(gen2-migration) generate does not preserve "Email based user registration/forgot password: Disabled" setting #14810

@dgandhi62

Description

How did you install the Amplify CLI?

No response

If applicable, what version of Node.js are you using?

No response

Amplify CLI Version

NA

What operating system are you using?

NA

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

NA

Describe the bug

Summary

When migrating an Amplify Gen1 auth resource that had email-based verification disabled (using SMS/TOTP as an alternative), the Gen2 migration tool generates a configuration that re-enables email-based verification, breaking feature parity with the original Gen1 setup.


Gen1 Configuration (Source of Truth)

CLI selection:

Email based user registration/forgot password: Disabled (Uses SMS/TOTP as an alternative)

cli-inputs.json:

{
  "cognitoConfig": {
    "autoVerifiedAttributes": ["phone_number"],
    "mfaConfiguration": "OFF",
    "smsVerificationMessage": "Your verification code is {####}",
    "emailVerificationSubject": "Your verification code",
    "emailVerificationMessage": "Your verification code is {####}",
    "requiredAttributes": ["email"]
  }
}

CloudFormation template — UserPool resource:

{
  "AutoVerifiedAttributes": ["phone_number"],
  "SmsVerificationMessage": { "Ref": "smsVerificationMessage" },
  "SmsConfiguration": {
    "ExternalId": "userpo7ed36813_role_external_id",
    "SnsCallerArn": { "Fn::GetAtt": ["SNSRole", "Arn"] }
  },
  "UserAttributeUpdateSettings": {
    "AttributesRequireVerificationBeforeUpdate": ["phone_number"]
  }
}

CloudFormation template — SNSRole resource (created specifically for SMS verification):

{
  "SNSRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
      "AssumeRolePolicyDocument": {
        "Statement": [{
          "Effect": "Allow",
          "Principal": { "Service": "cognito-idp.amazonaws.com" },
          "Action": ["sts:AssumeRole"]
        }]
      },
      "Policies": [{
        "PolicyDocument": {
          "Statement": [{
            "Effect": "Allow",
            "Action": ["sns:Publish"],
            "Resource": "*"
          }]
        }
      }]
    }
  }
}

Gen1 behavior:

  • Account verification: SMS code sent to phone number
  • Forgot password: SMS code sent to phone number
  • Email: collected as a required attribute but not used for verification
  • Auto-verified attribute: phone_number
  • SNS role: created and linked to user pool for SMS delivery

Gen2 Configuration (Migration Output)

amplify/auth/resource.ts:

import { defineAuth } from '@aws-amplify/backend';

export const auth = defineAuth({
  loginWith: {
    email: true,  // ← Incorrectly enables email-based verification
  },
  userAttributes: {
    email: {
      required: true,
      mutable: true,
    },
  },
  multifactor: {
    mode: 'OFF',
  },
});

amplify/backend.ts (overrides):
No SMS-related overrides are present. No SNS role configuration. No SmsConfiguration on the user pool.

Gen2 behavior:

  • Account verification: email code (changed from SMS)
  • Forgot password: email code (changed from SMS)
  • Auto-verified attribute: email (changed from phone_number)
  • SNS role: not created (missing)
  • SMS configuration: not present (missing)

What the migration tool should have generated

The migration tool should detect that autoVerifiedAttributes is ["phone_number"] (not ["email"]) and that email verification is disabled. The Gen2 output should:

  1. Use phone-based login/verification instead of email:

    loginWith: {
      phone: true,
    },
  2. Keep email as a required attribute only (not a verification channel):

    userAttributes: {
      email: {
        required: true,
        mutable: true,
      },
    },
  3. Ensure SMS configuration and SNS permissions are provisioned on the underlying user pool, either through defineAuth options or CDK overrides in backend.ts.


Impact

  • User-facing regression: Users who previously verified via SMS will now receive email verification codes instead, or verification may fail entirely if SES is not configured.
  • Forgot password broken: Password recovery switches from SMS to email without the user's knowledge.
  • SNS role missing: The IAM role granting Cognito permission to send SMS is not created, so even if SMS were configured manually, it would fail.
  • Data inconsistency: Existing users in the pool were verified via phone number. New verification flows via email create an inconsistent state.

Reproduction Steps

  1. Create a Gen1 Amplify app with amplify add auth using manual configuration
  2. Select "Email based user registration/forgot password: Disabled (Uses SMS/TOTP as an alternative)"
  3. Run the Gen1-to-Gen2 migration tool
  4. Inspect the generated amplify/auth/resource.ts
  5. Observe that loginWith: { email: true } is set instead of loginWith: { phone: true }

Labels

bug, auth, migration, gen2, cognito

Expected behavior

NA

Reproduction steps

NA

Project Identifier

No response

Log output

# Put your logs below this line


Additional information

No response

Before submitting, please confirm:

  • I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • I have removed any sensitive information from my code snippets and submission.
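The following is an added example, not code from the reporter or from the Amplify migration tool. It shows the detection the report asks for in "What the migration tool should have generated": read the Gen1 cli-inputs.json cognitoConfig, derive the Gen2 loginWith/userAttributes/multifactor settings from autoVerifiedAttributes rather than defaulting to email, flag that backend.ts must provision SMS on the pool, and run a parity check that catches the regression in the posted resource.ts. It generalizes slightly beyond the report (a pool that auto-verifies both email and phone_number maps to both login methods). The field names follow the cli-inputs.json and defineAuth snippets shown above; the mfaConfiguration to multifactor.mode mapping (ON to REQUIRED) and the assumption that nothing auto-verified falls back to email are mine, and the sample config is constructed from the issue.

```typescript
// Added example: derive Gen2 defineAuth settings from a Gen1 cli-inputs.json
// cognitoConfig and flag the parity break reported in this issue. Not the
// migration tool's code; field names follow the snippets in the issue, the
// MFA mapping and the email fallback are assumptions.

type Gen1CognitoConfig = {
  autoVerifiedAttributes?: string[];
  mfaConfiguration?: 'OFF' | 'ON' | 'OPTIONAL';
  requiredAttributes?: string[];
};

type Gen2LoginWith = { email?: true; phone?: true };

type Gen2AuthConfig = {
  loginWith: Gen2LoginWith;
  userAttributes: Record<string, { required: true; mutable: true }>;
  multifactor: { mode: 'OFF' | 'OPTIONAL' | 'REQUIRED' };
  // Not a defineAuth option: tells backend.ts that SmsConfiguration and the
  // SNS publish role must be provisioned on the underlying user pool.
  needsSmsConfiguration: boolean;
};

// Gen1 "Email based user registration/forgot password: Disabled (Uses SMS/TOTP
// as an alternative)" is visible as autoVerifiedAttributes === ["phone_number"].
function deriveLoginWith(cfg: Gen1CognitoConfig): Gen2LoginWith {
  const verified = new Set(cfg.autoVerifiedAttributes ?? []);
  const loginWith: Gen2LoginWith = {};
  if (verified.has('phone_number')) loginWith.phone = true;
  if (verified.has('email')) loginWith.email = true;
  // Assumption: nothing auto-verified falls back to email, the common default.
  if (!loginWith.phone && !loginWith.email) loginWith.email = true;
  return loginWith;
}

function deriveGen2Auth(cfg: Gen1CognitoConfig): Gen2AuthConfig {
  const loginWith = deriveLoginWith(cfg);
  const userAttributes: Gen2AuthConfig['userAttributes'] = {};
  for (const attr of cfg.requiredAttributes ?? []) {
    // Required attributes stay required regardless of the verification channel;
    // in the issue, email is collected but never used to verify the account.
    userAttributes[attr] = { required: true, mutable: true };
  }
  // Assumed mapping from Gen1 mfaConfiguration to Gen2 multifactor.mode.
  const mfaMap = { OFF: 'OFF', ON: 'REQUIRED', OPTIONAL: 'OPTIONAL' } as const;
  return {
    loginWith,
    userAttributes,
    multifactor: { mode: mfaMap[cfg.mfaConfiguration ?? 'OFF'] },
    needsSmsConfiguration: loginWith.phone === true,
  };
}

// Parity check: every way a generated loginWith deviates from the Gen1
// verification channel. An empty array means the setting was preserved.
function parityErrors(cfg: Gen1CognitoConfig, generated: Gen2LoginWith): string[] {
  const expected = deriveLoginWith(cfg);
  const errors: string[] = [];
  if (expected.phone && !generated.phone) {
    errors.push('Gen1 auto-verified phone_number but Gen2 loginWith.phone is unset');
  }
  if (!expected.email && generated.email) {
    errors.push('Gen1 did not verify email but Gen2 loginWith.email is true');
  }
  if (expected.email && !generated.email) {
    errors.push('Gen1 auto-verified email but Gen2 loginWith.email is unset');
  }
  return errors;
}

// Render the amplify/auth/resource.ts fragment in the shape shown in the issue.
function renderResourceTs(auth: Gen2AuthConfig): string {
  const login = Object.keys(auth.loginWith).map((k) => `    ${k}: true,`).join('\n');
  const attrs = Object.keys(auth.userAttributes)
    .map((k) => `    ${k}: {\n      required: true,\n      mutable: true,\n    },`)
    .join('\n');
  return [
    "import { defineAuth } from '@aws-amplify/backend';",
    '',
    'export const auth = defineAuth({',
    '  loginWith: {', login, '  },',
    '  userAttributes: {', attrs, '  },',
    `  multifactor: {\n    mode: '${auth.multifactor.mode}',\n  },`,
    '});',
  ].join('\n');
}

// Constructed sample: the cognitoConfig from the issue's cli-inputs.json.
const sampleGen1: Gen1CognitoConfig = {
  autoVerifiedAttributes: ['phone_number'],
  mfaConfiguration: 'OFF',
  requiredAttributes: ['email'],
};

// What the issue's generated resource.ts actually contained.
const reportedGen2LoginWith: Gen2LoginWith = { email: true };

console.log(parityErrors(sampleGen1, reportedGen2LoginWith));
console.log(renderResourceTs(deriveGen2Auth(sampleGen1)));
```

Running parityErrors against the reported output yields two findings (phone unset, email wrongly enabled), while the derived config passes with none and renders loginWith: { phone: true } with email kept only as a required attribute. The needsSmsConfiguration flag is the hook for step 3 of the report: it is where a migration would decide to emit the SMS configuration and SNS role overrides in backend.ts instead of silently dropping them.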
