Add Cognito User Pool Triggers #3657
Conversation
This includes unit tests and documentation. A simple integration test has been added.
Now includes test cases for single/multiple user pools with single/multiple event definitions on single/multiple functions.
|
Any word on the priority of this? I'm looking to have lambda's using cognito triggers in my project and would very much like to be able to configure that directly in serverless rather than having to go to the console for it. |
@HeroesDieYoung sure! We've added it to the Once merged you might want to work with |
|
Fantastic, thanks for the prompt reply! I'll keep an eye on this PR then. |
|
The milestone says |
There was a problem hiding this comment.
This is super nice! Well done @hassankhan 👍 🥇
Nice code and big +1 for adding integration tests. 💯
I just read through the code and added some comments (most of the time some minor things).
Really excited about this feature!
I ran the integration tests. Unfortunately they failed with the message: Cannot read property 'Id' of undefined
Could you provide a simple serverless.yml file (or quick step by step guide) so that we can test it manually?
Thanks in advance!
| @@ -0,0 +1,139 @@ | |||
| <!-- | |||
| title: Serverless Framework - AWS Lambda Events - CloudWatch Log | |||
There was a problem hiding this comment.
This title needs to be updates (still refers to CloudWatch log
| --> | ||
|
|
||
| <!-- DOCS-SITE-LINK:START automatically generated --> | ||
| ### [Read this on the main serverless docs site](https://www.serverless.com/framework/docs/providers/aws/events/) |
There was a problem hiding this comment.
This link should point to the event readme (cognito-user-pool-trigger) in that case.
There was a problem hiding this comment.
Ahh I thought it auto-generated that so I left it alone 😄
There was a problem hiding this comment.
😄 Yes, for some reason it's not auto-generated. Don't know why though 😄
| - cognitoUserPool: | ||
| pool: MyUserPoolFromResources | ||
| trigger: PostConfirmation | ||
| resources: |
There was a problem hiding this comment.
A newline between the end of the functions definition and the resources section would make this easier to digest.
| ``` | ||
|
|
||
| [aws-triggers-list]: http://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html#cognito-user-pools-lambda-trigger-syntax-shared | ||
| [logical-resource-names]: https://serverless.com/framework/docs/providers/aws/guide/resources#aws-cloudformation-resource-reference |
There was a problem hiding this comment.
This link should be relative so that we can change the URL / structure later on.
lib/plugins/aws/lib/naming.test.js
Outdated
| 'functionName', | ||
| 'poolId', | ||
| 'TriggerSource' | ||
| )).to.equal('FunctionNameLambdaPermissionCognitoUserPoolTriggerSourcePoolIdTriggerSource'); |
There was a problem hiding this comment.
Quick question: Do you know if there's a limit for the resource logical Id length in CloudFormation?
There was a problem hiding this comment.
Can't seem to find any information regarding length limits, the only thing I can find is this.
| }; | ||
|
|
||
| // Check if pool name has been declared in `Resources` | ||
| if (_.has( |
There was a problem hiding this comment.
Should we maybe check for the Type as well? Might be pretty unlikely but I'm thinking about the case when one has defined another Resource (e.g. an S3 bucket) with the name of a pool.
There was a problem hiding this comment.
Good idea 👍 A little extra validation won't hurt
As requested in PR review
There were several resource names that were incorrectly specified that were causing the tests to fail. `Utils.getCognitoUserPoolId` was only returning a single item, which was also causing failures.
If multiple pools were specified that had the same trigger i.e. `PreSignUp` then the last function would incorrectly be attached to each pool. Also added a test case.
|
Hi @pmuens, I think I've covered everything you requested. The integration tests were indeed failing, my fault for making assumptions. I thought Travis would have failed the build 😕 . Also fixed a bug found during the Please let me know if it's all up to scratch 👍 |
As per PR review
|
I've just found what could be an annoying error - occasionally the Cognito User Pool gets created before the Lambdas do. This causes a problem because the User Pool CF template has a I think the best way to deal with it might be to add something like: |
There was a problem hiding this comment.
