
(aws-appsync): userPoolConfig authorizer ignores the userpool region #13691

Closed
psoares-resilient opened this issue Mar 19, 2021 · 5 comments · Fixed by #13715
Labels
@aws-cdk/aws-appsync Related to AWS AppSync bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

@psoares-resilient

When adding an authorizer to the appSync, using the userPoolConfig, we can import the authorizer from the Arn, however the CF will add the deployment region rather than the authorizer region for that particular instance.

Reproduction Steps

    const currentAuthorizer = cognito.UserPool.fromUserPoolArn(this, 'AuthInAnotherRegion', userPoolArn);
    const featuresApi = new appsync.GraphqlApi(this, 'GqlApi', {
      name: 'feature-control',
      schema: appsync.Schema.fromAsset('graphql/schema.graphql'),
      authorizationConfig: {
        defaultAuthorization: {
          authorizationType: appsync.AuthorizationType.USER_POOL,
          userPoolConfig: {
            userPool: currentAuthorizer,
          },
        },
      },
    });

What did you expect to happen?

Resources:
  GqlApi4E487465:
    Type: AWS::AppSync::GraphQLApi
    Properties:
      AuthenticationType: AMAZON_COGNITO_USER_POOLS
      Name: feature-control
      UserPoolConfig:
        AwsRegion: eu-west-2
        DefaultAction: ALLOW
        UserPoolId: eu-west-2_USERPOOLID
    Metadata:
      aws:cdk:path: FeaturesBackendFrankFurt/GqlApi/Resource

What actually happened?

Resources:
  GqlApi4E487465:
    Type: AWS::AppSync::GraphQLApi
    Properties:
      AuthenticationType: AMAZON_COGNITO_USER_POOLS
      Name: feature-control
      UserPoolConfig:
        AwsRegion: eu-central-1
        DefaultAction: ALLOW
        UserPoolId: eu-west-2_USERPOOLID
    Metadata:
      aws:cdk:path: FeaturesBackendFrankFurt/GqlApi/Resource

Environment

  • CDK CLI Version : 1.94.1
  • Framework Version:
  • Node.js Version: 14.16.0
  • OS : macOS Darwin
  • Language (Version): typescript

Other

I have tried overwriting the env to see if that would be picked up as a workaround to no avail:

    defaultAuthorization: {
      authorizationType: appsync.AuthorizationType.USER_POOL,
      userPoolConfig: {
        userPool: currentAuthorizer,
      },
    },

I expect the region to be picked up based on the returned authorizer. As it most likely will include its own region (or picked up from the id as it is also included...)


This is 🐛 Bug Report

Thanks!

@psoares-resilient psoares-resilient added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 19, 2021
@github-actions github-actions bot added the @aws-cdk/aws-appsync Related to AWS AppSync label Mar 19, 2021
@psoares-resilient
Author

Found a workaround (not sure if it is intended to be used this way... ).

The code will set the region based on the userPool.stack.region, by passing a new Stack and setting the region I want as props, it will pick up the right region. It does look a bit hacky, but it works:

    const currentAuthorizer = cognito.UserPool.fromUserPoolArn(
      new Stack(this, 'ImportCognitoFromAnotherRegion', {
        env: {
          region: 'eu-west-2',
        },
      }),
      'TheCognitoFromAnotherRegion',
      userPoolArn
    );

@MrArnoldPalmer
Contributor

Nice finds on this and the workaround. Definitely will have to look into how this can be solved on the CDK side. We likely can parse out the region from the user pool arn within the GraphqlApi construct and make sure it's passed correctly. It likely is just assuming same region right now.

@MrArnoldPalmer MrArnoldPalmer added effort/small Small work item – less than a day of effort p2 and removed needs-triage This issue or PR still needs to be triaged. labels Mar 19, 2021
@MrArnoldPalmer MrArnoldPalmer removed their assignment Mar 19, 2021
@DaWyz
Contributor

DaWyz commented Mar 21, 2021

The issue is related to the way the Cognito UserPools are imported. You won't be able to parse the value from the arn as it's recreated on import. Created a PR to fix the issue.

@mergify mergify bot closed this as completed in #13715 Mar 27, 2021
mergify bot pushed a commit that referenced this issue Mar 27, 2021
…13715)

Importing a `UserPool` using `fromUserPoolArn()` method would not retain the account/region from the ARN and would instead use the environment from the scope it is imported to.

Closes #13691

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

hollanddd pushed a commit to hollanddd/aws-cdk that referenced this issue Mar 31, 2021
hollanddd pushed a commit to hollanddd/aws-cdk that referenced this issue Aug 26, 2021
@ryanvaloris

I know this issue is closed, but wanted to leave this here for anyone else still having this issue as this issue is still present after the UserPool fix above.

I have opened #20195, which will address this root issue which is in AppSync, not UserPools. It is also present in a few other modules outside of AppSync.

In the short term, a property override can be used to fix this.

    const api = new GraphqlApi(this.stack, `api`, {
      authorizationConfig: {
        defaultAuthorization: {
          authorizationType: AuthorizationType.USER_POOL,
          userPoolConfig: {
            userPool: UserPool.fromUserPoolArn(this.stack, 'CognitoUserPool', `arn:aws:cognito-idp:us-east-1:${this.awsAccountId}:userpool/${userPoolId}`),
            defaultAction: UserPoolDefaultAction.ALLOW
          }
        }
      },
      ...
    });
    const resource = api.node.defaultChild as CfnResource;
    resource.addPropertyOverride('UserPoolConfig.AwsRegion', 'us-east-1'); // or whatever region the userpool is in
    return api;
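As an added example (not code from this issue thread or from the aws-cdk project), the TypeScript below parses a Cognito User Pool ARN and performs the check a CDK unit test would make on the synthesized template: that the `AWS::AppSync::GraphQLApi` resource's `UserPoolConfig.AwsRegion` matches the pool's own region rather than the deploying stack's, which is the mismatch in the original report. It then produces the corrected resource that the `addPropertyOverride('UserPoolConfig.AwsRegion', ...)` workaround above yields. The ARN, its placeholder account id and the resource literal are constructed sample values mirroring the "what actually happened" template; the function and interface names are assumptions of this example.

```typescript
// Added example, not code from the issue or from aws-cdk: detect and correct
// an AppSync UserPoolConfig whose AwsRegion does not match the user pool ARN.

interface UserPoolRef {
  partition: string;
  region: string;
  account: string;
  poolId: string;
}

// Parse "arn:<partition>:cognito-idp:<region>:<account>:userpool/<poolId>".
function parseUserPoolArn(arn: string): UserPoolRef {
  const parts = arn.split(':');
  if (parts.length !== 6 || parts[0] !== 'arn' || parts[2] !== 'cognito-idp') {
    throw new Error(`not a Cognito user pool ARN: ${arn}`);
  }
  const partition = parts[1];
  const region = parts[3];
  const account = parts[4];
  const resource = parts[5];
  const prefix = 'userpool/';
  if (!resource.startsWith(prefix)) {
    throw new Error(`unexpected resource segment in ${arn}`);
  }
  const poolId = resource.slice(prefix.length);
  // Pool ids are "<region>_<suffix>", so the id carries the region too;
  // a disagreement with the ARN's region field means the ARN is malformed.
  if (poolId.split('_')[0] !== region) {
    throw new Error(`pool id ${poolId} does not belong to region ${region}`);
  }
  return { partition, region, account, poolId };
}

interface UserPoolConfig {
  AwsRegion: string;
  DefaultAction: string;
  UserPoolId: string;
}

// The subset of the CloudFormation resource shown in the report.
interface GraphQLApiResource {
  Type: string;
  Properties: {
    AuthenticationType: string;
    Name?: string;
    UserPoolConfig?: UserPoolConfig;
  };
}

interface RegionCheck {
  ok: boolean;
  expected: string;
  actual?: string;
  message: string;
}

// The assertion to run on the synthesized template: does the AppSync
// resource point at the pool's own region?
function checkUserPoolRegion(resource: GraphQLApiResource, userPoolArn: string): RegionCheck {
  const ref = parseUserPoolArn(userPoolArn);
  const cfg = resource.Properties.UserPoolConfig;
  if (resource.Type !== 'AWS::AppSync::GraphQLApi' || cfg === undefined) {
    return { ok: false, expected: ref.region, message: 'resource has no UserPoolConfig' };
  }
  if (cfg.UserPoolId !== ref.poolId) {
    return { ok: false, expected: ref.region, actual: cfg.AwsRegion,
             message: `UserPoolId ${cfg.UserPoolId} is not ${ref.poolId}` };
  }
  if (cfg.AwsRegion !== ref.region) {
    return { ok: false, expected: ref.region, actual: cfg.AwsRegion,
             message: `AwsRegion ${cfg.AwsRegion} should be ${ref.region}` };
  }
  return { ok: true, expected: ref.region, actual: cfg.AwsRegion, message: 'ok' };
}

// Copy of the resource with AwsRegion taken from the ARN: the same end result
// as the addPropertyOverride('UserPoolConfig.AwsRegion', ...) workaround.
function withPoolRegionOverride(resource: GraphQLApiResource, userPoolArn: string): GraphQLApiResource {
  const ref = parseUserPoolArn(userPoolArn);
  const cfg = resource.Properties.UserPoolConfig;
  if (cfg === undefined) {
    throw new Error('resource has no UserPoolConfig to override');
  }
  return {
    ...resource,
    Properties: { ...resource.Properties, UserPoolConfig: { ...cfg, AwsRegion: ref.region } },
  };
}

// Constructed sample input: the "what actually happened" template from the
// report, with a placeholder account id in the ARN.
const SAMPLE_ARN = 'arn:aws:cognito-idp:eu-west-2:111111111111:userpool/eu-west-2_USERPOOLID';
const SAMPLE_RESOURCE: GraphQLApiResource = {
  Type: 'AWS::AppSync::GraphQLApi',
  Properties: {
    AuthenticationType: 'AMAZON_COGNITO_USER_POOLS',
    Name: 'feature-control',
    UserPoolConfig: {
      AwsRegion: 'eu-central-1', // the deploying stack's region, not the pool's
      DefaultAction: 'ALLOW',
      UserPoolId: 'eu-west-2_USERPOOLID',
    },
  },
};

console.log(checkUserPoolRegion(SAMPLE_RESOURCE, SAMPLE_ARN).message);
console.log(checkUserPoolRegion(withPoolRegionOverride(SAMPLE_RESOURCE, SAMPLE_ARN), SAMPLE_ARN).message);
```

`checkUserPoolRegion` is the piece worth keeping in a CDK test suite: run it against `Template.fromStack(...)` output for every API that imports a pool from another region, so a regression of this bug fails the build instead of surfacing as an authorization failure at runtime.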
