Amplify-cli: deployment-secrets.json migration causes amplify[hostedUIProviderCreds] must have values error on amplify push
After upgrading cli to 4.34.0, the cli forces to move secrets from team-provider-info.json to deployment-secrets.json on amplify push
After selecting Yes, it seem like the migration is successful and push works just fine. However, the deployment-secrets.json is never created and on the future pushes, I get the following error:
amplify[hostedUIProviderCreds] must have values
It is due to deletion of the hostedUIProviderCreds from the team-provider-info.
pedramp20
All 45 comments
@pedramp20 I am trying to reproduce this issue, what changes did you make before the second push?
ammarkarachi
on 24 Nov 2020
With the last version on env update
(venv) PS C:\Users\sinap\repo\lookea\influencers-dashboard> amplify status
? Amplify has been upgraded to handle secrets more securely by migrating some values in team-provider-info.json to deployment-secrets.json
You can create a back up of the team-provider-info.json file before proceeding. Yes
Error updating Cognito resource
File at path: 'C:\Users\sinap\repo\lookea\influencers-dashboard\amplify\backend\amplify-meta.json' does not exist
Error: File at path: 'C:\Users\sinap\repo\lookea\influencers-dashboard\amplify\backend\amplify-meta.json' does not exist
at Function.JSONUtilities.readJson (C:\Users\sinap\scoop\persist\nodejs\bin\node_modules\@aws-amplify\cli\node_modules\amplify-cli-core\src\jsonUtilities.ts:25:15)
at StateManager.getData (C:\Users\sinap\scoop\persist\nodejs\bin\node_modules\@aws-amplify\cli\node_modules\amplify-cli-core\src\state-manager\stateManager.ts:207:32)
at StateManager.getMeta (C:\Users\sinap\scoop\persist\nodejs\bin\node_modules\@aws-amplify\cli\node_modules\amplify-cli-core\src\state-manager\stateManager.ts:24:23)
at AmplifyToolkit.updateamplifyMetaAfterResourceAdd [as _updateamplifyMetaAfterResourceAdd] (C:\Users\sinap\scoop\persist\nodejs\bin\node_modules\@aws-amplify\cli\src\extensions\amplify-helpers\update-amplify-meta.ts:78:36)
at Object.externalAuthEnable (C:\Users\sinap\scoop\persist\nodejs\bin\node_modules\@aws-amplify\cli\node_modules\amplify-category-auth\src\index.js:137:21)
at processTicksAndRejections (internal/process/task_queues.js:93:5)
at Object.exports.migrateTeamProviderInfo (C:\Users\sinap\scoop\persist\nodejs\bin\node_modules\@aws-amplify\cli\src\utils\team-provider-migrate.ts:26:7)
at Object.run (C:\Users\sinap\scoop\persist\nodejs\bin\node_modules\@aws-amplify\cli\src\index.ts:82:11)
I have noticed alsa that in cognito it is removing information from hostedUIProviderCreds
index e17e1e5..5a40678 100644
--- a/amplify/team-provider-info.json
+++ b/amplify/team-provider-info.json
@@ -13,10 +13,9 @@
},
"categories": {
"auth": {
- "cognito937499ef": {
- "hostedUIProviderCreds": "[{\"ProviderName\":\"Facebook\",\"client_id\":\"XXXXXX\",\"client_secret\":\"XXXXXX\"},#{\"ProviderName\":\"Google\",\"client_id\":\"XXXX-XXX.apps.googleusercontent.com\",\"client_secret\":\"XXXX\"}]"
- },
- "userPoolGroups": {}
+ "cognito937499ef": {},
+ "userPoolGroups": {},
+ "cognito7904e5ed": {}
},
erodrig
on 24 Nov 2020
Hello guys,
Encountering the same error in my project.
Parameters: [hostedUIProviderCreds] must have values. Encountered the problem after the CLI update. Is this related to the update?
Also tried creating a new project but encountered the same error when creating a REST API.
BTW, it says "move secrets from team-provider-info.json to deployment-secrets.json" but where is the deployment-secrets.json located? Maybe, the CLI failed to create the file...
wcomicho
on 24 Nov 2020
Same here. I downgraded Amplify CLI to 4.29.0 and keeps happening, so I'm not sure it's related to the latest update.
asungomez
on 24 Nov 2020
Same here. I downgraded Amplify CLI to 4.29.0 and keeps happening, so I'm not sure it's related to the latest update.
Do you still encounter the error after downgrade?
wcomicho
on 24 Nov 2020
Yes, I do.
My amplify.yml script is:
- backend:
phases:
build:
commands:
- chmod +x amplifypush.sh
- ./amplifypush.sh -e dev
the amplifypush.sh file:
#!/usr/bin/env bash
set -e
IFS='|'
help_output () {
echo "usage: amplify-push <--environment|-e <name>> <--simple|-s>"
echo " --environment The name of the Amplify environment to use"
echo " --simple Optional simple flag auto-includes stack info from env cache"
exit 1
}
init_env () {
ENV=$1
AMPLIFY=$2
PROVIDERS=$3
CODEGEN=$4
AWSCONFIG=$5
CATEGORIES=$6
echo "# Start initializing Amplify environment: ${ENV}"
if [[ -z ${STACKINFO} ]];
then
echo "# Initializing new Amplify environment: ${ENV} (amplify init)"
amplify init --amplify ${AMPLIFY} --providers ${PROVIDERS} --codegen ${CODEGEN} --categories ${CATEGORIES} --yes;
echo "# Environment ${ENV} details:"
amplify env get --name ${ENV}
else
echo "STACKINFO="${STACKINFO}
echo "# Importing Amplify environment: ${ENV} (amplify env import)"
amplify env import --name ${ENV} --config "${STACKINFO}" --awsInfo ${AWSCONFIG} --categories ${CATEGORIES} --yes;
echo "# Initializing existing Amplify environment: ${ENV} (amplify init)"
amplify init --amplify ${AMPLIFY} --providers ${PROVIDERS} --codegen ${CODEGEN} --yes;
echo "# Environment ${ENV} details:"
amplify env get --name ${ENV}
fi
echo "# Done initializing Amplify environment: ${ENV}"
}
ENV=""
IS_SIMPLE=false
POSITIONAL=()
while [[ $# -gt 0 ]]
do
key="$1"
case ${key} in
-e|--environment)
ENV=$2
shift
;;
-r|--region)
REGION=$2
shift
;;
-s|--simple)
IS_SIMPLE=true
shift
;;
*)
POSITIONAL+=("$1")
shift
;;
esac
done
set -- "${POSITIONAL[@]}"