Thanks for updating @hassankhan 👍
I just ran the integration tests again. 7 passed and 2 failed. Here are the error messages:
● AWS - Cognito User Pool Trigger: Single User Pool with single event with single function › should call the specified function when PreSignUp event is triggered
TypeError: Cannot read property 'Id' of undefined
and
● AWS - Cognito User Pool Trigger: Single User Pool with multiple events with multiple functions › should call the specified function when CustomMessage event is triggered
Command failed: /app/bin/serverless logs --function customMessage1 --noGreeting true
Adding a DependsOn to the corresponding resource (e.g. Lambda) sounds reasonable.
We do this with other events as well 👍
|
@hassankhan @pmuens Regarding the dependency declaration I think this is a good solution to ensure that everything works on deployment. |
|
@hassankhan just wanted to do a quick follow-up on this PR. Do you need any help here? Can we do smth. so that it's ready to be merged in v1.15? |
|
@pmuens Sorry I haven't had time to update it. Weirdly the integration tests seemed to run fine on my machine (I ran them with this: I'm not sure how much time I'll have this week as I have work commitments, I'll try my best 👍 |
|
Thanks for the update @hassankhan 👍 I'll debug this integration test issue again this week and will also look into the
No worries! Don't want to hurry you. Just wanted to make sure that we can get this into the next release since it's a super valuable feature. |
| @@ -103,12 +103,16 @@ class AwsCompileCognitoUserPoolEvents { | |||
|
|
|||
| const userPoolLogicalId = this.provider.naming.getCognitoUserPoolLogicalId(poolName); | |||
|
|
|||
| const DependsOn = _.map(currentPoolTriggerFunctions, (value) => this | |||
| .provider.naming.getLambdaLogicalId(value.functionName)); | |||
|
|
|||
| const userPoolTemplate = { | |||
| Type: 'AWS::Cognito::UserPool', | |||
There was a problem hiding this comment.
I'm not sure if it is wise to create the user pool for the user (if he did not declare it in the resources) at all. There are lots of other User Pool settings that have to be made available in that case (e.g. password complexity, MFA, any many more). The standard settings are not usable in a production environment.
This comment is generic, not scoped to this PR.
There was a problem hiding this comment.
Thanks for the feedback @HyperBrain 👍
I'm not too familiar with Cognito User Pools. Should we keep it here or remove it? I'm always in favor of having a default (even if it's super rudimentary).
Since this is not possible because resources are merged after all the events are compiled.
To reflect the event name.
There was a problem hiding this comment.
Just did a final code review and tested it thoroughly.
Works like a charm! Thanks @hassankhan 👍 💯
Merging this now 
|
@hassankhan @pmuens I have already updated sls to 1.5.1, and I can't seem to successfully test cognitoUserPool event. When deploying, I don't get any errors. And going in cognito console, I don't see the trigger link setup with the lambda. Also, it might help to clarify what |
|
@keshavkaul thanks for the comment 👍 . This feature was added to Serverless Could you open up a new issue which shows your Thanks in advance! |
|
@pmuens Sorry I have |
|
Is there some example code to go with this? |
|
I am struggling trying to get this to work correctly. I've got a UserPool defined in my resources, and have the lambda trigger defined under functions. But when I view the user pool in the console, it has no triggers assigned to the user pool. Both are created separately, but unlinked. Here's a sample project I'm testing this with (latest version of serverless 1.25.0): |
|
You might be experiencing the same issue I had.
Can you also share your resources section where you define the CognitoUserPool as this w help resolve the issue
…Sent from my Commodore 64
On 14 Jan 2018, at 3:23 pm, dbligh ***@***.***> wrote:
I am struggling trying to get this to work correctly.
I've got a UserPool defined in my resources, and have the lambda trigger defined under functions. But when I view the user pool in the console, it has no triggers assigned to the user pool. Both are created separately, but unlinked.
