Adding custom cognito user pool attribute forces new resource #3891
Comments
bflad
added
enhancement
|
I am not sure how the deletion of custom attributes work as AWS doesn't seem to support deletion of custom attributes or updating custom attributes. |
|
As suspected, One cannot update or delete custom attributes once created as part of the user_pool. So the current behavior is the only way out I think 🤔 Further details in the AWS documentation |
|
Right, once the attributes are added they cannot be removed. However you can add new attributes. |
|
Is there a workaround for adding new attributes via terraform without having to re-create the entire user pool? Seems like it'll be tricky to add a new attribute in the future when the application is live. Edit: Looks like pegging the version to 1.12 fixed this for us. |
|
In the meantime, you can do it outside Terraform (web console, CLI, etc.) and just sync your Terraform configuration afterwards. |
|
Doing a bit more research. I've found the problem. If the schema attribute (in my case String) does not include the The following generates a new resource each time: While this does not: Most likely it's a different bug. |
|
@Puneeth-n Yes - seems like that will be the case. At the moment there is a I've referenced (see above) another issue I encountered after I added an identity provider (Google) to the user Pool. Looks like AWS adds a custom attribute called |
|
Looks like terraform forces a destroy and create of a user pool even if nothing changed in the .tf file. $ cat main.tf $ terraform -v $ terraform apply $terraform plan |
|
@pankajku The issue you are facing is different. However, IMHO terraform should be able to catch such errors. There is an error in your config. For variable "region" {
default = "us-east-1"
}
provider "aws" {
version = "1.14.1"
region = "${var.region}"
}
resource "aws_cognito_user_pool" "pankajk_security" {
name = "pankajk-security"
email_verification_subject = "Your Verification Code"
email_verification_message = "Please use the following code: {####}"
alias_attributes = ["email", "preferred_username"]
auto_verified_attributes = ["email"]
verification_message_template {
default_email_option = "CONFIRM_WITH_CODE"
}
password_policy {
minimum_length = 10
require_lowercase = true
require_numbers = true
require_symbols = true
require_uppercase = true
}
schema {
attribute_data_type = "String"
developer_only_attribute = false
mutable = true
name = "email"
required = true
string_attribute_constraints {
min_length = 7
max_length = 256
}
}
schema {
attribute_data_type = "String"
developer_only_attribute = false
mutable = true
name = "oid"
required = false
string_attribute_constraints {
min_length = 1
max_length = 256
}
}
} |
|
@Puneeth-n , Thanks for catching the problem in my config. I changed it as per your suggestion and now terraform updates only the changed attributes. I did notice that after I make a simple change (such as verification message text) in config file and run "terraform apply", the email verification flag gets unset. $ terraform apply $ terraform plan Wonder if this is also due to some error in the config file or a bug. |
|
This still seems to be a problem and is going to cause someone a lot of heartache one day when tf drops the user pool and they lose all their users... Adding this to the schema causes the user pool to be destroyed, despite being able to be created in the console/cli without destroying. |
|
Yea. I have |
|
Still hitting the resource recreate issue when I try to add new custom attributes. Terraform Version Before adding new custom attribute Add new custom attribute Debug Ouput |
|
FYI: I made custom attribute without After I added empty I really appreciate everyone's workaround! |
|
Workaround doesn't work for me. Plan: Versions: This is a huge issue for anyone who is developing new applications and require to add/experiment with custom attributes. We had our pool destroyed 10+ times because of this. |
|
Any progress on this? You guys are forcing us to blow away a resource that involves asking the customer to reset their passwords (assuming we even have backup data to import in the first place), or for me, I setup a lifecycle ignore_changes * and hope someone finally gets around to fixing this before I need another change. The fact this has been sitting out there for 9 months is seriously making me wonder whether I should trust critical infrastructure to Terraform. |
|
The workaround doesn't work for me either. It always recreates the pool even if there are no changes to the templates. |
|
still an isssue |
|
And still... |
|
I'm also affected by this, none of the workarounds have worked for me. |
