aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.
Apache License 2.0

Failed to migrate auth after upgrade amplify cli from version 6 to 12 #13905

Open JaysZila opened 2 weeks ago

JaysZila commented 2 weeks ago

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

20.15.0

Amplify CLI Version

12.10.1

What operating system are you using?

macOS

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No manual changes made

Describe the bug

My project was recently upgraded from Amplify CLI version 6.0.0 to 12.10.1. After the upgrade, when I ran the amplify push command, it displayed the following error:

“Auth triggers have been configured using an older version of the CLI and must be migrated before they can be deployed. Run amplify update auth and select ‘yes’ at the migration prompt. Then retry the deployment using amplify push.”

I have run amplify update auth with the following options:

Using service: Cognito, provided by: awscloudformation
 What do you want to do? Walkthrough all the auth configurations
 Select the authentication/authorization services that you want to use: User Sign-Up, Sign-In, connected with AWS IAM controls (Enables per-user Storage features for
 images or other content, Analytics, and more)
 Allow unauthenticated logins? (Provides scoped down permissions that you can control via AWS IAM) Yes
 Do you want to enable 3rd party authentication providers in your identity pool? No
 Do you want to add User Pool Groups? No
 Do you want to add an admin queries API? No
 Multifactor authentication (MFA) user login options: OFF
 Email based user registration/forgot password: Enabled (Requires per-user email entry at registration)
 Specify an email verification subject: Your verification code
 Specify an email verification message: Your verification code is {####}
 Do you want to override the default password policy for this User Pool? No
 Specify the app's refresh token expiration period (in days): 1
 Do you want to specify the user attributes this app can read and write? No
 Do you want to enable any of the following capabilities? Custom Auth Challenge Flow (basic scaffolding - not for production)
 Do you want to use an OAuth flow? No
? Do you want to configure Lambda Triggers for Cognito? Yes
? Which triggers do you want to enable for Cognito Create Auth Challenge, Define Auth Challenge, Verify Auth Challenge Response
? What functionality do you want to use for Create Auth Challenge Custom Auth Challenge Scaffolding (Creation)
? What functionality do you want to use for Define Auth Challenge Custom Auth Challenge Scaffolding (Definition)
? What functionality do you want to use for Verify Auth Challenge Response Custom Auth Challenge Scaffolding (Verification)

Successfully updated the Cognito trigger locally
Successfully updated the Cognito trigger locally
Successfully updated the Cognito trigger locally
✅ Successfully updated auth resource myAuth locally

After the migration was completed, it removed myAuth-cloudformation-template.json, auth-trigger-cloudformation-template.json, and parameter.json files and added cli-input.json instead.

After that, I manually re-added myAuth-cloudformation-template.json and auth-trigger-cloudformation-template.json (my project has a custom Lambda trigger that was created before) back to the project and pushed the changes to the cloud again.

However, I encountered the following error:

The following resources failed to deploy: Resource Name: UserPool (AWS::Cognito::UserPool) Event Type: update Reason: Resource handler returned message: "Invalid request provided: Updates are not allowed for property - UsernameConfiguration." (RequestToken: xxxxxx, HandlerErrorCode: InvalidRequest)

Expected behavior

amplify push needs to work normally after the migration is completed.

Reproduction steps

  1. npm install -g @aws-amplify/cli@12.10.1
  2. amplify update auth
  3. re-added myAuth-cloudformation-template.json and auth-trigger-cloudformation-template.json back to the project
  4. amplify push

Project Identifier

No response

Additional information

My cloudformation stack details (Auth)

Resources

Parameters include usernameCaseSensitive: false

ykethan commented 2 weeks ago

Hey @JaysZila, thank you for reaching out. Could you provide the cli-inputs.json generated in the backend/auth/<resource-name> folder? From the error message, the issue may be caused by using alias attributes in your existing Auth resource. If so, you may need to enable the forcealiasattributes flag in the cli.json present at the root of the amplify folder. Then run amplify build or amplify update auth and amplify push.

current version of the cli.json

{
  "features": {
    "graphqltransformer": {
      "addmissingownerfields": true,
      "improvepluralization": false,
      "validatetypenamereservedwords": true,
      "useexperimentalpipelinedtransformer": true,
      "enableiterativegsiupdates": true,
      "secondarykeyasgsi": true,
      "skipoverridemutationinputtypes": true,
      "transformerversion": 2,
      "suppressschemamigrationprompt": true,
      "securityenhancementnotification": false,
      "showfieldauthnotification": false,
      "usesubusernamefordefaultidentityclaim": true,
      "usefieldnameforprimarykeyconnectionfield": false,
      "enableautoindexquerynames": true,
      "respectprimarykeyattributesonconnectionfield": true,
      "shoulddeepmergedirectiveconfigdefaults": false,
      "populateownerfieldforstaticgroupauth": true,
      "subscriptionsinheritprimaryauth": false
    },
    "frontend-ios": {
      "enablexcodeintegration": true
    },
    "auth": {
      "enablecaseinsensitivity": true,
      "useinclusiveterminology": true,
      "breakcirculardependency": true,
      "forcealiasattributes": false, // enable this flag
      "useenabledmfas": true
    },
    "codegen": {
      "useappsyncmodelgenplugin": true,
      "usedocsgeneratorplugin": true,
      "usetypesgeneratorplugin": true,
      "cleangeneratedmodelsdirectory": true,
      "retaincasestyle": true,
      "addtimestampfields": true,
      "handlelistnullabilitytransparently": true,
      "emitauthprovider": true,
      "generateindexrules": true,
      "enabledartnullsafety": true,
      "generatemodelsforlazyloadandcustomselectionset": false
    },
    "appsync": {
      "generategraphqlpermissions": true
    },
    "latestregionsupport": {
      "pinpoint": 1,
      "translate": 1,
      "transcribe": 1,
      "rekognition": 1,
      "textract": 1,
      "comprehend": 1
    },
    "project": {
      "overrides": true
    }
  },
  "debug": {}
}
JaysZila commented 2 weeks ago

Hi @ykethan This is my cli-input.json

{
  "version": "1",
  "cognitoConfig": {
    "identityPoolName": "IdentityPoolName",
    "allowUnauthenticatedIdentities": true,
    "resourceNameTruncated": "xxxxxxx",
    "userPoolName": "UserPoolName",
    "autoVerifiedAttributes": [
      "email"
    ],
    "mfaConfiguration": "OFF",
    "mfaTypes": [
      "SMS Text Message"
    ],
    "smsAuthenticationMessage": "Your authentication code is {####}",
    "smsVerificationMessage": "Your verification code is {####}",
    "emailVerificationSubject": "Your verification code",
    "emailVerificationMessage": "Your verification code is {####}",
    "defaultPasswordPolicy": false,
    "passwordPolicyMinLength": "x",
    "passwordPolicyCharacters": [
      "Requires Numbers"
    ],
    "requiredAttributes": [],
    "aliasAttributes": [],
    "userpoolClientGenerateSecret": false,
    "userpoolClientRefreshTokenValidity": "1",
    "userpoolClientWriteAttributes": [
      "email"
    ],
    "userpoolClientReadAttributes": [
      "email"
    ],
    "userpoolClientLambdaRole": "userpoolclient_lambda_role",
    "userpoolClientSetAttributes": false,
    "authSelections": "identityPoolAndUserPool",
    "resourceName": "myAuth",
    "serviceName": "Cognito",
    "useDefault": "manual",
    "sharedId": "xxxxxx",
    "userPoolGroupList": [],
    "userPoolGroups": false,
    "usernameCaseSensitive": false, ---> but in AWS Cognito the value is true (case sensitive)
    "adminQueries": false,
    "hostedUI": false,
    "thirdPartyAuth": false,
    "authProviders": [],
    "triggers": {
      "CreateAuthChallenge": [
        "boilerplate-create-challenge"
      ],
      "DefineAuthChallenge": [
        "boilerplate-define-challenge"
      ],
      "VerifyAuthChallengeResponse": [
        "boilerplate-verify"
      ]
    },
    "authRoleArn": {
      "Fn::GetAtt": [
        "AuthRole",
        "Arn"
      ]
    },
    "unauthRoleArn": {
      "Fn::GetAtt": [
        "UnauthRole",
        "Arn"
      ]
    },
    "breakCircularDependency": true,
    "useEnabledMfas": false,
    "dependsOn": [
      {
        "category": "function",
        "resourceName": "myAuthCreateAuthChallenge",
        "triggerProvider": "Cognito",
        "attributes": [
          "Arn",
          "Name"
        ]
      },
      {
        "category": "function",
        "resourceName": "myAuthDefineAuthChallenge",
        "triggerProvider": "Cognito",
        "attributes": [
          "Arn",
          "Name"
        ]
      },
      {
        "category": "function",
        "resourceName": "myAuthVerifyAuthChallengeResponse",
        "triggerProvider": "Cognito",
        "attributes": [
          "Arn",
          "Name"
        ]
      }
    ],
    "permissions": [],
    "authTriggerConnections": "[\n  {\n    \"triggerType\": \"CreateAuthChallenge\",\n    \"lambdaFunctionName\": \"myAuthCreateAuthChallenge\"\n  },\n  {\n    \"triggerType\": \"DefineAuthChallenge\",\n    \"lambdaFunctionName\": \"myAuthDefineAuthChallenge\"\n  },\n  {\n    \"triggerType\": \"VerifyAuthChallengeResponse\",\n    \"lambdaFunctionName\": \"myAuthVerifyAuthChallengeResponse\"\n  }\n]",
    "parentStack": {
      "Ref": "AWS::StackId"
    }
  }
}     

My current cli.json does not have forceAliasAttributes. Also, the user pool is configured to use username as the key for login. Do you mean I need to add it and set the value to true?

    "auth": {
      "enablecaseinsensitivity": true,
      "useinclusiveterminology": true,
      "breakcirculardependency": true
    }

backend-config.json, amplify-meta.json "usernameAttributes": []

ykethan commented 2 weeks ago

Hey @JaysZila, thank you for posting the cli-inputs.json. From the file, it appears the alias attributes are not being utilized, so you should be fine as this flag defaults to false. You could update the cli.json to have the latest flags present as well. Could you update "usernameCaseSensitive" to true in the cli-inputs.json and push? Do let us know if this mitigates the issue.

JaysZila commented 2 weeks ago

@ykethan Thank you for your reply. I tried updating it to true, but it still resulted in the same error message.

ykethan commented 2 weeks ago

@JaysZila, by any chance was this manually updated on the console? On the generated CloudFormation template I did notice the following, and updating to "usernameCaseSensitive": true did cause a similar error.

"UsernameConfiguration": {
     "CaseSensitive": false
 }

On the CloudFormation console, could you check the auth nested stack template for UsernameConfiguration? The name of the stack should start with amplify-<app-name> with auth appended in the name. Could you verify that the UsernameConfiguration matches the locally generated UsernameConfiguration in the CloudFormation template?
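
The comparison requested in the comment above, sketched as an added example that is not part of the thread or of Amplify's own code: it takes the deployed auth stack template and the locally generated one (both constructed here, with hypothetical helper names) and flags any user pool whose UsernameConfiguration differs, which is the change CloudFormation rejected with "Updates are not allowed for property - UsernameConfiguration".

```javascript
'use strict';
// Added example. Helper names and both templates below are constructed for illustration.

// Map each AWS::Cognito::UserPool logical ID to its UsernameConfiguration
// (undefined when the template does not set the property).
function usernameConfigs(template) {
  const pools = {};
  for (const [id, res] of Object.entries(template.Resources || {})) {
    if (res.Type === 'AWS::Cognito::UserPool') {
      pools[id] = (res.Properties || {}).UsernameConfiguration;
    }
  }
  return pools;
}

// Report pools whose UsernameConfiguration differs between the deployed and the
// local template. Absent vs. present counts as a difference: in the thread the
// deployed pool had none and both CaseSensitive values failed to deploy.
function findUsernameConfigDrift(deployedTemplate, localTemplate) {
  const deployed = usernameConfigs(deployedTemplate);
  const findings = [];
  for (const [id, localCfg] of Object.entries(usernameConfigs(localTemplate))) {
    if (!(id in deployed)) continue; // pool not deployed yet: set at creation, no update
    const before = JSON.stringify(deployed[id] ?? null);
    const after = JSON.stringify(localCfg ?? null);
    if (before !== after) findings.push({ logicalId: id, deployed: before, local: after });
  }
  return findings;
}

// Constructed sample templates, reduced to the one resource that matters here.
const pool = (props) => ({ Resources: { UserPool: { Type: 'AWS::Cognito::UserPool', Properties: props } } });
const deployedSample = pool({ UserPoolName: 'UserPoolName' });
const migratedSample = pool({ UserPoolName: 'UserPoolName', UsernameConfiguration: { CaseSensitive: false } });
const workaroundSample = pool({ UserPoolName: 'UserPoolName' });

console.log(findUsernameConfigDrift(deployedSample, migratedSample));
console.log(findUsernameConfigDrift(deployedSample, workaroundSample));
```

Intrinsic functions such as Ref are compared structurally, not resolved, so a parameterized CaseSensitive value shows up as a difference against a literal one.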

JaysZila commented 2 weeks ago

@ykethan I'm not sure whether it was manually updated on the console, since I wasn't part of the project team from the beginning.

To give you more detail on UsernameConfiguration in the project:

Before running amplify update auth

After running amplify update auth, a /build folder was created under backend/auth, containing the following files:

"UsernameConfiguration": {
          "CaseSensitive": false
}

cli-inputs.json, which was created under the backend/auth folder

I’m not quite sure about the UsernameConfiguration in the auth stack, since it’s a property of the AWS::Cognito::UserPool which is the one of the resource in auth stack. Is this what you mean?

If not, then I ran this command in the AWS console to check the details of the User Pool

aws cognito-idp describe-user-pool --user-pool-id "myUserPoolId"

The result is that there is no UsernameConfiguration defined in the User Pool either

ykethan commented 2 weeks ago

Hey @JaysZila, on a bit of a deep dive, I noticed similar issues: https://github.com/aws-amplify/amplify-cli/issues/10846 and https://github.com/aws-amplify/amplify-cli/issues/10447. The comments https://github.com/aws-amplify/amplify-cli/issues/10846#issuecomment-1264033973 and https://github.com/aws-amplify/amplify-cli/issues/10447#issuecomment-1154476327 provided a workaround: removing the usernameCaseSensitive parameter fixed the issue. Could you try this and let us know if this mitigates the issue?

JaysZila commented 1 week ago

@ykethan Thank you so much. After removing it, amplify push worked fine. However, I just noticed that after upgrading to Amplify CLI 12 and updating auth (walkthrough options with the same configuration when using amplify cli version 6), the number of resources in the auth category was reduced to 7 (from 11 before).

Do you have any idea why this might have happened? I’m not sure if it will affect the authentication flow or not.

Resource which was removed

No matter how I add it back to the CloudFormation file, after running amplify push, it always creates a build folder with the CloudFormation file containing only 7 resources.

ykethan commented 1 week ago

Hey @JaysZila, this is currently the expected behavior and should not affect the authentication flow. The resources were refactored as part of our improvements to the Auth resource.