User Pools can independently enable SMS or Software Token MFA.
Currently the resource supports the high-level off/optional/required setting for MFA, but does not allow for enabling SMS or Software Token / TOTP.
```hcl
resource "aws_cognito_user_pool" "tripwire_customers" {
  // existing option
  mfa_configuration = "OPTIONAL"

  // need something like this
  sms_mfa_configuration = {
    sms_authentication_message = ...
    sms_configuration = {
      external_id    = ...
      sns_caller_arn = ...
    }
  }
  software_token_mfa_configuration = {
    enabled = true
  }
}
```
https://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetUserPoolMfaConfig
need this +1
Hi,
Is there any news on this, as it's currently rendering trying to control MFA-enabled user pools solely via Terraform impossible?
It looks to me like this capability is missing from the underlying Amazon API. Even CloudFormation is missing this capability: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html
It's the https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html API that covers it. Could be modeled as a separate resource, or included inline like the potential config above.
Any plan to make it available through the Terraform AWS provider?
I came across the same problem and ended up using this workaround:
```hcl
resource "aws_cognito_user_pool" "main" {
  name = "my_user_pool"

  // Runs the AWS CLI after the pool is created to enable TOTP MFA.
  provisioner "local-exec" {
    command = "aws cognito-idp set-user-pool-mfa-config --user-pool-id ${aws_cognito_user_pool.main.id} --software-token-mfa-configuration Enabled=true --mfa-configuration OPTIONAL"
  }
}
```
Hey guys, any updates on this?! I tried using @petrkohut's technique to no success :/
@renatoargh what error did you get?
Did you have AWS credentials configured in the terminal from which you ran terraform apply?
Hey @petrkohut yes, I had credentials properly set up. The thing is that I added this provisioner to an existing user pool and nothing happened. It is going to apply only when creating the resource, right?
Thanks, I appreciate your solution but having an official solution would be optimal.
@renatoargh Yes, it is going to be applied only when creating the resource I believe.
And yes, an official solution would be great, but I had to finish my project, thus I had to use this workaround.
Not to bug, but any updates on this? It's been ~5 months since discussion on this and I figured it worth checking.
Yeah, this is a security requirement for every sane implementation so hopefully we're not going to be taken care of based on upvotes. :)
Hi folks, apologies for the delay here after picking up this issue. The Cognito API behaviors made this change take longer than expected. I have submitted the following pull request to add this functionality to the existing aws_cognito_user_pool resource: https://github.com/terraform-providers/terraform-provider-aws/pull/12358
Support for this functionality (in the form of a new software_token_mfa_configuration configuration block in the aws_cognito_user_pool resource) has been merged and will release with version 2.53.0 of the Terraform AWS Provider, likely later today.
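As an added example (not code from the issue or the provider's own docs), here is a user pool that enables both the TOTP factor via the new `software_token_mfa_configuration` block and the SMS factor, with MFA required rather than optional. The resource names, the SNS role and the external ID value are assumptions for illustration.

```hcl
# Added example, not part of the issue thread. Assumes Terraform AWS provider >= 2.53.0.
# Role Cognito assumes to send SMS codes through SNS (name and external ID are assumed values).
resource "aws_iam_role" "cognito_sns" {
  name = "cognito-sms-mfa-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "cognito-idp.amazonaws.com" }
      Action    = "sts:AssumeRole"
      # Binding the trust to an external ID limits the role to this pool (confused-deputy protection).
      Condition = { StringEquals = { "sts:ExternalId" = "example-external-id" } }
    }]
  })
}

resource "aws_iam_role_policy" "cognito_sns" {
  name = "cognito-sms-publish"
  role = aws_iam_role.cognito_sns.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sns:Publish", Resource = "*" }]
  })
}

resource "aws_cognito_user_pool" "main" {
  name = "my_user_pool"

  # "ON" requires a second factor for every user; "OPTIONAL" lets users skip enrolment.
  mfa_configuration = "ON"

  # SMS factor: the message must contain the {####} code placeholder.
  sms_authentication_message = "Your verification code is {####}"
  sms_configuration {
    external_id    = "example-external-id"
    sns_caller_arn = aws_iam_role.cognito_sns.arn
  }

  # TOTP factor: the block this issue asked for, released in provider 2.53.0.
  software_token_mfa_configuration {
    enabled = true
  }
}
```

If only TOTP is wanted, drop the two IAM resources and the sms_* arguments; `mfa_configuration = "ON"` with just the software token block is valid on these provider versions.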
This has been released in version 2.53.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!
I'm going to lock this issue because it has been closed for _30 days_. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!