Issues cloning a new environment #13642

Closed
pr0g opened this issue Mar 7, 2024 · 17 comments
Labels: auth (Issues tied to the auth category of the CLI), investigating (This issue is being investigated), pending-triage (Issue is pending triage), question (General question)

Comments


pr0g commented Mar 7, 2024

Amplify CLI Version

12.10.1

Question

I am attempting to create a new backend environment to use as a personal developer stack from one of our existing internal backend environments. This is to allow individual developers to have their own personal stacks when iterating on features without stomping on other developers' work.

The steps I have followed are:

  1. Do an amplify pull --appId <app-id> --envName <existing-env> # (environment to start from)
  2. Run amplify add env <new-env-name> # (new environment)
  3. amplify push # (push new environment to cloud)

I'm currently hitting an issue with Cognito though where I get this error:

🛑 The following resources failed to deploy:
Resource Name: UserPoolClientWeb (AWS::Cognito::UserPoolClient)
Event Type: create
Reason: Resource handler returned message: "Invalid read attributes specified while creating a client (Service: CognitoIdentityProvider, Status Code: 400, Request ID: #######)" (RequestToken: #######, HandlerErrorCode: InvalidRequest)

Resource Name: UserPoolClient (AWS::Cognito::UserPoolClient)
Event Type: create
Reason: Resource handler returned message: "Invalid read attributes specified while creating a client (Service: CognitoIdentityProvider, Status Code: 400, Request ID: #######)" (RequestToken: #######, HandlerErrorCode: InvalidRequest)

🛑 Resource is not in the state stackUpdateComplete
Name: UserPoolClientWeb (AWS::Cognito::UserPoolClient), Event Type: create, Reason: Resource handler returned message: "Invalid read attributes specified while creating a client (Service: CognitoIdentityProvider, Status Code: 400, Request ID: #######)" (RequestToken: #######, HandlerErrorCode: InvalidRequest), IsCustomResource: false

Name: UserPoolClient (AWS::Cognito::UserPoolClient), Event Type: create, Reason: Resource handler returned message: "Invalid read attributes specified while creating a client (Service: CognitoIdentityProvider, Status Code: 400, Request ID: #######)" (RequestToken: ####### HandlerErrorCode: InvalidRequest), IsCustomResource: false

Which then fails stack creation. I believe we do have some overrides in amplify/backend/auth/<app>/override.ts which might be contributing to the problem?

I've also tried to see if it's possible to remove auth, and add it back manually after (after coming across this issue: #12821) but when I try and do that I get an error that another AWS resource relies on it (an S3 bucket), and when I try and remove that I get this error:

ResourceRemoveError: Resource cannot be removed because it has a dependency on another resource

But it doesn't tell me what resource that is...

I might be going about this the wrong way, but ideally all I want is a way to create a new backend environment from an existing one as simply as possible. If there is any guidance on how to do this or to get around the problems I am seeing I'd be incredibly grateful to know!

Thank you very much for your help in advance!

pr0g added the pending-triage and question labels Mar 7, 2024
Author

pr0g commented Mar 7, 2024

I should also mention when I try and use Actions -> Clone from the AWS Amplify Console things also fail. I also unfortunately get no output of why things failed in that case either.

Author

pr0g commented Mar 7, 2024

This explanation here seems to roughly match what I'm doing

You can alternatively, have developers setup their own isolated replica of these environments in a different AWS account. To do this simply:

  1. Clone the existing project
  2. Run amplify env add and set up a new environment (e.g. "mydev") with that developer's account and AWS profile
  3. Deploy with amplify push

But as our project is a bit more complicated it seems something somewhere is going wrong 🤔 I tried cloning a new repo and doing amplify init instead of checking out an existing environment, then did amplify push but that seemed to have the same issue.

Member

ykethan commented Mar 7, 2024

Hey @pr0g, could you run amplify diagnose --send-report and provide us the project identifier output?
Does the override file add any custom attributes? Could you provide us information/example of the override to reproduce the behavior?

@ykethan ykethan added auth Issues tied to the auth category of the CLI pending-response Issue is pending response from the issue author labels Mar 7, 2024
@pr0g
Copy link
Author

pr0g commented Mar 7, 2024

Hi @ykethan, thank you very much for getting back to me.

Sure thing, I've just run amplify diagnose --send-report and this is the project identifier - 666fb0d39262a6da0a0ac52508aa2deb

The override file does add several custom attributes. It looks like this:

import { AmplifyAuthCognitoStackTemplate } from '@aws-amplify/cli-extensibility-helper';

export function override(resources: AmplifyAuthCognitoStackTemplate) {
  resources.userPool.schema = [
    {
      name: "email",
      required: true,
      mutable: true,
    },

    {
      name: "name",
      required: true,
      mutable: true,
    },
    {
      name: "company",
      required: false,
      mutable: true,
      attributeDataType: "String",
    },
    {
      name: "jobrole",
      required: false,
      mutable: true,
      attributeDataType: "String",
    },
    {
      name: "agreetcs",
      required: false,
      mutable: true,
      attributeDataType: "String",
    },
    {
      name: "marketing",
      required: false,
      mutable: true,
      attributeDataType: "String",
    },
    {
      name: "created",
      required: false,
      mutable: true,
      attributeDataType: "String",
    },
  ];

  resources.userPool.emailConfiguration = {
    emailSendingAccount: "DEVELOPER",
    from: "<company-email>",
    sourceArn: "<arn>",
  };
}

There are also quite a lot of config options in cli-inputs.json that may also be contributing, though I'm not sure where or how. Thank you!

github-actions bot removed the pending-response label Mar 7, 2024
Author

pr0g commented Mar 7, 2024

Is there any other info I could provide that could be helpful @ykethan? I can try and send the config with some identifying info removed, was the diagnosis output any help? Thanks!

Member

ykethan commented Mar 7, 2024

Hey @pr0g, thank you for the information. I tried to reproduce the issue using the following steps, but did not observe this error message.

  1. amplify add auth
  2. modify the cli-inputs.json file userpoolClientWriteAttributes and userpoolClientReadAttributes with some custom attributes
  3. amplify override auth with the custom attributes
  4. amplify push
  5. once the push completes run amplify add env
  6. then amplify push

Could you check the project auth stack events on AWS CloudFormation? Do you observe any notable event messages?
Does removing the custom read/write attributes in the cli-inputs.json and the override.ts push successfully?

ykethan added the pending-response label Mar 7, 2024
Author

pr0g commented Mar 7, 2024

Huge thanks for the update @ykethan, I'll give that a try tomorrow (I'm UTC+0 sorry) but this is really helpful info, I'll try and get the CloudWatch logs shared before then if I can. Thanks! 🙂

github-actions bot removed the pending-response label Mar 7, 2024
Author

pr0g commented Mar 8, 2024

Hi @ykethan, I had a look in CloudFormation at the Events log for my new stack that is failing to deploy.

The first failure I see is:

Logical ID: auth<our-app-name> 
Status: CREATE_FAILED
Status Reason: Embedded stack arn:aws:cloudformation:eu-west-2<....> was not successfully created: The following resource(s) failed to create: [UserPoolClientWeb, UserPoolClient]. 

Then

Logical ID: amplify-<our-app-name>-<env>-161129
Status: UPDATE_ROLLBACK_IN_PROGRESS
Status Reason: The following resource(s) failed to create: [auth<our-app-name>]. 

And then all the rollbacks/deletes happen.

Perhaps I could send you the template from CloudFormation for this stack? Would that be helpful? Is there a way to look into what internally failed inside Cognito trying to create the UserPoolClientWeb and UserPoolClient?

Thanks again for your help!

Author

pr0g commented Mar 8, 2024

Please let me know if there's anything else I can do to help investigate and resolve this issue @ykethan, this is something we'd really love to get resolved soon if we can. Thanks!

Member

ykethan commented Mar 8, 2024

@pr0g I tried reproducing the issue but did not observe this error message. Do you observe any other error messages on the auth stack on the AWS CloudFormation console?
Did you try removing the override and attributes from the cli-inputs.json and pushing?
I have currently reached out to the Amplify team, will reach out once I get some additional information.

ykethan added the investigating label Mar 8, 2024
Author

pr0g commented Mar 9, 2024

Thank you very much for following-up @ykethan.

Do you observe any other error messages on the auth stack on the AWS CloudFormation console?

I don't think so, though I could be looking in the wrong place. Where exactly can I find the auth stack from the AWS CloudFormation console sorry?

Did you try removing the override and attributes from the cli-inputs.json and pushing?

I haven't tried this yet but that's a good idea, I'll see if that makes any difference first thing on Monday.

I have currently reached out to the Amplify team, will reach out once I get some additional information.

That's fantastic thank you, do you think it might be worth me creating a case via the AWS Support service to help with this too?

Thanks again for your help, much appreciated!

Author

pr0g commented Mar 12, 2024

Hi @ykethan,

I just wanted to check with the updates to userpoolClientWriteAttributes and userpoolClientReadAttributes, shall I just delete these and then try and amplify push?

Right now the values in amplify/backend/auth/<app>/cli-inputs.json are:

...
    "userpoolClientWriteAttributes": [
      "email",
      "name",
      "custom:company",
      "custom:jobrole",
      "custom:agreetcs",
      "custom:marketing",
      "custom:level",
      "custom:marketsource",
      "custom:created"
    ],
    "userpoolClientReadAttributes": [
      "email",
      "name",
      "custom:company",
      "custom:jobrole",
      "custom:agreetcs",
      "custom:marketing",
      "custom:level",
      "custom:marketsource",
      "custom:created"
    ],
...

Shall I just delete these or keep them but set them to be empty lists? (I'll try and see what happens 😅).

We also have authProviders including Facebook, Google and Apple, I wonder if they might also be causing problems? I could try and share the whole cli-inputs.json with some of the confidential information removed if that would help for you to potentially reproduce?

Thanks again for your help, I'll give this a try now, if you have any other suggestions or have heard back from the Amplify (or Cognito 😝) team that would be great! 🙂

Author

pr0g commented Mar 12, 2024

Hi @ykethan, I came across this issue (#10647) and @josefaidt suggested zipping-up and sharing the amplify/ folder to amplify-cli@amazon.com, might this be an option to help see what's going on too? Thanks!

Author

pr0g commented Mar 12, 2024

I had a breakthrough and it seems deleting all the "custom:...." values in userpoolClientWriteAttributes and userpoolClientReadAttributes worked!! 🥳 🙌 Running amplify push completed successfully!

So in cli-inputs.json things now look like this:

...
    "userpoolClientWriteAttributes": [
      "email",
      "name"
    ],
    "userpoolClientReadAttributes": [
      "email",
      "name"
    ],
...

I think I do need to add these back again now everything is stood up 😅 I need to dig into exactly how to do this but I think using amplify auth somehow is the right way to go, if you know how please let me know 😝

I wonder if we can document this somewhere as it's a tricky one but I'm glad to (hopefully 🤞) have things working. I'm going to test I can get everything running the same as our existing environments, I'll leave an update here if everything seems to be working as expected and can then close this issue (maybe with an action item to update the docs, maybe this page?)

Thanks!

Member

ykethan commented Mar 12, 2024

Hey @pr0g, thank you for the confirmation. Adding custom attributes to an auth resource is currently here, you don't need to add the attributes to the cli-inputs.json as well.
Closing the issue.

ykethan closed this as not planned Mar 12, 2024

Author

pr0g commented Mar 12, 2024

Thanks @ykethan,

I was just thinking it might be worth documenting that having custom attributes in cli-inputs.json can cause cloning new environments to fail. If someone does hit this again then hopefully they'll find this issue that might help, but maybe having a brief callout on the Troubleshooting page could be helpful.

Thanks again for your help 👍
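
A pre-push check for the mismatch discussed in this thread, added here as an example; it is not code from the thread or from the Amplify project. Cognito rejects a user pool client whose read or write attributes name an attribute that is missing from the pool schema, so the hypothetical helper findUndefinedClientAttributes compares the two lists from cli-inputs.json against the schema names in override.ts, with the values posted above embedded as sample input.

```javascript
// Added example (not Amplify code): find client read/write attributes that
// have no matching user pool schema entry before running `amplify push`.

// Cognito standard attributes; these need no schema entry of their own.
const STANDARD = new Set([
  'address', 'birthdate', 'email', 'email_verified', 'family_name', 'gender',
  'given_name', 'locale', 'middle_name', 'name', 'nickname', 'phone_number',
  'phone_number_verified', 'picture', 'preferred_username', 'profile',
  'updated_at', 'website', 'zoneinfo',
]);
const LIST_KEYS = ['userpoolClientReadAttributes', 'userpoolClientWriteAttributes'];

// schemaNames: the `name` values from resources.userPool.schema in override.ts.
// inputs: object holding the two attribute lists from cli-inputs.json.
// Returns, per list, the entries that have no counterpart in the pool schema.
function findUndefinedClientAttributes(schemaNames, inputs) {
  // Non-standard schema names become `custom:<name>` attributes in Cognito.
  const custom = new Set(schemaNames.filter((n) => !STANDARD.has(n)));
  const result = {};
  for (const key of LIST_KEYS) {
    result[key] = (inputs[key] || []).filter((attr) =>
      attr.startsWith('custom:')
        ? !custom.has(attr.slice('custom:'.length))
        : !STANDARD.has(attr));
  }
  return result;
}

// Sample input copied from the override.ts and cli-inputs.json posted above.
const schemaNames = ['email', 'name', 'company', 'jobrole', 'agreetcs',
  'marketing', 'created'];
const clientAttrs = ['email', 'name', 'custom:company', 'custom:jobrole',
  'custom:agreetcs', 'custom:marketing', 'custom:level',
  'custom:marketsource', 'custom:created'];
const inputs = {
  userpoolClientReadAttributes: clientAttrs,
  userpoolClientWriteAttributes: clientAttrs,
};

const missing = findUndefinedClientAttributes(schemaNames, inputs);
for (const key of LIST_KEYS) {
  console.log(`${key}: ${missing[key].length ? missing[key].join(', ') : 'ok'}`);
}
```

On the posted values it reports custom:level and custom:marketsource in both lists; neither has an entry in the posted schema.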