# if no provided environment name, use default env variable, then user override
if [[ ${ENV} = "" ]];
then
ENV=${AWS_BRANCH}
fi
if [[ ${USER_BRANCH} != "" ]];
then
ENV=${USER_BRANCH}
fi
# Check valid environment name
if [[ -z ${ENV} || "${ENV}" =~ [^a-zA-Z0-9\-]+ ]] ; then help_output ; fi
AWSCONFIG="{\
\"configLevel\":\"project\",\
\"useProfile\":true,\
\"profileName\":\"default\"\
}"
AMPLIFY="{\
\"envName\":\"${ENV}\"\
}"
PROVIDERS="{\
\"awscloudformation\":${AWSCONFIG}\
}"
CODEGEN="{\
\"generateCode\":false,\
\"generateDocs\":false\
}"
AUTHCONFIG="{\
\"googleAppIdUserPool\":\"${GOOGLE_CLIENT_ID}\",\
\"googleAppSecretUserPool\":\"${GOOGLE_CLIENT_SECRET}\"\
}"
CATEGORIES="{\
\"auth\":$AUTHCONFIG\
}"
# Handle old or new config file based on simple flag
if [[ ${IS_SIMPLE} ]];
then
echo "# Getting Amplify CLI Cloud-Formation stack info from environment cache"
export STACKINFO="$(envCache --get stackInfo)"
init_env ${ENV} ${AMPLIFY} ${PROVIDERS} ${CODEGEN} ${AWSCONFIG} ${CATEGORIES}
echo "# Store Amplify CLI Cloud-Formation stack info in environment cache"
STACKINFO="$(amplify env get --json --name ${ENV})"
envCache --set stackInfo ${STACKINFO}
echo "STACKINFO="${STACKINFO}
else
# old config file, above steps performed outside of this script
init_env ${ENV} ${AMPLIFY} ${PROVIDERS} ${CODEGEN} ${AWSCONFIG} ${CATEGORIES}
fi
I got this code from https://github.com/aws-amplify/amplify-console/issues/206
asungomez
on 24 Nov 2020
Hi guys,
Tried using southeast with root account. encountering the same error after doing an update.
wcomicho
on 24 Nov 2020
I think https://github.com/aws-amplify/amplify-cli/pull/5733 introduced this change, and was approved by at least one contributor to the project.
It looks like the migration code has been tested here: https://github.com/aws-amplify/amplify-cli/blob/d18f795560f0e671f63f1dcbe38931c951794619/packages/amplify-cli/src/__tests__/team-provider-migrate.test.ts#L143-L144
If I understand the test correctly it appears to assert that some code was called but does nothing to verify the behaviour (i.e. that a file is created on disk, that the contents of the file are correct, that a subsequent invocation of amplify push succeeds).
The description in the PR mentions a ~/,aws/amplify/deployment-secrets.json, which I'm guessing is a typo and should be ~/.aws/amplify/deployment-secrets.json? Mine contains this:
{
"appSecrets": []
}
I've found the following type that specifies the expected format of the new JSON file:
Given the severity of this issue (any affected customer will be unable to push changes to any Amplify backend) I'd like to humbly request a post-mortem on how this problem found its way to customers, and how the Amplify team plan to avoid causing this sort of disruption in future.
I hope some of the info above is helpful. If there's anything else I can do to help triage and resolve please holla. :mega:
jcf
on 24 Nov 2020
@wcomicho The file should be under~/.aws/amplify/deployment-secrets.json
ammarkarachi
on 24 Nov 2020
I am also having this issue. I upgraded to 4.35.0 and am receiving this error when trying to amplify push:
[hostedUIProviderCreds] must have values
The deployment-secrets.json file gets created but only has this in it:
{
"appSecrets": []
}
askurat
on 24 Nov 2020
Ok, so I was able to get this to work. It seems like version 4.34.0 removed the hostedUIProviderCreds: [] in the team-provider-info.json but didn't successfully add it to deployment-secrets.json.
I updated the categories section in team-provider-info.json with:
"auth": {
"[api_name]": {
"hostedUIProviderCreds": "[]"
},
"userPoolGroups": {}
},
The next time I ran amplify push it asked me to migrate to deployment-secrets.json and if I wanted to backup team-provider-info.json. I said yes and it successfully updated deployment-secrets.json:
{
"appSecrets": [
{
"rootStackId": "[stack_id]",
"environments": {
"dev": {
"auth": {
"[api_name]": {
"hostedUIProviderCreds": "[]"
}
}
}
}
}
]
}
The hostedUIProviderCreds gets managed in deployment secrets and then gets discarded after a successful push. I am curious whether there is a failure on the CLI end where this file isn't being written.
@askurat did the file have the hostedUIProviderCreds before the push?
ammarkarachi
on 24 Nov 2020
@ammarkarachi I do not remember if the CLI threw an error at me or not. After I upgraded to version 4.34.0 I do remember it asking me if I wanted to backup team-provider-info.json. I recall typing yes but don't remember if it errored on me or not. I was able to push after that upgrade.
When I updated to version 4.35.0 this morning and tried to do a push, it gave me the [hostedUIProviderCreds] must have values error. I then checked my team-provider-info.json on another branch, pre-upgrade, and noticed under the categories -> auth section, I had:
"[api_name]": {
"hostedUIProviderCreds": "[]"
},
So I added that back into my team-provider-info.json file, re-ran amplify push, and the CLI then asked me to migrate to deployment-secrets.json again. After it migrated I checked the deployment-secrets.json file and the hostedUIProviderCreds were added. Upon a successful push, hostedUIProviderCreds were removed but every push since has worked.
I hope all that made sense.
I'm guessing forcing the migration again must correct something in the CLI?
askurat
on 24 Nov 2020
This is a really rough one, I though it was just me so I tweeted about it then forgot about it https://twitter.com/CodingCatDev/status/1330596528889745410
There has to be a better way of making this and the team-provider-info.json details work more easily.
