Cognito UserPool + UserPoolClient does not refresh cleanly

[t0yv0]

What happened?

Follow up from the fix to #2868 it appears that the test case examples/regress-2868 cannot pass the ProgramTest refresh checks cleanly, that is refreshing the resources creates a non-empty diff, possibly indicating further issues in the bridge.

Example

See examples/regress-2868, remove SkipRefresh.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

export const AppUsersPool = new aws.cognito.UserPool("test-user-pool", {
    accountRecoverySetting: {
        recoveryMechanisms: [{
            name: "verified_email",
            priority: 1,
        }],
    },
    autoVerifiedAttributes: ["email"],
    mfaConfiguration: "OPTIONAL",
    name: "test-user-pool",
    passwordPolicy: {
        minimumLength: 8,
        requireLowercase: true,
        requireNumbers: true,
        requireSymbols: true,
        requireUppercase: true,
        temporaryPasswordValidityDays: 300,
    },
    schemas: [{
        attributeDataType: "String",
        mutable: true,
        name: "name",
        required: true,
        stringAttributeConstraints: {
            maxLength: "2048",
            minLength: "0",
        },
    }],
    softwareTokenMfaConfiguration: {
        enabled: true,
    },
    usernameAttributes: ["email"],
    usernameConfiguration: {
        caseSensitive: false,
    },
});

export const testuserpoolclient = new aws.cognito.UserPoolClient("test-userpool-client", {
    analyticsConfiguration: undefined,
    accessTokenValidity: 60,
    enableTokenRevocation: true,
    explicitAuthFlows: [
        "ALLOW_USER_SRP_AUTH",
        "ALLOW_USER_PASSWORD_AUTH",
        "ALLOW_REFRESH_TOKEN_AUTH",
    ],
    idTokenValidity: 60,
    name: "test-userpool-client",
    preventUserExistenceErrors: "ENABLED",
    readAttributes: [
        "given_name",
        "email_verified",
        "zoneinfo",
        "website",
        "preferred_username",
        "name",
        "locale",
        "phone_number",
        "family_name",
        "birthdate",
        "middle_name",
        "phone_number_verified",
        "profile",
        "picture",
        "address",
        "gender",
        "updated_at",
        "nickname",
        "email",
    ],
    tokenValidityUnits: {
        accessToken: "minutes",
        idToken: "minutes",
    },
    userPoolId: AppUsersPool.id,
    writeAttributes: [
        "given_name",
        "zoneinfo",
        "website",
        "preferred_username",
        "name",
        "locale",
        "phone_number",
        "family_name",
        "birthdate",
        "middle_name",
        "profile",
        "picture",
        "address",
        "gender",
        "updated_at",
        "nickname",
        "email",
    ],
});

pulumi up
pulumi refresh

Now:

No resources will be modified as part of this refresh; just your stack's state will be.
 details
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:repro-this::regress-2868::pulumi:pulumi:Stack::regress-2868-repro-this]
    ~ aws:cognito/userPoolClient:UserPoolClient: (update)
        [id=2100qvra00ocv2rcvpdap4fq4m]
        [urn=urn:pulumi:repro-this::regress-2868::aws:cognito/userPoolClient:UserPoolClient::test-userpool-client]
        [provider=urn:pulumi:repro-this::regress-2868::pulumi:providers:aws::default_6_32_0::40ca8a13-b7d3-4cef-839d-1eb3e47bc114]
        --outputs:--
      ~ explicitAuthFlows                       : [
          ~ [0]: "ALLOW_USER_PASSWORD_AUTH" => "ALLOW_REFRESH_TOKEN_AUTH"
          ~ [1]: "ALLOW_USER_SRP_AUTH" => "ALLOW_USER_PASSWORD_AUTH"
          ~ [2]: "ALLOW_REFRESH_TOKEN_AUTH" => "ALLOW_USER_SRP_AUTH"
        ]
      ~ readAttributes                          : [
          ~ [0]: "zoneinfo" => "address"
          ~ [1]: "website" => "birthdate"
          ~ [2]: "email_verified" => "email"
          ~ [3]: "birthdate" => "email_verified"
          ~ [4]: "address" => "family_name"
            [5]: "gender"
          ~ [6]: "profile" => "given_name"
          ~ [7]: "phone_number_verified" => "locale"
          ~ [8]: "preferred_username" => "middle_name"
          ~ [9]: "given_name" => "name"
          ~ [10]: "locale" => "nickname"
          ~ [11]: "middle_name" => "phone_number"
          ~ [12]: "picture" => "phone_number_verified"
          ~ [13]: "updated_at" => "picture"
          ~ [14]: "name" => "preferred_username"
          ~ [15]: "nickname" => "profile"
          ~ [16]: "phone_number" => "updated_at"
          ~ [17]: "family_name" => "website"
          ~ [18]: "email" => "zoneinfo"
        ]
      ~ writeAttributes                         : [
          ~ [0]: "zoneinfo" => "address"
          ~ [1]: "website" => "birthdate"
          ~ [2]: "birthdate" => "email"
          ~ [3]: "address" => "family_name"
            [4]: "gender"
          ~ [5]: "profile" => "given_name"
          ~ [6]: "preferred_username" => "locale"
          ~ [7]: "given_name" => "middle_name"
          ~ [8]: "locale" => "name"
          ~ [9]: "middle_name" => "nickname"
          ~ [10]: "picture" => "phone_number"
          ~ [11]: "updated_at" => "picture"
          ~ [12]: "name" => "preferred_username"
          ~ [13]: "nickname" => "profile"
          ~ [14]: "phone_number" => "updated_at"
          ~ [15]: "family_name" => "website"
          ~ [16]: "email" => "zoneinfo"
        ]
    ~ aws:cognito/userPool:UserPool: (update)
        [id=us-east-1_h9JQKdiu1]
        [urn=urn:pulumi:repro-this::regress-2868::aws:cognito/userPool:UserPool::test-user-pool]
        [provider=urn:pulumi:repro-this::regress-2868::pulumi:providers:aws::default_6_32_0::40ca8a13-b7d3-4cef-839d-1eb3e47bc114]
        --outputs:--
      + aliasAttributes              : []

Output of pulumi about

N/A

Additional context

N/A

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[t0yv0]

CLI          
Version      3.111.1
Go Version   go1.22.1
Go Compiler  gc

Plugins
NAME    VERSION
aws     6.32.0
nodejs  unknown

Host     
OS       darwin
Version  14.4.1
Arch     x86_64

This project is written in nodejs: executable='/Users/t0yv0/bin/node' version='v18.18.2'

Current Stack: anton-pulumi-corp/regress-2868/repro-this

TYPE                                       URN
pulumi:pulumi:Stack                        urn:pulumi:repro-this::regress-2868::pulumi:pulumi:Stack::regress-2868-repro-this
pulumi:providers:aws                       urn:pulumi:repro-this::regress-2868::pulumi:providers:aws::default_6_32_0
aws:cognito/userPool:UserPool              urn:pulumi:repro-this::regress-2868::aws:cognito/userPool:UserPool::test-user-pool
aws:cognito/userPoolClient:UserPoolClient  urn:pulumi:repro-this::regress-2868::aws:cognito/userPoolClient:UserPoolClient::test-userpool-client


Found no pending operations associated with repro-this

Backend        
Name           pulumi.com
URL            https://app.pulumi.com/anton-pulumi-corp
User           anton-pulumi-corp
Organizations  anton-pulumi-corp, moolumi, pulumi
Token type     personal

Dependencies:
NAME            VERSION
@types/aws-sdk  2.7.0
@types/node     8.10.66
@pulumi/aws     6.32.0
@pulumi/pulumi  3.113.3

Pulumi locates its logs in /var/folders/gk/cchgxh512m72f_dmkcc3d09h0000gp/T/com.apple.shortcuts.mac-helper// by default