Unable to deploy subscription auth resolvers after upgrading amplify cli

[rezab777]

How did you install the Amplify CLI?

No response

If applicable, what version of Node.js are you using?

No response

Amplify CLI Version

12.0.0

What operating system are you using?

Windows

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No

Describe the bug

I had been using amplify cli version 10.5.1 until I upgraded to the latest version i.e. amplify cli version 12.0.0 in order to use the --minify flag ( the flag did not work as expected in version 10.5.1) .

We are overriding all the auth resolvers as we're using Lambda authorization.

I have noticed that there has been additional logic added to the auth resolvers in the newest version (12.0.0) , namely to search (related to the @searchable directive) and subscription (graphql) auth resolvers .

So I went ahead and updated the search and subscriptions resolvers so they include the latest updates .

Here is what the issue is:

I was able to push the auth resolvers related to search e.g. Query.searchMeasurements.auth.1.req.vtl .
But the updated auth resolvers related to graphql subscriptions cause the push to fail with the error message

The following resources failed to deploy:
Resource Name: ▀▀▀redacted▀▀▀ (AWS::CloudFormation::Stack)
Event Type: update
Reason: Circular dependency between resources: [SearchableStack, ▀▀▀redacted▀▀▀]
URL: https://console.aws.amazon.com/cloudformation/home?region=▀▀▀redacted▀▀▀#/stacks/arn%3Aaws%3Acloudformation%3A▀▀▀redacted▀▀▀


Resource is not in the state stackUpdateComplete
Name: ▀▀▀redacted▀▀▀ (AWS::CloudFormation::Stack), Event Type: update, Reason: Circular dependency between resources: [▀▀▀redacted▀▀▀], ▀▀▀redacted▀▀▀

Expected behavior

After updating the custom auth resolvers, changes should deploy.

Reproduction steps

1. Override graphql subscription resolvers generated by version 10.5.1 by placing it in the resolvers folder. e.g. Subscription.onCreateCustomer.auth.1.req.vtl
2. Try to push with amplify version 12.0.0

Project Identifier

Project Identifier: 888164d0a62c44d3956d89db2613c7ec

Session Identifier: 0e8bf909-bc9d-4c5e-a038-cac108108654

Log output

# Put your logs below this line

Additional information

No response

Before submitting, please confirm:

• I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
• I have removed any sensitive information from my code snippets and submission.

[AnilMaktala]

Hey @rezab777, Thank you for reporting this issue. Please try the instructions provided below and inform us if they successfully resolve the issue you are facing,

1. Update the CLI to the latest version (12.0.3).
2. Add the property "DisableResolverDeduping": true to the ./amplify/backend//transform.conf.json file.
3. Execute the command amplify api gql-compile.
4. Finally, run amplify push. This should successfully push the changes.

[rezab777]

Thank you @AnilMaktala . The solution you suggested fixed the issue with pushing the resolvers to the cloud .

I am still seeing an error when starting a subscription though. Here's the error:

Error: {
    "errors": [
        {
            "message": "Connection failed: AuthorizerFailureException"
        }
    ]
}
    at Object.error (https://a.b.cdn.console.awsstatic.com/a/v1/UUEPSESYMZITODOR7COQDRMIBJCTVRNH7OA3IVA3TZXO2F6Y5FZQ/main.js:2:4940409)
    at b (https://a.b.cdn.console.awsstatic.com/a/v1/UUEPSESYMZITODOR7COQDRMIBJCTVRNH7OA3IVA3TZXO2F6Y5FZQ/main.js:2:4369146)
    at A (https://a.b.cdn.console.awsstatic.com/a/v1/UUEPSESYMZITODOR7COQDRMIBJCTVRNH7OA3IVA3TZXO2F6Y5FZQ/main.js:2:4369603)
    at e.value (https://a.b.cdn.console.awsstatic.com/a/v1/UUEPSESYMZITODOR7COQDRMIBJCTVRNH7OA3IVA3TZXO2F6Y5FZQ/main.js:2:4370220)
    at Gh.<anonymous> (https://a.b.cdn.console.awsstatic.com/a/v1/UUEPSESYMZITODOR7COQDRMIBJCTVRNH7OA3IVA3TZXO2F6Y5FZQ/main.js:2:4928467)
    at Generator.throw (<anonymous>)
    at s (https://a.b.cdn.console.awsstatic.com/a/v1/UUEPSESYMZITODOR7COQDRMIBJCTVRNH7OA3IVA3TZXO2F6Y5FZQ/main.js:2:4925355)

If this is not helpful, please let me know if I can provide more info .

Thanks

[AnilMaktala]

Hey @rezab777, Sorry for the delay. Would it be possible for you to share the Subscription.onCreateCustomer.auth.1.req.vtl file with us?

