints["precedence"])
+            check_type(argname="argument role", value=role, expected_type=type_hints["role"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if description is not None:
+            self._values["description"] = description
+        if group_name is not None:
+            self._values["group_name"] = group_name
+        if precedence is not None:
+            self._values["precedence"] = precedence
+        if role is not None:
+            self._values["role"] = role
+    @builtins.property
+    def description(self) -> typing.Optional[builtins.str]:
+        '''A string containing the description of the group.
+        :default: - no description
+        '''
+        result = self._values.get("description")
+        return typing.cast(typing.Optional[builtins.str], result)
+    @builtins.property
+    def group_name(self) -> typing.Optional[builtins.str]:
+        '''The name of the group.
+        Must be unique.
+        :default: - auto generate a name
+        '''
+        result = self._values.get("group_name")
+        return typing.cast(typing.Optional[builtins.str], result)
+    @builtins.property
+    def precedence(self) -> typing.Optional[jsii.Number]:
+        '''A non-negative integer value that specifies the precedence of this group relative to the other groups that a user can belong to in the user pool.
+        Zero is the highest precedence value.
+        Groups with lower Precedence values take precedence over groups with higher or null Precedence values.
+        If a user belongs to two or more groups, it is the group with the lowest precedence value
+        whose role ARN is given in the user's tokens for the cognito:roles and cognito:preferred_role claims.
+        Two groups can have the same Precedence value. If this happens, neither group takes precedence over the other.
+        If two groups with the same Precedence have the same role ARN, that role is used in the cognito:preferred_role
+        claim in tokens for users in each group.
+        If the two groups have different role ARNs, the cognito:preferred_role claim isn't set in users' tokens.
+        :default: - null
+        '''
+        result = self._values.get("precedence")
+        return typing.cast(typing.Optional[jsii.Number], result)
+    @builtins.property
+    def role(self) -> typing.Optional[_IRole_235f5d8e]:
+        '''The role for the group.
+        :default: - no description
+        '''
+        result = self._values.get("role")
+        return typing.cast(typing.Optional[_IRole_235f5d8e], result)
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+    def __repr__(self) -> str:
+        return "UserPoolGroupOptions(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_cognito.UserPoolGroupProps",
+    jsii_struct_bases=[UserPoolGroupOptions],
+    name_mapping={
+        "description": "description",
+        "group_name": "groupName",
+        "precedence": "precedence",
+        "role": "role",
+        "user_pool": "userPool",
+    },
+)
+class UserPoolGroupProps(UserPoolGroupOptions):
+    def __init__(
+        self,
+        *,
+        description: typing.Optional[builtins.str] = None,
+        group_name: typing.Optional[builtins.str] = None,
+        precedence: typing.Optional[jsii.Number] = None,
+        role: typing.Optional[_IRole_235f5d8e] = None,
+        user_pool: IUserPool,
+    ) -> None:
+        '''Props for UserPoolGroup construct.
+        :param description: A string containing the description of the group. Default: - no description
+        :param group_name: The name of the group. Must be unique. Default: - auto generate a name
+        :param precedence: A non-negative integer value that specifies the precedence of this group relative to the other groups that a user can belong to in the user pool. Zero is the highest precedence value. Groups with lower Precedence values take precedence over groups with higher or null Precedence values. If a user belongs to two or more groups, it is the group with the lowest precedence value whose role ARN is given in the user's tokens for the cognito:roles and cognito:preferred_role claims. Two groups can have the same Precedence value. If this happens, neither group takes precedence over the other. If two groups with the same Precedence have the same role ARN, that role is used in the cognito:preferred_role claim in tokens for users in each group. If the two groups have different role ARNs, the cognito:preferred_role claim isn't set in users' tokens. Default: - null
+        :param role: The role for the group. Default: - no description
+        :param user_pool: The user pool to which this group is associated.
+        :exampleMetadata: infused
+        Example::
+            # user_pool: cognito.UserPool
+            # role: iam.Role
+            cognito.UserPoolGroup(self, "UserPoolGroup",
+                user_pool=user_pool,
+                group_name="my-group-name",
+                precedence=1,
+                role=role
+            )
+            # You can also add a group by using addGroup method.
+            user_pool.add_group("AnotherUserPoolGroup",
+                group_name="another-group-name"
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__6f5beec5c4d6b11b4325b68ae8691c3f5f2eb75f4aa5ef1c6e333e5df0fe7e36)
+            check_type(argname="argument description", value=description, expected_type=type_hints["description"])
+            check_type(argname="argument group_name", value=group_name, expected_type=type_hints["group_name"])
+            check_type(argname="argument precedence", value=precedence, expected_type=type_hints["precedence"])
+            check_type(argname="argument role", value=role, expected_type=type_hints["role"])
+            check_type(argname="argument user_pool", value=user_pool, expected_type=type_hints["user_pool"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "user_pool": user_pool,
+        }
+        if description is not None:
+            self._values["description"] = description
+        if group_name is not None:
+            self._values["group_name"] = group_name
+        if precedence is not None:
+            self._values["precedence"] = precedence
+        if role is not None:
+            self._values["role"] = role
+    @builtins.property
+    def description(self) -> typing.Optional[builtins.str]:
+        '''A string containing the description of the group.
