User Pool Properties are removed after add trigger to existing a pool #6499

Closed
hiramatsutaku opened this issue Aug 3, 2019 · 8 comments · Fixed by #6519 · May be fixed by hiramatsutaku/sls-debug-for-trigger-existing-pools#1

hiramatsutaku commented Aug 3, 2019

This is a Bug Report

Description

  • What went wrong?

After adding a trigger to an existing pool, the AutoVerifiedAttributes property of the pool was removed.

  • What did you expect should have happened?

I expect the AutoVerifiedAttributes property not to be removed after adding a trigger to existing pools.

  • What was the config you used?

I've used the serverless.yml below.

functions:
  hello:
    handler: handler.hello
    events:
      - cognitoUserPool:
          pool: sample
          trigger: PostConfirmation
          existing: true

The whole is here: https://github.com/hiramatsutaku/sls-debug-for-trigger-existing-pools/blob/master/serverless.yml

  • What stacktrace or error message from your provider did you see?
  1. Create User Pool
$ aws cognito-idp create-user-pool --pool-name sample --auto-verified-attributes email | jq '.UserPool.Id'
"ap-northeast-1_B9u8qsQOT"
$ aws cognito-idp describe-user-pool --user-pool-id ap-northeast-1_B9u8qsQOT | jq '.UserPool.AutoVerifiedAttributes'
[
  "email"
]
  2. Add trigger to existing User Pool
sls deploy
$ npx sls deploy --profile my-profile-here
Serverless: Packaging service...
Serverless: Excluding development dependencies...
Serverless: Installing dependencies for custom CloudFormation resources...
Serverless: Creating Stack...
Serverless: Checking Stack create progress...
.....
Serverless: Stack create finished...
Serverless: Uploading CloudFormation file to S3...
Serverless: Uploading artifacts...
Serverless: Uploading service sample.zip file to S3 (87.16 KB)...
Serverless: Uploading custom CloudFormation resources...
Serverless: Validating template...
Serverless: Updating Stack...
Serverless: Checking Stack update progress...
........................
Serverless: Stack update finished...
Service Information
service: sample
stage: dev
region: ap-northeast-1
stack: sample-dev
resources: 8
api keys:
  None
endpoints:
  None
functions:
  hello: sample-dev-hello
layers:
  None
Serverless: Run the "serverless" command to setup monitoring, troubleshooting and testing.
  3. Check user pool
$ aws cognito-idp describe-user-pool --user-pool-id ap-northeast-1_B9u8qsQOT  --profile my-profile-here | jq '.UserPool.AutoVerifiedAttributes'
null

I expect to return

not null but ↓

[
  "email"
]

Diff of User Pool (aws cognito-idp describe-user-pool command output)

% diff -u etc/before.json etc/after.json
--- etc/before.json	2019-08-03 23:29:05.000000000 +0900
+++ etc/after.json	2019-08-03 23:28:59.000000000 +0900
@@ -218,15 +218,12 @@
         "VerificationMessageTemplate": {
             "DefaultEmailOption": "CONFIRM_WITH_CODE"
         },
-        "LastModifiedDate": 1564839772.279,
+        "LastModifiedDate": 1564842153.819,
         "AdminCreateUserConfig": {
             "UnusedAccountValidityDays": 7,
             "AllowAdminCreateUserOnly": false
         },
         "EmailConfiguration": {},
-        "AutoVerifiedAttributes": [
-            "email"
-        ],
         "Policies": {
             "PasswordPolicy": {
                 "RequireLowercase": true,
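Review bot: The `LastModifiedDate` change at the top of this hunk is expected on any pool update and only adds noise next to the removed `AutoVerifiedAttributes` block. Dropping that field from both files before diffing, for example with `jq 'del(.UserPool.LastModifiedDate)'`, would leave only the unintended removal in the hunk.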
@@ -240,6 +237,8 @@
         "CreationDate": 1564839772.279,
         "EstimatedNumberOfUsers": 0,
         "Id": "ap-northeast-1_M2sH6hGdb",
-        "LambdaConfig": {}
+        "LambdaConfig": {
+            "PostConfirmation": "arn:aws:lambda:ap-northeast-1:***********:function:sample-dev-hello"
+        }
     }
 }
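Review bot: The `Id` context line in this hunk reads `ap-northeast-1_M2sH6hGdb`, while the reproduction commands above use `ap-northeast-1_B9u8qsQOT`, so the diff appears to come from a different pool than the one in the steps. Stating which run produced `etc/before.json` and `etc/after.json` would keep the report reproducible.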

Similar or dependent issues:

Additional Data

  • Serverless Framework Version you're using: 1.49.0
  • Operating System: macOS Mojave Version 10.14.3
  • Stack Trace: -
  • Provider Error messages: -
@ahmetcetin

Other settings are also affected. I have the following CognitoUserPool definition:

Type: AWS::Cognito::UserPool
Properties:
  # Generate a name based on the stage
  UserPoolName: "${self:custom.${self:custom.stage}UserPoolName}"
  # Set email as an alias
  UsernameAttributes:
    - email
  AutoVerifiedAttributes:
    - email
  Schema:
    - Name: name
      AttributeDataType: String
      Mutable: true
      Required: true
    - Name: email
      AttributeDataType: String
      Mutable: false
      Required: true
  Policies:
    PasswordPolicy:
      RequireLowercase: true
      RequireUppercase: false
      RequireSymbols: false
      RequireNumbers: false
      MinimumLength: 8

And function defined as:

functions:
  presign:
    handler: backend/pre_signup.handler
    events:
      - cognitoUserPool:
          pool: "${self:custom.${self:custom.stage}UserPoolName}"
          trigger: PreSignUp
          existing: true

After adding existing: true in the function trigger, the password policy was reset to the default Cognito settings, which require a lowercase letter, an uppercase letter, a symbol, and a number.

Strangely, when I change any of the password policy settings, like changing the minimum length to 6, deploying corrects the password policy settings, but this time the PreSignUp trigger is removed from the Cognito user pool.
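Both reports above describe pool settings reverting to defaults once a trigger is attached. The following is an added example, not code from the Serverless Framework or from #6519; it assumes the trigger is attached through Cognito's UpdateUserPool API, which sets every attribute the request omits to its default. The helper names, the `WRITABLE` list and the sample pool are hypothetical and constructed for illustration.

```javascript
'use strict';

// DescribeUserPool properties that UpdateUserPool also accepts. Assumption:
// written for this example; verify against the SDK version you deploy with.
const WRITABLE = [
  'Policies', 'AutoVerifiedAttributes', 'SmsVerificationMessage',
  'EmailVerificationMessage', 'EmailVerificationSubject',
  'VerificationMessageTemplate', 'SmsAuthenticationMessage',
  'MfaConfiguration', 'DeviceConfiguration', 'EmailConfiguration',
  'SmsConfiguration', 'UserPoolTags', 'AdminCreateUserConfig',
  'UserPoolAddOns', 'LambdaConfig',
];

// Hypothetical helper: a request that carries only the new trigger.
function triggerOnlyParams(pool, trigger, arn) {
  return { UserPoolId: pool.Id, LambdaConfig: { [trigger]: arn } };
}

// Hypothetical helper: copy the pool's current settings, then merge the trigger.
function retainingParams(pool, trigger, arn) {
  const params = { UserPoolId: pool.Id };
  for (const key of WRITABLE) {
    if (pool[key] !== undefined) params[key] = JSON.parse(JSON.stringify(pool[key]));
  }
  params.LambdaConfig = { ...params.LambdaConfig, [trigger]: arn };
  return params;
}

// Settings present on the pool that the request would leave unspecified.
function unspecifiedSettings(pool, params) {
  return WRITABLE.filter((k) => pool[k] !== undefined && params[k] === undefined);
}

// Constructed sample, shaped like the describe-user-pool output in this issue.
const samplePool = {
  Id: 'ap-northeast-1_EXAMPLE',
  LastModifiedDate: 1564839772.279,
  AutoVerifiedAttributes: ['email'],
  Policies: { PasswordPolicy: { MinimumLength: 8, RequireLowercase: true,
    RequireUppercase: false, RequireSymbols: false, RequireNumbers: false } },
  LambdaConfig: {},
};
const ARN = 'arn:aws:lambda:ap-northeast-1:000000000000:function:sample-dev-hello';

console.log(unspecifiedSettings(samplePool, triggerOnlyParams(samplePool, 'PostConfirmation', ARN)));
console.log(unspecifiedSettings(samplePool, retainingParams(samplePool, 'PostConfirmation', ARN)));
```

Running `unspecifiedSettings` against a real `describe-user-pool` response before a deploy lists the settings a trigger-only update would leave to the service defaults.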

@pmuens
Contributor

pmuens commented Aug 8, 2019

Interesting. Thanks for the in-depth bug report @hiramatsutaku 👍

We've just worked on some CognitoUserPool improvements which will be shipped via 1.50.0. I wonder if those also fix the problems described here. Can someone use the recent master to see if the problem still exists?

One thing to keep in mind is that as soon as you use a CognitoUserPool event you're handing over the trigger management to Serverless, so there's no way to do both: manual Trigger management and Trigger management via Serverless.

@pmuens
Contributor

pmuens commented Aug 8, 2019

@hiramatsutaku @ahmetcetin after digging deeper I was able to reproduce the problem and fixed it via #6519.

This fix seems to work on my end. Could you approve that it also fixes the problem on your end? Thanks!

@hiramatsutaku
Author

@pmuens
Thank you for the fix 😄

I checked https://github.com/serverless/serverless/tree/retain-cognito-user-pool-config and it works as expected 🎉

(The log is here. hiramatsutaku/sls-debug-for-trigger-existing-pools#1 (comment))

@pmuens
Contributor

pmuens commented Aug 9, 2019

Great! Thanks for testing and confirming @hiramatsutaku 👍

@jonathan-kosgei

jonathan-kosgei commented Jun 5, 2020

Hi @pmuens, I'm having a similar issue. Any change to the user pool, e.g. adding an attribute, removing an attribute, or updating the email configuration, causes all triggers to be removed after serverless deploy.

I'm creating the userpool in cloudformation and I'm on the latest serverless version 1.72.0

@harleyguru

Hi @pmuens, I am also facing the same issue as @jonathan-kosgei.
I have 2 services (2 serverless yml), splitting the resources into an application service (API Gateway, Lambda) and an infrastructure one (Cognito, S3, DB, etc.).
When I deploy the infrastructure service first and then deploy the application service, everything works right.
But once I change some configuration in the infrastructure service (i.e., Cognito attributes) and deploy it, it sets the triggers to none. And even if I deploy the application service again, it won't attach the Lambda triggers to the existing Cognito user pool.
Have you checked this case?
I'd like to get your quick update on this issue.
Thanks

@DavidWells
Contributor

I just noticed this as well. Adding an attribute to schema detached the triggers. Odd 😅

I might wire these up to the cognito pool using the function ARNs to work around this
