aws-solutions / cognito-user-profiles-export-reference-architecture

A reference architecture for exporting user profiles, group details, and group memberships from an Amazon Cognito User Pool to an Amazon DynamoDB global table using AWS Step Functions and AWS Lambda.
https://aws.amazon.com/solutions/implementations/cognito-user-profiles-export-reference-architecture/
Apache License 2.0

Permitted pattern for PrimaryUserPoolId does not align with pool name requirement of Cognito service #10

Closed rjd1 closed 3 years ago

rjd1 commented 3 years ago

Describe the bug
It's possible to have a user pool in place with a name that is not accepted by this solution. This is because the permitted pattern of PrimaryUserPoolId is not consistent with the Cognito service requirement.

To Reproduce
Through the AWS console or via CLI, it's possible to create, e.g., a pool named MY-POOL. Then if this is specified in the PrimaryUserPoolId parameter to cognito-user-profiles-export-reference-architecture.template it will cause an error.

Expected behavior
The solution should accept a name with a dash in it and proceed with the CF stack create.

Please complete the following information about the solution:

To get the version of the solution, you can look at the description of the created CloudFormation stack. For example, "(SO0126) - Cognito User Profiles Export Reference Architecture. Version v1.0.0". If the description does not contain the version information, you can look at the mappings section of the template:

Mappings:
  SourceCode:
    General:
      S3Bucket: "solutions"
      KeyPrefix: "cognito-user-profiles-export-reference-architecture/v1.0.0"

Screenshots
N/A

Additional context
The Cognito console and API documentation provide the regex name pattern as [\w\s+=,.@-]+

I also have an AWS Support case open on this (ID 8143657001), they suggested I create an Issue here.

ericquinones commented 3 years ago

Hi @rjd1 -

It appears that you're attempting to use the user pool's name as the value for this parameter instead of the pool's Id, which is separate. To find a user pool's ID, you can use the AWS Console:

The Pool Id is what needs to be supplied as a parameter to the CloudFormation template.

Apologies for the confusion. I've made a note to be more clear about this in the parameter description and our documentation.

Thank you

rjd1 commented 3 years ago

Hi @ericquinones,

Thanks for the response and clarification, not sure how I was getting those two mixed up.

I'm hitting another issue that appears to be permissions related. This is happening with the solution as built following the instructions in this project as well as a separate attempt just with the template version straight from the AWS Solutions documentation (that uses aws pre-configured buckets)...

2021-04-08T02:13:47.870Z    49c7548b-1b31-4dfe-a9e3-32f5cd4366e9    INFO    List Operation Results Response: {
    "ResponseMetadata": {
        "RequestId": "b9f5097a-9837-4da7-b334-d6965e89a956"
    },
    "Summaries": [
        {
            "Account": "[accound-id]",
            "Region": "us-east-1",
            "Status": "PENDING",
            "OrganizationalUnitId": ""
        },
        {
            "Account": "[accound-id]",
            "Region": "us-west-2",
            "Status": "RUNNING",
            "StatusReason": "The following resource(s) failed to create: [NotificationTopic, CognitoUserImportCloudWatchLogsRole, ImportNewUsersDeadLetterQueue, ImportCheckNewUserPoolLambdaRole, CheckExecutionsLambdaRole, UserImportJobMappingFilesLogsBucket]. Delete requested by user.",
            "AccountGateResult": {
                "Status": "SKIPPED",
                "StatusReason": "Insufficient permissions to invoke AWSCloudFormationStackSetAccountGate"
            },
            "OrganizationalUnitId": ""
        }
    ]
}
2021-04-08T02:15:31.244Z    c31fc5cb-57e5-4178-b462-aef291765a78    INFO    List Operation Results Response: 
{
    "ResponseMetadata": {
        "RequestId": "bf2173df-9529-4d98-b095-108389601e2c"
    },
    "Summaries": [
        {
            "Account": "[accound-id]",
            "Region": "us-west-2",
            "Status": "SUCCEEDED",
            "AccountGateResult": {
                "Status": "SKIPPED",
                "StatusReason": "Insufficient permissions to invoke AWSCloudFormationStackSetAccountGate"
            },
            "OrganizationalUnitId": ""
        },
        {
            "Account": "[accound-id]",
            "Region": "us-east-1",
            "Status": "SUCCEEDED",
            "AccountGateResult": {
                "Status": "SKIPPED",
                "StatusReason": "CloudFormation stack not found"
            },
            "OrganizationalUnitId": ""
        }
    ]
}

Any ideas on this?

Thank you, Ryan

ericquinones commented 3 years ago

Hi @rjd1 -

This seems like there might be a problem with the deployment of one of the StackSet instances and when it fails, it rolls back the entire deployment. When this solution is launched, your main CloudFormation template will begin deploying and then it will deploy a StackSet with one instance in each region.

To troubleshoot a bit more:

rjd1 commented 3 years ago

Hey @ericquinones,

I only see deleted StackSet stacks in the secondary region. Following is the resource failure from the CF events there.

Logical ID | Status | Status reason
-- | -- | --
NotificationTopic | CREATE_FAILED | Invalid parameter: Attributes Reason: DisplayName (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter; Request ID: 40d8b625-a850-5c7c-acb9-eecdc0a7a8f3; Proxy: null)

Thanks, Ryan

ericquinones commented 3 years ago

Hi @rjd1 -

I believe this is due to a known issue. The name of the CloudFormation stack used when the solution is launched is used to create the name of the SNS topic.

There’s a character limit for the topic Display Name but in cases where a long CloudFormation stack name is used, it puts us over that limit, hence the error.

Can you please try to launch the solution with a short CloudFormation stack name and see if that resolves it?

Thanks

rjd1 commented 3 years ago

Hi @ericquinones,

Looks like you're right about the issue, with a shorter name the stack created successfully. It'd definitely be good to have a warning about this in the documentation somewhere. Especially with the solution name being so long - I was actually just trying to use a shortened version of that originally for the stack (but obviously not shortened enough).

Really nice to finally get this to deploy properly. Thanks so much for your help!

Regards, Ryan

ericquinones commented 3 years ago

Hi @rjd1 -

Great, I'm glad you were able to deploy. Apologies for that issue with the stack name. This is something we'll be fixing the next time we update the solution.

Thanks

tomnight commented 3 years ago

Fixed in version 1.0.1
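The two mistakes this thread walks through (passing the pool name instead of the pool Id, and a stack name long enough that the derived SNS topic DisplayName is rejected) can both be caught before launching the stack. The following pre-flight check is an added example, not code from this project: the region-prefix shape of a Cognito pool Id, the `-NotificationTopic` suffix, and the 100-character display-name budget are assumptions to adjust, since the thread does not state how the topic name is derived or the exact limit.

```python
import re

# Assumed shape of a Cognito user pool Id: "<region>_<alphanumeric>", e.g. the
# constructed sample "us-east-1_AbCdEfGhI". A pool *name* such as MY-POOL has no
# region prefix and no underscore, so it does not match this.
USER_POOL_ID_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d+_[0-9A-Za-z]+$")

# Pool-name pattern quoted in the issue: [\w\s+=,.@-]+
USER_POOL_NAME_RE = re.compile(r"^[\w\s+=,.@-]+$")

# Assumptions: the solution derives the SNS topic display name from the stack
# name; the suffix and the 100-character budget are placeholders, not values
# taken from the template.
DISPLAY_NAME_SUFFIX = "-NotificationTopic"
MAX_DISPLAY_NAME = 100


def classify_pool_param(value):
    """Return 'id', 'name' or 'invalid' for a PrimaryUserPoolId candidate."""
    if USER_POOL_ID_RE.match(value):
        return "id"
    if USER_POOL_NAME_RE.match(value):
        return "name"  # looks like a pool name, which the parameter does not accept
    return "invalid"


def preflight(stack_name, pool_param, suffix=DISPLAY_NAME_SUFFIX, max_len=MAX_DISPLAY_NAME):
    """Collect the problems to fix before creating the stack; empty list means go."""
    problems = []
    kind = classify_pool_param(pool_param)
    if kind == "name":
        problems.append(
            f"PrimaryUserPoolId={pool_param!r} looks like a pool name; "
            "supply the pool Id (region_xxxxxxxxx) instead"
        )
    elif kind == "invalid":
        problems.append(f"PrimaryUserPoolId={pool_param!r} is neither a pool Id nor a valid pool name")
    derived = stack_name + suffix
    if len(derived) > max_len:
        problems.append(
            f"stack name {stack_name!r} is too long: derived SNS DisplayName is "
            f"{len(derived)} chars, limit assumed to be {max_len}"
        )
    return problems


if __name__ == "__main__":
    # Constructed inputs reproducing the two failures from the thread.
    for issue in preflight("cognito-user-profiles-export-reference-architecture-" + "x" * 60, "MY-POOL"):
        print("FAIL:", issue)
```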