
cognito-idp update-user-pool Overwrites Lambda Triggers When Not Specified In The Command #6839

@kurtislamb

Description


Describe the bug

When calling cognito-idp update-user-pool to update the --admin-create-user-config option, the CLI overwrites or drops the Lambda Triggers (--lambda-config) even though they are not specified.

Expected Behavior

When calling the AWS CLI with aws cognito-idp update-user-pool --user-pool-id $USER_POOL_ID --admin-create-user-config "$JSON" I expected only the --admin-create-user-config to be updated and all other existing cognito options to remain unchanged.

Current Behavior

When calling the AWS CLI with aws cognito-idp update-user-pool --user-pool-id $USER_POOL_ID --admin-create-user-config "$JSON", the --lambda-config is removed, thus removing the Lambda triggers from the Cognito User Pool Properties.

Note: the JSON used above is built as follows.

JSON=$(jq --null-input \
  --arg admin_create_only "$ALLOW_ADMIN_CREATE_USER_ONLY" \
  --arg sms_message "$SMS_MESSAGE_STRING" \
  --arg email_message "$EMAIL_MESSAGE_STRING" \
  --arg email_subject "$EMAIL_SUBJECT" \
  '{
    "AllowAdminCreateUserOnly": ($admin_create_only == "true"),
    "InviteMessageTemplate": {
      "SMSMessage": ($sms_message | @text),
      "EmailMessage": ($email_message | @text),
      "EmailSubject": ($email_subject | @text)
    }
  }')

echo $JSON

Reproduction Steps

To recreate, take an existing User Pool with a Lambda Trigger attached.

Observe the Lambda Triggers attached by navigating to the User Pool Properties page, like so (screenshot omitted).

Run an update to that user pool's --admin-create-user-config using the script below (note: we use Terraform to call this, so the variables have been substituted at the top of the script for ease).

ALLOW_ADMIN_CREATE_USER_ONLY="true"
SMS_MESSAGE_STRING="You've been invited to join Project. Please login using username {username} and password {####}"
EMAIL_MESSAGE_STRING="This is the email message which for {username} which will be updated {####}"
EMAIL_SUBJECT="You've been invited to Project"
USER_POOL_ID="<user pool id>"

JSON=$(jq --null-input \
  --arg admin_create_only "$ALLOW_ADMIN_CREATE_USER_ONLY" \
  --arg sms_message "$SMS_MESSAGE_STRING" \
  --arg email_message "$EMAIL_MESSAGE_STRING" \
  --arg email_subject "$EMAIL_SUBJECT" \
  '{
    "AllowAdminCreateUserOnly": ($admin_create_only == "true"),
    "InviteMessageTemplate": {
      "SMSMessage": ($sms_message | @text),
      "EmailMessage": ($email_message | @text),
      "EmailSubject": ($email_subject | @text)
    }
  }')

echo $JSON

aws cognito-idp update-user-pool --user-pool-id $USER_POOL_ID --admin-create-user-config "$JSON"

Now observe the User Pool Properties again and the Lambda triggers are gone, like so (screenshot omitted).

Possible Solution

The update-user-pool command should only update the options that are specified and ignore all others. This means the user would only expect the items they have specified to be updated.

For example, running aws cognito-idp update-user-pool --user-pool-id $USER_POOL_ID --admin-create-user-config "$JSON" should only result in the --admin-create-user-config being updated, and any other options like --lambda-config should remain the same as they were before the command was run.

Additional Information/Context

The initial creation of our User Pool is done via Terraform; the reason we call the AWS CLI this way is that Terraform creates a circular dependency between creating the Cognito user pool and passing the User Pool ID in at creation.

We split this up by deploying the Cognito User Pool first, then afterwards making an update to the User Pool using the null_resource below, which makes the above-mentioned AWS CLI call. The Lambda-config elements are deployed by Terraform and work correctly until the email is updated using aws cognito-idp update-user-pool --user-pool-id $USER_POOL_ID --admin-create-user-config "$JSON".

resource "null_resource" "cognito_email_message" {
  provisioner "local-exec" {
    command = "./${path.module}/lib/cognito/cognito-update-email.sh"

    interpreter = ["/bin/sh", "-c"] // for docker support

    environment = {
      ALLOW_ADMIN_CREATE_USER_ONLY = true
      EMAIL_MESSAGE_STRING         = data.template_file.invite_email_message.rendered
      EMAIL_SUBJECT                = local.invite_email_subject
      SMS_MESSAGE_STRING           = local.invite_sms_message_string
      USER_POOL_ID                 = aws_cognito_user_pool.pool.id
    }
  }
  triggers = {
    config_hash        = sha256(data.template_file.invite_email_message.rendered)
    EMAIL_SUBJECT      = local.invite_email_subject
    SMS_MESSAGE_STRING = local.invite_sms_message_string
  }
}

CLI version used

aws-cli/2.5.1

Environment details (OS name and version, etc.)

Ubuntu 20.4 (Windows Subsystem for Linux)
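Editor's note on the behaviour described in this issue: the Cognito UpdateUserPool API replaces the whole pool configuration, and its reference documents that attributes omitted from the request are reset to their defaults, so passing only --admin-create-user-config is what drops the triggers. The safe pattern is read-modify-write: describe the pool, merge the one change into the full configuration, and send the result back (for instance via --cli-input-json). The helper below is an added example, not code from the issue author or the AWS CLI project; its allowlist of updatable parameters and the sample pool object are assumptions constructed for illustration.

```python
import json

# Assumption: the parameters UpdateUserPool accepts besides UserPoolId, as
# listed in the API reference at the time of writing. New settings are added
# over time, so verify this set against the current reference before relying on it.
UPDATABLE_KEYS = {
    "Policies", "DeletionProtection", "LambdaConfig", "AutoVerifiedAttributes",
    "SmsVerificationMessage", "EmailVerificationMessage",
    "EmailVerificationSubject", "VerificationMessageTemplate",
    "SmsAuthenticationMessage", "UserAttributeUpdateSettings",
    "MfaConfiguration", "DeviceConfiguration", "EmailConfiguration",
    "SmsConfiguration", "UserPoolTags", "AdminCreateUserConfig",
    "UserPoolAddOns", "AccountRecoverySetting",
}


def build_update_request(described_pool: dict, changes: dict) -> dict:
    """Merge `changes` into the pool as returned by describe-user-pool, keeping
    every other updatable setting (LambdaConfig included) so that a
    replace-everything UpdateUserPool call does not silently reset them."""
    request = {"UserPoolId": described_pool["Id"]}
    for key, value in described_pool.items():
        if key in UPDATABLE_KEYS:  # drops read-only fields such as Arn, Status, Name
            request[key] = value
    request.update(changes)
    return request


def lambda_triggers_preserved(before: dict, after: dict) -> bool:
    """Post-update drift check: the trigger map must be exactly what it was."""
    return before.get("LambdaConfig", {}) == after.get("LambdaConfig", {})


# Constructed sample of the "UserPool" object from describe-user-pool (not real data).
SAMPLE_POOL = {
    "Id": "us-east-1_EXAMPLE",
    "Name": "example-pool",
    "Arn": "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE",
    "Status": "Enabled",
    "LambdaConfig": {"PreSignUp": "arn:aws:lambda:us-east-1:123456789012:function:pre-signup"},
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
    "MfaConfiguration": "OFF",
}

if __name__ == "__main__":
    change = {"AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True,
              "InviteMessageTemplate": {"EmailSubject": "You've been invited"}}}
    req = build_update_request(SAMPLE_POOL, change)
    assert lambda_triggers_preserved(SAMPLE_POOL, req)
    print(json.dumps(req))  # pipe into: aws cognito-idp update-user-pool --cli-input-json file://...
```

In a pipeline, run lambda_triggers_preserved against a fresh describe-user-pool after the update as well, so a regression like the one reported here fails the deploy instead of going unnoticed.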

Labels: guidance (Question that needs advice or information.)