AWS Cognito User Pool - Verification Message Template configuration conflicts. #716

pedrofernandes-plank opened this issue May 26, 2023 · 2 comments · Fixed by #790
Labels: bug, is:triaged

@pedrofernandes-plank

What happened?

When configuring an AWS Cognito UserPool with a Verification Message Template set (spec.forProvider.verificationMessageTemplate[0].emailMessage), it conflicts with emailVerificationMessage even if it's not set.
It seems to automatically set the emailVerificationMessage with the same string.

This behavior is apparently expected in the Terraform provider (https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/service/cognitoidp/user_pool_test.go#L1405-L1407) but not in the Crossplane provider.

The UserPool was created correctly in AWS, with the expected email template, but the claim never gets the Ready status as true, and keeps logging the conflict error:

Status:
  At Provider:
  Conditions:
    Last Transition Time:  2023-05-26T18:41:08Z
    Reason:                Creating
    Status:                False
    Type:                  Ready
    Last Transition Time:  2023-05-26T18:59:54Z
    Message:               observe failed: cannot run refresh: refresh failed: Conflicting configuration arguments: "verification_message_template.0.email_message": conflicts with email_verification_message
Conflicting configuration arguments: "verification_message_template.0.email_subject": conflicts with email_verification_subject
Conflicting configuration arguments: "verification_message_template.0.sms_message": conflicts with sms_verification_message
Conflicting configuration arguments: "sms_verification_message": conflicts with verification_message_template.0.sms_message
Conflicting configuration arguments: "email_verification_message": conflicts with verification_message_template.0.email_message
Conflicting configuration arguments: "email_verification_subject": conflicts with verification_message_template.0.email_subject
    Reason:                ReconcileError
    Status:                False
    Type:                  Synced
    Last Transition Time:  2023-05-26T18:42:51Z
    Reason:                Finished
    Status:                True
    Type:                  AsyncOperation
    Last Transition Time:  2023-05-26T18:42:51Z
    Reason:                Success
    Status:                True
    Type:                  LastAsyncOperation

If I change the composition and set only the emailVerificationMessage instead of the verificationMessageTemplate[0].emailMessage the problem still happens.

How can we reproduce it?

I'm using version 0.29.0 of the provider (upbound/provider-aws:v0.29.0), but the problem also happens with 0.35.0.

This is the composition:

apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cognito.aws.toff.tech
  labels:
    provider: aws
spec:
  compositeTypeRef:
    apiVersion: aws.toff.tech/v1alpha1
    kind: XCognito
  resources:
    - name: EmailIdentity
      base:
        apiVersion: ses.aws.upbound.io/v1beta1
        kind: EmailIdentity
        spec:
          forProvider:
            email: test-mail@toffa.tecg
            region: us-west-2
      patches:
        - fromFieldPath: spec.parameters.emailFrom
          toFieldPath: spec.forProvider.email
        - type: ToCompositeFieldPath
          fromFieldPath: status.atProvider.arn
          toFieldPath: status.emailIdentityArn

    - name: UserPool
      base:
        apiVersion: cognitoidp.aws.upbound.io/v1beta1
        kind: UserPool
        spec:
          deletionPolicy: Orphan
          forProvider:
            name: ""
            accountRecoverySetting:
              - recoveryMechanism:
                  - name: verified_email
                    priority: 1
            adminCreateUserConfig:
              - allowAdminCreateUserOnly: true
                inviteMessageTemplate:
                  - emailMessage: "Something has gone wrong, please request a new invite and contact support@toff.tech if this persists. Please provide support the following information to assist you: \n UserType: \n UserId: {username}\nCode: {####}"
                    emailSubject: "Invitation"
                    smsMessage: "Password Invitation\n{####} {username}"
            aliasAttributes:
              - email
              - phone_number
            autoVerifiedAttributes:
              - email
            emailConfiguration:
              - replyToEmailAddress: test-mail@toff.tecg
                emailSendingAccount: "DEVELOPER"
                fromEmailAddress: test-mail@toff.tecg
            mfaConfiguration: OPTIONAL
            softwareTokenMfaConfiguration:
              - enabled: true
            passwordPolicy:
              - minimumLength: 10
                requireLowercase: false
                requireNumbers: true
                requireUppercase: false
                requireSymbols: true
                temporaryPasswordValidityDays: 7
            region: us-west-2
            verificationMessageTemplate:
              - emailMessage: "Something has gone wrong, please request a new invite and contact support@toff.tech if this persists. Please provide support the following information to assist you: \n UserType: {UserType} \n UserId: {username}\nCode: {####}"
                emailSubject: "Password Reset"
                smsMessage: "Password Reset\n{####}"
      patches:
        - fromFieldPath: spec.id
          toFieldPath: spec.forProvider.name
        - type: ToCompositeFieldPath
          fromFieldPath: status.atProvider.arn
          toFieldPath: status.userPoolArn
        - type: CombineFromComposite
          combine:
            variables:
              - fromFieldPath: spec.parameters.emailReplyTo
              - fromFieldPath: spec.parameters.userType
            strategy: string
            string:
              fmt: "Something has gone wrong, please request a new invite and contact %s if this persists. Please provide support the following information to assist you:\nUserType: %s\nUserId: {username}\nCode: {####}"
          toFieldPath: spec.forProvider.verificationMessageTemplate[0].emailMessage
        - type: CombineFromComposite
          combine:
            variables:
              - fromFieldPath: spec.parameters.emailReplyTo
              - fromFieldPath: spec.parameters.userType
            strategy: string
            string:
              fmt: "Something has gone wrong, please request a new invite and contact %s if this persists. Please provide support the following information to assist you:\nUserType: %s\nUserId: {username}\nCode: {####}"
          toFieldPath: spec.forProvider.adminCreateUserConfig[0].inviteMessageTemplate[0].emailMessage
        - fromFieldPath: status.emailIdentityArn
          toFieldPath: spec.forProvider.emailConfiguration[0].sourceArn
        - fromFieldPath: spec.parameters.emailReplyTo
          toFieldPath: spec.forProvider.emailConfiguration[0].replyToEmailAddress
        - fromFieldPath: spec.parameters.emailFrom
          toFieldPath: spec.forProvider.emailConfiguration[0].fromEmailAddress
        - fromFieldPath: spec.parameters.strongPassword
          transforms:
            - type: map
              map:
                "false": "6"
                "true": "10"
            - type: convert
              convert:
                toType: int
          toFieldPath: spec.forProvider.passwordPolicy[0].minimumLength
        - fromFieldPath: spec.parameters.strongPassword
          transforms:
            - type: convert
              convert:
                toType: bool
          toFieldPath: spec.forProvider.passwordPolicy[0].requireNumbers
        - fromFieldPath: spec.parameters.strongPassword
          transforms:
            - type: convert
              convert:
                toType: bool
          toFieldPath: spec.forProvider.passwordPolicy[0].requireSymbols
        - fromFieldPath: spec.parameters.tags
          toFieldPath: spec.forProvider.tags
          policy:
            mergeOptions:
              keepMapValues: true
          type: FromCompositeFieldPath

This is the claim:

---
apiVersion: aws.toff.tech/v1alpha1
kind: Cognito
metadata:
  name: testing-conginito-user-pool-domain-metadata-name
spec:
  id: testing-conginito-user-pool-domain-id
  parameters:
    emailFrom: test-mail@toff.tech
    emailReplyTo: test-mail@toff.tech
    strongPassword: "true"
    userPoolId: testing_cognito_user_pool_id
    userPoolDomain: testing-conginito-user-pool-domain
    userType: test

What environment did it happen in?

  • Crossplane Version: 1.21.0
  • Provider Version: 0.29.0 / 0.35.0
  • Kubernetes Version:
    Client Version: v1.25.9
    Kustomize Version: v4.5.7
    Server Version: v1.25.9
  • Kubernetes Distribution: Docker desktop

pedrofernandes-plank added the bug and needs:triage labels on May 26, 2023

@svscheg
Contributor

svscheg commented May 29, 2023

Late init issue
The issue is still reproduced in the latest master

svscheg added the is:triaged label and removed the needs:triage label on May 29, 2023
svscheg self-assigned this on Jul 13, 2023

@svscheg
Contributor

svscheg commented Jul 17, 2023

Related upjet issue: crossplane/upjet#197
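
The late-initialization behaviour named in the comments above, modeled as an added example that is not part of the original thread and is not code from provider-aws or upjet: fields left unset in the spec are filled from the observed state, which places the legacy fields next to their verificationMessageTemplate counterparts. The flattened field map, the `ignored` parameter and the sample values are assumptions made for this sketch.

```go
package main

import "fmt"

// Legacy field and the template field it conflicts with (pairs from the error above).
var conflicts = [][2]string{
	{"emailVerificationMessage", "verificationMessageTemplate[0].emailMessage"},
	{"emailVerificationSubject", "verificationMessageTemplate[0].emailSubject"},
	{"smsVerificationMessage", "verificationMessageTemplate[0].smsMessage"},
}

// lateInit fills unset spec fields from observed state, except those in ignored (hypothetical).
func lateInit(spec, observed map[string]string, ignored map[string]bool) map[string]string {
	out := map[string]string{}
	for k, v := range observed {
		if !ignored[k] {
			out[k] = v
		}
	}
	for k, v := range spec { // values the user set always win
		out[k] = v
	}
	return out
}

// conflicting lists legacy fields that are set together with their template counterpart.
func conflicting(spec map[string]string) []string {
	bad := []string{}
	for _, p := range conflicts {
		_, legacy := spec[p[0]]
		_, tmpl := spec[p[1]]
		if legacy && tmpl {
			bad = append(bad, p[0])
		}
	}
	return bad
}

func main() {
	// Constructed sample: the user sets only the template; the provider reports both names.
	spec, observed, ignored := map[string]string{}, map[string]string{}, map[string]bool{}
	for _, p := range conflicts {
		spec[p[1]] = "Code: {####}"
		observed[p[0]], observed[p[1]] = spec[p[1]], spec[p[1]]
		ignored[p[0]] = true
	}
	fmt.Println("naive late-init:", conflicting(lateInit(spec, observed, nil)))
	fmt.Println("legacy ignored: ", conflicting(lateInit(spec, observed, ignored)))
}
```

With the naive copy all three legacy fields end up set beside the template, matching the six "Conflicting configuration arguments" lines in the status; with the legacy fields excluded from the copy the merged spec has no conflicting pair.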
