Failed to migrate auth after upgrade amplify cli from version 6 to 12 #13905

Closed
2 tasks done
JaysZila opened this issue Aug 28, 2024 · 11 comments
Labels
auth Issues tied to the auth category of the CLI pending-response Issue is pending response from the issue author pending-triage Issue is pending triage

Comments

JaysZila commented Aug 28, 2024

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

20.15.0

Amplify CLI Version

12.10.1

What operating system are you using?

macOS

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No manual changes made

Describe the bug

My project was recently upgraded from Amplify CLI version 6.0.0 to 12.10.1. After the upgrade, when I ran the amplify push command, it displayed the following error:

“Auth triggers have been configured using an older version of the CLI and must be migrated before they can be deployed. Run amplify update auth and select ‘yes’ at the migration prompt. Then retry the deployment using amplify push.”

I have run amplify update auth with the following options:

Using service: Cognito, provided by: awscloudformation
 What do you want to do? Walkthrough all the auth configurations
 Select the authentication/authorization services that you want to use: User Sign-Up, Sign-In, connected with AWS IAM controls (Enables per-user Storage features for
 images or other content, Analytics, and more)
 Allow unauthenticated logins? (Provides scoped down permissions that you can control via AWS IAM) Yes
 Do you want to enable 3rd party authentication providers in your identity pool? No
 Do you want to add User Pool Groups? No
 Do you want to add an admin queries API? No
 Multifactor authentication (MFA) user login options: OFF
 Email based user registration/forgot password: Enabled (Requires per-user email entry at registration)
 Specify an email verification subject: Your verification code
 Specify an email verification message: Your verification code is {####}
 Do you want to override the default password policy for this User Pool? No
 Specify the app's refresh token expiration period (in days): 1
 Do you want to specify the user attributes this app can read and write? No
 Do you want to enable any of the following capabilities? Custom Auth Challenge Flow (basic scaffolding - not for production)
 Do you want to use an OAuth flow? No
? Do you want to configure Lambda Triggers for Cognito? Yes
? Which triggers do you want to enable for Cognito Create Auth Challenge, Define Auth Challenge, Verify Auth Challenge Response
? What functionality do you want to use for Create Auth Challenge Custom Auth Challenge Scaffolding (Creation)
? What functionality do you want to use for Define Auth Challenge Custom Auth Challenge Scaffolding (Definition)
? What functionality do you want to use for Verify Auth Challenge Response Custom Auth Challenge Scaffolding (Verification)

Successfully updated the Cognito trigger locally
Successfully updated the Cognito trigger locally
Successfully updated the Cognito trigger locally
✅ Successfully updated auth resource myAuth locally

After the migration was completed, it removed myAuth-cloudformation-template.json, auth-trigger-cloudformation-template.json, and parameter.json files and added cli-input.json instead.

After that, I manually re-added myAuth-cloudformation-template.json and auth-trigger-cloudformation-template.json (my project has custom Lambda triggers created before) back to the project and pushed the changes to the cloud again.

However, I encountered the following error:

The following resources failed to deploy:
Resource Name: UserPool (AWS::Cognito::UserPool)
Event Type: update
Reason: Resource handler returned message: "Invalid request provided: Updates are not allowed for property - UsernameConfiguration." (RequestToken: xxxxxx, HandlerErrorCode: InvalidRequest)

Expected behavior

amplify push needs to work normally after the migration is completed.

Reproduction steps

  1. npm install -g @aws-amplify/cli@12.10.1
  2. amplify update auth
  3. re-added myAuth-cloudformation-template.json and auth-trigger-cloudformation-template.json back to the project
  4. amplify push

Project Identifier

No response

Log output

# Put your logs below this line


Additional information

My cloudformation stack details (Auth)

Resources

  • IdentityPool
  • IdentityPoolRoleMap
  • SNSRole
  • UserPool **
  • UserPoolClient
  • UserPoolClientInputs
  • UserPoolClientLambda
  • UserPoolClientLambdaPolicy
  • UserPoolClientLogPolicy
  • UserPoolClientRole
  • UserPoolClientWeb

Parameters include usernameCaseSensitive: false

Before submitting, please confirm:

  • I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • I have removed any sensitive information from my code snippets and submission.
@JaysZila JaysZila added the pending-triage Issue is pending triage label Aug 28, 2024
Member

ykethan commented Aug 28, 2024

Hey @JaysZila, thank you for reaching out. Could you provide the cli-inputs.json generated in the backend/auth/<resource-name> folder?
From the error message, the issue may be caused by using alias attributes in your existing Auth resource. If so, you may need to enable the forcealiasattributes flag in the cli.json present at the root of the amplify folder. Then run amplify build or amplify update auth and amplify push.

current version of the cli.json

{
  "features": {
    "graphqltransformer": {
      "addmissingownerfields": true,
      "improvepluralization": false,
      "validatetypenamereservedwords": true,
      "useexperimentalpipelinedtransformer": true,
      "enableiterativegsiupdates": true,
      "secondarykeyasgsi": true,
      "skipoverridemutationinputtypes": true,
      "transformerversion": 2,
      "suppressschemamigrationprompt": true,
      "securityenhancementnotification": false,
      "showfieldauthnotification": false,
      "usesubusernamefordefaultidentityclaim": true,
      "usefieldnameforprimarykeyconnectionfield": false,
      "enableautoindexquerynames": true,
      "respectprimarykeyattributesonconnectionfield": true,
      "shoulddeepmergedirectiveconfigdefaults": false,
      "populateownerfieldforstaticgroupauth": true,
      "subscriptionsinheritprimaryauth": false
    },
    "frontend-ios": {
      "enablexcodeintegration": true
    },
    "auth": {
      "enablecaseinsensitivity": true,
      "useinclusiveterminology": true,
      "breakcirculardependency": true,
      "forcealiasattributes": false, // enable this flag
      "useenabledmfas": true
    },
    "codegen": {
      "useappsyncmodelgenplugin": true,
      "usedocsgeneratorplugin": true,
      "usetypesgeneratorplugin": true,
      "cleangeneratedmodelsdirectory": true,
      "retaincasestyle": true,
      "addtimestampfields": true,
      "handlelistnullabilitytransparently": true,
      "emitauthprovider": true,
      "generateindexrules": true,
      "enabledartnullsafety": true,
      "generatemodelsforlazyloadandcustomselectionset": false
    },
    "appsync": {
      "generategraphqlpermissions": true
    },
    "latestregionsupport": {
      "pinpoint": 1,
      "translate": 1,
      "transcribe": 1,
      "rekognition": 1,
      "textract": 1,
      "comprehend": 1
    },
    "project": {
      "overrides": true
    }
  },
  "debug": {}
}

@ykethan ykethan added auth Issues tied to the auth category of the CLI pending-response Issue is pending response from the issue author labels Aug 28, 2024
Author

JaysZila commented Aug 28, 2024

Hi @ykethan This is my cli-input.json

{
  "version": "1",
  "cognitoConfig": {
    "identityPoolName": "IdentityPoolName",
    "allowUnauthenticatedIdentities": true,
    "resourceNameTruncated": "xxxxxxx",
    "userPoolName": "UserPoolName",
    "autoVerifiedAttributes": [
      "email"
    ],
    "mfaConfiguration": "OFF",
    "mfaTypes": [
      "SMS Text Message"
    ],
    "smsAuthenticationMessage": "Your authentication code is {####}",
    "smsVerificationMessage": "Your verification code is {####}",
    "emailVerificationSubject": "Your verification code",
    "emailVerificationMessage": "Your verification code is {####}",
    "defaultPasswordPolicy": false,
    "passwordPolicyMinLength": "x",
    "passwordPolicyCharacters": [
      "Requires Numbers"
    ],
    "requiredAttributes": [],
    "aliasAttributes": [],
    "userpoolClientGenerateSecret": false,
    "userpoolClientRefreshTokenValidity": "1",
    "userpoolClientWriteAttributes": [
      "email"
    ],
    "userpoolClientReadAttributes": [
      "email"
    ],
    "userpoolClientLambdaRole": "userpoolclient_lambda_role",
    "userpoolClientSetAttributes": false,
    "authSelections": "identityPoolAndUserPool",
    "resourceName": "myAuth",
    "serviceName": "Cognito",
    "useDefault": "manual",
    "sharedId": "xxxxxx",
    "userPoolGroupList": [],
    "userPoolGroups": false,
    "usernameCaseSensitive": false, ---> but in AWS Cognito the value is true (case sensitive)
    "adminQueries": false,
    "hostedUI": false,
    "thirdPartyAuth": false,
    "authProviders": [],
    "triggers": {
      "CreateAuthChallenge": [
        "boilerplate-create-challenge"
      ],
      "DefineAuthChallenge": [
        "boilerplate-define-challenge"
      ],
      "VerifyAuthChallengeResponse": [
        "boilerplate-verify"
      ]
    },
    "authRoleArn": {
      "Fn::GetAtt": [
        "AuthRole",
        "Arn"
      ]
    },
    "unauthRoleArn": {
      "Fn::GetAtt": [
        "UnauthRole",
        "Arn"
      ]
    },
    "breakCircularDependency": true,
    "useEnabledMfas": false,
    "dependsOn": [
      {
        "category": "function",
        "resourceName": "myAuthCreateAuthChallenge",
        "triggerProvider": "Cognito",
        "attributes": [
          "Arn",
          "Name"
        ]
      },
      {
        "category": "function",
        "resourceName": "myAuthDefineAuthChallenge",
        "triggerProvider": "Cognito",
        "attributes": [
          "Arn",
          "Name"
        ]
      },
      {
        "category": "function",
        "resourceName": "myAuthVerifyAuthChallengeResponse",
        "triggerProvider": "Cognito",
        "attributes": [
          "Arn",
          "Name"
        ]
      }
    ],
    "permissions": [],
    "authTriggerConnections": "[\n  {\n    \"triggerType\": \"CreateAuthChallenge\",\n    \"lambdaFunctionName\": \"myAuthCreateAuthChallenge\"\n  },\n  {\n    \"triggerType\": \"DefineAuthChallenge\",\n    \"lambdaFunctionName\": \"myAuthDefineAuthChallenge\"\n  },\n  {\n    \"triggerType\": \"VerifyAuthChallengeResponse\",\n    \"lambdaFunctionName\": \"myAuthVerifyAuthChallengeResponse\"\n  }\n]",
    "parentStack": {
      "Ref": "AWS::StackId"
    }
  }
}     

My current cli.json does not have forceAliasAttributes. And also, user pool is configured to use username as the key for login.
Do you mean I need to add it and set the value to true?

    "auth": {
      "enablecaseinsensitivity": true,
      "useinclusiveterminology": true,
      "breakcirculardependency": true
    }

backend-config.json, amplify-meta.json
"usernameAttributes": []

@github-actions github-actions bot removed the pending-response Issue is pending response from the issue author label Aug 28, 2024
Member

ykethan commented Aug 28, 2024

Hey @JaysZila, thank you for posting the cli-inputs.json. From the file it appears the alias attributes are not being utilized, so you should be fine, as this flag defaults to false. You could update the cli.json to have the latest flags present as well.
Could you update "usernameCaseSensitive" to true in the cli-inputs.json and push? Do let us know if this mitigates the issue.

@ykethan ykethan added the pending-response Issue is pending response from the issue author label Aug 28, 2024
@JaysZila
Author

@ykethan Thank you for your reply. I tried updating it to true, but it still resulted in the same error message.

@github-actions github-actions bot removed the pending-response Issue is pending response from the issue author label Aug 28, 2024
Member

ykethan commented Aug 29, 2024

@JaysZila, by any chance was this manually updated on the console?
On the generated CloudFormation template I did notice the following, and updating "usernameCaseSensitive": true did cause a similar error.

"UsernameConfiguration": {
     "CaseSensitive": false
 }

On the CloudFormation console, could you check the auth nested stack template for UsernameConfiguration? The name of the stack should start with amplify-<app-name> with auth appended in name.
Could you verify that the UsernameConfiguration matches the locally generated UsernameConfiguration in the CloudFormation template?

@ykethan ykethan added the pending-response Issue is pending response from the issue author label Aug 29, 2024
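
The comparison requested in the comment above, as an added example that is not part of the original thread or of the Amplify CLI: a Node.js script that reports user pools whose UsernameConfiguration differs between the deployed auth stack template and the locally generated one. The function names and both sample templates are constructed for illustration.

```javascript
'use strict';

// State of UsernameConfiguration.CaseSensitive on one UserPool resource:
// "unset" when absent, "true"/"false" for a literal value, or "unresolved"
// when it is an intrinsic such as {"Ref": ...} that needs the stack parameters.
function caseSensitivity(resource) {
  const cfg = (resource.Properties || {}).UsernameConfiguration;
  if (cfg == null || cfg.CaseSensitive === undefined) return 'unset';
  const v = cfg.CaseSensitive;
  if (typeof v === 'boolean') return String(v);
  if (v === 'true' || v === 'false') return v; // boolean carried as a string
  return 'unresolved';
}

// Map logical ID -> case-sensitivity state for every user pool in a template.
function userPools(template) {
  const out = {};
  for (const [id, res] of Object.entries(template.Resources || {})) {
    if (res.Type === 'AWS::Cognito::UserPool') out[id] = caseSensitivity(res);
  }
  return out;
}

// One finding per pool present in both templates whose setting differs.
// The push in this thread failed on exactly such a difference (unset -> false).
function usernameConfigDrift(deployed, local) {
  const before = userPools(deployed);
  const after = userPools(local);
  const findings = [];
  for (const id of Object.keys(after)) {
    if (!(id in before)) continue; // pool not deployed yet, nothing to compare
    const unresolved = before[id] === 'unresolved' || after[id] === 'unresolved';
    if (unresolved || before[id] !== after[id]) {
      findings.push({ id, deployed: before[id], local: after[id],
                      verdict: unresolved ? 'check-manually' : 'changed' });
    }
  }
  return findings;
}

// Constructed samples: the deployed template has no UsernameConfiguration,
// the locally generated build template sets CaseSensitive to false.
const deployedTemplate = { Resources: {
  UserPool: { Type: 'AWS::Cognito::UserPool', Properties: { UserPoolName: 'UserPoolName' } },
  UserPoolClient: { Type: 'AWS::Cognito::UserPoolClient', Properties: {} },
} };
const localTemplate = { Resources: {
  UserPool: { Type: 'AWS::Cognito::UserPool', Properties: {
    UserPoolName: 'UserPoolName', UsernameConfiguration: { CaseSensitive: false } } },
} };

console.log(usernameConfigDrift(deployedTemplate, localTemplate));
```

To use it on a real project, load the two templates with JSON.parse in place of the constructed samples.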
Author

JaysZila commented Aug 29, 2024

@ykethan I'm not sure whether it was manually updated on the console, since I have not been part of the project team from the beginning.

To give you more detail on UsernameConfiguration in project

Before running amplify update auth

  • Amplify pull change from cloud does not have UsernameConfiguration in auth-cloudformation-template.yml file or any other folders in the local project.

After running amplify update auth
/build folder was created under backend/auth , containing the following files:

  • parameter.json
  • auth-trigger-cloudformation-template.json (auth-trigger-cloudformation-template.yml was removed)
  • auth-cloudformation-template.json (auth-cloudformation-template.yml was removed), which now includes
"UsernameConfiguration": {
          "CaseSensitive": false
}

cli-inputs.json, which was created under the backend/auth folder

I’m not quite sure about the UsernameConfiguration in the auth stack, since it’s a property of the AWS::Cognito::UserPool which is the one of the resource in auth stack. Is this what you mean?

[image]

If not, then I ran this command in the AWS console to check the details of the User Pool

aws cognito-idp describe-user-pool --user-pool-id "myUserPoolId"

The result is that there is no UsernameConfiguration defined in the User Pool either

@github-actions github-actions bot removed the pending-response Issue is pending response from the issue author label Aug 29, 2024
Member

ykethan commented Aug 29, 2024

Hey @JaysZila, on a bit of a deep dive, I noticed similar issues: #10846 and #10447. The comments #10846 (comment) and #10447 (comment) provided a workaround: removing the usernameCaseSensitive parameter fixed the issue.
Could you try this and let us know if this mitigates the issue?

@ykethan ykethan added the pending-response Issue is pending response from the issue author label Aug 29, 2024
Author

JaysZila commented Sep 5, 2024

@ykethan Thank you so much. After removing it, amplify push worked fine. However, I just noticed that after upgrading to Amplify CLI 12 and updating auth (walkthrough options with the same configuration when using amplify cli version 6), the number of resources in the auth category was reduced to 7 (from 11 before).

Do you have any idea why this might have happened? I’m not sure if it will affect the authentication flow or not.

Resources which were removed

  • UserPoolClientLambda
  • UserPoolClientLambdaPolicy
  • UserPoolClientLogPolicy
  • UserPoolClientInputs

No matter how I add it back to the CloudFormation file, after running amplify push, it always creates a build folder with the CloudFormation file containing only 7 resources.

@github-actions github-actions bot removed the pending-response Issue is pending response from the issue author label Sep 5, 2024
Member

ykethan commented Sep 6, 2024

Hey @JaysZila, this is currently the expected behavior and should not affect the authentication flow. The resources were refactored as part of our improvements to the Auth resource.

@ykethan ykethan added the pending-response Issue is pending response from the issue author label Sep 6, 2024
Member

ykethan commented Oct 21, 2024

Closing the issue due to inactivity. Do reach out to us if you are still experiencing this issue.

@ykethan ykethan closed this as not planned Won't fix, can't repro, duplicate, stale Oct 21, 2024

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
