pulumi-aws
Cognito UserPool drifts birthdate schema
Describe what happened
Provisioning an aws.cognito.UserPool now automatically injects a "birthdate" schema into outputs, and subsequent pulumi up shows a diff that wants to remove it.
This problem was detected by TestRegress2868 test (addressing https://github.com/pulumi/pulumi-aws/issues/2868) that started failing without any code changes in pulumi-aws. There possibly is a change to the underlying service behavior. The test passed on 6.42.1 release but is now failing as of Jul 2, 2024.
Sample program
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

export const AppUsersPool = new aws.cognito.UserPool("test-user-pool-4", {
    accountRecoverySetting: {
        recoveryMechanisms: [{
            name: "verified_email",
            priority: 1,
        }],
    },
    autoVerifiedAttributes: ["email"],
    mfaConfiguration: "OPTIONAL",
    name: "test-user-pool-4",
    passwordPolicy: {
        minimumLength: 8,
        requireLowercase: true,
        requireNumbers: true,
        requireSymbols: true,
        requireUppercase: true,
        temporaryPasswordValidityDays: 300,
    },
    schemas: [{
        attributeDataType: "String",
        mutable: true,
        name: "name",
        required: true,
        stringAttributeConstraints: {
            maxLength: "2048",
            minLength: "0",
        },
    }],
    softwareTokenMfaConfiguration: {
        enabled: true,
    },
    usernameAttributes: ["email"],
    usernameConfiguration: {
        caseSensitive: false,
    },
});
```
Log output
pulumi preview diff shows this:
Previewing update (repro-2868)
View Live: https://app.pulumi.com/anton-pulumi-corp/regress-2868/repro-2868/previews/df782276-b2d7-40eb-8262-dd1f9b2b2da4
pulumi:pulumi:Stack: (same)
[urn=urn:pulumi:repro-2868::regress-2868::pulumi:pulumi:Stack::regress-2868-repro-2868]
~ aws:cognito/userPool:UserPool: (update)
[id=us-west-2_9WcQQRrMr]
[urn=urn:pulumi:repro-2868::regress-2868::aws:cognito/userPool:UserPool::test-user-pool-4]
[provider=urn:pulumi:repro-2868::regress-2868::pulumi:providers:aws::default_6_42_1::253529ba-3ef5-49fa-89d7-6a4efb3617b4]
~ schemas: [
~ [0]: {
+ __defaults : []
- attributeDataType : "String"
- attributeDataType : "String"
- developerOnlyAttribute : false
- mutable : true
- mutable : true
- name : "birthdate"
- name : "birthdate"
~ required : false => true
~ stringAttributeConstraints: {
+ __defaults: []
- maxLength : "10"
- maxLength : "10"
- minLength : "4"
- minLength : "4"
}
}
- [1]: {
- attributeDataType : "String"
- developerOnlyAttribute : false
- mutable : true
- name : "name"
- numberAttributeConstraints: <null>
- required : true
- stringAttributeConstraints: {
- maxLength: "2048"
- minLength: "0"
}
}
]
--outputs:--
~ AppUsersPool: {
accountRecoverySetting : {
recoveryMechanisms: [
[0]: {
name : "verified_email"
priority: 1
}
]
}
adminCreateUserConfig : {
allowAdminCreateUserOnly: false
inviteMessageTemplate : <null>
}
+ aliasAttributes : []
arn : "arn:aws:cognito-idp:us-west-2:616138583583:userpo
ol/us-west-2_9WcQQRrMr"
autoVerifiedAttributes : [
[0]: "email"
]
creationDate : "2024-07-02T15:12:22Z"
deletionProtection : "INACTIVE"
emailConfiguration : {
configurationSet : ""
emailSendingAccount: "COGNITO_DEFAULT"
fromEmailAddress : ""
replyToEmailAddress: ""
sourceArn : ""
}
endpoint : "cognito-idp.us-west-2.amazonaws.com/us-west-2_9Wc
QQRrMr"
estimatedNumberOfUsers : 0
id : "us-west-2_9WcQQRrMr"
lastModifiedDate : "2024-07-02T15:12:22Z"
mfaConfiguration : "OPTIONAL"
name : "test-user-pool-4"
passwordPolicy : {
minimumLength : 8
requireLowercase : true
requireNumbers : true
requireSymbols : true
requireUppercase : true
temporaryPasswordValidityDays: 300
}
softwareTokenMfaConfiguration: {
enabled: true
}
urn : "urn:pulumi:repro-2868::regress-2868::aws:cognito/
userPool:UserPool::test-user-pool-4"
usernameAttributes : [
[0]: "email"
]
usernameConfiguration : {
caseSensitive: false
}
verificationMessageTemplate : {
defaultEmailOption: "CONFIRM_WITH_CODE"
emailMessage : ""
emailMessageByLink: ""
emailSubject : ""
emailSubjectByLink: ""
smsMessage : ""
}
}
Resources:
~ 1 to update
1 unchanged
This is a confusing presentation (due to set diffs being confusing) but what is happening is that it's trying to remove the birthday schema. From `pulumi stack export`, the outputs now contain this:
```json
"schemas": [
    {
        "attributeDataType": "String",
        "developerOnlyAttribute": false,
        "mutable": true,
        "name": "birthdate",
        "numberAttributeConstraints": null,
        "required": false,
        "stringAttributeConstraints": {
            "maxLength": "10",
            "minLength": "4"
        }
    },
    {
        "attributeDataType": "String",
        "developerOnlyAttribute": false,
        "mutable": true,
        "name": "name",
        "numberAttributeConstraints": null,
        "required": true,
        "stringAttributeConstraints": {
            "maxLength": "2048",
            "minLength": "0"
        }
    }
],
```
Affected Resource(s)
aws.cognito.UserPool
Output of pulumi about
CLI
Version 3.121.0
Go Version go1.22.4
Go Compiler gc
Plugins
KIND NAME VERSION
resource aws 6.42.1
language nodejs unknown
Host
OS darwin
Version 14.5
Arch arm64
This project is written in nodejs: executable='/Users/anton/bin/node' version='v18.18.2'
Current Stack: anton-pulumi-corp/regress-2868/repro-2868
TYPE URN
pulumi:pulumi:Stack urn:pulumi:repro-2868::regress-2868::pulumi:pulumi:Stack::regress-2868-repro-2868
pulumi:providers:aws urn:pulumi:repro-2868::regress-2868::pulumi:providers:aws::default_6_42_1
aws:cognito/userPool:UserPool urn:pulumi:repro-2868::regress-2868::aws:cognito/userPool:UserPool::test-user-pool-4
Found no pending operations associated with repro-2868
Backend
Name pulumi.com
URL https://app.pulumi.com/anton-pulumi-corp
User anton-pulumi-corp
Organizations anton-pulumi-corp, moolumi, demo, pulumi
Token type personal
Dependencies:
NAME VERSION
@pulumi/aws 6.42.1
@pulumi/pulumi 3.122.0
@types/aws-sdk 2.7.0
@types/node 8.10.66
Pulumi locates its logs in /var/folders/gd/3ncjb1lj5ljgk8xl5ssn_gvc0000gn/T/com.apple.shortcuts.mac-helper// by default
Additional context
No response
Hello, I was about to open a case on this. It seems to be an issue with AWS Cognito itself as they recently changed or broke something. I've been tracking it here: https://github.com/hashicorp/terraform-provider-aws/issues/38197
Thanks @jamie1911 this is super helpful to have the upstream linked here!
I could work around this in our test by adding "birthdate" to the source program in https://github.com/pulumi/pulumi-aws/pull/4159 - can you similarly work around it for your Pulumi use case?
The upstream issue https://github.com/hashicorp/terraform-provider-aws/issues/38197 has been resolved:
AWS confirmed that they have reverted min length 4 for birthday, because of global issue for terraform users. Thank you for taking the time to raise this, and for the back and forth here. Given that the change has been reverted on the AWS end, it doesn't look like any additional changes are needed on the AWS Provider side. With that in mind, I'm going to close this issue.
so I'll close this issue too.
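
The comparison the issue makes between the program and the `pulumi stack export` output, written as an added example that is not part of the original thread or the pulumi-aws code base: it lists schema attributes that appear in exported state but were never declared, and shapes them as entries for the program's `schemas` list (the workaround suggested in the thread). The type and function names are hypothetical; the embedded JSON is the state fragment shown in the issue.

```typescript
// Added example: type and function names are hypothetical, not pulumi-aws APIs.
interface StringConstraints { maxLength?: string; minLength?: string }
interface SchemaAttr {
  name: string;
  attributeDataType: string;
  mutable?: boolean;
  required?: boolean;
  developerOnlyAttribute?: boolean;
  numberAttributeConstraints?: unknown;
  stringAttributeConstraints?: StringConstraints | null;
}

// What the sample program declares.
const declared: SchemaAttr[] = [{
  attributeDataType: "String", mutable: true, name: "name", required: true,
  stringAttributeConstraints: { maxLength: "2048", minLength: "0" },
}];

// The "schemas" array from `pulumi stack export`, as shown in the issue.
const exportedJson = `[
  {"attributeDataType":"String","developerOnlyAttribute":false,"mutable":true,
   "name":"birthdate","numberAttributeConstraints":null,"required":false,
   "stringAttributeConstraints":{"maxLength":"10","minLength":"4"}},
  {"attributeDataType":"String","developerOnlyAttribute":false,"mutable":true,
   "name":"name","numberAttributeConstraints":null,"required":true,
   "stringAttributeConstraints":{"maxLength":"2048","minLength":"0"}}
]`;

// Attributes the service reports that the program never declared.
function undeclaredSchemas(program: SchemaAttr[], state: SchemaAttr[]): SchemaAttr[] {
  const known = new Set(program.map((s) => s.name));
  return state.filter((s) => !known.has(s.name));
}

// Keep only the fields the sample program sets on its own schema entries,
// so the result can be added to the program's `schemas` list.
function toProgramInput(attr: SchemaAttr): SchemaAttr {
  const out: SchemaAttr = {
    name: attr.name, attributeDataType: attr.attributeDataType,
    mutable: attr.mutable, required: attr.required,
  };
  if (attr.stringAttributeConstraints) {
    out.stringAttributeConstraints = { ...attr.stringAttributeConstraints };
  }
  return out;
}

const injected = undeclaredSchemas(declared, JSON.parse(exportedJson) as SchemaAttr[]);
const toDeclare = injected.map(toProgramInput);
```

Here `injected` holds only the `birthdate` attribute, and `toDeclare` is the entry to add to the program so the next preview no longer tries to remove it.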