Amplify-cli: Can't remove Cognito triggers/lambda with amplify update auth

@fdelhoste
Was not able to reproduce the issue.
This looks like there is some issue during npm or yarn installation.
Did you use "yarn" or "npm" to install the CLI?
Could you try to first completely remove the Amplify CLI and then use npm install -g @aws-amplify/cli to install it again?

It happened the same to me. I tried to reinstall @aws-amplify/cli globally and it didn't work. I only get this solved by re-adding auth category.

I think I ran into a similar issue with trying to remove the capability: "Email Verification Link with Redirect". Which I believe is just trying to remove a Lambda from Cognito.

I am trying to disable the Email verification link after having already pushed and deployed it.

Do you want to enable any of the following capabilities? (Press <space> to select, <a> to toggle all, <i> to invert selection)
❯◯ Add Google reCaptcha Challenge
 ◉ Email Verification Link with Redirect
 ◯ Add User to Group
 ◯ Email Domain Filtering (blacklist)
 ◯ Email Domain Filtering (whitelist)
 ◯ Custom Auth Challenge Flow (basic scaffolding - not for production)
 ◯ Override ID Token Claims

I get this too while trying to remove Google reCaptcha Challenge

This is preventing me from removing DefineAuthChallenge, CreateAuthChallenge, and VerifyAuthChallengeResponse lambda functions that Amplify auth created. If I try to remove them manually with amplify function remove I get Resource cannot be removed because it has a dependency on another resource. 🚒

@patspam @KidSysco Which version of the CLI are you'll on and do you see get the same error messahe as the one in the description - Error: Function plugin not installed in the CLI. You need to install it to use th...?

I think I was on 3.15 at the time. I am on 3.16 now. I don't know if it is still an issue. I deleted the category and added it again to clean up the lambda that would not remove.

I don't feel like going through all of that again, sorry, but I don't have time to test this stuff. I have apps to write, and honestly, I have to deal with the fact that I keep deleting categories in order to fix things. That is not really going to be a very acceptable answer if we get to production with Amplify, so... I am just reporting a bug.

However, we are currently evaluating Amplify for our next app, so I would be interested in knowing if the issue gets fixed, I just don't have time to be the tester.

@patspam @KidSysco Which version of the CLI are you'll on and do you see get the same error messahe as the one in the description - Error: Function plugin not installed in the CLI. You need to install it to use th...?

I'm on 3.16.0 and still seeing it.

Error is:

Error: Function plugin not installed in the CLI. You need to install it to use this feature.
    at /Users/foo/.config/yarn/global/node_modules/@aws-amplify/cli/lib/extensions/amplify-helpers/trigger-flow.js:228:23
    at step (/Users/foo/.config/yarn/global/node_modules/@aws-amplify/cli/lib/extensions/amplify-helpers/trigger-flow.js:33:23)
    at Object.next (/Users/foo/.config/yarn/global/node_modules/@aws-amplify/cli/lib/extensions/amplify-helpers/trigger-flow.js:14:53)
    at /Users/foo/.config/yarn/global/node_modules/@aws-amplify/cli/lib/extensions/amplify-helpers/trigger-flow.js:8:71
    at new Promise (<anonymous>)
    at __awaiter (/Users/foo/.config/yarn/global/node_modules/@aws-amplify/cli/lib/extensions/amplify-helpers/trigger-flow.js:4:12)
    at AmplifyToolkit.deleteTrigger [as _deleteTrigger] (/Users/foo/.config/yarn/global/node_modules/@aws-amplify/cli/lib/extensions/amplify-helpers/trigger-flow.js:216:60)
    at /Users/foo/.config/yarn/global/node_modules/@aws-amplify/cli/lib/extensions/amplify-helpers/trigger-flow.js:205:54
    at step (/Users/foo/.config/yarn/global/node_modules/@aws-amplify/cli/lib/extensions/amplify-helpers/trigger-flow.js:33:23)
    at Object.next (/Users/foo/.config/yarn/global/node_modules/@aws-amplify/cli/lib/extensions/amplify-helpers/trigger-flow.js:14:53)

Tried upgrading to 3.17.0, same error.

It works if I delete and recreate the entire auth category, but that's going to cause a whole lot of pain elsewhere.

Yea, that is my general experience with Amplify. Once I start using it seriously enough for a production app, I find myself in one of two positions which are rather bad...

1. I must delete a category and re-add it to fix something.

or...

1. I find that I cannot deploy due to a failure in Amplify-Console.

I find myself in one of those 2 positions quite frequently. Neither of those situations is a good place to be once we land in production.

We love the idea of Amplify, but we will probably need to see substantial work done on Amplify before we would feel comfortable taking it to production. It's just not ready for our needs quite yet.

Coming across this as well (amplify cli v3.17.0). If it's any help, I got the same error as above but with the following edit to the last steps:

...