Here's a sample project I'm testing this with (latest version of serverless 1.25.0):
`service: testService
provider:
name: aws
runtime: nodejs6.10
functions:
hello:
handler: handler.hello
events:
- cognitoUserPool:
pool: SampleUserPool
trigger: CustomMessage
resources:
Resources:
CognitoUserPoolSampleUserPool:
Type: AWS::Cognito::UserPool
`
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
I think I finally resolved this, 2 days of hair pulling :) The 'hello' function gets turned into 'HelloLambdaFunction' (case sensitive) in the Cfn script, so that's how you need to reference it. I can now see both the UserPool and the Trigger properly configured. Hope this helps anyone else that has been struggling on this. |
|
@dbligh your solution certainly works, but that was possible before this PR! I am also unable to get the new event trigger working. My serverless.yml looks like this: I'm then checking the Triggers section in the Cognito AWS console, but it remains empty. Does anyone have any ideas as to why this is not working? |
|
Man I really messed up when writing the docs 😞 functions:
customCognitoMessages:
handler: src/CustomCognitoMessages.handler
events:
- cognitoUserPool:
pool: [my-user-pool-id]
trigger: CustomMessage
resources:
Resources:
CognitoIdentityPool[my-identity-pool-id]:
Type: AWS::Cognito::IdentityPool
Properties:
AllowUnauthenticatedIdentities: false |
|
Hassan, That is much more clear.
The implicitly (magical) prefix is hard to remember / see in the doco.
Thank you for taking the time for this update
…Sent from my Commodore 64
On 19 Jan 2018, at 3:05 am, Hassan Khan ***@***.***> wrote:
Man I really messed up when writing the docs ... everyone's very confused 😞
@robfapadmi:
functions:
customCognitoMessages:
handler: src/CustomCognitoMessages.handler
events:
- cognitoUserPool:
pool: [my-user-pool-id]
trigger: CustomMessage
resources:
Resources:
CognitoIdentityPool[my-identity-pool-id]:
Type: AWS::Cognito::IdentityPool
Properties:
AllowUnauthenticatedIdentities: false
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
If anyone would be so kind as to make a PR that explains this perhaps in a clearer way? @jamesladd My pleasure |
|
It turns out that the cause of most of my headaches was because of a plugin I was using to split stacks (serverless-nested-stack). Was causing a bunch of dependency issues for me that I couldn't work around. My resolution was to isolate all my cognito components into a separate project, and create stack outputs, and refer to them in my main project. The other benefit to this being that it keeps my resource count down in my main project. |
|
@hassankhan Unfortunately your example config doesn't work for me, it won't set the |
|
Same here. Following this document the lambda function and cognito pool are created but not linked (the combo to this trigger is empty). service: "CognitoTest"
provider:
name: aws
runtime: nodejs6.10
functions:
CognitoTriggerPostConfirmation:
handler: Cognito/Triggers.PostConfirmation
events:
- cognitoUserPool:
pool: TestUserPool
trigger: PostConfirmation
resources:
Resources:
CognitoUserPoolTestUserPool:
Type: AWS::Cognito::UserPoolserverless 1.32.0 |
|
I managed to get this working, w post my yml shortly
…Sent from my Commodore 64
On 16 Oct 2018, at 4:16 am, Jáder Carvalho de Medeiros ***@***.***> wrote:
Same here. Following this document the lambda function and cognito pool are created but not linked (the combo to this trigger is empty).
