Cannot get resource: xxxPostConfirmation from 'function' category #13521

Closed
2 tasks done
OperationalFallacy opened this issue Jan 9, 2024 · 7 comments
Labels
auth Issues tied to the auth category of the CLI functions Issues tied to the functions category pending-triage Issue is pending triage

Comments


OperationalFallacy commented Jan 9, 2024

How did you install the Amplify CLI?

yarn

If applicable, what version of Node.js are you using?

20.x

Amplify CLI Version

12.10.0

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

Yes, added custom category amplifyTriggersPermissions to allow Cognito triggers to access GraphQL; I don't think it's going to "just work", I read more about GraphQL auth mode. Anyway, now I'm trying to clean up these triggers and it fails.

Describe the bug

Cannot delete the PostConfirmation function; amplify push fails with the obscure error "🛑 Cannot get resource: xxxPostConfirmation from 'function' category."

Expected behavior

Should delete function

Reproduction steps

I'm not sure how to reproduce it.

Project Identifier

not sure, sending report fails :(

Log output

    Current Environment: stage
    
┌──────────────────────────┬──────────────────────────────────┬───────────┬───────────────────┐
│ Category                 │ Resource name                    │ Operation │ Provider plugin   │
├──────────────────────────┼──────────────────────────────────┼───────────┼───────────────────┤
│ Lambdatriggerpermissions │ postConfirmationPermissions      │ Update    │ awscloudformation │
├──────────────────────────┼──────────────────────────────────┼───────────┼───────────────────┤
│ Function                 │ xxxPostConfirmation │ Delete    │ awscloudformation │
├──────────────────────────┼──────────────────────────────────┼───────────┼───────────────────┤
│ Api                      │ xxx                         │ No Change │ awscloudformation │
├──────────────────────────┼──────────────────────────────────┼───────────┼───────────────────┤
│ Auth                     │ xxx                 │ No Change │ awscloudformation │
├──────────────────────────┼──────────────────────────────────┼───────────┼───────────────────┤
│ Auth                     │ userPoolGroups                   │ No Change │ awscloudformation │
├──────────────────────────┼──────────────────────────────────┼───────────┼───────────────────┤
│ Custom                   │ xxx                           │ No Change │ awscloudformation │
├──────────────────────────┼──────────────────────────────────┼───────────┼───────────────────┤
│ Function                 │ xxx                    │ No Change │ awscloudformation │
├──────────────────────────┼──────────────────────────────────┼───────────┼───────────────────┤
│ Function                 │ xxx                    │ No Change │ awscloudformation │
├──────────────────────────┼──────────────────────────────────┼───────────┼───────────────────┤
│ Function                 │ xxx                           │ No Change │ awscloudformation │
├──────────────────────────┼──────────────────────────────────┼───────────┼───────────────────┤
│ Function                 │ xxx                     │ No Change │ awscloudformation │
├──────────────────────────┼──────────────────────────────────┼───────────┼───────────────────┤
│ Function                 │ xxxCustomMessage    │ No Change │ awscloudformation │
├──────────────────────────┼──────────────────────────────────┼───────────┼───────────────────┤
│ Function                 │ xxxPreSignup        │ No Change │ awscloudformation │
└──────────────────────────┴──────────────────────────────────┴───────────┴───────────────────┘
✔ Are you sure you want to continue? (Y/n) · yes
Overrides functionality is not implemented for this category
🛑 Cannot get resource: xxxPostConfirmation from 'function' category.

Learn more at: https://docs.amplify.aws/cli/project/troubleshooting/

PushResourcesError: Cannot get resource: xxxPostConfirmation from 'function' category.

Additional information

can somebody explain if it's conceptually even possible the way amplify manages resources to configure cognito lambda triggers to access graphql?

Before submitting, please confirm:

  • I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • I have removed any sensitive information from my code snippets and submission.
Member

ykethan commented Jan 9, 2024

Hey @OperationalFallacy, thank you for reaching out. Could you check the amplify-meta.json file for any dependsOn blocks that point to the trigger Lambda function? If present, we will need to update the resource and remove the dependency.

@OperationalFallacy
Author

There were probably some, but I gave up and deleted env.

The underlying issues that lead to these deployment failures and cause me headaches are these:

  1. Permissions for Cognito Lambda triggers to access the GraphQL API. There is a bunch of hacks and workarounds in the multiple threads. What's the "official" way of doing it?

  2. The hosted UI: it creates custom CloudFormation resources using Lambda and makes it brittle to update anything related to Cognito (see above). Not sure why it's even needed? Is it possible to disable it completely? There is a hostedUI boolean option in cli-input.json but it doesn't do anything.

Member

ykethan commented Jan 11, 2024

@OperationalFallacy

  1. permissions for Cognito Lambda triggers to access graphql api

To add permissions/provide access to a resource for a Lambda function, the expected flow is to run amplify update function and select the resource. Refer to https://docs.amplify.aws/react/build-a-backend/functions/set-up-function/#function-templates, which provides an example.
But do note that when providing function permissions to a GraphQL API, you may need to invoke an update in the API and push.
Refer to the GitHub issue providing this information.

  2. The hosted ui, it creates custom CloudFormation resources using Lambda

Are you referring to the custom callout lambda function deployed by the auth category? This callout function was implemented to extend/customize the behavior of AWS Cognito as CloudFormation didn't yet fully support all the attributes.

@OperationalFallacy
Author

  1. The permissions for usual functions work just fine, but not for the Cognito Lambda triggers, due to a cyclical dependency between api and auth. See this long thread for example: Get apiaivyGraphQLAPIIdOutput in auto generated PostConfirmation Lambda? #1874

I had to resort to creating a custom category, which has a CloudFormation to store API information in an SSM parameter and configure IAM permissions for the Cognito trigger functions. Which still wouldn't solve the problem, because the GraphQL API is using IAM "Admin" roles to allow access from Lambda functions.

So I had to add these functions' roles to custom-roles.json to make it functional, along with the custom category.

My question is: what is Amplify's "official" workaround to set up permission on Cognito trigger Lambdas to access GraphQL?

  2. I'm referring to the whole hostedui set of resources, including CloudFormation custom resources.

The questions I have about hosted UI: do I need hosted UI for anything? I'm not using it, the website is not referencing it in any way.

How do I disable it, if it's not required?

Contributor

josefaidt commented Jan 11, 2024

@OperationalFallacy 👋 sorry to hear about the rough experience, but a few notes:

  • there is an active issue where granting access to your AppSync API does not regenerate the auth resolvers. Despite your Function now having the necessary IAM permissions, requests will be rejected by the resolvers since they were not regenerated. To work around this, add a space in your schema to force recompilation (see "Function access to API not applied", amplify-category-api#679 (comment))
  • Functions that are used as Cognito triggers do not also need to be granted access to auth. Since the Function is attached to auth it will have permissions. Removing this access should resolve the circular dependency, and any env vars that would be generated by the CLI when granting access (e.g. the Cognito user pool ID) are available on the trigger event
  • for Hosted UI, I don't believe we offer a way to disable it with the CLI but you can likely use an override for this with amplify override auth. It is enabled for use with OAuth or social providers

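The two checks suggested in this thread, finding `dependsOn` entries in amplify-meta.json that still point at the trigger function and spotting the api/auth circular dependency, as an added example (not code from the thread or from the Amplify CLI). The sample object is constructed, its resource names are hypothetical, and the category -> resource -> `dependsOn` layout is an assumption about the file; parse your own amplify/backend/amplify-meta.json in its place.

```javascript
// Constructed sample shaped like amplify/backend/amplify-meta.json (assumed layout:
// category -> resource -> { dependsOn: [{ category, resourceName }] }); names are hypothetical.
const sampleMeta = {
  providers: { awscloudformation: {} },
  auth: { myAuth: { dependsOn: [{ category: 'function', resourceName: 'myAuthPostConfirmation' }] } },
  api: { myApi: { dependsOn: [{ category: 'auth', resourceName: 'myAuth' }] } },
  function: { myAuthPostConfirmation: { dependsOn: [{ category: 'api', resourceName: 'myApi' }] } },
};

// Flatten the file into edges: "category/resource" -> ["category/resource", ...].
function dependencyGraph(meta) {
  const graph = {};
  for (const [category, resources] of Object.entries(meta)) {
    if (category === 'providers') continue; // deployment metadata, not resources
    for (const [name, resource] of Object.entries(resources)) {
      const deps = (resource && resource.dependsOn) || [];
      graph[`${category}/${name}`] = deps.map((d) => `${d.category}/${d.resourceName}`);
    }
  }
  return graph;
}
// Resources that still reference `target`; each one blocks its deletion.
function dependentsOf(graph, target) {
  return Object.keys(graph).filter((node) => graph[node].includes(target)).sort();
}
// Depth-first search; returns the first dependency cycle found, or null.
function findCycle(graph) {
  const state = {}; // undefined = unvisited, 1 = on current path, 2 = finished
  const path = [];
  const visit = (node) => {
    if (state[node] === 1) return path.slice(path.indexOf(node)).concat(node);
    if (state[node] === 2) return null;
    state[node] = 1;
    path.push(node);
    for (const next of graph[node] || []) {
      const cycle = visit(next);
      if (cycle) return cycle;
    }
    path.pop();
    state[node] = 2;
    return null;
  };
  for (const node of Object.keys(graph)) {
    const cycle = visit(node);
    if (cycle) return cycle;
  }
  return null;
}
const graph = dependencyGraph(sampleMeta);
console.log(dependentsOf(graph, 'function/myAuthPostConfirmation'), findCycle(graph));
```
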
@OperationalFallacy
Author

Thank you, those are important bits of information.

Regarding Cognito trigger functions, even before getting to the resources generated correctly, the permissions must be configured and cli can't do it because of circular dependencies. Again, this is for granting api access to Cognito Lambda triggers.

Regarding amplify override auth I'd be hesitant to touch it after experiencing this cli-induced resources management nightmare.

I hope you'll migrate all this mess to cdk one day, so we can have proper abstraction and interfaces to work with resources.
