
aws-cognito: CfnLogDeliveryConfiguration wrong regular expression #31241

Open
AllanOricil opened this issue Aug 28, 2024 · 3 comments
Labels
@aws-cdk/aws-cognito Related to Amazon Cognito bug This issue is a bug. needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. p2

Comments

@AllanOricil

AllanOricil commented Aug 28, 2024

Describe the bug

I can't create a CfnLogDeliveryConfiguration because it is not accepting my log group ARN.

const userpolLogsGroup = new logs.LogGroup(
  this,
  "node-ready-user-pool-logs-group",
  {
    logGroupName: "/node-ready/cognito/userpool/node-ready-user-pool",
    removalPolicy: cdk.RemovalPolicy.DESTROY,
    retention: logs.RetentionDays.ONE_WEEK,
  },
);

new cognito.CfnLogDeliveryConfiguration(
  this,
  "node-ready-user-pool-log-delivery-configuration",
  {
    userPoolId: this.cognitoUserPool.userPoolId,
    logConfigurations: [
      {
        cloudWatchLogsConfiguration: {
          logGroupArn: userpolLogsGroup.logGroupArn,
        },
        eventSource: "userNotification",
        logLevel: "ERROR",
      },
    ],
  },
);

image

As you can see, the issue is with the "*" at the end, which the regular expression for CloudWatchLogsConfiguration.logGroupArn doesn't accept.

Regression Issue

  • [x] Select this option if this issue appears to be a regression.

Apparently you touched it already, according to a ticket a guy reported a few months ago. But it broke again in a different part of the regex.

https://repost.aws/questions/QUhjYRB83zR_Od3frN-PRQww/cloudformation-regex-validation-error-in-cognito-logdeliveryconfiguration-cloudwatchlogsconfiguration-loggrouparn

Last Known Working CDK Version

2.154.0

Expected Behavior

CfnLogDeliveryConfiguration.logConfigurations.cloudWatchLogsConfiguration.logGroupArn must accept log group ARNs that end with "*".

The official documentation for this property is also wrong, as you can see in the image below.

image source: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-cloudwatchlogsconfiguration.html

Current Behavior

image

Reproduction Steps

Try to deploy a CDK v2 stack with these constructs in it:

const userpolLogsGroup = new logs.LogGroup(
  this,
  "node-ready-user-pool-logs-group",
  {
    logGroupName: "/node-ready/cognito/userpool/node-ready-user-pool",
    removalPolicy: cdk.RemovalPolicy.DESTROY,
    retention: logs.RetentionDays.ONE_WEEK,
  },
);

new cognito.CfnLogDeliveryConfiguration(
  this,
  "node-ready-user-pool-log-delivery-configuration",
  {
    userPoolId: this.cognitoUserPool.userPoolId,
    logConfigurations: [
      {
        cloudWatchLogsConfiguration: {
          logGroupArn: userpolLogsGroup.logGroupArn,
        },
        eventSource: "userNotification",
        logLevel: "ERROR",
      },
    ],
  },
);

Possible Solution

Before validating the ARN, which is generated by CloudFormation, split it by `:`, remove the last token, then validate. This way you don't need to change the regular expression you currently use.

WORKAROUND

Build the ARN yourself instead of relying on CloudFormation:

new cognito.CfnLogDeliveryConfiguration(
  this,
  "node-ready-user-pool-log-delivery-configuration",
  {
    userPoolId: this.cognitoUserPool.userPoolId,
    logConfigurations: [
      {
        cloudWatchLogsConfiguration: {
          logGroupArn: `arn:aws:logs:${getEnvVar("CDK_DEFAULT_REGION")}:${getEnvVar("CDK_DEFAULT_ACCOUNT")}:log-group:${userpolLogsGroup.logGroupName}`,
        },
        eventSource: "userNotification",
        logLevel: "ERROR",
      },
    ],
  },
);

Additional Information/Context

No response

CDK CLI Version

2.154.0

Framework Version

No response

Node.js Version

18.19

OS

macos

Language

TypeScript

Language Version

5.0.4

Other information

No response
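The two approaches in the "Possible Solution" and "WORKAROUND" sections above, as an added worked example that is not part of the issue and not code from the aws-cdk project. The pattern is copied from the CloudFormation validation error quoted later in this thread and anchored so the whole value must match; the ARN value and the account id are constructed sample data. The normalization is slightly narrower than the proposal (drop the last `:`-separated token): it only drops a literal trailing `*`, so an ARN that already lacks the `:*` suffix keeps its log group name. The helper names (`stripLogGroupWildcard`, `buildLogGroupArn`, `matchesCognitoLogGroupArnPattern`) are my own; no CDK dependency is needed to run it.

```typescript
// Pattern quoted in the CloudFormation error in this issue, anchored to the full value.
// Note that "*" is not in the character class, which is why the Fn::GetAtt Arn fails.
const COGNITO_LOG_GROUP_ARN_PATTERN =
  /^arn:[\w+=\/,.@-]+:[\w+=\/,.@-]+:([\w+=\/,.@-]*)?:[0-9]+:[\w+=\/,.@-]+(:[\w+=\/,.@-]+)?(:[\w+=\/,.@-]+)?$/;

function matchesCognitoLogGroupArnPattern(arn: string): boolean {
  return COGNITO_LOG_GROUP_ARN_PATTERN.test(arn);
}

// "Possible Solution" from the issue, narrowed: split on ":" and drop the last token
// only when it is the literal "*" that AWS::Logs::LogGroup's Arn attribute appends.
function stripLogGroupWildcard(arn: string): string {
  const parts = arn.split(":");
  if (parts.length > 1 && parts[parts.length - 1] === "*") {
    parts.pop();
  }
  return parts.join(":");
}

// "WORKAROUND" from the issue as a function: assemble the ARN from its components
// instead of reading it back from CloudFormation.
function buildLogGroupArn(
  partition: string,
  region: string,
  account: string,
  logGroupName: string,
): string {
  return `arn:${partition}:logs:${region}:${account}:log-group:${logGroupName}`;
}

// Runs both checks on one value and reports what the service would accept.
function checkLogGroupArn(arn: string): {
  acceptedAsIs: boolean;
  normalized: string;
  acceptedAfterNormalizing: boolean;
} {
  const normalized = stripLogGroupWildcard(arn);
  return {
    acceptedAsIs: matchesCognitoLogGroupArnPattern(arn),
    normalized,
    acceptedAfterNormalizing: matchesCognitoLogGroupArnPattern(normalized),
  };
}

// Constructed sample: same shape as the value in the error, with a placeholder account id.
const SAMPLE_GETATT_ARN =
  "arn:aws:logs:us-east-2:123456789012:log-group:/node-ready/cognito/userpool/node-ready-user-pool:*";

console.log(JSON.stringify(checkLogGroupArn(SAMPLE_GETATT_ARN), null, 2));
```

In a CDK stack the same normalization can be expressed as a deploy-time intrinsic rather than a string operation, for example `cdk.Fn.select(0, cdk.Fn.split(":*", userpolLogsGroup.logGroupArn))`, or the ARN can be built with `cdk.Stack.of(this).formatArn({ service: "logs", resource: "log-group", resourceName: userpolLogsGroup.logGroupName, arnFormat: cdk.ArnFormat.COLON_RESOURCE_NAME })`, which also avoids reading the region and account from environment variables; both are suggestions of mine, not from the issue.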

@AllanOricil AllanOricil added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 28, 2024
@github-actions github-actions bot added the @aws-cdk/aws-cognito Related to Amazon Cognito label Aug 28, 2024
@ashishdhingra ashishdhingra self-assigned this Aug 29, 2024
@ashishdhingra ashishdhingra added p2 needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. labels Aug 29, 2024
@ashishdhingra
Contributor

Using the below code:

import * as cdk from 'aws-cdk-lib';
import * as cognito from 'aws-cdk-lib/aws-cognito';
import * as logs from 'aws-cdk-lib/aws-logs';

export class CdktestStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const cognitoUserPool = new cognito.UserPool(this, 'CognitoPool', {
      userPoolName: 'TestCDKCognitoPool',
      selfSignUpEnabled: true,
      signInCaseSensitive: false,
      signInAliases: {
        email: true,
        phone: true,
      },
      autoVerify: {
        email: true,
      },
      userVerification: {
        emailSubject: 'Hello from My Cool App!',
        emailBody: 'Hello, Thanks for registering in My cool app! Verification code is {####}.',
        emailStyle: cognito.VerificationEmailStyle.CODE
      },
      standardAttributes: {
        fullname: {
          required: true,
          mutable: true,
        },
        email: {
          required: true,
          mutable: true,
        }
      },
      customAttributes: {
        company: new cognito.StringAttribute({ mutable: true }),
      },
      passwordPolicy: {
        minLength: 8,
        requireLowercase: true,
        requireDigits: true,
        requireSymbols: true,
      },
      accountRecovery: cognito.AccountRecovery.EMAIL_AND_PHONE_WITHOUT_MFA,
      removalPolicy: cdk.RemovalPolicy.DESTROY,
    });

    const userpoolLogsGroup = new logs.LogGroup(
      this,
      "node-ready-user-pool-logs-group",
      {
        logGroupName: "/node-ready/cognito/userpool/node-ready-user-pool",
        removalPolicy: cdk.RemovalPolicy.DESTROY,
        retention: logs.RetentionDays.ONE_WEEK,
      },
    );

    new cognito.CfnLogDeliveryConfiguration(
      this,
      "node-ready-user-pool-log-delivery-configuration",
      {
        userPoolId: cognitoUserPool.userPoolId,
        logConfigurations: [
          {
            cloudWatchLogsConfiguration: {
              logGroupArn: userpoolLogsGroup.logGroupArn,
            },
            eventSource: "userNotification",
            logLevel: "ERROR",
          },
        ],
      },
    );
  }
}

Running `cdk synth` emits the below CFN template:

Resources:
  CognitoPoolsmsRole554FA026:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: CdktestStackCognitoPoolFC4B558A
            Effect: Allow
            Principal:
              Service: cognito-idp.amazonaws.com
        Version: "2012-10-17"
      Policies:
        - PolicyDocument:
            Statement:
              - Action: sns:Publish
                Effect: Allow
                Resource: "*"
            Version: "2012-10-17"
          PolicyName: sns-publish
    Metadata:
      aws:cdk:path: CdktestStack/CognitoPool/smsRole/Resource
  CognitoPool2F2E48AB:
    Type: AWS::Cognito::UserPool
    Properties:
      AccountRecoverySetting:
        RecoveryMechanisms:
          - Name: verified_email
            Priority: 1
          - Name: verified_phone_number
            Priority: 2
      AdminCreateUserConfig:
        AllowAdminCreateUserOnly: false
      AutoVerifiedAttributes:
        - email
      EmailVerificationMessage: Hello, Thanks for registering in My cool app! Verification code is {####}.
      EmailVerificationSubject: Hello from My Cool App!
      Policies:
        PasswordPolicy:
          MinimumLength: 8
          RequireLowercase: true
          RequireNumbers: true
          RequireSymbols: true
      Schema:
        - Mutable: true
          Name: name
          Required: true
        - Mutable: true
          Name: email
          Required: true
        - AttributeDataType: String
          Mutable: true
          Name: company
      SmsConfiguration:
        ExternalId: CdktestStackCognitoPoolFC4B558A
        SnsCallerArn:
          Fn::GetAtt:
            - CognitoPoolsmsRole554FA026
            - Arn
      SmsVerificationMessage: The verification code to your new account is {####}
      UserPoolName: TestCDKCognitoPool
      UsernameAttributes:
        - email
        - phone_number
      UsernameConfiguration:
        CaseSensitive: false
      VerificationMessageTemplate:
        DefaultEmailOption: CONFIRM_WITH_CODE
        EmailMessage: Hello, Thanks for registering in My cool app! Verification code is {####}.
        EmailSubject: Hello from My Cool App!
        SmsMessage: The verification code to your new account is {####}
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Metadata:
      aws:cdk:path: CdktestStack/CognitoPool/Resource
  nodereadyuserpoollogsgroup22DB6865:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /node-ready/cognito/userpool/node-ready-user-pool
      RetentionInDays: 7
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Metadata:
      aws:cdk:path: CdktestStack/node-ready-user-pool-logs-group/Resource
  nodereadyuserpoollogdeliveryconfiguration:
    Type: AWS::Cognito::LogDeliveryConfiguration
    Properties:
      LogConfigurations:
        - CloudWatchLogsConfiguration:
            LogGroupArn:
              Fn::GetAtt:
                - nodereadyuserpoollogsgroup22DB6865
                - Arn
          EventSource: userNotification
          LogLevel: ERROR
      UserPoolId:
        Ref: CognitoPool2F2E48AB
    Metadata:
      aws:cdk:path: CdktestStack/node-ready-user-pool-log-delivery-configuration
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Analytics: v2:deflate64:H4sIAAAAAAAA/02Lyw6CMBBFv4V9GYVo/ABM3LggGNemltIMlI7pA2Oa/rsgLFzdk5tzSiiOBygy/na5aIdc4xPizXMxsPl6REHKoCeIdydtTaRZ1Zl/vpI6S42TtJ+KTIcqWO6RTGLIR4gNabloyyamSTmIc3KxFF5b/uOUWCMdBStWfePEDLUSerebyhJOsM96h5jbYDyOEpp1v7R801jFAAAA
    Metadata:
      aws:cdk:path: CdktestStack/CDKMetadata/Default
Parameters:
  BootstrapVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /cdk-bootstrap/hnb659fds/version
    Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]

Note that LogGroupArn is set using Fn::GetAtt on the Arn property of the created log group nodereadyuserpoollogsgroup22DB6865.

The error is thrown by CloudFormation upon deployment.

CdktestStack: deploying... [1/1]
CdktestStack: creating CloudFormation changeset...
11:32:26 AM | CREATE_FAILED        | AWS::Cognito::LogDeliveryConfiguration | nodereadyuserpooll...iveryconfiguration
Resource handler returned message: "1 validation error detected: Value 'arn:aws:logs:us-east-2:<<REDACTED>>:log-group:/node-ready/cognito/userpool/node-ready-user-pool:*' at 'logConfigurations.1.member.cloudWatchLogsConfiguration.logGroupArn' failed to satisfy constraint: Member must satisfy regular expression pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:[\w+=/,.@-]+)?(:[\w+=/,.@-]+)? (Service: CognitoIdentityProvider, Status Code: 400, Request ID: 6d8e39b8-9c6f-4912-a9ee-57850577b3b1)" (RequestToken: 2f8b49cf-1892-3a39-2638-3decd4e6f880, HandlerErrorCode: InvalidRequest)


 ❌  CdktestStack failed: Error: The stack named CdktestStack failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "1 validation error detected: Value 'arn:aws:logs:us-east-2:<<REDACTED>>:log-group:/node-ready/cognito/userpool/node-ready-user-pool:*' at 'logConfigurations.1.member.cloudWatchLogsConfiguration.logGroupArn' failed to satisfy constraint: Member must satisfy regular expression pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:[\w+=/,.@-]+)?(:[\w+=/,.@-]+)? (Service: CognitoIdentityProvider, Status Code: 400, Request ID: 6d8e39b8-9c6f-4912-a9ee-57850577b3b1)" (RequestToken: 2f8b49cf-1892-3a39-2638-3decd4e6f880, HandlerErrorCode: InvalidRequest)
    at FullCloudFormationDeployment.monitorDeployment (/opt/homebrew/lib/node_modules/aws-cdk/lib/index.js:447:10567)
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async Object.deployStack2 [as deployStack] (/opt/homebrew/lib/node_modules/aws-cdk/lib/index.js:450:200276)
    at async /opt/homebrew/lib/node_modules/aws-cdk/lib/index.js:450:181698

 ❌ Deployment failed: Error: The stack named CdktestStack failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "1 validation error detected: Value 'arn:aws:logs:us-east-2:<<REDACTED>>:log-group:/node-ready/cognito/userpool/node-ready-user-pool:*' at 'logConfigurations.1.member.cloudWatchLogsConfiguration.logGroupArn' failed to satisfy constraint: Member must satisfy regular expression pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:[\w+=/,.@-]+)?(:[\w+=/,.@-]+)? (Service: CognitoIdentityProvider, Status Code: 400, Request ID: 6d8e39b8-9c6f-4912-a9ee-57850577b3b1)" (RequestToken: 2f8b49cf-1892-3a39-2638-3decd4e6f880, HandlerErrorCode: InvalidRequest)
    at FullCloudFormationDeployment.monitorDeployment (/opt/homebrew/lib/node_modules/aws-cdk/lib/index.js:447:10567)
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async Object.deployStack2 [as deployStack] (/opt/homebrew/lib/node_modules/aws-cdk/lib/index.js:450:200276)
    at async /opt/homebrew/lib/node_modules/aws-cdk/lib/index.js:450:181698

The stack named CdktestStack failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "1 validation error detected: Value 'arn:aws:logs:us-east-2:<<REDACTED>>:log-group:/node-ready/cognito/userpool/node-ready-user-pool:*' at 'logConfigurations.1.member.cloudWatchLogsConfiguration.logGroupArn' failed to satisfy constraint: Member must satisfy regular expression pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:[\w+=/,.@-]+)?(:[\w+=/,.@-]+)? (Service: CognitoIdentityProvider, Status Code: 400, Request ID: 6d8e39b8-9c6f-4912-a9ee-57850577b3b1)" (RequestToken: 2f8b49cf-1892-3a39-2638-3decd4e6f880, HandlerErrorCode: InvalidRequest)

Skipping the CfnLogDeliveryConfiguration creates the log group successfully:
[screenshot, 2024-08-29 11:39 AM]

Most likely this is a CloudFormation issue.

Thanks,
Ashish

@ashishdhingra ashishdhingra added needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. and removed needs-reproduction This issue needs reproduction. labels Aug 29, 2024
@ashishdhingra
Contributor

Internal tracking ticket: P151524663

@ashishdhingra ashishdhingra removed their assignment Aug 29, 2024
@AllanOricil AllanOricil changed the title aws-cognito: Wrong regular expression aws-cognito: CfnLogDeliveryConfiguration wrong regular expression Aug 29, 2024
@pahud
Contributor

pahud commented Oct 15, 2024

internal: V1486562731
