Bug: SAM linter doesn't accept AWS::Cognito::UserPool's UserPoolTier property

[pavitra-infocusp]

Description:

I'm trying to deploy a Cognito UserPool with Lite tier. But, the SAM linter doesn't accept AWS::Cognito::UserPool's UserPoolTier property as defined in the docs: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-userpooltier

Steps to reproduce:

In the SAM template, add this Cognito UserPool resource:

  MyCognitoUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: cognito-phone-auth-poc-user-pool
      UsernameAttributes:
        - phone_number
      Schema:
        - AttributeDataType: String
          Name: phone_number
          Required: true
      SmsConfiguration:
        ExternalId: !Sub ${AWS::StackName}-external
        SnsCallerArn: !GetAtt CognitoSMSRole.Arn
      # MfaConfiguration: "OFF"
      UserPoolTier: LITE  <------ reported as not allowed by the SAM linter.

Then, run the command:

sam validate --lint

Observed result:

❯ sam validate --lint
[[E0001: Error found when transforming the template] (Error transforming template: Resource with id [MyCognitoUserPool] is invalid. property UserPoolTier not defined for resource of type AWS::Cognito::UserPool) matched 1]
Error: Linting failed. At least one linting rule was matched to the provided template.

Expected result:

It should validate.

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

1. OS: Ubuntu 22.04 LTS
2. sam --version: 1.132.0
3. AWS region: ap-south-1

# Paste the output of `sam --info` here
{
  "version": "1.132.0",
  "system": {
    "python": "3.11.10",
    "os": "Linux-6.8.0-51-generic-x86_64-with-glibc2.35"
  },
  "additional_dependencies": {
    "docker_engine": "27.4.1",
    "aws_cdk": "2.149.0 (build c8e5924)",
    "terraform": "1.10.3"
  },
  "available_beta_feature_env_vars": [
    "SAM_CLI_BETA_FEATURES",
    "SAM_CLI_BETA_BUILD_PERFORMANCE",
    "SAM_CLI_BETA_TERRAFORM_SUPPORT",
    "SAM_CLI_BETA_RUST_CARGO_LAMBDA"
  ]
}

Add --debug flag to command you are running

❯ sam validate --lint --debug
2025-01-13 14:38:48,898 | Config file location: /home/pavitra/Playground/cognito-phone-auth/backend/samconfig.toml                     
2025-01-13 14:38:48,899 | Loading configuration values from [default.['validate'].parameters] (env.command_name.section) in config file
at '/home/pavitra/Playground/cognito-phone-auth/backend/samconfig.toml'...                                                             
2025-01-13 14:38:48,900 | Configuration values successfully loaded.                                                                    
2025-01-13 14:38:48,901 | Configuration values are: {'stack_name': 'cognito-phone-auth-poc', 'profile': 'infocusp', 'region':          
'ap-south-1', 'lint': True}                                                                                                            
2025-01-13 14:38:48,907 | Using SAM Template at /home/pavitra/Playground/cognito-phone-auth/backend/template.yaml                      
2025-01-13 14:38:48,932 | Using config file: samconfig.toml, config environment: default                                               
2025-01-13 14:38:48,933 | Expand command line arguments to:                                                                            
2025-01-13 14:38:48,934 | --template_file=/home/pavitra/Playground/cognito-phone-auth/backend/template.yaml --lint                     
2025-01-13 14:38:49 Looking for CFLINTRC before attempting to load
2025-01-13 14:38:49 Validating User CFNLINTRC
2025-01-13 14:38:49 Validating CFNLINTRC config with given JSONSchema
2025-01-13 14:38:49 Schema used: {'$id': 'https://github.com/aws-cloudformation/cfn-python-lint/blob/main/src/cfnlint/data/CfnLintCli/config/schema.json', '$schema': 'http://json-schema.org/draft-07/schema#', 'additionalProperties': False, 'description': 'CFNLINTRC configuration schema', 'properties': {'append_rules': {'description': 'Location of directories to append rules from', 'items': {'type': 'string'}, 'type': 'array'}, 'configure_rules': {'additionalProperties': False, 'description': 'Configure rules', 'patternProperties': {'^.*$': {'patternProperties': {'^.*$': {'anyOf': [{'type': 'string'}, {'type': 'integer'}, {'type': 'boolean'}, {'items': {'type': 'string'}, 'type': 'array'}, {'items': {'type': 'integer'}, 'type': 'array'}, {'items': {'type': 'string'}, 'type': 'boolean'}]}}, 'type': 'object'}}, 'type': 'object'}, 'custom_rules': {'description': 'custom rule file to use', 'type': 'string'}, 'ignore_checks': {'description': 'List of checks to ignore', 'items': {'type': 'string'}, 'type': 'array'}, 'ignore_templates': {'description': 'Templates to ignore', 'items': {'type': 'string'}, 'type': 'array'}, 'include_checks': {'description': 'List of checks to include', 'items': {'type': 'string'}, 'type': 'array'}, 'mandatory_checks': {'description': 'List of mandatory checks to enforce', 'items': {'type': 'string'}, 'type': 'array'}, 'merge_configs': {'description': 'Merges lists between configuration layers', 'type': 'boolean'}, 'output_file': {'description': 'Path to the file to write the main output to', 'type': 'string'}, 'override_spec': {'description': 'Path to spec file to override with', 'type': 'string'}, 'regions': {'description': 'Regions to test against', 'items': {'type': 'string'}, 'type': 'array'}, 'registry_schemas': {'description': 'One or more directories of CloudFormation Registry Resource Schemas', 'items': {'type': 'string'}, 'type': 'array'}, 'templates': {'description': 'Templates to lint', 'items': {'type': 'string'}, 'type': 'array'}}, 'title': 'CFNLINTRC JSON Schema', 'type': 'object'}
2025-01-13 14:38:49 Config used: {}
2025-01-13 14:38:49 CFNLINTRC looks valid!
2025-01-13 14:38:49 Validating Project CFNLINTRC
2025-01-13 14:38:49 Validating CFNLINTRC config with given JSONSchema
2025-01-13 14:38:49 Schema used: {'$id': 'https://github.com/aws-cloudformation/cfn-python-lint/blob/main/src/cfnlint/data/CfnLintCli/config/schema.json', '$schema': 'http://json-schema.org/draft-07/schema#', 'additionalProperties': False, 'description': 'CFNLINTRC configuration schema', 'properties': {'append_rules': {'description': 'Location of directories to append rules from', 'items': {'type': 'string'}, 'type': 'array'}, 'configure_rules': {'additionalProperties': False, 'description': 'Configure rules', 'patternProperties': {'^.*$': {'patternProperties': {'^.