feat: Add support for custom Lambda function email senders in Auth construct

.changeset/curvy-pans-brake.md

@@ -0,0 +1,6 @@
+---
+'@aws-amplify/auth-construct': minor
+'@aws-amplify/backend-auth': minor
+---
+
+Added custom user KMS key for customEmailSender

.changeset/unlucky-chairs-train.md

@@ -0,0 +1,6 @@
+---
+'@aws-amplify/auth-construct': minor
+'@aws-amplify/backend-auth': minor
+---
+
+feat: Add support for custom Lambda function email senders in Auth construct

.eslint_dictionary.json

@@ -193,5 +193,7 @@
   "xlarge",
   "yaml",
   "yargs",
-  "zoneinfo"
+  "zoneinfo",
+  "SKey",
+  "decrypt"
 ]

packages/ai-constructs/API.md

@@ -54,6 +54,7 @@ type ConversationHandlerFunctionProps = {
         modelId: string;
         region?: string;
     }>;
+    memoryMB?: number;
     outputStorageStrategy?: BackendOutputStorageStrategy<AIConversationOutput>;
 };
 

packages/auth-construct/API.md

@@ -9,6 +9,7 @@ import { AuthResources } from '@aws-amplify/plugin-types';
 import { aws_cognito } from 'aws-cdk-lib';
 import { BackendOutputStorageStrategy } from '@aws-amplify/plugin-types';
 import { Construct } from 'constructs';
+import { IFunction } from 'aws-cdk-lib/aws-lambda';
 import { NumberAttributeConstraints } from 'aws-cdk-lib/aws-cognito';
 import { ResourceProvider } from '@aws-amplify/plugin-types';
 import { SecretValue } from 'aws-cdk-lib';
@@ -47,7 +48,8 @@ export type AuthProps = {
         externalProviders?: ExternalProviderOptions;
     };
     senders?: {
-        email: Pick<UserPoolSESOptions, 'fromEmail' | 'fromName' | 'replyTo'>;
+        email: Pick<UserPoolSESOptions, 'fromEmail' | 'fromName' | 'replyTo'> | IFunction;
+        kmsKeyArn?: string;
     };
     userAttributes?: UserAttributes;
     multifactor?: MFA;

packages/auth-construct/src/construct.ts

@@ -34,6 +34,7 @@ import {
   UserPoolIdentityProviderOidc,
   UserPoolIdentityProviderSaml,
   UserPoolIdentityProviderSamlMetadataType,
+  UserPoolOperation,
   UserPoolProps,
 } from 'aws-cdk-lib/aws-cognito';
 import { FederatedPrincipal, Role } from 'aws-cdk-lib/aws-iam';
@@ -51,6 +52,8 @@ import {
   StackMetadataBackendOutputStorageStrategy,
 } from '@aws-amplify/backend-output-storage';
 import * as path from 'path';
+import * as lambda from 'aws-cdk-lib/aws-lambda';
+import { IKey, Key } from 'aws-cdk-lib/aws-kms';
 
 type DefaultRoles = { auth: Role; unAuth: Role };
 type IdentityProviderSetupResult = {
@@ -131,6 +134,8 @@ export class AmplifyAuth
     };
   } = {};
 
+  private customEmailSenderKMSkey: IKey | undefined;
+
   /**
    * Create a new Auth construct with AuthProps.
    * If no props are provided, email login and defaults will be used.
@@ -141,24 +146,39 @@ export class AmplifyAuth
     props: AuthProps = DEFAULTS.IF_NO_PROPS_PROVIDED
   ) {
     super(scope, id);
-
     this.name = props.name ?? '';
     this.domainPrefix = props.loginWith.externalProviders?.domainPrefix;
-
     // UserPool
     this.computedUserPoolProps = this.getUserPoolProps(props);
+
     this.userPool = new cognito.UserPool(
       this,
       `${this.name}UserPool`,
       this.computedUserPoolProps
     );
+    /**
+     * Configure custom email sender for Cognito User Pool
+     * Grant necessary permissions for Lambda function to decrypt emails
+     * and allow Cognito to invoke the Lambda function
+     */
+    if (
+      props.senders?.email &&
+      props.senders.email instanceof lambda.Function &&
+      this.customEmailSenderKMSkey
+    ) {
+      this.customEmailSenderKMSkey.grantDecrypt(props.senders.email);
+      this.customEmailSenderKMSkey.grantEncrypt(props.senders.email);
+      this.userPool.addTrigger(
+        UserPoolOperation.of('customEmailSender'),
+        props.senders.email
+      );
+    }
 
