Open MattHapner opened 1 year ago
Hey @MattHapner :wave: thanks for raising this! I was not able to reproduce this issue when attempting to input a group name with special characters:
during amplify add auth
➜ amplify add auth
Using service: Cognito, provided by: awscloudformation
The current configured provider is Amazon Cognito.
Do you want to use the default authentication and security configuration? Manual configuration
Select the authentication/authorization services that you want to use: User Sign-Up, Sign-In, connected with AWS IAM controls (Enables per-user Storage features for images or other content, Analytics, and more)
Provide a friendly name for your resource that will be used to label this category in the project: 14326c567ce06c567ce0
Enter a name for your identity pool. 14326c567ce0_identitypool_6c567ce0
Allow unauthenticated logins? (Provides scoped down permissions that you can control via AWS IAM) No
Do you want to enable 3rd party authentication providers in your identity pool? No
Provide a name for your user pool: 14326c567ce0_userpool_6c567ce0
Warning: you will not be able to edit these selections.
How do you want users to be able to sign in? Username
Do you want to add User Pool Groups? Yes
? Provide a name for your user pool group: test:group
>> Resource name should be alphanumeric
during amplify update auth
➜ amplify update auth
Please note that certain attributes may not be overwritten if you choose to use defaults settings.
You have configured resources that might depend on this Cognito resource. Updating this Cognito resource could have unintended side effects.
Using service: Cognito, provided by: awscloudformation
What do you want to do? Create or update Cognito user pool groups
? Provide a name for your user pool group: test:group
>> Resource name should be alphanumeric
How was the Cognito User Pool group added to the project's auth resource?
Thanks for the response @josefaidt. I believe they were provisioned via the means that you just demonstrated... it must've been on a much older version of the CLI. I have a user-pool-group-precedence.json file that contains the contents of three roles that I provisioned via the CLI:
[
  {
    "groupName": "group:Admin",
    "precedence": 1
  },
  {
    "groupName": "group:Manager",
    "precedence": 2
  },
  {
    "groupName": "group:Employee",
    "precedence": 3
  }
]
Why is the requirement of alphanumeric-y enforced when Cognito itself does not enforce that?
Hey @MattHapner thanks for clarifying! If you modify that file and the auth's cli-inputs.json file to remove the colons, does it allow you to push successfully? You will want to modify the userPoolGroupList in the cli-inputs.json file.
"userPoolGroupList": [
"admins"
],
Additionally I agree that this prompt should follow the same requirements as the underlying service. I'll mark this as a feature request to relax the validation here and to properly stringify for use in CloudFormation.
@josefaidt I'll make the change to alphanumeric characters only and let you know. This is a pretty major frustration for me as in order to unblock myself I now need to create new groups and reassign all my users to their respective group.
EDIT: Making the change to remove special characters did resolve the problem, as I had assumed it would.
How did you install the Amplify CLI?
npm
If applicable, what version of Node.js are you using?
No response
Amplify CLI Version
11.1.0 (set to latest in CI/CD build job)
What operating system are you using?
Windows
Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.
N/A
Describe the bug
When identity pools are enabled and Cognito user groups are specified with names containing special characters, the CloudFormation template will incorrectly reference the role resources with those special characters present. As stated in the AWS Cognito console, "The group name must contain between 1 and 128 non-space characters." However, CloudFormation resources must be only alpha-numeric ([a-zA-Z0-9]). When the CloudFormation template is generated, the "AWS::Cognito::UserPoolGroup" resources are correctly named without the special characters (e.g. "group:test" is provisioned as "groupTestGroup"), but they have a property called "RoleARN" that still has the special characters in the ref (e.g. "RoleArn": { "Fn::GetAtt": [ "group:testGroupRole", "Arn" ] }). The CloudFormation parsing engine is not able to recognize that resource and fails. This also happens with the Outputs of the template and the "RoleName" of the "AWS::IAM::Role".
Expected behavior
It's expected that any generated "Ref"s to CF resources would also properly sanitize for special characters.
Reproduction steps
Project Identifier
No response
Log output
Additional information
No response
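Added example (not from the Amplify CLI or from anyone in this thread): a pre-deploy check in Node.js for the failure described in the report, a `Ref` or `Fn::GetAtt` target that matches no logical ID in the generated template, plus any logical ID that is not alphanumeric. The sample template is constructed; `grouptestGroupRole` and `AuthUserPoolId` are assumed names.

```javascript
// Added example: pre-deploy lint for a CloudFormation template in JSON form.
const LOGICAL_ID = /^[A-Za-z0-9]+$/; // logical IDs must be alphanumeric

function findBrokenReferences(template) {
  const resources = template.Resources || {};
  const defined = new Set([...Object.keys(resources), ...Object.keys(template.Parameters || {})]);
  const issues = [];
  for (const id of Object.keys(resources)) {
    if (!LOGICAL_ID.test(id)) issues.push({ kind: 'invalid-logical-id', id, path: `Resources.${id}` });
  }
  const check = (target, path) => {
    // Nested intrinsics (non-strings) and pseudo parameters such as AWS::Region are skipped.
    if (typeof target !== 'string' || target.startsWith('AWS::')) return;
    if (!defined.has(target)) issues.push({ kind: 'dangling-reference', id: target, path });
  };
  const walk = (node, path) => {
    if (Array.isArray(node)) return node.forEach((v, i) => walk(v, `${path}[${i}]`));
    if (node === null || typeof node !== 'object') return;
    for (const [key, value] of Object.entries(node)) {
      const here = `${path}.${key}`;
      if (key === 'Ref') check(value, here);
      else if (key === 'Fn::GetAtt') {
        // Both forms are valid: ["LogicalId", "Attr"] and "LogicalId.Attr".
        check(Array.isArray(value) ? value[0] : typeof value === 'string' ? value.split('.')[0] : undefined, here);
      } else walk(value, here);
    }
  };
  walk(resources, 'Resources');
  walk(template.Outputs || {}, 'Outputs');
  return issues;
}

// Constructed sample modelled on the report. Assumed names: grouptestGroupRole, AuthUserPoolId.
const sample = {
  Parameters: { AuthUserPoolId: { Type: 'String' } },
  Resources: {
    groupTestGroup: {
      Type: 'AWS::Cognito::UserPoolGroup',
      Properties: {
        GroupName: 'group:test',
        UserPoolId: { Ref: 'AuthUserPoolId' },
        RoleArn: { 'Fn::GetAtt': ['group:testGroupRole', 'Arn'] }, // unsanitized reference
      },
    },
    grouptestGroupRole: { Type: 'AWS::IAM::Role', Properties: {} },
  },
  Outputs: { GroupRoleArn: { Value: { 'Fn::GetAtt': ['group:testGroupRole', 'Arn'] } } },
};
console.log(findBrokenReferences(sample));
```

Running it against the generated template in CI before `amplify push` surfaces the mismatch with the property path, instead of a CloudFormation parse failure at deploy time.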