search

aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.
Apache License 2.0
2.81k stars 819 forks source link

Can't create new amplify env because MFALambdaRole already exists #13783

Closed DevTGhosh closed 2 months ago

DevTGhosh commented 4 months ago

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

v20.11.0

Amplify CLI Version

12.9.0

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No manual changes made

Describe the bug

Try to create a new amplify env and when you try to amplify push it fails with the following error

🛑 The following resources failed to deploy: Resource Name: MFALambdaRole (AWS::IAM::Role) Event Type: create Reason: The policy chedar678aa9d9_sns_pass_role_policy already exists on the role chedar678aa9d9_totp_lambda_role-dev.

🛑 Resource is not in the state stackUpdateComplete Name: MFALambdaRole (AWS::IAM::Role), Event Type: create, Reason: The policy chedar678aa9d9_sns_pass_role_policy already exists on the role chedar678aa9d9_totp_lambda_role-dev., IsCustomResource: false

Expected behavior

To be able to create a new amplify env.

Reproduction steps

  1. Create a new amplify env
  2. amplify push

Project Identifier

Project Identifier: c1df5805dc85b2b52388558184e19166

Log output

``` # Put your logs below this line ```

Additional information

My auth cloudformation template

{ "Description": "{\"createdOn\":\"Mac\",\"createdBy\":\"Amplify\",\"createdWith\":\"12.9.0\",\"stackType\":\"auth-Cognito\",\"metadata\":{}}", "AWSTemplateFormatVersion": "2010-09-09", "Parameters": { "env": { "Type": "String" }, "functionchedarAuthTestPostConfirmationArn": { "Type": "String", "Default": "functionchedarAuthTestPostConfirmationArn" }, "functionchedarAuthTestPostConfirmationName": { "Type": "String", "Default": "functionchedarAuthTestPostConfirmationName" }, "identityPoolName": { "Type": "String" }, "allowUnauthenticatedIdentities": { "Type": "String" }, "resourceNameTruncated": { "Type": "String" }, "userPoolName": { "Type": "String" }, "autoVerifiedAttributes": { "Type": "CommaDelimitedList" }, "mfaConfiguration": { "Type": "String" }, "mfaTypes": { "Type": "CommaDelimitedList" }, "smsAuthenticationMessage": { "Type": "String" }, "smsVerificationMessage": { "Type": "String" }, "emailVerificationSubject": { "Type": "String" }, "emailVerificationMessage": { "Type": "String" }, "defaultPasswordPolicy": { "Type": "String" }, "passwordPolicyMinLength": { "Type": "String" }, "passwordPolicyCharacters": { "Type": "CommaDelimitedList" }, "requiredAttributes": { "Type": "CommaDelimitedList" }, "aliasAttributes": { "Type": "CommaDelimitedList" }, "userpoolClientGenerateSecret": { "Type": "String" }, "userpoolClientRefreshTokenValidity": { "Type": "String" }, "userpoolClientWriteAttributes": { "Type": "CommaDelimitedList" }, "userpoolClientReadAttributes": { "Type": "CommaDelimitedList" }, "userpoolClientLambdaRole": { "Type": "String" }, "userpoolClientSetAttributes": { "Type": "String" }, "authSelections": { "Type": "String" }, "resourceName": { "Type": "String" }, "serviceName": { "Type": "String" }, "useDefault": { "Type": "String" }, "sharedId": { "Type": "String" }, "userPoolGroupList": { "Type": "CommaDelimitedList" }, "userPoolGroups": { "Type": "String" }, "usernameCaseSensitive": { "Type": "String" }, "adminQueries": { "Type": "String" }, "hostedUI": { "Type": "String" }, "triggers": { "Type": "String" }, "authRoleArn": { "Type": "String" }, "unauthRoleArn": { "Type": "String" }, "breakCircularDependency": { "Type": "String" }, "useEnabledMfas": { "Type": "String" }, "dependsOn": { "Type": "CommaDelimitedList" }, "permissions": { "Type": "CommaDelimitedList" }, "authTriggerConnections": { "Type": "CommaDelimitedList" }, "parentStack": { "Type": "String" }, "authProviders": { "Type": "CommaDelimitedList" }, "thirdPartyAuth": { "Type": "String" } }, "Conditions": { "ShouldNotCreateEnvResources": { "Fn::Equals": [ { "Ref": "env" }, "NONE" ] } }, "Resources": { "SNSRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "cognito-idp.amazonaws.com" }, "Action": [ "sts:AssumeRole" ], "Condition": { "StringEquals": { "sts:ExternalId": "chedar678aa9d9_role_external_id" } } } ] }, "Policies": [ { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": "*" } ] }, "PolicyName": "chedar678aa9d9-sns-policy" } ], "RoleName": { "Fn::If": [ "ShouldNotCreateEnvResources", "chedar678aa9d9_sns-role", { "Fn::Join": [ "", [ "sns678aa9d9", { "Fn::Select": [ 3, { "Fn::Split": [ "-", { "Ref": "AWS::StackName" } ] } ] }, "-", { "Ref": "env" } ] ] } ] } } }, "UserPool": { "Type": "AWS::Cognito::UserPool", "Properties": { "AdminCreateUserConfig": { "InviteMessageTemplate": { "EmailMessage": "

Clap!

Thank you for signing up to your first scene

\"\"

Bienvenue,

Votre compte Chedar a bien été créé.

Vous trouverez ci-dessous les accès à votre compte:

  • Lien:app.chedar.fr
  • Nom d'utilisateur: {username}
  • Mot de passe temporaire: {####}

Notre centre de formation est accessible ici:learn.chedar.io

Happy budgeting,

l'Equipe Chedar

 

Si vous avez des soucis à vous connectez, veuillez nous contacter àsupport@chedar.fr

\"\"
", "EmailSubject": "You're Invited to Chedar!" } }, "AutoVerifiedAttributes": [ "email" ], "EmailConfiguration": { "EmailSendingAccount": "DEVELOPER", "From": "support@chedar.fr", "ReplyToEmailAddress": "support@chedar.fr", "SourceArn": "arn:aws:ses:eu-west-1:251651594881:identity/support@chedar.fr" }, "EmailVerificationMessage": { "Ref": "emailVerificationMessage" }, "EmailVerificationSubject": { "Ref": "emailVerificationSubject" }, "LambdaConfig": { "PostConfirmation": { "Ref": "functionchedarAuthTestPostConfirmationArn" } }, "MfaConfiguration": { "Ref": "mfaConfiguration" }, "Policies": { "PasswordPolicy": { "MinimumLength": { "Ref": "passwordPolicyMinLength" }, "RequireLowercase": false, "RequireNumbers": false, "RequireSymbols": false, "RequireUppercase": false, "TemporaryPasswordValidityDays": 60 } }, "Schema": [ { "Mutable": true, "Name": "email", "Required": true }, { "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Name": "tenantid", "Required": false } ], "SmsAuthenticationMessage": { "Ref": "smsAuthenticationMessage" }, "SmsConfiguration": { "ExternalId": "chedar678aa9d9_role_external_id", "SnsCallerArn": { "Fn::GetAtt": [ "SNSRole", "Arn" ] } }, "SmsVerificationMessage": { "Ref": "smsVerificationMessage" }, "UserAttributeUpdateSettings": { "AttributesRequireVerificationBeforeUpdate": [ "email" ] }, "UsernameConfiguration": { "CaseSensitive": false }, "UserPoolName": { "Fn::If": [ "ShouldNotCreateEnvResources", { "Ref": "userPoolName" }, { "Fn::Join": [ "", [ { "Ref": "userPoolName" }, "-", { "Ref": "env" } ] ] } ] }, "VerificationMessageTemplate": { "EmailMessage": "Your verification code for Chedar is {####}", "EmailSubject": "Your verification code for Chedar" } } }, "UserPoolPostConfirmationLambdaInvokePermission": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:invokeFunction", "FunctionName": { "Ref": "functionchedarAuthTestPostConfirmationName" }, "Principal": "cognito-idp.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "UserPool", "Arn" ] } } }, "chedarAuthTestPostConfirmationAddToGroupCognito": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cognito-idp:AdminAddUserToGroup", "cognito-idp:GetGroup", "cognito-idp:CreateGroup" ], "Resource": { "Fn::GetAtt": [ "UserPool", "Arn" ] } } ] }, "PolicyName": "chedarAuthTestPostConfirmationAddToGroupCognito", "Roles": [ { "Fn::Join": [ "", [ "chedarAuthTestPostConfirmation-", { "Ref": "env" } ] ] } ] } }, "UserPoolClientWeb": { "Type": "AWS::Cognito::UserPoolClient", "Properties": { "UserPoolId": { "Ref": "UserPool" }, "ClientName": "chedar678aa9d9_app_clientWeb", "ReadAttributes": [ "email", "custom:tenantid" ], "RefreshTokenValidity": { "Ref": "userpoolClientRefreshTokenValidity" }, "TokenValidityUnits": { "RefreshToken": "days" }, "WriteAttributes": [ "email", "custom:tenantid" ] }, "DependsOn": [ "UserPool" ] }, "UserPoolClient": { "Type": "AWS::Cognito::UserPoolClient", "Properties": { "UserPoolId": { "Ref": "UserPool" }, "ClientName": "chedar678aa9d9_app_client", "GenerateSecret": { "Ref": "userpoolClientGenerateSecret" }, "ReadAttributes": [ "email", "custom:tenantid" ], "RefreshTokenValidity": { "Ref": "userpoolClientRefreshTokenValidity" }, "TokenValidityUnits": { "RefreshToken": "days" }, "WriteAttributes": [ "email", "custom:tenantid" ] }, "DependsOn": [ "UserPool" ] }, "UserPoolClientRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }, "RoleName": { "Fn::If": [ "ShouldNotCreateEnvResources", { "Ref": "userpoolClientLambdaRole" }, { "Fn::Join": [ "", [ "upClientLambdaRole678aa9d9", { "Fn::Select": [ 3, { "Fn::Split": [ "-", { "Ref": "AWS::StackName" } ] } ] }, "-", { "Ref": "env" } ] ] } ] } } }, "MFALambdaRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }, "Policies": [ { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": { "Fn::If": [ "ShouldNotCreateEnvResources", "arn:aws:iam:::role/chedar678aa9d9_totp_lambda_role", { "Fn::Join": [ "", [ "arn:aws:iam:::role/chedar678aa9d9__totp_lambda_role-", { "Ref": "env" } ] ] } ] } } ] }, "PolicyName": "chedar678aa9d9_totp_pass_role_policy" }, { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": { "Fn::GetAtt": [ "SNSRole", "Arn" ] } } ] }, "PolicyName": "chedar678aa9d9_sns_pass_role_policy" } ], "RoleName": { "Fn::If": [ "ShouldNotCreateEnvResources", "chedar678aa9d9_totp_lambda_role", { "Fn::Join": [ "", [ "chedar678aa9d9_totp_lambda_role-", { "Ref": "env" } ] ] } ] } }, "DependsOn": [ "SNSRole" ] }, "MFALambda": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "ZipFile": "const response = require('cfn-response');\nconst { CognitoIdentityProviderClient, SetUserPoolMfaConfigCommand } = require('@aws-sdk/client-cognito-identity-provider');\nconst identity = new CognitoIdentityProviderClient({});\n\nexports.handler = (event, context) => {\n // Don't return promise, response.send() marks context as done internally\n void tryHandleEvent(event, context);\n};\n\nasync function tryHandleEvent(event, context) {\n try {\n await handleEvent(event);\n response.send(event, context, response.SUCCESS, {});\n } catch (e) {\n response.send(event, context, response.FAILED, { e });\n }\n}\n\nasync function handleEvent(event) {\n if (event.RequestType === 'Update' || event.RequestType === 'Create') {\n const totpParams = {\n UserPoolId: event.ResourceProperties.userPoolId,\n MfaConfiguration: event.ResourceProperties.mfaConfiguration,\n SmsMfaConfiguration: {\n SmsAuthenticationMessage: event.ResourceProperties.smsAuthenticationMessage,\n SmsConfiguration: {\n SnsCallerArn: event.ResourceProperties.smsConfigCaller,\n ExternalId: event.ResourceProperties.smsConfigExternalId,\n },\n },\n SoftwareTokenMfaConfiguration: { Enabled: event.ResourceProperties.totpEnabled.toLowerCase() === 'true' },\n };\n console.log(totpParams);\n\n await identity.send(new SetUserPoolMfaConfigCommand(totpParams));\n }\n}\n" }, "Role": { "Fn::GetAtt": [ "MFALambdaRole", "Arn" ] }, "Handler": "index.handler", "Runtime": "nodejs18.x", "Timeout": 300 }, "DependsOn": [ "MFALambdaRole" ] }, "MFALambdaPolicy": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cognito-idp:SetUserPoolMfaConfig" ], "Resource": { "Fn::GetAtt": [ "UserPool", "Arn" ] } } ] }, "PolicyName": "chedar678aa9d9_totp_lambda_iam_policy", "Roles": [ { "Fn::If": [ "ShouldNotCreateEnvResources", "chedar678aa9d9_totp_lambda_role", { "Fn::Join": [ "", [ "chedar678aa9d9_totp_lambda_role-", { "Ref": "env" } ] ] } ] } ] }, "DependsOn": [ "MFALambda" ] }, "MFALogPolicy": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": { "Fn::Sub": [ "arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*", { "region": { "Ref": "AWS::Region" }, "account": { "Ref": "AWS::AccountId" }, "lambda": { "Ref": "MFALambda" } } ] } } ] }, "PolicyName": "chedar678aa9d9_totp_lambda_log_policy", "Roles": [ { "Fn::If": [ "ShouldNotCreateEnvResources", "chedar678aa9d9_totp_lambda_role", { "Fn::Join": [ "", [ "chedar678aa9d9_totp_lambda_role-", { "Ref": "env" } ] ] } ] } ] }, "DependsOn": [ "MFALambdaPolicy" ] }, "MFALambdaInputs": { "Type": "Custom::LambdaCallout", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "MFALambda", "Arn" ] }, "mfaConfiguration": { "Ref": "mfaConfiguration" }, "totpEnabled": true, "smsConfigCaller": { "Fn::GetAtt": [ "SNSRole", "Arn" ] }, "smsAuthenticationMessage": { "Ref": "smsAuthenticationMessage" }, "smsConfigExternalId": "chedar678aa9d9_role_external_id", "userPoolId": { "Ref": "UserPool" } }, "DependsOn": [ "MFALogPolicy" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, "IdentityPool": { "Type": "AWS::Cognito::IdentityPool", "Properties": { "AllowUnauthenticatedIdentities": { "Ref": "allowUnauthenticatedIdentities" }, "CognitoIdentityProviders": [ { "ClientId": { "Ref": "UserPoolClient" }, "ProviderName": { "Fn::Sub": [ "cognito-idp.${region}.amazonaws.com/${client}", { "region": { "Ref": "AWS::Region" }, "client": { "Ref": "UserPool" } } ] } }, { "ClientId": { "Ref": "UserPoolClientWeb" }, "ProviderName": { "Fn::Sub": [ "cognito-idp.${region}.amazonaws.com/${client}", { "region": { "Ref": "AWS::Region" }, "client": { "Ref": "UserPool" } } ] } } ], "IdentityPoolName": { "Fn::If": [ "ShouldNotCreateEnvResources", "chedarv2678aa9d9_identitypool_678aa9d9", { "Fn::Join": [ "", [ "chedarv2678aa9d9_identitypool_678aa9d9__", { "Ref": "env" } ] ] } ] } } }, "IdentityPoolRoleMap": { "Type": "AWS::Cognito::IdentityPoolRoleAttachment", "Properties": { "IdentityPoolId": { "Ref": "IdentityPool" }, "RoleMappings": { "UserPoolClientRoleMapping": { "AmbiguousRoleResolution": "AuthenticatedRole", "IdentityProvider": { "Fn::Sub": [ "cognito-idp.${region}.amazonaws.com/${userPool}:${client}", { "region": { "Ref": "AWS::Region" }, "userPool": { "Ref": "UserPool" }, "client": { "Ref": "UserPoolClient" } } ] }, "Type": "Token" }, "UserPoolWebClientRoleMapping": { "AmbiguousRoleResolution": "AuthenticatedRole", "IdentityProvider": { "Fn::Sub": [ "cognito-idp.