     // UserPool - External Providers (Oauth, SAML, OIDC) and User Pool Domain
     this.providerSetupResult = this.setupExternalProviders(
       this.userPool,
       props.loginWith
     );
-
     // UserPool Client
     const userPoolClient = new cognito.UserPoolClient(
       this,
@@ -478,7 +498,24 @@ export class AmplifyAuth
       },
       { standardAttributes: {}, customAttributes: {} }
     );
-
+    if (props.senders?.kmsKeyArn) {
+      this.customEmailSenderKMSkey = Key.fromKeyArn(
+        this,
+        `${this.name}CustomSenderKey`,
+        props.senders.kmsKeyArn
+      );
+    } else if (
+      props.senders?.email &&
+      props.senders.email instanceof lambda.Function
+    ) {
+      this.customEmailSenderKMSkey = new Key(
+        props.senders.email.stack,
+        `${this.name}CustomSenderKey`,
+        {
+          enableKeyRotation: true,
+        }
+      );
+    }
     const userPoolProps: UserPoolProps = {
       signInCaseSensitive: DEFAULTS.SIGN_IN_CASE_SENSITIVE,
       signInAliases: {
@@ -503,15 +540,15 @@ export class AmplifyAuth
       customAttributes: {
         ...customAttributes,
       },
-      email: props.senders
-        ? cognito.UserPoolEmail.withSES({
-            fromEmail: props.senders.email.fromEmail,
-            fromName: props.senders.email.fromName,
-            replyTo: props.senders.email.replyTo,
-            sesRegion: Stack.of(this).region,
-          })
-        : undefined,
-
+      email:
+        props.senders && 'fromEmail' in props.senders.email
+          ? cognito.UserPoolEmail.withSES({
+              fromEmail: props.senders.email.fromEmail,
+              fromName: props.senders.email.fromName,
+              replyTo: props.senders.email.replyTo,
+              sesRegion: Stack.of(this).region,
+            })
+          : undefined,
       selfSignUpEnabled: DEFAULTS.ALLOW_SELF_SIGN_UP,
       mfa: mfaMode,
       mfaMessage: this.getMFAMessage(props.multifactor),
@@ -528,6 +565,7 @@ export class AmplifyAuth
               props.loginWith.email?.userInvitation
             )
           : undefined,
+      customSenderKmsKey: this.customEmailSenderKMSkey,
     };
     return userPoolProps;
   };

packages/auth-construct/src/types.ts

@@ -9,6 +9,7 @@ import {
   UserPoolIdentityProviderSamlMetadata,
   UserPoolSESOptions,
 } from 'aws-cdk-lib/aws-cognito';
+import { IFunction } from 'aws-cdk-lib/aws-lambda';
 export type VerificationEmailWithLink = {
   /**
    * The type of verification. Must be one of "CODE" or "LINK".
@@ -417,11 +418,16 @@ export type AuthProps = {
    */
   senders?: {
     /**
-     * Configure Cognito to send emails from SES
+     * Configure Cognito to send emails from SES or a custom message trigger
      * SES configurations enable the use of customized email sender addresses and names
+     * Custom message triggers enable the use of third-party email providers when sending email notifications to users
      * @see https://docs.amplify.aws/react/build-a-backend/auth/moving-to-production/#email
+     * @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-email-sender.html
      */
-    email: Pick<UserPoolSESOptions, 'fromEmail' | 'fromName' | 'replyTo'>;
+    email:
+      | Pick<UserPoolSESOptions, 'fromEmail' | 'fromName' | 'replyTo'>
+      | IFunction;
+    kmsKeyArn?: string;
   };
   /**
    * The set of attributes that are required for every user in the user pool. Read more on attributes here - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

packages/backend-ai/API.md

@@ -53,6 +53,7 @@ type DefineConversationHandlerFunctionProps = {
         modelId: string | AiModel;
         region?: string;
     }>;
+    memoryMB?: number;
 };
 
