Lambda Triggers auto detached after updates to Cognito

[gorbinphilip]

Before opening, please confirm:

• I have installed the latest version of the Amplify CLI (see above), and confirmed that the issue still persists.
• I have searched for duplicate or closed issues.
• I have read the guide for submitting bug reports.
• I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

14.17.4

Amplify CLI Version

7.4.4

What operating system are you using?

MacOS 10

Amplify Categories

auth

Amplify Commands

push, update

Describe the bug

Cognito lambda triggers getting automatically detached while pushing any updates to Cognito configuration.
Note: Not regarding updates to lambda function itself but to Cognito configurations like change of password policy etc.

It's clear that the approach for attaching triggers to Cognito is through an authTriggerFn function. From logs I cannot see an invocation after update here in this new version but old version used to get a delete which was causing similar trouble. But in all cases triggers gets detached automatically after any updates to Cognito cloudformation.

This is consistent across amplify versions 5, 6 & 7 at least.

I have reproduced this in a minimal code base here: https://github.com/gorbinphilip1/amplify-cognito-trigger-sample

Expected behavior

After update Cognito should retain previously attached lambda triggers.

Reproduction steps

Simply put steps to reproduce is to

1. Deploy an amplify app with auth category (Cognito) that has lambda trigger setup
2. Deploy an update to the same stack with amplify push after altering auth category using amplify auth update

Please find the steps below that I used to reproduce this myself in a minimal code base

# install amplify, current latest is 7.4.4
npm install -g @aws-amplify/cli
# init project with default setting
amplify init
# configure auth with cognito at least one trigger
amplify add auth
# deploy -- equivalent to commit a3ed91fb86479f3e26871ba95af05e0372fe9dab
amplify push

# all good at this point, triggers are attached.

# update cognito password policy
amplify auth update
# deploy -- equivalent to commit 12bcb24389ac4cb5f36854e61fa0338163c6c0e8
amplify push

# password policy gets updated and existing triggers are now detached from cognito :(

GraphQL schema(s)

# Put schemas below this line

Log output

# Put your logs below this line

Additional information

No response

[marcvberg]

I was able to reproduce this bug following the steps provided above

[sarahsga]

Prior to v7.x.x, when I ran amplify push, the auth triggers were successfully attached to the userpool. But when I updated the amplify-cli to the latest v7.4.5, the auth triggers are no longer attached.

Amplify push using v7.4.5

Amplify push using v6.4.0

[wbroek]

Got the same thing after upgrade to CLI. 7.5.x (updated to latest 7.5.4 for latest test) when pushing the latest changes all triggers where wiped out.
When we ran amplify update auth we get the comment we need to migrate: A migration is needed to support latest updates on auth resources
After we said yes to the migration and confirmed all the current settings (we did not add or remove settings) and pushed again all triggers where back.
Question is if this migration is mandatory?? (got more Amplify projects so would be nice if we know)

[attilah]

@wbroek yes the migration is mandatory because the underlying implementation changed to use the CDK from the previous static EJS templates and also some state files in certain categories are refactored to use the new cli-inputs.json as a singular parameter source.

[github-actions]

👋 Hi, this issue was referenced in the v7.6.5 release!

Check out the release notes here https://github.com/aws-amplify/amplify-cli/releases/tag/v7.6.5.

[cespin]

@akshbhu , I just built with v7.6.5 and the Cognito triggers are still being removed. In order to fix it I had to add this code in the override.ts:

    // START - Lambda Triggers
    // This is being done because the generated stack is missing Cognito triggers - Don't know why
    const newLambdaConfig = {
        ...resources.userPool.lambdaConfig,
    };

    if (!newLambdaConfig["preSignUp"]) {
        newLambdaConfig["preSignUp"] = {
            "Ref": "functionmyprojectauthPreSignupArn"
        };
    }

    resources.userPool.lambdaConfig = newLambdaConfig
    // END - Lambda Triggers

What I find strange is that the CloudFormation parameter functionmyprojectauthPreSignupArn is available but not set.

I also have a post confirmation trigger and that one is being correctly set. No need to do anything in the override.ts for that one.

[paulnolan7]

I think there is an issue with the case difference between SignUp and signup. See this issue #9351

[github-actions]

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels for those types of questions.