
Cognito: Device Tracking Setting Resets After Adding Lambda Triggers for Cognito via CDK #33282

Closed · 1 task
cjnoname opened this issue Feb 4, 2025 · 3 comments
Assignees: ashishdhingra
Labels: @aws-cdk/aws-cognito (Related to Amazon Cognito), bug (This issue is a bug.), p3, response-requested (Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.)

Comments


cjnoname commented Feb 4, 2025

Describe the bug

When adding or modifying Lambda triggers for an Amazon Cognito User Pool using AWS CDK, the Device Tracking setting is unexpectedly reset. This requires manual reconfiguration after each deployment.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

The Device Tracking setting should retain its configured value after adding or modifying Lambda triggers via AWS CDK.

Current Behavior

The Device Tracking setting is reset, requiring manual reconfiguration after each CDK deployment.

Reproduction Steps

The scripts we use:

```ts
import { Effect, PolicyDocument, PolicyStatement, Role, ServicePrincipal } from "aws-cdk-lib/aws-iam";
import { AwsCustomResource, PhysicalResourceId } from "aws-cdk-lib/custom-resources";

// Runs inside a stack. `stack`, `lambda` (the trigger function), `lambdaName`,
// `cognitoUserPoolId`, `events` (the LambdaConfig map, e.g. { PreSignUp: arn })
// and generateResourceId() are defined by the surrounding code.
const customResourceLambdaName = `${lambdaName}-custom-resource`;
const customResourceId = `CustomResourceCognito${generateResourceId(lambdaName)}`;

// Resource policy: let this user pool, and only this pool, invoke the trigger.
lambda.addPermission("CognitoInvokePermission", {
  principal: new ServicePrincipal("cognito-idp.amazonaws.com"),
  action: "lambda:InvokeFunction",
  sourceArn: `arn:aws:cognito-idp:${stack.region}:${stack.account}:userpool/${cognitoUserPoolId}`
});

const updateUserPoolTrigger = new AwsCustomResource(stack, customResourceId, {
  functionName: customResourceLambdaName,
  // Provider role scoped to UpdateUserPool on this one pool.
  role: new Role(stack, `${customResourceId}Role`, {
    roleName: `${customResourceLambdaName}-role`,
    assumedBy: new ServicePrincipal("lambda.amazonaws.com"),
    inlinePolicies: {
      InlinePolicy: new PolicyDocument({
        statements: [
          new PolicyStatement({
            effect: Effect.ALLOW,
            actions: ["cognito-idp:UpdateUserPool"],
            resources: [
              `arn:aws:cognito-idp:${stack.region}:${stack.account}:userpool/${cognitoUserPoolId}`
            ]
          })
        ]
      })
    }
  }),
  // No onUpdate/onDelete is given, so the SDK call is made only when this
  // custom resource is first created.
  onCreate: {
    service: "CognitoIdentityServiceProvider",
    action: "updateUserPool",
    // UpdateUserPool is a full replace: every attribute not listed here
    // (DeviceConfiguration among them) goes back to its service default.
    parameters: {
      UserPoolId: cognitoUserPoolId,
      LambdaConfig: events
    },
    physicalResourceId: PhysicalResourceId.of(customResourceId)
  }
});

// The function and its resource policy must exist before the API call runs.
updateUserPoolTrigger.node.addDependency(lambda);
```

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.177.0

Framework Version

No response

Node.js Version

22.13.1

OS

MacOS 15.1.1

Language

TypeScript

Language Version

No response

Other information

No response

@cjnoname cjnoname added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 4, 2025
@github-actions github-actions bot added the @aws-cdk/aws-cognito Related to Amazon Cognito label Feb 4, 2025
@ashishdhingra ashishdhingra self-assigned this Feb 5, 2025
@ashishdhingra ashishdhingra added p2 investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Feb 5, 2025
ashishdhingra (Contributor) commented

@cjnoname Good afternoon. Thanks for opening the issue. Even if in your code you are using CDK's AwsCustomResource, it's actually making a Cognito service API call updateUserPool via the AWS.CognitoIdentityServiceProvider class from AWS SDK for JavaScript v3 @aws-sdk/client-cognito-identity-provider. CognitoIdentityServiceProvider.updateUserPool() invokes the service API operation UpdateUserPool for AWS Cognito. There is a note on the UpdateUserPool documentation page: "If you don't provide a value for an attribute, Amazon Cognito sets it to its default value."

So this issue is not a CDK or AWS JavaScript SDK issue, but a service API limitation. As a workaround, you could first make a describeUserPool() call to retrieve the DeviceConfiguration details and, during the updateUserPool call, set DeviceConfiguration again. Unfortunately, CDK has no control over service API design.

Thanks,
Ashish

@ashishdhingra ashishdhingra added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p3 and removed p2 investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Feb 6, 2025
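Worked example of the workaround described in the comment above, added here by the editor; it is not code from the issue or from aws-cdk. It is worth spelling out because the same full-replace rule applies to every UpdateUserPool attribute, not only DeviceConfiguration: MfaConfiguration, the password policy under Policies, UserPoolAddOns (advanced security), DeletionProtection and AccountRecoverySetting all revert to defaults when omitted, so a trigger-only update can quietly weaken a pool. The code reads the pool with DescribeUserPool, strips the output fields that UpdateUserPool does not accept, replaces only LambdaConfig, and checks afterwards that device tracking is unchanged. `CognitoClientLike`, `FakeCognito` and `SAMPLE_POOL` are constructed for this example so it runs without the AWS SDK; with the real client, implement the interface with `client.send(new DescribeUserPoolCommand(...))` and `client.send(new UpdateUserPoolCommand(...))`. Note that the custom resource role in the report would also need `cognito-idp:DescribeUserPool` for this to work.

```typescript
// Added example (not code from the issue or from aws-cdk): read-modify-write
// of a Cognito user pool so that changing Lambda triggers preserves every
// other setting. CognitoClientLike, FakeCognito and SAMPLE_POOL are
// constructed stand-ins so the file runs without the AWS SDK.

export type LambdaConfig = Record<string, string>;
export type UserPoolSettings = Record<string, unknown>;

// The two calls the workaround needs. With @aws-sdk/client-cognito-identity-provider,
// implement these with client.send(new DescribeUserPoolCommand(input)) and
// client.send(new UpdateUserPoolCommand(input)).
export interface CognitoClientLike {
  describeUserPool(input: { UserPoolId: string }): Promise<{ UserPool?: UserPoolSettings }>;
  updateUserPool(input: UserPoolSettings): Promise<unknown>;
}

// DescribeUserPool output fields that UpdateUserPool does not accept:
// identifiers, timestamps, immutable sign-in settings, domains and delivery
// diagnostics. Re-check against the API reference when the service adds fields.
export const READ_ONLY_FIELDS: ReadonlySet<string> = new Set([
  "Id", "Name", "Arn", "Status", "CreationDate", "LastModifiedDate",
  "EstimatedNumberOfUsers", "SchemaAttributes", "AliasAttributes",
  "UsernameAttributes", "UsernameConfiguration", "Domain", "CustomDomain",
  "SmsConfigurationFailure", "EmailConfigurationFailure",
]);

// Build the UpdateUserPool input from the current description. Every
// attribute omitted from UpdateUserPool reverts to its default, so all
// updatable fields are copied and only LambdaConfig is replaced.
export function buildUpdateUserPoolInput(current: UserPoolSettings, lambdaConfig: LambdaConfig): UserPoolSettings {
  const id = current["Id"];
  if (typeof id !== "string" || id === "") {
    throw new Error("DescribeUserPool output has no Id; refusing to build an update");
  }
  const input: UserPoolSettings = { UserPoolId: id };
  for (const key of Object.keys(current)) {
    if (!READ_ONLY_FIELDS.has(key) && current[key] !== undefined) input[key] = current[key];
  }
  // AdminCreateUserConfig.UnusedAccountValidityDays is a deprecated field that
  // DescribeUserPool still echoes; UpdateUserPool rejects it when
  // Policies.PasswordPolicy.TemporaryPasswordValidityDays is set, and the
  // password policy value is the one that counts, so drop the legacy copy.
  const adminCfg = input["AdminCreateUserConfig"];
  if (adminCfg !== null && typeof adminCfg === "object") {
    const cleaned: Record<string, unknown> = { ...(adminCfg as Record<string, unknown>) };
    delete cleaned["UnusedAccountValidityDays"];
    input["AdminCreateUserConfig"] = cleaned;
  }
  input["LambdaConfig"] = { ...lambdaConfig }; // the only intended change
  return input;
}

// Describe, update, describe again, and fail loudly if the device tracking
// setting the issue is about did not survive the round trip.
export async function applyLambdaTriggers(
  client: CognitoClientLike, userPoolId: string, lambdaConfig: LambdaConfig,
): Promise<UserPoolSettings> {
  const before = (await client.describeUserPool({ UserPoolId: userPoolId })).UserPool;
  if (!before) throw new Error(`user pool ${userPoolId} not found`);
  await client.updateUserPool(buildUpdateUserPoolInput(before, lambdaConfig));
  const after = (await client.describeUserPool({ UserPoolId: userPoolId })).UserPool ?? {};
  const wanted = JSON.stringify(before["DeviceConfiguration"] ?? null);
  const got = JSON.stringify(after["DeviceConfiguration"] ?? null);
  if (got !== wanted) throw new Error(`DeviceConfiguration changed: ${wanted} -> ${got}`);
  return after;
}

// Constructed stand-in for the service implementing the documented rule:
// read-only fields persist, every updatable attribute not supplied reverts to
// its default (modelled here as absent).
export class FakeCognito implements CognitoClientLike {
  pool: UserPoolSettings;
  constructor(pool: UserPoolSettings) { this.pool = { ...pool }; }
  async describeUserPool(_input: { UserPoolId: string }): Promise<{ UserPool?: UserPoolSettings }> {
    return { UserPool: { ...this.pool } };
  }
  async updateUserPool(input: UserPoolSettings): Promise<unknown> {
    const next: UserPoolSettings = {};
    READ_ONLY_FIELDS.forEach((key) => { if (this.pool[key] !== undefined) next[key] = this.pool[key]; });
    for (const key of Object.keys(input)) if (key !== "UserPoolId") next[key] = input[key];
    this.pool = next;
    return {};
  }
}

// Constructed sample pool: device tracking, MFA and a password policy are on.
export const SAMPLE_POOL: UserPoolSettings = {
  Id: "us-east-1_EXAMPLE",
  Name: "app-users",
  Arn: "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE",
  Status: "Enabled",
  EstimatedNumberOfUsers: 42,
  DeviceConfiguration: { ChallengeRequiredOnNewDevice: true, DeviceOnlyRememberedOnUserPrompt: true },
  MfaConfiguration: "ON",
  Policies: { PasswordPolicy: { MinimumLength: 12, TemporaryPasswordValidityDays: 7 } },
  AdminCreateUserConfig: { AllowAdminCreateUserOnly: true, UnusedAccountValidityDays: 7 },
  LambdaConfig: { PreSignUp: "arn:aws:lambda:us-east-1:123456789012:function:old-pre-signup" },
};
```

Calling `FakeCognito.updateUserPool` with only `UserPoolId` and `LambdaConfig` reproduces the reported behaviour (DeviceConfiguration and MfaConfiguration disappear), while `applyLambdaTriggers` keeps them. `READ_ONLY_FIELDS` is a deny-list rather than an allow-list on purpose: if the service adds an output field that UpdateUserPool also accepts, it is passed through unchanged, whereas an allow-list would silently reset it, which is exactly the failure mode this issue is about.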
cjnoname (Author) commented Feb 6, 2025

> @cjnoname Good afternoon. Thanks for opening the issue. Even if in your code you are using CDK's AwsCustomResource, it's actually making a Cognito service API call updateUserPool via the AWS.CognitoIdentityServiceProvider class from AWS SDK for JavaScript v3 @aws-sdk/client-cognito-identity-provider. CognitoIdentityServiceProvider.updateUserPool() invokes the service API operation UpdateUserPool for AWS Cognito. There is a note on the UpdateUserPool documentation page: "If you don't provide a value for an attribute, Amazon Cognito sets it to its default value."
>
> So this issue is not a CDK or AWS JavaScript SDK issue, but a service API limitation. As a workaround, you could first make a describeUserPool() call to retrieve the DeviceConfiguration details and, during the updateUserPool call, set DeviceConfiguration again. Unfortunately, CDK has no control over service API design.
>
> Thanks, Ashish

Hi Ashish,

Thanks for your help, it works!

Cheers mate

@cjnoname cjnoname closed this as completed Feb 6, 2025

github-actions bot commented Feb 6, 2025

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 6, 2025
Development

No branches or pull requests

2 participants