[rezab777]

Hi @AnilMaktala
Sure please find below;

## [Start] Authorization Steps. **
$util.qr($ctx.stash.put("hasAuth", true))
#set( $isAuthorized = false )

## BEGIN LAMBDA AUTHORIZATION 
#if( $util.authType() == "Lambda Authorization" )
  #if( !$isAuthorized )
    #set( $staticGroupRoles = [{"claim":"cognito:groups","entity":"Admin"}] )
    #foreach( $groupRole in $staticGroupRoles )
      #set( $groupsInToken = $util.defaultIfNull($ctx.identity.resolverContext.get($groupRole.claim).split(","), []) )
      #if( $groupsInToken.contains($groupRole.entity) )
        #set( $isAuthorized = true )
        #break
      #end
    #end
  #end
  #set( $hasValidOwnerArgument = false )
  #set( $authRuntimeFilter = [] )
  #set( $authOwnerRuntimeFilter = [] )
  #set( $authGroupRuntimeFilter = [] )
  #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.resolverContext.owner, null) )
  #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.resolverContext.username, $util.defaultIfNull($ctx.identity.resolverContext.get("cognito:username"), null)) )
  #if( !$util.isNull($ownerClaim0) && !$util.isNull($currentClaim1) )
    #set( $ownerClaim0 = "$ownerClaim0::$currentClaim1" )
    #set( $ownerClaimsList0 = [] )
    $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.resolverContext.owner, null)))
    $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.resolverContext.username, $util.defaultIfNull($ctx.identity.resolverContext.get("cognito:username"), null))))
    $util.qr($authOwnerRuntimeFilter.add({ "owner": { "eq": $currentClaim1 } }))
    #set( $ownerEntity0 = $util.defaultIfNull($ctx.args.owner, null) )
    #if( !$isAuthorized && !$util.isNullOrEmpty($ownerEntity0) )
      #if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) )
        #set( $isAuthorized = true )
        #set( $hasValidOwnerArgument = true )
      #else
        $util.unauthorized()
      #end
    #end
  #end
  ## Apply dynamic roles auth if not previously authorized by static groups and owner argument **
  #if( $authOwnerRuntimeFilter.size() > 0 )
    $util.qr($authRuntimeFilter.addAll($authOwnerRuntimeFilter))
  #end
  #if( $authGroupRuntimeFilter.size() > 0 )
    $util.qr($authRuntimeFilter.addAll($authGroupRuntimeFilter))
  #end
  #set( $filterArgsSize = 0 )
  #if( !$util.isNullOrEmpty($ctx.args.filter) )
    #set( $filterArgsSize = $ctx.args.filter.size() )
  #end
  #set( $isOwnerAuthAuthorizedAndNoOtherFilters = $hasValidOwnerArgument && $authRuntimeFilter.size() == 1 && $filterArgsSize == 0 )
  #set( $isOwnerOrDynamicAuthAuthorizedWithFilters = (!$isAuthorized || $hasValidOwnerArgument) && $authRuntimeFilter.size() > 0 )
  #if( !$isOwnerAuthAuthorizedAndNoOtherFilters && $isOwnerOrDynamicAuthAuthorizedWithFilters )
    #if( $util.isNullOrEmpty($ctx.args.filter) )
      #set( $ctx.args.filter = { "or": $authRuntimeFilter } )
    #else
      #set( $ctx.args.filter = { "and": [ { "or": $authRuntimeFilter }, $ctx.args.filter ]} )
    #end
    #set( $isAuthorized = true )
  #end
#end
## END LAMBDA AUTHORIZATION