 // @public (undocumented)

packages/backend-auth/API.md

@@ -5,6 +5,7 @@
 ```ts
 
 import { AmazonProviderProps } from '@aws-amplify/auth-construct';
+import { AmplifyFunction } from '@aws-amplify/plugin-types';
 import { AppleProviderProps } from '@aws-amplify/auth-construct';
 import { AuthProps } from '@aws-amplify/auth-construct';
 import { AuthResources } from '@aws-amplify/plugin-types';
@@ -22,6 +23,7 @@ import { ResourceAccessAcceptorFactory } from '@aws-amplify/plugin-types';
 import { ResourceProvider } from '@aws-amplify/plugin-types';
 import { StackProvider } from '@aws-amplify/plugin-types';
 import { TriggerEvent } from '@aws-amplify/auth-construct';
+import { UserPoolSESOptions } from 'aws-cdk-lib/aws-cognito';
 
 // @public
 export type ActionIam = 'addUserToGroup' | 'createGroup' | 'createUser' | 'deleteGroup' | 'deleteUser' | 'deleteUserAttributes' | 'disableUser' | 'enableUser' | 'forgetDevice' | 'getDevice' | 'getGroup' | 'getUser' | 'listUsers' | 'listUsersInGroup' | 'listGroups' | 'listDevices' | 'listGroupsForUser' | 'removeUserFromGroup' | 'resetUserPassword' | 'setUserMfaPreference' | 'setUserPassword' | 'setUserSettings' | 'updateDeviceStatus' | 'updateGroup' | 'updateUserAttributes';
@@ -36,10 +38,14 @@ export type AmazonProviderFactoryProps = Omit<AmazonProviderProps, 'clientId' |
 };
 
 // @public (undocumented)
-export type AmplifyAuthProps = Expand<Omit<AuthProps, 'outputStorageStrategy' | 'loginWith'> & {
+export type AmplifyAuthProps = Expand<Omit<AuthProps, 'outputStorageStrategy' | 'loginWith' | 'senders'> & {
     loginWith: Expand<AuthLoginWithFactoryProps>;
     triggers?: Partial<Record<TriggerEvent, ConstructFactory<ResourceProvider<FunctionResources>>>>;
     access?: AuthAccessGenerator;
+    senders?: {
+        email: Pick<UserPoolSESOptions, 'fromEmail' | 'fromName' | 'replyTo'> | ConstructFactory<AmplifyFunction>;
+        kmsKeyArn?: string;
+    };
 }>;
 
 // @public

packages/backend-auth/src/factory.test.ts

@@ -26,6 +26,7 @@ import {
 import { Policy, PolicyStatement } from 'aws-cdk-lib/aws-iam';
 import { AmplifyUserError } from '@aws-amplify/platform-core';
 import { CfnFunction } from 'aws-cdk-lib/aws-lambda';
+import { Key } from 'aws-cdk-lib/aws-kms';
 
 const createStackAndSetContext = (): Stack => {
   const app = new App();
@@ -355,6 +356,138 @@ void describe('AmplifyAuthFactory', () => {
       });
     });
   });
+
+  void it('sets customEmailSender when function is provided as email sender', () => {
+    const testFunc = new aws_lambda.Function(stack, 'testFunc', {
+      code: aws_lambda.Code.fromInline('test placeholder'),
+      runtime: aws_lambda.Runtime.NODEJS_18_X,
+      handler: 'index.handler',
+    });
+    const funcStub: ConstructFactory<ResourceProvider<FunctionResources>> = {
+      getInstance: () => {
+        return {
+          resources: {
+            lambda: testFunc,
+            cfnResources: {
+              cfnFunction: testFunc.node.findChild('Resource') as CfnFunction,
+            },
+          },
+        };
+      },
+    };
+
+    resetFactoryCount();
+
+    const authWithTriggerFactory = defineAuth({
+      loginWith: { email: true },
+      senders: { email: funcStub },
+    });
+
+    const backendAuth = authWithTriggerFactory.getInstance(getInstanceProps);
+
+    const template = Template.fromStack(backendAuth.stack);
+
+    template.hasResourceProperties('AWS::Cognito::UserPool', {
+      LambdaConfig: {
+        CustomEmailSender: {
+          LambdaArn: {
+            Ref: Match.stringLikeRegexp('testFunc'),
+          },
+        },
+        KMSKeyID: {
+          'Fn::GetAtt': [Match.anyValue(), 'Arn'],
+        },
+      },
+    });
+  });
+  void it('ensures empty lambdaTriggers do not remove triggers added elsewhere', () => {
+    const testFunc = new aws_lambda.Function(stack, 'testFunc', {
+      code: aws_lambda.Code.fromInline('test placeholder'),
+      runtime: aws_lambda.Runtime.NODEJS_18_X,
+      handler: 'index.handler',
+    });
+    const funcStub: ConstructFactory<ResourceProvider<FunctionResources>> = {
+      getInstance: () => {
+        return {
+          resources: {
+            lambda: testFunc,
+            cfnResources: {
+              cfnFunction: testFunc.node.findChild('Resource') as CfnFunction,
+            },
+          },
+        };
+      },
+    };
+
+    resetFactoryCount();
+
+    const authWithTriggerFactory = defineAuth({
+      loginWith: { email: true },
+      senders: { email: funcStub },
+      triggers: { preSignUp: funcStub },
+    });
+
+    const backendAuth = authWithTriggerFactory.getInstance(getInstanceProps);
+
+    const template = Template.fromStack(backendAuth.stack);
+    template.hasResourceProperties('AWS::Cognito::UserPool', {
+      LambdaConfig: {
+        PreSignUp: {
+          Ref: Match.stringLikeRegexp('testFunc'),
+        },
+        CustomEmailSender: {
+          LambdaArn: {
+            Ref: Match.stringLikeRegexp('testFunc'),
+          },
+        },
+        KMSKeyID: {
+          'Fn::GetAtt': [Match.anyValue(), 'Arn'],
+        },
+      },
+    });
+  });
+  void it('uses provided KMS key ARN and sets up custom email sender', () => {
+    const customKmsKeyArn = new Key(stack, `CustomSenderKey`, {
+      enableKeyRotation: true,
+    });
+    const testFunc = new aws_lambda.Function(stack, 'testFunc', {
+      code: aws_lambda.Code.fromInline('test placeholder'),
+      runtime: aws_lambda.Runtime.NODEJS_18_X,
+      handler: 'index.handler',
+    });
+    const funcStub: ConstructFactory<ResourceProvider<FunctionResources>> = {
+      getInstance: () => ({
+        resources: {
+          lambda: testFunc,
+          cfnResources: {
+            cfnFunction: testFunc.node.findChild('Resource') as CfnFunction,
+          },
+        },
+      }),
+    };
+
+    resetFactoryCount();
+
+    const authWithTriggerFactory = defineAuth({
+      loginWith: { email: true },
+      senders: {
+        email: funcStub,
+        kmsKeyArn: customKmsKeyArn.keyArn,
+      },
+      triggers: { preSignUp: funcStub },
+    });
+
+    const backendAuth = authWithTriggerFactory.getInstance(getInstanceProps);
+    const template = Template.fromStack(backendAuth.stack);
+
+    template.hasResourceProperties('AWS::Cognito::UserPool', {
+      LambdaConfig: {
+        KMSKeyID: {
+          Ref: Match.stringLikeRegexp('CustomSenderKey'),
+        },
+      },
+    });
+  });
 });
 
 const upperCaseFirstChar = (str: string) => {