When you delete a CloudFormation stack that contains stateful resources, CloudFormation typically leaves the stateful resources in place (the resource shows DELETE_SKIPPED) and deletes the stateless ones.
Normally that's what you want. But sometimes that retained, skipped resource ends up stuck in a state where it can no longer be deleted (or even modified) because it still references a deleted, stateless resource such as an IAM role.
This happens with Cognito in the following situation:
- You’ve got a Cognito user pool in your stack
- You're defining, in the same stack, an IAM role that Cognito assumes to send SMS messages
- The Cognito pool has deletion protection (within Cognito itself, not CloudFormation) turned on
When you delete the stack, the role gets deleted (it's stateless, who cares) but the user pool does not. The user pool, however, still references the deleted role.
Again, in a lot of cases this isn't much of an issue; an S3 bucket whose notification handlers have gone missing still works as a bucket, for example. But here it means the user pool can no longer be modified.
But why do I need to modify the pool to delete it?
If you try to delete the pool through the AWS console, you'll be asked whether you want to turn off deletion protection first. You can also do this by hand, through the API or CLI.
In both cases, the deletion is actually a two-step process:
- The user pool is modified to disable deletion protection;
- The user pool is deleted.
With the user pool intact but its SMS-sending role destroyed, Cognito rejects any attempt to modify the user pool for as long as that role cannot be found or lacks the trust relationship and permissions Cognito expects.
How do I get the pool into a modifiable/deletable state then?
You’ve some options:
- Reinstate the role. The failed delete attempt tells you the role name in the InvalidSmsRoleTrustRelationshipException shown under 'View details' in the console's error banner
  - If you do this, the role must have exactly the same name, its trust policy must let Cognito assume it (cognito-idp.amazonaws.com as the principal, and an sts:ExternalId condition matching the ExternalId in the pool's SMS configuration if one is set, because Cognito checks that too), and its permissions policy must allow sending SMS via SNS (sns:Publish)
- Create a new role and update the pool to use it; functionally the same as the above
- Disable SMS sending on the pool so the role is redundant, then delete
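The first option, scripted end to end with the AWS CLI, as an added example that is not code from the original post. It reads the expected role ARN and ExternalId back from the pool's own SmsConfiguration (so you don't have to copy them out of the error banner), re-creates the role under that name with the trust and permissions Cognito checks, clears deletion protection, deletes the pool and then removes the temporary role. The pool id is a hypothetical placeholder; supply your own via the environment.

```shell
#!/bin/sh
# Added example, not the original post's code: recover a Cognito user pool whose
# SMS role was deleted with its CloudFormation stack, then delete the pool.
# Needs the AWS CLI and credentials allowed to manage IAM roles and Cognito pools.
set -eu

POOL_ID="${POOL_ID:-us-east-1_EXAMPLE1}"   # hypothetical placeholder; override via the environment

# Cognito keeps the ARN of the role it expects in the pool's SmsConfiguration,
# so the role name can be recovered from the pool rather than from the error text.
role_name_from_arn() {
  # arn:aws:iam::123456789012:role/optional/path/Name -> Name
  printf '%s\n' "${1##*/}"
}

# Trust policy: the principal must be cognito-idp.amazonaws.com, and Cognito also
# checks the ExternalId that is stored in the pool's SmsConfiguration.
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "cognito-idp.amazonaws.com" },
    "Action": "sts:AssumeRole",
    "Condition": { "StringEquals": { "sts:ExternalId": "$1" } }
  }]
}
EOF
}

# Permissions policy: the only thing Cognito needs from this role is sns:Publish.
sns_publish_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{ "Effect": "Allow", "Action": "sns:Publish", "Resource": "*" }]
}
EOF
}

recover_and_delete_pool() {
  role_arn=$(aws cognito-idp describe-user-pool --user-pool-id "$POOL_ID" \
      --query 'UserPool.SmsConfiguration.SnsCallerArn' --output text)
  external_id=$(aws cognito-idp describe-user-pool --user-pool-id "$POOL_ID" \
      --query 'UserPool.SmsConfiguration.ExternalId' --output text)
  role_name=$(role_name_from_arn "$role_arn")

  # Step 1: reinstate the role under its old name with the trust and permissions Cognito checks.
  aws iam create-role --role-name "$role_name" \
      --assume-role-policy-document "$(trust_policy "$external_id")"
  aws iam put-role-policy --role-name "$role_name" --policy-name CognitoSnsPublish \
      --policy-document "$(sns_publish_policy)"
  sleep 15   # IAM is eventually consistent; Cognito may not see the new role immediately

  # Step 2: the update that previously failed now succeeds and clears deletion protection.
  aws cognito-idp update-user-pool --user-pool-id "$POOL_ID" --deletion-protection INACTIVE

  # Step 3: delete the pool, then clean up the temporary role so it does not linger.
  aws cognito-idp delete-user-pool --user-pool-id "$POOL_ID"
  aws iam delete-role-policy --role-name "$role_name" --policy-name CognitoSnsPublish
  aws iam delete-role --role-name "$role_name"
}

# Only talk to AWS when invoked explicitly:  POOL_ID=us-east-1_xxxx ./recover-pool.sh --run
if [ "${1:-}" = "--run" ]; then
  recover_and_delete_pool
fi
```

Two things to keep in mind when running this. If the original role had an inline or attached policy broader than sns:Publish, that does not matter here: Cognito only checks that it can assume the role and publish through SNS. And update-user-pool resets any attribute you leave out to its default, which is harmless for a pool you are about to delete but is the reason you should not use a bare call like this on a pool you intend to keep.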