pulumi / pulumi-aws

An Amazon Web Services (AWS) Pulumi resource package, providing multi-language access to AWS
Apache License 2.0

Cognito UserPool drifts birthdate schema #4158

Open t0yv0 opened 5 days ago

t0yv0 commented 5 days ago

Describe what happened

Provisioning an aws.cognito.UserPool now automatically injects a "birthdate" schema into outputs, and subsequent pulumi up shows a diff that wants to remove it.

This problem was detected by the TestRegress2868 test (addressing https://github.com/pulumi/pulumi-aws/issues/2868) that started failing without any code changes in pulumi-aws. There is possibly a change to the underlying service behavior. The test passed on the 6.42.1 release but is now failing as of Jul 2, 2024.

Sample program

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

export const AppUsersPool = new aws.cognito.UserPool("test-user-pool-4", {
    accountRecoverySetting: {
        recoveryMechanisms: [{
            name: "verified_email",
            priority: 1,
        }],
    },
    autoVerifiedAttributes: ["email"],
    mfaConfiguration: "OPTIONAL",
    name: "test-user-pool-4",
    passwordPolicy: {
        minimumLength: 8,
        requireLowercase: true,
        requireNumbers: true,
        requireSymbols: true,
        requireUppercase: true,
        temporaryPasswordValidityDays: 300,
    },
    schemas: [{
        attributeDataType: "String",
        mutable: true,
        name: "name",
        required: true,
        stringAttributeConstraints: {
            maxLength: "2048",
            minLength: "0",
        },
    }],
    softwareTokenMfaConfiguration: {
        enabled: true,
    },
    usernameAttributes: ["email"],
    usernameConfiguration: {
        caseSensitive: false,
    },
});

Log output

pulumi preview diff shows this:

Previewing update (repro-2868)

View Live: https://app.pulumi.com/anton-pulumi-corp/regress-2868/repro-2868/previews/df782276-b2d7-40eb-8262-dd1f9b2b2da4

  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:repro-2868::regress-2868::pulumi:pulumi:Stack::regress-2868-repro-2868]
    ~ aws:cognito/userPool:UserPool: (update)
        [id=us-west-2_9WcQQRrMr]
        [urn=urn:pulumi:repro-2868::regress-2868::aws:cognito/userPool:UserPool::test-user-pool-4]
        [provider=urn:pulumi:repro-2868::regress-2868::pulumi:providers:aws::default_6_42_1::253529ba-3ef5-49fa-89d7-6a4efb3617b4]
      ~ schemas: [
          ~ [0]: {
                  + __defaults                : []
                  - attributeDataType         : "String"
                  - attributeDataType         : "String"
                  - developerOnlyAttribute    : false
                  - mutable                   : true
                  - mutable                   : true
                  - name                      : "birthdate"
                  - name                      : "birthdate"
                  ~ required                  : false => true
                  ~ stringAttributeConstraints: {
                      + __defaults: []
                      - maxLength : "10"
                      - maxLength : "10"
                      - minLength : "4"
                      - minLength : "4"
                    }
                }
          - [1]: {
                  - attributeDataType         : "String"
                  - developerOnlyAttribute    : false
                  - mutable                   : true
                  - name                      : "name"
                  - numberAttributeConstraints: <null>
                  - required                  : true
                  - stringAttributeConstraints: {
                      - maxLength: "2048"
                      - minLength: "0"
                    }
                }
        ]
    --outputs:--
  ~ AppUsersPool: {
        accountRecoverySetting       : {
            recoveryMechanisms: [
                [0]: {
                    name    : "verified_email"
                    priority: 1
                }
            ]
        }
        adminCreateUserConfig        : {
            allowAdminCreateUserOnly: false
            inviteMessageTemplate   : <null>
        }
      + aliasAttributes              : []
        arn                          : "arn:aws:cognito-idp:us-west-2:616138583583:userpo
ol/us-west-2_9WcQQRrMr"
        autoVerifiedAttributes       : [
            [0]: "email"
        ]
        creationDate                 : "2024-07-02T15:12:22Z"
        deletionProtection           : "INACTIVE"
        emailConfiguration           : {
            configurationSet   : ""
            emailSendingAccount: "COGNITO_DEFAULT"
            fromEmailAddress   : ""
            replyToEmailAddress: ""
            sourceArn          : ""
        }
        endpoint                     : "cognito-idp.us-west-2.amazonaws.com/us-west-2_9Wc
QQRrMr"
        estimatedNumberOfUsers       : 0
        id                           : "us-west-2_9WcQQRrMr"
        lastModifiedDate             : "2024-07-02T15:12:22Z"
        mfaConfiguration             : "OPTIONAL"
        name                         : "test-user-pool-4"
        passwordPolicy               : {
            minimumLength                : 8
            requireLowercase             : true
            requireNumbers               : true
            requireSymbols               : true
            requireUppercase             : true
            temporaryPasswordValidityDays: 300
        }
        softwareTokenMfaConfiguration: {
            enabled: true
        }
        urn                          : "urn:pulumi:repro-2868::regress-2868::aws:cognito/
userPool:UserPool::test-user-pool-4"
        usernameAttributes           : [
            [0]: "email"
        ]
        usernameConfiguration        : {
            caseSensitive: false
        }
        verificationMessageTemplate  : {
            defaultEmailOption: "CONFIRM_WITH_CODE"
            emailMessage      : ""
            emailMessageByLink: ""
            emailSubject      : ""
            emailSubjectByLink: ""
            smsMessage        : ""
        }
    }
Resources:              
    ~ 1 to update
    1 unchanged

This is a confusing presentation (due to set diffs being confusing) but what is happening is that it's trying to remove the birthday schema. From `pulumi stack export`, the outputs now contain this:

                   "schemas": [
                        {
                            "attributeDataType": "String",
                            "developerOnlyAttribute": false,
                            "mutable": true,
                            "name": "birthdate",
                            "numberAttributeConstraints": null,
                            "required": false,
                            "stringAttributeConstraints": {
                                "maxLength": "10",
                                "minLength": "4"
                            }
                        },
                        {
                            "attributeDataType": "String",
                            "developerOnlyAttribute": false,
                            "mutable": true,
                            "name": "name",
                            "numberAttributeConstraints": null,
                            "required": true,
                            "stringAttributeConstraints": {
                                "maxLength": "2048",
                                "minLength": "0"
                            }
                        }
                    ],

Affected Resource(s)

aws.cognito.UserPool

Output of pulumi about

CLI          
Version      3.121.0
Go Version   go1.22.4
Go Compiler  gc

Plugins
KIND      NAME    VERSION
resource  aws     6.42.1
language  nodejs  unknown

Host     
OS       darwin
Version  14.5
Arch     arm64

This project is written in nodejs: executable='/Users/anton/bin/node' version='v18.18.2'

Current Stack: anton-pulumi-corp/regress-2868/repro-2868

TYPE                           URN
pulumi:pulumi:Stack            urn:pulumi:repro-2868::regress-2868::pulumi:pulumi:Stack::regress-2868-repro-2868
pulumi:providers:aws           urn:pulumi:repro-2868::regress-2868::pulumi:providers:aws::default_6_42_1
aws:cognito/userPool:UserPool  urn:pulumi:repro-2868::regress-2868::aws:cognito/userPool:UserPool::test-user-pool-4

Found no pending operations associated with repro-2868

Backend        
Name           pulumi.com
URL            https://app.pulumi.com/anton-pulumi-corp
User           anton-pulumi-corp
Organizations  anton-pulumi-corp, moolumi, demo, pulumi
Token type     personal

Dependencies:
NAME            VERSION
@pulumi/aws     6.42.1
@pulumi/pulumi  3.122.0
@types/aws-sdk  2.7.0
@types/node     8.10.66

Pulumi locates its logs in /var/folders/gd/3ncjb1lj5ljgk8xl5ssn_gvc0000gn/T/com.apple.shortcuts.mac-helper// by default

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

jamie1911 commented 5 days ago

Hello, I was about to open a case on this. It seems to be an issue with AWS Cognito itself as they recently changed or broke something. I've been tracking it here: https://github.com/hashicorp/terraform-provider-aws/issues/38197

t0yv0 commented 5 days ago

Thanks @jamie1911 this is super helpful to have the upstream linked here!

I could work around it in our test by adding "birthdate" to the source program in https://github.com/pulumi/pulumi-aws/pull/4159 - can you similarly work around it for your Pulumi use case?
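
An added example, not part of the thread and not code from pulumi-aws or PR 4159: a helper that compares the schemas declared in the sample program with the `schemas` list from `pulumi stack export` and returns the service-injected entries in input form, so they can be appended to `schemas` as the workaround describes. The names `SchemaAttr`, `undeclaredSchemas` and `reconciledSchemas` are hypothetical, and which fields the PR actually set is an assumption; the sample data is copied from the issue.

```typescript
// Types mirror only the fields visible in the issue's stack export excerpt;
// they are not the provider's own typings.
interface SchemaAttr {
    attributeDataType: string;
    developerOnlyAttribute?: boolean;
    mutable?: boolean;
    name: string;
    numberAttributeConstraints?: unknown;
    required?: boolean;
    stringAttributeConstraints?: { maxLength?: string; minLength?: string } | null;
}

// Constructed sample: the "schemas" output shown in the issue.
const exportedSchemas: SchemaAttr[] = [
    { attributeDataType: "String", developerOnlyAttribute: false, mutable: true,
      name: "birthdate", numberAttributeConstraints: null, required: false,
      stringAttributeConstraints: { maxLength: "10", minLength: "4" } },
    { attributeDataType: "String", developerOnlyAttribute: false, mutable: true,
      name: "name", numberAttributeConstraints: null, required: true,
      stringAttributeConstraints: { maxLength: "2048", minLength: "0" } },
];

// Constructed sample: the schemas declared in the issue's sample program.
const declaredSchemas: SchemaAttr[] = [
    { attributeDataType: "String", mutable: true, name: "name", required: true,
      stringAttributeConstraints: { maxLength: "2048", minLength: "0" } },
];

// Schema attributes present in state but absent from the program, reshaped to
// the field set the sample program uses (null and output-only fields dropped).
function undeclaredSchemas(declared: SchemaAttr[], exported: SchemaAttr[]): SchemaAttr[] {
    const known = new Set(declared.map((s) => s.name));
    return exported.filter((s) => !known.has(s.name)).map((s) => {
        const input: SchemaAttr = {
            attributeDataType: s.attributeDataType, mutable: s.mutable,
            name: s.name, required: s.required,
        };
        if (s.stringAttributeConstraints) {
            input.stringAttributeConstraints = { ...s.stringAttributeConstraints };
        }
        return input;
    });
}

// Declared schemas plus the injected ones: a candidate `schemas` input list.
function reconciledSchemas(declared: SchemaAttr[], exported: SchemaAttr[]): SchemaAttr[] {
    return [...declared, ...undeclaredSchemas(declared, exported)];
}
```

A non-empty result from `undeclaredSchemas` is also a usable CI signal that the service has added attributes to the pool that the program does not declare.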