When I try to import an aws:cognito:UserPoolClient...
# aws
p
When I try to import an aws:cognito:UserPoolClient I get 2 warnings. If I ignore the warnings and attempt the import anyway, I get a very basic resource imported with none of the config set. Then if I run a preview it wants to replace the client, and add all the settings (the settings were copied from the existing client in the first place). I haven't run an up as this is the live cognito pool on my test server, and the devs will be unable to work if it breaks things. But the warning claims this is a bug in the AWS provider, so I thought I'd report it here. I haven't tried updating all the libs, I'll do that next as maybe it has been fixed already...
l
If it is a bug, then you can live with it and work around it. Edit the code created by import to match what's actually there -- you can figure out the differences from the preview.
p
Nah there were no updates to the AWS libs and even on the latest I still get these warnings:
```
Diagnostics:
  aws:cognito:UserPoolClient (test-cognito-client):
    warning: One or more imported inputs failed to validate. This is almost certainly a bug in the `aws` provider. The import will still proceed, but you will need to edit the generated code after copying it into your program.
    warning: aws:cognito/userPoolClient:UserPoolClient resource 'test-cognito-client' has a problem: Missing required property 'userPoolId'

Resources:
    = 1 to import
```
l
The warning says it all:
but you will need to edit the generated code after copying it into your program.
p
This is the resource it creates:
```
{
  "urn": "urn:pulumi:test-cognito::infra-cognito::aws:cognito/userPoolClient:UserPoolClient::test-cognito-client",
  "custom": true,
  "id": "us-east-2_M8CtVEMCW5/5vkag2eve0jed2vq64r35gk7nt",
  "type": "aws:cognito/userPoolClient:UserPoolClient",
  "parent": "urn:pulumi:test-cognito::infra-cognito::pulumi:pulumi:Stack::infra-cognito-test-cognito",
  "protect": true,
  "provider": "urn:pulumi:test-cognito::infra-cognito::pulumi:providers:aws::AWSprovider::82869575-27a3-4ec1-8ee6-f75ec7092a8b",
  "created": "2025-09-30T17:46:22.247602892Z",
  "modified": "2025-09-30T17:46:22.247602892Z"
}
```
I have written the code before I started trying any imports
l
Eh?
So you used the `import` opt? Or did you use `pulumi import`?
p
pulumi import -s test-cognito --provider urn:pulumi:test-cognito::infra-cognito::pulumi:providers:aws::AWSprovider aws:cognito/userPoolClient:UserPoolClient test-cognito-client us-east-2_M8ABCDEF/5vkag2eabcdefghij64r35gk7nt
I get the warning when I run that.
if I ignore the warning it imports the barebones resource above
l
`pulumi import` does two things: creates the code, and creates the state that links the code with the resource in AWS. But if you already have the code, then you don't want that. Instead, you want just the import opt, which creates the state without the code.
p
if I then run a preview it wants to delete and recreate my Client
oooh
so how does the import opt work?
l
Did you put the code that `pulumi import` created into your code?
p
no
l
Good
Edit your code to match whatever the `pulumi preview` diff tells you
This will fix things
And in future, either write the code and use the `import` opt, or don't write the code and use `pulumi import`.
p
OK I'll go away and make fresh tea and then check the code I wrote matches the existing Client. I'm pretty sure it does, but I'll check. Thanks for the link to the docs, will also read them
l
Note the final line of that page:
Once a resource is successfully imported, remove the import option because Pulumi is now managing the resource.
p
oooh that looks much more like what I need.
l
It can't match: if it matched, it wouldn't be trying to delete and recreate.
p
but I think the issue is that the import failed, so the resource in the pulumi json isn't the same as the real one in AWS. When I run `pulumi refresh -s test-cognito --target urn:pulumi:test-cognito::infra-cognito::aws:cognito/userPoolClient:UserPoolClient::test-cognito-client` it says:
```
Previewing refresh (test-cognito):
     Type                           Name                        Plan
     pulumi:pulumi:Stack            infra-cognito-test-cognito
 -   └─ aws:cognito:UserPoolClient  test-cognito-client         delete

Resources:
    - 1 to delete
```
i.e. the resource in the stack isn't really linked to any real infra so it wants to delete the resource from the stack
But the import opt looks like a better plan anyway, so I'll go play with that
l
Yes. So to fix that, you change the code to match what's really in AWS. Then you run a `pulumi refresh`. Then everything is sorted.
Nothing in AWS gets changed.
p
No this is still very broken. I changed the code to have
}, {provider: provider, import: "us-east-2_M8CtVEMCW5/5vkagabcdefgh2vq64r35gk7nt"});
for the user pool client but it still gives me a warning:
```
warning: previously-imported resources that still specify an ID may not be replaced; please remove the `import` declaration from your program
```
and the preview says it will replace the UserPoolClient. When I look at the --diff it says that it will add parameters to the client such as:
```
      + refreshTokenValidity                    : 30
      + region                                  : "us-east-2"
      + supportedIdentityProviders              : [
      +     [0]: "COGNITO"
      +     [1]: "Google"
        ]
      + tokenValidityUnits                      : {
          + accessToken : "days"
          + idToken     : "days"
          + refreshToken: "days"
        }
```
but when I look in AWS those parameters are already set to those values in the existing client, the one it says it will replace. I do not wish to break my currently working user pool so I am not going to run the up. Can someone please fix this bug?