1. Run amplify update auth
2. Add a Lambda Triggers ◉ Pre Sign-up is enabled
3. setup pre sign-up function and pushed it and tested it a few times
4. decided I want the function to run at a different step
5. Run amplify update auth
6. Walk through the list (not modifying anything) until:
   ? Which triggers do you want to enable for Cognito (Press <space> to select, <a> to toggle all, <i> to invert selection)
7. deselect pre sign-up: ❯◯ Pre Sign-up
8. Accept the changes
9. See the error:

Do you want to use an OAuth flow? No
? Do you want to configure Lambda Triggers for Cognito? Yes
? Which triggers do you want to enable for Cognito 
Error: Function plugin not installed in the CLI. You need to install it to use this feature.
    at /usr/local/lib/node_modules/@aws-amplify/cli/lib/extensions/amplify-helpers/trigger-flow.js:228:23
    at step (/usr/local/lib/node_modules/@aws-amplify/cli/lib/extensions/amplify-helpers/trigger-flow.js:33:23)
    at Object.next (/usr/local/lib/node_modules/@aws-amplify/cli/lib/extensions/amplify-helpers/trigger-flow.js:14:53)
    at /usr/local/lib/node_modules/@aws-amplify/cli/lib/extensions/amplify-helpers/trigger-flow.js:8:71
    at new Promise (<anonymous>)
    at __awaiter (/usr/local/lib/node_modules/@aws-amplify/cli/lib/extensions/amplify-helpers/trigger-flow.js:4:12)
    at AmplifyToolkit.deleteTrigger [as _deleteTrigger] (/usr/local/lib/node_modules/@aws-amplify/cli/lib/extensions/amplify-helpers/trigger-flow.js:216:60)
    at /usr/local/lib/node_modules/@aws-amplify/cli/lib/extensions/amplify-helpers/trigger-flow.js:205:54
    at step (/usr/local/lib/node_modules/@aws-amplify/cli/lib/extensions/amplify-helpers/trigger-flow.js:33:23)
    at Object.next (/usr/local/lib/node_modules/@aws-amplify/cli/lib/extensions/amplify-helpers/trigger-flow.js:14:53)
There was an error adding the auth resource

I just hit this same issue trying to remove an add to group trigger that isn't working.

I will be re-adding auth as well.

still there on version 4.2.0

To get out of the situation whithout deleting the category and recreating it, the best is to remove everywhere the desired trigger:

• Cloudformation template on the S3 deployment bucket (just download it, remove the references and put it back on S3) -> nested-cloudformation-stack.yml
• Cloudformation with changeset (designer can be useful to run a changeset)
• amplify folders (backend and #current-cloud-backend) (the function folder + all the reference to the function in auth params, cloudformation, amplify-meta,....)

Then run amplify init and select the desired env and now when running amplify status, it should show you the function in Detele operation.
I'm not sure all the steps of deletion are mandatory (some could be skipped I suppose) but at least, I managed to remove the function with this without deleting my user pool.

@fdelhoste I believe I've found the root cause of this - currently working on/testing a fix.

I'm not even able to see the option to add or remove auth triggers when running amplify update auth. I used to have triggers working but they silently broke and now I cannot try to reconnect them in the CLI.

@houmark the Lambda triggers are use-case based and is a part of the update flow (in the latest version of the CLI - 4.12).
Are you not able to see the below mentioned options?

f45c89966b0d:oliand kaustavg$ amplify update auth
Please note that certain attributes may not be overwritten if you choose to use defaults settings.

You have configured resources that might depend on this Cognito resource.  Updating this Cognito resource could have unintended side effects.

Using service: Cognito, provided by: awscloudformation
 What do you want to do? Walkthrough all the auth configurations
 Select the authentication/authorization services that you want to use: User Sign-Up, Sign-In, connected with AWS IAM controls (Enables per-user Storage features for i
mages or other content, Analytics, and more)
 Allow unauthenticated logins? (Provides scoped down permissions that you can control via AWS IAM) Yes
 Do you want to enable 3rd party authentication providers in your identity pool? Yes
 Select the third party identity providers you want to configure for your identity pool: Facebook

 You've opted to allow users to authenticate via Facebook.  If you haven't already, you'll need to go to https://developers.facebook.com and create an App ID. 

