cloudformation is still fails after migration

[mkaya95]

Before opening, please confirm:

• [X] I have installed the latest version of the Amplify CLI (see above), and confirmed that the issue still persists.
• [X] I have searched for duplicate or closed issues.
• [X] I have read the guide for submitting bug reports.
• [X] I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
• [X] I have removed any sensitive information from my code snippets and submission.

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

v14.18.2

Amplify CLI Version

8.2.0

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No

Amplify Categories

auth, function, api, notifications

Amplify Commands

push

Describe the bug

I would like to create pre-token generation trigger on my cognito. When I ran amplify auth update command it tells me that I need to migrate auth in order to continue. Then I migrated using default configuration. However I am receiving error when I am trying to push it.

Expected behavior

Since I am not touching any configuration it should be successfully push.

Reproduction steps

1. amplify pull
2. amplify push
3. amplify auth update A migration is needed to support latest updates on auth resources. Using service: Cognito, provided by: awscloudformation What do you want to do? Apply default configuration with Social Provider (Federation) What domain name prefix do you want to use? finoplayground Which redirect signin URIs do you want to edit? Do you want to add redirect signin URIs? No Which redirect signout URIs do you want to edit? Do you want to add redirect signout URIs? No Select the identity providers you want to configure for your user pool: ✅ Successfully updated auth resource fino locally
4. amplify push

Then I am receiving error that I shared on the Log output section.

