CloudFormation regex validation error in Cognito::LogDeliveryConfiguration: CloudWatchLogsConfiguration.LogGroupArn


Hello. Consider the following snippet:

CognitoUserPoolLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
        LogGroupName: [redacted]
        RetentionInDays: 365

CognitoLogDeliveryConfig:
    Type: AWS::Cognito::LogDeliveryConfiguration
    Properties:
        # LogConfigurations is a list (the error path below reads logConfigurations.1.member)
        LogConfigurations:
            - CloudWatchLogsConfiguration:
                  LogGroupArn: !GetAtt CognitoUserPoolLogGroup.Arn
        UserPoolId: [redacted]

We get the following validation error, causing a rollback:

Value 'arn:aws:logs:eu-central-1:[redacted]:log-group:/aws/cognito/TestUserPool-Staging:*' at 'logConfigurations.1.member.cloudWatchLogsConfiguration.logGroupArn' failed to satisfy constraint: Member must satisfy regular expression pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-])?:[0-9]+:[\w+=/,.@-]+(:[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?

This validation regex seems to be broken and does not match the one in the documentation. The correct regex for LogGroupArn is shown in the documentation here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-cloudwatchlogsconfiguration.html#cfn-cognito-logdeliveryconfiguration-cloudwatchlogsconfiguration-loggrouparn

From docs:  arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?
From error: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-])?:[0-9]+:[\w+=/,.@-]+(:[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?

Our value matches the regex from the docs. It does not match the actual regex being used, because the regex is missing an asterisk and therefore requires the AWS region to be exactly 1 character long.

Is this something we can work around somehow? How to get this fixed? We are currently stuck here and cannot continue deploying our stack.

1 Answer
Accepted Answer

I actually came across the exact same error tonight. I submitted a support ticket, hopefully the devs have it fixed sometime this week

answered 4 months ago
  • Thanks. Out of curiosity: You were able to report this using a paid support plan, right? Paid support is fine and all, but I find it somewhat ridiculous I have to pay AWS to tell them their service (I'm already paying for) is broken.

  • Yes, I reported this using paid support. I don't necessarily think of it like that; we are all working on something, whether that be for our job or passion projects. Update on our issue though: I did get a message back from support. Try this: !Select [ 0, !Split [ ':*', !GetAtt CognitoLogGroup.Arn ] ] It worked for me. Honestly they should just fix their regex pattern so we can just use !GetAtt

  • That actually works, although I don't understand why. Thanks for getting back to me, much appreciated!
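As an added illustration, not part of the original thread, the following Python checks both regular expressions (the one on the documentation page and the one printed in the error message) against an ARN of the shape that !GetAtt AWS::Logs::LogGroup.Arn returns, constructed here with a placeholder account ID, and against the same ARN after the !Select/!Split workaround from the accepted answer. The point it makes: the `*` in the trailing `:*` that CloudWatch Logs log-group ARNs carry is not in the segment character class `[\w+=/,.@-]`, so the raw ARN fails the documented pattern too, while the ARN with `:*` stripped is exactly what the documented pattern accepts.

```python
import re

# Character class used for every ARN segment in both patterns.
SEG = r"[\w+=/,.@-]"

# Pattern as printed on the CloudFormation documentation page for LogGroupArn
# (region group is ([...]*)?, i.e. any length).
DOCS_PATTERN = re.compile(
    rf"arn:{SEG}+:{SEG}+:({SEG}*)?:[0-9]+:{SEG}+(:{SEG}+)?(:{SEG}+)?"
)

# Pattern exactly as quoted in the validation error message
# (region group is ([...])?, i.e. at most one character).
ERROR_PATTERN = re.compile(
    rf"arn:{SEG}+:{SEG}+:({SEG})?:[0-9]+:{SEG}+(:{SEG}+)?(:{SEG}+)?"
)

# Constructed sample: the shape returned by !GetAtt <LogGroup>.Arn, with a
# placeholder account id. Note the trailing ':*' on CloudWatch Logs ARNs.
LOG_GROUP_ARN = (
    "arn:aws:logs:eu-central-1:123456789012:"
    "log-group:/aws/cognito/TestUserPool-Staging:*"
)


def matches(pattern: re.Pattern, value: str) -> bool:
    """Anchored match, as a 'Member must satisfy regular expression' check is."""
    return pattern.fullmatch(value) is not None


def strip_wildcard(arn: str) -> str:
    """Python equivalent of !Select [0, !Split [':*', arn]] from the accepted answer."""
    return arn.split(":*")[0]


def explain(arn: str) -> dict:
    """Run the raw and stripped ARN through both patterns and report each result."""
    stripped = strip_wildcard(arn)
    return {
        "raw_vs_docs": matches(DOCS_PATTERN, arn),            # False: '*' not in SEG
        "raw_vs_error": matches(ERROR_PATTERN, arn),          # False: region too long, '*'
        "stripped_vs_docs": matches(DOCS_PATTERN, stripped),  # True
        "stripped_vs_error": matches(ERROR_PATTERN, stripped),  # False: region too long
        "star_in_segment_class": re.fullmatch(SEG, "*") is not None,  # False
    }


if __name__ == "__main__":
    for name, ok in explain(LOG_GROUP_ARN).items():
        print(f"{name:22s} {ok}")
```

Taken literally, the pattern quoted in the error message rejects even the stripped ARN, because its region group admits at most one character and `eu-central-1` has twelve; since the service accepted the stripped value, the pattern actually enforced appears to be the documented one and the printed message lost the asterisk. Either way, the character that breaks the raw `!GetAtt` value is the wildcard, which is why the workaround reads `LogGroupArn: !Select [ 0, !Split [ ':*', !GetAtt CognitoUserPoolLogGroup.Arn ] ]` in the template.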
