(cognito): Client Secret handler resource update breaks references

[laurelmay]

Describe the bug

In #23591 installLatestAwsSdk. This results in a resource update for custom resources. The custom resource that fetches the client secret does not have an onUpdate handler (https://github.com/aws/aws-cdk/blame/0798876e5e6c1a665033c759aed3bc0eab05a892/packages/%40aws-cdk/aws-cognito/lib/user-pool-client.ts#L449).

When the update occurs, the response object does not have a UserPoolClient.ClientSecret field, resulting in failures when .userPoolClientSecret is referenced.

This results in stacks that fail to update

Expected Behavior

Updates should happen gracefully. The same content as the onCreate handler should be run for update events.

Current Behavior

There is no update handler. Updates fail with an error like:

CustomResource attribute error: Vendor response doesn't contain UserPoolClient.ClientSecret key in object arn:aws-us-gov:cloudformation:us-gov-west-1:123456789012:stack/StackName/UUID|ResourceId|UUID in S3 bucket cloudformation-custom-resource-storage-usgovwest1

CloudWatch Logs shows:

{
    "RequestType": "Update",
    "ResourceType": "Custom::DescribeCognitoUserPoolClient",
    "ResourceProperties": {
        "ServiceToken": "...",
        "InstallLatestAwsSdk": "true",
        "Create": "{\"region\":\"us-gov-west-1\",\"service\":\"CognitoIdentityServiceProvider\",\"action\":\"describeUserPoolClient\",\"parameters\":{\"UserPoolId\":\"...\",\"ClientId\":\"...\"},\"physicalResourceId\":{\"id\":\"...\"}}"
    },
    "OldResourceProperties": {
        "ServiceToken": "...",
        "InstallLatestAwsSdk": "false",
        "Create": "{\"region\":\"us-gov-west-1\",\"service\":\"CognitoIdentityServiceProvider\",\"action\":\"describeUserPoolClient\",\"parameters\":{\"UserPoolId\":\"...\",\"ClientId\":\"...\"},\"physicalResourceId\":{\"id\":\"...\"}}"
    }
}

{
    "Status": "SUCCESS",
    "Reason": "OK",
    "PhysicalResourceId": "...",
    "StackId": "...",
    "RequestId": "...",
    "LogicalResourceId": "...",
    "NoEcho": false,
    "Data": {}
}

I can confirm, but do not want to share, the contents of the Create object match between the two events.

Reproduction Steps

• use a version of the CDK prior to fix(aws-custom-resource): switch off installLatestAwsSdk by default #23591

import * as cdk from "aws-cdk-lib";
import * as cognito from "aws-cdk-lib/aws-cognito";
import * as secretsmanager from "aws-cdk-lib/aws-secretsmanager";

const app = new cdk.App();
const stack = new cdk.Stack(app, 'TestStack');
const userPool = new cognito.UserPool(stack, 'UserPool');
const client = userPool.addClient('TestClient', { generateSecret: true });
const secret = new secretsmanager.Secret(stack, 'ClientSecret', {
  secretStringValue: client.userPoolClientSecret;
});

• update the stack using v2.61.1

Possible Solution

Copy the onCreate handler to onUpdate.

Additional Information/Context

Typically, if the User Pool ID or the User Pool Client ID changes, the User Pool Client Secret would too. But other properties passed to the resource can change (like installLatestAwsSdk) and this will result in a resource update

CDK CLI Version

2.61.1

Framework Version

No response

Node.js Version

16

OS

Linux

Language

Typescript

Language Version

No response

Other information

I am preparing a patch that implements the suggested fix.

[Mattias-]

Thanks for the report, I'm seeing the same issue. From the changelog it seems like this could be related to the Cognito changes introduced in 2.60.0 #23796

[laurelmay]

@Mattias- It was a changed introduced in 2.60.0; however, it was actually the "aws-custom-resource: switch off installLatestAwsSdk by default" fix instead of the Cognito one. At least for the specific issue above.

The new feature that relates to client secrets is for configuring the Google IdP and specifying a Secrets Manager secret for its clientSecretValue.

