deployment-secrets.json migration causes amplify[hostedUIProviderCreds] must have values error on amplify push #5942
@pedramp20 I am trying to reproduce this issue, what changes did you make before the second push?

With the last version on env update (venv) `PS C:\Users\sinap\repo\lookea\influencers-dashboard> amplify status` I have noticed also that in cognito it is removing information from hostedUIProviderCreds:
`#index e17e1e5..5a40678 100644 },"categories": {"auth": {#- "cognito937499ef": { },`

Hello guys, encountering the same error in my project: `Parameters: [hostedUIProviderCreds] must have values`. Encountered the problem after the CLI update. Is this related to the update? Also tried creating a new project but encountered the same error when creating a REST API. BTW, it says "move secrets from team-provider-info.json to deployment-secrets.json" but where is the deployment-secrets.json located? Maybe the CLI failed to create the file...

Same here. I downgraded Amplify CLI to 4.29.0 and it keeps happening, so I'm not sure it's related to the latest update.

Yes, I do. My … the … I got this code from aws-amplify/amplify-hosting#206
I think #5733 introduced this change, and was approved by at least one contributor to the project. It looks like the migration code has been tested here: amplify-cli/packages/amplify-cli/src/__tests__/team-provider-migrate.test.ts Lines 143 to 144 in d18f795

If I understand the test correctly it appears to assert that some code was called but does nothing to verify the behaviour (i.e. that a file is created on disk, that the contents of the file are correct, that a subsequent invocation of … ). The description in the PR mentions a

```json
{
  "appSecrets": []
}
```

I've found the following type that specifies the expected format of the new JSON file: amplify-cli/packages/amplify-cli-core/src/index.ts Lines 59 to 65 in ad7b028

Given the severity of this issue (any affected customer will be unable to push changes to any Amplify backend) I'd like to humbly request a post-mortem on how this problem found its way to customers, and how the Amplify team plan to avoid causing this sort of disruption in future. I hope some of the info above is helpful. If there's anything else I can do to help triage and resolve please holla. 📣
@wcomicho The file should be under …

I am also having this issue. I upgraded to 4.35.0 and am receiving this error when trying to amplify push:

The …

```json
{
  "appSecrets": []
}
```
Ok, so I was able to get this to work. It seems like version 4.34.0 removed the … I updated the …

```json
"auth": {
  "[api_name]": {
    "hostedUIProviderCreds": "[]"
  },
  "userPoolGroups": {}
},
```

The next time I ran …

```json
{
  "appSecrets": [
    {
      "rootStackId": "[stack_id]",
      "environments": {
        "dev": {
          "auth": {
            "[api_name]": {
              "hostedUIProviderCreds": "[]"
            }
          }
        }
      }
    }
  ]
}
```
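The two JSON shapes above (the `hostedUIProviderCreds` value under `categories.auth` in team-provider-info.json, and the `appSecrets[].environments.<env>.auth.<resource>` layout of deployment-secrets.json) are easy to cross-check by hand once, but the thread shows the entry disappearing again after a few pushes. The following is an added example, not amplify-cli's own code, that checks both files for every hosted-UI auth resource, reports the condition that produces the `[hostedUIProviderCreds] must have values` error, and can rebuild the deployment-secrets.json structure from values still present in team-provider-info.json. It also checks that each value is a JSON array string, because the auth CloudFormation template pasted later in this thread runs `JSON.parse()` on that parameter inside a custom-resource Lambda. The `Finding` type, the function names, the `hostedUIResources` argument, the placeholder stack id and resource name, and the assumption that both files sit in the same directory are all mine, not the project's.

```typescript
// Added example; not amplify-cli's own code. Cross-checks team-provider-info.json
// against deployment-secrets.json for the hostedUIProviderCreds migration this
// thread discusses, and can rebuild the deployment-secrets.json shape from the
// values still sitting in team-provider-info.json. File shapes follow the JSON
// snippets posted in the thread; the sample ids below are constructed placeholders.
import * as fs from "fs";
import * as path from "path";

type Creds = { hostedUIProviderCreds?: string };
type AuthMap = Record<string, Creds>;
type TeamProviderInfo = Record<string, { categories?: { auth?: AuthMap } }>;
type AppSecret = { rootStackId: string; environments: Record<string, { auth?: AuthMap }> };
type DeploymentSecrets = { appSecrets: AppSecret[] };
export type Finding = { env: string; resource: string; message: string };

// The auth CFN template pasted in this thread runs JSON.parse() on the
// hostedUIProviderCreds parameter inside a custom-resource Lambda, so the value
// must be a JSON array encoded as a string ("[]" when no social providers are set).
// Returns null when the value is acceptable, otherwise a short description.
export function credsProblem(raw: string | undefined): string | null {
  if (raw === undefined) return "missing";
  try {
    return Array.isArray(JSON.parse(raw)) ? null : "not a JSON array";
  } catch {
    // e.g. the template's default placeholder string "hostedUIProviderCreds"
    return "not valid JSON (the custom resource's JSON.parse would throw)";
  }
}

function migratedAuth(secrets: DeploymentSecrets, rootStackId: string, env: string): AuthMap {
  for (const app of secrets.appSecrets) {
    if (app.rootStackId === rootStackId) {
      const entry = app.environments[env];
      return (entry && entry.auth) || {};
    }
  }
  return {};
}

// hostedUIResources: auth resource names that use the hosted UI and therefore
// need a hostedUIProviderCreds value in one of the two files (assumed input).
export function checkMigration(
  team: TeamProviderInfo,
  secrets: DeploymentSecrets,
  rootStackId: string,
  hostedUIResources: string[],
): Finding[] {
  const findings: Finding[] = [];
  for (const env of Object.keys(team)) {
    const categories = team[env].categories;
    const teamAuth: AuthMap = (categories && categories.auth) || {};
    const secretAuth = migratedAuth(secrets, rootStackId, env);
    for (const resource of hostedUIResources) {
      const inTeam = teamAuth[resource] ? teamAuth[resource].hostedUIProviderCreds : undefined;
      const inSecrets = secretAuth[resource] ? secretAuth[resource].hostedUIProviderCreds : undefined;
      if (inTeam !== undefined) {
        findings.push({ env, resource, message: "hostedUIProviderCreds still present in team-provider-info.json" });
        const p = credsProblem(inTeam);
        if (p) findings.push({ env, resource, message: `team-provider-info.json value is ${p}` });
      }
      if (inSecrets === undefined) {
        findings.push({ env, resource, message: "no hostedUIProviderCreds entry in deployment-secrets.json: push reports '[hostedUIProviderCreds] must have values'" });
      } else {
        const p = credsProblem(inSecrets);
        if (p) findings.push({ env, resource, message: `deployment-secrets.json value is ${p}` });
      }
    }
  }
  return findings;
}

// Rebuilds the deployment-secrets.json structure shown earlier in this thread
// from whatever creds are still in team-provider-info.json.
export function buildDeploymentSecrets(team: TeamProviderInfo, rootStackId: string): DeploymentSecrets {
  const environments: AppSecret["environments"] = {};
  for (const env of Object.keys(team)) {
    const categories = team[env].categories;
    const teamAuth: AuthMap = (categories && categories.auth) || {};
    for (const resource of Object.keys(teamAuth)) {
      const value = teamAuth[resource].hostedUIProviderCreds;
      if (value === undefined) continue;
      if (!environments[env]) environments[env] = { auth: {} };
      environments[env].auth![resource] = { hostedUIProviderCreds: value };
    }
  }
  return { appSecrets: [{ rootStackId, environments }] };
}

// Reads both files from a directory (assumed layout: both files side by side) and runs the check.
export function checkProjectDir(dir: string, rootStackId: string, hostedUIResources: string[]): Finding[] {
  const team = JSON.parse(fs.readFileSync(path.join(dir, "team-provider-info.json"), "utf8")) as TeamProviderInfo;
  const secretsPath = path.join(dir, "deployment-secrets.json");
  const secrets: DeploymentSecrets = fs.existsSync(secretsPath)
    ? (JSON.parse(fs.readFileSync(secretsPath, "utf8")) as DeploymentSecrets)
    : { appSecrets: [] };
  return checkMigration(team, secrets, rootStackId, hostedUIResources);
}

// Constructed sample input (placeholder ids, not from a real project).
export const ROOT_STACK_ID = "arn:aws:cloudformation:REGION:ACCOUNT:stack/amplify-PLACEHOLDER/ID";
export const sampleTeam: TeamProviderInfo = {
  dev: { categories: { auth: { cognitoPLACEHOLDER: { hostedUIProviderCreds: "[]" } } } },
  prod: { categories: { auth: { cognitoPLACEHOLDER: {} } } },
};
export const sampleSecrets: DeploymentSecrets = {
  appSecrets: [{
    rootStackId: ROOT_STACK_ID,
    environments: { dev: { auth: { cognitoPLACEHOLDER: { hostedUIProviderCreds: "hostedUIProviderCreds" } } } },
  }],
};

for (const f of checkMigration(sampleTeam, sampleSecrets, ROOT_STACK_ID, ["cognitoPLACEHOLDER"])) {
  console.log(`[${f.env}/${f.resource}] ${f.message}`);
}
```

Run against the constructed sample it reports three findings: `dev` still carries the value in team-provider-info.json (which, per this thread, makes the CLI offer the migration again on the next push), the `dev` entry in deployment-secrets.json is the literal placeholder string rather than a JSON array, and `prod` has no entry at all, which is exactly the state that produces the `must have values` error. Feeding `buildDeploymentSecrets()` output back into the check clears the second finding; the `prod` one can only be cleared by putting the value back into team-provider-info.json (askurat's fix above) or adding it to deployment-secrets.json directly.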
The …

@ammarkarachi I do not remember if the CLI threw an error at me or not. After I upgraded to version 4.34.0 I do remember it asking me if I wanted to backup … When I updated to version 4.35.0 this morning and tried to do a push, it gave me the …

```json
"[api_name]": {
  "hostedUIProviderCreds": "[]"
},
```

So I added that back into my … I hope all that made sense. I'm guessing forcing the migration again must correct something in the CLI?
This is a really rough one, I thought it was just me so I tweeted about it then forgot about it https://twitter.com/CodingCatDev/status/1330596528889745410 There has to be a better way of making this and the … Especially in regards to the auth redirects. Those need to be moved from …

Tried putting an entry in the deployment-secrets.json, but now I am getting an error message in CloudFormation: The following resource(s) failed to create: [testDynamoDB]. The following resource(s) failed to update: [authtest2020].

@askurat's fix worked for me too. I restored my …
I'm having the same problem as others here with Amplify CLI v4.35.0. When I try to run … So I selected "yes", and it removed the … And since I didn't know what was going on, I tried a bunch of different things to no avail, including running …

After checking this thread, I have the hostedUIProviderCreds in … If I remove the facebookAppId and googleClientId entries, I get a new error: … I tried @askurat's fix as well, but it still gives me the same … So I'm a bit stuck. I'll try a few more things and then I'll likely have to revert back to an old CLI version for the time being.
@ngnathan US-EAST-1 Region is having a ton of issues at the moment. This may be causing some of your problems: AWS Status

Yeah I just saw this as well... I just tried (in a separate env) removing FB/Google (so that I can try adding it again). And I think the us-east-1 issues are causing my CLI to be stuck on updating the IdentityPool during my amplify push lol. Anyway, I'm not sure how recent this outage is, but I was dealing with the same problems all of yesterday too.

@ngnathan Can you check if the file …

Yes, it did back when I tried it yesterday, which is why it was weird when it said …

I finally got it working on a test environment. Had to remove social auth completely, run …

I'll see if this happens again later, when I push these changes to another environment.

@evertson90 we released a new beta; can you test it with the new version and let me know?
I installed version 4.40.0-beta.0 and tried the following: … Then I did amplify update auth, "Update OAuth social providers", selected Facebook and Google and added the ID and secrets. What happens is it removes the "hostedUIProviderCreds" from categories.auth.cognito in my team-provider-info.json. Reverting to 4.32.1 fixes the problem for now. The beta does not fix the problem yet unfortunately.

@evertson90 Those values are being written to …
ok here is what fixed this for me... but the jury is still out because it's been a long few hours of debugging this issue

```yaml
hostedUIProviderCreds:
  Type: String
  Default: "hostedUIProviderCreds"
```

The deployment-secrets.json file should be created … I hope this fixes it for others.
@dwamianm Can you confirm if the Auth CFN is being updated after the migration?

@ammarkarachi it adds the following to the Outputs section of the CFN file: `AppClientSecret: Value: !GetAtt UserPoolClientInputs.appSecret` ...however, as previously pointed out, it removes any customizations made to the CFN templates... but that may be for another bug report. Edit: It actually adds more than just the above @ammarkarachi ... there is a lambda function that is generated and several other params

@dwamianm The credentials should be temporarily stored in the file …

@ammarkarachi ... that is not the case for me. The deployment-secrets.json file looks like this even after several pushes:

```json
{
  "appSecrets": [
    {
      "rootStackId": "",
      "environments": {
        "dev": {
          "auth": {
            "authResourceName": {
              "hostedUIProviderCreds": "[{\stuff in here"}]"
            }
          }
        }
      }
    }
  ]
}
```

Can you share your latest generated CFN file? You can redact the info you think is sensitive.
@ammarkarachi absolutely.. here you go

```yaml
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  env:
    Type: String
  authRoleArn:
    Type: String
  unauthRoleArn:
    Type: String
  functionjournelyv2AuthCustomMessageArn:
    Type: String
    Default: functionjournelyv2AuthCustomMessageArn
  functionjournelyv2AuthCustomMessageName:
    Type: String
    Default: functionjournelyv2AuthCustomMessageName
  functionjournelyv2AuthPreSignupArn:
    Type: String
    Default: functionjournelyv2AuthPreSignupArn
  functionjournelyv2AuthPreSignupName:
    Type: String
    Default: functionjournelyv2AuthPreSignupName
  identityPoolName:
    Type: String
  allowUnauthenticatedIdentities:
    Type: String
  resourceNameTruncated:
    Type: String
  userPoolName:
    Type: String
  autoVerifiedAttributes:
    Type: CommaDelimitedList
  mfaConfiguration:
    Type: String
  mfaTypes:
    Type: CommaDelimitedList
  smsAuthenticationMessage:
    Type: String
  smsVerificationMessage:
    Type: String
  emailVerificationSubject:
    Type: String
  emailVerificationMessage:
    Type: String
  defaultPasswordPolicy:
    Type: String
  passwordPolicyMinLength:
    Type: Number
  passwordPolicyCharacters:
    Type: CommaDelimitedList
  requiredAttributes:
    Type: CommaDelimitedList
  userpoolClientGenerateSecret:
    Type: String
  userpoolClientRefreshTokenValidity:
    Type: Number
  userpoolClientWriteAttributes:
    Type: CommaDelimitedList
  userpoolClientReadAttributes:
    Type: CommaDelimitedList
  userpoolClientLambdaRole:
    Type: String
  userpoolClientSetAttributes:
    Type: String
  resourceName:
    Type: String
  authSelections:
    Type: String
  useDefault:
    Type: String
  usernameAttributes:
    Type: CommaDelimitedList
  triggers:
    Type: String
  userPoolGroupList:
    Type: CommaDelimitedList
  parentStack:
    Type: String
  permissions:
    Type: CommaDelimitedList
  dependsOn:
    Type: CommaDelimitedList
  userPoolGroups:
    Type: String
  adminQueries:
    Type: String
  hostedUI:
    Type: String
  verificationBucketName:
    Type: String
  hostedUIDomainName:
    Type: String
  authProvidersUserPool:
    Type: CommaDelimitedList
  hostedUIProviderMeta:
    Type: String
  oAuthMetadata:
    Type: String
  hostedUIProviderCreds:
    Type: String
    Default: "hostedUIProviderCreds"
Conditions:
  ShouldNotCreateEnvResources: !Equals [ !Ref env, NONE ]
Resources:
  CustomMessageConfirmationBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: "Retain"
    Properties:
      BucketName: !If [ShouldNotCreateEnvResources, !Ref verificationBucketName, !Join ['',[!Ref verificationBucketName, '-', !Ref env]]]
      AccessControl: "Private"
      WebsiteConfiguration:
        IndexDocument: "index.html"
        ErrorDocument: "index.html"
      CorsConfiguration:
        CorsRules:
          - AllowedHeaders:
              - "Authorization"
              - "Content-Length"
            AllowedMethods:
              - "GET"
            AllowedOrigins:
              - "*"
            MaxAge: 3000
  # BEGIN SNS ROLE RESOURCE
  SNSRole:
    # Created to allow the UserPool SMS Config to publish via the Simple Notification Service during MFA Process
    Type: AWS::IAM::Role
    Properties:
      RoleName: !If [ShouldNotCreateEnvResources, 'journea6e2faad_sns-role', !Join ['',[ 'sns', 'undefined', !Select [3, !Split ['-', !Ref 'AWS::StackName']], '-', !Ref env]]]
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ""
            Effect: "Allow"
            Principal:
              Service: "cognito-idp.amazonaws.com"
            Action:
              - "sts:AssumeRole"
            Condition:
              StringEquals:
                sts:ExternalId: journea6e2faad_role_external_id
      Policies:
        - PolicyName: journea6e2faad-sns-policy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "sns:Publish"
                Resource: "*"
  # BEGIN USER POOL RESOURCES
  UserPool:
    # Created upon user selection
    # Depends on SNS Role for Arn if MFA is enabled
    Type: AWS::Cognito::UserPool
    UpdateReplacePolicy: Retain
    Properties:
      UserPoolName: !If [ShouldNotCreateEnvResources, !Ref userPoolName, !Join ['',[!Ref userPoolName, '-', !Ref env]]]
      UsernameConfiguration:
        CaseSensitive: false
      Schema:
        - Name: email
          Required: true
          Mutable: true
        - Name: name
          Required: true
          Mutable: true
      LambdaConfig:
        CustomMessage: !Ref functionjournelyv2AuthCustomMessageArn
        PreSignUp: !Ref functionjournelyv2AuthPreSignupArn
      AutoVerifiedAttributes: !Ref autoVerifiedAttributes
      EmailVerificationMessage: !Ref emailVerificationMessage
      EmailVerificationSubject: !Ref emailVerificationSubject
      Policies:
        PasswordPolicy:
          MinimumLength: !Ref passwordPolicyMinLength
          RequireLowercase: false
          RequireNumbers: false
          RequireSymbols: false
          RequireUppercase: false
      UsernameAttributes: !Ref usernameAttributes
      MfaConfiguration: !Ref mfaConfiguration
      SmsVerificationMessage: !Ref smsVerificationMessage
      SmsConfiguration:
        SnsCallerArn: !GetAtt SNSRole.Arn
        ExternalId: journea6e2faad_role_external_id
  UserPoolCustomMessageLambdaInvokePermission:
    Type: "AWS::Lambda::Permission"
    DependsOn: UserPool
    Properties:
      Action: "lambda:invokeFunction"
      Principal: "cognito-idp.amazonaws.com"
      FunctionName: !Ref functionjournelyv2AuthCustomMessageName
      SourceArn: !GetAtt UserPool.Arn
  UserPoolPreSignupLambdaInvokePermission:
    Type: "AWS::Lambda::Permission"
    DependsOn: UserPool
    Properties:
      Action: "lambda:invokeFunction"
      Principal: "cognito-idp.amazonaws.com"
      FunctionName: !Ref functionjournelyv2AuthPreSignupName
      SourceArn: !GetAtt UserPool.Arn
  # Updating lambda role with permissions to Cognito
  UserPoolClientWeb:
    # Created provide application access to user pool
    # Depends on UserPool for ID reference
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      ClientName: journea6e2faad_app_clientWeb
      RefreshTokenValidity: !Ref userpoolClientRefreshTokenValidity
      UserPoolId: !Ref UserPool
    DependsOn: UserPool
  UserPoolClient:
    # Created provide application access to user pool
    # Depends on UserPool for ID reference
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      ClientName: journea6e2faad_app_client
      GenerateSecret: !Ref userpoolClientGenerateSecret
      RefreshTokenValidity: !Ref userpoolClientRefreshTokenValidity
      UserPoolId: !Ref UserPool
    DependsOn: UserPool
  # BEGIN USER POOL LAMBDA RESOURCES
  UserPoolClientRole:
    # Created to execute Lambda which gets userpool app client config values
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !If [ShouldNotCreateEnvResources, !Ref userpoolClientLambdaRole, !Join ['',['upClientLambdaRole', 'undefined', !Select [3, !Split ['-', !Ref 'AWS::StackName']], '-', !Ref env]]]
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
    DependsOn: UserPoolClient
  UserPoolClientLambda:
    # Lambda which gets userpool app client config values
    # Depends on UserPool for id
    # Depends on UserPoolClientRole for role ARN
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        ZipFile: !Join
          - |+

          - - 'const response = require(''cfn-response'');'
            - 'const aws = require(''aws-sdk'');'
            - 'const identity = new aws.CognitoIdentityServiceProvider();'
            - 'exports.handler = (event, context, callback) => {'
            - ' if (event.RequestType == ''Delete'') { '
            - ' response.send(event, context, response.SUCCESS, {})'
            - ' }'
            - ' if (event.RequestType == ''Update'' || event.RequestType == ''Create'') {'
            - ' const params = {'
            - ' ClientId: event.ResourceProperties.clientId,'
            - ' UserPoolId: event.ResourceProperties.userpoolId'
            - ' };'
            - ' identity.describeUserPoolClient(params).promise()'
            - ' .then((res) => {'
            - ' response.send(event, context, response.SUCCESS, {''appSecret'': res.UserPoolClient.ClientSecret});'
            - ' })'
            - ' .catch((err) => {'
            - ' response.send(event, context, response.FAILED, {err});'
            - ' });'
            - ' }'
            - '};'
      Handler: index.handler
      Runtime: nodejs10.x
      Timeout: '300'
      Role: !GetAtt
        - UserPoolClientRole
        - Arn
    DependsOn: UserPoolClientRole
  UserPoolClientLambdaPolicy:
    # Sets userpool policy for the role that executes the Userpool Client Lambda
    # Depends on UserPool for Arn
    # Marked as depending on UserPoolClientRole for easier to understand CFN sequencing
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: journea6e2faad_userpoolclient_lambda_iam_policy
      Roles:
        - !Ref UserPoolClientRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'cognito-idp:DescribeUserPoolClient'
            Resource: !GetAtt UserPool.Arn
    DependsOn: UserPoolClientLambda
  UserPoolClientLogPolicy:
    # Sets log policy for the role that executes the Userpool Client Lambda
    # Depends on UserPool for Arn
    # Marked as depending on UserPoolClientLambdaPolicy for easier to understand CFN sequencing
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: journea6e2faad_userpoolclient_lambda_log_policy
      Roles:
        - !Ref UserPoolClientRole
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - 'logs:CreateLogGroup'
              - 'logs:CreateLogStream'
              - 'logs:PutLogEvents'
            Resource: !Sub
              - arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*
              - { region: !Ref "AWS::Region", account: !Ref "AWS::AccountId", lambda: !Ref UserPoolClientLambda}
    DependsOn: UserPoolClientLambdaPolicy
  UserPoolClientInputs:
    # Values passed to Userpool client Lambda
    # Depends on UserPool for Id
    # Depends on UserPoolClient for Id
    # Marked as depending on UserPoolClientLambdaPolicy for easier to understand CFN sequencing
    Type: 'Custom::LambdaCallout'
    Properties:
      ServiceToken: !GetAtt UserPoolClientLambda.Arn
      clientId: !Ref UserPoolClient
      userpoolId: !Ref UserPool
    DependsOn: UserPoolClientLogPolicy
  HostedUICustomResource:
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        ZipFile: !Join
          - |+

          - - 'const response = require(''cfn-response'');'
            - 'const aws = require(''aws-sdk'');'
            - 'const identity = new aws.CognitoIdentityServiceProvider();'
            - 'exports.handler = (event, context, callback) => {'
            - ' const userPoolId = event.ResourceProperties.userPoolId;'
            - ' const inputDomainName = event.ResourceProperties.hostedUIDomainName;'
            - ' let deleteUserPoolDomain = (domainName) => {'
            - ' let params = { Domain: domainName, UserPoolId: userPoolId };'
            - ' return identity.deleteUserPoolDomain(params).promise();'
            - ' };'
            - ' if (event.RequestType == ''Delete'') {'
            - ' deleteUserPoolDomain(inputDomainName)'
            - ' .then(() => {response.send(event, context, response.SUCCESS, {})})'
            - ' .catch((err) => { console.log(err); response.send(event, context, response.FAILED, {err}) });'
            - ' }'
            - ' if (event.RequestType == ''Update'' || event.RequestType == ''Create'') {'
            - ' let checkDomainAvailability = (domainName) => {'
            - ' let params = { Domain: domainName };'
            - ' return identity.describeUserPoolDomain(params).promise().then((res) => {'
            - ' if (res.DomainDescription && res.DomainDescription.UserPool) {'
            - ' return false;'
            - ' }'
            - ' return true;'
            - ' }).catch((err) => { return false; });'
            - ' };'
            - ' let createUserPoolDomain = (domainName) => {'
            - ' let params = { Domain: domainName, UserPoolId: userPoolId };'
            - ' return identity.createUserPoolDomain(params).promise();'
            - ' };'
            - ' identity.describeUserPool({UserPoolId: userPoolId }).promise().then((result) => {'
            - ' if (inputDomainName) {'
            - ' if (result.UserPool.Domain === inputDomainName) {'
            - ' return;'
            - ' } else {'
            - ' if (!result.UserPool.Domain) {'
            - ' return checkDomainAvailability(inputDomainName).then((isDomainAvailable) => {'
            - ' if (isDomainAvailable) {'
            - ' return createUserPoolDomain(inputDomainName);'
            - ' } else {'
            - ' throw new Error(''Domain not available'');'
            - ' }'
            - ' });'
            - ' } else {'
            - ' return checkDomainAvailability(inputDomainName).then((isDomainAvailable) => {'
            - ' if (isDomainAvailable) {'
            - ' return deleteUserPoolDomain(result.UserPool.Domain).then(() => createUserPoolDomain(inputDomainName));'
            - ' } else {'
            - ' throw new Error(''Domain not available'');'
            - ' }'
            - ' });'
            - ' }'
            - ' }'
            - ' } else {'
            - ' if (result.UserPool.Domain) {'
            - ' return deleteUserPoolDomain(result.UserPool.Domain);'
            - ' }'
            - ' }'
            - ' }).then(() => {response.send(event, context, response.SUCCESS, {})}).catch((err) => {'
            - ' console.log(err); response.send(event, context, response.FAILED, {err});'
            - ' });'
            - '}}'
      Handler: index.handler
      Runtime: nodejs10.x
      Timeout: '300'
      Role: !GetAtt
        - UserPoolClientRole
        - Arn
    DependsOn: UserPoolClientRole
  HostedUICustomResourcePolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: !Join ['-',[!Ref UserPool, 'hostedUI']]
      Roles:
        - !Ref UserPoolClientRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'cognito-idp:CreateUserPoolDomain'
              - 'cognito-idp:DescribeUserPool'
              - 'cognito-idp:DeleteUserPoolDomain'
            Resource: !GetAtt UserPool.Arn
          - Effect: Allow
            Action:
              - 'cognito-idp:DescribeUserPoolDomain'
            Resource: '*'
    DependsOn: HostedUICustomResource
  HostedUICustomResourceLogPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: !Join ['-',[!Ref UserPool, 'hostedUILogPolicy']]
      Roles:
        - !Ref UserPoolClientRole
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - 'logs:CreateLogGroup'
              - 'logs:CreateLogStream'
              - 'logs:PutLogEvents'
            Resource: !Sub
              - arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*
              - { region: !Ref "AWS::Region", account: !Ref "AWS::AccountId", lambda: !Ref HostedUICustomResource}
    DependsOn: HostedUICustomResourcePolicy
  HostedUICustomResourceInputs:
    Type: 'Custom::LambdaCallout'
    Properties:
      ServiceToken: !GetAtt HostedUICustomResource.Arn
      userPoolId: !Ref UserPool
      hostedUIDomainName: !If [ShouldNotCreateEnvResources, !Ref hostedUIDomainName, !Join ['-',[!Ref hostedUIDomainName, !Ref env]]]
    DependsOn: HostedUICustomResourceLogPolicy
  HostedUIProvidersCustomResource:
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        ZipFile: !Join
          - |+

          - - 'const response = require(''cfn-response'');'
            - 'const aws = require(''aws-sdk'');'
            - 'const identity = new aws.CognitoIdentityServiceProvider();'
            - 'exports.handler = (event, context, callback) => {'
            - 'try{'
            - ' const userPoolId = event.ResourceProperties.userPoolId;'
            - ' let hostedUIProviderMeta = JSON.parse(event.ResourceProperties.hostedUIProviderMeta);'
            - ' let hostedUIProviderCreds = JSON.parse(event.ResourceProperties.hostedUIProviderCreds);'
            - ' if(hostedUIProviderCreds.length === 0) {'
            - ' response.send(event, context, response.SUCCESS, {});'
            - ' }'
            - ' if (event.RequestType == ''Delete'') {'
            - ' response.send(event, context, response.SUCCESS, {});'
            - ' }'
            - ' if (event.RequestType == ''Update'' || event.RequestType == ''Create'') {'
            - ' let getRequestParams = (providerName) => {'
            - ' let providerMetaIndex = hostedUIProviderMeta.findIndex((provider) => provider.ProviderName === providerName);'
            - ' let providerMeta = hostedUIProviderMeta[providerMetaIndex];'
            - ' let providerCredsIndex = hostedUIProviderCreds.findIndex((provider) => provider.ProviderName === providerName);'
            - ' let providerCreds = hostedUIProviderCreds[providerCredsIndex];'
            - ' let requestParams = {'
            - ' ProviderDetails: {'
            - ' ''client_id'': providerCreds.client_id,'
            - ' ''client_secret'': providerCreds.client_secret,'
            - ' ''authorize_scopes'': providerMeta.authorize_scopes'
            - ' },'
            - ' ProviderName: providerMeta.ProviderName,'
            - ' UserPoolId: userPoolId,'
            - ' AttributeMapping: providerMeta.AttributeMapping'
            - ' };'
            - ' return requestParams;'
            - ' };'
            - ' let createIdentityProvider = (providerName) => {'
            - ' let requestParams = getRequestParams(providerName);'
            - ' requestParams.ProviderType = requestParams.ProviderName;'
            - ' return identity.createIdentityProvider(requestParams).promise();'
            - ' };'
            - ' let updateIdentityProvider = (providerName) => {'
            - ' let requestParams = getRequestParams(providerName);'
            - ' return identity.updateIdentityProvider(requestParams).promise();'
            - ' };'
            - ' let deleteIdentityProvider = (providerName) => {'
            - ' let params = {ProviderName: providerName, UserPoolId: userPoolId};'
            - ' return identity.deleteIdentityProvider(params).promise();'
            - ' };'
            - ' let providerPromises = [];'
            - ' identity.listIdentityProviders({UserPoolId: userPoolId, MaxResults: 60}).promise()'
            - ' .then((result) => {'
            - ' let providerList = result.Providers.map(provider => provider.ProviderName);'
            - ' let providerListInParameters = hostedUIProviderMeta.map(provider => provider.ProviderName);'
            - ' hostedUIProviderMeta.forEach((providerMetadata) => {'
            - ' if(providerList.indexOf(providerMetadata.ProviderName) > -1) {'
            - ' providerPromises.push(updateIdentityProvider(providerMetadata.ProviderName));'
            - ' } else {'
            - ' providerPromises.push(createIdentityProvider(providerMetadata.ProviderName));'
            - ' }'
            - ' });'
            - ' providerList.forEach((provider) => {'
            - ' if(providerListInParameters.indexOf(provider) < 0) {'
            - ' providerPromises.push(deleteIdentityProvider(provider));'
            - ' }'
            - ' });'
            - ' return Promise.all(providerPromises);'
            - ' }).then(() => {response.send(event, context, response.SUCCESS, {})}).catch((err) => {'
            - ' console.log(err.stack); response.send(event, context, response.FAILED, {err})'
            - ' });'
            - ' } '
            - ' } catch(err) { console.log(err.stack); response.send(event, context, response.FAILED, {err});};'
            - '} '
      Handler: index.handler
      Runtime: nodejs10.x
      Timeout: '300'
      Role: !GetAtt
        - UserPoolClientRole
        - Arn
    DependsOn: UserPoolClientRole
  HostedUIProvidersCustomResourcePolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: !Join ['-',[!Ref UserPool, 'hostedUIProvider']]
      Roles:
        - !Ref UserPoolClientRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'cognito-idp:CreateIdentityProvider'
              - 'cognito-idp:UpdateIdentityProvider'
              - 'cognito-idp:ListIdentityProviders'
              - 'cognito-idp:DeleteIdentityProvider'
            Resource: !GetAtt UserPool.Arn
    DependsOn: HostedUIProvidersCustomResource
  HostedUIProvidersCustomResourceLogPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: !Join ['-',[!Ref UserPool, 'hostedUIProviderLogPolicy']]
      Roles:
        - !Ref UserPoolClientRole
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - 'logs:CreateLogGroup'
              - 'logs:CreateLogStream'
              - 'logs:PutLogEvents'
            Resource: !Sub
              - arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*
              - { region: !Ref "AWS::Region", account: !Ref "AWS::AccountId", lambda: !Ref HostedUIProvidersCustomResource}
    DependsOn: HostedUIProvidersCustomResourcePolicy
  HostedUIProvidersCustomResourceInputs:
    Type: 'Custom::LambdaCallout'
    Properties:
      ServiceToken: !GetAtt HostedUIProvidersCustomResource.Arn
      userPoolId: !Ref UserPool
      hostedUIProviderMeta: !Ref hostedUIProviderMeta
      hostedUIProviderCreds: !Ref hostedUIProviderCreds
    DependsOn: HostedUIProvidersCustomResourceLogPolicy
  OAuthCustomResource:
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        ZipFile: !Join
          - |+

          - - 'const response = require(''cfn-response'');'
            - 'const aws = require(''aws-sdk'');'
            - 'const identity = new aws.CognitoIdentityServiceProvider();'
            - 'exports.handler = (event, context, callback) => {'
            - 'try{'
            - ' const userPoolId = event.ResourceProperties.userPoolId;'
            - ' let webClientId = event.ResourceProperties.webClientId;'
            - ' let nativeClientId = event.ResourceProperties.nativeClientId;'
            - ' let hostedUIProviderMeta = JSON.parse(event.ResourceProperties.hostedUIProviderMeta);'
            - ' let oAuthMetadata = JSON.parse(event.ResourceProperties.oAuthMetadata);'
            - ' let providerList = hostedUIProviderMeta.map(provider => provider.ProviderName);'
            - ' providerList.push(''COGNITO'');'
            - ' if (event.RequestType == ''Delete'') {'
            - ' response.send(event, context, response.SUCCESS, {});'
            - ' }'
            - ' if (event.RequestType == ''Update'' || event.RequestType == ''Create'') {'
            - ' let params = {'
            - ' UserPoolId: userPoolId,'
            - ' AllowedOAuthFlows: oAuthMetadata.AllowedOAuthFlows,'
            - ' AllowedOAuthFlowsUserPoolClient: true,'
            - ' AllowedOAuthScopes: oAuthMetadata.AllowedOAuthScopes,'
            - ' CallbackURLs: oAuthMetadata.CallbackURLs,'
            - ' LogoutURLs: oAuthMetadata.LogoutURLs,'
            - ' SupportedIdentityProviders: providerList'
            - ' };'
            - ' let updateUserPoolClientPromises = [];'
            - ' params.ClientId = webClientId;'
            - ' updateUserPoolClientPromises.push(identity.updateUserPoolClient(params).promise());'
            - ' params.ClientId = nativeClientId;'
            - ' updateUserPoolClientPromises.push(identity.updateUserPoolClient(params).promise());'
            - ' Promise.all(updateUserPoolClientPromises)'
            - ' .then(() => {response.send(event, context, response.SUCCESS, {})}).catch((err) => {'
            - ' console.log(err.stack); response.send(event, context, response.FAILED, {err});'
            - ' });'
            - ' }'
            - '} catch(err) { console.log(err.stack); response.send(event, context, response.FAILED, {err});};'
            - '}'
      Handler: index.handler
      Runtime: nodejs10.x
      Timeout: '300'
      Role: !GetAtt
        - UserPoolClientRole
        - Arn
    DependsOn: HostedUIProvidersCustomResourceInputs
  OAuthCustomResourcePolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: !Join ['-',[!Ref UserPool, 'OAuth']]
      Roles:
        - !Ref UserPoolClientRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'cognito-idp:UpdateUserPoolClient'
            Resource: !GetAtt UserPool.Arn
    DependsOn: OAuthCustomResource
  OAuthCustomResourceLogPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: !Join ['-',[!Ref UserPool, 'OAuthLogPolicy']]
      Roles:
        - !Ref UserPoolClientRole
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - 'logs:CreateLogGroup'
              - 'logs:CreateLogStream'
              - 'logs:PutLogEvents'
            Resource: !Sub
              - arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*
              - { region: !Ref "AWS::Region", account: !Ref "AWS::AccountId", lambda: !Ref OAuthCustomResource}
    DependsOn: OAuthCustomResourcePolicy
  OAuthCustomResourceInputs:
    Type: 'Custom::LambdaCallout'
    Properties:
      ServiceToken: !GetAtt OAuthCustomResource.Arn
      userPoolId: !Ref UserPool
      hostedUIProviderMeta: !Ref hostedUIProviderMeta
      oAuthMetadata: !Ref oAuthMetadata
      webClientId: !Ref 'UserPoolClientWeb'
      nativeClientId: !Ref 'UserPoolClient'
    DependsOn: OAuthCustomResourceLogPolicy
  # BEGIN IDENTITY POOL RESOURCES
  IdentityPool:
    # Always created
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: !If [ShouldNotCreateEnvResources, 'journelyv2Auth_identitypool_967bea7b', !Join ['',['journelyv2Auth_identitypool_967bea7b', '__', !Ref env]]]
      CognitoIdentityProviders:
        - ClientId: !Ref UserPoolClient
          ProviderName: !Sub
            - cognito-idp.${region}.amazonaws.com/${client}
            - { region: !Ref "AWS::Region", client: !Ref UserPool}
        - ClientId: !Ref UserPoolClientWeb
          ProviderName: !Sub
            - cognito-idp.${region}.amazonaws.com/${client}
            - { region: !Ref "AWS::Region", client: !Ref UserPool}
      AllowUnauthenticatedIdentities: !Ref allowUnauthenticatedIdentities
    DependsOn: UserPoolClientInputs
  IdentityPoolRoleMap:
    # Created to map Auth and Unauth roles to the identity pool
    # Depends on Identity Pool for ID ref
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref IdentityPool
      Roles:
        unauthenticated: !Ref unauthRoleArn
        authenticated: !Ref authRoleArn
    DependsOn: IdentityPool
Outputs :
  IdentityPoolId:
    Value: !Ref 'IdentityPool'
    Description: Id for the identity pool
  IdentityPoolName:
    Value: !GetAtt IdentityPool.Name
  HostedUIDomain:
    Value: !If [ShouldNotCreateEnvResources, !Ref hostedUIDomainName, !Join ['-',[!Ref hostedUIDomainName, !Ref env]]]
  OAuthMetadata:
    Value: !Ref oAuthMetadata
  UserPoolId:
    Value: !Ref 'UserPool'
    Description: Id for the user pool
  UserPoolName:
    Value: !Ref userPoolName
  AppClientIDWeb:
    Value: !Ref 'UserPoolClientWeb'
    Description: The user pool app client id for web
  AppClientID:
    Value: !Ref 'UserPoolClient'
    Description: The user pool app client id
  AppClientSecret:
    Value: !GetAtt UserPoolClientInputs.appSecret
```
@ammarkarachi ... My push happiness was short lived. I am now unable to push, with the following message:

```
Failed to delete resource. See the details in CloudWatch Log Stream: 2020/12/15/[$LATEST]fe9f95bab9b84cff81db847ddce2fa72
```

and this in the CloudWatch logs:

```
2020-12-15T22:03:36.452Z 23d5e182-7094-4de1-b0a9-45ab65c7fb91 INFO SyntaxError: Unexpected token h in JSON at position 0 at JSON.parse () at Runtime.exports.handler (/var/task/index.js:1:360) at Runtime.handleOnce (/var/runtime/Runtime.js:66:25)
```

These seem to be happening in the …

@ammarkarachi ... 4.40.0 looks like it fixed the issue for me.

Let me know if anyone else is still facing any issues with the latest version. If this is still ongoing we would like to have this squared out.

4.41.2 - my hosteduiprovidercred="[]" but every couple of pushes deployment-secrets.json loses the current environment and I get the "must have values" error... adding the hosteduiprovidercred="[]" back into the team-provider-info.json and pushing re-runs the upgrade and puts the correct environment settings back in deployment-secrets.json (along with other pre-existing environments)... but after a few pushes it disappears again....

@GeorgeBellTMH There's a minor fix in #6485 to add additional guard rails which should potentially solve your problem. We'll make it part of our upcoming releases.

I was experiencing …

Huge pain on this one; the fix for me on the current version of amplify was: create manually, by hand, a file called … and add a file similar to this: …

For me the migration and nothing from the CLI was working to generate this file. After digging for a couple hours I got the format, name/numbers right etc.
After upgrading the CLI to 4.34.0, the CLI forces you to move secrets from team-provider-info.json to deployment-secrets.json on amplify push.

After selecting Yes, it seems like the migration is successful and push works just fine. However, the deployment-secrets.json is never created and on the future pushes, I get the following error: …

It is due to deletion of the hostedUIProviderCreds from the team-provider-info.