Cognito UserPool constructor incorrectly attaches lambdaConfig lambdas

[samueltanner]

When I deploy changes to my cognito user pool, I will often find that my postConfirmation lambda and preTokenGeneration lambda will fail to invoke. I will get access denied exceptions despite having my execution role's trust relationships set correctly.

I have found that I have to go into the AWS console and re-attach the lambdas in order for them to function correctly.

I am running pulumi within a sst V3 instance

  const userPool = new aws.cognito.UserPool(`GGUserPool${$app.stage}`, {
    name: `GGUserPool${$app.stage}`,
    usernameAttributes: ["email"],
    autoVerifiedAttributes: ["email"],
    verificationMessageTemplate: {
      defaultEmailOption: "CONFIRM_WITH_CODE",
      emailMessage:
        "Hello, Thanks for signing up! Your verification code is {####}",
      emailSubject: "Verify your email!",
      smsMessage:
        "Hello, Thanks for signing up! Your verification code is {####}",
    },
    lambdaConfig: {
      postConfirmation: postConfirmationLambdaArn,
      preTokenGeneration: tokenLambdaArn,
    },
  })

[t0yv0]

Could you please include a fully self-contained example that reproduces the issue? Much appreciated.