AutoVerifiedAttributes for CognitoUserPool being removed by terraform #3009

Closed
louy opened this issue Jan 16, 2018 · 9 comments · Fixed by #3786
Labels
bug Addresses a defect in current functionality.
Comments

@louy

louy commented Jan 16, 2018

Hi,

I'm having a strange behaviour with aws_cognito_user_pool. Sorry if this doesn't contain enough information. I can provide a bit more if needed.

Terraform Version

Terraform v0.11.1
+ provider.archive v1.0.0
+ provider.aws v1.7.0
+ provider.external v1.0.0
+ provider.null v1.0.0
+ provider.template v1.0.0

Affected Resource

  • aws_cognito_user_pool

Terraform Configuration Files

# I've masked the domain name
resource "aws_cognito_user_pool" "main" {
  name = "Main"

  username_attributes      = ["email"]
  auto_verified_attributes = ["email"]

  device_configuration {
    device_only_remembered_on_user_prompt = "true"
  }

  email_configuration {
    source_arn = "arn:aws:ses:eu-west-1:${var.production_account_id}:identity/comms@XXXXXX"
  }

  email_verification_subject = "Confirm your email"
  email_verification_message = "<a href=\"https://XXXXXX/confirm?username={username}&amp;code={####}\">Click here to verify your email address.</a>"
  sms_authentication_message = "Your authentication code is {####}. "
  sms_verification_message   = "Your verification code is {####}. "

  mfa_configuration = "OFF"

  password_policy {
    minimum_length    = 8
    require_lowercase = false
    require_uppercase = false
    require_numbers   = false
    require_symbols   = false
  }

  admin_create_user_config {
    allow_admin_create_user_only = false
    unused_account_validity_days = 7

    invite_message_template {
      email_message = "Your username is {username} and temporary password is {####}. "
      email_subject = "Your temporary password"
      sms_message   = "Your username is {username} and temporary password is {####}. "
    }
  }

  schema {
    name                = "email"
    attribute_data_type = "String"
    required            = true
    mutable             = true
  }
}

Expected Behavior

AutoVerifiedAttributes should contain email

Actual Behavior

AutoVerifiedAttributes doesn't contain email

Steps to Reproduce

  1. Turn email verification on from the aws console
  2. aws cognito-idp describe-user-pool --user-pool-id eu-west-2_XXXXXX > output1.txt
  3. terraform apply
  4. aws cognito-idp describe-user-pool --user-pool-id eu-west-2_XXXXXX > output2.txt
  5. diff output1.txt output2.txt
11c11
< ||  LastModifiedDate                                              |  1516123461.045                                         ||
---
> ||  LastModifiedDate                                              |  1516124308.176                                         ||
20,28c20,25
< |||                                                 AutoVerifiedAttributes                                                 |||
< ||+------------------------------------------------------------------------------------------------------------------------+||
< |||  email                                                                                                                 |||
< ||+------------------------------------------------------------------------------------------------------------------------+||
< |||                                                   DeviceConfiguration                                                  |||
< ||+------------------------------------------------------------------------------------------------+-----------------------+||
< |||  ChallengeRequiredOnNewDevice                                                                  |  False                |||
< |||  DeviceOnlyRememberedOnUserPrompt                                                              |  True                 |||
< ||+------------------------------------------------------------------------------------------------+-----------------------+||
---
> ||||                                                 InviteMessageTemplate                                                ||||
> |||+---------------------+------------------------------------------------------------------------------------------------+|||
> ||||  EmailMessage       |  Your username is {username} and temporary password is {####}.                                 ||||
> ||||  EmailSubject       |  Your temporary password                                                                       ||||
> ||||  SMSMessage         |  Your username is {username} and temporary password is {####}.                                 ||||
> |||+---------------------+------------------------------------------------------------------------------------------------+|||

You can see that for some reason AutoVerifiedAttributes is gone from output2.txt

@bflad bflad added bug Addresses a defect in current functionality. service/cognito labels Jan 16, 2018
@loivis
Contributor

loivis commented Jan 16, 2018

Tried to see what happened here but found myself lacking an understanding of terraform.

  1. create a user pool with configuration above.
  2. manually disable email of auto_verified_attributes in aws console.
  3. terraform plan shows no change at all.
  4. terraform apply doesn't re-enable the setting.

From the debug log, there is no AliasAttributes in the DescribeUserPool response. But terraform doesn't seem to detect the difference and just says diff is nil. I need to read more or some guide to figure out how terraform diff works.

@louy
Author

louy commented Jan 17, 2018

Seems like when AutoVerifiedAttributes is nil, terraform just ignores that field. Same for pretty much every other field.

https://github.com/terraform-providers/terraform-provider-aws/blob/518084a331561401a047211049f165c90a6ac975/aws/resource_aws_cognito_user_pool.go#L623-L625

@loivis
Contributor

loivis commented Jan 17, 2018

@louy By saying terraform just ignores that field, do you mean terraform will not take that attribute into consideration when diffing?

@louy
Author

louy commented Jan 17, 2018

I believe so.

@louy
Author

louy commented Jan 17, 2018

So after further testing, I can confirm the following:

With email verification turned on in the console:

$ aws cognito-idp describe-user-pool --user-pool-id eu-west-2_XXXXXXX --query 'UserPool.AutoVerifiedAttributes'
[
    "email"
]

Then if I turn it off using the console:

$ aws cognito-idp describe-user-pool --user-pool-id eu-west-2_XXXXXXX --query 'UserPool.AutoVerifiedAttributes'
null

Looking at the code here, it looks like terraform expects an empty array in the second case but AWS returns null for some reason. I might be able to send a PR to fix that.
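
The nil-versus-empty distinction described above, as an added illustration that is not the provider's own code: a stand-in Read function that only writes the attribute when the API returned it (the behaviour reported here) is compared with one that always writes it, mapping null to an empty list. The response and state types are constructed for the example, not the AWS SDK's.

```go
package main

import (
	"fmt"
	"reflect"
)

// UserPoolResponse is a constructed stand-in for the DescribeUserPool
// response. A nil slice models the "null" the API returns once email
// verification has been switched off in the console.
type UserPoolResponse struct {
	AutoVerifiedAttributes []*string
}

// state is a minimal stand-in for Terraform's recorded resource state.
type state map[string][]string

// flatten converts the API's []*string into the plain list kept in state.
// A nil input yields an empty (non-nil) list.
func flatten(in []*string) []string {
	out := make([]string, 0, len(in))
	for _, v := range in {
		if v != nil {
			out = append(out, *v)
		}
	}
	return out
}

// readBuggy mirrors the symptom in this issue: the field is only written
// when the API returned it, so a null response leaves stale state behind
// and the console change never shows up in the plan.
func readBuggy(s state, resp *UserPoolResponse) {
	if resp.AutoVerifiedAttributes != nil {
		s["auto_verified_attributes"] = flatten(resp.AutoVerifiedAttributes)
	}
}

// readFixed always writes the field, so null becomes an empty list and the
// plan shows auto_verified_attributes being re-added ("0" => "1").
func readFixed(s state, resp *UserPoolResponse) {
	s["auto_verified_attributes"] = flatten(resp.AutoVerifiedAttributes)
}

// HasDrift reports whether the refreshed state differs from the desired
// configuration, which is what drives a "~" entry in terraform plan.
func HasDrift(s state, want []string) bool {
	return !reflect.DeepEqual(s["auto_verified_attributes"], want)
}

func main() {
	want := []string{"email"}
	buggy := state{"auto_verified_attributes": []string{"email"}}
	fixed := state{"auto_verified_attributes": []string{"email"}}
	readBuggy(buggy, &UserPoolResponse{}) // API returned null
	readFixed(fixed, &UserPoolResponse{})
	fmt.Println("buggy read sees drift:", HasDrift(buggy, want))
	fmt.Println("fixed read sees drift:", HasDrift(fixed, want))
}
```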

@bflad
Contributor

bflad commented Mar 16, 2018

The fix for this has been merged into master and will be released with v1.12.0 of the AWS provider, likely in about a week.

@bflad
Contributor

bflad commented Mar 23, 2018

This has been released in version 1.12.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@eschwartz

I'm using v1.26.0 of the AWS provider, and still seeing this issue.

My configuration:

resource "aws_cognito_user_pool" "cognito_user_pool" {
  name = "cognito_user_pool-${var.namespace}"

  verification_message_template {
    default_email_option = "CONFIRM_WITH_CODE"
    email_message        = "Your verification code is {####}."
    email_subject        = "Your verification code"
  }

  password_policy {
    minimum_length    = 8
    require_numbers   = true
    require_symbols   = true
    require_lowercase = true
    require_uppercase = true
  }

  admin_create_user_config {
    allow_admin_create_user_only = true
    unused_account_validity_days = 7

    invite_message_template {
      email_message = "Your login information is {username} and your password is {####}."
      email_subject = "Welcome!"
      sms_message   = "Welcome! Your login information is {username} and your password is {####}."
    }
  }

  auto_verified_attributes = ["email"]

  schema {
    attribute_data_type      = "String"
    developer_only_attribute = false
    mutable                  = false
    name                     = "email"
    required                 = false

    string_attribute_constraints {
      min_length = 7
      max_length = 30
    }
  }
}

Every run of terraform plan results in the following changes:

  ~ aws_cognito_user_pool.cognito_user_pool
      auto_verified_attributes.#:                    "0" => "1"
      auto_verified_attributes.881205744:            "" => "email"
      verification_message_template.0.email_message: "" => "Your verification code is {####}."
      verification_message_template.0.email_subject: "" => "Your verification code"

@ghost

ghost commented Apr 3, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 3, 2020