diff --git a/aws/resource_aws_cognito_user_pool.go b/aws/resource_aws_cognito_user_pool.go index 5ff1ac273ab..c4895ac5fe2 100644 --- a/aws/resource_aws_cognito_user_pool.go +++ b/aws/resource_aws_cognito_user_pool.go @@ -65,10 +65,11 @@ func resourceAwsCognitoUserPool() *schema.Resource { }, }, "unused_account_validity_days": { - Type: schema.TypeInt, - Optional: true, - Default: 7, - ValidateFunc: validation.IntBetween(0, 90), + Type: schema.TypeInt, + Optional: true, + Deprecated: "Use password_policy.temporary_password_validity_days instead", + ValidateFunc: validation.IntBetween(0, 90), + ConflictsWith: []string{"password_policy.0.temporary_password_validity_days"}, }, }, }, @@ -295,6 +296,12 @@ func resourceAwsCognitoUserPool() *schema.Resource { Type: schema.TypeBool, Optional: true, }, + "temporary_password_validity_days": { + Type: schema.TypeInt, + Optional: true, + ValidateFunc: validation.IntBetween(0, 365), + ConflictsWith: []string{"admin_create_user_config.0.unused_account_validity_days"}, + }, }, }, }, @@ -948,6 +955,11 @@ func resourceAwsCognitoUserPoolUpdate(d *schema.ResourceData, meta interface{}) log.Printf("[DEBUG] Received %s, retrying UpdateUserPool", err) return resource.RetryableError(err) } + if isAWSErr(err, cognitoidentityprovider.ErrCodeInvalidParameterException, "Please use TemporaryPasswordValidityDays in PasswordPolicy instead of UnusedAccountValidityDays") { + log.Printf("[DEBUG] Received %s, retrying UpdateUserPool without UnusedAccountValidityDays", err) + params.AdminCreateUserConfig.UnusedAccountValidityDays = nil + return resource.RetryableError(err) + } return resource.NonRetryableError(err) }) diff --git a/aws/resource_aws_cognito_user_pool_test.go b/aws/resource_aws_cognito_user_pool_test.go index c4224b25083..b16e2e15ae5 100644 --- a/aws/resource_aws_cognito_user_pool_test.go +++ b/aws/resource_aws_cognito_user_pool_test.go @@ -125,10 +125,21 @@ func TestAccAWSCognitoUserPool_withAdminCreateUserConfiguration(t *testing.T) { ImportState: true, ImportStateVerify: true, }, + { + Config: testAccAWSCognitoUserPoolConfig_withAdminCreateUserConfigurationUpdatedError(name), + Check: resource.ComposeAggregateTestCheckFunc( + resource.TestCheckResourceAttr(resourceName, "admin_create_user_config.0.unused_account_validity_days", "6"), + resource.TestCheckResourceAttr(resourceName, "admin_create_user_config.0.allow_admin_create_user_only", "false"), + resource.TestCheckResourceAttr(resourceName, "admin_create_user_config.0.invite_message_template.0.email_message", "Your username is {username} and constant password is {####}. "), + resource.TestCheckResourceAttr(resourceName, "admin_create_user_config.0.invite_message_template.0.email_subject", "Foo{####}BaBaz"), + resource.TestCheckResourceAttr(resourceName, "admin_create_user_config.0.invite_message_template.0.sms_message", "Your username is {username} and constant password is {####}."), + ), + ExpectNonEmptyPlan: true, + }, { Config: testAccAWSCognitoUserPoolConfig_withAdminCreateUserConfigurationUpdated(name), Check: resource.ComposeAggregateTestCheckFunc( - resource.TestCheckResourceAttr(resourceName, "admin_create_user_config.0.unused_account_validity_days", "7"), + resource.TestCheckResourceAttr(resourceName, "admin_create_user_config.0.unused_account_validity_days", "6"), resource.TestCheckResourceAttr(resourceName, "admin_create_user_config.0.allow_admin_create_user_only", "false"), resource.TestCheckResourceAttr(resourceName, "admin_create_user_config.0.invite_message_template.0.email_message", "Your username is {username} and constant password is {####}. "), resource.TestCheckResourceAttr(resourceName, "admin_create_user_config.0.invite_message_template.0.email_subject", "Foo{####}BaBaz"), @@ -484,6 +495,7 @@ func TestAccAWSCognitoUserPool_withPasswordPolicy(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "password_policy.0.require_numbers", "false"), resource.TestCheckResourceAttr(resourceName, "password_policy.0.require_symbols", "true"), resource.TestCheckResourceAttr(resourceName, "password_policy.0.require_uppercase", "false"), + resource.TestCheckResourceAttr(resourceName, "password_policy.0.temporary_password_validity_days", "7"), ), }, { @@ -500,6 +512,7 @@ func TestAccAWSCognitoUserPool_withPasswordPolicy(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "password_policy.0.require_numbers", "true"), resource.TestCheckResourceAttr(resourceName, "password_policy.0.require_symbols", "false"), resource.TestCheckResourceAttr(resourceName, "password_policy.0.require_uppercase", "true"), + resource.TestCheckResourceAttr(resourceName, "password_policy.0.temporary_password_validity_days", "14"), ), }, }, @@ -876,7 +889,7 @@ resource "aws_cognito_user_pool" "test" { `, name) } -func testAccAWSCognitoUserPoolConfig_withAdminCreateUserConfigurationUpdated(name string) string { +func testAccAWSCognitoUserPoolConfig_withAdminCreateUserConfigurationUpdatedError(name string) string { return fmt.Sprintf(` resource "aws_cognito_user_pool" "test" { name = "terraform-test-pool-%s" @@ -895,6 +908,25 @@ resource "aws_cognito_user_pool" "test" { `, name) } +func testAccAWSCognitoUserPoolConfig_withAdminCreateUserConfigurationUpdated(name string) string { + return fmt.Sprintf(` +resource "aws_cognito_user_pool" "test" { + name = "terraform-test-pool-%s" + + admin_create_user_config { + allow_admin_create_user_only = false + unused_account_validity_days = 6 + + invite_message_template { + email_message = "Your username is {username} and constant password is {####}. " + email_subject = "Foo{####}BaBaz" + sms_message = "Your username is {username} and constant password is {####}." + } + } +} +`, name) +} + func testAccAWSCognitoUserPoolConfig_withAdvancedSecurityMode(name string, mode string) string { return fmt.Sprintf(` resource "aws_cognito_user_pool" "test" { @@ -1086,11 +1118,12 @@ resource "aws_cognito_user_pool" "test" { name = "terraform-test-pool-%s" password_policy { - minimum_length = 7 - require_lowercase = true - require_numbers = false - require_symbols = true - require_uppercase = false + minimum_length = 7 + require_lowercase = true + require_numbers = false + require_symbols = true + require_uppercase = false + temporary_password_validity_days = 7 } } `, name) @@ -1102,11 +1135,12 @@ resource "aws_cognito_user_pool" "test" { name = "terraform-test-pool-%s" password_policy { - minimum_length = 9 - require_lowercase = false - require_numbers = true - require_symbols = false - require_uppercase = true + minimum_length = 9 + require_lowercase = false + require_numbers = true + require_symbols = false + require_uppercase = true + temporary_password_validity_days = 14 } } `, name) diff --git a/aws/structure.go b/aws/structure.go index 85986e0005a..2d9a04c4c04 100644 --- a/aws/structure.go +++ b/aws/structure.go @@ -2756,6 +2756,10 @@ func expandCognitoUserPoolPasswordPolicy(config map[string]interface{}) *cognito configs.RequireUppercase = aws.Bool(v.(bool)) } + if v, ok := config["temporary_password_validity_days"]; ok { + configs.TemporaryPasswordValidityDays = aws.Int64(int64(v.(int))) + } + return configs } @@ -3028,6 +3032,10 @@ func flattenCognitoUserPoolPasswordPolicy(s *cognitoidentityprovider.PasswordPol m["require_uppercase"] = *s.RequireUppercase } + if s.TemporaryPasswordValidityDays != nil { + m["temporary_password_validity_days"] = *s.TemporaryPasswordValidityDays + } + if len(m) > 0 { return []map[string]interface{}{m} } diff --git a/website/docs/r/cognito_user_pool.markdown b/website/docs/r/cognito_user_pool.markdown index 8fc7844945a..52d8a328775 100644 --- a/website/docs/r/cognito_user_pool.markdown +++ b/website/docs/r/cognito_user_pool.markdown @@ -48,7 +48,7 @@ The following arguments are supported: * `allow_admin_create_user_only` (Optional) - Set to True if only the administrator is allowed to create user profiles. Set to False if users can sign themselves up via an app. * `invite_message_template` (Optional) - The [invite message template structure](#invite-message-template). - * `unused_account_validity_days` (Optional) - The user account expiration limit, in days, after which the account is no longer usable. + * `unused_account_validity_days` (Optional) - **DEPRECATED** Use password_policy.temporary_password_validity_days instead - The user account expiration limit, in days, after which the account is no longer usable. ##### Invite Message template @@ -87,6 +87,7 @@ The following arguments are supported: * `require_numbers` (Optional) - Whether you have required users to use at least one number in their password. * `require_symbols` (Optional) - Whether you have required users to use at least one symbol in their password. * `require_uppercase` (Optional) - Whether you have required users to use at least one uppercase letter in their password. + * `temporary_password_validity_days` (Optional) - In the password policy you have set, refers to the number of days a temporary password is valid. If the user does not sign-in during this time, their password will need to be reset by an administrator. #### Schema Attributes