Hi - I’m trying to create a Cognito User Pool &...
# awss
swift-account-41358
12/13/2024, 12:18 PMHi - I’m trying to create a Cognito User Pool & Cognito App Client set up which allows both user/pass sign in and SAML. Previously this was achieved using CDK and worked fine and I’m trying to migrate to using Pulumi (we were using SST v2 and are migrating to v3)
Creating a standard pool without SAML seems to be ok. however, once I add the creation of a
awsNative.cognito.UserPoolIdentityProvider Copy code
Error: 13 INTERNAL: Request message serialization failure: b.Va is not a function
at callErrorFromStatus (/Users/rosscoundon/Documents/GitHub/omw-pso-be/.sst/platform/node_modules/@grpc/grpc-js/src/call.ts:82:17)
at Object.onReceiveStatus (/Users/rosscoundon/Documents/GitHub/omw-pso-be/.sst/platform/node_modules/@grpc/grpc-js/src/client.ts:360:55)
at Object.onReceiveStatus (/Users/rosscoundon/Documents/GitHub/omw-pso-be/.sst/platform/node_modules/@grpc/grpc-js/src/client-interceptors.ts:458:34)
at Object.onReceiveStatus (/Users/rosscoundon/Documents/GitHub/omw-pso-be/.sst/platform/node_modules/@grpc/grpc-js/src/client-interceptors.ts:419:48)
at /Users/rosscoundon/Documents/GitHub/omw-pso-be/.sst/platform/node_modules/@grpc/grpc-js/src/resolving-call.ts:132:24
at processTicksAndRejections (node:internal/process/task_queues:77:11)
for call at
time=2024-12-13T12:04:30.020Z level=INFO msg="INFO unlocking app=omw-pso-be stage=local-dev"
at ServiceClientImpl.makeUnaryRequest (/Users/rosscoundon/Documents/GitHub/omw-pso-be/.sst/platform/node_modules/@grpc/grpc-js/src/client.ts:325:42)
at ServiceClientImpl.registerResourceOutputs (/Users/rosscoundon/Documents/GitHub/omw-pso-be/.sst/platform/node_modules/@grpc/grpc-js/src/make-client.ts:189:15)
at /Users/rosscoundon/Documents/GitHub/omw-pso-be/.sst/platform/node_modules/@pulumi/runtime/resource.ts:1161:33
at new Promise (<anonymous>)
at Object.<anonymous> (/Users/rosscoundon/Documents/GitHub/omw-pso-be/.sst/platform/node_modules/@pulumi/runtime/resource.ts:1160:21)
at Generator.next (<anonymous>)
at fulfilled (/Users/rosscoundon/Documents/GitHub/omw-pso-be/.sst/platform/node_modules/@pulumi/pulumi/runtime/resource.js:18:58)
at processTicksAndRejections (node:internal/process/task_queues:95:5) {
code: 13,
details: 'Request message serialization failure: b.Va is not a function',
metadata: Metadata { internalRepr: Map(0) {}, options: {} },
promise: Promise { <rejected> [Circular *1] }
}swift-account-41358
12/13/2024, 12:20 PMThe code looks like this:
Copy code
import * as awsNative from '@pulumi/aws-native';
import { UserPoolClientArgs } from '@pulumi/aws/cognito';
import getRetainOnDelete from '../helpers/utils/getRetainOnDelete';
import { CognitoUserPoolArgs } from '../../.sst/platform/src/components/aws';
const SAML_PROVIDER_NAME = process.env.SAML_PROVIDER_NAME || 'SingleSignOn';
const VALID_EMAIL_DOMAINS = process.env.VALID_EMAIL_DOMAINS;
const DEMO_PERMISSIONS = process.env.DEMO_PERMISSIONS || 'false';
const standardAttributes = [
'name',
'family_name',
'given_name',
'middle_name',
'nickname',
'preferred_username',
'profile',
'picture',
'website',
'gender',
'birthdate',
'zoneinfo',
'locale',
'updated_at',
'address',
'email',
'phone_number',
'sub',
];
const retainOnDelete = getRetainOnDelete();
const clientReadAttributes = structuredClone(standardAttributes);
const cognitoUserPoolArgs: CognitoUserPoolArgs = {
transform: {