I'm asking myself the same question. There are a lot of critical bugs not handled for more then a year, some - for more than two years. For a lot of these bugs there are ready PR which also hangingin unlandled for more than a year. Also recently I have filled a bug report for a serious but in jsonencode function - they refused to fiz it. The reply was - it is fixed in version 12, which will be released some unknown time in the future and we don't care about version 11. BTW the issue from this topic is not the only one, that cognito user pool has. Callback_urls has to be ordered exactly as AWS doing this, otherwise terraform constantly trying to change order. |
|
@voroniys My take away from using Terraform for 3+ years is not to maintain states via Terraform. It is true for any IaC. Terraform is a powerful tool and has God access. Refrain from using it for applications having state. |
|
Still an issue. |
|
ping as well. Manually managing the state is... ridiculous |
|
Guys, any updates? We are in 2020 now... |
|
Yes, still an issue... |
|
Hope this helps everyone else, easier way than the above solution and potentially less messier than playing around with the terraform state and imports. Similar to ePoromaa, you will need to run the aws cli cmd manually to add a custom attribute to the cognito user pool. Once you've added the custom attribute via the aws cli, you will now need to add the schema block for it in your terraform cognito user pool code. For example
Once the schema block is added into terraform, terraform picks up no changes. Would consider this safe to do in prod as well. |
|
Terraform v0.12.26
Still have the issue... |
|
Hi everyone, any updates on here? |
|
Please fix this issue! |
|
This is still an issue with Please address. |
|
Workaround to prevent destruction of the user pool:
|
|
Hi there, we are also facing this issue. Any updates? Thanks! |
|
Anybody from HashiCorp out there ? Hellooo.... |
|
Facing this as well: Terraform v0.12.29 |
|
Terraform v0.13.3
Still facing the issue |
|
Hi all! 👋 Just wanted to direct you to our public roadmap for this quarter (Nov-Jan) in which this item has been mentioned. Due to the significant community interest in resolving this issue, we will be looking at merging existing contributions soon. We appreciate all the contributions and feedback thus far. |
|
Thanks, @eporomaa and @efernandes-dev-ops This workaround worked for me. Basically, it ran the following commands terraform state list # to figure out what is resource state for cognito in my project
terraform state rm aws_cognito_user_pool.my_pool # remove stateNow you can add new attributes via CLI or web console. We need to make sure that terraform resource file must contain those attributes you added via CLI or console. Actually, the terraform resource file should be synced with Cognito terraform import -var "provider_role_arn=<ROLE_ARN>" aws_cognito_user_pool.my_pool <USER_POOL_ID> |
|
Our workaround is similar to @dguisinger, except we don't ignore everything via wildcard, but only the schema changes. The problem was even when we only make changes to the load balancer or something else, Terraform would re-create the Cognito user pool, because they're in the same plan. This code bit was inserted so that our pipeline would be able to run multiple times per day: |
|
@breathingdust - We're nearing the end of January 2021. This is a very significant issue for anyone using terraform to manage Cognito user pools. Any updates? |
|
I've been looking into addressing this, but the fix is currently blocked on hashicorp/terraform-plugin-sdk#497. We need to be able to compare the two |
|
After looking back at how this could be implemented, I found another potential way to solve it. I've opened a PR with the alternate method. |
|
This has been released in version 3.35.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks! |
|
Get errors when apply the tf to a UserPool created with 3.33 version of AWS Provider |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked as resolved and limited conversation to collaborators
and others
Adding new custom attributes should not force re-creation of the cognito user pool.
Terraform Version
Affected Resource(s)
aws_cognito_user_poolTerraform Configuration Files
Debug Output
Output of running
terraform planafter adding the custom attribute above.Panic Output
None
Expected Behavior
Add the attribute without destroying and rebuilding the cognito user pool. This is supported through the cognito UI and API (https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AddCustomAttributes.html).
Actual Behavior
The cognito user pool was rebuilt.
schema.#: "" => "1" (forces new resource)Steps to Reproduce
terraform apply- Create new user poolterrform plan- viewing the output shows that it would re-build the cognito user pool.Important Factoids
None
References
None
The text was updated successfully, but these errors were encountered: