Get apiaivyGraphQLAPIIdOutput in auto generated PostConfirmation Lambda? #1874
Comments
|
@davidbiller What exactly is the error you’re seeing? |
|
It was a circular dependency error. |
|
I'm having the same issue when I do Then pushing: edit: here is my backend-config.json https://gist.github.com/ErickTamayo/2fc64c7d886527f968f28c58727be2a7 |
UnleashedMind
added
functions
|
I second that. Also looking for the way to pass API ID (for the table names) to the postConfirmation lambda. |
|
Same here, if you give a congnito trigger lambda with |
|
I'm also had this problem, but when trying to allow lambda access to auth. I have created a PostConfirmation trigger for cognito auth (through amplify update auth) and want to set the value of a custom cognito attribute for the user when they confirm their account. (using aws-sdk adminUpdateUserAttributes). Currently my workaround is to manually edit the auth cloudformation template and add the permissions, however it would be better if we could do this through the cli. |
kaustavghosh06
added
bug
|
Is there an update? I also did a function update and add permissions to API to access the appsyncid. But I received an Circular dependency error |
|
Having same issue |
|
+1 |
|
Any updates? |
|
Same issue here at the moment. I need the API Id in my CF template. Anyone with a workaround for the time being? I need the same as @rpostulart, |
|
I am facing the same issue when updating API and adding a new endpoint |
|
I'm having the same issue when adding API access to my postConfirmation function. I tried to update the function again to remove API access, and I still get the circular dependency error. I'm not sure how to undo the issue. |
Amplify env checkout yourEnvName —restore |
|
Alternatively you can search through the cloudformation-template and delete all references to the the post confirmation trigger. I am having the same issue, where i am unable to add access to my graphql api in the post confirmation trigger, the same circular reference occurs. |
|
@kaustavghosh06 any updates on this very common problem? Is there a recommended best practice from the Amplify team to work around this? Thanks, |
|
+1 |
|
+1 didn't find a good solution yet. would love to get some hints on how to do this correctly. I guess one must create a custom resource and bind both api and postConfirmation function to those as dependencies? not sure tho. |
|
A work around for us, we added the graphql ids to out cloudformation which allows us to get the table name and access it by Additions to the cloudformation template are Mappings, Variables and the dynamodb:putitem arn permissions policy under lambdaexecutionpolicy |
|
if anyone is OK with a more manual solution to this issue, you can do the following:
|
|
The same issue. I appreciate the "workaround" but it seems really convoluted to implement when it should be something really common. We need to access to dynamoDB tables in the pre-jwt-token generation lambda:
|
|
Hey @kylekirkby , your solution almost worked for me but I think that the replacements are partially wrong. The one that worked for me are: File File {
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "",
"Parameters": {
"env": {
"Type": "String"
},
"api{YOUR-API-NAME}GraphQLAPIEndpointOutput": {
"Type": "String",
"Default": "api{YOUR-API-NAME}Output"
},
"api{YOUR-API-NAME}GraphQLAPIIdOutput": {
"Type": "String",
"Default": "api{YOUR-API-NAME}GraphQLAPIEndpointOutput"
},
"function{YOUR-FUNCTION-NAME}LambdaExecutionRole": {
"Type": "String",
"Default": "function{YOUR-FUNCTION-NAME}LambdaExecutionRole"
}
},
"Conditions": {},
"Resources": {
"GraphQLEndpointParam": {
"Type": "AWS::SSM::Parameter",
"Properties": {
"Name": {
"Fn::Join": [
"",
[
"GraphQLEndpoint-",
{
"Ref": "env"
}
]
]
},
"Type": "String",
"Value": {
"Ref": "api{YOUR-API-NAME}GraphQLAPIEndpointOutput"
},
"Description": "GraphQL API Endpoint for current stage"
}
},
"PostConfirmationCognitoResourcesPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "post-confirmation-api-execution-policy",
"Roles": [
{
"Ref": "function{YOUR-FUNCTION-NAME}LambdaExecutionRole"
}
],
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"appsync:Create*",
"appsync:StartSchemaCreation",
"appsync:GraphQL",
"appsync:Get*",
"appsync:List*",
"appsync:Update*",
"appsync:Delete*"
],
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:appsync:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":apis/",
{
"Ref": "api{YOUR-API-NAME}GraphQLAPIIdOutput"
},
"/*"
]
]
}
]
}
]
}
}
}
},
"Outputs": {}
}
file {
"api{YOUR-API-NAME}GraphQLAPIEndpointOutput": {
"Fn::GetAtt": [
"{YOUR-API-NAME}",
"Outputs.GraphQLAPIEndpointOutput"
]
},
"api{YOUR-API-NAME}GraphQLAPIIdOutput": {
"Fn::GetAtt": [
"{YOUR-API-NAME}",
"Outputs.GraphQLAPIIdOutput"
]
},
"function{YOUR-FUNCTION-NAME}LambdaExecutionRole": {
"Fn::GetAtt": [
"function{YOUR-FUNCTION-NAME}",
"Outputs.LambdaExecutionRole"
]
}
}
|
|
Thanks @paulsson @kylekirkby .The solution works perfectly. However is there a way to call a graphql end point using a seperate lambda (due to 5 sec constraint ) using a custom SQS deployment and triggering the lambda . |
|
After putting some effort into this issue I also got faced with I came up with the following solution. I had the exact same use case as @MontoyaAndres: A circular dependency issue caused by a post confirmation function that needs API access (at least to get the GraphQL ID). After diving into this problem and reading tons of solutions and explanations, especially by @paulsson and @kylekirkby I came up with an own, in my opinion even simpler solution. I used the custom resource stack ( Now I can use this exported value (which contains the dynamic part of all DynamoDB tables) to access DynamoDB from my Lambda function directly importing this value like this: You now have access to process.env.GRAPHQLID from your NodeJS Lambda function and can execute DynamoDB actions according to your personal use case. For DynamoDB access you might extend your post confirmation function resource by corresponding resource policy (also in {your-post-confirmation-function}-cloudformation-template.json). Hope it helps so that you don't have to spend hours and hours of research. Solving this circular dependency issue in amplify-cli would be appreciated. |
