aws-amplify / amplify-hosting

AWS Amplify Hosting provides a Git-based workflow for deploying and hosting fullstack serverless web applications.
https://aws.amazon.com/amplify/hosting/
Apache License 2.0

Unable to automatically provision backend for previews when application has Google Oauth #3247

Open Femi-lawal opened 1 year ago

Femi-lawal commented 1 year ago

App Id

d2rkwhxguawvjc

AWS Region

us-west-2

Amplify Hosting feature

Backend builds, Web previews

Describe the bug

My Amplify application has Google OAuth, and previews fail to create an ephemeral backend during pull requests because the auth resources fail to create.

Expected behavior

A preview should create a new ephemeral backend even when the application has social auth providers like Google.

Reproduction steps

  1. Add a Google OAuth provider to an Amplify application.
  2. Enable previews and select the "Create new backend environment for every pull request" option.
  3. Create a pull request and wait to see whether the backend is created successfully.

Build Settings

```yaml
version: 1
backend:
  phases:
    build:
      commands:
        - '# Execute Amplify CLI with the helper script'
        - amplifyPush --simple
frontend:
  phases:
    preBuild:
      commands:
        - npm ci
    build:
      commands:
        - npm run build
  artifacts:
    baseDirectory: .next
    files:
      - '**/*'
    cache:
      paths:
        - 'node_modules/**/*'
        - '.next/cache/**/*'
```

Log output

```json
{
  "Status": "FAILED",
  "Reason": "See the details in CloudWatch Log Stream: 20XX/XX/XX/[$LATEST]XXXXXXXXXXXX",
  "PhysicalResourceId": "20XX/XX/XX/[$LATEST]XXXXXXXXXXXX",
  "StackId": "arn:aws:cloudformation:us-west-2:XXXXXXXX:stack/amplify-XXXXXXX-XXXXXX-XXXXXXX-XXXXX-XXXXX/XXXXXXXX",
  "RequestId": "XXXXXXXXXXXXXXXXX",
  "LogicalResourceId": "OAuthCustomResourceInputs",
  "NoEcho": false,
  "Data": {
    "err": {
      "message": "The provider Google does not exist for User Pool us-west-2XXXXXXXXX.",
      "code": "InvalidParameterException",
      "time": "XXXXXXXX",
      "requestId": "XXXXXXXXX",
      "statusCode": 400,
      "retryable": false,
      "retryDelay": 69.68117398457674
    }
  }
}
```

Additional information

The error occurs in the OAuthCustomResourceInputs custom resource in the auth stack.

I downloaded the preview root stack from the S3 bucket and compared it to the root stack from an existing backend that works fine. I noticed that no values were provided for `hostedUIProviderCreds` in the preview root stack; the value defaulted to `"hostedUIProviderCreds": "[]"`.

For example, the existing backend root stack has this:

```json
"authXXXXXXXXXX": {
  "Type": "AWS::CloudFormation::Stack",
  "Properties": {
    "TemplateURL": "https://s3.amazonaws.com/amplify-XXXXXXXapp-XXXX-XXXX-deployment/amplify-cfn-templates/auth/XXXXXXXXXX-cloudformation-template.json",
    "Parameters": {
      ...,
      "googleClientId": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.apps.googleusercontent.com",
      "oAuthMetadata": "{\"AllowedOAuthFlows\":[\"code\"],\"AllowedOAuthScopes\":[\"phone\",\"email\",\"openid\",\"profile\",\"aws.cognito.signin.user.admin\"],\"CallbackURLs\":[XXXXXX],\"LogoutURLs\":[XXXXXX]}",
      "hostedUIProviderCreds": "[{\"ProviderName\":\"Google\",\"client_id\":\"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.apps.googleusercontent.com\",\"client_secret\":\"XXXXXXXXXXXXXXXXXXXXX\"}]",
      "env": "XXXX"
    }
  }
}
```

The preview root stack has this:

```json
"authXXXXXXXXXX": {
  "Type": "AWS::CloudFormation::Stack",
  "Properties": {
    "TemplateURL": "https://s3.amazonaws.com/amplify-XXXXXXXapp-XXXX-XXXX-deployment/amplify-cfn-templates/auth/XXXXXXXXXX-cloudformation-template.json",
    "Parameters": {
      ...,
      "googleClientId": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.apps.googleusercontent.com",
      "oAuthMetadata": "{\"AllowedOAuthFlows\":[\"code\"],\"AllowedOAuthScopes\":[\"phone\",\"email\",\"openid\",\"profile\",\"aws.cognito.signin.user.admin\"],\"CallbackURLs\":[XXXXXXXX],\"LogoutURLs\":[XXXXXX]}",
      "hostedUIProviderCreds": "[]",
      "env": "XXXX"
    }
  }
}
```

The application makes use of Google OAuth, and the Google client secret appears not to be present in the web preview backends, even though the `AMPLIFY_GOOGLE_CLIENT_SECRET` environment variable is visible to all branches.

I manually added the hostedUIProviderCreds in the preview root stack and tried to create it in the CloudFormation console from that template. It created all the auth resources successfully. So I suspect that the absence of hostedUIProviderCreds in the preview root stack is the cause of the issue.
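As an added check (not code from the issue or from Amplify Hosting), the following script automates the comparison the report above did by hand: it inspects a downloaded root-stack template and flags any nested auth stack that declares a provider through its client-id parameter but has no matching entry with both a client id and a client secret in `hostedUIProviderCreds`. The parameter names `googleClientId` and `hostedUIProviderCreds` come from the templates quoted above; `PROVIDER_PARAMS`, `missing_provider_creds` and the sample template are assumptions.

```python
import json

# Root-stack auth parameter that enables a social provider -> ProviderName
# expected inside hostedUIProviderCreds. Only Google is taken from the issue.
PROVIDER_PARAMS = {"googleClientId": "Google"}


def missing_provider_creds(template: dict) -> dict:
    """Return {auth stack logical id: [providers with no hosted UI creds]}."""
    problems = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::CloudFormation::Stack":
            continue
        params = res.get("Properties", {}).get("Parameters", {})
        if "hostedUIProviderCreds" not in params:
            continue  # nested stack without hosted UI auth; nothing to check
        # Providers the template declares via their client-id parameter.
        expected = {name for key, name in PROVIDER_PARAMS.items() if params.get(key)}
        # hostedUIProviderCreds is a JSON array serialised into a string.
        try:
            creds = json.loads(params["hostedUIProviderCreds"] or "[]")
        except json.JSONDecodeError:
            creds = []
        # Count a provider as configured only if both id and secret are set.
        present = {c.get("ProviderName") for c in creds
                   if isinstance(c, dict) and c.get("client_id") and c.get("client_secret")}
        missing = sorted(expected - present)
        if missing:
            problems[logical_id] = missing
    return problems


# Constructed sample that mirrors the preview root stack quoted in the issue:
# googleClientId is set but hostedUIProviderCreds is the empty list.
PREVIEW_ROOT_STACK = {"Resources": {"authExample": {
    "Type": "AWS::CloudFormation::Stack",
    "Properties": {"Parameters": {
        "googleClientId": "placeholder.apps.googleusercontent.com",
        "hostedUIProviderCreds": "[]",
        "env": "pr1"}}}}}

if __name__ == "__main__":
    gaps = missing_provider_creds(PREVIEW_ROOT_STACK)
    if gaps:  # fail the build before amplifyPush hands the template to CloudFormation
        raise SystemExit(f"hostedUIProviderCreds incomplete: {gaps}")
    print("every configured social provider has hosted UI credentials")
```

Run against the preview template from this report, it exits non-zero with `{'authExample': ['Google']}`; against the working backend's template it finds nothing, which is a cheaper signal than waiting for `OAuthCustomResourceInputs` to fail inside CloudFormation.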

ghost commented 1 year ago

Hi @Femi-lawal thanks for raising this issue. Glad you were able to identify a workaround for this bug! We are working on reproducing this bug and prioritizing this for mitigation.