userPool: (args, opts) => {
opts.retainOnDelete = retainOnDelete;
args.aliasAttributes = ['email'];
args.autoVerifiedAttributes = ['email'];
// Missing selfSignUpEnabled: true,
args.passwordPolicy = {
minimumLength: 8,
requireLowercase: true,
requireNumbers: true,
requireSymbols: false,
requireUppercase: true,
};
args.accountRecoverySetting = {
recoveryMechanisms: [
{
name: 'verifiedEmail',
priority: 1,
},
],
};
args.emailVerificationSubject = 'Your Appointment Assistant Portal verification code';
args.emailVerificationMessage =
'Thanks for signing up to the Appointment Assistant Portal! Your verification code is {####}';
// missing emailStyle: cognito.VerificationEmailStyle.CODE,
},
},
};
const cognitoUserPool = new aws.cognito.UserPool(`${$app.stage}-cognitoUserPool`, cognitoUserPoolArgs);
const samlProviderArgs: awsNative.cognito.UserPoolIdentityProviderArgs = {
providerType: 'SAML',
providerName: SAML_PROVIDER_NAME,
userPoolId: cognitoUserPool.id,
attributeMapping: {
email: '<http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress>',
},
providerDetails: {
IDPInit: 'true',
IDPSignout: 'true',
EncryptedResponses: 'true',
MetadataURL: process.env.SAML_METADATA_URL,
RequestSigningAlgorithm: 'rsa-sha256',
},
};
console.log('about to create samlProvider');
const samlProvider = new awsNative.cognito.UserPoolIdentityProvider(`${$app.stage}-samlIdentityProvider`, samlProviderArgs);
console.log('created samlProvider');
let userPoolClientArgs: UserPoolClientArgs = {
userPoolId: cognitoUserPool.id,
name: `${$app.stage}-cognitoUserPoolClient`,
generateSecret: false,
readAttributes: clientReadAttributes,
supportedIdentityProviders: ['COGNITO'],
explicitAuthFlows: ['ALLOW_USER_SRP_AUTH', 'ALLOW_REFRESH_TOKEN_AUTH'],
};
if (process.env.SAML_METADATA_URL) {
if (!process.env.PORTAL_URL) {
throw new Error('PORTAL_URL environment variable is required');
}
userPoolClientArgs = {
...userPoolClientArgs,
preventUserExistenceErrors: 'ENABLED',
allowedOauthFlows: ['code'],
allowedOauthScopes: ['email', 'openid', 'profile', 'aws.cognito.signin.user.admin'],
allowedOauthFlowsUserPoolClient: true,
defaultRedirectUri: `${process.env.PORTAL_URL}/dashboard`,
callbackUrls: [
process.env.PORTAL_URL,
`${process.env.PORTAL_URL}/dashboard`,
`${process.env.PORTAL_URL}/sso`,
`${process.env.PORTAL_URL}/signin`,
],
supportedIdentityProviders: [SAML_PROVIDER_NAME, 'COGNITO'],
};
}
console.log('about to create cognitoUserPoolClient');
const cognitoUserPoolClient = new aws.cognito.UserPoolClient(`${$app.stage}-cognitoUserPoolClient`, userPoolClientArgs);
console.log('created cognitoUserPoolClient');
export { cognitoUserPool, cognitoUserPoolClient };swift-account-41358
12/13/2024, 1:08 PMAfter battling with this for a while, I switched to
@pulumi/aws@pulumi/aws-nativeIDPInit: 'true'g
great-sunset-355
12/16/2024, 8:34 AMI wanted to add.. rule no.1 … avoid
aws-natives
swift-account-41358
12/16/2024, 8:59 AMI see, thanks for the advice, I’m very new to this ecosystem so shared and shown battle scars are very welcome
g
great-sunset-355
12/16/2024, 10:37 AManother good thing to know is that 90% of pulumi providers are ported from terraform so it is often useful to search the terraform problem instead of pulumi
s
swift-account-41358
12/16/2024, 10:47 AMI see, good advice. Thank you
q
quick-house-41860
12/17/2024, 9:53 AMThis might be an issue with incompatible protobuf versions in your
node_modulesnode_modules8 Views