service: "CognitoTest"
provider:
name: aws
runtime: nodejs6.10
functions:
CognitoTriggerPostConfirmation:
handler: Cognito/Triggers.PostConfirmation
events:
- cognitoUserPool:
pool: TestUserPool
trigger: PostConfirmation
resources:
Resources:
CognitoUserPoolTestUserPool:
Type: AWS::Cognito::UserPool
serverless 1.32.0
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
Here you go. I hope this helps
Note the naming of the User Pool: CognitoUserPoolCognitoUserPool
resources:
Resources:
CognitoUserPoolCognitoUserPool:
Type: AWS::Cognito::UserPool
Properties:
UserPoolName: ${self:provider.environment.USER_POOL_NAME}
MfaConfiguration: "OFF"
AutoVerifiedAttributes:
- email
AliasAttributes:
- email
EmailVerificationMessage: "Your Account confirmation code is {####}"
EmailVerificationSubject: "Your Account confirmation code"
EmailConfiguration:
ReplyToEmailAddress: "xxx@yyy.com"
SourceArn: "arn:aws:ses:us-east-1:000:identity/xxx@yyy.com"
Policies:
PasswordPolicy:
MinimumLength: 8
RequireLowercase: true
RequireNumbers: true
RequireSymbols: false
RequireUppercase: true
Schema:
- Name: nickname
AttributeDataType: String
Mutable: true
Required: true
- Name: name
AttributeDataType: String
Mutable: true
Required: true
- Name: email
AttributeDataType: String
Mutable: true
Required: true
- Name: phone_number
AttributeDataType: String
Mutable: true
Required: true
- Name: accountNumber
AttributeDataType: String
Mutable: true
CognitoUserPoolClient:
Type: AWS::Cognito::UserPoolClient
Properties:
ClientName: ${self:provider.environment.USER_POOL_CLIENT_NAME}
GenerateSecret: false
UserPoolId:
Ref: CognitoUserPoolCognitoUserPool
CognitoIdentityPool:
Type: AWS::Cognito::IdentityPool
Properties:
IdentityPoolName: ${self:provider.environment.IDENTITY_POOL_NAME}
AllowUnauthenticatedIdentities: true
CognitoIdentityProviders:
- ClientId:
Ref: CognitoUserPoolClient
ProviderName:
Fn::GetAtt: [CognitoUserPoolCognitoUserPool, ProviderName]
CognitoIdentityPoolRoles:
Type: AWS::Cognito::IdentityPoolRoleAttachment
Properties:
IdentityPoolId:
Ref: CognitoIdentityPool
Roles:
authenticated:
Fn::GetAtt: [CognitoAuthRole, Arn]
unauthenticated:
Fn::GetAtt: [CognitoUnauthRole, Arn]
CognitoAuthRole:
Type: AWS::IAM::Role
Properties:
RoleName: ${self:provider.environment.APP_AUTH_ROLE_NAME}
Path: /
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Federated: "cognito-identity.amazonaws.com"
Action:
- sts:AssumeRoleWithWebIdentity
- sts:AssumeRole
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud":
Ref: CognitoIdentityPool
"ForAnyValue:StringLike":
"cognito-identity.amazonaws.com:amr": authenticated
Policies:
- PolicyName: "CognitoAuthorizedPolicy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- mobileanalytics:PutEvents
- cognito-sync:*
- cognito-identity:*
Resource: "*"
- Effect: "Allow"
Action:
- lambda:InvokeFunction
- lambda:InvokeAsync
Resource: "*"
- Effect: Allow
Action:
- iot:*
Resource: "*"
CognitoUnauthRole:
Type: AWS::IAM::Role
Properties:
RoleName: ${self:provider.environment.APP_UNAUTH_ROLE_NAME}
Path: /
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Federated: "cognito-identity.amazonaws.com"
Action:
- sts:AssumeRoleWithWebIdentity
- sts:AssumeRole
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud":
Ref: CognitoIdentityPool
"ForAnyValue:StringLike":
"cognito-identity.amazonaws.com:amr": unauthenticated
Policies:
- PolicyName: "CognitoUnauthorizedPolicy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- mobileanalytics:PutEvents
- cognito-sync:*
- cognito-identity:*
Resource: "*"
- Effect: "Allow"
Action:
- lambda:InvokeFunction
- lambda:InvokeAsync
Resource: "*"
- Effect: Allow
Action:
- iot:*
Resource: "*"
…On Tue, Oct 16, 2018 at 7:48 AM James Ladd ***@***.***> wrote:
I managed to get this working, w post my yml shortly
Sent from my Commodore 64
On 16 Oct 2018, at 4:16 am, Jáder Carvalho de Medeiros <
***@***.***> wrote:
Same here. Following this document
<https://serverless.com/framework/docs/providers/aws/events/cognito-user-pool/>
the lambda function and cognito pool are created but not linked (the combo
to this trigger is empty).