GraphQL schema(s)

```graphql # Put schemas below this line ```

Log output

UPDATE_IN_PROGRESS amplify-fino-dev-XXXXXX-authfino-1CFSV5NL52JX1 AWS::CloudFormation::Stack Thu May 19 2022 16:27:41 GMT+0200 (Central European Summer Time) User Initiated ⠇ Updating resources in the cloud. This may take a few minutes... UPDATE_IN_PROGRESS apifileUpload AWS::CloudFormation::Stack Thu May 19 2022 16:27:45 GMT+0200 (Central European Summer Time) UPDATE_COMPLETE apifileUpload AWS::CloudFormation::Stack Thu May 19 2022 16:27:46 GMT+0200 (Central European Summer Time) ⠼ Updating resources in the cloud. This may take a few minutes... UPDATE_IN_PROGRESS MFALambdaRole AWS::IAM::Role Thu May 19 2022 16:27:50 GMT+0200 (Central European Summer Time) ⠇ Updating resources in the cloud. This may take a few minutes... UPDATE_IN_PROGRESS UserPool AWS::Cognito::UserPool Thu May 19 2022 16:27:50 GMT+0200 (Central European Summer Time) ⠴ Updating resources in the cloud. This may take a few minutes... UPDATE_FAILED UserPool AWS::Cognito::UserPool Thu May 19 2022 16:27:51 GMT+0200 (Central European Summer Time) Updates are not allowed for property - UsernameConfiguration. (Service: AWSCognitoIdentityProvider; Status Code: 400; Error Code: InvalidParameterException; Request ID: null; Proxy: null) UPDATE_FAILED MFALambdaRole AWS::IAM::Role Thu May 19 2022 16:27:52 GMT+0200 (Central European Summer Time) Resource update cancelled UPDATE_ROLLBACK_IN_PROGRESS amplify-fino-dev-XXXXXX-authfino-1CFSV5NL52JX1 AWS::CloudFormation::Stack Thu May 19 2022 16:27:53 GMT+0200 (Central European Summer Time) The following resource(s) failed to update: [UserPool, MFALambdaRole]. ⠹ Updating resources in the cloud. This may take a few minutes... UPDATE_FAILED authfino AWS::CloudFormation::Stack Thu May 19 2022 16:28:03 GMT+0200 (Central European Summer Time) Embedded stack arn:aws:cloudformation:eu-west-1:676955330953:stack/amplify-fino-dev-XXXXXX-authfino-1CFSV5NL52JX1/fb2e9cc0-c470-11ec-8245-0a93d6020ead was not successfully updated. Currently in UPDATE_ROLLBACK_IN_PROGRESS with reason: The following resource(s) failed to update: [UserPool, MFALambdaRole]. UPDATE_ROLLBACK_IN_PROGRESS amplify-fino-dev-XXXXXX AWS::CloudFormation::Stack Thu May 19 2022 16:28:04 GMT+0200 (Central European Summer Time) The following resource(s) failed to update: [authfino].

Additional information

When I researched this error on the internet I already found this issue however I have still problem even they said thats fixed in #9339

[josefaidt]

Hey @mkaya95 :wave: thanks for raising this! As we begin to look at reproducing this issue would you mind sharing your Auth resource's configuration by posting the contents of amplify/backend/auth/<resource-name>/cli-inputs.json (omitting any sensitive details)?

[mkaya95]

Hi @josefaidt 👋 Thank you for your response. Here is the my cli-inputs.json

{
    "version": "1",
    "cognitoConfig": {
      "identityPoolName": "fxa_identitypool_864x01cb",
      "allowUnauthenticatedIdentities": false,
      "resourceNameTruncated": "fxa0300b5X1",
      "userPoolName": "fxa",
      "autoVerifiedAttributes": [
        "email"
      ],
      "mfaConfiguration": "OPTIONAL",
      "mfaTypes": [
        "SMS Text Message"
      ],
      "smsAuthenticationMessage": "Your authentication code is {####}",
      "smsVerificationMessage": "Your verification code is {####}",
      "emailVerificationSubject": "Your verification code",
      "emailVerificationMessage": "Your verification code is {####}",
      "defaultPasswordPolicy": false,
      "passwordPolicyMinLength": 8,
      "passwordPolicyCharacters": [],
      "requiredAttributes": [],
      "aliasAttributes": [
        "preferred_username"
      ],
      "userpoolClientGenerateSecret": false,
      "userpoolClientRefreshTokenValidity": 30,
      "userpoolClientWriteAttributes": [
        "email"
      ],
      "userpoolClientReadAttributes": [
        "email"
      ],
      "userpoolClientLambdaRole": "fxa0300b5X1_userpoolclient_lambda_role",
      "userpoolClientSetAttributes": false,
      "authSelections": "identityPoolAndUserPool",
      "resourceName": "fxa",
      "serviceName": "Cognito",
      "useDefault": "defaultSocial",
      "sharedId": "0300b5X1",
      "userPoolGroupList": [],
      "userPoolGroups": false,
      "usernameCaseSensitive": false,
      "adminQueries": false,
      "hostedUI": true,
      "hostedUIDomainName": "fxaplayground",
      "hostedUIProviderMeta": "[]",
      "authProvidersUserPool": [],
      "triggers": {},
      "authRoleArn": {
        "Fn::GetAtt": [
          "AuthRole",
          "Arn"
        ]
      },
      "unauthRoleArn": {
        "Fn::GetAtt": [
          "UnauthRole",
          "Arn"
        ]
      },
      "breakCircularDependency": true,
      "useEnabledMfas": false,
      "dependsOn": [],
      "oAuthMetadata": "{\"AllowedOAuthFlows\":[\"code\"],\"AllowedOAuthScopes\":[\"phone\",\"email\",\"openid\",\"profile\",\"aws.cognito.signin.user.admin\"],\"CallbackURLs\":[\"http://localhost:4200/dashboard/\",\"https://dev.xxxx.com/dashboard/\"],\"LogoutURLs\":[\"http://localhost:4200/\",\"https://dev.xxxx.com/\"]}",
      "authProviders": [],
      "parentStack": {
        "Ref": "AWS::StackId"
      },
      "permissions": []
    }
  }

[josefaidt]

Hey @mkaya95 thank you for posting that! Are you also able to clarify what version of the CLI was used prior to migrating, or what version of the CLI was used to initially create the auth resource?

[mkaya95]

Hey @mkaya95 thank you for posting that! Are you also able to clarify what version of the CLI was used prior to migrating, or what version of the CLI was used to initially create the auth resource?

Hi @josefaidt, I am not sure what version of CLI was used for creating. It can be 7.3.6, However, migrate attempting CLI version is 8.2.0

[josefaidt]

Hey @mkaya95 thank you for clarifying! I was not able to immediately reproduce this by creating an auth resource with an older CLI version (5.4.0) and migrating to the latest version of the CLI (8.3.0). Are you able to capture the diff of this property?

"usernameCaseSensitive": false,

In the auth resource's built CloudFormation template we can see this is the only property used with UsernameConfiguration

"UsernameConfiguration": {
  "CaseSensitive": false
},

[mkaya95]

Hey @josefaidt, Thank you for your response.

fino-cloudformation-template.yml

usernameCaseSensitive:
    Type: String

parameters.json

"usernameCaseSensitive": false,

After amplify auth update;

cli-inputs.json

"usernameCaseSensitive": false,

build folder; build/fino-cloudformation-template.yml

"usernameCaseSensitive": {
  "Type": "String"
},
...
...
...
"UsernameConfiguration": {
  "CaseSensitive": false
},

build/parameters.json

"usernameCaseSensitive": false,

[josefaidt]

Hey @mkaya95 thank you for clarifying! Are you seeing a username configuration in the Cognito Console that's different than what you have locally? Are the values different in the #current-cloud-backend.zip archive (found in your s3 deployment bucket)?

[josefaidt]

Hey @mkaya95 :wave: just wanted to follow-up here and see if you are still experiencing this issue?

[Chiida]

Hi @josefaidt, as I know, @mkaya95 solved this issue and he'll post the solution here soon.

[josefaidt]

Hey @Chiida thanks for chiming in here! And glad to hear y'all were able to sort this out! I'll close this for now but I am looking forward to hearing about the solution @mkaya95 found

[mkaya95]

Hi @josefaidt, Sorry for the late response. Deployment is passed successfully once I removed usernameCaseSensitive parameter from my configuration. Thank you for your attention.