 Enter your Facebook App ID for your identity pool:  njn
 Do you want to add User Pool Groups? Yes
? Provide a name for your user pool group: sdfdsf
? Do you want to add another User Pool Group No
✔ Sort the user pool groups in order of preference · sdfdsf
 Do you want to add an admin queries API? No
 Multifactor authentication (MFA) user login options: OFF
 Email based user registration/forgot password: Enabled (Requires per-user email entry at registration)
 Please specify an email verification subject: Your verification code
 Please specify an email verification message: {####}
 Do you want to override the default password policy for this User Pool? No
 Specify the app's refresh token expiration period (in days): 30
 Do you want to specify the user attributes this app can read and write? No
 Do you want to enable any of the following capabilities? (Press <space> to select, <a> to toggle all, <i> to invert selection)
❯◯ Add Google reCaptcha Challenge
 ◯ Email Verification Link with Redirect
 ◯ Add User to Group
 ◯ Email Domain Filtering (blacklist)
 ◯ Email Domain Filtering (whitelist)
 ◯ Custom Auth Challenge Flow (basic scaffolding - not for production)
 ◯ Override ID Token Claims
 Do you want to use an OAuth flow? No
? Do you want to configure Lambda Triggers for Cognito? Yes
? Which triggers do you want to enable for Cognito (Press <space> to select, <a> to toggle all, <i> to invert selection)
❯◯ Learn More
 ──────────────
 ◉ Create Auth Challenge
 ◉ Custom Message
 ◉ Define Auth Challenge
 ◯ Post Authentication
 ◯ Post Confirmation

The fix for the original issue - tied to removing of auth triggers has been merged and release in CLI v4.12.0. Please comment on this thread if you're still seeing issues tied to removal of auath triggers.

Hi, Unfortunately, after upgrading to 4.12.0, I always have the issue
Resource cannot be removed because it has a dependency on another resource
Dependency: Cognito:mycognito3a5da5dc
Error: Resource cannot be removed because it has a dependency on another resource,

On 4.13.1 and I can't remove amplify remove auth as I end up with this error

Resource cannot be removed because it has a dependency on another resource Dependency: API Gateway:AdminQueries

@bijanv Yes, since the Admin Queries require and reference your auth resource, that's the reason you can't just remove auth independently - since that you break your AdminQueries API which depends on auth.

Thanks @kaustavghosh06. Understand that piece and there is no issue on the reasoning behind it. There's just no clear path on removing the Admin Queries so that I could remove my auth cleanly after that. Had to manually go and edit contents of config files to remove references to the Admin Query, and then manually delete the API Gateway from the AWS Console before I could run amplify remove auth. I assume this process is not intended? Or if it is then hopefully some documentation can be added to clarify the right way to approach this process.

FWIW, I am on 4.13.3 and just walked to the steps in amplify update auth and deselected my Post Authentication trigger then ran amplify push. It deleted the function from my IDE and in the console under lambda. It did throw an error during the push, but it was that it couldn't delete the IAM Role attached to that function because I had policies on it I created. I deleted the policies and then the role in the AWS console and seem to be good to go.

This is still an issue. Why is it closed?

I have remove Auth after a couple failed attempts. I had to pull then remove auth, then push to achieve this.

However i can't for the life of me remove these Functions via command line or otherwise:

| Category | Resource name                               | Operation | Provider plugin   |
| -------- | ------------------------------------------- | --------- | ----------------- |
| Api      | stations                                    | No Change | awscloudformation |
| Function | stations7f3b2269DefineAuthChallenge         | No Change | awscloudformation |
| Function | stations7f3b2269CreateAuthChallenge         | No Change | awscloudformation |
| Function | stations7f3b2269VerifyAuthChallengeResponse | No Change | awscloudformation |
| Function | stations7f3b2269CustomMessage               | No Change | awscloudformation |
| Function | stations7f3b2269PostConfirmation            | No Change | awscloudformation |
| Function | stations7f3b2269PreSignup                   | No Change | awscloudformation |

Any ideas?

Thanks in advance!

@bmilesp Did you try amplify function remove?

@kaustavghosh06 that did it! Thank you!

I solved it with the following steps:

Execute amplify update auth

? What do you want to do? Walkthrough all the auth configurations
... 

_On the next step, you choose "yes" and unselect all triggers from that list_

? Do you want to configure Lambda Triggers for Cognito? Yes     
? Which triggers do you want to enable for Cognito (Press <space> to select, <a> to toggle all, <i> to invert selection)
 ◯ Create Auth Challenge
 ◯ Custom Message
 ◯ Define Auth Challenge
 ◯ Post Authentication
 ◯ Post Confirmation

Then you can run amplify push and the triggers should be removed.

Same problem, why is this closed? amplify update auth does not work. Deselect trigger, do an "amplify push" and it insists there's been "no change" to Auth. This is just one of many issues with dependencies, I'm noticing. Using layers is also pretty broken. I've lost count of how many times I've had to tear down and reinstall everything from scratch.

Same problem, why is this closed? amplify update auth does not work. Deselect trigger, do an "amplify push" and it insists there's been "no change" to Auth. This is just one of many issues with dependencies, I'm noticing. Using layers is also pretty broken. I've lost count of how many times I've had to tear down and reinstall everything from scratch.

Same here (cli version 4.40.0). Triggers are not actually removed when deselecting them in the amplify auth update walkthrough. No changes are made to local (tracked) files.

They are removed if you add a new trigger at the same time. Although you're then stuck with a different redundant trigger and manually removing the trigger from the yaml/json doesn't get picked up as a change by the cli.

Does this need to be reopened @kaustavghosh06 ?