Access Token Validity not supported #44

Closed
Waschnick opened this issue Feb 26, 2021 · 6 comments · Fixed by #45
Labels
enhancement New feature or request

Comments

@Waschnick
Contributor

Waschnick commented Feb 26, 2021

Currently there is only client_refresh_token_validity, but Cognito also supports the validity for the access token (5min to 24h) and id token. Can you add client_access_token_validity and client_id_token_validity?

example

@lgallard
Owner

@Waschnick I don't see those attributes in the resource https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool_client

Where did you get the client_access_token_validity and client_access_token_validity names?

In fact, there's an open issue in the AWS provider at hashicorp/terraform-provider-aws#14919 which requests those attributes to be included in the resource.

As soon as they are available I can add them to the module.

Thanks for reporting them!

@Waschnick
Contributor Author

Waschnick commented Feb 28, 2021

Argh you are right, again. I would just implement it myself and create a PR for it on the hashicorp repo, but it has nearly 700 open PRs. EDIT: No need, there is already an open PR for this...

It's the same with the Lambda hook for "CustomSender" (CustomEmailSender), which is only supported via the AWS CLI (it's not even visible in the AWS console). I created a shell script running in my CI pipeline to add the lambda via AWS CLI, but that's for the user-pool, which is way easier to configure. The client has way too many attributes...

@lgallard
Owner

lgallard commented Mar 1, 2021

@Waschnick another approach is to use a CloudFormation stack called from Terraform to define the client. Take a look at AWS::Cognito::UserPoolClient and Terraform's resource aws_cloudformation_stack if you want to explore that option.

@Waschnick
Contributor Author

Hey @lgallard you should be able to add it now, it was recently released:

https://github.com/hashicorp/terraform-provider-aws/blob/v3.32.0/CHANGELOG.md
"Add support for access_token_validity"

@lgallard
Owner

@Waschnick I will include it in the next release!

@lgallard
Owner

lgallard commented Apr 10, 2021

@Waschnick Release 0.10.2 added the support. For the above screenshot define as follows:

```hcl
# clients
clients = [
  {
    allowed_oauth_flows                  = []
    allowed_oauth_flows_user_pool_client = false
    allowed_oauth_scopes                 = []
    callback_urls                        = ["https://mydomain.com/callback"]
    default_redirect_uri                 = "https://mydomain.com/callback"
    explicit_auth_flows                  = []
    generate_secret                      = true
    logout_urls                          = []
    name                                 = "test1"
    read_attributes                      = ["email"]
    supported_identity_providers         = []
    write_attributes                     = []
    # Token lifetimes; each value is interpreted in the unit set below.
    access_token_validity                = 1
    id_token_validity                    = 1
    refresh_token_validity               = 60
    token_validity_units = {
      access_token  = "hours"
      id_token      = "hours"
      refresh_token = "days"
    }
  },
  # ...
]
```

The complete example has this definition, alongside other client definition examples.
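Because the lifetime is a number paired with a separate unit, a mismatched pair (for example 60 with "hours" instead of "minutes") silently yields a much longer-lived token than intended. The following is an added example, not code from the module or from this thread, that rejects such values at plan time. The variable name client_token_validity is hypothetical, the 5 minute to 24 hour bound for the access token is the range quoted in the issue, and applying the same bound to the ID token is an assumption.

```hcl
# Added example: hypothetical wrapper variable, not part of the module.
variable "client_token_validity" {
  description = "Access and ID token lifetimes for one user pool client."
  type = object({
    access_token_validity = number
    id_token_validity     = number
    token_validity_units = object({
      access_token = string
      id_token     = string
    })
  })

  default = {
    access_token_validity = 1
    id_token_validity     = 1
    token_validity_units  = { access_token = "hours", id_token = "hours" }
  }

  # Access token: 5 minutes to 24 hours (range quoted in the issue).
  # The value is converted to seconds first; an unknown unit maps to 0
  # seconds and therefore fails the lower bound.
  validation {
    condition = alltrue([
      for s in [
        var.client_token_validity.access_token_validity * lookup(
          { seconds = 1, minutes = 60, hours = 3600, days = 86400 },
          var.client_token_validity.token_validity_units.access_token, 0
        )
      ] : s >= 300 && s <= 86400
    ])
    error_message = "Access token validity must be between 5 minutes and 24 hours."
  }

  # ID token: same bound applied here as an assumption (see lead-in).
  validation {
    condition = alltrue([
      for s in [
        var.client_token_validity.id_token_validity * lookup(
          { seconds = 1, minutes = 60, hours = 3600, days = 86400 },
          var.client_token_validity.token_validity_units.id_token, 0
        )
      ] : s >= 300 && s <= 86400
    ])
    error_message = "ID token validity must be between 5 minutes and 24 hours."
  }
}
```

The validated object can be combined with the rest of a client definition using merge() before it is placed in the clients list.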
