(gen2-migration) lock reports drift for imported auth resource #14702

@dgandhi62

How did you install the Amplify CLI?

No response

If applicable, what version of Node.js are you using?

No response

Amplify CLI Version

NA

What operating system are you using?

NA

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

NA

Describe the bug

The lock command fails when we attempt to add an imported auth resource. In this use case, auth was configured following these guidelines: https://docs.amplify.aws/gen1/react/tools/console/auth/import/

amplify status returns no change in state.

The error was narrowed down to be originating from an unintended assumption here. Further research and resolution is needed.

Error message

gandhya@b0f1d8510dea testappauth % node /Users/gandhya/amplify-cli/packages/amplify-cli/bin/amplify gen2-migration lock --debug
[WARNING] @aws-cdk/aws-apigatewayv2-alpha.WebSocketApiKeySelectionExpression is deprecated.
  
  This API will be removed in the next major release.
[WARNING] @aws-cdk/aws-apigatewayv2-alpha.WebSocketApiKeySelectionExpression is deprecated.
  
  This API will be removed in the next major release.
[WARNING] @aws-cdk/aws-apigatewayv2-alpha.MappingValue is deprecated.
  
  This API will be removed in the next major release.
The following official plugins are missing or inactive:
    core: core | @aws-amplify/[email protected]

[2026-03-24T21:12:08.997Z] [lock] [testappauth/dev] → Planning
[2026-03-24T21:12:09.358Z] [lock] [testappauth/dev] • → Planning complete
[2026-03-24T21:12:09.358Z] [lock] [testappauth/dev] → Validating
[2026-03-24T21:12:09.358Z] [lock] [testappauth/dev] → Environment Status
[2026-03-24T21:12:09.359Z] [lock] [testappauth/dev] · Inspecting root stack 'amplify-testappauth-dev-0a312' status
[2026-03-24T21:12:09.462Z] [lock] [testappauth/dev] → Drift
[2026-03-24T21:12:09.462Z] [lock] [testappauth/dev] · Amplify project validated
[2026-03-24T21:12:09.465Z] [lock] [testappauth/dev] · Root Stack: amplify-testappauth-dev-0a312
[2026-03-24T21:12:09.468Z] [lock] [testappauth/dev] · CloudFormation client initialized
[2026-03-24T21:12:09.566Z] [lock] [testappauth/dev] · Syncing cloud backend
[2026-03-24T21:12:09.709Z] [lock] [testappauth/dev] → CloudFormation drift
[2026-03-24T21:12:09.709Z] [lock] [testappauth/dev] · detectStackDriftRecursive: amplify-testappauth-dev-0a312
[2026-03-24T21:12:09.710Z] [lock] [testappauth/dev] → amplify-testappauth-dev-0a312
[2026-03-24T21:12:09.772Z] [lock] [testappauth/dev] · Detecting drift with ID 1eb62f20-27c6-11f1-ae1b-0ed8b0036fd9 for stack amplify-testappauth-dev-0a312...
[2026-03-24T21:12:12.128Z] [lock] [testappauth/dev] · detectStackDriftRecursive.complete: amplify-testappauth-dev-0a312
[2026-03-24T21:12:12.128Z] [lock] [testappauth/dev] · Phase 1 complete
[2026-03-24T21:12:12.128Z] [lock] [testappauth/dev] · S3 sync completed successfully
[2026-03-24T21:12:12.128Z] [lock] [testappauth/dev] → Template changes
[2026-03-24T21:12:12.128Z] [lock] [testappauth/dev] · Checking for template drift using changesets...
[2026-03-24T21:12:12.128Z] [lock] [testappauth/dev] · Checking for #current-cloud-backend at: /Users/gandhya/Desktop/testappauth/amplify/#current-cloud-backend
[2026-03-24T21:12:12.128Z] [lock] [testappauth/dev] · Reading cached template from: /Users/gandhya/Desktop/testappauth/amplify/#current-cloud-backend/awscloudformation/build/root-cloudformation-stack.json
[2026-03-24T21:12:12.129Z] [lock] [testappauth/dev] · Fetching stack parameters from CloudFormation for: amplify-testappauth-dev-0a312
[2026-03-24T21:12:12.176Z] [lock] [testappauth/dev] · Using 3 parameters from deployed stack
[2026-03-24T21:12:12.214Z] [lock] [testappauth/dev] · Creating changeset: amplify-drift-detection-1774386732214
[2026-03-24T21:12:12.472Z] [lock] [testappauth/dev] · Changeset waiter failed, will check status...
[2026-03-24T21:12:12.532Z] [lock] [testappauth/dev] · ✓ Changeset status: No changes detected (no drift)
[2026-03-24T21:12:12.619Z] [lock] [testappauth/dev] · Phase 2 complete: 0 changes
[2026-03-24T21:12:12.619Z] [lock] [testappauth/dev] → Local changes
[2026-03-24T21:12:12.619Z] [lock] [testappauth/dev] · Checking local files vs cloud backend...
{
  resourcesToBeCreated: [],
  resourcesToBeUpdated: [],
  resourcesToBeSynced: [
    {
      service: 'Cognito',
      serviceType: 'imported',
      providerPlugin: 'awscloudformation',
      dependsOn: [],
      customAuth: false,
      output: [Object],
      frontendAuthConfig: [Object],
      lastPushTimeStamp: '2026-03-24T20:54:03.947Z',
      resourceName: 'testappauth',
      category: 'auth',
      sync: 'refresh'
    }
  ],
  resourcesToBeDeleted: [],
  rootStackUpdated: false,
  tagsUpdated: false,
  allResources: [
    {
      AuthRoleName: 'amplify-testappauth-dev-0a312-authRole',
      UnauthRoleArn: 'arn:aws:iam::615368094448:role/amplify-testappauth-dev-0a312-unauthRole',
      AuthRoleArn: 'arn:aws:iam::615368094448:role/amplify-testappauth-dev-0a312-authRole',
      Region: 'us-east-1',
      DeploymentBucketName: 'amplify-testappauth-dev-0a312-deployment',
      UnauthRoleName: 'amplify-testappauth-dev-0a312-unauthRole',
      StackName: 'amplify-testappauth-dev-0a312',
      StackId: 'arn:aws:cloudformation:us-east-1:615368094448:stack/amplify-testappauth-dev-0a312/eb48afa0-27b1-11f1-b57d-0affe557c7df',
      AmplifyAppId: 'd19hckqp5jvler',
      resourceName: 'awscloudformation',
      category: 'providers'
    },
    {
      service: 'Cognito',
      serviceType: 'imported',
      providerPlugin: 'awscloudformation',
      dependsOn: [],
      customAuth: false,
      output: [Object],
      frontendAuthConfig: [Object],
      lastPushTimeStamp: '2026-03-24T20:54:03.947Z',
      resourceName: 'testappauth',
      category: 'auth',
      sync: 'refresh'
    }
  ]
}
[2026-03-24T21:12:13.615Z] [lock] [testappauth/dev] · Phase 3 complete
[2026-03-24T21:12:13.615Z] [lock] [testappauth/dev] • → Validating complete