|
It amazes me, that in so many common use cases for Amplify you need to circumvent Amplify and hack it yourself. I like the idea of Amplify, but being told these workarounds to dive into generated files you should rarely see (let alone edit) feels bad. At least these kinds of workarounds should not be necessary on your first tutorial implementing basic functionality. It would be great to see this handled by Amplify. Btw: For me this problem is actually yak shaving for another basic functionality: syncing your Cognito users with the users in your AppSync. If that first thing would be included in Amplify, I wouldn't even need the Lambda permission to access AppSync in the trigger. |
|
@morgler Absolutely. And beside of that authentication rules are not flexible enough. Simple use cases like showing all properties to some groups but exclude some for public access isn't possible in combination with connections. That's why we decided to build a good old fashioned REST API microservice architecture using serverless framework instead of Amplify Backend. |
|
@bart I also use serverless in production - it's more mature and flexible. However I haven't completely given up on Amplify over the past years. I still hope this develops into a mature tool that makes micro services even more convenient than serverless. My feeling is, that while two years ago I couldn't use Amplify for anything, today I can at least work around the missing pieces using serverless. I will keep playing with Amplify, but will likely rely on serverless in production for quite some time. |
|
I initially plan to use a Post Confirmation Lambda to call AppSync and auto-create a user profile for each user at the database upon a successful confirm sign up. After reading this thread, it sounds like such a hassle to work around it in Post Confirmation Lambda due to circular dependency. I realize I am better off letting users to call AppSync directly and create their own profile in the client side when they first login. To me, it is easier to set up a custom createProfile resolver in vtl for user to call. For people experiencing similar issue with post confirmation lambda, I think it is possible to re-consider your use case. And if it can be moved to client side with a custom resolver, it can be an easier alternative to consider. Cheers |
|
@bart your solution did not work for me as. I got "No export named api::StaticGraphQLApiId found". Don't you need to add a dependsOn on the lambda since it now depends on the graphql api outputs? But wouldn't this re-introduce the circular issue? I think your solution would work if I do the deploy in two phases (one to export the output, the other to add the lambda), but it didn't work for me in one step. |
|
@hisham Maybe you did something different. I didn't add the dependency because as you said it would re-introduce this circular dependency problem. And I also didn't deploy in two phases. Just did it as described. |
|
I have added dependency to storage->tablename to post-confirmation lambda to save user data, but also have the same issue. |
|
Update: (08/12/2020) Steps: yarn global add @aws-amplify/cli aws-amplify/amplify-cli#4.38.0
amplify push --yes |
|
Yet another workaround is to simply not register any trigger when configuring your auth and just set them in the AWS Console afterwards (or through the AWS CLI). While this goes outside of the Amplify CLI and is not IaC, it's arguably the easiest and quickest option, least prone to errors, maintains dynamic env vars, and involves a quick manual step on the likely least changing part of your stack. This works as far as I can tell, at least for those using an API with Cognito Auth + Cognito triggers that use API/Dynamo access. Relevant Steps From Scratch:
Steps for those already suffering with cyclic dependency issue:
You may ask why all the trouble for the second set of steps? I'm not able to remove a single remaining trigger, hence the manual edits. See #5986 Note to the CLI team: You guys have done an amazing job and I'm sure addressing these problems is quite complex. Nevertheless, if you can fix issues like this, the one I linked to above, being able to add lambda environment vars from the CLI and other common things like that, I'd be much more inclined to recommend Amplify to others. It seems like the vast majority of work for a lot of use cases is done, it's just last mile nitty gritty work. Thanks for all your efforts. |
|
As a workaround, I set up custom SQS resource and add dependency/permission to post on it from postcomfrirmation function, finally added another trigger from SQS which writes to DynamoDB. |
|
@ayeganyan can you post how you set it up? |
|
Hi @waltermvp
Hope this will help! |
|
@waltermvp the functionality is broken in latest version (at least 4.39.0) |
Just a Follow up on @bart Answer, i have the same use case and solved it with the help of his instructions. To give your lambda access to DynamoDB you can add the following cloudformation snippet to Please not that you can also change Also you can remove / edit allowed Action to fit your use case! |
|
Closing in favor of: #4568 |
|
This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs. Looking for a help forum? We recommend joining the Amplify Community Discord server |
and others
How get apiaivyGraphQLAPIIdOutput in auto generated PostConfirmation Lambda?
i tried function update, and allow access to appSync, but this dosent work, because a dependsOn Failure.
Any infos?
The text was updated successfully, but these errors were encountered: