
Can't create new amplify env because MFALambdaRole already exists

Open · DevTGhosh opened this issue 9 months ago • 1 comment

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

v20.11.0

Amplify CLI Version

12.9.0

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No manual changes made

Describe the bug

Trying to create a new amplify env and then running `amplify push` fails with the following error:

🛑 The following resources failed to deploy: Resource Name: MFALambdaRole (AWS::IAM::Role) Event Type: create Reason: The policy chedar678aa9d9_sns_pass_role_policy already exists on the role chedar678aa9d9_totp_lambda_role-dev.

🛑 Resource is not in the state stackUpdateComplete Name: MFALambdaRole (AWS::IAM::Role), Event Type: create, Reason: The policy chedar678aa9d9_sns_pass_role_policy already exists on the role chedar678aa9d9_totp_lambda_role-dev., IsCustomResource: false

Expected behavior

To be able to create a new amplify env.

Reproduction steps

  1. Create a new amplify env
  2. amplify push

Project Identifier

Project Identifier: c1df5805dc85b2b52388558184e19166

Log output

# Put your logs below this line


Additional information

My auth CloudFormation template:

{ "Description": "{\"createdOn\":\"Mac\",\"createdBy\":\"Amplify\",\"createdWith\":\"12.9.0\",\"stackType\":\"auth-Cognito\",\"metadata\":{}}", "AWSTemplateFormatVersion": "2010-09-09", "Parameters": { "env": { "Type": "String" }, "functionchedarAuthTestPostConfirmationArn": { "Type": "String", "Default": "functionchedarAuthTestPostConfirmationArn" }, "functionchedarAuthTestPostConfirmationName": { "Type": "String", "Default": "functionchedarAuthTestPostConfirmationName" }, "identityPoolName": { "Type": "String" }, "allowUnauthenticatedIdentities": { "Type": "String" }, "resourceNameTruncated": { "Type": "String" }, "userPoolName": { "Type": "String" }, "autoVerifiedAttributes": { "Type": "CommaDelimitedList" }, "mfaConfiguration": { "Type": "String" }, "mfaTypes": { "Type": "CommaDelimitedList" }, "smsAuthenticationMessage": { "Type": "String" }, "smsVerificationMessage": { "Type": "String" }, "emailVerificationSubject": { "Type": "String" }, "emailVerificationMessage": { "Type": "String" }, "defaultPasswordPolicy": { "Type": "String" }, "passwordPolicyMinLength": { "Type": "String" }, "passwordPolicyCharacters": { "Type": "CommaDelimitedList" }, "requiredAttributes": { "Type": "CommaDelimitedList" }, "aliasAttributes": { "Type": "CommaDelimitedList" }, "userpoolClientGenerateSecret": { "Type": "String" }, "userpoolClientRefreshTokenValidity": { "Type": "String" }, "userpoolClientWriteAttributes": { "Type": "CommaDelimitedList" }, "userpoolClientReadAttributes": { "Type": "CommaDelimitedList" }, "userpoolClientLambdaRole": { "Type": "String" }, "userpoolClientSetAttributes": { "Type": "String" }, "authSelections": { "Type": "String" }, "resourceName": { "Type": "String" }, "serviceName": { "Type": "String" }, "useDefault": { "Type": "String" }, "sharedId": { "Type": "String" }, "userPoolGroupList": { "Type": "CommaDelimitedList" }, "userPoolGroups": { "Type": "String" }, "usernameCaseSensitive": { "Type": "String" }, "adminQueries": { "Type": "String" }, 
"hostedUI": { "Type": "String" }, "triggers": { "Type": "String" }, "authRoleArn": { "Type": "String" }, "unauthRoleArn": { "Type": "String" }, "breakCircularDependency": { "Type": "String" }, "useEnabledMfas": { "Type": "String" }, "dependsOn": { "Type": "CommaDelimitedList" }, "permissions": { "Type": "CommaDelimitedList" }, "authTriggerConnections": { "Type": "CommaDelimitedList" }, "parentStack": { "Type": "String" }, "authProviders": { "Type": "CommaDelimitedList" }, "thirdPartyAuth": { "Type": "String" } }, "Conditions": { "ShouldNotCreateEnvResources": { "Fn::Equals": [ { "Ref": "env" }, "NONE" ] } }, "Resources": { "SNSRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "cognito-idp.amazonaws.com" }, "Action": [ "sts:AssumeRole" ], "Condition": { "StringEquals": { "sts:ExternalId": "chedar678aa9d9_role_external_id" } } } ] }, "Policies": [ { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": "*" } ] }, "PolicyName": "chedar678aa9d9-sns-policy" } ], "RoleName": { "Fn::If": [ "ShouldNotCreateEnvResources", "chedar678aa9d9_sns-role", { "Fn::Join": [ "", [ "sns678aa9d9", { "Fn::Select": [ 3, { "Fn::Split": [ "-", { "Ref": "AWS::StackName" } ] } ] }, "-", { "Ref": "env" } ] ] } ] } } }, "UserPool": { "Type": "AWS::Cognito::UserPool", "Properties": { "AdminCreateUserConfig": { "InviteMessageTemplate": { "EmailMessage": "

Clap!