#if( $util.authType() == "IAM Authorization" )
  #set( $adminRoles = ["example-role-1", "example-role-2"] )
  #foreach( $adminRole in $adminRoles )
    #if( $ctx.identity.userArn.contains($adminRole) && $ctx.identity.userArn != $ctx.stash.authRole && $ctx.identity.userArn != $ctx.stash.unauthRole )
      #return($util.toJson({}))
    #end
  #end
  #if( !$isAuthorized )
    #if( $ctx.identity.userArn == $ctx.stash.unauthRole )
      #set( $isAuthorized = true )
    #end
  #end
#end
#if( $util.authType() == "User Pool Authorization" )
  #if( !$isAuthorized )
    #set( $staticGroupRoles = [{"claim":"cognito:groups","entity":"Admin"}] )
    #foreach( $groupRole in $staticGroupRoles )
      #set( $groupsInToken = $util.defaultIfNull($ctx.identity.claims.get($groupRole.claim), []) )
      #if( $groupsInToken.contains($groupRole.entity) )
        #set( $isAuthorized = true )
        #break
      #end
    #end
  #end
  #set( $hasValidOwnerArgument = false )
  #set( $authRuntimeFilter = [] )
  #set( $authOwnerRuntimeFilter = [] )
  #set( $authGroupRuntimeFilter = [] )
  #set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get("sub"), null) )
  #set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get("username"), $util.defaultIfNull($ctx.identity.claims.get("cognito:username"), null)) )
  #if( !$util.isNull($ownerClaim0) && !$util.isNull($currentClaim1) )
    #set( $ownerClaim0 = "$ownerClaim0::$currentClaim1" )
    #set( $ownerClaimsList0 = [] )
    $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get("sub"), null)))
    $util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get("username"), $util.defaultIfNull($ctx.identity.claims.get("cognito:username"), null))))
    $util.qr($authOwnerRuntimeFilter.add({ "owner": { "eq": $currentClaim1 } }))
    #set( $ownerEntity0 = $util.defaultIfNull($ctx.args.owner, null) )
    #if( !$isAuthorized && !$util.isNullOrEmpty($ownerEntity0) )
      #if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) )
        #set( $isAuthorized = true )
        #set( $hasValidOwnerArgument = true )
      #else
        $util.unauthorized()
      #end
    #end
  #end
  ## Apply dynamic roles auth if not previously authorized by static groups and owner argument **
  #if( $authOwnerRuntimeFilter.size() > 0 )
    $util.qr($authRuntimeFilter.addAll($authOwnerRuntimeFilter))
  #end
  #if( $authGroupRuntimeFilter.size() > 0 )
    $util.qr($authRuntimeFilter.addAll($authGroupRuntimeFilter))
  #end
  #set( $filterArgsSize = 0 )
  #if( !$util.isNullOrEmpty($ctx.args.filter) )
    #set( $filterArgsSize = $ctx.args.filter.size() )
  #end
  #set( $isOwnerAuthAuthorizedAndNoOtherFilters = $hasValidOwnerArgument && $authRuntimeFilter.size() == 1 && $filterArgsSize == 0 )
  #set( $isOwnerOrDynamicAuthAuthorizedWithFilters = (!$isAuthorized || $hasValidOwnerArgument) && $authRuntimeFilter.size() > 0 )
  #if( !$isOwnerAuthAuthorizedAndNoOtherFilters && $isOwnerOrDynamicAuthAuthorizedWithFilters )
    #if( $util.isNullOrEmpty($ctx.args.filter) )
      #set( $ctx.args.filter = { "or": $authRuntimeFilter } )
    #else
      #set( $ctx.args.filter = { "and": [ { "or": $authRuntimeFilter }, $ctx.args.filter ]} )
    #end
    #set( $isAuthorized = true )
  #end
#end
#if( !$isAuthorized )
$util.unauthorized()
#end
$util.toJson({"version":"2018-05-29","payload":{}})
## [End] Authorization Steps. **

[AnilMaktala]

Hi @rezab777, Thank you for sharing the VTL. Could you please clarify the type of authentication the logged-in user is using to initiate the subscription? Specifically, we would like to know if the user belongs to the admin Cognito user group or if they are the owner of the create mutation.

[rezab777]

Hi @AnilMaktala

Apologies for the confusion and lack of adequate testing on our end.

To clarify :

• We are using 3 auth methods for the endpoint : IAM, Cognito and Lambda .
• I did more testing and subscriptions work just fine when using IAM and Cognito auth ( both when part of the Admin group or otherwise ) ,
• When using Lambda auth, the auth error appears when the user is only part of the Client group ( we have 2 cognito groups, Admin and Client ). But when part of the admin group , the subscription works fine. So the problem appears to arise only when being part of the Client cognito group and using Lambda auth .

Please let me know if I can provide further information.

Thanks

[AnilMaktala]

Hey @rezab777, Thank you for providing clarification. It appears that the previous project identifier has expired. Could you please run below command and send us the report and share us the project identifier again.
amplify diagnose --send-report
please refer here

[rezab777]

@AnilMaktala
Sure here
Project Identifier: 888164d0a62c44d3956d89db2613c7ec

[AnilMaktala]

Hey @rezab777,Thank you for sharing the diagnose report. Upon reviewing the customer model, it appears that only the admin group is configured in the schema. Are you considering the client group as a dynamic group in this context?

[rezab777]

@AnilMaktala
Hi and sorry for the late response.
To answer the question, no we are not considering the client group as a dynamic group.

[AnilMaktala]

Hey @rezab777, Sorry for delay. Are you still experiencing this issue?

[AnilMaktala]

Hey 👋 , This issue is being closed due to inactivity. If you are still experiencing the same problem and need further assistance, please feel free to leave a comment. This will enable us to reopen the issue and provide you with the necessary support.

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.