aws_cognito_user_pool passes obsolete value UnusedAccountValidityDays #9143

Closed
alanbaldwin opened this issue Jun 26, 2019 · 10 comments

@alanbaldwin

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.3

  • provider.aws v2.16.0

Affected Resource(s)

  • aws_cognito_user_pool

Terraform Configuration Files

provider "aws" {
  region = "us-east-1"
  version = "2.16.0"
}
data "aws_caller_identity" "current" {}

resource "aws_cognito_user_pool" "user_pool" {
  name = "test123_users"

  username_attributes = ["email"]
  auto_verified_attributes = ["email"]

  admin_create_user_config {

    allow_admin_create_user_only = false

  }
}

Debug Output

https://gist.github.com/alanbaldwin/eb0f1facc3290c7a83677b3de2dcffca

Expected Behavior

The cognito user pool should be updated to remove the tag added, and the allow_admin_create_user_only flag should be changed from true to false.

Actual Behavior

We get an error of
Error: Error updating Cognito User pool: InvalidParameterException: Please use TemporaryPasswordValidityDays instead of UnusedAccountValidityDays.

Steps to Reproduce

  1. terraform apply
  2. Go into the AWS console, add a tag to the cognito user pool.
  3. Toggle the allow_admin_create_user_only field, causing the user pool to update.
  4. terraform apply

Important Factoids

After talking with AWS Support, they have made the UnusedAccountValidityDays field obsolete (not deprecated). It looks like the updates are passing this field along when it tries to update the fields, but it doesn't appear to break without changing Cognito from an outside source like the console.

@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jun 26, 2019
@bbbryan14

What's the workaround right now to allow terraform apply to work? I tried deleting the pool from tfstate and importing it again, but terraform apply still breaks.

@alanbaldwin
Author

Our solution was to just remove Cognito from terraform until this is fixed. It sucks but it was our best choice.

@dskrvk

dskrvk commented Aug 28, 2019

This issue only happens if you try to modify something in the admin_create_user_config block. Changing the corresponding values through AWS console (the Policies screen) or CLI and running apply works to bring the state file in sync. Changing other blocks and keys through terraform works fine.

@dskrvk

dskrvk commented Aug 28, 2019

Duplicate of #8827

@mgreen-sm

This issue only happens if you try to modify something in the admin_create_user_config block. Changing the corresponding values through AWS console (the Policies screen) or CLI and running apply works to bring the state file in sync. Changing other blocks and keys through terraform works fine.

Not entirely. An end-user had manually made a change to the Cognito user pool via the AWS console (specifically: changed the email subject) and Terraform tries to correct this inconsistency.

As part of that, the plan includes the admin_create_user_config block, even though it wasn't defined in the resource definition:

        admin_create_user_config {
            allow_admin_create_user_only = false
            unused_account_validity_days = 7

            invite_message_template {
                email_message = "Your username is {username} and temporary password is {####}. "
                email_subject = "Your temporary password"
                sms_message   = "Your username is {username} and temporary password is {####}. "
            }
        }

And this results in the above described error as well:

Error: Error updating Cognito User pool: InvalidParameterException: Please use TemporaryPasswordValidityDays instead of UnusedAccountValidityDays
	status code: 400, request id: ...

While looking at the plan, it seems to want to correct the sms_ args as well, which we have also not defined in the resource (so AWS used default values):

      - sms_authentication_message = "Your authentication code is {####}. " -> null
      - sms_verification_message   = "Your verification code is {####}. " -> null

But that's separate to this issue.
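
A pre-apply check for the condition described in this thread, added here as an example (not code from the issue participants or the provider): it reads the JSON form of a saved plan (`terraform show -json`) and lists `aws_cognito_user_pool` updates whose planned `admin_create_user_config` still carries `unused_account_validity_days`. The function name and the sample plan are constructed for illustration, and the check assumes the planned value is what the provider would send in the update call.

```python
import json

OBSOLETE_KEY = "unused_account_validity_days"

def _change(address, rtype, actions, admin_cfg):
    # Helper that builds one constructed entry in the plan's resource_changes list.
    return {"address": address, "type": rtype,
            "change": {"actions": actions,
                       "after": {"admin_create_user_config": admin_cfg}}}

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    # In-place update that still carries the obsolete field: the failing case.
    _change("aws_cognito_user_pool.user_pool", "aws_cognito_user_pool",
            ["update"], [{"allow_admin_create_user_only": False, OBSOLETE_KEY: 7}]),
    # Create: the thread reports create and destroy as working, so not flagged.
    _change("aws_cognito_user_pool.new_pool", "aws_cognito_user_pool",
            ["create"], [{"allow_admin_create_user_only": False, OBSOLETE_KEY: 7}]),
    # No-op: nothing is sent to AWS, so not flagged.
    _change("aws_cognito_user_pool.idle_pool", "aws_cognito_user_pool",
            ["no-op"], [{"allow_admin_create_user_only": True, OBSOLETE_KEY: 7}]),
    # Update without the obsolete field set.
    _change("aws_cognito_user_pool.clean_pool", "aws_cognito_user_pool",
            ["update"], [{"allow_admin_create_user_only": False, OBSOLETE_KEY: None}]),
]})

def find_risky_updates(plan_json):
    """Return addresses of Cognito user pool updates that plan the obsolete field."""
    plan = json.loads(plan_json)
    risky = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_cognito_user_pool":
            continue
        change = rc.get("change") or {}
        if "update" not in change.get("actions", []):
            continue
        after = change.get("after") or {}
        # Nested blocks appear as a list of objects in the plan JSON.
        for block in after.get("admin_create_user_config") or []:
            if block.get(OBSOLETE_KEY) is not None:
                risky.append(rc["address"])
                break
    return risky

if __name__ == "__main__":
    for address in find_risky_updates(SAMPLE_PLAN):
        print("update would include", OBSOLETE_KEY, "->", address)
```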

@mgreen-sm

mgreen-sm commented Sep 12, 2019

SMS bug resolved in #9758

@talesporto

talesporto commented Oct 30, 2019

Hi,

Same issue for me. Terraform cannot update Cognito. Only CREATE and DESTROY are working.

@lgallard

Same issue here, but I was changing auto_verified_attributes

@aeschright
Contributor

Hi @alanbaldwin 👋 Thanks for reporting this! I'm closing it in preference of the older issue #8827 which references the same problem.

@aeschright aeschright removed the needs-triage Waiting for first response or review from a maintainer. label Dec 12, 2019
@ghost

ghost commented Mar 28, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 28, 2020