Auth Cloudformation Template is out of sync with actual Cognito Resource

[julien-tamade]

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

16.14.2

Amplify CLI Version

12.10.1

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No

Describe the bug

My auth resource across my prod and staging environments are setup to have birthdate, given_name, family_name, and email as required attributes. When I created my dev environment, it got setup with just given_name due to some bug in amplify cli at the time that didn't recognize the others. This was all fine, but somewhere in the process of merging changes from dev, it seems that my cloudformation templates on prod and staging have been corrupted to only have given_name as well, even though their cognito resources still have 3 additional required attributes. I've tried to push with all the attributes and it fails saying that these cannot be changed. And I've tried manually changing the #current-cloud-backend.zip in S3 to add in the missing 3 attributes to allow the push to go through, but when deploying it throws this error:

Resource handler returned message: "Invalid AttributeDataType input, consider using the provided AttributeDataType enum. (Service: CognitoIdentityProvider, Status Code: 400, Request ID: 959ed3a6-4750-497b-9e85-f5f7bc11d500)" (RequestToken: 18c3f139-fdb5-5064-578f-ad48e7b7d158, HandlerErrorCode: InvalidRequest)

I narrowed down the issue in the cloudformation template not to the requiredAttributes which could be set correctly in the cloudformation parameters, but the Schema field in the template, which only had

"Schema": [ { "Mutable": true, "Name": "given_name", "Required": true } ],

and was missing the other 3 attributes.

Other people in other issues have gotten around this by just leaving their auth resource configured incorrectly. Keeping the attributes expected by cloudformation, but that are not aligned with the actual cognito resource.

Some people also mentioned that lowering the amplify version and pushing should work, which it seems like it was going to do for me on 7.6.8 but It ran into another error regarding ElasticSearchInstanceType not being recognized with graphql transformer V2, which forced me to stay at a higher version of amplify to be able to set the OpenSearchInstanceType in the team-provider-info.json

This seems like a bad longterm solution to me as I imagine there could be issues arising from this down the road that block pushes. I'd love to get these back in sync with eachother.

Expected behavior

I would have expected amplify or cloudformation to throw an initial error when the requiredAttributes were first changed as removing these shouldn't be allowed either, the same way that adding new ones is not allowed.

Now, I would expect myself to be able to push with the correct attributes declared.

Reproduction steps

I'm not sure exactly how to reproduce, but I imagine that setting up two environments, one with more required attributes and one with fewer and then merging the 2nd into the 1st and pushing would do it. This would have been done on amplify 7.6.8 initially

Project Identifier

I get DiagnoseReportUploadError when running that command

Log output

# Put your logs below this line

Additional information

No response

Before submitting, please confirm:

• I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
• I have removed any sensitive information from my code snippets and submission.

[ykethan]

Hey @julien-tamade, thank you for reaching out. Could compare the CloudFormation hostedUIProviderMeta parameter on the AWS CloudFormation auth stack and the parameters.json in the current-cloud-backend? could you also try running a diff on the auth cloudformation template.

[josefaidt]

Closing due to inactivity

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[julien-tamade]

Sorry for the delay

My project does not have a hostedUIProviderMeta field anywhere.

[josefaidt]

Hey @julien-tamade 👋 no worries! Do you mind sharing your auth cli-inputs.json file? This should be located at amplify/backend/auth/<name>/cli-inputs.json

[julien-tamade]

this is what i eventually got pushed after removing the other required attributes (though they are still required), and setting the #current-cloud-backend in S3 to match

{
  "version": "1",
  "cognitoConfig": {
    "identityPoolName": "xxxxxx_IdentityPool",
    "allowUnauthenticatedIdentities": true,
    "resourceNameTruncated": "xxxxx7577f30c",
    "userPoolName": "xxxxx_UserPool",
    "autoVerifiedAttributes": [
      "email"
    ],
    "mfaConfiguration": "OFF",
    "mfaTypes": [
      "SMS Text Message"
    ],
    "smsAuthenticationMessage": "Your authentication code is {####}",
    "smsVerificationMessage": "Your verification code is {####}",
    "emailVerificationSubject": "Your Flowly Verification Code",
    "emailVerificationMessage": "Your verification code is {####}",
    "defaultPasswordPolicy": false,
    "passwordPolicyMinLength": 8,
    "passwordPolicyCharacters": [],
    "requiredAttributes": [
      "given_name"
    ],
    "aliasAttributes": [
      "email",
      "preferred_username"
    ],
    "userpoolClientGenerateSecret": true,
    "userpoolClientRefreshTokenValidity": "1000",
    "userpoolClientWriteAttributes": [
      "address",
      "gender",
      "nickname",
      "preferred_username",
      "birthdate",
      "email",
      "family_name",
      "given_name"
    ],
    "userpoolClientReadAttributes": [
      "address",
      "birthdate",
      "email",
      "family_name",
      "gender",
      "given_name",
      "nickname",
      "phone_number",
      "preferred_username"
    ],
    "userpoolClientLambdaRole": "xxxxxx7577f30c_userpoolclient_lambda_role",
    "userpoolClientSetAttributes": true,
    "authSelections": "identityPoolAndUserPool",
    "resourceName": "xxxxxxxx",
    "serviceName": "Cognito",
    "useDefault": "manual",
    "userPoolGroupList": [],
    "userPoolGroups": false,
    "verificationBucketName": "xxxxxxxverificationbucket",
    "adminQueries": false,
    "hostedUI": false,
    "thirdPartyAuth": false,
    "authProviders": [],
    "triggers": {
      "CustomMessage": [
        "verification-link"
      ],
      "PostConfirmation": [
        "custom"
      ],
      "PreSignup": [
        "custom"
      ]
    },
    "authRoleArn": {
      "Fn::GetAtt": [
        "AuthRole",
        "Arn"
      ]
    },
    "unauthRoleArn": {
      "Fn::GetAtt": [
        "UnauthRole",
        "Arn"
      ]
    },
    "breakCircularDependency": false,
    "useEnabledMfas": false,
    "dependsOn": [
      {
        "category": "function",
        "resourceName": "xxxxxxCustomMessage",
        "triggerProvider": "Cognito",
        "attributes": [
          "Arn",
          "Name"
        ]
      },
      {
        "category": "function",
        "resourceName": "xxxxxxPostConfirmation",
        "triggerProvider": "Cognito",
        "attributes": [
          "Arn",
          "Name"
        ]
      },
      {
        "category": "function",
        "resourceName": "xxxxxxxTestPreSignup",
        "triggerProvider": "Cognito",
        "attributes": [
          "Arn",
          "Name"
        ]
      }
    ],
    "permissions": [],
    "authTriggerConnections": [
      "{\"triggerType\":\"CustomMessage\",\"lambdaFunctionName\":\"xxxxxCustomMessage\"}",
      "{\"triggerType\":\"PostConfirmation\",\"lambdaFunctionName\":\"xxxxxPostConfirmation\"}",
      "{\"triggerType\":\"PreSignUp\",\"lambdaFunctionName\":\"xxxxxxPreSignup\"}"
    ],
    "parentStack": {
      "Ref": "AWS::StackId"
    }
  }
}          
```

[ykethan]

Glad to hear that you were able to mitigate the issue. Closing the issue for now, do reach out to us if you require any further assistance.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.