NOTICE: aws-cognito-identitypool-alpha: "Resource of type 'AWS::Cognito::IdentityPoolRoleAttachment' with identifier '[...]' already exists." >=2.179.0 breaks deployment of existing identity pools

[monholm]

Please add your +1 👍 to let us know you have encountered this

Status: IN-PROGRESS

Overview:

Describe the bug

Upgrading past v2.178.2 causes deployment of stack with existing (deployed with version <= 2.178.2) identity pool to fail.

Last Known Working CDK Version

2.178.2

Expected Behavior

Stack to deploy without issues.

Current Behavior

Deployment fails with the following error:

The stack named AwsCdkReproStack failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "Resource of type 'AWS::Cognito::IdentityPoolRoleAttachment' with identifier 'eu-north-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' already exists." (RequestToken: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx, HandlerErrorCode: AlreadyExists)

Reproduction Steps

npx aws-cdk@2.178.2 init app --language typescript

npm add @aws-cdk/aws-cognito-identitypool-alpha@2.178.2-alpha.0

Add an identity pool to the stack, e.g.:

import { IdentityPool } from "@aws-cdk/aws-cognito-identitypool-alpha";
import * as cdk from "aws-cdk-lib";
import { Construct } from "constructs";

export class AwsCdkReproStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    new IdentityPool(this, "IdentityPool");
  }
}

cdk deploy

npm i aws-cdk@2.179.0 aws-cdk-lib@2.179.0 @aws-cdk/aws-cognito-identitypool-alpha@2.179.0-alpha.0

cdk deploy

Workaround

Bump to the latest CDK library version, v2.181.1.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.179.0

Framework Version

No response

Node.js Version

22.14.0

OS

macOS 15.3.1

Language

TypeScript

Language Version

No response

Other information

No response

[pahud]

Before re-deployment, can you run cdk diff and see what's going to be changed?

Might be related to this:

Alpha modules (2.179.0-alpha.0)
⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES
cognito-identitypool-alpha: The IdentityPoolRoleAttachment construct and IdentityPool.addRoleMappings() function will no longer exist. This is to disambiguate that only one role attachment can exist per Identity Pool. If you are using the IdentityPool construct, this change will trigger a redeployment. If you need to add role mappings, please do so when the IdentityPool is created.

see #33305

[monholm]

Sure. This is the cdk diff output:

Stack AwsCdkReproStack
Resources
[-] AWS::Cognito::IdentityPoolRoleAttachment IdentityPool/DefaultRoleAttachment IdentityPoolDefaultRoleAttachmentD81AFC39 destroy
[+] AWS::Cognito::IdentityPoolRoleAttachment IdentityPool/DefaultRoleAttachment IdentityPoolDefaultRoleAttachment40247836


✨  Number of stacks with differences: 1

[monholm]

@pahud thank you for the quick response by the way.

I couldn't help but notice the p3 label that you put on the issue - I don't wanna step on anyone's toes here, and I get that it's an alpha module. But leaving every stack that's using the main construct from the module, in an undeployable state, should probably warrant a higher than lowest priority? At least until an acceptable workaround is found?

I've not had much time to dig into this yet, but it seems to be caused by the change to a L1 construct to create the IdentityPoolRoleAttachment, which causes a new attachment to be created, prior to deleting the L2 one.