service: "CognitoTest"provider:
name: aws
runtime: nodejs6.10
functions:
CognitoTriggerPostConfirmation:
handler: Cognito/Triggers.PostConfirmation
events:
- cognitoUserPool:
pool: TestUserPool
trigger: PostConfirmation
resources:
Resources:
CognitoUserPoolTestUserPool:
Type: AWS::Cognito::UserPool
serverless 1.32.0
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#3657 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAGKBAqa7pspr3QGbvQJy48K0zEQu_sdks5ulMMGgaJpZM4Nh10X>
.
|
|
Thank you for reply @jamesladd, but your configuration not have a trigger of Cognito Pool. I see some messages customized like "EmailVerificationMessage" or "EmailVerificationSubject", polices to invoke lambda functions. My and @janoist1 case is a trigger when the user confirm the registration process. The combo that we are talking about is this:
|
|
Oops, here you go.
This when run sets up my Cognito Pool AND registers the functions to be
tiggered.
functions:
hello:
handler: src/echo.hello
events:
- http: GET hello
userPreSignUp:
description: User pre-signup trigger Handler.
handler: src/api.regoPreSignUp
memorySize: ${self:provider.environment.MEMORY_DEFAULT}
timeout: ${self:provider.environment.TIMEOUT_DEFAULT}
private: true
events:
- cognitoUserPool:
pool: CognitoUserPool
trigger: PreSignUp
role: UserRegistrationRole
userCustomMessage:
description: User Custom Message trigger Handler.
handler: src/api.regoCustomMessage
memorySize: ${self:provider.environment.MEMORY_DEFAULT}
timeout: ${self:provider.environment.TIMEOUT_DEFAULT}
private: true
events:
- cognitoUserPool:
pool: CognitoUserPool
trigger: CustomMessage
role: UserRegistrationRole
userPostConfirmation:
description: User post-confirmation trigger Handler.
handler: src/api.regoPostConfirmation
memorySize: ${self:provider.environment.MEMORY_DEFAULT}
timeout: ${self:provider.environment.TIMEOUT_DEFAULT}
private: true
events:
- cognitoUserPool:
pool: CognitoUserPool
trigger: PostConfirmation
role: UserRegistrationRole
…On Tue, Oct 16, 2018 at 8:13 AM Jáder Carvalho de Medeiros < ***@***.***> wrote:
Thank you for reply @jamesladd <https://github.com/jamesladd>, but your
configuration not have a trigger of Cognito Pool.
I see some messages customized like "EmailVerificationMessage" or
"EmailVerificationSubject", polices to invoke lambda functions.
My and @janoist1 <https://github.com/janoist1> case is a trigger when the
user confirm the registration process. The combo that we are talking about
is this:
[image: screenshot_1]
<https://user-images.githubusercontent.com/33452163/46978606-4d5fe680-d0c7-11e8-97ab-cd3213608e71.png>
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#3657 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAGKBH2rrfZnQuq6rizYAnTqmf_-Juapks5ulPp0gaJpZM4Nh10X>
.
