
NOTICE: aws-cognito-identitypool-alpha: "Resource of type 'AWS::Cognito::IdentityPoolRoleAttachment' with identifier '[...]' already exists." >=2.179.0 breaks deployment of existing identity pools #33510

Closed
monholm opened this issue Feb 19, 2025 · 6 comments · Fixed by #33609
Assignees
Labels
@aws-cdk/aws-cognito-identitypool bug This issue is a bug. effort/medium Medium work item – several days of effort management/tracking Issues that track a subject or multiple issues p1

Comments

@monholm
Contributor

monholm commented Feb 19, 2025

Please add your +1 👍 to let us know you have encountered this

Status: IN-PROGRESS

Overview:

Describe the bug

Upgrading past v2.178.2 causes deployment of a stack with an existing identity pool (deployed with version <= 2.178.2) to fail.

Last Known Working CDK Version

2.178.2

Expected Behavior

Stack to deploy without issues.

Current Behavior

Deployment fails with the following error:

```
The stack named AwsCdkReproStack failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "Resource of type 'AWS::Cognito::IdentityPoolRoleAttachment' with identifier 'eu-north-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' already exists." (RequestToken: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx, HandlerErrorCode: AlreadyExists)
```

Reproduction Steps

```shell
npx aws-cdk@2.178.2 init app --language typescript
npm add @aws-cdk/aws-cognito-identitypool-alpha@2.178.2-alpha.0
```

Add an identity pool to the stack, e.g.:

```typescript
import { IdentityPool } from "@aws-cdk/aws-cognito-identitypool-alpha";
import * as cdk from "aws-cdk-lib";
import { Construct } from "constructs";

export class AwsCdkReproStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Creates the identity pool together with its default role attachment
    new IdentityPool(this, "IdentityPool");
  }
}
```

```shell
cdk deploy
npm i aws-cdk@2.179.0 aws-cdk-lib@2.179.0 @aws-cdk/aws-cognito-identitypool-alpha@2.179.0-alpha.0
cdk deploy
```

Workaround

Bump to the latest CDK library version, v2.181.1.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.179.0

Framework Version

No response

Node.js Version

22.14.0

OS

macOS 15.3.1

Language

TypeScript

Language Version

No response

Other information

No response

@monholm monholm added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 19, 2025
@github-actions github-actions bot added @aws-cdk/aws-cognito-identitypool potential-regression Marking this issue as a potential regression to be checked by team member labels Feb 19, 2025
@pahud pahud self-assigned this Feb 19, 2025
@pahud
Contributor

pahud commented Feb 19, 2025

Before re-deployment, can you run cdk diff and see what's going to be changed?

Might be related to this:

Alpha modules (2.179.0-alpha.0)
⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES
cognito-identitypool-alpha: The IdentityPoolRoleAttachment construct and IdentityPool.addRoleMappings() function will no longer exist. This is to disambiguate that only one role attachment can exist per Identity Pool. If you are using the IdentityPool construct, this change will trigger a redeployment. If you need to add role mappings, please do so when the IdentityPool is created.

see #33305

@pahud pahud added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p3 and removed needs-triage This issue or PR still needs to be triaged. potential-regression Marking this issue as a potential regression to be checked by team member labels Feb 19, 2025
@pahud pahud removed their assignment Feb 19, 2025
@pahud pahud added the effort/medium Medium work item – several days of effort label Feb 19, 2025
@monholm
Contributor Author

monholm commented Feb 20, 2025

Sure. This is the cdk diff output:

```
Stack AwsCdkReproStack
Resources
[-] AWS::Cognito::IdentityPoolRoleAttachment IdentityPool/DefaultRoleAttachment IdentityPoolDefaultRoleAttachmentD81AFC39 destroy
[+] AWS::Cognito::IdentityPoolRoleAttachment IdentityPool/DefaultRoleAttachment IdentityPoolDefaultRoleAttachment40247836


✨  Number of stacks with differences: 1
```

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Feb 20, 2025
@monholm
Contributor Author

monholm commented Feb 21, 2025

@pahud thank you for the quick response by the way.

I couldn't help but notice the p3 label that you put on the issue - I don't wanna step on anyone's toes here, and I get that it's an alpha module. But leaving every stack that's using the main construct from the module, in an undeployable state, should probably warrant a higher than lowest priority? At least until an acceptable workaround is found?

I've not had much time to dig into this yet, but it seems to be caused by the change to an L1 construct to create the IdentityPoolRoleAttachment, which causes a new attachment to be created prior to deleting the L2 one.

@Leo10Gama
Member

Hi @monholm,

Yes you are right, this is definitely a higher-priority issue. Testing this on my machine, I can see that this not only triggers redeployment, but prevents any deployments from happening at all, since it attempts to create the new IdentityPoolRoleAttachment before deleting the previous one. Since only one role attachment can exist per IdentityPool, the deployment fails with that error that the resource already exists.

We're working on a fix for this now, and should have the issue patched soon.
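The failure mode described in the two comments above (a logical-ID change turns an update into a create-then-delete replacement, which cannot succeed for a resource type that allows only one instance per parent) can be caught before `cdk deploy` by inspecting the `cdk diff` output. The following is an added example, not code from this issue or from the aws-cdk project: it parses the `[-]`/`[+]` resource lines in the format shown in the diff above and flags replacements of types listed in a hand-maintained `SINGLETON_TYPES` set. The set, the function names and the `Replacement` shape are assumptions for this example; `AWS::Cognito::IdentityPoolRoleAttachment` is the one entry the issue itself documents.

```typescript
// Added example (not part of the aws-cdk issue or project): a pre-deploy check
// that scans `cdk diff` output for resources being replaced (destroyed and
// re-created under a new logical ID) whose type permits only one instance per
// parent. CloudFormation creates replacement resources before it deletes the
// removed ones, so such a replacement fails with "already exists".

// Assumption: resource types that are singletons per parent resource. The
// IdentityPoolRoleAttachment limit is the one documented in this issue; extend
// the set for your own environment.
const SINGLETON_TYPES: ReadonlySet<string> = new Set([
  "AWS::Cognito::IdentityPoolRoleAttachment",
]);

interface DiffEntry {
  op: "-" | "+";
  type: string;      // CloudFormation resource type
  path: string;      // construct path, e.g. IdentityPool/DefaultRoleAttachment
  logicalId: string; // template logical ID (contains the construct hash)
}

interface Replacement {
  type: string;
  path: string;
  oldLogicalId: string;
  newLogicalId: string;
}

// Matches resource lines of the form:
// [-] AWS::Cognito::IdentityPoolRoleAttachment IdentityPool/DefaultRoleAttachment IdentityPoolDefaultRoleAttachmentD81AFC39 destroy
const LINE_RE = /^\[([-+])\]\s+(\S+)\s+(\S+)\s+(\S+)/;

function parseDiff(diff: string): DiffEntry[] {
  const entries: DiffEntry[] = [];
  for (const raw of diff.split("\n")) {
    const m = LINE_RE.exec(raw.trim());
    if (!m) continue; // headers, summaries and blank lines are skipped
    entries.push({ op: m[1] as "-" | "+", type: m[2], path: m[3], logicalId: m[4] });
  }
  return entries;
}

// A replacement is a destroy and a create of the same resource type at the
// same construct path, but under different logical IDs.
function findSingletonReplacements(diff: string): Replacement[] {
  const entries = parseDiff(diff);
  const removed = new Map<string, DiffEntry>();
  for (const e of entries) {
    if (e.op === "-") removed.set(`${e.type} ${e.path}`, e);
  }
  const out: Replacement[] = [];
  for (const e of entries) {
    if (e.op !== "+") continue;
    const old = removed.get(`${e.type} ${e.path}`);
    if (!old || old.logicalId === e.logicalId) continue;
    if (!SINGLETON_TYPES.has(e.type)) continue;
    out.push({ type: e.type, path: e.path, oldLogicalId: old.logicalId, newLogicalId: e.logicalId });
  }
  return out;
}

// Human-readable report; an empty array means the diff is safe with respect to
// this check.
function report(diff: string): string[] {
  return findSingletonReplacements(diff).map(
    (r) =>
      `BLOCKING: ${r.type} at ${r.path} is replaced (${r.oldLogicalId} -> ${r.newLogicalId}); ` +
      `only one may exist per parent, so create-before-delete will fail`,
  );
}

// Constructed sample input: the cdk diff output posted earlier in this issue.
const SAMPLE_DIFF = `Stack AwsCdkReproStack
Resources
[-] AWS::Cognito::IdentityPoolRoleAttachment IdentityPool/DefaultRoleAttachment IdentityPoolDefaultRoleAttachmentD81AFC39 destroy
[+] AWS::Cognito::IdentityPoolRoleAttachment IdentityPool/DefaultRoleAttachment IdentityPoolDefaultRoleAttachment40247836


✨  Number of stacks with differences: 1
`;

for (const line of report(SAMPLE_DIFF)) console.log(line);
```

In a pipeline this would be run as `cdk diff 2>&1 | tee diff.txt` followed by the check over `diff.txt`, failing the job when `report` returns anything; that turns the silent logical-ID change from the 2.179.0 upgrade into an explicit gate rather than a failed `UPDATE_ROLLBACK`.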

@Leo10Gama Leo10Gama added p1 and removed p3 labels Feb 27, 2025
@Leo10Gama Leo10Gama self-assigned this Feb 27, 2025
@Leo10Gama Leo10Gama added the management/tracking Issues that track a subject or multiple issues label Feb 27, 2025
@Leo10Gama Leo10Gama changed the title aws-cognito-identitypool-alpha: >=2.179.0 breaks deployment of existing identity pools NOTICE: aws-cognito-identitypool-alpha: "Resource of type 'AWS::Cognito::IdentityPoolRoleAttachment' with identifier '[...]' already exists." >=2.179.0 breaks deployment of existing identity pools Feb 27, 2025
@Leo10Gama Leo10Gama pinned this issue Feb 27, 2025
@mergify mergify bot closed this as completed in #33609 Feb 27, 2025
@mergify mergify bot closed this as completed in e220bc8 Feb 27, 2025
Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.


@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 27, 2025
Leo10Gama added a commit that referenced this issue Feb 27, 2025
…rrectly (#33609)

### Issue # (if applicable)

Closes #33510 

### Reason for this change

A previous change ([PR33305](#33305)) removed the `IdentityPoolRoleAttachment` L2 construct, which also changed the creation logic of the default role attachment in the `IdentityPool` L2. This not only triggered redeployments, but did not allow for redeployment at all, as the new role attachment (with a different resource hash) was trying to be created before the old one was removed. This led to failed deployments, as only one role attachment can exist per identity pool.

### Description of changes

Brought back the `IdentityPoolRoleAttachment` L2 logic to prevent redeployment for customers using CDK `<v2.179.0`. However, the construct is now no longer being exported, which preserves the original intention of preventing confusion about using this resource.

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

`yarn test && yarn integ test/integ.identitypool.js --update-on-failed`

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

**BREAKING CHANGE**: Any `IdentityPool` resources deployed in versions `>=2.179.0` will now fail to deploy. You will need to delete the `IdentityPoolRoleAttachment` from your stack via the console before redeploying.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*