But I do worry other custom resources may have similar issues due to #23591. It'd be probably any custom resource that specifies onCreate but not onUpdate, had installLatestAwsSdk changed to false, and has a reference to its return value. So I think that could include:

• AcceleratorSecurityGroupPeer.fromVpc:

  aws-cdk/packages/@aws-cdk/aws-globalaccelerator/lib/_accelerator-security-group.ts

  Lines 31 to 60 in ba14612

  	const lookupAcceleratorSGCustomResource = new AwsCustomResource(scope, id + 'CustomResource', {
  	onCreate: {
  	service: 'EC2',
  	action: 'describeSecurityGroups',
  	parameters: {
  	Filters: [
  	{
  	Name: 'group-name',
  	Values: [
  	globalAcceleratorSGName,
  	],
  	},
  	{
  	Name: 'vpc-id',
  	Values: [
  	vpc.vpcId,
  	],
  	},
  	],
  	},
  	// We get back a list of responses, but the list should be of length 0 or 1
  	// Getting no response means no resources have been linked to the AGA
  	physicalResourceId: PhysicalResourceId.fromResponse(ec2ResponseSGIdField),
  	},
  	policy: AwsCustomResourcePolicy.fromSdkCalls({
  	resources: AwsCustomResourcePolicy.ANY_RESOURCE,
  	}),
  	// APIs are available in 2.1055.0
  	installLatestAwsSdk: false,
  	});

• Table.addPartitionIndex:

  aws-cdk/packages/@aws-cdk/aws-glue/lib/table.ts

  Lines 369 to 390 in ba14612

  	const partitionIndexCustomResource = new cr.AwsCustomResource(this, `partition-index-${indexName}`, {
  	onCreate: {
  	service: 'Glue',
  	action: 'createPartitionIndex',
  	parameters: {
  	DatabaseName: this.database.databaseName,
  	TableName: this.tableName,
  	PartitionIndex: {
  	IndexName: indexName,
  	Keys: index.keyNames,
  	},
  	},
  	physicalResourceId: cr.PhysicalResourceId.of(
  	indexName,
  	),
  	},
  	policy: cr.AwsCustomResourcePolicy.fromSdkCalls({
  	resources: cr.AwsCustomResourcePolicy.ANY_RESOURCE,
  	}),
  	// APIs are available in 2.1055.0
  	installLatestAwsSdk: false,
  	});

  It doesn't seem like the output is used
• EmrContainerStartJobRun.updateRoleTrustPolicy:

  aws-cdk/packages/@aws-cdk/aws-stepfunctions-tasks/lib/emrcontainers/start-job-run.ts

  Lines 330 to 345 in ba14612

  	const eksClusterInfo = new cr.AwsCustomResource(this, 'GetEksClusterInfo', {
  	onCreate: {
  	service: 'EMRcontainers',
  	action: 'describeVirtualCluster',
  	parameters: {
  	id: this.props.virtualCluster.id,
  	},
  	outputPaths: ['virtualCluster.containerProvider.info.eksInfo.namespace', 'virtualCluster.containerProvider.id'],
  	physicalResourceId: cr.PhysicalResourceId.of('id'),
  	},
  	policy: cr.AwsCustomResourcePolicy.fromSdkCalls({
  	resources: cr.AwsCustomResourcePolicy.ANY_RESOURCE,
  	}),
  	// APIs are available in 2.1055.0
  	installLatestAwsSdk: false,
  	});

Also anyone else who uses any AwsCustomResource, directly or indirectly would be impacted if they change the feature flag of their existing app and that definition doesn't specify onUpdate.

[joelgarrett]

This seems to still be broken in 2.62.x and 2.63.x versions.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[alexb-uk]

For anyone else that ends up here, I can confirm that this is still an issue for AcceleratorSecurityGroupPeer.fromVpc:

CustomResource attribute error: Vendor response doesn't contain SecurityGroups.0.GroupId key in object arn:aws:cloudformation:eu-west-1:xxxxx:stack/test/aa-bb-cc|AcceleratorListenerAcceleratorGroupGlobalAcceleratorSGCustomResource0000|cc-bb-aa in S3 bucket cloudformation-custom-resource-storage-euwest1

when running the latest CDK 2.75.0

[denyskublytskyi]

Same error with the latest CDK 2.75.1

CustomResource attribute error: Vendor response doesn't contain UserPoolClient.ClientSecret key in object

[markusz]

Fixed in 2.79.1