Cognito - always replacing resource

I’m deploying a Cognito resource with the following config:

import * as aws from "@pulumi/aws";

// User pool exactly as reported; the schemas entries carry no
// stringAttributeConstraints, which is what the state file adds.
new aws.cognito.UserPool("api-user-pool", {
    passwordPolicy: {
        minimumLength: 8,
        requireLowercase: false,
        requireNumbers: false,
        requireSymbols: false,
        requireUppercase: false,
        temporaryPasswordValidityDays: 7
    },
    adminCreateUserConfig: {
        allowAdminCreateUserOnly: true
    },
    autoVerifiedAttributes: ["email"],
    emailConfiguration: {
        emailSendingAccount: "COGNITO_DEFAULT"
    },
    mfaConfiguration: "OFF",
    userPoolAddOns: {
        advancedSecurityMode: "OFF" /* required */
    },
    usernameAttributes: ["email"],
    verificationMessageTemplate: {
        defaultEmailOption: "CONFIRM_WITH_CODE"
    },
    schemas: [
        {
            attributeDataType: "String",
            name: "email",
            required: true,
            developerOnlyAttribute: false,
            mutable: true
        },
        {
            attributeDataType: "String",
            name: "family_name",
            required: true,
            developerOnlyAttribute: false,
            mutable: true
        },
        {
            attributeDataType: "String",
            name: "given_name",
            required: true,
            developerOnlyAttribute: false,
            mutable: true
        }
    ]
});

After trying to redeploy the stack, the userPool always gets replaced, even though the config is the same. This should not happen.

Expected Behavior

The Cognito user pool should not get replaced, it should stay the same.

Current Behavior

The Cognito user pool is being replaced.

Steps to Reproduce

  1. Create a simple Pulumi index.ts and paste the above code.
  2. Run pulumi up
  3. Run pulumi up again - it will tell you that it will replace the Cognito user pool

What I’ve discovered

I went to my state file, and discovered that in there, in the schemas property, each item has also:

stringAttributeConstraints: {
    maxLength: "2048",
    minLength: "0"
}

After I added this to each item in my template, everything started to work correctly.

So it seems that for some reason, the state file and my template are not the same (because of stringAttributeConstraints property difference), and then Pulumi decides to replace the resource. Not sure if this means something to you guys, but nevertheless, I decided to include it in the report.

Issue Analytics

  • State: open
  • Created 3 years ago
  • Reactions: 1
  • Comments: 5 (3 by maintainers)

Top GitHub Comments

1 reaction
stack72 commented, Aug 17, 2020

Thank you!!

0 reactions
lukehoban commented, Nov 19, 2022

FWIW - I now see this in the diff:

  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:dev::testaws::pulumi:pulumi:Stack::testaws-dev]
    ~ aws:cognito/userPool:UserPool: (update)
        [id=us-west-2_WAb4b9DxY]
        [urn=urn:pulumi:dev::testaws::aws:cognito/userPool:UserPool::api-user-pool]
        [provider=urn:pulumi:dev::testaws::pulumi:providers:aws::default_5_21_1::0856075f-1ec7-42ae-9e4f-c349510331c0]
      ~ schemas: [
          ~ [0]: {
                  ~ attributeDataType         : "String" => "String"
                  + developerOnlyAttribute    : false
                  ~ mutable                   : true => true
                  ~ name                      : "family_name" => "email"
                  ~ required                  : true => true
                  - stringAttributeConstraints: {
                      - maxLength: "2048"
                      - minLength: "0"
                    }
                }
          ~ [1]: {
                  ~ attributeDataType         : "String" => "String"
                  + developerOnlyAttribute    : false
                  ~ mutable                   : true => true
                  ~ name                      : "given_name" => "family_name"
                  ~ required                  : true => true
                  - stringAttributeConstraints: {
                      - maxLength: "2048"
                      - minLength: "0"
                    }
                }
          ~ [2]: {
                  ~ attributeDataType         : "String" => "String"
                  + developerOnlyAttribute    : false
                  ~ mutable                   : true => true
                  ~ name                      : "email" => "given_name"
                  ~ required                  : true => true
                  - stringAttributeConstraints: {
                      - maxLength: "2048"
                      - minLength: "0"
                    }
                }
        ]

The reordering rendering being noisy is due to https://github.com/pulumi/pulumi-terraform-bridge/issues/186.

The removal of stringAttributeConstraints is due to https://github.com/hashicorp/terraform-provider-aws/issues/20276.
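
The state-file comparison described in the issue and the workaround of declaring stringAttributeConstraints, as an added TypeScript example that is not part of the issue or of Pulumi's code. SchemaAttr, withStateDefaults and missingFromProgram are hypothetical names, and the sample schemas are constructed from the attribute names shown above. Items are matched by name rather than by position, so the reordering seen in the diff does not mask the real difference.

```typescript
// Added example; SchemaAttr, withStateDefaults and missingFromProgram are
// hypothetical names, and the sample schemas below are constructed.
interface StringConstraints { minLength: string; maxLength: string }
interface SchemaAttr {
    attributeDataType: string;
    name: string;
    required: boolean;
    developerOnlyAttribute: boolean;
    mutable: boolean;
    stringAttributeConstraints?: StringConstraints;
}

// Values the reporter found in the state file for every schema item.
const STATE_DEFAULTS: StringConstraints = { minLength: "0", maxLength: "2048" };

// Workaround from the issue: declare the constraints explicitly on String
// attributes so the program matches what the state file records.
function withStateDefaults(schemas: SchemaAttr[]): SchemaAttr[] {
    return schemas.map((s) =>
        s.attributeDataType === "String" && s.stringAttributeConstraints === undefined
            ? { ...s, stringAttributeConstraints: { ...STATE_DEFAULTS } }
            : s
    );
}

// Match items by name (not list position) and report every key that the
// state holds but the program does not declare.
function missingFromProgram(program: SchemaAttr[], state: SchemaAttr[]): string[] {
    const out: string[] = [];
    for (const st of state) {
        const declared = program.filter((p) => p.name === st.name)[0];
        if (declared === undefined) { out.push(`${st.name}: not declared`); continue; }
        for (const key of Object.keys(st)) {
            if (!(key in declared)) out.push(`${st.name}.${key}`);
        }
    }
    return out.sort();
}

// Constructed sample: the three attributes from the issue, plus a state copy
// in a different order that carries the extra constraints.
const attr = (name: string): SchemaAttr => ({
    attributeDataType: "String", name, required: true,
    developerOnlyAttribute: false, mutable: true,
});
const programSchemas = ["email", "family_name", "given_name"].map(attr);
const stateSchemas = withStateDefaults(["family_name", "given_name", "email"].map(attr));
```

missingFromProgram(programSchemas, stateSchemas) lists one stringAttributeConstraints entry per attribute; after withStateDefaults(programSchemas) the list is empty.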