|
|
What is the configuration of your role "UserRegistrationRole"? I'm trying reproduce here your example. |
|
Thank you @jamesladd. I compared my yaml file with your and I found the problem with mine. This yaml file not works: functions:
CognitoTriggerPostConfirmation:
handler: Cognito/Triggers.PostConfirmation
private: true
events:
- cognitoUserPool:
pool: TestUserPool
trigger: PostConfirmation
resources:
Resources:
CognitoUserPoolTestUserPool:
Type: AWS::Cognito::UserPoolBut this code works: functions:
CognitoTriggerPostConfirmation:
handler: Cognito/Triggers.PostConfirmation
private: true
events:
- cognitoUserPool:
pool: TestUserPool
trigger: PostConfirmation
resources:
Resources:
CognitoUserPoolTestUserPool:
Type: AWS::Cognito::UserPoolThe difference is 2 spaces before the section inside of the property cognitoUserPool. The documentation show this and I lost. My mistake. @janoist1 maybe is the same for you. |
|
@hassankhan it's possible to reference the cognito user pool with another way than with prefix "CognitoUserPool"? My current stage have a CognitoUserPool with users and if I change the logical id, another cognito user pool will be created. So, how can I reference my current CognitoUserPool in this lambda? My case: functions:
CognitoTriggerPostConfirmation:
handler: Cognito/Triggers.PostConfirmation
private: true
events:
- cognitoUserPool:
pool: [how-to-get-MyExistentUserPool?]
trigger: PostConfirmation
resources:
Resources:
MyExistentUserPool:
Type: AWS::Cognito::UserPool |
|
@hassankhan I see here the function that you are using to retrieve the Cognito User Pool by the Logical Id (getCognitoUserPoolLogicalId) and I ask you for what reason you did this? My question is related with the cases of existent Cognito User Pool and we can not change the Logical Id to use this feature to link a Lambda Function to a Cognito User Pool trigger. In this case, if we use the same values of "User Pool Logical Id" and property "cognitoUserPool.pool" the link will works fine. |
|
Good to hear
…Sent from my Commodore 64
On 16 Oct 2018, at 10:50 pm, Jáder Carvalho de Medeiros ***@***.***> wrote:
Thank you @jamesladd. I compared my yaml file with your and I found the problem with mine.
This yaml file not works:
functions:
CognitoTriggerPostConfirmation:
handler: Cognito/Triggers.PostConfirmation
private: true
events:
- cognitoUserPool:
pool: TestUserPool
trigger: PostConfirmation
resources:
Resources:
CognitoUserPoolTestUserPool:
Type: AWS::Cognito::UserPool
But this code works:
functions:
CognitoTriggerPostConfirmation:
handler: Cognito/Triggers.PostConfirmation
private: true
events:
- cognitoUserPool:
pool: TestUserPool
trigger: PostConfirmation
resources:
Resources:
CognitoUserPoolTestUserPool:
Type: AWS::Cognito::UserPool
The difference is 2 spaces before the section inside of the property cognitoUserPool. The documentation show this and I lost. My mistake.
@janoist1 maybe is the same for you.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
Hi @JaderCM, sorry for the delayed response.
Unfortunately no, since this is following the same Serverless naming patterns that all other resources do.
As I understand it, you cannot reference a pre-existing user pool. You would have to use the one generated by the framework.
Not entirely sure what you're referring to... For any other questions, I'd strongly suggest opening a new issue instead of commenting on this PR 😄. That way, there'd be more visibility rather than on this PR which only has a few eyes on it 👍 |
|
Hi @hassankhan, thanks for reply.
My current (pre-existing) user pool was created by the serverless framework. The problem is that now I need to link this pool with my lambda by trigger and I cannot.
My question is about if is possible to reference user pool using just the logical id without prefix. I opened the issue #5401 to discuss about. |
|
this pull requests has caused me a lot of pain. in hindsight, i wish i would have never touched this.
i was able to implement the correct trigger without any of these headaches with a single line of code here, found here: #5401 (comment) 🤦🏻♂️🤦🏻♂️🤦🏻♂️ |
What did you implement:
Closes #3637. Adds support for Cognito User Pool Triggers, and includes integration tests.
How did you implement it:
Created new plugin for the
package:compileEventshook that checkseventsinserverless.ymlfor acognitoUserPoolproperty.How can we verify it:
By running the integration tests in
tests/integration/aws/cognito-user-pool-trigger/:Todos:
Is this ready for review?: YES
Is it a breaking change?: NO