+        :default: - no description
+        '''
+        result = self._values.get("description")
+        return typing.cast(typing.Optional[builtins.str], result)
+    @builtins.property
+    def group_name(self) -> typing.Optional[builtins.str]:
+        '''The name of the group.
+        Must be unique.
+        :default: - auto generate a name
+        '''
+        result = self._values.get("group_name")
+        return typing.cast(typing.Optional[builtins.str], result)
+    @builtins.property
+    def precedence(self) -> typing.Optional[jsii.Number]:
+        '''A non-negative integer value that specifies the precedence of this group relative to the other groups that a user can belong to in the user pool.
+        Zero is the highest precedence value.
+        Groups with lower Precedence values take precedence over groups with higher or null Precedence values.
+        If a user belongs to two or more groups, it is the group with the lowest precedence value
+        whose role ARN is given in the user's tokens for the cognito:roles and cognito:preferred_role claims.
+        Two groups can have the same Precedence value. If this happens, neither group takes precedence over the other.
+        If two groups with the same Precedence have the same role ARN, that role is used in the cognito:preferred_role
+        claim in tokens for users in each group.
+        If the two groups have different role ARNs, the cognito:preferred_role claim isn't set in users' tokens.
+        :default: - null
+        '''
+        result = self._values.get("precedence")
+        return typing.cast(typing.Optional[jsii.Number], result)
+    @builtins.property
+    def role(self) -> typing.Optional[_IRole_235f5d8e]:
+        '''The role for the group.
+        :default: - no description
+        '''
+        result = self._values.get("role")
+        return typing.cast(typing.Optional[_IRole_235f5d8e], result)
+    @builtins.property
+    def user_pool(self) -> IUserPool:
+        '''The user pool to which this group is associated.'''
+        result = self._values.get("user_pool")
+        assert result is not None, "Required property 'user_pool' is missing"
+        return typing.cast(IUserPool, result)
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+    def __repr__(self) -> str:
+        return "UserPoolGroupProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+class UserPoolIdentityProvider(
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_cognito.UserPoolIdentityProvider",
+):
+    '''User pool third-party identity providers.'''
+    @jsii.member(jsii_name="fromProviderName")
+    @builtins.classmethod
+    def from_provider_name(
+        cls,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        provider_name: builtins.str,
+    ) -> IUserPoolIdentityProvider:
+        '''Import an existing UserPoolIdentityProvider.
+        :param scope: -
+        :param id: -
+        :param provider_name: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__9db3563a94587e916fce47561a9ad603b26f36fbcb7b72d5e133ddf1e77b76d6)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+            check_type(argname="argument provider_name", value=provider_name, expected_type=type_hints["provider_name"])
+        return typing.cast(IUserPoolIdentityProvider, jsii.sinvoke(cls, "fromProviderName", [scope, id, provider_name]))
 @jsii.implements(IUserPoolIdentityProvider)
@@ -21540,6 +22034,7 @@ __all__ = [
     "IUserPool",
     "IUserPoolClient",
     "IUserPoolDomain",
+    "IUserPoolGroup",
     "IUserPoolIdentityProvider",
     "IUserPoolResourceServer",
     "KeepOriginalAttrs",
@@ -21578,6 +22073,9 @@ __all__ = [
     "UserPoolDomainProps",
     "UserPoolEmail",
     "UserPoolEmailConfig",
+    "UserPoolGroup",
+    "UserPoolGroupOptions",
+    "UserPoolGroupProps",
     "UserPoolIdentityProvider",
     "UserPoolIdentityProviderAmazon",
     "UserPoolIdentityProviderAmazonProps",
@@ -22760,12 +23258,12 @@ def _typecheckingstub__759e90505ceb64aa7002be11d4da4a87090102263927799f662a83f60
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
     *,
+    provider_details: typing.Any,
     provider_name: builtins.str,
     provider_type: builtins.str,
     user_pool_id: builtins.str,
     attribute_mapping: typing.Any = None,
     idp_identifiers: typing.Optional[typing.Sequence[builtins.str]] = None,
