Auth Cloudformation Template is out of sync with actual Cognito Resource #13531

Closed
2 tasks done
julien-tamade opened this issue Jan 12, 2024 · 8 comments
Labels
auth Issues tied to the auth category of the CLI pending-triage Issue is pending triage

@julien-tamade

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

16.14.2

Amplify CLI Version

12.10.1

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No

Describe the bug

My auth resource across my prod and staging environments is set up to have birthdate, given_name, family_name, and email as required attributes. When I created my dev environment, it got set up with just given_name due to some bug in the Amplify CLI at the time that didn't recognize the others. This was all fine, but somewhere in the process of merging changes from dev, it seems that my CloudFormation templates on prod and staging have been corrupted to only have given_name as well, even though their Cognito resources still have 3 additional required attributes. I've tried to push with all the attributes and it fails, saying that these cannot be changed. And I've tried manually changing the #current-cloud-backend.zip in S3 to add in the missing 3 attributes to allow the push to go through, but when deploying it throws this error:

Resource handler returned message: "Invalid AttributeDataType input, consider using the provided AttributeDataType enum. (Service: CognitoIdentityProvider, Status Code: 400, Request ID: 959ed3a6-4750-497b-9e85-f5f7bc11d500)" (RequestToken: 18c3f139-fdb5-5064-578f-ad48e7b7d158, HandlerErrorCode: InvalidRequest)

I narrowed down the issue in the CloudFormation template not to the requiredAttributes, which could be set correctly in the CloudFormation parameters, but to the Schema field in the template, which only had

```json
"Schema": [ { "Mutable": true, "Name": "given_name", "Required": true } ],
```

and was missing the other 3 attributes.

Other people in other issues have gotten around this by just leaving their auth resource configured incorrectly, keeping the attributes expected by CloudFormation, but that are not aligned with the actual Cognito resource.

Some people also mentioned that lowering the Amplify version and pushing should work, which it seems like it was going to do for me on 7.6.8, but it ran into another error regarding ElasticSearchInstanceType not being recognized with GraphQL Transformer V2, which forced me to stay at a higher version of Amplify to be able to set the OpenSearchInstanceType in the team-provider-info.json.

This seems like a bad long-term solution to me, as I imagine there could be issues arising from this down the road that block pushes. I'd love to get these back in sync with each other.

Expected behavior

I would have expected Amplify or CloudFormation to throw an initial error when the requiredAttributes were first changed, as removing these shouldn't be allowed either, the same way that adding new ones is not allowed.

Now, I would expect myself to be able to push with the correct attributes declared.

Reproduction steps

I'm not sure exactly how to reproduce, but I imagine that setting up two environments, one with more required attributes and one with fewer, and then merging the 2nd into the 1st and pushing would do it. This would have been done on Amplify 7.6.8 initially.

Project Identifier

I get DiagnoseReportUploadError when running that command

Log output

# Put your logs below this line


Additional information

No response

Before submitting, please confirm:

  • I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • I have removed any sensitive information from my code snippets and submission.
@julien-tamade julien-tamade added the pending-triage Issue is pending triage label Jan 12, 2024
@ykethan
Member

ykethan commented Jan 15, 2024

Hey @julien-tamade, thank you for reaching out. Could you compare the CloudFormation hostedUIProviderMeta parameter on the AWS CloudFormation auth stack and the parameters.json in the current-cloud-backend? Could you also try running a diff on the auth CloudFormation template?

@ykethan ykethan added auth Issues tied to the auth category of the CLI pending-response Issue is pending response from the issue author labels Jan 15, 2024
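
The comparison discussed in this thread can be scripted. The following is an added example, not code from the Amplify project or from any participant: it compares the required attributes declared in the auth CloudFormation template and in cli-inputs.json against the `SchemaAttributes` returned by `aws cognito-idp describe-user-pool`. The sample inputs, the logical resource name `UserPool` and the function names are constructed for illustration.

```python
import json

POOL_MANAGED = {"sub"}  # assigned by Cognito itself, not declared in a template

def template_schema(template):
    """Map attribute name -> Schema entry for each AWS::Cognito::UserPool resource."""
    entries = {}
    for resource in template.get("Resources", {}).values():
        if resource.get("Type") == "AWS::Cognito::UserPool":
            for entry in resource.get("Properties", {}).get("Schema", []):
                entries[entry["Name"]] = entry
    return entries

def live_schema(describe_response):
    """Map attribute name -> entry from a describe-user-pool response."""
    attrs = describe_response["UserPool"].get("SchemaAttributes", [])
    return {a["Name"]: a for a in attrs if a["Name"] not in POOL_MANAGED}

def required(schema):
    return {name for name, entry in schema.items() if entry.get("Required")}

def schema_drift(template, describe_response, cli_inputs):
    """Compare required attributes across template, cli-inputs.json and live pool."""
    tpl, live = template_schema(template), live_schema(describe_response)
    cli = set(cli_inputs["cognitoConfig"].get("requiredAttributes", []))
    return {
        "required_in_pool_not_in_template": sorted(required(live) - required(tpl)),
        "required_in_template_not_in_pool": sorted(required(tpl) - required(live)),
        "required_in_pool_not_in_cli_inputs": sorted(required(live) - cli),
        "mutable_mismatch": sorted(
            n for n in tpl.keys() & live.keys()
            if "Mutable" in tpl[n] and tpl[n]["Mutable"] != live[n].get("Mutable")),
    }

# Constructed sample inputs modelled on the thread: the template and cli-inputs.json
# declare only given_name, while the live pool still requires four attributes.
TEMPLATE = {"Resources": {"UserPool": {"Type": "AWS::Cognito::UserPool", "Properties": {
    "Schema": [{"Mutable": True, "Name": "given_name", "Required": True}]}}}}
CLI_INPUTS = {"cognitoConfig": {"requiredAttributes": ["given_name"]}}
LIVE = {"UserPool": {"SchemaAttributes": [
    {"Name": "sub", "AttributeDataType": "String", "Required": True, "Mutable": False},
    *({"Name": n, "AttributeDataType": "String", "Required": True, "Mutable": True}
      for n in ("birthdate", "email", "family_name", "given_name")),
    {"Name": "nickname", "AttributeDataType": "String", "Required": False, "Mutable": True},
]}}

if __name__ == "__main__":
    print(json.dumps(schema_drift(TEMPLATE, LIVE, CLI_INPUTS), indent=2))
```

Running the same check per environment before merging between environments surfaces this kind of drift before a push is attempted.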
@josefaidt
Contributor

Closing due to inactivity

@josefaidt josefaidt closed this as not planned Won't fix, can't repro, duplicate, stale Feb 2, 2024

github-actions bot commented Feb 2, 2024

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@julien-tamade
Author

Sorry for the delay

My project does not have a hostedUIProviderMeta field anywhere.

@github-actions github-actions bot removed the pending-response Issue is pending response from the issue author label Feb 3, 2024
@josefaidt josefaidt reopened this Feb 3, 2024
@josefaidt
Contributor

Hey @julien-tamade 👋 no worries! Do you mind sharing your auth cli-inputs.json file? This should be located at amplify/backend/auth/<name>/cli-inputs.json

@josefaidt josefaidt added the pending-response Issue is pending response from the issue author label Feb 3, 2024
@julien-tamade
Author

julien-tamade commented Feb 3, 2024

This is what I eventually got pushed after removing the other required attributes (though they are still required), and setting the #current-cloud-backend in S3 to match:

```json
{
  "version": "1",
  "cognitoConfig": {
    "identityPoolName": "xxxxxx_IdentityPool",
    "allowUnauthenticatedIdentities": true,
    "resourceNameTruncated": "xxxxx7577f30c",
    "userPoolName": "xxxxx_UserPool",
    "autoVerifiedAttributes": [
      "email"
    ],
    "mfaConfiguration": "OFF",
    "mfaTypes": [
      "SMS Text Message"
    ],
    "smsAuthenticationMessage": "Your authentication code is {####}",
    "smsVerificationMessage": "Your verification code is {####}",
    "emailVerificationSubject": "Your Flowly Verification Code",
    "emailVerificationMessage": "Your verification code is {####}",
    "defaultPasswordPolicy": false,
    "passwordPolicyMinLength": 8,
    "passwordPolicyCharacters": [],
    "requiredAttributes": [
      "given_name"
    ],
    "aliasAttributes": [
      "email",
      "preferred_username"
    ],
    "userpoolClientGenerateSecret": true,
    "userpoolClientRefreshTokenValidity": "1000",
    "userpoolClientWriteAttributes": [
      "address",
      "gender",
      "nickname",
      "preferred_username",
      "birthdate",
      "email",
      "family_name",
      "given_name"
    ],
    "userpoolClientReadAttributes": [
      "address",
      "birthdate",
      "email",
      "family_name",
      "gender",
      "given_name",
      "nickname",
      "phone_number",
      "preferred_username"
    ],
    "userpoolClientLambdaRole": "xxxxxx7577f30c_userpoolclient_lambda_role",
    "userpoolClientSetAttributes": true,
    "authSelections": "identityPoolAndUserPool",
    "resourceName": "xxxxxxxx",
    "serviceName": "Cognito",
    "useDefault": "manual",
    "userPoolGroupList": [],
    "userPoolGroups": false,
    "verificationBucketName": "xxxxxxxverificationbucket",
    "adminQueries": false,
    "hostedUI": false,
    "thirdPartyAuth": false,
    "authProviders": [],
    "triggers": {
      "CustomMessage": [
        "verification-link"
      ],
      "PostConfirmation": [
        "custom"
      ],
      "PreSignup": [
        "custom"
      ]
    },
    "authRoleArn": {
      "Fn::GetAtt": [
        "AuthRole",
        "Arn"
      ]
    },
    "unauthRoleArn": {
      "Fn::GetAtt": [
        "UnauthRole",
        "Arn"
      ]
    },
    "breakCircularDependency": false,
    "useEnabledMfas": false,
    "dependsOn": [
      {
        "category": "function",
        "resourceName": "xxxxxxCustomMessage",
        "triggerProvider": "Cognito",
        "attributes": [
          "Arn",
          "Name"
        ]
      },
      {
        "category": "function",
        "resourceName": "xxxxxxPostConfirmation",
        "triggerProvider": "Cognito",
        "attributes": [
          "Arn",
          "Name"
        ]
      },
      {
        "category": "function",
        "resourceName": "xxxxxxxTestPreSignup",
        "triggerProvider": "Cognito",
        "attributes": [
          "Arn",
          "Name"
        ]
      }
    ],
    "permissions": [],
    "authTriggerConnections": [
      "{\"triggerType\":\"CustomMessage\",\"lambdaFunctionName\":\"xxxxxCustomMessage\"}",
      "{\"triggerType\":\"PostConfirmation\",\"lambdaFunctionName\":\"xxxxxPostConfirmation\"}",
      "{\"triggerType\":\"PreSignUp\",\"lambdaFunctionName\":\"xxxxxxPreSignup\"}"
    ],
    "parentStack": {
      "Ref": "AWS::StackId"
    }
  }
}          
```

@github-actions github-actions bot removed the pending-response Issue is pending response from the issue author label Feb 3, 2024
@ykethan
Member

ykethan commented Feb 6, 2024

Glad to hear that you were able to mitigate the issue. Closing the issue for now, do reach out to us if you require any further assistance.

@ykethan ykethan closed this as not planned Won't fix, can't repro, duplicate, stale Feb 6, 2024