Especially in regards to the auth redirects. Those need to be moved from amplify-meta.json to team-provider-info.json. We are opening a door here (all be it not a huge one) as you are allowing other domains access in your production environments if you add them to this list.
ajonp
on 25 Nov 2020
Tried putting an entry in the deployment-secrets.json:
{
"rootStackId": "[my stack id here]",
"environments": {
"dev": {
"auth": {
"my auth input": {
"hostedUIProviderCreds": "[my google config]"
}
}
}
}
}
but now I am getting error message in cloudformation: The following resource(s) failed to create: [testDynamoDB]. The following resource(s) failed to update: [authtest2020].
wcomicho
on 25 Nov 2020
@askurat's fix worked for me too. I restored my team-provider-info.json from a btrfs snapshot, ran amplify push, and was prompted to migrate. Answering yes to the prompt resulted in my ~/.aws/amplify/deployment-secrets.json being updated to contain my hostedUIProviderCreds.
jcf
on 25 Nov 2020
I'm having the same problem as others here with Amplify CLI v4.35.0.
When I try to run amplify push, it asked me to back up to deployment-secrets.json (selecting "no" by the way, cancels the push process, so you must backup in order to continue... this (a) really needs a rephrased question for clarity, and (b) needs documentation as I searched everywhere for deployment-secrets in my project (thought it would be a file to .gitignore or something), only to find out in this thread that it's in my local AWS config...).
So I selected "yes", and it removed the hostedUIProviderCreds object in the team-provider-info.json. It then threw an error
UPDATE_FAILED auth<AUTH_NAME> AWS::CloudFormation::Stack Tue Nov 24 2020 21:14:46 GMT-0500 (Eastern Standard Time) Parameters: [hostedUIProviderCreds] do not exist in the template
And since I didn't know what was going on, I tried a bunch of different things to no avail, including running amplify update auth to re-add the FB / Google IDs in. This actually added the following into my team-provider-info.json:
"categories": {
"auth": {
"<AUTH_NAME_": {
"facebookAppId": "<FB_ID>",
"googleClientId": "<GOOGLE_ID>"
}
},
After checking this thread, I have the hostedUIProviderCreds in deployment-secrets.json, but I'm still encountering the same [hostedUIProviderCreds] do not exist in the template error.
If I remove the facebookAppId and googleClientId entires, I get a new error:
UPDATE_FAILED authtraintheoryweb843b1bda AWS::CloudFormation::Stack Wed Nov 25 2020 11:28:45 GMT-0500 (Eastern Standard Time) Parameters: [facebookAppId, googleClientId] do not exist in the template
I tried @askurat 's fix as well, but it still gives me the same [hostedUIProviderCreds] do not exist in the template error.
So I'm a bit stuck. I'll try a few more things and then I'll likely have to revert back to an old CLI version for the time-being.
ngnathan
on 25 Nov 2020
@ngnathan US-EAST-1 Region is having a ton of issues at the moment. This may be causing some of your problems: AWS Status
askurat
on 25 Nov 2020
I thought i was going crazy and kept checking the status. I really dig the new personal health dashboard.
ajonp
on 25 Nov 2020
@ngnathan US-EAST-1 Region is having a ton of issues at the moment. This may be causing some of your problems: AWS Status
Yeah I just saw this as well... I just tried (in a separate env) removing FB/Google (so that I can try adding it again). And I think the us-east-1 issues are causing my CLI to be stuck on updating the IdentityPool during my amplify push lol.
Anyway, I'm not sure how recent this outage is, but I was dealing with the same problems all of yesterday too.
ngnathan
on 25 Nov 2020
@ngnathan Can you check if the file ~/.aws/amplify/deployment-secrets.json has the hostedproviderUICreds
ammarkarachi
on 25 Nov 2020
@ngnathan Can you check if the file
~/.aws/amplify/deployment-secrets.jsonhas the hostedproviderUICreds
Yes, it did back when I tried it yesterday, which is why it was weird when it said [hostedUIProviderCreds] do not exist in the template, because it was definitely in the deployment-secrets.json. There were a few other environments that I had previously removed too, so I just cleaned it up, but I haven't been able to try again due to the us-east-1 issues. So I'll wait to try again.
ngnathan
on 25 Nov 2020
I finally got it working on a test environment. Had to remove social auth completely, run amplify push and then add it back in through amplify update auth, and run amplify push again. The only weird thing is that
- My
deployment-secrets.jsonis just an empty "appSecrets" array - The
team-provider-info.jsonhas changed to just using the FB Client ID and Google Client ID now (which I guess works since the secrets are just pulled through environment variables configured in Amplify console.) - My Cognito domain name for that environment was actually erased when that happened, so I had to manually add it back in through console (even though it's configured properly in my
amplify-meta.jsonfile.
I'll see if this happens again later, when I push these changes to another environment.
ngnathan
on 26 Nov 2020
@wcomicho The file should be under
~/.aws/amplify/deployment-secrets.json
@ammarkarachi Got it. Thanks
wcomicho
on 26 Nov 2020
to solve this, I performed the following steps:
- confirm empty array for appSecrets in ~/.aws/amplify/deployment-secrets.json
- re-added "hostedUIProviderCreds": "[]" to team-provider-info.json
amplify pushanswerywhen prompted for backup creation- verify item is added to array in ~/.aws/amplify/deployment-secrets.json
In my app, there is no hostedUIProvider creds. The existing behavior should not require a config in deployment-secrets if there are none in the app.
jgroom33
on 1 Dec 2020
Same story, after upgrading the CLI, more "secure" option just doesn't work at all. Had to roll back to 4.24.1
fkirill
on 5 Dec 2020
Same story, after upgrading the CLI, more "secure" option just doesn't work at all. Had to roll back to 4.24.1
@fkirill, same here... keep on putting back the config in team-provider-info before I use the command amplify push
wcomicho
on 5 Dec 2020
Getting the same issue trying to perform a very simple schema update (not sure why the auth update is even necessary in this situation)
Rolling back version is not helpful
NotSoShaby
on 5 Dec 2020
Same issue here. On top of that my Cognito schema (which contains custom fields) gets overwritten.
arturocanalda
on 7 Dec 2020
Ok, so I was able to get this to work. It seems like version 4.34.0 removed the
hostedUIProviderCreds: []in theteam-provider-info.jsonbut didn't successfully add it todeployment-secrets.json.I updated the
categoriessection inteam-provider-info.jsonwith:"auth": { "[api_name]": { "hostedUIProviderCreds": "[]" }, "userPoolGroups": {} },The next time I ran
amplify pushit asked me to migrate todeployment-secrets.jsonand if I wanted to backupteam-provider-info.json. I said yes and it successfully updateddeployment-secrets.json:{ "appSecrets": [ { "rootStackId": "[stack_id]", "environments": { "dev": { "auth": { "[api_name]": { "hostedUIProviderCreds": "[]" } } } } } ] }
And this overrides some information on Auth Cloud Formation template, like UsernameConfiguration or AccountRecoverySetting 馃憥 so any time that I need to push, I have to do this step plus modify the template and push again.
