(cognito): Client Secret handler resource update breaks references #23796
Comments
Thanks for the report, I'm seeing the same issue. From the changelog it seems like this could be related to the Cognito changes introduced in 2.60.0 #23796
@Mattias- It was a change introduced in 2.60.0; however, it was actually the "aws-custom-resource: switch off installLatestAwsSdk by default" fix instead of the Cognito one. At least for the specific issue above. The new feature that relates to client secrets is for configuring the Google IdP and specifying a Secrets Manager secret for its But I do worry other custom resources may have similar issues due to #23591. It'd be probably any custom resource that specifies

Also anyone else who uses any

This seems to still be broken in 2.62.x and 2.63.x versions.
…erence (#23798)

Because there wasn't previously a handler for `onUpdate` events, an empty object would be returned. When `installLatestAwsSdk` was changed to `false`, this was an update. Typically, updates aren't an issue because basically any other property being updated signifies a replacement. `installLatestAwsSdk` is just a very unique case where it doesn't (and where a user usually can't update it). When the empty object is returned, this results in an update failure in CloudFormation because the specific property isn't available.

Fixes: #23796

----

### All Submissions:

* [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Construct Runtime Dependencies:

* [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
For anyone else that ends up here, I can confirm that this is still an issue for when running the latest CDK
Same error with the latest CDK
Fixed in
…y Group reference (#29620)

### Issue # (if applicable)

Closes #23796

### Reason for this change

In #23591 `installLatestAwsSdk`. This results in a resource update for custom resources. The custom resource that fetches the security groups does not have an onUpdate handler (https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-globalaccelerator/lib/_accelerator-security-group.ts#L32). When the empty object is returned, this results in an update failure in CloudFormation because the specific property isn't available and so it will fail with the error below:

```
CustomResource attribute error: Vendor response doesn't contain SecurityGroups.0.GroupId key in object
```

When the update occurs, the response object does not have a `SecurityGroups.0.GroupId` field, resulting in failures when `SecurityGroups` is referenced.

### Description of changes

Update the onCreate to onUpdate for custom resources to mitigate the CloudFormation update failure. Documentation: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.custom_resources.AwsCustomResource.html#oncreate. Similar fix for Cognito: #23798

### Description of how you validated changes

The integration test is updated with the latest assets.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Describe the bug

In #23591 `installLatestAwsSdk`. This results in a resource update for custom resources. The custom resource that fetches the client secret does not have an `onUpdate` handler (https://github.com/aws/aws-cdk/blame/0798876e5e6c1a665033c759aed3bc0eab05a892/packages/%40aws-cdk/aws-cognito/lib/user-pool-client.ts#L449). When the update occurs, the response object does not have a `UserPoolClient.ClientSecret` field, resulting in failures when `.userPoolClientSecret` is referenced. This results in stacks that fail to update.

Expected Behavior

Updates should happen gracefully. The same content as the `onCreate` handler should be run for update events.

Current Behavior

There is no update handler. Updates fail with an error like:

CloudWatch Logs shows:

I can confirm, but do not want to share, the contents of the `Create` object match between the two events.

Reproduction Steps

`installLatestAwsSdk` by default #23591

Possible Solution

Copy the `onCreate` handler to `onUpdate`.

Additional Information/Context

Typically, if the User Pool ID or the User Pool Client ID changes, the User Pool Client Secret would too. But other properties passed to the resource can change (like `installLatestAwsSdk`) and this will result in a resource update.

CDK CLI Version
2.61.1

Framework Version
No response

Node.js Version
16

OS
Linux

Language
Typescript

Language Version
No response

Other information
I am preparing a patch that implements the suggested fix.
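As an added illustration (not code from aws-cdk-lib, the issue author, or the two PRs), the following TypeScript models the failure described in this report and in #29620: an `AwsCustomResource` configured with only an `onCreate` call returns an empty object for an Update event, so a `Fn::GetAtt` on `UserPoolClient.ClientSecret` (or `SecurityGroups.0.GroupId`) fails with the attribute error quoted above, while giving `onUpdate` the same call makes the update succeed. The dispatch, the dotted-key flattening and the SDK responses are a simplified, constructed model, not the real provider framework.

```typescript
// Simplified model, written for this issue, of how an AwsCustomResource picks
// an SDK call per CloudFormation event type and how Fn::GetAtt then reads the
// returned data. Not aws-cdk-lib's code; the SDK responses below are constructed.
type SdkCall = { service: string; action: string };
type ResourceProps = { onCreate?: SdkCall; onUpdate?: SdkCall; onDelete?: SdkCall };
type CfnEvent = { RequestType: 'Create' | 'Update' | 'Delete' };
type Data = Record<string, unknown>;

// Constructed stand-ins for the two API responses the affected handlers read.
const FAKE_SDK: Record<string, Data> = {
  'CognitoIdentityServiceProvider.describeUserPoolClient': {
    UserPoolClient: { ClientId: 'example-client-id', ClientSecret: 'example-secret-value' },
  },
  'EC2.describeSecurityGroups': { SecurityGroups: [{ GroupId: 'sg-0example' }] },
};

// Flatten a nested response into dotted keys ("UserPoolClient.ClientSecret",
// "SecurityGroups.0.GroupId"), the form in which response fields are referenced.
function flatten(obj: unknown, prefix = '', out: Data = {}): Data {
  if (obj !== null && typeof obj === 'object') {
    for (const k of Object.keys(obj as Record<string, unknown>)) {
      flatten((obj as Record<string, unknown>)[k], prefix ? `${prefix}.${k}` : k, out);
    }
  } else if (prefix) {
    out[prefix] = obj;
  }
  return out;
}

function handleEvent(props: ResourceProps, event: CfnEvent): Data {
  const call = event.RequestType === 'Create' ? props.onCreate
    : event.RequestType === 'Update' ? props.onUpdate : props.onDelete;
  // No call configured for this event type: nothing is fetched and the
  // resource's Data is an empty object. That is the root cause of the issue.
  if (!call) return {};
  const response = FAKE_SDK[`${call.service}.${call.action}`];
  if (!response) throw new Error(`unknown SDK call ${call.service}.${call.action}`);
  return flatten(response);
}

// CloudFormation resolving Fn::GetAtt against the custom resource's Data.
function getAtt(data: Data, path: string): unknown {
  if (!(path in data)) {
    throw new Error(`CustomResource attribute error: Vendor response doesn't contain ${path} key in object`);
  }
  return data[path];
}

const describeClient: SdkCall = { service: 'CognitoIdentityServiceProvider', action: 'describeUserPoolClient' };
// Before the fix: only onCreate. After the fix: the same call is also used for onUpdate.
const brokenProps: ResourceProps = { onCreate: describeClient };
const fixedProps: ResourceProps = { onCreate: describeClient, onUpdate: describeClient };
```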