Terraform-provider-aws: aws_cognito_user_pool passes obsolete value UnusedAccountValidityDays

Created on 26 Jun 2019  ·  10 Comments  ·  Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.3

  • provider.aws v2.16.0

Affected Resource(s)

  • aws_cognito_user_pool

Terraform Configuration Files

provider "aws" {
  region = "us-east-1"
  version = "2.16.0"
}
data "aws_caller_identity" "current" {}

resource "aws_cognito_user_pool" "user_pool" {
  name = "test123_users"

  username_attributes = ["email"]
  auto_verified_attributes = ["email"]

  admin_create_user_config {
    allow_admin_create_user_only = false
  }
}

Debug Output

https://gist.github.com/alanbaldwin/eb0f1facc3290c7a83677b3de2dcffca

Expected Behavior

The cognito user pool should be updated to remove the tag added, and the allow_admin_create_user_only flag should be changed from true to false.

Actual Behavior

We get an error of:

Error: Error updating Cognito User pool: InvalidParameterException: Please use TemporaryPasswordValidityDays instead of UnusedAccountValidityDays.

Steps to Reproduce

  1. terraform apply
  2. Go into the AWS console, add a tag to the cognito user pool.
  3. Toggle the allow_admin_create_user_only field, causing the user pool to update.
  4. terraform apply

Important Factoids

After talking with AWS Support, they have made the UnusedAccountValidityDays field obsolete (not deprecated). It looks like the updates are passing this field along when it tries to update the fields, but it doesn't appear to break without changing Cognito from an outside source like the console.
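For comparison, an added configuration (not the reporter's, and not from the provider project) that leaves the obsolete field unset and carries the validity period in the attribute the API now asks for. It assumes a provider release that exposes password_policy.temporary_password_validity_days; the report does not state whether v2.16.0 does.

```hcl
# Added example, not part of the original issue. Assumes the provider in
# use supports password_policy.temporary_password_validity_days.
provider "aws" {
  region = "us-east-1"
}

resource "aws_cognito_user_pool" "user_pool" {
  name = "test123_users"

  username_attributes      = ["email"]
  auto_verified_attributes = ["email"]

  admin_create_user_config {
    allow_admin_create_user_only = false
    # unused_account_validity_days is deliberately absent: the update call
    # is rejected with "Please use TemporaryPasswordValidityDays instead of
    # UnusedAccountValidityDays" when it is sent.
  }

  password_policy {
    minimum_length    = 8
    require_lowercase = true
    require_numbers   = true
    require_symbols   = true
    require_uppercase = true
    # Replacement for the obsolete validity setting: the API field
    # TemporaryPasswordValidityDays, surfaced here under password_policy.
    temporary_password_validity_days = 7
  }
}
```

After an apply, a second `terraform plan` that reports no changes is the check that the obsolete field is no longer being sent; a console-side edit to the pool followed by another apply exercises the update path that fails in the report.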



All 10 comments

what's the work around right now to allow terraform apply to work? i tried deleting the pool from tfstate and import again, but terraform apply still breaks.

Our solution was to just remove Cognito from terraform until this is fixed. It sucks but it was our best choice.

This issue only happens if you try to modify something in the admin_create_user_config block. Changing the corresponding values through AWS console (the Policies screen) or CLI and running apply works to bring the state file in sync. Changing other blocks and keys through terraform works fine.

> This issue only happens if you try to modify something in the admin_create_user_config block. Changing the corresponding values through AWS console (the Policies screen) or CLI and running apply works to bring the state file in sync. Changing other blocks and keys through terraform works fine.

Not entirely. An end-user had manually made a change to the Cognito user pool via the AWS console (specifically: changed the email subject) and Terraform tries to correct this inconsistency.

As part of that, the plan includes the admin_create_user_config block, even though it wasn't defined in the resource definition:

      admin_create_user_config {
          allow_admin_create_user_only = false
          unused_account_validity_days = 7

          invite_message_template {
              email_message = "Your username is {username} and temporary password is {####}. "
              email_subject = "Your temporary password"
              sms_message   = "Your username is {username} and temporary password is {####}. "
          }
      }

And this results in the above described error as well:

Error: Error updating Cognito User pool: InvalidParameterException: Please use TemporaryPasswordValidityDays instead of UnusedAccountValidityDays
    status code: 400, request id: ...

While looking at the plan, it seems to want to correct the sms_ args as well, which we have also not defined in the resource (so AWS used default values):

      - sms_authentication_message = "Your authentication code is {####}. " -> null
      - sms_verification_message   = "Your verification code is {####}. " -> null

But that's separate to this issue.

SMS bug resolved in #9758

Hi,

Same issue for me. Terraform can not update cognito. Just CREATE and DESTROY working.

Same issue here, but I was changing auto_verified_attributes

Hi @alanbaldwin 👋 Thanks for reporting this! I'm closing it in preference of the older issue #8827 which references the same problem.

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