lexfaraday
on 7 Dec 2020
This still doesn't work for me the hosted ui provider cred doesn't seem to be the only problem, after replying to migration
PS C:\Users\sinap\repo\lookea\influencers-dashboard> amplify push
? Amplify has been upgraded to handle secrets more securely by migrating some values in team-provider-info.json to deployment-secrets.json
You can create a back up of the team-provider-info.json file before proceeding. Yes
Error updating Cognito resource
File at path: 'C:\Users\sinap\repo\lookea\influencers-dashboard\amplify\backendamplify-meta.json' does not exist
Error: File at path: 'C:\Users\sinap\repo\lookea\influencers-dashboard\amplify\backendamplify-meta.json' does not exist
erodrig
on 11 Dec 2020
reverted back to 4.32.1 after much debugging
djdam
on 13 Dec 2020
I have the same issue.
evertson90
on 15 Dec 2020
@evertson90 we release a new beta can you test it with the new version and let me know
ammarkarachi
on 15 Dec 2020
I installed version 4.40.0-beta.0 and tried the following:
- amplify status:
? Amplify has been upgraded to handle secrets more securely by migrating some values in team-provider-info.json to deployment-secrets.json You can create a back up of the team-provider-info.json file before proceeding. Yes Successfully updated auth resource locally.
Then I did amplify update auth, "Update OAuth social providers", selected Facebook and Google and added the ID and secrets. What happens is it removes the "hostedUIProviderCreds" from categories.auth.cognito in my team-provider-info.json.
Reverting to 4.32.1 fixes the problem for now. The beta does not fix the problem yet unfortunately.
evertson90
on 15 Dec 2020
@evertson90 Those values are being written to ~/.aws/amplify/deployment-secrets.json and the values are being served from there
ammarkarachi
on 15 Dec 2020
ok here is what fixed this for me... but the jury is still out because it's been a long few hours of debugging this issue
- Re-add
hostedUIProviderCredsto theteam-provider.jsonfile (hopefully you backed this up before) - Open the cloudformation file under the
authresource and add a default underhostedUIProviderCreds... e.g.
hostedUIProviderCreds:
Type: String
Default: "hostedUIProviderCreds"
- Delete the
#current-cloud-backendfolder found under the amplify folder - run
amplify env checkout <current-env> - run
amplify push -y(this _should_ ask you to add your federated credentials again)...if not, then this probably wont work for you and you can abort now... if you are feeling lucky keep going - Answer 'y` to the secrets migration
- Cross your fingers
The deployment-secrets.json file should be created
I hope this fixes it for others.
dwamianm
on 15 Dec 2020
@dwamianm Can you confirm the if the Auth CFN is being updated after the migration?
ammarkarachi
on 15 Dec 2020
@ammarkarachi it adds the following to the Outputs section of the CFN file
AppClientSecret:
Value: !GetAtt UserPoolClientInputs.appSecret
...however, as previously pointed out, it removes any customizations made to the CFN templates... but that may be for another bug report
Edit: It actually adds more that just the above @ammarkarachi ... there is a lambda function that is generated and several other params
dwamianm
on 15 Dec 2020
@dwamianm The credentials should be temporarily stored in the file deployment-secrests.json and the next push should server up an empty hostedUIProviderCres marked as '[]'
ammarkarachi
on 15 Dec 2020
@ammarkarachi ... that is not the case for me. The deployment-secrets.json file looks like this even after several pushes
{
"appSecrets": [
{
"rootStackId": "",
"environments": {
"dev": {
"auth": {
"authResourceName": {
"hostedUIProviderCreds": "[{\stuff in here"}]"
}
}
}
}
}
]
}
dwamianm
on 15 Dec 2020
Can you share your latest generated CFN file you can redact the info you think is sensitive
ammarkarachi
on 15 Dec 2020
@ammarkarachi absolutley.. here you go
AWSTemplateFormatVersion: 2010-09-09
Parameters:
env:
Type: String
authRoleArn:
Type: String
unauthRoleArn:
Type: String
functionjournelyv2AuthCustomMessageArn:
Type: String
Default: functionjournelyv2AuthCustomMessageArn
functionjournelyv2AuthCustomMessageName:
Type: String
Default: functionjournelyv2AuthCustomMessageName
functionjournelyv2AuthPreSignupArn:
Type: String
Default: functionjournelyv2AuthPreSignupArn
functionjournelyv2AuthPreSignupName:
Type: String
Default: functionjournelyv2AuthPreSignupName
identityPoolName:
Type: String
allowUnauthenticatedIdentities:
Type: String
resourceNameTruncated:
Type: String
userPoolName:
Type: String
autoVerifiedAttributes:
Type: CommaDelimitedList
mfaConfiguration:
Type: String
mfaTypes:
Type: CommaDelimitedList
smsAuthenticationMessage:
Type: String
smsVerificationMessage:
Type: String
emailVerificationSubject:
Type: String
emailVerificationMessage:
Type: String
defaultPasswordPolicy:
Type: String
passwordPolicyMinLength:
Type: Number
passwordPolicyCharacters:
Type: CommaDelimitedList
requiredAttributes:
Type: CommaDelimitedList
userpoolClientGenerateSecret:
Type: String
userpoolClientRefreshTokenValidity:
Type: Number
userpoolClientWriteAttributes:
Type: CommaDelimitedList
userpoolClientReadAttributes:
Type: CommaDelimitedList
userpoolClientLambdaRole:
Type: String
userpoolClientSetAttributes:
Type: String
resourceName:
Type: String
authSelections:
Type: String
useDefault:
Type: String
usernameAttributes:
Type: CommaDelimitedList
triggers:
Type: String
userPoolGroupList:
Type: CommaDelimitedList
parentStack:
Type: String
permissions:
Type: CommaDelimitedList
dependsOn:
Type: CommaDelimitedList
userPoolGroups:
Type: String
adminQueries:
Type: String
hostedUI:
Type: String
verificationBucketName:
Type: String
hostedUIDomainName:
Type: String
authProvidersUserPool:
Type: CommaDelimitedList
hostedUIProviderMeta:
Type: String
oAuthMetadata:
Type: String
hostedUIProviderCreds:
Type: String
Default: "hostedUIProviderCreds"
Conditions:
ShouldNotCreateEnvResources: !Equals [ !Ref env, NONE ]
Resources:
CustomMessageConfirmationBucket:
Type: AWS::S3::Bucket
DeletionPolicy: "Retain"
Properties:
BucketName: !If [ShouldNotCreateEnvResources, !Ref verificationBucketName, !Join ['',[!Ref verificationBucketName, '-', !Ref env]]]
AccessControl: "Private"
WebsiteConfiguration:
IndexDocument: "index.html"
ErrorDocument: "index.html"
CorsConfiguration:
CorsRules:
-
AllowedHeaders:
- "Authorization"
- "Content-Length"
AllowedMethods:
- "GET"
AllowedOrigins:
- "*"
MaxAge: 3000
# BEGIN SNS ROLE RESOURCE
SNSRole:
# Created to allow the UserPool SMS Config to publish via the Simple Notification Service during MFA Process
Type: AWS::IAM::Role
Properties:
RoleName: !If [ShouldNotCreateEnvResources, 'journea6e2faad_sns-role', !Join ['',[ 'sns', 'undefined', !Select [3, !Split ['-', !Ref 'AWS::StackName']], '-', !Ref env]]]
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: ""
Effect: "Allow"
Principal:
Service: "cognito-idp.amazonaws.com"
Action:
- "sts:AssumeRole"
Condition:
StringEquals:
sts:ExternalId: journea6e2faad_role_external_id
Policies:
-
PolicyName: journea6e2faad-sns-policy
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action:
- "sns:Publish"
Resource: "*"
# BEGIN USER POOL RESOURCES
UserPool:
# Created upon user selection
# Depends on SNS Role for Arn if MFA is enabled
Type: AWS::Cognito::UserPool
UpdateReplacePolicy: Retain
Properties:
UserPoolName: !If [ShouldNotCreateEnvResources, !Ref userPoolName, !Join ['',[!Ref userPoolName, '-', !Ref env]]]
UsernameConfiguration:
CaseSensitive: false
Schema:
-
Name: email
Required: true
Mutable: true
-
Name: name
Required: true
Mutable: true
LambdaConfig:
CustomMessage: !Ref functionjournelyv2AuthCustomMessageArn
PreSignUp: !Ref functionjournelyv2AuthPreSignupArn
AutoVerifiedAttributes: !Ref autoVerifiedAttributes
EmailVerificationMessage: !Ref emailVerificationMessage
EmailVerificationSubject: !Ref emailVerificationSubject
Policies:
PasswordPolicy:
MinimumLength: !Ref passwordPolicyMinLength
RequireLowercase: false
RequireNumbers: false
RequireSymbols: false
RequireUppercase: false
UsernameAttributes: !Ref usernameAttributes
MfaConfiguration: !Ref mfaConfiguration
SmsVerificationMessage: !Ref smsVerificationMessage
SmsConfiguration:
SnsCallerArn: !GetAtt SNSRole.Arn
ExternalId: journea6e2faad_role_external_id
UserPoolCustomMessageLambdaInvokePermission:
Type: "AWS::Lambda::Permission"
DependsOn: UserPool
Properties:
Action: "lambda:invokeFunction"
Principal: "cognito-idp.amazonaws.com"
FunctionName: !Ref functionjournelyv2AuthCustomMessageName
SourceArn: !GetAtt UserPool.Arn
UserPoolPreSignupLambdaInvokePermission:
Type: "AWS::Lambda::Permission"
DependsOn: UserPool
Properties:
Action: "lambda:invokeFunction"
Principal: "cognito-idp.amazonaws.com"
FunctionName: !Ref functionjournelyv2AuthPreSignupName
SourceArn: !GetAtt UserPool.Arn
# Updating lambda role with permissions to Cognito
UserPoolClientWeb:
# Created provide application access to user pool
# Depends on UserPool for ID reference
Type: "AWS::Cognito::UserPoolClient"
Properties:
ClientName: journea6e2faad_app_clientWeb
RefreshTokenValidity: !Ref userpoolClientRefreshTokenValidity
UserPoolId: !Ref UserPool
DependsOn: UserPool
UserPoolClient:
# Created provide application access to user pool
# Depends on UserPool for ID reference
Type: "AWS::Cognito::UserPoolClient"
Properties:
ClientName: journea6e2faad_app_client
GenerateSecret: !Ref userpoolClientGenerateSecret
RefreshTokenValidity: !Ref userpoolClientRefreshTokenValidity
UserPoolId: !Ref UserPool
DependsOn: UserPool
# BEGIN USER POOL LAMBDA RESOURCES
UserPoolClientRole:
# Created to execute Lambda which gets userpool app client config values
Type: 'AWS::IAM::Role'
Properties:
RoleName: !If [ShouldNotCreateEnvResources, !Ref userpoolClientLambdaRole, !Join ['',['upClientLambdaRole', 'undefined', !Select [3, !Split ['-', !Ref 'AWS::StackName']], '-', !Ref env]]]
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- 'sts:AssumeRole'
DependsOn: UserPoolClient
UserPoolClientLambda:
# Lambda which gets userpool app client config values
# Depends on UserPool for id
# Depends on UserPoolClientRole for role ARN
Type: 'AWS::Lambda::Function'
Properties:
Code:
ZipFile: !Join
- |+
- - 'const response = require(''cfn-response'');'
- 'const aws = require(''aws-sdk'');'
- 'const identity = new aws.CognitoIdentityServiceProvider();'
- 'exports.handler = (event, context, callback) => {'
- ' if (event.RequestType == ''Delete'') { '
- ' response.send(event, context, response.SUCCESS, {})'
- ' }'
- ' if (event.RequestType == ''Update'' || event.RequestType == ''Create'') {'
- ' const params = {'
- ' ClientId: event.ResourceProperties.clientId,'
- ' UserPoolId: event.ResourceProperties.userpoolId'
- ' };'
- ' identity.describeUserPoolClient(params).promise()'
- ' .then((res) => {'
- ' response.send(event, context, response.SUCCESS, {''appSecret'': res.UserPoolClient.ClientSecret});'