*$': {'anyOf': [{'type': 'string'}, {'type': 'integer'}, {'type': 'boolean'}, {'items': {'type': 'string'}, 'type': 'array'}, {'items': {'type': 'integer'}, 'type': 'array'}, {'items': {'type': 'string'}, 'type': 'boolean'}]}}, 'type': 'object'}}, 'type': 'object'}, 'custom_rules': {'description': 'custom rule file to use', 'type': 'string'}, 'ignore_checks': {'description': 'List of checks to ignore', 'items': {'type': 'string'}, 'type': 'array'}, 'ignore_templates': {'description': 'Templates to ignore', 'items': {'type': 'string'}, 'type': 'array'}, 'include_checks': {'description': 'List of checks to include', 'items': {'type': 'string'}, 'type': 'array'}, 'mandatory_checks': {'description': 'List of mandatory checks to enforce', 'items': {'type': 'string'}, 'type': 'array'}, 'merge_configs': {'description': 'Merges lists between configuration layers', 'type': 'boolean'}, 'output_file': {'description': 'Path to the file to write the main output to', 'type': 'string'}, 'override_spec': {'description': 'Path to spec file to override with', 'type': 'string'}, 'regions': {'description': 'Regions to test against', 'items': {'type': 'string'}, 'type': 'array'}, 'registry_schemas': {'description': 'One or more directories of CloudFormation Registry Resource Schemas', 'items': {'type': 'string'}, 'type': 'array'}, 'templates': {'description': 'Templates to lint', 'items': {'type': 'string'}, 'type': 'array'}}, 'title': 'CFNLINTRC JSON Schema', 'type': 'object'}
2025-01-13 14:38:49 Config used: {}
2025-01-13 14:38:49 CFNLINTRC looks valid!
2025-01-13 14:38:49 User configuration loaded as
2025-01-13 14:38:49 {}
2025-01-13 14:38:49 Project configuration loaded as
2025-01-13 14:38:49 {}
2025-01-13 14:38:49 Merging configurations...
2025-01-13 14:38:49 Run scan of template None
2025-01-13 14:38:49 SAM Translator: 1.94.0
2025-01-13 14:38:49 Setting AWS_DEFAULT_REGION to ap-south-1
[[E0001: Error found when transforming the template] (Error transforming template: Resource with id [MyCognitoUserPool] is invalid. property UserPoolTier not defined for resource of type AWS::Cognito::UserPool) matched 1]
2025-01-13 14:38:49,467 | Telemetry endpoint configured to be https://aws-serverless-tools-telemetry.us-west-2.amazonaws.com/metrics   
2025-01-13 14:38:49,473 | Telemetry endpoint configured to be https://aws-serverless-tools-telemetry.us-west-2.amazonaws.com/metrics   
2025-01-13 14:38:49,473 | Sending Telemetry: {'metrics': [{'commandRun': {'requestId': '807bccc3-8fc8-454d-8646-c4a1a5bb7548',         
'installationId': 'f7826712-ea7f-4c60-b03b-e8d560546e6d', 'sessionId': 'c4db29ff-03b3-42e1-b636-3e934bbbd1f0', 'executionEnvironment': 
'CLI', 'ci': False, 'pyversion': '3.11.10', 'samcliVersion': '1.132.0', 'awsProfileProvided': True, 'debugFlagProvided': True,         
'region': 'ap-south-1', 'commandName': 'sam validate', 'metricSpecificAttributes': {'projectType': 'CFN', 'gitOrigin': None,           
'projectName': '10e08a419e850eba1ebba18fdd28eb7ec1b7e8baa9bcc3b973e2b8891ec726be', 'initialCommit': None}, 'duration': 535,            
'exitReason': 'LinterRuleMatchedException', 'exitCode': 1}}]}                                                                          
2025-01-13 14:38:49,473 | Unable to find Click Context for getting session_id.                                                         
2025-01-13 14:38:49,476 | Sending Telemetry: {'metrics': [{'events': {'requestId': '14390e92-6352-40ac-9965-e5f21bb8321c',             
'installationId': 'f7826712-ea7f-4c60-b03b-e8d560546e6d', 'sessionId': 'c4db29ff-03b3-42e1-b636-3e934bbbd1f0', 'executionEnvironment': 
'CLI', 'ci': False, 'pyversion': '3.11.10', 'samcliVersion': '1.132.0', 'commandName': 'sam validate', 'metricSpecificAttributes':     
{'events': [{'event_name': 'SamConfigFileExtension', 'event_value': '.toml', 'thread_id': '47bfa88c41784de8ab53f16fb4a080b7',          
'time_stamp': '2025-01-13 09:08:48.898', 'exception_name': None}, {'event_name': 'SamConfigFileExtension', 'event_value': '.toml',     
'thread_id': '5a4cdfb30c834bdfbe98bf61f9e6cabd', 'time_stamp': '2025-01-13 09:08:48.932', 'exception_name': None}, {'event_name':      
'UsedFeature', 'event_value': 'CFNLint', 'thread_id': 'f4ceac4f6c2e4a92901aeb69327627cf', 'time_stamp': '2025-01-13 09:08:49.320',     
'exception_name': None}]}}}]}                                                                                                          
2025-01-13 14:38:50,438 | HTTPSConnectionPool(host='aws-serverless-tools-telemetry.us-west-2.amazonaws.com', port=443): Read timed out.
(read timeout=0.1)                                                                                                                     
2025-01-13 14:38:50,441 | HTTPSConnectionPool(host='aws-serverless-tools-telemetry.us-west-2.amazonaws.com', port=443): Read timed out.
(read timeout=0.1)                                                                                                                     
Error: Linting failed. At least one linting rule was matched to the provided template.

[roger-zhangg]

Hi, thanks for reporting, does sam validate (without --lint) have the same issue? You may need to remove the lint = true in samconfig.toml as well to run sam validate