Thank you for signing up to your first scene

\"\"

Bienvenue,

Votre compte Chedar a bien été créé.

Vous trouverez ci-dessous les accès à votre compte:

  • Lien:app.chedar.fr
  • Nom d'utilisateur: {username}
  • Mot de passe temporaire: {####}

Notre centre de formation est accessible ici:learn.chedar.io

Happy budgeting,

l'Equipe Chedar

 

Si vous avez des soucis à vous connectez, veuillez nous contacter à[email protected]

\"\"
", "EmailSubject": "You're Invited to Chedar!" } }, "AutoVerifiedAttributes": [ "email" ], "EmailConfiguration": { "EmailSendingAccount": "DEVELOPER", "From": "[email protected]", "ReplyToEmailAddress": "[email protected]", "SourceArn": "arn:aws:ses:eu-west-1:251651594881:identity/[email protected]" }, "EmailVerificationMessage": { "Ref": "emailVerificationMessage" }, "EmailVerificationSubject": { "Ref": "emailVerificationSubject" }, "LambdaConfig": { "PostConfirmation": { "Ref": "functionchedarAuthTestPostConfirmationArn" } }, "MfaConfiguration": { "Ref": "mfaConfiguration" }, "Policies": { "PasswordPolicy": { "MinimumLength": { "Ref": "passwordPolicyMinLength" }, "RequireLowercase": false, "RequireNumbers": false, "RequireSymbols": false, "RequireUppercase": false, "TemporaryPasswordValidityDays": 60 } }, "Schema": [ { "Mutable": true, "Name": "email", "Required": true }, { "AttributeDataType": "String", "DeveloperOnlyAttribute": false, "Mutable": true, "Name": "tenantid", "Required": false } ], "SmsAuthenticationMessage": { "Ref": "smsAuthenticationMessage" }, "SmsConfiguration": { "ExternalId": "chedar678aa9d9_role_external_id", "SnsCallerArn": { "Fn::GetAtt": [ "SNSRole", "Arn" ] } }, "SmsVerificationMessage": { "Ref": "smsVerificationMessage" }, "UserAttributeUpdateSettings": { "AttributesRequireVerificationBeforeUpdate": [ "email" ] }, "UsernameConfiguration": { "CaseSensitive": false }, "UserPoolName": { "Fn::If": [ "ShouldNotCreateEnvResources", { "Ref": "userPoolName" }, { "Fn::Join": [ "", [ { "Ref": "userPoolName" }, "-", { "Ref": "env" } ] ] } ] }, "VerificationMessageTemplate": { "EmailMessage": "Your verification code for Chedar is {####}", "EmailSubject": "Your verification code for Chedar" } } }, "UserPoolPostConfirmationLambdaInvokePermission": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:invokeFunction", "FunctionName": { "Ref": "functionchedarAuthTestPostConfirmationName" }, "Principal": "cognito-idp.amazonaws.com", 
"SourceArn": { "Fn::GetAtt": [ "UserPool", "Arn" ] } } }, "chedarAuthTestPostConfirmationAddToGroupCognito": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cognito-idp:AdminAddUserToGroup", "cognito-idp:GetGroup", "cognito-idp:CreateGroup" ], "Resource": { "Fn::GetAtt": [ "UserPool", "Arn" ] } } ] }, "PolicyName": "chedarAuthTestPostConfirmationAddToGroupCognito", "Roles": [ { "Fn::Join": [ "", [ "chedarAuthTestPostConfirmation-", { "Ref": "env" } ] ] } ] } }, "UserPoolClientWeb": { "Type": "AWS::Cognito::UserPoolClient", "Properties": { "UserPoolId": { "Ref": "UserPool" }, "ClientName": "chedar678aa9d9_app_clientWeb", "ReadAttributes": [ "email", "custom:tenantid" ], "RefreshTokenValidity": { "Ref": "userpoolClientRefreshTokenValidity" }, "TokenValidityUnits": { "RefreshToken": "days" }, "WriteAttributes": [ "email", "custom:tenantid" ] }, "DependsOn": [ "UserPool" ] }, "UserPoolClient": { "Type": "AWS::Cognito::UserPoolClient", "Properties": { "UserPoolId": { "Ref": "UserPool" }, "ClientName": "chedar678aa9d9_app_client", "GenerateSecret": { "Ref": "userpoolClientGenerateSecret" }, "ReadAttributes": [ "email", "custom:tenantid" ], "RefreshTokenValidity": { "Ref": "userpoolClientRefreshTokenValidity" }, "TokenValidityUnits": { "RefreshToken": "days" }, "WriteAttributes": [ "email", "custom:tenantid" ] }, "DependsOn": [ "UserPool" ] }, "UserPoolClientRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }, "RoleName": { "Fn::If": [ "ShouldNotCreateEnvResources", { "Ref": "userpoolClientLambdaRole" }, { "Fn::Join": [ "", [ "upClientLambdaRole678aa9d9", { "Fn::Select": [ 3, { "Fn::Split": [ "-", { "Ref": "AWS::StackName" } ] } ] }, "-", { "Ref": "env" } ] ] } ] } } }, "MFALambdaRole": { "Type": 
"AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }, "Policies": [ { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": { "Fn::If": [ "ShouldNotCreateEnvResources", "arn:aws:iam:::role/chedar678aa9d9_totp_lambda_role", { "Fn::Join": [ "", [ "arn:aws:iam:::role/chedar678aa9d9__totp_lambda_role-", { "Ref": "env" } ] ] } ] } } ] }, "PolicyName": "chedar678aa9d9_totp_pass_role_policy" }, { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": { "Fn::GetAtt": [ "SNSRole", "Arn" ] } } ] }, "PolicyName": "chedar678aa9d9_sns_pass_role_policy" } ], "RoleName": { "Fn::If": [ "ShouldNotCreateEnvResources", "chedar678aa9d9_totp_lambda_role", { "Fn::Join": [ "", [ "chedar678aa9d9_totp_lambda_role-", { "Ref": "env" } ] ] } ] } }, "DependsOn": [ "SNSRole" ] }, "MFALambda": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "ZipFile": "const response = require('cfn-response');\nconst { CognitoIdentityProviderClient, SetUserPoolMfaConfigCommand } = require('@aws-sdk/client-cognito-identity-provider');\nconst identity = new CognitoIdentityProviderClient({});\n\nexports.handler = (event, context) => {\n // Don't return promise, response.send() marks context as done internally\n void tryHandleEvent(event, context);\n};\n\nasync function tryHandleEvent(event, context) {\n try {\n await handleEvent(event);\n response.send(event, context, response.SUCCESS, {});\n } catch (e) {\n response.send(event, context, response.FAILED, { e });\n }\n}\n\nasync function handleEvent(event) {\n if (event.RequestType === 'Update' || event.RequestType === 'Create') {\n const totpParams = {\n UserPoolId: event.ResourceProperties.userPoolId,\n MfaConfiguration: 
event.ResourceProperties.mfaConfiguration,\n SmsMfaConfiguration: {\n SmsAuthenticationMessage: event.ResourceProperties.smsAuthenticationMessage,\n SmsConfiguration: {\n SnsCallerArn: event.ResourceProperties.smsConfigCaller,\n ExternalId: event.ResourceProperties.smsConfigExternalId,\n },\n },\n SoftwareTokenMfaConfiguration: { Enabled: event.ResourceProperties.totpEnabled.toLowerCase() === 'true' },\n };\n console.log(totpParams);\n\n await identity.send(new SetUserPoolMfaConfigCommand(totpParams));\n }\n}\n" }, "Role": { "Fn::GetAtt": [ "MFALambdaRole", "Arn" ] }, "Handler": "index.handler", "Runtime": "nodejs18.x", "Timeout": 300 }, "DependsOn": [ "MFALambdaRole" ] }, "MFALambdaPolicy": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cognito-idp:SetUserPoolMfaConfig" ], "Resource": { "Fn::GetAtt": [ "UserPool", "Arn" ] } } ] }, "PolicyName": "chedar678aa9d9_totp_lambda_iam_policy", "Roles": [ { "Fn::If": [ "ShouldNotCreateEnvResources", "chedar678aa9d9_totp_lambda_role", { "Fn::Join": [ "", [ "chedar678aa9d9_totp_lambda_role-", { "Ref": "env" } ] ] } ] } ] }, "DependsOn": [ "MFALambda" ] }, "MFALogPolicy": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": { "Fn::Sub": [ "arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*", { "region": { "Ref": "AWS::Region" }, "account": { "Ref": "AWS::AccountId" }, "lambda": { "Ref": "MFALambda" } } ] } } ] }, "PolicyName": "chedar678aa9d9_totp_lambda_log_policy", "Roles": [ { "Fn::If": [ "ShouldNotCreateEnvResources", "chedar678aa9d9_totp_lambda_role", { "Fn::Join": [ "", [ "chedar678aa9d9_totp_lambda_role-", { "Ref": "env" } ] ] } ] } ] }, "DependsOn": [ "MFALambdaPolicy" ] }, "MFALambdaInputs": { "Type": "Custom::LambdaCallout", 