- ' })'
- ' .catch((err) => {'
- ' response.send(event, context, response.FAILED, {err});'
- ' });'
- ' }'
- '};'
Handler: index.handler
Runtime: nodejs10.x
Timeout: '300'
Role: !GetAtt
- UserPoolClientRole
- Arn
DependsOn: UserPoolClientRole
UserPoolClientLambdaPolicy:
# Sets userpool policy for the role that executes the Userpool Client Lambda
# Depends on UserPool for Arn
# Marked as depending on UserPoolClientRole for easier to understand CFN sequencing
Type: 'AWS::IAM::Policy'
Properties:
PolicyName: journea6e2faad_userpoolclient_lambda_iam_policy
Roles:
- !Ref UserPoolClientRole
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- 'cognito-idp:DescribeUserPoolClient'
Resource: !GetAtt UserPool.Arn
DependsOn: UserPoolClientLambda
UserPoolClientLogPolicy:
# Sets log policy for the role that executes the Userpool Client Lambda
# Depends on UserPool for Arn
# Marked as depending on UserPoolClientLambdaPolicy for easier to understand CFN sequencing
Type: 'AWS::IAM::Policy'
Properties:
PolicyName: journea6e2faad_userpoolclient_lambda_log_policy
Roles:
- !Ref UserPoolClientRole
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
Resource: !Sub
- arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*
- { region: !Ref "AWS::Region", account: !Ref "AWS::AccountId", lambda: !Ref UserPoolClientLambda}
DependsOn: UserPoolClientLambdaPolicy
UserPoolClientInputs:
# Values passed to Userpool client Lambda
# Depends on UserPool for Id
# Depends on UserPoolClient for Id
# Marked as depending on UserPoolClientLambdaPolicy for easier to understand CFN sequencing
Type: 'Custom::LambdaCallout'
Properties:
ServiceToken: !GetAtt UserPoolClientLambda.Arn
clientId: !Ref UserPoolClient
userpoolId: !Ref UserPool
DependsOn: UserPoolClientLogPolicy
HostedUICustomResource:
Type: 'AWS::Lambda::Function'
Properties:
Code:
ZipFile: !Join
- |+
- - 'const response = require(''cfn-response'');'
- 'const aws = require(''aws-sdk'');'
- 'const identity = new aws.CognitoIdentityServiceProvider();'
- 'exports.handler = (event, context, callback) => {'
- ' const userPoolId = event.ResourceProperties.userPoolId;'
- ' const inputDomainName = event.ResourceProperties.hostedUIDomainName;'
- ' let deleteUserPoolDomain = (domainName) => {'
- ' let params = { Domain: domainName, UserPoolId: userPoolId };'
- ' return identity.deleteUserPoolDomain(params).promise();'
- ' };'
- ' if (event.RequestType == ''Delete'') {'
- ' deleteUserPoolDomain(inputDomainName)'
- ' .then(() => {response.send(event, context, response.SUCCESS, {})})'
- ' .catch((err) => { console.log(err); response.send(event, context, response.FAILED, {err}) });'
- ' }'
- ' if (event.RequestType == ''Update'' || event.RequestType == ''Create'') {'
- ' let checkDomainAvailability = (domainName) => {'
- ' let params = { Domain: domainName };'
- ' return identity.describeUserPoolDomain(params).promise().then((res) => {'
- ' if (res.DomainDescription && res.DomainDescription.UserPool) {'
- ' return false;'
- ' }'
- ' return true;'
- ' }).catch((err) => { return false; });'
- ' };'
- ' let createUserPoolDomain = (domainName) => {'
- ' let params = { Domain: domainName, UserPoolId: userPoolId };'
- ' return identity.createUserPoolDomain(params).promise();'
- ' };'
- ' identity.describeUserPool({UserPoolId: userPoolId }).promise().then((result) => {'
- ' if (inputDomainName) {'
- ' if (result.UserPool.Domain === inputDomainName) {'
- ' return;'
- ' } else {'
- ' if (!result.UserPool.Domain) {'
- ' return checkDomainAvailability(inputDomainName).then((isDomainAvailable) => {'
- ' if (isDomainAvailable) {'
- ' return createUserPoolDomain(inputDomainName);'
- ' } else {'
- ' throw new Error(''Domain not available'');'
- ' }'
- ' });'
- ' } else {'
- ' return checkDomainAvailability(inputDomainName).then((isDomainAvailable) => {'
- ' if (isDomainAvailable) {'
- ' return deleteUserPoolDomain(result.UserPool.Domain).then(() => createUserPoolDomain(inputDomainName));'
- ' } else {'
- ' throw new Error(''Domain not available'');'
- ' }'
- ' });'
- ' }'
- ' }'
- ' } else {'
- ' if (result.UserPool.Domain) {'
- ' return deleteUserPoolDomain(result.UserPool.Domain);'
- ' }'
- ' }'
- ' }).then(() => {response.send(event, context, response.SUCCESS, {})}).catch((err) => {'
- ' console.log(err); response.send(event, context, response.FAILED, {err});'
- ' });'
- '}}'
Handler: index.handler
Runtime: nodejs10.x
Timeout: '300'
Role: !GetAtt
- UserPoolClientRole
- Arn
DependsOn: UserPoolClientRole
HostedUICustomResourcePolicy:
Type: 'AWS::IAM::Policy'
Properties:
PolicyName: !Join ['-',[!Ref UserPool, 'hostedUI']]
Roles:
- !Ref UserPoolClientRole
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- 'cognito-idp:CreateUserPoolDomain'
- 'cognito-idp:DescribeUserPool'
- 'cognito-idp:DeleteUserPoolDomain'
Resource: !GetAtt UserPool.Arn
- Effect: Allow
Action:
- 'cognito-idp:DescribeUserPoolDomain'
Resource: '*'
DependsOn: HostedUICustomResource
HostedUICustomResourceLogPolicy:
Type: 'AWS::IAM::Policy'
Properties:
PolicyName: !Join ['-',[!Ref UserPool, 'hostedUILogPolicy']]
Roles:
- !Ref UserPoolClientRole
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
Resource: !Sub
- arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*
- { region: !Ref "AWS::Region", account: !Ref "AWS::AccountId", lambda: !Ref HostedUICustomResource}
DependsOn: HostedUICustomResourcePolicy
HostedUICustomResourceInputs:
Type: 'Custom::LambdaCallout'
Properties:
ServiceToken: !GetAtt HostedUICustomResource.Arn
userPoolId: !Ref UserPool
hostedUIDomainName: !If [ShouldNotCreateEnvResources, !Ref hostedUIDomainName, !Join ['-',[!Ref hostedUIDomainName, !Ref env]]]
DependsOn: HostedUICustomResourceLogPolicy
HostedUIProvidersCustomResource:
Type: 'AWS::Lambda::Function'
Properties:
Code:
ZipFile: !Join
- |+
- - 'const response = require(''cfn-response'');'
- 'const aws = require(''aws-sdk'');'
- 'const identity = new aws.CognitoIdentityServiceProvider();'
- 'exports.handler = (event, context, callback) => {'
- 'try{'
- ' const userPoolId = event.ResourceProperties.userPoolId;'
- ' let hostedUIProviderMeta = JSON.parse(event.ResourceProperties.hostedUIProviderMeta);'
- ' let hostedUIProviderCreds = JSON.parse(event.ResourceProperties.hostedUIProviderCreds);'
- ' if(hostedUIProviderCreds.length === 0) {'
- ' response.send(event, context, response.SUCCESS, {});'
- ' }'
- ' if (event.RequestType == ''Delete'') {'
- ' response.send(event, context, response.SUCCESS, {});'
- ' }'
- ' if (event.RequestType == ''Update'' || event.RequestType == ''Create'') {'
- ' let getRequestParams = (providerName) => {'
- ' let providerMetaIndex = hostedUIProviderMeta.findIndex((provider) => provider.ProviderName === providerName);'
- ' let providerMeta = hostedUIProviderMeta[providerMetaIndex];'
- ' let providerCredsIndex = hostedUIProviderCreds.findIndex((provider) => provider.ProviderName === providerName);'
- ' let providerCreds = hostedUIProviderCreds[providerCredsIndex];'
- ' let requestParams = {'
- ' ProviderDetails: {'
- ' ''client_id'': providerCreds.client_id,'
- ' ''client_secret'': providerCreds.client_secret,'
- ' ''authorize_scopes'': providerMeta.authorize_scopes'
- ' },'
- ' ProviderName: providerMeta.ProviderName,'
- ' UserPoolId: userPoolId,'
- ' AttributeMapping: providerMeta.AttributeMapping'
- ' };'
- ' return requestParams;'
- ' };'
- ' let createIdentityProvider = (providerName) => {'
- ' let requestParams = getRequestParams(providerName);'
- ' requestParams.ProviderType = requestParams.ProviderName;'
- ' return identity.createIdentityProvider(requestParams).promise();'
- ' };'
- ' let updateIdentityProvider = (providerName) => {'
- ' let requestParams = getRequestParams(providerName);'
- ' return identity.updateIdentityProvider(requestParams).promise();'
- ' };'
- ' let deleteIdentityProvider = (providerName) => {'
- ' let params = {ProviderName: providerName, UserPoolId: userPoolId};'
- ' return identity.deleteIdentityProvider(params).promise();'
- ' };'
- ' let providerPromises = [];'
- ' identity.listIdentityProviders({UserPoolId: userPoolId, MaxResults: 60}).promise()'
- ' .then((result) => {'
- ' let providerList = result.Providers.map(provider => provider.ProviderName);'
- ' let providerListInParameters = hostedUIProviderMeta.map(provider => provider.ProviderName);'
- ' hostedUIProviderMeta.forEach((providerMetadata) => {'
- ' if(providerList.indexOf(providerMetadata.ProviderName) > -1) {'
- ' providerPromises.push(updateIdentityProvider(providerMetadata.ProviderName));'
- ' } else {'
- ' providerPromises.push(createIdentityProvider(providerMetadata.ProviderName));'
- ' }'
- ' });'
- ' providerList.forEach((provider) => {'
- ' if(providerListInParameters.indexOf(provider) < 0) {'
- ' providerPromises.push(deleteIdentityProvider(provider));'
- ' }'
- ' });'
- ' return Promise.all(providerPromises);'
- ' }).then(() => {response.send(event, context, response.SUCCESS, {})}).catch((err) => {'
- ' console.log(err.stack); response.send(event, context, response.FAILED, {err})'
- ' });'
- ' } '
- ' } catch(err) { console.log(err.stack); response.send(event, context, response.FAILED, {err});};'
- '} '
Handler: index.handler
Runtime: nodejs10.x
Timeout: '300'
Role: !GetAtt
- UserPoolClientRole
- Arn
DependsOn: UserPoolClientRole
HostedUIProvidersCustomResourcePolicy:
Type: 'AWS::IAM::Policy'
Properties:
PolicyName: !Join ['-',[!Ref UserPool, 'hostedUIProvider']]
Roles:
- !Ref UserPoolClientRole
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- 'cognito-idp:CreateIdentityProvider'
- 'cognito-idp:UpdateIdentityProvider'
- 'cognito-idp:ListIdentityProviders'
- 'cognito-idp:DeleteIdentityProvider'
Resource: !GetAtt UserPool.Arn
DependsOn: HostedUIProvidersCustomResource
HostedUIProvidersCustomResourceLogPolicy:
Type: 'AWS::IAM::Policy'
Properties:
PolicyName: !Join ['-',[!Ref UserPool, 'hostedUIProviderLogPolicy']]
Roles:
- !Ref UserPoolClientRole
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
Resource: !Sub
- arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*
- { region: !Ref "AWS::Region", account: !Ref "AWS::AccountId", lambda: !Ref HostedUIProvidersCustomResource}
DependsOn: HostedUIProvidersCustomResourcePolicy
HostedUIProvidersCustomResourceInputs:
Type: 'Custom::LambdaCallout'
Properties:
ServiceToken: !GetAtt HostedUIProvidersCustomResource.Arn
userPoolId: !Ref UserPool
hostedUIProviderMeta: !Ref hostedUIProviderMeta
hostedUIProviderCreds: !Ref hostedUIProviderCreds
DependsOn: HostedUIProvidersCustomResourceLogPolicy
OAuthCustomResource:
Type: 'AWS::Lambda::Function'
Properties:
Code:
ZipFile: !Join
- |+
- - 'const response = require(''cfn-response'');'
- 'const aws = require(''aws-sdk'');'
- 'const identity = new aws.CognitoIdentityServiceProvider();'
- 'exports.handler = (event, context, callback) => {'
- 'try{'
- ' const userPoolId = event.ResourceProperties.userPoolId;'