Failed Validations Report

Drift

AUTH
  Local Drift: Undeployed changes in this category

Validations Summary

┌────────────────────┬──────────┐
│ Validation         │ Status   │
├────────────────────┼──────────┤
│ Environment Status │ ✔ Passed │
├────────────────────┼──────────┤
│ Drift              │ ✘ Failed │
└────────────────────┴──────────┘

🛑 Validations failed

Resolution: Resolve the validation errors or skip them by running 'amplify /opt/homebrew/Cellar/node@20/20.19.6/bin/node  gen2-migration lock --debug --skip-validations'
Learn more at: https://docs.amplify.aws/cli/project/troubleshooting/

MigrationError: Validations failed
    at Object.run (/Users/gandhya/amplify-cli/packages/amplify-cli/lib/commands/gen2-migration.js:119:19)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.executeAmplifyCommand (/Users/gandhya/amplify-cli/packages/amplify-cli/lib/index.js:203:9)
    at async executePluginModuleCommand (/Users/gandhya/amplify-cli/packages/amplify-cli/lib/execution-manager.js:149:5)
    at async executeCommand (/Users/gandhya/amplify-cli/packages/amplify-cli/lib/execution-manager.js:47:9)
    at async Object.run (/Users/gandhya/amplify-cli/packages/amplify-cli/lib/index.js:131:5)

Expected behavior

There should not be any drift.

Reproduction steps

Create a basic app with an imported auth resource

Project Identifier

No response

Log output

Details
# Put your logs below this line


Additional information

No response

Before submitting, please confirm:

  • I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • I have removed any sensitive information from my code snippets and submission.