"Properties": { "ServiceToken": { "Fn::GetAtt": [ "MFALambda", "Arn" ] }, "mfaConfiguration": { "Ref": "mfaConfiguration" }, "totpEnabled": true, "smsConfigCaller": { "Fn::GetAtt": [ "SNSRole", "Arn" ] }, "smsAuthenticationMessage": { "Ref": "smsAuthenticationMessage" }, "smsConfigExternalId": "chedar678aa9d9_role_external_id", "userPoolId": { "Ref": "UserPool" } }, "DependsOn": [ "MFALogPolicy" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, "IdentityPool": { "Type": "AWS::Cognito::IdentityPool", "Properties": { "AllowUnauthenticatedIdentities": { "Ref": "allowUnauthenticatedIdentities" }, "CognitoIdentityProviders": [ { "ClientId": { "Ref": "UserPoolClient" }, "ProviderName": { "Fn::Sub": [ "cognito-idp.${region}.amazonaws.com/${client}", { "region": { "Ref": "AWS::Region" }, "client": { "Ref": "UserPool" } } ] } }, { "ClientId": { "Ref": "UserPoolClientWeb" }, "ProviderName": { "Fn::Sub": [ "cognito-idp.${region}.amazonaws.com/${client}", { "region": { "Ref": "AWS::Region" }, "client": { "Ref": "UserPool" } } ] } } ], "IdentityPoolName": { "Fn::If": [ "ShouldNotCreateEnvResources", "chedarv2678aa9d9_identitypool_678aa9d9", { "Fn::Join": [ "", [ "chedarv2678aa9d9_identitypool_678aa9d9__", { "Ref": "env" } ] ] } ] } } }, "IdentityPoolRoleMap": { "Type": "AWS::Cognito::IdentityPoolRoleAttachment", "Properties": { "IdentityPoolId": { "Ref": "IdentityPool" }, "RoleMappings": { "UserPoolClientRoleMapping": { "AmbiguousRoleResolution": "AuthenticatedRole", "IdentityProvider": { "Fn::Sub": [ "cognito-idp.${region}.amazonaws.com/${userPool}:${client}", { "region": { "Ref": "AWS::Region" }, "userPool": { "Ref": "UserPool" }, "client": { "Ref": "UserPoolClient" } } ] }, "Type": "Token" }, "UserPoolWebClientRoleMapping": { "AmbiguousRoleResolution": "AuthenticatedRole", "IdentityProvider": { "Fn::Sub": [ "cognito-idp.${region}.amazonaws.com/${userPool}:${webClient}", { "region": { "Ref": "AWS::Region" }, "userPool": { "Ref": "UserPool" }, "webClient": { 
"Ref": "UserPoolClientWeb" } } ] }, "Type": "Token" } }, "Roles": { "unauthenticated": { "Ref": "unauthRoleArn" }, "authenticated": { "Ref": "authRoleArn" } } }, "DependsOn": [ "IdentityPool", "UserPoolClient", "UserPoolClientWeb" ] } }, "Outputs": { "IdentityPoolId": { "Description": "Id for the identity pool", "Value": { "Ref": "IdentityPool" } }, "IdentityPoolName": { "Value": { "Fn::GetAtt": [ "IdentityPool", "Name" ] } }, "UserPoolId": { "Description": "Id for the user pool", "Value": { "Ref": "UserPool" } }, "UserPoolArn": { "Description": "Arn for the user pool", "Value": { "Fn::GetAtt": [ "UserPool", "Arn" ] } }, "UserPoolName": { "Value": { "Ref": "userPoolName" } }, "AppClientIDWeb": { "Description": "The user pool app client id for web", "Value": { "Ref": "UserPoolClientWeb" } }, "AppClientID": { "Description": "The user pool app client id", "Value": { "Ref": "UserPoolClient" } }, "CreatedSNSRole": { "Description": "role arn", "Value": { "Fn::GetAtt": [ "SNSRole", "Arn" ] } } } }
Before submitting, please confirm:
  • [X] I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • [X] I have removed any sensitive information from my code snippets and submission.

DevTGhosh avatar May 16 '24 19:05 DevTGhosh