- ' let webClientId = event.ResourceProperties.webClientId;'
- ' let nativeClientId = event.ResourceProperties.nativeClientId;'
- ' let hostedUIProviderMeta = JSON.parse(event.ResourceProperties.hostedUIProviderMeta);'
- ' let oAuthMetadata = JSON.parse(event.ResourceProperties.oAuthMetadata);'
- ' let providerList = hostedUIProviderMeta.map(provider => provider.ProviderName);'
- ' providerList.push(''COGNITO'');'
- ' if (event.RequestType == ''Delete'') {'
- ' response.send(event, context, response.SUCCESS, {});'
- ' }'
- ' if (event.RequestType == ''Update'' || event.RequestType == ''Create'') {'
- ' let params = {'
- ' UserPoolId: userPoolId,'
- ' AllowedOAuthFlows: oAuthMetadata.AllowedOAuthFlows,'
- ' AllowedOAuthFlowsUserPoolClient: true,'
- ' AllowedOAuthScopes: oAuthMetadata.AllowedOAuthScopes,'
- ' CallbackURLs: oAuthMetadata.CallbackURLs,'
- ' LogoutURLs: oAuthMetadata.LogoutURLs,'
- ' SupportedIdentityProviders: providerList'
- ' };'
- ' let updateUserPoolClientPromises = [];'
- ' params.ClientId = webClientId;'
- ' updateUserPoolClientPromises.push(identity.updateUserPoolClient(params).promise());'
- ' params.ClientId = nativeClientId;'
- ' updateUserPoolClientPromises.push(identity.updateUserPoolClient(params).promise());'
- ' Promise.all(updateUserPoolClientPromises)'
- ' .then(() => {response.send(event, context, response.SUCCESS, {})}).catch((err) => {'
- ' console.log(err.stack); response.send(event, context, response.FAILED, {err});'
- ' });'
- ' }'
- '} catch(err) { console.log(err.stack); response.send(event, context, response.FAILED, {err});};'
- '}'
Handler: index.handler
Runtime: nodejs10.x
Timeout: '300'
Role: !GetAtt
- UserPoolClientRole
- Arn
DependsOn: HostedUIProvidersCustomResourceInputs
OAuthCustomResourcePolicy:
Type: 'AWS::IAM::Policy'
Properties:
PolicyName: !Join ['-',[!Ref UserPool, 'OAuth']]
Roles:
- !Ref UserPoolClientRole
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- 'cognito-idp:UpdateUserPoolClient'
Resource: !GetAtt UserPool.Arn
DependsOn: OAuthCustomResource
OAuthCustomResourceLogPolicy:
Type: 'AWS::IAM::Policy'
Properties:
PolicyName: !Join ['-',[!Ref UserPool, 'OAuthLogPolicy']]
Roles:
- !Ref UserPoolClientRole
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
Resource: !Sub
- arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*
- { region: !Ref "AWS::Region", account: !Ref "AWS::AccountId", lambda: !Ref OAuthCustomResource}
DependsOn: OAuthCustomResourcePolicy
OAuthCustomResourceInputs:
Type: 'Custom::LambdaCallout'
Properties:
ServiceToken: !GetAtt OAuthCustomResource.Arn
userPoolId: !Ref UserPool
hostedUIProviderMeta: !Ref hostedUIProviderMeta
oAuthMetadata: !Ref oAuthMetadata
webClientId: !Ref 'UserPoolClientWeb'
nativeClientId: !Ref 'UserPoolClient'
DependsOn: OAuthCustomResourceLogPolicy
# BEGIN IDENTITY POOL RESOURCES
IdentityPool:
# Always created
Type: AWS::Cognito::IdentityPool
Properties:
IdentityPoolName: !If [ShouldNotCreateEnvResources, 'journelyv2Auth_identitypool_967bea7b', !Join ['',['journelyv2Auth_identitypool_967bea7b', '__', !Ref env]]]
CognitoIdentityProviders:
- ClientId: !Ref UserPoolClient
ProviderName: !Sub
- cognito-idp.${region}.amazonaws.com/${client}
- { region: !Ref "AWS::Region", client: !Ref UserPool}
- ClientId: !Ref UserPoolClientWeb
ProviderName: !Sub
- cognito-idp.${region}.amazonaws.com/${client}
- { region: !Ref "AWS::Region", client: !Ref UserPool}
AllowUnauthenticatedIdentities: !Ref allowUnauthenticatedIdentities
DependsOn: UserPoolClientInputs
IdentityPoolRoleMap:
# Created to map Auth and Unauth roles to the identity pool
# Depends on Identity Pool for ID ref
Type: AWS::Cognito::IdentityPoolRoleAttachment
Properties:
IdentityPoolId: !Ref IdentityPool
Roles:
unauthenticated: !Ref unauthRoleArn
authenticated: !Ref authRoleArn
DependsOn: IdentityPool
Outputs :
IdentityPoolId:
Value: !Ref 'IdentityPool'
Description: Id for the identity pool
IdentityPoolName:
Value: !GetAtt IdentityPool.Name
HostedUIDomain:
Value: !If [ShouldNotCreateEnvResources, !Ref hostedUIDomainName, !Join ['-',[!Ref hostedUIDomainName, !Ref env]]]
OAuthMetadata:
Value: !Ref oAuthMetadata
UserPoolId:
Value: !Ref 'UserPool'
Description: Id for the user pool
UserPoolName:
Value: !Ref userPoolName
AppClientIDWeb:
Value: !Ref 'UserPoolClientWeb'
Description: The user pool app client id for web
AppClientID:
Value: !Ref 'UserPoolClient'
Description: The user pool app client id
AppClientSecret:
Value: !GetAtt UserPoolClientInputs.appSecret
dwamianm
on 15 Dec 2020
@ammarkarachi ...My push happiness was short lived. I am not unable to push with the following message
Failed to delete resource. See the details in CloudWatch Log Stream: 2020/12/15/[$LATEST]fe9f95bab9b84cff81db847ddce2fa72
and this in the cloudwatch logs
2020-12-15T22:03:36.452Z 23d5e182-7094-4de1-b0a9-45ab65c7fb91 INFO SyntaxError: Unexpected token h in JSON at position 0 at JSON.parse () at Runtime.exports.handler (/var/task/index.js:1:360) at Runtime.handleOnce (/var/runtime/Runtime.js:66:25)
These seem to be happening in the HostedUIProvidersCustomResourceInputs process
dwamianm
on 15 Dec 2020
@ammarkarachi ... 4.40.0 looks like it fixed the issue for me.
dwamianm
on 16 Dec 2020
Related issues
ChrisWun
路
43Comments
DonPepone
路
70Comments
kaustavghosh06
路
51Comments
apanagos
路
47Comments
varmab
路
41Comments
Most helpful comment
Same issue here. On top of that my Cognito schema (which contains custom fields) gets overwritten.