l
You have an import id and the message says to remove the import id. Fixing that won't fix your problem but will remove the confusing and unrelated warning message. Does the output from `pulumi up` say that this is a delete and create, or a delete-replace? If it is a delete-replace, does it say which property is causing the replacement? You may need to inspect the state file closely to figure out why Pulumi isn't detecting that the two resources aren't in fact the same resource. If you have a paid Pulumi subscription with support, I recommend contacting them and asking for help.
p
This is the line from pulumi preview
```
+-  ├─ aws:cognito:UserPoolClient    test-cognito-client                  replace     [diff: +accessTokenValidity,allowedOauthFlows,allowedOauthFlowsUserPoolClient,allowedOauthScopes,callbackUrls,enablePropagateAdditionalUserContextData,enableTokenRevocation,explicitAuthFlows,idTokenValidity,name,preventUserExistenceErrors,readAttributes,refreshTokenValidity,region,supportedIdentityProviders,tokenValidityUnits,userPoolId,writeAttributes]; 1 warning
```
the replace is purple and the diff elements are all green. I think that is a delete replace, but I'm not sure which of the elements causes the replacement.
l
Yes, that's a delete-replace. Let me check the doc page to see which properties it can be.
p
Sadly we don't pay for pulumi as we're a poor startup 😜 so no support option. I'll delve into the state file and see if I can work out what's awry. I also need to launch a new instance of our system shortly as part of our annual DR test, so I can test if the code makes a functional cognito setup and then maybe I'll be brave enough to run the replace
I imagine the name is one of the properties it can be
and that is a valid change, i.e. the name in AWS is not the same. So perhaps I can make it so that it is.
l
Ah yes, likely. If necessary, you can take this workaround which should work, but it's a bit onerous:
• Keep (or re-insert) the import ID for the user pool client.
• Change the name (and any other differently-valued property) in code to match what's in AWS
• Evict the user pool client from state via `pulumi state delete`.
• Run `pulumi up` again to re-import with everything.
If the code and AWS match properly, Pulumi can rebuild the state to match both, using this technique.
p
Yeah, I've done similar fiddles in the past with other infra.
l
Drift is a plague of IaC.
p
Thanks for the help, I think I'll leave it for tomorrow me to deal with.
šŸ‘ 1
I just re-ran the import and it gave me these warnings:
```
Diagnostics:
  aws:cognito:UserPoolClient (test-cognito-client):
    warning: One or more imported inputs failed to validate. This is almost certainly a bug in the `aws` provider. The import will still proceed, but you will need to edit the generated code after copying it into your program.
    warning: aws:cognito/userPoolClient:UserPoolClient resource 'test-cognito-client' has a problem: Missing required property 'userPoolId'

  pulumi:pulumi:Stack (infra-cognito-test-cognito):
    warning: refresh operation is using an older version of package 'aws' than the specified program version: 7.7.0 < 7.8.0

Resources:
    = 1 imported
    7 unchanged

Duration: 4s
```
and the code it spat out for the new client is:
```
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const test_cognito_client = new aws.cognito.UserPoolClient("test-cognito-client", {userPoolId: ""}, {
    provider: provider,
    protect: true,
});
```
Which doesn't look like it will make the fully featured client which exists in AWS.
and this is the json it wrote to the state file
```
{
  "urn": "urn:pulumi:test-cognito::infra-cognito::aws:cognito/userPoolClient:UserPoolClient::test-cognito-client",
  "custom": true,
  "id": "us-east-2_M8CtVEMCW5/5vkag2eve0jed2vq64r35gk7nt",
  "type": "aws:cognito/userPoolClient:UserPoolClient",
  "parent": "urn:pulumi:test-cognito::infra-cognito::pulumi:pulumi:Stack::infra-cognito-test-cognito",
  "protect": true,
  "provider": "urn:pulumi:test-cognito::infra-cognito::pulumi:providers:aws::AWSprovider::82869575-27a3-4ec1-8ee6-f75ec7092a8b",
  "created": "2025-10-10T15:51:19.084168089Z",
  "modified": "2025-10-10T15:51:19.084168089Z"
}
```
I guess I need to edit the statefile by hand to match what is in AWS and my pre-written code, and then hopefully the up won't want to do a delete-replace and a refresh will agree about the configuration of the existing state.
I updated the statefile to look like:
Untitled.jsonld
and then copied it back to the bucket but the preview still wants to delete replace and add lots of things which are already set e.g.
```
      + writeAttributes                         : [
      +     [0]: "address"
      +     [1]: "birthdate"
      +     [2]: "email"
      +     [3]: "family_name"
      +     [4]: "gender"
      +     [5]: "given_name"
      +     [6]: "locale"
      +     [7]: "middle_name"
      +     [8]: "name"
      +     [9]: "nickname"
      +     [10]: "phone_number"
      +     [11]: "picture"
      +     [12]: "preferred_username"
      +     [13]: "profile"
      +     [14]: "updated_at"
      +     [15]: "website"
      +     [16]: "zoneinfo"
        ]
```
I'll try a completely fresh stack and infra and see if it creates a working client and then come back to trying to make the import work.
l
Generally, updating the state file by hand is the last recourse. I'd work on getting the code and cloud to match, then use `up` and/or `refresh` until Pulumi untwists its knickers. But sometimes a manual edit is required, unfortunately.