-    provider_details: typing.Any = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -22782,6 +23280,12 @@ def _typecheckingstub__7ff11acc316d5d73192edfeab5a5d7fb2aa7891c069fce7ccaa876300
     """Type checking stubs"""
     pass
+def _typecheckingstub__dd9b80463fd736be9b8b32bf8d2368b0c44578e3b056d45e068ca1e5fdfdb299(
+    value: typing.Any,
+) -> None:
+    """Type checking stubs"""
+    pass
 def _typecheckingstub__03fef1ca3436f487bdb2ac4c72e914ca702f01a40d12470aaa64c77a0f7e15a2(
     value: builtins.str,
 ) -> None:
@@ -22812,20 +23316,14 @@ def _typecheckingstub__7662247fd2cd01f6776c3a84fedff308a45861e95cabe426cb256482a
     """Type checking stubs"""
     pass
-def _typecheckingstub__dd9b80463fd736be9b8b32bf8d2368b0c44578e3b056d45e068ca1e5fdfdb299(
-    value: typing.Any,
-) -> None:
-    """Type checking stubs"""
-    pass
 def _typecheckingstub__41106943fcdd509be0174e1e1c8a8c320bd77587c77e22cfc1c1b7378dfb42ec(
     *,
+    provider_details: typing.Any,
     provider_name: builtins.str,
     provider_type: builtins.str,
     user_pool_id: builtins.str,
     attribute_mapping: typing.Any = None,
     idp_identifiers: typing.Optional[typing.Sequence[builtins.str]] = None,
-    provider_details: typing.Any = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -23346,6 +23844,17 @@ def _typecheckingstub__792921e0d9eecd6253eadd31c7fba82fdce9c0ba38f25dcba7dcd063e
     """Type checking stubs"""
     pass
+def _typecheckingstub__e70d406698753c50dbab4e4d1f9837fc55e7c713f52b3937d20745b5ab2a221e(
+    id: builtins.str,
+    *,
+    description: typing.Optional[builtins.str] = None,
+    group_name: typing.Optional[builtins.str] = None,
+    precedence: typing.Optional[jsii.Number] = None,
+    role: typing.Optional[_IRole_235f5d8e] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
 def _typecheckingstub__6e7f4643c9bff39b5095e7aa370612aed9ce88bfde927b1cbbd7b3a21df157a2(
     id: builtins.str,
     *,
@@ -23654,6 +24163,17 @@ def _typecheckingstub__f9659a33214c6a8f47e5cc02aec61f89c8bd48113d0c9b3e32a81fef2
     """Type checking stubs"""
     pass
+def _typecheckingstub__182df28f489c4d9ab970aca99503d45cd2196b431c6ce7b04bb1e343694049fa(
+    id: builtins.str,
+    *,
+    description: typing.Optional[builtins.str] = None,
+    group_name: typing.Optional[builtins.str] = None,
+    precedence: typing.Optional[jsii.Number] = None,
+    role: typing.Optional[_IRole_235f5d8e] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
 def _typecheckingstub__15a655e8061891a027a61815d064f6a0d9d429f80e33f0c0c98213485f2beedd(
     id: builtins.str,
     *,
@@ -23829,6 +24349,48 @@ def _typecheckingstub__e3ce90cb9624f22600c6b33192c8ad7ad7f3946d65d49e2cf22b46b1d
     """Type checking stubs"""
     pass
+def _typecheckingstub__775ac13db76309a928c26a49c092fd74e83d97ad55358f5e3e7abc39c87da53a(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    user_pool: IUserPool,
+    description: typing.Optional[builtins.str] = None,
+    group_name: typing.Optional[builtins.str] = None,
+    precedence: typing.Optional[jsii.Number] = None,
+    role: typing.Optional[_IRole_235f5d8e] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+def _typecheckingstub__9d44902ed5a2acfdafc23199f3078ecfdbefe799f2ec29a5b0d850ee7b6d36ec(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    group_name: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+def _typecheckingstub__a76259212a5e57f1375d5eb2940f0d6cde7a130c86d1a85fc682cc6597a4934b(
+    *,
+    description: typing.Optional[builtins.str] = None,
+    group_name: typing.Optional[builtins.str] = None,
+    precedence: typing.Optional[jsii.Number] = None,
+    role: typing.Optional[_IRole_235f5d8e] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+def _typecheckingstub__6f5beec5c4d6b11b4325b68ae8691c3f5f2eb75f4aa5ef1c6e333e5df0fe7e36(
+    *,
+    description: typing.Optional[builtins.str] = None,
+    group_name: typing.Optional[builtins.str] = None,
+    precedence: typing.Optional[jsii.Number] = None,
+    role: typing.Optional[_IRole_235f5d8e] = None,
+    user_pool: IUserPool,
+) -> None:
+    """Type checking stubs"""
+    pass
 def _typecheckingstub__9db3563a94587e916fce47561a9ad603b26f36fbcb7b72d5e133ddf1e77b76d6(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,

aws-cdk-lib 2.164.1__py3-none-any.whl → 2.165.0__py3-none-any.whl

Potentially problematic release.

aws-cdk-lib 2.164.1py3-none-any.whl → 2.165.0py3-none-any.whl