Transform fails when DeletionProtection specified in AWS::Cognito::UserPool with Cognito event #2581
Comments
Thanks for the feature request. I will discuss this with the team and post updates here.
Feel free to reopen this issue if you notice that CloudFormation has started to support this property.
Still seeing the error when adding the DeletionProtection to a user pool.
I'm using SAM CLI version 1.76.0. I identified that, according to the CloudFormation docs, this feature should be supported. However, if you don't use the Ref built-in CloudFormation function to refer to the Cognito user pool anywhere in the template, it'll work fine. Surprisingly, if you add at least one instance of Ref to a Cognito user pool with DeletionProtection enabled, it will show this error. In my case, I'm using Cognito events on Lambda resources that need a reference to a Cognito user pool in the template. If using this particular configuration, it will fail with the error mentioned above. I guess it is a very similar use case for the other devs reporting this issue. Please let me know if I can provide additional details or if you recommend that I open a separate issue for this. As a temporary solution, I removed the DeletionProtection from my user pool, but this is risky in a production scenario.
@jjaimez @benconnito Could you clarify what the ask is?

```yaml
Transform: AWS::Serverless-2016-10-31
Parameters:
  DeletionProtection:
    Type: String
    Default: ACTIVE
Resources:
  MyUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      DeletionProtection: !Ref DeletionProtection
```

Deploy:

```bash
sam deploy --region us-west-2 --resolve-s3 --capabilities CAPABILITY_IAM --stack-name test-deletion-protection --template template.yaml
```
@JP-tech-sh Would you be able to provide a template reproducing the issue?
@hoffa Yes, I'll provide a minimal working template reproducing the issue, so you can test it. I'll try to have it ready for today.
I am actually unable to get NEW Cognito domains (whether initially inactive or active) to have the issue. However, updating an existing Cognito domain (created BEFORE the deletion protection feature) to have deletion protection seems to fail. All I added to my existing Cognito resource in CloudFormation was
and it's actually failing for our staging Cognito to update it to INACTIVE (it is not active atm)
Hello, this is the example SAM project showing the error, sorry about the delay. https://github.com/JP-tech-sh/deletion-protection-sam-error
Thanks a lot for this, I was able to reproduce. Here's a minimal example. Save as

```yaml
Transform: AWS::Serverless-2016-10-31
Resources:
  MyUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      DeletionProtection: ACTIVE
  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.8
      InlineCode: foo
      Handler: bar
      Events:
        CognitoEvent:
          Type: Cognito
          Properties:
            Trigger: CustomMessage
            UserPool: !Ref MyUserPool
```

Creating the change set will fail with:

If you remove the Cognito event, it succeeds:

```yaml
Transform: AWS::Serverless-2016-10-31
Resources:
  MyUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      DeletionProtection: ACTIVE
  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.8
      InlineCode: foo
      Handler: bar
```
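An added example, not part of the thread or of the SAM project's code: a Python check that reports user pools matching the reproduction above (DeletionProtection set, plus a Cognito event that refers to the pool with `!Ref`) and pools left without deletion protection, as in the workaround mentioned earlier in the thread. Assumptions: the template is already loaded as a dict in CloudFormation JSON form, and `audit_user_pools` and the finding labels are hypothetical names.

```python
# Added example: flags the template shape from this issue and the unprotected
# pools left behind by the workaround. Templates are dicts in CloudFormation
# JSON form ({"Ref": "X"} stands for !Ref X). Function names are hypothetical.

def _resolve(value, params):
    """Literal value, or the Default of the parameter a {"Ref": ...} points at."""
    if isinstance(value, dict) and "Ref" in value:
        return params.get(value["Ref"], {}).get("Default")
    return value

def audit_user_pools(template):
    """Map each user pool's logical id to its protection state and a finding."""
    resources = template.get("Resources", {})
    params = template.get("Parameters", {})
    report = {}
    for name, res in resources.items():
        if res.get("Type") == "AWS::Cognito::UserPool":
            setting = res.get("Properties", {}).get("DeletionProtection")
            report[name] = {"deletion_protection": _resolve(setting, params),
                            "cognito_event_refs": []}
    # Cognito events on serverless functions that Ref a pool in this template.
    for fn_name, res in resources.items():
        if res.get("Type") != "AWS::Serverless::Function":
            continue
        for ev_name, ev in res.get("Properties", {}).get("Events", {}).items():
            pool = ev.get("Properties", {}).get("UserPool")
            target = pool.get("Ref") if isinstance(pool, dict) else None
            if ev.get("Type") == "Cognito" and target in report:
                report[target]["cognito_event_refs"].append(f"{fn_name}.{ev_name}")
    for entry in report.values():
        if entry["deletion_protection"] != "ACTIVE":
            entry["finding"] = "UNPROTECTED"           # pool has no deletion guard
        elif entry["cognito_event_refs"]:
            entry["finding"] = "AFFECTED_COMBINATION"  # shape reported in this issue
        else:
            entry["finding"] = "OK"
    return report

# Constructed sample: the minimal reproduction from the thread, as a dict.
REPRO = {"Resources": {
    "MyUserPool": {"Type": "AWS::Cognito::UserPool",
                   "Properties": {"DeletionProtection": "ACTIVE"}},
    "MyFunction": {"Type": "AWS::Serverless::Function", "Properties": {
        "Runtime": "python3.8", "InlineCode": "foo", "Handler": "bar",
        "Events": {"CognitoEvent": {"Type": "Cognito", "Properties": {
            "Trigger": "CustomMessage", "UserPool": {"Ref": "MyUserPool"}}}}}}}}

if __name__ == "__main__":
    print(audit_user_pools(REPRO))
```

Running it in CI over templates where DeletionProtection was dropped as a workaround shows which pools end up `UNPROTECTED` and need the property restored once the transform accepts it.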
I've created a fix for this in #3041. I'll also look into a longer-term fix so these issues don't occur for every new property.
Describe your idea/feature/enhancement
I wish the SAM Translator would support DeletionProtection in Cognito User Pool definition.
Proposal
Things to consider:
Additional Details
I tried to do it and I got the following error.
property DeletionProtection not defined for resource of type AWS::cognito::UserPool