resource/aws_cognito_user_pool_client: Add prevent_user_existence_err…
…ors argument (#11604)

Output from acceptance testing:

```
--- PASS: TestAccAWSCognitoUserPoolClient_disappears (8.86s)
--- PASS: TestAccAWSCognitoUserPoolClient_basic (9.71s)
--- PASS: TestAccAWSCognitoUserPoolClient_allFields (10.04s)
--- PASS: TestAccAWSCognitoUserPoolClient_Name (14.09s)
--- PASS: TestAccAWSCognitoUserPoolClient_allFieldsUpdatingOneField (14.44s)
--- PASS: TestAccAWSCognitoUserPoolClient_RefreshTokenValidity (14.81s)
--- PASS: TestAccAWSCognitoUserPoolClient_analyticsConfig (30.07s)
```
claydanford authored Mar 17, 2020
1 parent d7a9edd commit 39333bc
Showing 3 changed files with 20 additions and 1 deletion.
15 changes: 15 additions & 0 deletions aws/resource_aws_cognito_user_pool_client.go
@@ -144,6 +144,12 @@ func resourceAwsCognitoUserPoolClient() *schema.Resource {
},
},

"prevent_user_existence_errors": {
Type: schema.TypeString,
Optional: true,
Computed: true,
},

"supported_identity_providers": {
Type: schema.TypeSet,
Optional: true,
@@ -242,6 +248,10 @@ func resourceAwsCognitoUserPoolClientCreate(d *schema.ResourceData, meta interfa
params.AnalyticsConfiguration = expandAwsCognitoUserPoolClientAnalyticsConfig(v.([]interface{}))
}

if v, ok := d.GetOk("prevent_user_existence_errors"); ok {
params.PreventUserExistenceErrors = aws.String(v.(string))
}

log.Printf("[DEBUG] Creating Cognito User Pool Client: %s", params)

resp, err := conn.CreateUserPoolClient(params)
@@ -290,6 +300,7 @@ func resourceAwsCognitoUserPoolClientRead(d *schema.ResourceData, meta interface
d.Set("callback_urls", flattenStringSet(resp.UserPoolClient.CallbackURLs))
d.Set("default_redirect_uri", resp.UserPoolClient.DefaultRedirectURI)
d.Set("logout_urls", flattenStringSet(resp.UserPoolClient.LogoutURLs))
d.Set("prevent_user_existence_errors", resp.UserPoolClient.PreventUserExistenceErrors)
d.Set("supported_identity_providers", flattenStringSet(resp.UserPoolClient.SupportedIdentityProviders))

if err := d.Set("analytics_configuration", flattenAwsCognitoUserPoolClientAnalyticsConfig(resp.UserPoolClient.AnalyticsConfiguration)); err != nil {
@@ -351,6 +362,10 @@ func resourceAwsCognitoUserPoolClientUpdate(d *schema.ResourceData, meta interfa
params.LogoutURLs = expandStringSet(v.(*schema.Set))
}

if v, ok := d.GetOk("prevent_user_existence_errors"); ok {
params.PreventUserExistenceErrors = aws.String(v.(string))
}

if v, ok := d.GetOk("supported_identity_providers"); ok {
params.SupportedIdentityProviders = expandStringSet(v.(*schema.Set))
}
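Review bot: The new `prevent_user_existence_errors` schema entry in the first hunk accepts any string, so a misspelt or lower-case value would presumably be rejected only by the Cognito API at apply time rather than at plan time. The documentation added in this commit lists exactly `ENABLED` and `LEGACY`, so I would add `ValidateFunc: validation.StringInSlice([]string{cognitoidentityprovider.PreventUserExistenceErrorTypesEnabled, cognitoidentityprovider.PreventUserExistenceErrorTypesLegacy}, false),` to the block, assuming the file already imports the helper `validation` package (the import list is not visible here). Because the attribute is `Optional` and `Computed` with no default, omitting it leaves whatever the service selects; if that is `LEGACY`, the client keeps returning `UserNotFoundException`, which tells a caller whether a username exists, so a short comment on the schema entry saying so would help operators choose deliberately. The schema function and the Create, Read and Update functions all start and end outside the hunks shown.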
5 changes: 4 additions & 1 deletion aws/resource_aws_cognito_user_pool_client_test.go
@@ -152,6 +152,7 @@ func TestAccAWSCognitoUserPoolClient_allFields(t *testing.T) {
resource.TestCheckResourceAttr(resourceName, "default_redirect_uri", "https://www.example.com/redirect"),
resource.TestCheckResourceAttr(resourceName, "logout_urls.#", "1"),
resource.TestCheckResourceAttr(resourceName, "logout_urls.2102268273", "https://www.example.com/login"),
resource.TestCheckResourceAttr(resourceName, "prevent_user_existence_errors", "LEGACY"),
),
},
{
@@ -210,6 +211,7 @@ func TestAccAWSCognitoUserPoolClient_allFieldsUpdatingOneField(t *testing.T) {
resource.TestCheckResourceAttr(resourceName, "default_redirect_uri", "https://www.example.com/redirect"),
resource.TestCheckResourceAttr(resourceName, "logout_urls.#", "1"),
resource.TestCheckResourceAttr(resourceName, "logout_urls.2102268273", "https://www.example.com/login"),
resource.TestCheckResourceAttr(resourceName, "prevent_user_existence_errors", "LEGACY"),
),
},
{
@@ -451,7 +453,8 @@ resource "aws_cognito_user_pool_client" "test" {
read_attributes = ["email"]
write_attributes = ["email"]
refresh_token_validity = %d
refresh_token_validity = %d
prevent_user_existence_errors = "LEGACY"
allowed_oauth_flows = ["code", "implicit"]
allowed_oauth_flows_user_pool_client = "true"
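Review bot: Every added assertion and the HCL fixture use `prevent_user_existence_errors = "LEGACY"`, so the `ENABLED` value, the one that hides whether a user exists, is not covered by any acceptance test visible here, nor is a change from one value to the other through the Update function. I would add a step, or a dedicated test, whose config sets `prevent_user_existence_errors = "ENABLED"` and checks it with `resource.TestCheckResourceAttr(resourceName, "prevent_user_existence_errors", "ENABLED"),`, followed by a step that switches the value back. The test functions and the config template begin and end outside the hunks, so coverage elsewhere in the file cannot be ruled out from this view.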
1 change: 1 addition & 0 deletions website/docs/r/cognito_user_pool_client.markdown
@@ -123,6 +123,7 @@ The following arguments are supported:
* `generate_secret` - (Optional) Should an application secret be generated.
* `logout_urls` - (Optional) List of allowed logout URLs for the identity providers.
* `name` - (Required) The name of the application client.
* `prevent_user_existence_errors` - (Optional) Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to `ENABLED` and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to `LEGACY`, those APIs will return a `UserNotFoundException` exception if the user does not exist in the user pool.
* `read_attributes` - (Optional) List of user pool attributes the application client can read from.
* `refresh_token_validity` - (Optional) The time limit in days refresh tokens are valid for.
* `supported_identity_providers` - (Optional) List of provider names for the identity providers that are supported on this client.