${region}.amazonaws.com/${userPool}:${webClient}", { "region": { "Ref": "AWS::Region" }, "userPool": { "Ref": "UserPool" }, "webClient": { "Ref": "UserPoolClientWeb" } } ] }, "Type": "Token" } }, "Roles": { "unauthenticated": { "Ref": "unauthRoleArn" }, "authenticated": { "Ref": "authRoleArn" } } }, "DependsOn": [ "IdentityPool", "UserPoolClient", "UserPoolClientWeb" ] } }, "Outputs": { "IdentityPoolId": { "Description": "Id for the identity pool", "Value": { "Ref": "IdentityPool" } }, "IdentityPoolName": { "Value": { "Fn::GetAtt": [ "IdentityPool", "Name" ] } }, "UserPoolId": { "Description": "Id for the user pool", "Value": { "Ref": "UserPool" } }, "UserPoolArn": { "Description": "Arn for the user pool", "Value": { "Fn::GetAtt": [ "UserPool", "Arn" ] } }, "UserPoolName": { "Value": { "Ref": "userPoolName" } }, "AppClientIDWeb": { "Description": "The user pool app client id for web", "Value": { "Ref": "UserPoolClientWeb" } }, "AppClientID": { "Description": "The user pool app client id", "Value": { "Ref": "UserPoolClient" } }, "CreatedSNSRole": { "Description": "role arn", "Value": { "Fn::GetAtt": [ "SNSRole", "Arn" ] } } } }
ykethan commented 4 months ago

Hey @DevTGhosh, thank you for reaching out. From the project identifier noticed the the cli.json present in the amplify folder sees to be missing some feature flags. Were these intentionally removed?

{
  "features": {
    "graphqltransformer": {
      "addmissingownerfields": true,
      "improvepluralization": false,
      "validatetypenamereservedwords": true,
      "useexperimentalpipelinedtransformer": true,
      "enableiterativegsiupdates": true,
      "secondarykeyasgsi": true,
      "skipoverridemutationinputtypes": true,
      "transformerversion": 2,
      "suppressschemamigrationprompt": true,
      "securityenhancementnotification": false,
      "showfieldauthnotification": false,
      "usesubusernamefordefaultidentityclaim": true,
      "usefieldnameforprimarykeyconnectionfield": false,
      "enableautoindexquerynames": true,
      "respectprimarykeyattributesonconnectionfield": true,
      "shoulddeepmergedirectiveconfigdefaults": false,
      "populateownerfieldforstaticgroupauth": true
    },
    "frontend-ios": {
      "enablexcodeintegration": true
    },
    "auth": {
      "enablecaseinsensitivity": true,
      "useinclusiveterminology": true,
      "breakcirculardependency": true,
      "forcealiasattributes": false,
      "useenabledmfas": true
    },
    "codegen": {
      "useappsyncmodelgenplugin": true,
      "usedocsgeneratorplugin": true,
      "usetypesgeneratorplugin": true,
      "cleangeneratedmodelsdirectory": true,
      "retaincasestyle": true,
      "addtimestampfields": true,
      "handlelistnullabilitytransparently": true,
      "emitauthprovider": true,
      "generateindexrules": true,
      "enabledartnullsafety": true,
      "generatemodelsforlazyloadandcustomselectionset": false
    },
    "appsync": {
      "generategraphqlpermissions": true
    },
    "latestregionsupport": {
      "pinpoint": 1,
      "translate": 1,
      "transcribe": 1,
      "rekognition": 1,
      "textract": 1,
      "comprehend": 1
    },
    "project": {
      "overrides": true
    }
  },
  "debug": {}
}

the feature flag useenabledmfas when set as false does add a MFALambdaRole. setting the flag to true and running through the update auth flow should remove the role from the cloudformation template.

ykethan commented 2 months ago

Closing the issue due to inactivity. Do reach out to us if you are still experiencing this issue

github-actions[bot] commented 2 months ago

This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.