Aws-cdk: [core] Unable to set CfnIdentityPoolProps allowUnauthenticatedIdentities to false

Created on 21 Sep 2020 · 4 Comments · Source: aws/aws-cdk

When creating a Cognito Identity pool using the CfnIdentityPool class, setting the allowUnauthenticatedIdentities field to false on the CfnIdentityPoolProps builder results in no properties being included in the CloudFormation template produced by running cdk synth. This property is required to be set, and so any attempt at a cdk deploy will fail to create the resource. When the value is set to true, the property is correctly included in the synthesised CloudFormation.

Reproduction Steps

Main app:

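import software.amazon.awscdk.core.App;
import software.amazon.awscdk.core.Environment;
import software.amazon.awscdk.core.StackProps;

public class ProductionApp {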

    public static void main(final String[] args) {
        App app = new App();

        Environment environment = Environment.builder().account(Constants.AWS_ACCOUNT_ID).region(Constants.DEPLOYMENT_REGION).build();
        StackProps stackProperties = StackProps.builder().env(environment).build();

        new ReproductionStack(app, "test", stackProperties);

        app.synth();
    }
}

ReproductionStack:

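import software.amazon.awscdk.core.Construct;
import software.amazon.awscdk.core.Stack;
import software.amazon.awscdk.core.StackProps;
import software.amazon.awscdk.services.cognito.CfnIdentityPool;
import software.amazon.awscdk.services.cognito.CfnIdentityPoolProps;

public class ReproductionStack extends Stack {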
    public ReproductionStack(final Construct scope, final String id, final StackProps props) {
        super(scope, id, props);

        CfnIdentityPoolProps properties = CfnIdentityPoolProps.builder()
                .allowUnauthenticatedIdentities(false)
                .build();

        new CfnIdentityPool(this, "testMyPool", properties);
    }
}

Output of cdk synth:

Resources:
  testMyPool:
    Type: AWS::Cognito::IdentityPool
    Metadata:
      aws:cdk:path: test/testMyPool
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Modules: aws-cdk=1.63.0,@aws-cdk/assets=1.63.0,@aws-cdk/aws-applicationautoscaling=1.63.0,@aws-cdk/aws-autoscaling-common=1.63.0,@aws-cdk/aws-certificatemanager=1.63.0,@aws-cdk/aws-cloudformation=1.63.0,@aws-cdk/aws-cloudwatch=1.63.0,@aws-cdk/aws-codeguruprofiler=1.63.0,@aws-cdk/aws-cognito=1.63.0,@aws-cdk/aws-ec2=1.63.0,@aws-cdk/aws-efs=1.63.0,@aws-cdk/aws-events=1.63.0,@aws-cdk/aws-iam=1.63.0,@aws-cdk/aws-kms=1.63.0,@aws-cdk/aws-lambda=1.63.0,@aws-cdk/aws-logs=1.63.0,@aws-cdk/aws-route53=1.63.0,@aws-cdk/aws-s3=1.63.0,@aws-cdk/aws-s3-assets=1.63.0,@aws-cdk/aws-sns=1.63.0,@aws-cdk/aws-sqs=1.63.0,@aws-cdk/aws-ssm=1.63.0,@aws-cdk/cloud-assembly-schema=1.63.0,@aws-cdk/core=1.63.0,@aws-cdk/custom-resources=1.63.0,@aws-cdk/cx-api=1.63.0,@aws-cdk/region-info=1.63.0,jsii-runtime=Java/1.8.0_261

Output of cdk synth when .allowUnauthenticatedIdentities(true) is used:

Resources:
  testMyPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      AllowUnauthenticatedIdentities: true
    Metadata:
      aws:cdk:path: test/testMyPool
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Modules: aws-cdk=1.63.0,@aws-cdk/assets=1.63.0,@aws-cdk/aws-applicationautoscaling=1.63.0,@aws-cdk/aws-autoscaling-common=1.63.0,@aws-cdk/aws-certificatemanager=1.63.0,@aws-cdk/aws-cloudformation=1.63.0,@aws-cdk/aws-cloudwatch=1.63.0,@aws-cdk/aws-codeguruprofiler=1.63.0,@aws-cdk/aws-cognito=1.63.0,@aws-cdk/aws-ec2=1.63.0,@aws-cdk/aws-efs=1.63.0,@aws-cdk/aws-events=1.63.0,@aws-cdk/aws-iam=1.63.0,@aws-cdk/aws-kms=1.63.0,@aws-cdk/aws-lambda=1.63.0,@aws-cdk/aws-logs=1.63.0,@aws-cdk/aws-route53=1.63.0,@aws-cdk/aws-s3=1.63.0,@aws-cdk/aws-s3-assets=1.63.0,@aws-cdk/aws-sns=1.63.0,@aws-cdk/aws-sqs=1.63.0,@aws-cdk/aws-ssm=1.63.0,@aws-cdk/cloud-assembly-schema=1.63.0,@aws-cdk/core=1.63.0,@aws-cdk/custom-resources=1.63.0,@aws-cdk/cx-api=1.63.0,@aws-cdk/region-info=1.63.0,jsii-runtime=Java/1.8.0_261

What did you expect to happen?

A CloudFormation template including the correct properties for the defined identity pool would be created.

What actually happened?

The incorrect CloudFormation template is generated.

Environment

  • CLI Version : 1.63.0 (build 7a68125)
  • Framework Version: 1.63.0 (build 7a68125)
  • Node.js Version: v12.14.1
  • OS : macOS Catalina Version 10.15.4
  • Language (Version): Java 8

This is :bug: Bug Report

@aws-cdk/core bug effort/small p2

All 4 comments

Also of note, the same behaviour occurs when trying to use the CfnResource class.
When the pool is created with the code below, the same CloudFormation template is output as when created with CfnIdentityPool (correct when true, missing the property when false):

CfnResource.Builder.create(this, poolId)
                .type("AWS::Cognito::IdentityPool")
                .properties(new HashMap<String, Object>() {{
                            put("AllowUnauthenticatedIdentities", false);
                }}).build();

Currently working around the issue with:

CfnIdentityPool pool = new CfnIdentityPool(this, "testMyPool", properties);
pool.addOverride("Properties.AllowUnauthenticatedIdentities", false);

Definitely something weird going on here.

It seems that when all properties on a Cfn construct are false, they don't render into the CloudFormation template. There needs to be at least one property that is truthy for the properties section to be rendered.

Simple TypeScript app that reproduces this problem -

import { App, Duration, Stack } from '@aws-cdk/core';
import { CfnIdentityPool } from '@aws-cdk/aws-cognito';

const app = new App();
const stack = new Stack(app, 'mystack');

new CfnIdentityPool(stack, 'pool', {
  allowUnauthenticatedIdentities: false,
});

The bug is in the core module and a fix has been prepared - https://github.com/aws/aws-cdk/pull/10539
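
A guard for this failure mode, as an added example that is not part of the issue or of aws-cdk: it inspects a synthesized template and reports identity pools where `AllowUnauthenticatedIdentities` is absent, enabled, or not a literal boolean. The function and type names are hypothetical, and the sample templates are constructed from the synth outputs quoted in the issue.

```typescript
// Added example, not aws-cdk code. Names are hypothetical; templates are constructed samples.
type Resource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources: Record<string, Resource> };
type Finding = { logicalId: string; reason: 'missing' | 'enabled' | 'unresolved' };

const POOL_TYPE = 'AWS::Cognito::IdentityPool';
const PROP = 'AllowUnauthenticatedIdentities';

// Returns one finding per identity pool whose template does not carry an
// explicit `AllowUnauthenticatedIdentities: false`.
function auditIdentityPools(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const resource = template.Resources[logicalId];
    if (!resource || resource.Type !== POOL_TYPE) continue; // skips e.g. CDKMetadata
    const props = resource.Properties || {}; // the Properties block may be absent entirely
    if (!(PROP in props)) {
      findings.push({ logicalId, reason: 'missing' }); // the symptom reported in this issue
    } else if (props[PROP] === true || props[PROP] === 'true') {
      findings.push({ logicalId, reason: 'enabled' }); // guest access is switched on
    } else if (props[PROP] !== false && props[PROP] !== 'false') {
      findings.push({ logicalId, reason: 'unresolved' }); // not a literal, needs manual review
    }
  }
  return findings;
}

const metadata: Resource = { Type: 'AWS::CDK::Metadata', Properties: { Modules: 'placeholder' } };
// Mirrors the output reported for .allowUnauthenticatedIdentities(false): no Properties block.
const synthFalse: Template = {
  Resources: { testMyPool: { Type: POOL_TYPE }, CDKMetadata: metadata },
};
// Mirrors the output reported for .allowUnauthenticatedIdentities(true).
const synthTrue: Template = {
  Resources: { testMyPool: { Type: POOL_TYPE, Properties: { [PROP]: true } }, CDKMetadata: metadata },
};
// Constructed: the shape the reporter expected, with the property rendered as false.
const synthExpected: Template = {
  Resources: { testMyPool: { Type: POOL_TYPE, Properties: { [PROP]: false } }, CDKMetadata: metadata },
};
```

In a pipeline, pass the parsed `cdk synth` output to `auditIdentityPools` and fail the build on any finding.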
