Hi,
I'm having a strange behaviour with aws_cognito_user_pool. Sorry if this doesn't contain enough information. I can provide a bit more if needed.
```
Terraform v0.11.1
+ provider.archive v1.0.0
+ provider.aws v1.7.0
+ provider.external v1.0.0
+ provider.null v1.0.0
+ provider.template v1.0.0
```
aws_cognito_user_pool:

```hcl
# I've masked the domain name
resource "aws_cognito_user_pool" "main" {
  name                     = "Main"
  username_attributes      = ["email"]
  auto_verified_attributes = ["email"]

  device_configuration {
    device_only_remembered_on_user_prompt = "true"
  }

  email_configuration {
    source_arn = "arn:aws:ses:eu-west-1:${var.production_account_id}:identity/comms@XXXXXX"
  }

  email_verification_subject = "Confirm your email"
  email_verification_message = "<a href=\"https://XXXXXX/confirm?username={username}&code={####}\">Click here to verify your email address.</a>"
  sms_authentication_message = "Your authentication code is {####}. "
  sms_verification_message   = "Your verification code is {####}. "
  mfa_configuration          = "OFF"

  password_policy {
    minimum_length    = 8
    require_lowercase = false
    require_uppercase = false
    require_numbers   = false
    require_symbols   = false
  }

  admin_create_user_config {
    allow_admin_create_user_only = false
    unused_account_validity_days = 7

    invite_message_template {
      email_message = "Your username is {username} and temporary password is {####}. "
      email_subject = "Your temporary password"
      sms_message   = "Your username is {username} and temporary password is {####}. "
    }
  }

  schema {
    name                = "email"
    attribute_data_type = "String"
    required            = true
    mutable             = true
  }
}
```
Expected behaviour: AutoVerifiedAttributes should contain email.
Actual behaviour: AutoVerifiedAttributes doesn't contain email.
```shell
$ aws cognito-idp describe-user-pool --user-pool-id eu-west-2_XXXXXX > output1.txt
$ terraform apply
$ aws cognito-idp describe-user-pool --user-pool-id eu-west-2_XXXXXX > output2.txt
$ diff output1.txt output2.txt
11c11
< || LastModifiedDate | 1516123461.045 ||
---
> || LastModifiedDate | 1516124308.176 ||
20,28c20,25
< ||| AutoVerifiedAttributes |||
< ||+------------------------------------------------------------------------------------------------------------------------+||
< ||| email |||
< ||+------------------------------------------------------------------------------------------------------------------------+||
< ||| DeviceConfiguration |||
< ||+------------------------------------------------------------------------------------------------+-----------------------+||
< ||| ChallengeRequiredOnNewDevice | False |||
< ||| DeviceOnlyRememberedOnUserPrompt | True |||
< ||+------------------------------------------------------------------------------------------------+-----------------------+||
---
> |||| InviteMessageTemplate ||||
> |||+---------------------+------------------------------------------------------------------------------------------------+|||
> |||| EmailMessage | Your username is {username} and temporary password is {####}. ||||
> |||| EmailSubject | Your temporary password ||||
> |||| SMSMessage | Your username is {username} and temporary password is {####}. ||||
> |||+---------------------+------------------------------------------------------------------------------------------------+|||
```
You can see that for some reason AutoVerifiedAttributes is gone from output2.txt.
Tried to see what happened here but found myself lacking an understanding of terraform.
[image: email of auto_verified_attributes in aws console]
From the debug log, there is no AliasAttributes in the DescribeUserPool response. But terraform doesn't seem to detect the difference and just says diff is nil. I need to read more or some guide to figure out how terraform diff works.
Seems like when AutoVerifiedAttributes is nil, terraform just ignores that field. Same for pretty much every other field.
@louy By saying terraform just ignores that field, do you mean terraform will not take that attribute into consideration when diffing?
I believe so
So after further testing, I can confirm the following
With email verification turned on in the console:
```shell
$ aws cognito-idp describe-user-pool --user-pool-id eu-west-2_XXXXXXX --query 'UserPool.AutoVerifiedAttributes'
[
    "email"
]
```
Then if I turn it off using the console:
```shell
$ aws cognito-idp describe-user-pool --user-pool-id eu-west-2_XXXXXXX --query 'UserPool.AutoVerifiedAttributes'
null
```
Looking at the code here, it looks like terraform expects an empty array in the second case but AWS returns null for some reason. I might be able to send a PR to fix that
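Added example, not code from the thread or from the AWS provider: a small drift check over `describe-user-pool` JSON that treats a `null` (or missing) `AutoVerifiedAttributes` as an empty list, the normalisation the provider lacked before the fix, alongside a naive variant that skips the field when it is `null` and therefore reports no drift. The responses below are constructed samples; the pool id is a placeholder.

```python
"""Drift check for list-valued Cognito user pool fields (example, constructed data)."""
import json

# Constructed sample responses in the shape of `aws cognito-idp describe-user-pool`
# JSON output; not captured from a real account.
POOL_VERIFY_ON = json.dumps({"UserPool": {"Id": "eu-west-2_EXAMPLE",
                                          "AutoVerifiedAttributes": ["email"]}})
# After turning email verification off in the console, AWS returns null, not [].
POOL_VERIFY_OFF = json.dumps({"UserPool": {"Id": "eu-west-2_EXAMPLE",
                                           "AutoVerifiedAttributes": None}})

# Fields that AWS may return as null when they are empty (AliasAttributes is
# mentioned in the thread as behaving the same way).
LIST_FIELDS = ("AutoVerifiedAttributes", "AliasAttributes")


def normalised_field(describe_json, field):
    """Return the field as a set, mapping null and missing to the empty set."""
    pool = json.loads(describe_json).get("UserPool", {})
    return set(pool.get(field) or [])


def naive_diff(desired, describe_json):
    """Mimics the pre-1.12.0 behaviour: a null field is skipped, so no drift is reported."""
    pool = json.loads(describe_json).get("UserPool", {})
    changes = {}
    for field, want in desired.items():
        have = pool.get(field)
        if have is None:
            continue  # field ignored -> "diff is nil"
        if set(want) != set(have):
            changes[field] = {"want": sorted(want), "have": sorted(have)}
    return changes


def strict_diff(desired, describe_json):
    """Compare desired list fields against the live pool, null normalised to empty."""
    changes = {}
    for field, want in desired.items():
        have = normalised_field(describe_json, field)
        if set(want) != have:
            changes[field] = {"want": sorted(want), "have": sorted(have)}
    return changes


if __name__ == "__main__":
    desired = {"AutoVerifiedAttributes": ["email"]}
    print("naive :", naive_diff(desired, POOL_VERIFY_OFF))
    print("strict:", strict_diff(desired, POOL_VERIFY_OFF))
```

Running `strict_diff` on a saved `describe-user-pool` dump after a console change reports the attribute that was removed, which the naive comparison never sees.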
The fix for this has been merged into master and will be released with v1.12.0 of the AWS provider, likely in about a week.
This has been released in version 1.12.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
I'm using v1.26.0 of the AWS provider, and still seeing this issue.
My configuration:
```hcl
resource "aws_cognito_user_pool" "cognito_user_pool" {
  name = "cognito_user_pool-${var.namespace}"

  verification_message_template {
    default_email_option = "CONFIRM_WITH_CODE"
    email_message        = "Your verification code is {####}."
    email_subject        = "Your verification code"
  }

  password_policy {
    minimum_length    = 8
    require_numbers   = true
    require_symbols   = true
    require_lowercase = true
    require_uppercase = true
  }

  admin_create_user_config {
    allow_admin_create_user_only = true
    unused_account_validity_days = 7

    invite_message_template {
      email_message = "Your login information is {username} and your password is {####}."
      email_subject = "Welcome!"
      sms_message   = "Welcome! Your login information is {username} and your password is {####}."
    }
  }

  auto_verified_attributes = ["email"]

  schema {
    attribute_data_type      = "String"
    developer_only_attribute = false
    mutable                  = false
    name                     = "email"
    required                 = false

    string_attribute_constraints {
      min_length = 7
      max_length = 30
    }
  }
}
```
Every run of terraform plan results in the following changes:
```
~ aws_cognito_user_pool.cognito_user_pool
    auto_verified_attributes.#:                     "0" => "1"
    auto_verified_attributes.881205744:             "" => "email"
    verification_message_template.0.email_message:  "" => "Your verification code is {####}."
    verification_message_template.0.email_subject:  "" => "Your verification code"
```
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!