Yesterday I had to migrate my AWS app to a new setup on CloudFormation. The code was easy, but the Cognito User Pool and DynamoDB table(s) took some time to investigate. Here is my experience and a solution (for small to medium apps).
Note that there are several ways to migrate a Cognito User Pool; the two main ones are described here: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-import-users.html
Basically, you keep both pools active; the app is normally linked to the new pool, but on every failed login a Lambda will check the user against the old pool and migrate them to the new pool seamlessly (if the user exists and the credentials are OK).
Simple but not seamless. Using the Cognito console you can import users from a CSV file, but they'll be put into RESET_REQUIRED status. Then your app needs to be changed a bit to forward users with this status to the "forgot password" workflow. There they will re-confirm their email and it's done. Getting a CSV file to import is another story, as the Cognito console does not export users (yet).
- because it is much simpler for small to medium apps
- because I didn't want to keep both user pools active for that long (my users migrate very slowly)
- because my database links some data to the username (which is a login alias for the email), so with the "seamless" method there was a chance that a completely new user would "steal" an old username (although with a new email), exposing that data to them.
Exporting users from a Cognito user pool is still not available in the console, but cognito-backup-restore does the job very well. However, it does not (yet) create a proper CSV for import through the console. Some simple Node scripting and it's done (link to code at the end).
Note that cognito-backup-restore does have a restore feature too, but it sends out emails to users, which was not what I wanted. I wanted this migration to be silent.
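A sketch of the conversion step described above, as an added example (not the code from the linked repository). It assumes the export is an array of users shaped like the Cognito ListUsers response, that the header row matches the one the new pool expects, and that MFA is not required in the new pool; `HEADER`, `buildImportCsv` and the sample users are constructed for illustration. Users without a verified email or phone are skipped, since they could not complete the "forgot password" step, and duplicate usernames are rejected because the application data is keyed on them.

```javascript
// Added example. Assumption: each exported user looks like a Cognito ListUsers
// entry: { Username, Attributes: [{ Name, Value }] }. HEADER is constructed.
const HEADER = ['name', 'email', 'email_verified', 'phone_number',
  'phone_number_verified', 'cognito:mfa_enabled', 'cognito:username'];

// Quote a field only when it contains a comma, quote or line break.
function csvField(value) {
  const s = String(value ?? '');
  return /[",\r\n]/.test(s) ? '"' + s.replace(/"/g, '""') + '"' : s;
}

// Build one CSV row, or return null when the user has no verified email or
// phone and so could not finish the "forgot password" flow after import.
function toRow(user, header) {
  const attrs = Object.fromEntries(
    (user.Attributes || []).map(a => [a.Name, a.Value]));
  const emailOk = attrs.email && attrs.email_verified === 'true';
  const phoneOk = attrs.phone_number && attrs.phone_number_verified === 'true';
  if (!user.Username || !(emailOk || phoneOk)) return null;
  const row = header.map(col => {
    if (col === 'cognito:username') return user.Username; // keep the old username
    if (col === 'cognito:mfa_enabled') return 'false';    // assumption: MFA off
    if (col.endsWith('_verified')) return attrs[col] === 'true' ? 'true' : 'false';
    return attrs[col];
  });
  return row.map(csvField).join(',');
}

function buildImportCsv(users, header = HEADER) {
  const skipped = [], seen = new Set();
  const lines = [header.join(',')];
  for (const user of users) {
    const row = toRow(user, header);
    // Usernames key the application data, so never import the same one twice.
    if (!row || seen.has(user.Username)) { skipped.push(user.Username); continue; }
    seen.add(user.Username);
    lines.push(row);
  }
  return { csv: lines.join('\n') + '\n', skipped };
}

// Constructed sample export (not real users).
const SAMPLE = [
  { Username: 'alice', Attributes: [{ Name: 'email', Value: 'alice@example.com' },
      { Name: 'email_verified', Value: 'true' }, { Name: 'name', Value: 'Doe, Alice' }] },
  { Username: 'bob', Attributes: [{ Name: 'email', Value: 'bob@example.com' },
      { Name: 'email_verified', Value: 'false' }] },
];
console.log(buildImportCsv(SAMPLE));
```

Review the `skipped` list before importing; those accounts need manual handling rather than silent omission.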
Again, there are several options to migrate DynamoDB. Amazon suggests AWS Data Pipeline, but for small to medium tables that's overkill. Many other variations and methods to do this exist online, free or commercial. Also, many different JSON formats are used in different tools, which requires some parsing. In the end I decided to use AWS CLI commands wrapped in a Node script to automate the process.
- aws dynamodb scan downloads DynamoDB JSON
- aws dynamodb put-item in a loop sends all records to a new table, one by one
batch-write was something to think about (it can do 25 records in a batch) but my table was small enough to do it this way.
Complete code is on GitHub: cognito-dynamodb-migrate