Merge pull request #27620 from DrFaust92/cognito_user_pool_client_aut…

…h_session_valid

cognito user pool client - add `auth_session_validity` arg

.changelog/27620.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_cognito_user_pool_client: Add `auth_session_validity` argument
+```

internal/service/cognitoidp/user_pool_client.go

@@ -101,6 +101,12 @@ func ResourceUserPoolClient() *schema.Resource {
 					},
 				},
 			},
+			"auth_session_validity": {
+				Type:         schema.TypeInt,
+				Optional:     true,
+				Default:      3,
+				ValidateFunc: validation.IntBetween(3, 15),
+			},
 			"callback_urls": {
 				Type:     schema.TypeSet,
 				Optional: true,
@@ -261,6 +267,10 @@ func resourceUserPoolClientCreate(d *schema.ResourceData, meta interface{}) erro
 		UserPoolId: aws.String(d.Get("user_pool_id").(string)),
 	}
 
+	if v, ok := d.GetOk("auth_session_validity"); ok {
+		params.AuthSessionValidity = aws.Int64(int64(v.(int)))
+	}
+
 	if v, ok := d.GetOk("generate_secret"); ok {
 		params.GenerateSecret = aws.Bool(v.(bool))
 	}
@@ -384,6 +394,7 @@ func resourceUserPoolClientRead(d *schema.ResourceData, meta interface{}) error
 	d.Set("supported_identity_providers", flex.FlattenStringSet(userPoolClient.SupportedIdentityProviders))
 	d.Set("enable_token_revocation", userPoolClient.EnableTokenRevocation)
 	d.Set("enable_propagate_additional_user_context_data", userPoolClient.EnablePropagateAdditionalUserContextData)
+	d.Set("auth_session_validity", userPoolClient.AuthSessionValidity)
 
 	if err := d.Set("analytics_configuration", flattenUserPoolClientAnalyticsConfig(userPoolClient.AnalyticsConfiguration)); err != nil {
 		return fmt.Errorf("error setting analytics_configuration: %w", err)
@@ -477,6 +488,10 @@ func resourceUserPoolClientUpdate(d *schema.ResourceData, meta interface{}) erro
 		params.EnablePropagateAdditionalUserContextData = aws.Bool(v.(bool))
 	}
 
+	if v, ok := d.GetOk("auth_session_validity"); ok {
+		params.AuthSessionValidity = aws.Int64(int64(v.(int)))
+	}
+
 	log.Printf("[DEBUG] Updating Cognito User Pool Client: %s", params)
 
 	_, err := tfresource.RetryWhenAWSErrCodeEquals(2*time.Minute, func() (interface{}, error) {

internal/service/cognitoidp/user_pool_client_test.go

@@ -36,6 +36,7 @@ func TestAccCognitoIDPUserPoolClient_basic(t *testing.T) {
 					resource.TestCheckTypeSetElemAttr(resourceName, "explicit_auth_flows.*", "ADMIN_NO_SRP_AUTH"),
 					resource.TestCheckResourceAttr(resourceName, "token_validity_units.#", "0"),
 					resource.TestCheckResourceAttr(resourceName, "analytics_configuration.#", "0"),
+					resource.TestCheckResourceAttr(resourceName, "auth_session_validity", "3"),
 				),
 			},
 			{
@@ -521,6 +522,41 @@ func TestAccCognitoIDPUserPoolClient_analyticsWithARN(t *testing.T) {
 	})
 }
 
+func TestAccCognitoIDPUserPoolClient_authSessionValidity(t *testing.T) {
+	var client cognitoidentityprovider.UserPoolClientType
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	resourceName := "aws_cognito_user_pool_client.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(t); testAccPreCheckIdentityProvider(t) },
+		ErrorCheck:               acctest.ErrorCheck(t, cognitoidentityprovider.EndpointsID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckUserPoolClientDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccUserPoolClientConfig_authSessionValidity(rName, 3),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckUserPoolClientExists(resourceName, &client),
+					resource.TestCheckResourceAttr(resourceName, "auth_session_validity", "3"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportStateIdFunc: testAccUserPoolClientImportStateIDFunc(resourceName),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccUserPoolClientConfig_authSessionValidity(rName, 15),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckUserPoolClientExists(resourceName, &client),
+					resource.TestCheckResourceAttr(resourceName, "auth_session_validity", "15"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccCognitoIDPUserPoolClient_disappears(t *testing.T) {
 	var client cognitoidentityprovider.UserPoolClientType
 	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
@@ -860,6 +896,17 @@ resource "aws_cognito_user_pool_client" "test" {
 `, rName)
 }
 
+func testAccUserPoolClientConfig_authSessionValidity(rName string, validity int) string {
+	return testAccUserPoolClientBaseConfig(rName) + fmt.Sprintf(`
+resource "aws_cognito_user_pool_client" "test" {
+  name                  = %[1]q
+  auth_session_validity = %[2]d
+  user_pool_id          = aws_cognito_user_pool.test.id
+  explicit_auth_flows   = ["ADMIN_NO_SRP_AUTH"]
+}
+`, rName, validity)
+}
+
 func testAccPreCheckPinpointApp(t *testing.T) {
 	conn := acctest.Provider.Meta().(*conns.AWSClient).PinpointConn
 

website/docs/r/cognito_user_pool_client.markdown

@@ -142,6 +142,7 @@ The following arguments are optional:
 * `allowed_oauth_flows` - (Optional) List of allowed OAuth flows (code, implicit, client_credentials).
 * `allowed_oauth_scopes` - (Optional) List of allowed OAuth scopes (phone, email, openid, profile, and aws.cognito.signin.user.admin).
 * `analytics_configuration` - (Optional) Configuration block for Amazon Pinpoint analytics for collecting metrics for this user pool. [Detailed below](#analytics_configuration).
+* `auth_session_validity` - (Optional) Amazon Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires. Valid values between `3` and `15`. Default value is `3`.
 * `callback_urls` - (Optional) List of allowed callback URLs for the identity providers.
 * `default_redirect_uri` - (Optional) Default redirect URI. Must be in the list of callback URLs.
 * `enable_token_revocation` - (Optional) Enables or disables token revocation.