
Deleting unused Cognito clients blocks deployments #13606

Closed
2 tasks done
RalphKemp opened this issue Feb 21, 2024 · 9 comments
Labels
auth Issues tied to the auth category of the CLI override Issues related to resource override CDK functionality pending-triage Issue is pending triage

Comments

@RalphKemp

RalphKemp commented Feb 21, 2024

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

v20.11.1

Amplify CLI Version

v12.5.1

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

Deleted automatically generated clients from Cognito

Describe the bug

At my company we've been using Amplify for about 3.5 years in production. About a year ago I removed the default clients which were auto generated for us in Cognito, as they weren't being used. For quite a while now I've been using Amplify CLI v9.2.1 to deploy to both dev and prod, and have had no problems. However this week I wanted to upgrade to Amplify V6, and part 3 of these docs say the CLI needs to be upgraded.

When I try to deploy on v12.5.1 I get the following error:

Resource handler returned message: "(cognito-idp.eu-west-1.amazonaws.com/my_userpool_id:old_cognito_client) is not a valid RoleMapping ProviderName or is not a configured provider.

In the automatically generated cloudformation file, I can see the IdentityPoolRoleMap value has changed, adding a RoleMappings value that isn't generated in v9.2.1.

"IdentityPoolRoleMap": {
      "Type": "AWS::Cognito::IdentityPoolRoleAttachment",
      "Properties": {
        "IdentityPoolId": {
          "Ref": "IdentityPool"
        },
        "RoleMappings": {
          "UserPoolClientRoleMapping": {
            "AmbiguousRoleResolution": "AuthenticatedRole",
            "IdentityProvider": {
              "Fn::Sub": [
                "cognito-idp.${region}.amazonaws.com/${userPool}:${client}",
                {
                  "region": {
                    "Ref": "AWS::Region"
                  },
                  "userPool": {
                    "Ref": "UserPool"
                  },
                  "client": {
                    "Ref": "UserPoolClient"
                  }
                }
              ]
            },
            "Type": "Token"
          },
          "UserPoolWebClientRoleMapping": {
            "AmbiguousRoleResolution": "AuthenticatedRole",
            "IdentityProvider": {
              "Fn::Sub": [
                "cognito-idp.${region}.amazonaws.com/${userPool}:${webClient}",
                {
                  "region": {
                    "Ref": "AWS::Region"
                  },
                  "userPool": {
                    "Ref": "UserPool"
                  },
                  "webClient": {
                    "Ref": "UserPoolClientWeb"
                  }
                }
              ]
            },
            "Type": "Token"
          }
        },
        "Roles": {
          "unauthenticated": {
            "Ref": "unauthRoleArn"
          },
          "authenticated": {
            "Ref": "authRoleArn"
          }
        }
      },
      "DependsOn": [
        "IdentityPool",
        "UserPoolClient",
        "UserPoolClientWeb"
      ]
    }

Even if I delete the RoleMappings in override.ts, the non-existent UserPoolClient and UserPoolClientWeb are still in the DependsOn array.

Is there any way of getting round this? We have tens of thousands of users in production, and are expecting a large increase in users in March due to a new client. Obviously it was a mistake to delete the unused clients, but I didn't think it would eventually halt all deployments. Any help would be greatly appreciated, thanks.

Expected behavior

I expected auth to be deployed correctly without relying on values which were autogenerated during project initialisation.

Reproduction steps

  1. Create a new amplify project with auth and push.
  2. Manually remove one of the automatically generated Client IDs in Cognito.
  3. Make a change and push to Amplify

Project Identifier

No response

Log output

# Put your logs below this line


Additional information

Before understanding the bug I thought it might be a problem with Amplify CLI 12.10.1, so tried a lower version. Same error happening on both.

Before submitting, please confirm:

  • I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • I have removed any sensitive information from my code snippets and submission.
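An added example (not code from the issue or from the Amplify CLI): a small TypeScript checker that walks an Amplify-generated CloudFormation template and lists every Ref, Fn::Sub and DependsOn reference to a set of logical IDs, so you can verify before pushing that an override has removed every reference to a deleted user pool client, not just the RoleMappings. The sample template is a constructed, trimmed version of the IdentityPoolRoleMap resource quoted above.

```typescript
// Added example (not from the issue or the Amplify CLI): list every Ref, Fn::Sub and DependsOn reference to given logical IDs in an Amplify-generated CloudFormation template.
type Json = string | number | boolean | null | Json[] | { [key: string]: Json };
type Template = { Resources: { [id: string]: Json } };
interface Reference { resource: string; kind: "Ref" | "Fn::Sub" | "DependsOn"; path: string }
const SUB_VAR = /\$\{([A-Za-z0-9]+)\}/g;  // bare ${LogicalId} inside an Fn::Sub string

function walk(node: Json, path: string, targets: string[], resource: string, out: Reference[]): void {
  const hit = (name: unknown): name is string => typeof name === "string" && targets.indexOf(name) !== -1;
  if (Array.isArray(node)) return node.forEach((child, i) => walk(child, `${path}[${i}]`, targets, resource, out));
  if (node === null || typeof node !== "object") return;
  for (const key of Object.keys(node)) {
    const value = node[key];
    const here = path ? `${path}.${key}` : key;
    if (key === "Ref" && hit(value)) {
      out.push({ resource, kind: "Ref", path: here });
    } else if (key === "Fn::Sub") {
      // Fn::Sub is a string or [string, variables]; the variables map holds plain Ref objects, caught by the recursion
      const text = Array.isArray(value) ? value[0] : value;
      const names: string[] = typeof text === "string" ? text.match(SUB_VAR) || [] : [];
      for (const name of names) if (hit(name.slice(2, -1))) out.push({ resource, kind: "Fn::Sub", path: here });
    } else if (key === "DependsOn") {
      for (const dep of Array.isArray(value) ? value : [value]) {
        if (hit(dep)) out.push({ resource, kind: "DependsOn", path: here });
      }
    }
    walk(value, here, targets, resource, out);
  }
}

// Every reference to any of `logicalIds` from the other resources; an empty result means deleting them leaves no dangling Ref or DependsOn.
function findReferences(template: Template, logicalIds: string[]): Reference[] {
  const out: Reference[] = [];
  for (const id of Object.keys(template.Resources)) {
    if (logicalIds.indexOf(id) === -1) walk(template.Resources[id], "", logicalIds, id, out);
  }
  return out;
}

// Constructed, trimmed version of the IdentityPoolRoleMap resource quoted in the issue (sample input only).
const SAMPLE_TEMPLATE: Template = {
  Resources: {
    UserPoolClient: { Type: "AWS::Cognito::UserPoolClient", Properties: { UserPoolId: { Ref: "UserPool" } } },
    IdentityPoolRoleMap: {
      Type: "AWS::Cognito::IdentityPoolRoleAttachment", DependsOn: ["IdentityPool", "UserPoolClient"],
      Properties: { RoleMappings: { UserPoolClientRoleMapping: { IdentityProvider: { "Fn::Sub": [
        "cognito-idp.${region}.amazonaws.com/${userPool}:${client}",
        { region: { Ref: "AWS::Region" }, userPool: { Ref: "UserPool" }, client: { Ref: "UserPoolClient" } },
      ] } } } },
    },
  },
};
```

Running `findReferences` on the real template in `amplify/backend/auth/<name>/build/` (path assumed) after applying an override shows exactly which references the override still has to remove.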
@RalphKemp RalphKemp added the pending-triage Issue is pending triage label Feb 21, 2024
@ykethan
Member

ykethan commented Feb 21, 2024

hey @RalphKemp, you could try removing the dependency in the override using the following

  resources.identityPoolRoleMap.removeDependency(resources.userPoolClientWeb);
  resources.identityPoolRoleMap.removeDependency(resources.userPoolClient);

@ykethan ykethan added auth Issues tied to the auth category of the CLI pending-response Issue is pending response from the issue author override Issues related to resource override CDK functionality labels Feb 21, 2024
@RalphKemp
Author

hey @RalphKemp, you could try removing the dependency in the override using the following

  resources.identityPoolRoleMap.removeDependency(resources.userPoolClientWeb);
  resources.identityPoolRoleMap.removeDependency(resources.userPoolClient);

Hi @ykethan, thanks for getting back to me. Cheers for the advice - I didn't realise you could update dependencies, as the removeDependency function type isn't on cognito.CfnIdentityPoolRoleAttachment; it throws an error when pushing without @ts-ignore.

Whilst those values are removed when pushing, unfortunately I'm still getting "User pool client does not exist" with the following override:

import { AmplifyAuthCognitoStackTemplate } from '@aws-amplify/cli-extensibility-helper';

export function override(resources: AmplifyAuthCognitoStackTemplate) {
  // Remove the optional roleMappings property
  delete resources.identityPoolRoleMap.roleMappings;
  // Drop the DependsOn entries for the deleted clients; removeDependency is not declared
  // on the cognito.CfnIdentityPoolRoleAttachment type, hence the @ts-ignore
  // @ts-ignore
  resources.identityPoolRoleMap.removeDependency(resources.userPoolClientWeb);
  // @ts-ignore
  resources.identityPoolRoleMap.removeDependency(resources.userPoolClient);

  // Remove the optional cognitoIdentityProviders
  delete resources.identityPool.cognitoIdentityProviders;
}

The only thing remaining that I feel I should delete via override would naturally be:

    "UserPoolClientWeb": {
      "Type": "AWS::Cognito::UserPoolClient",
      "Properties": {
        "UserPoolId": {
          "Ref": "UserPool"
        },
        "ClientName": "cloudl853e4797_app_clientWeb",
        "ReadAttributes": {
          "Ref": "userpoolClientReadAttributes"
        },
        "RefreshTokenValidity": {
          "Ref": "userpoolClientRefreshTokenValidity"
        },
        "TokenValidityUnits": {
          "RefreshToken": "days"
        },
        "WriteAttributes": {
          "Ref": "userpoolClientWriteAttributes"
        }
      },
      "DependsOn": [
        "UserPool"
      ]
    },
    "UserPoolClient": {
      "Type": "AWS::Cognito::UserPoolClient",
      "Properties": {
        "UserPoolId": {
          "Ref": "UserPool"
        },
        "ClientName": "cloudl853e4797_app_client",
        "GenerateSecret": {
          "Ref": "userpoolClientGenerateSecret"
        },
        "ReadAttributes": {
          "Ref": "userpoolClientReadAttributes"
        },
        "RefreshTokenValidity": {
          "Ref": "userpoolClientRefreshTokenValidity"
        },
        "TokenValidityUnits": {
          "RefreshToken": "days"
        },
        "WriteAttributes": {
          "Ref": "userpoolClientWriteAttributes"
        }
      },
      "DependsOn": [
        "UserPool"
      ]
    },

by adding

delete resources.userPoolClientWeb;
delete resources.userPoolClient;

Although I'm hesitant to do this - would this break anything to your knowledge? Thanks

@github-actions github-actions bot removed the pending-response Issue is pending response from the issue author label Feb 21, 2024
@RalphKemp
Author

Hi @ykethan any update on this issue? I tried my comment above and still getting the same error - then I read this thread #13159 and saw you can't override resources anyway. Am I going to be stuck on 9.2.1 because of a deleted Cognito client?

@ykethan
Member

ykethan commented Feb 23, 2024

Hey @RalphKemp, I have been trying to find a workaround but wasn't able to override the auth resource to remove the deleted client references.
But as the issue suggests, you can try to enable deletion protection on the Cognito resources, remove the resource using the CLI, then import the resource. But do note that amplify import auth does expect at least 1 client to be configured on the user pool.

@ykethan ykethan added the pending-response Issue is pending response from the issue author label Feb 23, 2024
@RalphKemp
Author

But as the issue suggests, you can try to enable deletion protection on the Cognito resources, remove the resource using the CLI, then import the resource. But do note that amplify import auth does expect at least 1 client to be configured on the user pool.

Hi @ykethan thanks for getting back to me - I'll give this a go and will let you know how I get on. Cheers

@github-actions github-actions bot removed the pending-response Issue is pending response from the issue author label Feb 24, 2024
@ykethan ykethan added the pending-response Issue is pending response from the issue author label Feb 26, 2024
@willb0246

@RalphKemp did the above steps resolve your issue? or did you resolve it another way? I am dealing with something similar.

@RalphKemp
Author

@RalphKemp did the above steps resolve your issue? or did you resolve it another way? I am dealing with something similar.

My solution is migrating away from Amplify! Tried the import auth method but you can't do that if you have any other resources which rely on it, like DynamoDB/storage etc. The main reason I started this thread was because I was trying to upgrade to the latest CLI version. When I created a new environment to test things out, all the golang functions I'd written literally just stopped working, and the auth problem persisted. I know it's not useful but my honest advice can only be to migrate off of Amplify as soon as you can, especially if you have a sizeable production userbase like I do. I won't close the thread yet in case someone else has a potential fix for you + others.

@github-actions github-actions bot removed the pending-response Issue is pending response from the issue author label Apr 21, 2024
@ykethan
Member

ykethan commented May 3, 2024

Sorry to hear about your experience, @RalphKemp. With Amplify Gen 2, we offer a much more comprehensive experience and customization options. Do reach out to us if this would enable building your use case.
Gen 2 repository: https://github.com/aws-amplify/amplify-backend
Closing the issue.

@ykethan ykethan closed this as not planned May 3, 2024

github-actions bot commented May 3, 2024

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
