How to deploy update of only certain resources

Hi,

I got serverless.yml that deploys multiple resources:
Cognito UserPool, Cognito IdentityPool, CognitoAuthRole …

Is there a way to update a certain resource (i.e. CognitoAuthRole) without affecting other resources (without causing them to be deleted and deployed as new)?

For example - I want to be able to change the policy in CognitoAuthRole and keep the Cognito user pool as is, so all the users that are already in it won't be deleted.

My serverless.yml:

service: cloud-manager-web-ui-cognito-pool

provider:
  name: aws
  runtime: python2.7
  region: eu-west-1
  stage: prod
  timeout: 300

resources:
  Resources:
    cidrs:
      Type: AWS::Cognito::UserPool
      Properties:
        AutoVerifiedAttributes:
          - email
        UserPoolName: cidrstest1637

    CognitoUserPoolClient:
      Type: "AWS::Cognito::UserPoolClient"
      Properties:
        ClientName: cidrs-app
        UserPoolId:
          Ref: cidrs
        GenerateSecret: false
        RefreshTokenValidity: 30
        ReadAttributes:
          - name
          - email
        WriteAttributes:
          - name
          - email

    CognitoIdentityPool:
      Type: AWS::Cognito::IdentityPool
      Properties:
        IdentityPoolName: "cidrs app test"
        AllowUnauthenticatedIdentities: false
        CognitoIdentityProviders:
          - ClientId:
              Ref: CognitoUserPoolClient
            ProviderName:
              Fn::GetAtt: [cidrs, ProviderName]

    CognitoIdentityPoolRoles:
      Type: AWS::Cognito::IdentityPoolRoleAttachment
      Properties:
        IdentityPoolId:
          Ref: CognitoIdentityPool
        Roles:
          authenticated:
            Fn::GetAtt: [CognitoAuthRole, Arn]
          unauthenticated:
            Fn::GetAtt: [CognitoUnauthRole, Arn]

    CognitoAuthRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: appAuthRole
        Path: /
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Principal:
                Federated: "cognito-identity.amazonaws.com"
              Action:
                - "sts:AssumeRoleWithWebIdentity"
              Condition:
                StringEquals:
                  "cognito-identity.amazonaws.com:aud":
                    Ref: CognitoIdentityPool
                "ForAnyValue:StringLike":
                  "cognito-identity.amazonaws.com:amr": authenticated
        Policies:
          - PolicyName: "CognitoAuthorizedPolicy"
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: "Allow"
                  Action:
                    - "mobileanalytics:PutEvents"
                    - "cognito-sync:*"
                    - "cognito-identity:*"
                  Resource: "*"
        ManagedPolicyArns:
          - "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"

    CognitoUnauthRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: appUnauthRole
        Path: /
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Principal:
                Federated: "cognito-identity.amazonaws.com"
              Action:
                - "sts:AssumeRoleWithWebIdentity"
              Condition:
                StringEquals:
                  "cognito-identity.amazonaws.com:aud":
                    Ref: CognitoIdentityPool
                "ForAnyValue:StringLike":
                  "cognito-identity.amazonaws.com:amr": unauthenticated
        Policies:
          - PolicyName: "CognitoUnauthorizedPolicy"
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: "Allow"
                  Action:
                    - "mobileanalytics:PutEvents"
                    - "cognito-sync:*"
                  Resource: "*"

If you don’t want resources to be updated when you do a deploy, it’s usually a sign they belong in a different service.

But the resource has a reference to another resource in the file (the policy is part of CognitoAuthRole, which has a ref to CognitoIdentityPool).

And another question -
Is it possible to change the attributes of a resource without it being created as new (to only update the resource without creating a new one, i.e. changing one of the Cognito pool attributes so the Cognito pool won't be recreated and all of the users will be kept)?

That’s what CloudFormation outputs (which are supported by sls variables) and cross-stack references are for.

The specific resource property determines if a resource will be edited or replaced when it’s changed - check the “Update requires” field for the relevant resource in the CFN docs (e.g. Cognito User Pools)
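The two replies above (move the user pool into its own service and wire the stacks together with outputs, and check the "Update requires" field) can be combined into one layout. The following is an added example, not configuration from the original post or from the Serverless project: two serverless.yml files shown in one block, separated by comment headers. It keeps the poster's logical IDs and resource names; the service name `cloud-manager-web-ui-cognito-roles`, the export names, and the `DeletionPolicy`/`UpdateReplacePolicy` attributes are assumptions added here. The unauthenticated role is left out for brevity.

```yaml
# --- Service 1: cognito-pool/serverless.yml (owns the user pool; rarely redeployed) ---
service: cloud-manager-web-ui-cognito-pool   # stack name: cloud-manager-web-ui-cognito-pool-prod

provider:
  name: aws
  region: eu-west-1
  stage: prod

resources:
  Resources:
    cidrs:
      Type: AWS::Cognito::UserPool
      # Safety net, not a fix: if a property documented as "Update requires:
      # Replacement" (e.g. UserPoolName) is ever changed, CloudFormation keeps
      # the old pool and its users instead of deleting it. The stack still
      # switches to a fresh pool, so the users are preserved but orphaned.
      DeletionPolicy: Retain
      UpdateReplacePolicy: Retain
      Properties:
        UserPoolName: cidrstest1637   # "Replacement" property: never edit in place
        AutoVerifiedAttributes:       # "No interruption" property: safe to edit
          - email

    CognitoUserPoolClient:
      Type: AWS::Cognito::UserPoolClient
      Properties:
        ClientName: cidrs-app
        UserPoolId:
          Ref: cidrs
        GenerateSecret: false
        RefreshTokenValidity: 30

  # Exports are the only thing the roles stack depends on; CloudFormation
  # refuses to delete this stack or drop an export while another stack imports it.
  Outputs:
    UserPoolProviderName:
      Value:
        Fn::GetAtt: [cidrs, ProviderName]
      Export:
        Name: ${self:service}-${self:provider.stage}-UserPoolProviderName
    UserPoolClientId:
      Value:
        Ref: CognitoUserPoolClient
      Export:
        Name: ${self:service}-${self:provider.stage}-UserPoolClientId

# --- Service 2: cognito-roles/serverless.yml (identity pool + IAM roles; redeploy freely) ---
service: cloud-manager-web-ui-cognito-roles

provider:
  name: aws
  region: eu-west-1
  stage: prod

resources:
  Resources:
    CognitoIdentityPool:
      Type: AWS::Cognito::IdentityPool
      Properties:
        IdentityPoolName: "cidrs app test"
        AllowUnauthenticatedIdentities: false
        CognitoIdentityProviders:
          - ClientId:
              Fn::ImportValue: cloud-manager-web-ui-cognito-pool-prod-UserPoolClientId
            ProviderName:
              Fn::ImportValue: cloud-manager-web-ui-cognito-pool-prod-UserPoolProviderName

    CognitoAuthRole:
      Type: AWS::IAM::Role
      Properties:
        # RoleName and Path are "Replacement" properties of AWS::IAM::Role;
        # Policies and ManagedPolicyArns are "No interruption", so editing the
        # policy below updates the role in place and never touches the user pool.
        RoleName: appAuthRole
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Federated: cognito-identity.amazonaws.com
              Action: sts:AssumeRoleWithWebIdentity
              Condition:
                StringEquals:
                  "cognito-identity.amazonaws.com:aud":
                    Ref: CognitoIdentityPool   # pins the trust to this identity pool only
                "ForAnyValue:StringLike":
                  "cognito-identity.amazonaws.com:amr": authenticated
        Policies:
          - PolicyName: CognitoAuthorizedPolicy
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action:
                    - mobileanalytics:PutEvents
                    - cognito-sync:*
                    - cognito-identity:*
                  Resource: "*"

    CognitoIdentityPoolRoles:
      Type: AWS::Cognito::IdentityPoolRoleAttachment
      Properties:
        IdentityPoolId:
          Ref: CognitoIdentityPool
        Roles:
          authenticated:
            Fn::GetAtt: [CognitoAuthRole, Arn]
```

Deploy service 1 once, then iterate on service 2 as often as the policies change. Serverless variables (`${cf:cloud-manager-web-ui-cognito-pool-prod.UserPoolClientId}`) work in place of `Fn::ImportValue` if you prefer the lookup at package time. To verify a change before it runs, rather than by creating a test user and hoping: run `sls package`, create a change set from the generated `.serverless/cloudformation-template-update-stack.json` with `aws cloudformation create-change-set --change-set-type UPDATE` (plus `--capabilities CAPABILITY_NAMED_IAM`, since the roles have explicit names), and read `aws cloudformation describe-change-set`; any entry whose `ResourceChange.Replacement` is `True` or `Conditional` is a resource CloudFormation intends to recreate, and the `Details` list names the property that caused it.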

I’m pretty sure that changing the role won’t result in a delete/replace of your user pool. I would test this first, but I’m 90% certain of two things:

  1. Cloudformation looks for diffs on resources - if you haven’t updated the specific resource, nothing about that resource will change when you update the stack.
  2. If resource B depends on resource A and you make a change to B, this does not affect resource A. E.g. if I change the IAM role attached to an EC2 instance, I don’t need to shut down/re-create the instance; same thing for most other AWS services AFAIK.

With those things in mind, I’m not sure you have a problem. The way to verify this is pretty simple. Deploy your stack, log into the console and create a user in your userpool. Then make some changes to the AuthRole and redeploy. If your user is still there, you have no problem.

I tried to do this; that is why I asked the question. The problem exists: a new Cognito pool with a new id is created when I change the policy and try to deploy again.

I just verified this on my own stack that is nearly identical to yours. I am able to change the policy statement in the cognito auth/unauth roles without deleting and recreating the userpools. Not sure exactly what you are doing to make them delete/re-create themselves.