aws-amplify / amplify-cli-export-construct

Apache License 2.0

cdk deploy error with amplify exported backend (appsync + auth) #73

Open DarylSerrano opened 5 months ago

DarylSerrano commented 5 months ago

I have an amplify app that has an API Graphql and Auth. Both were created from amplify cli. I then exported the amplify app using amplify export --out <your-cdk-project-location> following this guide.

I then proceeded to add it into a CDK project to deploy it on another account and region following this guide.

const amplifyBackend = new AmplifyExportedBackend(this, "amplifyExportedBackend", {
  amplifyEnvironment: `dev-${cdk.Stack.of(this).region + cdk.Stack.of(this).account}`,
  path: path.resolve('.', 'amplify-export-amplifyapp')
})

After running deploy I am getting this error:

Failed resources:
amplify-amplifyapp-dev-us-west-2982135724133-151709 | 15:43:46 | CREATE_FAILED        | AWS::CloudFormation::Stack  | CdkversionStack/amplifyExportedBackend-amplify-backend-stack/AmplifyCfnInclude/apiamplifyapp/apiamplifyapp (apiamplifyapp) Parameters: [authRoleName, unauthRoleName] must have values

 ❌  CdkversionStack/amplifyExportedBackend-amplify-backend-stack (amplify-amplifyapp-dev-us-west-2982135724133-151709) failed: Error: The stack named amplify-amplifyapp-dev-us-west-2982135724133-151709 failed
 creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Parameters: [authRoleName, unauthRoleName] must have values
    at FullCloudFormationDeployment.monitorDeployment (C:\Users\xxxx\AppData\Roaming\nvm\v20.10.0\node_modules\aws-cdk\lib\index.js:430:10615)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.deployStack2 [as deployStack] (C:\Users\xxxx\AppData\Roaming\nvm\v20.10.0\node_modules\aws-cdk\lib\index.js:433:198753)
    at async C:\Users\xxxx\AppData\Roaming\nvm\v20.10.0\node_modules\aws-cdk\lib\index.js:433:180693

 ❌ Deployment failed: Error: The stack named amplify-amplifyapp-dev-us-west-2982135724133-151709 failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Parameters: [authR
oleName, unauthRoleName] must have values
    at FullCloudFormationDeployment.monitorDeployment (C:\Users\xxxx\AppData\Roaming\nvm\v20.10.0\node_modules\aws-cdk\lib\index.js:430:10615)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.deployStack2 [as deployStack] (C:\Users\xxxx\AppData\Roaming\nvm\v20.10.0\node_modules\aws-cdk\lib\index.js:433:198753)
    at async C:\Users\xxxx\AppData\Roaming\nvm\v20.10.0\node_modules\aws-cdk\lib\index.js:433:180693

The stack named amplify-amplifyapp-dev-us-west-2982135724133-151709 failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Parameters: [authRoleName, unauthRoleName] must have values

Expected Behavior: stack should be deployed in the account and region

This works if I remove the auth, export the amplify app again and only deploy the api.

Node version: v20.10.0
Amplify CLI version: 12.10.1

ndaba1 commented 1 month ago

Hey @DarylSerrano, I was facing this same issue and upon digging a bit deeper into it, I found it was an issue with the cloudformation templates.

The amplify app is exported as one root stack with multiple nested stacks (auth + graphql api) for your case. The authRole and unauthRole are created by amplify while initializing auth in your project and you may see these parameters referenced/listed across the project, e.g. in your team provider. They are parameters of the root stack and this can be seen as such from the amplify-export-<app-name>/root-stack-template.json under the Parameters object. Within the same file, you will see a separate entry for Resources which should contain your auth and api (appsync) nested stacks for your case. It is from here that you can pass/reference params from the root stack into nested stacks.

Assuming your api is named test, you would notice such an entry:

"apitest": {
  "Type": "AWS::CloudFormation::Stack",
  "Properties": {
    "Parameters": {
      "AuthCognitoUserPoolId": {
        "Fn::GetAtt": [
          "authjumbaauth",
          "Outputs.UserPoolId"
        ]
      }
    }
  }
},

Under Parameters, notice authRoleName and unauthRoleName are not being passed despite being required in the cloudformation template of said api - which would be at amplify-export-<app-name>/api/test/cloudformation-template.json. Ideally, this section would need to be:

"apitest": {
  "Type": "AWS::CloudFormation::Stack",
  "Properties": {
    "Parameters": {
      "AuthCognitoUserPoolId": {
        "Fn::GetAtt": [
          "authjumbaauth",
          "Outputs.UserPoolId"
        ]
      },
      "authRoleName": {
        "Ref": "AuthRoleName"
      },
      "unauthRoleName": {
        "Ref": "UnauthRoleName"
      }
    }
  }
},

This seems to be an issue with how the amplify export command is working and you can get around it by having a script to add in the omitted params that would run post amplify export.
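
One way to write the post-export script suggested in the comment above, as an added example that is not code from the thread or from the amplify-cli-export-construct project. It generalizes the two-parameter fix: for every nested stack, any required parameter (no Default) that the root stack does not pass is wired to a root parameter of the same name, compared case-insensitively, and anything without a match is reported instead of guessed. The function name `patchRootTemplate`, its argument shapes, and the `exampleOptional`/`exampleMissing` parameters are assumptions; loading the templates from the export directory and writing the result back is left to the caller.

```javascript
// Hypothetical helper: wire required nested-stack parameters from the root stack.
// root: parsed root-stack-template.json; nestedTemplates: { logicalId: parsed nested template }.
function patchRootTemplate(root, nestedTemplates) {
  const rootParams = Object.keys(root.Parameters || {});
  const added = [];
  const unresolved = [];
  for (const [logicalId, res] of Object.entries(root.Resources || {})) {
    const nested = nestedTemplates[logicalId];
    if (res.Type !== 'AWS::CloudFormation::Stack' || !nested) continue;
    res.Properties = res.Properties || {};
    res.Properties.Parameters = res.Properties.Parameters || {};
    const passed = res.Properties.Parameters;
    for (const [name, def] of Object.entries(nested.Parameters || {})) {
      // Skip parameters already passed, or optional ones with a Default.
      if (name in passed || 'Default' in def) continue;
      // Case-insensitive match, e.g. authRoleName -> AuthRoleName.
      const source = rootParams.find((p) => p.toLowerCase() === name.toLowerCase());
      if (source) {
        passed[name] = { Ref: source };
        added.push(`${logicalId}.${name}`);
      } else {
        unresolved.push(`${logicalId}.${name}`); // no root parameter to reference
      }
    }
  }
  return { added, unresolved };
}

// Constructed sample input mirroring the fragments quoted in the comment above.
const sampleRoot = {
  Parameters: { AuthRoleName: { Type: 'String' }, UnauthRoleName: { Type: 'String' } },
  Resources: {
    apitest: {
      Type: 'AWS::CloudFormation::Stack',
      Properties: { Parameters: {
        AuthCognitoUserPoolId: { 'Fn::GetAtt': ['authjumbaauth', 'Outputs.UserPoolId'] },
      } },
    },
  },
};
const sampleNested = {
  apitest: { Parameters: {
    AuthCognitoUserPoolId: { Type: 'String' },
    authRoleName: { Type: 'String' },
    unauthRoleName: { Type: 'String' },
    exampleOptional: { Type: 'String', Default: 'x' }, // constructed name
    exampleMissing: { Type: 'String' }, // constructed name, no root match
  } },
};

// Run on a copy so the sample stays unpatched.
console.log(patchRootTemplate(JSON.parse(JSON.stringify(sampleRoot)), sampleNested));
```

Treat a non-empty `unresolved` list as a failed export check, since those parameters would produce the same "must have values" error at deploy time.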