aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0
11.38k stars 3.78k forks

(aws-cognito): enable mfa on existing user pool #21284

Closed HariboDev closed 1 month ago

HariboDev commented 1 year ago

Describe the bug

Using old Cognito console to require MFA on an existing user pool results in an error being thrown and the deployment failing.

However, in the new Cognito console this is possible, but not through the CDK.

Considering that the CDK uses CloudFormation to deploy its resources, I am aware that this could be a CloudFormation bug rather than one with the CDK.

Expected Behavior

Due to it being possible in the new Cognito console, it is expected that the CDK can update the Cognito User Pool MFA settings and set MFA to required.

Current Behavior

The CDK and CloudFormation return an error stating that MFA cannot be set to required on an existing user pool. The stack then fails to deploy.

Reproduction Steps

Deploy the below Cognito User Pool:

// Import added for completeness; the original snippet assumed it was in scope
import * as Cognito from 'aws-cdk-lib/aws-cognito';

// emailVerificationTemplate is the poster's own email body string, defined elsewhere
new Cognito.UserPool(this, "UserPool", {
  userPoolName: "my-user-pool",
  selfSignUpEnabled: true,
  userVerification: {
    emailSubject: "Email Verification",
    emailBody: emailVerificationTemplate,
    emailStyle: Cognito.VerificationEmailStyle.CODE
  },
  email: Cognito.UserPoolEmail.withCognito("no-reply@my-website.com"),
  signInAliases: {
    username: false,
    email: true
  },
  passwordPolicy: {
    minLength: 8,
    requireLowercase: true,
    requireUppercase: true,
    requireDigits: true,
    requireSymbols: false
  },
  accountRecovery: Cognito.AccountRecovery.EMAIL_ONLY
});

Then update to include:

mfa: Cognito.Mfa.REQUIRED,
mfaSecondFactor: {
  sms: false,
  otp: true
},

Possible Solution

According to the Cognito developer documentation, MFA can only be set as Required when initially creating the user pool. It states that you should switch to the new console or use the SetUserPoolMfaConfig API to set MFA to required for an existing user pool.

Therefore, should the API used by the CDK to deploy MFA changes be the SetUserPoolMfaConfig API?

Reference: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html#user-pool-settings-mfa-prerequisites

Additional Information/Context

No response

CDK CLI Version

2.33.0 (build 859272d)

Framework Version

No response

Node.js Version

16.13.2

OS

Ubuntu (Linux)

Language

Typescript

Language Version

TypeScript (3.9.7)

Other information

No response
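The "Possible Solution" above points at the SetUserPoolMfaConfig API as the path for enforcing MFA on a pool that already exists. The following is an added example (not code from the issue or from the CDK project) of the two pieces a practitioner would want around that call: a builder for the request body that refuses the combination Cognito would reject (MFA required with no second factor), and a drift check that reads a GetUserPoolMfaConfig-shaped response and answers whether MFA is actually enforced. The type definitions are hand-written mirrors of the API shapes rather than imports from `@aws-sdk/client-cognito-identity-provider`, so the file runs without the SDK; the user pool id and the sample response are constructed placeholders.

```typescript
// Added example: request builder + enforcement check for Cognito user pool MFA.
// The interfaces below are hand-written mirrors of the SetUserPoolMfaConfig /
// GetUserPoolMfaConfig shapes (assumption: field names as in the public API),
// kept local so this runs without the AWS SDK installed.

type MfaConfiguration = 'OFF' | 'ON' | 'OPTIONAL';

interface SoftwareTokenMfaConfig { Enabled?: boolean; }

interface SmsMfaConfig {
  SmsAuthenticationMessage?: string;
  SmsConfiguration?: { SnsCallerArn: string; ExternalId?: string; SnsRegion?: string };
}

// Common body of both the Set input and the Get output.
interface UserPoolMfaConfig {
  MfaConfiguration?: MfaConfiguration;
  SoftwareTokenMfaConfiguration?: SoftwareTokenMfaConfig;
  SmsMfaConfiguration?: SmsMfaConfig;
}

interface SetUserPoolMfaConfigInput extends UserPoolMfaConfig { UserPoolId: string; }

// Same shape as the issue's mfaSecondFactor block: which second factors to allow.
interface SecondFactor { sms: boolean; otp: boolean; }

// Build the SetUserPoolMfaConfig input that makes MFA required on an existing pool.
// Rejects the "required but no factor enabled" state locally instead of letting the
// service (or a failed deployment) report it.
function buildSetMfaRequiredInput(
  userPoolId: string,
  secondFactor: SecondFactor,
  snsCallerArn?: string,   // only needed when SMS is one of the allowed factors
): SetUserPoolMfaConfigInput {
  if (!secondFactor.sms && !secondFactor.otp) {
    throw new Error('MFA cannot be required without at least one second factor enabled');
  }
  const input: SetUserPoolMfaConfigInput = {
    UserPoolId: userPoolId,
    MfaConfiguration: 'ON',
    SoftwareTokenMfaConfiguration: { Enabled: secondFactor.otp },
  };
  if (secondFactor.sms) {
    if (!snsCallerArn) {
      throw new Error('SMS MFA needs the ARN of the SNS caller role');
    }
    input.SmsMfaConfiguration = { SmsConfiguration: { SnsCallerArn: snsCallerArn } };
  }
  return input;
}

// Drift check: given a GetUserPoolMfaConfig-shaped response, is MFA really enforced?
// "ON" alone is not enough; at least one factor must be usable. SMS is treated as
// available when an SmsMfaConfiguration block is present (assumption about the
// response shape).
function isMfaEnforced(cfg: UserPoolMfaConfig): boolean {
  const otpAvailable = cfg.SoftwareTokenMfaConfiguration?.Enabled === true;
  const smsAvailable = cfg.SmsMfaConfiguration !== undefined;
  return cfg.MfaConfiguration === 'ON' && (otpAvailable || smsAvailable);
}

// Constructed sample, shaped like a GetUserPoolMfaConfig response, for a pool that
// was deployed from the first snippet in the issue and never updated (MFA still OFF).
const SAMPLE_BEFORE: UserPoolMfaConfig = {
  MfaConfiguration: 'OFF',
  SoftwareTokenMfaConfiguration: { Enabled: false },
};

// Request that mirrors the issue's update: MFA required, TOTP only, no SMS.
// 'us-east-1_EXAMPLEPOOL' is a placeholder user pool id.
const REQUIRED_OTP_ONLY = buildSetMfaRequiredInput('us-east-1_EXAMPLEPOOL', { sms: false, otp: true });

console.log('before update enforced:', isMfaEnforced(SAMPLE_BEFORE));      // false
console.log('request enforces MFA:', isMfaEnforced(REQUIRED_OTP_ONLY));    // true
```

To apply the request, pass the returned object to `new SetUserPoolMfaConfigCommand(input)` from `@aws-sdk/client-cognito-identity-provider` and send it with a `CognitoIdentityProviderClient`; to run the drift check against a live pool, feed the output of `GetUserPoolMfaConfigCommand` to `isMfaEnforced`. Keeping the builder and the check pure makes them easy to unit test and to run in a scheduled compliance job that flags pools whose MFA setting has been relaxed outside of the IaC path.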

corymhall commented 1 year ago

@HariboDev this is indeed a CloudFormation limitation. https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/1176

This will be blocked until CloudFormation supports this behavior.

metametadata commented 1 month ago

I think this issue can be closed. https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/1176 was shipped and CDK works as expected now.

khushail commented 1 month ago

Supported through CDK - https://github.com/aws/aws-cdk/blob/3ee5ce03905e5d12d569bcc58b8134c81a97d7c7/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts#L378

github-actions[bot] commented 1 month ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.