Hello. Consider the following snippet:
CognitoUserPoolLogGroup:
  Type: AWS::Logs::LogGroup
  Properties:
    LogGroupName: [redacted]
    RetentionInDays: 365
CognitoLogDeliveryConfig:
  Type: AWS::Cognito::LogDeliveryConfiguration
  Properties:
    LogConfigurations:
      CloudWatchLogsConfiguration:
        LogGroupArn: !GetAtt CognitoUserPoolLogGroup.Arn
    UserPoolId: [redacted]
We get the following validation error, causing a rollback:
Value 'arn:aws:logs:eu-central-1:[redacted]:log-group:/aws/cognito/TestUserPool-Staging:*' at 'logConfigurations.1.member.cloudWatchLogsConfiguration.logGroupArn' failed to satisfy constraint: Member must satisfy regular expression pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-])?:[0-9]+:[\w+=/,.@-]+(:[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?
This validation regex seems to be broken and does not match the one in the documentation. The correct regex for LogGroupArn is shown in the documentation here:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-cloudwatchlogsconfiguration.html#cfn-cognito-logdeliveryconfiguration-cloudwatchlogsconfiguration-loggrouparn
From docs: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?
From error: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-])?:[0-9]+:[\w+=/,.@-]+(:[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?
Our value matches the regex from the docs. It does not match the actual regex being used, because the regex is missing an asterisk and therefore requires the AWS region to be exactly 1 character long.
Is this something we can work around somehow? How do we get this fixed? We are currently stuck here and cannot continue deploying our stack.
Thanks. Out of curiosity: You were able to report this using a paid support plan, right? Paid support is fine and all, but I find it somewhat ridiculous I have to pay AWS to tell them their service (I'm already paying for) is broken.
Yes, I reported this using paid support. I don't necessarily think of it like that; we are all working on something, whether that be for our job or passion projects. Update on our issue though: I did get a message back from support. Try this:
!Select [ 0, !Split [ ':*', !GetAtt CognitoLogGroup.Arn ] ]
It worked for me. Honestly, they should just fix their regex pattern so we can just use !GetAtt.
That actually works, although I don't understand why. Thanks for getting back to me, much appreciated!
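Added example (not part of the original posts and not AWS code): a Python check of the two patterns quoted in the thread against the log group ARN with and without the trailing ":*" that !GetAtt returns. It assumes the service applies the pattern as a full match and uses a constructed account ID in place of the redacted one; it shows that "*" lies outside the pattern's character class, which is what the Split/Select workaround removes.

```python
import re

# Both patterns are copied verbatim from the thread.
DOCS_PATTERN = (r"arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:"
                r"[\w+=/,.@-]+(:[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?")
ERROR_PATTERN = (r"arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-])?:[0-9]+:"
                 r"[\w+=/,.@-]+(:[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?")

# Constructed sample: 123456789012 is a placeholder for the redacted account ID.
GETATT_ARN = ("arn:aws:logs:eu-central-1:123456789012:"
              "log-group:/aws/cognito/TestUserPool-Staging:*")


def strip_wildcard(arn):
    # Same result as !Select [ 0, !Split [ ':*', arn ] ]
    return arn.split(":*")[0]


def full_match(pattern, value):
    # Assumption: the validator requires the whole value to match.
    return re.fullmatch(pattern, value) is not None


def prefix_match(pattern, value):
    # Unanchored testers report a hit when only a leading part matches.
    return re.match(pattern, value) is not None


def chars_outside_class(value):
    # Characters allowed by neither the class [\w+=/,.@-] nor the ':' separator.
    return sorted(set(re.findall(r"[^\w+=/,.@:-]", value)))


if __name__ == "__main__":
    for label, arn in (("GetAtt", GETATT_ARN),
                       ("stripped", strip_wildcard(GETATT_ARN))):
        print(label, arn)
        print("  docs pattern, full match:  ", full_match(DOCS_PATTERN, arn))
        print("  docs pattern, prefix match:", prefix_match(DOCS_PATTERN, arn))
        print("  error pattern, full match: ", full_match(ERROR_PATTERN, arn))
        print("  chars outside class:       ", chars_outside_class(arn))
```

Under these assumptions the pattern as printed in the error message rejects both ARN forms, while the documented pattern accepts only the form without ":*".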