aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.
Apache License 2.0

User Pool Groups Cloudformation Issue when Special Characters Present #12560

Open MattHapner opened 1 year ago

MattHapner commented 1 year ago

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

No response

Amplify CLI Version

11.1.0 (set to latest in CI/CD build job)

What operating system are you using?

Windows

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

N/A

Describe the bug

When identity pools are enabled and Cognito user groups are specified with names containing special characters, the CloudFormation template will incorrectly reference the role resources with those special characters present. As stated in the AWS Cognito console, "The group name must contain between 1 and 128 non-space characters." However, CloudFormation resources must be only alpha-numeric ([a-zA-Z0-9]). When the CloudFormation template is generated, the "AWS::Cognito::UserPoolGroup" resources are correctly named without the special characters (e.g. "group:test" is provisioned as "groupTestGroup"), but they have a property called "RoleARN" that still has the special characters in the ref (e.g. "RoleArn": { "Fn::GetAtt": [ "group:testGroupRole", "Arn" ] }). The CloudFormation parsing engine is not able to recognize that resource and fails. This also happens with the Outputs of the template and the "RoleName" of the "AWS::IAM::Role".

Expected behavior

It's expected that any generated "Ref"s to CF resources would also properly sanitize for special characters.

Reproduction steps

  1. amplify add auth
  2. configure a user pools group with special characters in the name (e.g. ':')
  3. enable identity pools for group role-based access

Project Identifier

No response

Log output

```
# Put your logs below this line
```

Additional information

No response

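Added example (JavaScript, not Amplify CLI code): the logical-ID sanitization the report describes, applied consistently to the resource ID, the `Fn::GetAtt` target and the IAM `RoleName`, plus a small lint that flags the dangling reference when the sanitization is only applied to the resource ID. The `toLogicalId` rule and the template shape are assumptions modelled on the names quoted in the issue.

```javascript
// Added example, not Amplify CLI code: derive CloudFormation logical IDs from
// Cognito group names and lint a template for the inconsistency the issue hit.
const LOGICAL_ID = /^[A-Za-z0-9]+$/;   // CloudFormation logical ID rule
const IAM_ROLE_NAME = /^[\w+=,.@-]+$/; // IAM RoleName character set
// "group:test" -> "groupTest": drop each run of non-alphanumerics and
// upper-case the character that followed it (the naming the issue observed).
function toLogicalId(name) {
  return name.replace(/[^A-Za-z0-9]+(.)?/g, (_, next) => (next ? next.toUpperCase() : ''));
}
// Minimal template with one UserPoolGroup and its role. sanitizeRefs=false
// reproduces the bug: IDs are sanitized, but GetAtt target and RoleName are not.
function buildTemplate(groupName, precedence, sanitizeRefs) {
  const id = toLogicalId(groupName);
  const roleName = (sanitizeRefs ? id : groupName) + 'GroupRole';
  return {
    Parameters: { UserPool: { Type: 'String' } },
    Resources: {
      [`${id}Group`]: {
        Type: 'AWS::Cognito::UserPoolGroup',
        Properties: {
          GroupName: groupName, // Cognito itself accepts the colon
          Precedence: precedence,
          UserPoolId: { Ref: 'UserPool' },
          RoleArn: { 'Fn::GetAtt': [roleName, 'Arn'] },
        },
      },
      [`${id}GroupRole`]: { Type: 'AWS::IAM::Role', Properties: { RoleName: roleName } },
    },
  };
}
// Report invalid logical IDs, invalid IAM role names, and Ref/GetAtt targets that
// no Resource or Parameter declares; an empty list means the references resolve.
function lintTemplate(template) {
  const problems = [];
  const declared = new Set([...Object.keys(template.Parameters || {}), ...Object.keys(template.Resources)]);
  for (const [id, res] of Object.entries(template.Resources)) {
    if (!LOGICAL_ID.test(id)) problems.push(`invalid logical ID: ${id}`);
    const roleName = res.Type === 'AWS::IAM::Role' ? (res.Properties || {}).RoleName : undefined;
    if (typeof roleName === 'string' && !IAM_ROLE_NAME.test(roleName)) problems.push(`invalid RoleName: ${roleName}`);
  }
  const visit = (node) => { // recurse into every object/array looking for Ref / Fn::GetAtt
    if (!node || typeof node !== 'object') return;
    const target = node.Ref ?? (Array.isArray(node['Fn::GetAtt']) ? node['Fn::GetAtt'][0] : undefined);
    if (typeof target === 'string' && !target.startsWith('AWS::') && !declared.has(target)) problems.push(`dangling reference: ${target}`);
    Object.values(node).forEach(visit);
  };
  visit(template.Resources);
  return problems;
}
```

Running `lintTemplate(buildTemplate('group:test', 1, false))` reports both the invalid `RoleName` and the unresolved `group:testGroupRole` target; with `sanitizeRefs` true the same template lints clean.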

josefaidt commented 1 year ago

Hey @MattHapner :wave: thanks for raising this! I was not able to reproduce this issue when attempting to input a group name with special characters:

during amplify add auth

```
➜  amplify add auth
Using service: Cognito, provided by: awscloudformation

 The current configured provider is Amazon Cognito.

 Do you want to use the default authentication and security configuration? Manual configuration
 Select the authentication/authorization services that you want to use: User Sign-Up, Sign-In, connected with AWS IAM controls (Enables per-user Storage features for images or other content, Analytics, and more)
 Provide a friendly name for your resource that will be used to label this category in the project: 14326c567ce06c567ce0

 Enter a name for your identity pool. 14326c567ce0_identitypool_6c567ce0
 Allow unauthenticated logins? (Provides scoped down permissions that you can control via AWS IAM) No
 Do you want to enable 3rd party authentication providers in your identity pool? No
 Provide a name for your user pool: 14326c567ce0_userpool_6c567ce0
 Warning: you will not be able to edit these selections.
 How do you want users to be able to sign in? Username
 Do you want to add User Pool Groups? Yes
? Provide a name for your user pool group: test:group
>> Resource name should be alphanumeric
```

during amplify update auth

```
➜  amplify update auth
Please note that certain attributes may not be overwritten if you choose to use defaults settings.

You have configured resources that might depend on this Cognito resource.  Updating this Cognito resource could have unintended side effects.

Using service: Cognito, provided by: awscloudformation
 What do you want to do? Create or update Cognito user pool groups
? Provide a name for your user pool group: test:group
>> Resource name should be alphanumeric
```

How was the Cognito User Pool group added to the project's auth resource?

MattHapner commented 1 year ago

Thanks for the response @josefaidt. I believe they were provisioned via the means that you just demonstrated... it must've been on a much older version of the CLI. I have a user-pool-group-precedence.json file that contains the contents of three roles that I provisioned via the CLI:

```json
[
  {
    "groupName": "group:Admin",
    "precedence": 1
  },
  {
    "groupName": "group:Manager",
    "precedence": 2
  },
  {
    "groupName": "group:Employee",
    "precedence": 3
  }
]
```

Why is the requirement of alphanumeric-y enforced when Cognito itself does not enforce that?

josefaidt commented 1 year ago

Hey @MattHapner thanks for clarifying! If you modify that file and the auth's cli-inputs.json file to remove the colons does it allow you to push successfully? You will want to modify the userPoolGroupList in the cli-inputs.json file.

```json
"userPoolGroupList": [
  "admins"
],
```

Additionally I agree that this prompt should follow the same requirements as the underlying service. I'll mark this as a feature request to relax the validation here and to properly stringify for use in CloudFormation.

MattHapner commented 1 year ago

@josefaidt I'll make the change to alphanumeric characters only and let you know. This is a pretty major frustration for me, as in order to unblock myself I now need to create new groups and reassign all my users to their respective group.

EDIT: Making the change to remove special characters did resolve the problem, as I had assumed it would.