hashicorp · bflad · Mar 17, 2020 · Jan 15, 2020 · Mar 17, 2020 · Mar 17, 2020
diff --git a/aws/resource_aws_cognito_user_pool_client.go b/aws/resource_aws_cognito_user_pool_client.go
@@ -144,6 +144,12 @@ func resourceAwsCognitoUserPoolClient() *schema.Resource {
  },
  },
 
+ "prevent_user_existence_errors": {
+ Type: schema.TypeString,
+ Optional: true,
+ Computed: true,
+ },
+
  "supported_identity_providers": {
  Type: schema.TypeSet,
  Optional: true,
@@ -242,6 +248,10 @@ func resourceAwsCognitoUserPoolClientCreate(d *schema.ResourceData, meta interfa
  params.AnalyticsConfiguration = expandAwsCognitoUserPoolClientAnalyticsConfig(v.([]interface{}))
  }
 
+ if v, ok := d.GetOk("prevent_user_existence_errors"); ok {
+ params.PreventUserExistenceErrors = aws.String(v.(string))
+ }
+
  log.Printf("[DEBUG] Creating Cognito User Pool Client: %s", params)
 
  resp, err := conn.CreateUserPoolClient(params)
@@ -290,6 +300,7 @@ func resourceAwsCognitoUserPoolClientRead(d *schema.ResourceData, meta interface
  d.Set("callback_urls", flattenStringSet(resp.UserPoolClient.CallbackURLs))
  d.Set("default_redirect_uri", resp.UserPoolClient.DefaultRedirectURI)
  d.Set("logout_urls", flattenStringSet(resp.UserPoolClient.LogoutURLs))
+ d.Set("prevent_user_existence_errors", resp.UserPoolClient.PreventUserExistenceErrors)
  d.Set("supported_identity_providers", flattenStringSet(resp.UserPoolClient.SupportedIdentityProviders))
 
  if err := d.Set("analytics_configuration", flattenAwsCognitoUserPoolClientAnalyticsConfig(resp.UserPoolClient.AnalyticsConfiguration)); err != nil {
@@ -351,6 +362,10 @@ func resourceAwsCognitoUserPoolClientUpdate(d *schema.ResourceData, meta interfa
  params.LogoutURLs = expandStringSet(v.(*schema.Set))
  }
 
+ if v, ok := d.GetOk("prevent_user_existence_errors"); ok {
+ params.PreventUserExistenceErrors = aws.String(v.(string))
+ }
+
  if v, ok := d.GetOk("supported_identity_providers"); ok {
  params.SupportedIdentityProviders = expandStringSet(v.(*schema.Set))
  }

diff --git a/aws/resource_aws_cognito_user_pool_client_test.go b/aws/resource_aws_cognito_user_pool_client_test.go
@@ -152,6 +152,7 @@ func TestAccAWSCognitoUserPoolClient_allFields(t *testing.T) {
  resource.TestCheckResourceAttr(resourceName, "default_redirect_uri", "https://www.example.com/redirect"),
  resource.TestCheckResourceAttr(resourceName, "logout_urls.#", "1"),
  resource.TestCheckResourceAttr(resourceName, "logout_urls.2102268273", "https://www.example.com/login"),
+ resource.TestCheckResourceAttr(resourceName, "prevent_user_existence_errors", "LEGACY"),
  ),
  },
  {
@@ -210,6 +211,7 @@ func TestAccAWSCognitoUserPoolClient_allFieldsUpdatingOneField(t *testing.T) {
  resource.TestCheckResourceAttr(resourceName, "default_redirect_uri", "https://www.example.com/redirect"),
  resource.TestCheckResourceAttr(resourceName, "logout_urls.#", "1"),
  resource.TestCheckResourceAttr(resourceName, "logout_urls.2102268273", "https://www.example.com/login"),
+ resource.TestCheckResourceAttr(resourceName, "prevent_user_existence_errors", "LEGACY"),
  ),
  },
  {
@@ -451,7 +453,8 @@ resource "aws_cognito_user_pool_client" "test" {
  read_attributes = ["email"]
  write_attributes = ["email"]
 
- refresh_token_validity = %d
+ refresh_token_validity = %d
+ prevent_user_existence_errors = "LEGACY"
 
  allowed_oauth_flows = ["code", "implicit"]
  allowed_oauth_flows_user_pool_client = "true"

diff --git a/website/docs/r/cognito_user_pool_client.markdown b/website/docs/r/cognito_user_pool_client.markdown
@@ -123,6 +123,7 @@ The following arguments are supported:
 * `generate_secret` - (Optional) Should an application secret be generated.
 * `logout_urls` - (Optional) List of allowed logout URLs for the identity providers.
 * `name` - (Required) The name of the application client.
+* `prevent_user_existence_errors` - (Optional) Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to `ENABLED` and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to `LEGACY`, those APIs will return a `UserNotFoundException` exception if the user does not exist in the user pool.
 * `read_attributes` - (Optional) List of user pool attributes the application client can read from.
 * `refresh_token_validity` - (Optional) The time limit in days refresh tokens are valid for.
 * `supported_identity_providers` - (Optional) List of provider names for the identity providers that are supported on this client.