UserPoolClient - Retrieving the client secret requires an unnecessary custom resource

[mttwise]

Describe the bug

A change was merged previously to CDK to support a workaround for getting the client secret. This custom resource requires someone deploying a stack with only cognito to have a VPC attachment to the custom resource for accounts with SCPs limiting lambdas to have to run in a VPC.

Expected Behavior

Native CFN is used to get Cognito Client Secrets

Current Behavior

As implemented here, a custom resource is used to get the client secret: https://github.com/aws/aws-cdk/pull/21262/files#diff-9713362aa6af827d0bf2a8c68319b5bb9c74f888f9ab417266ff1b98aa121ae2R429

Reproduction Steps

create a cognito app client w/ secret

self.client = user_pool.add_client(
            "service-client",
            user_pool_client_name="service-client",
            supported_identity_providers=[
                aws_cognito.UserPoolClientIdentityProvider.COGNITO
            ],
            o_auth=self.o_auth_settings,
            auth_flows=aws_cognito.AuthFlow(
                user_srp=True,
            ),
            refresh_token_validity=Duration.days(1),
            generate_secret=True,
        )

self.my_secret = SecretValue.unsafe_unwrap(self.client.user_pool_client_secret)

Possible Solution

Since the CFN Attribute was fixed in 2023, Remove the custom resource and instead generate the following CFN during synth to access the client secret:

"UserPoolClientIdSecret":{
    "Value": {
        "Fn::GetAtt": ["CognitoUserPoolClient", "ClientSecret"]
    }
}

Additional Information/Context

No response

CDK CLI Version

2.117.0

Framework Version

No response

Node.js Version

v18.17.1

OS

OSX Sonoma

Language

Python

Language Version

3.10.11

Other information

No response

[pahud]

It's great to simplify this and great to see https://github.com/aws/aws-cdk/pull/28800 WIP.