Updating Cognito User Pool EmailConfiguration->ConfigurationSet changes other settings outside this scope

[trogau]

Confirm by changing [ ] to [x] below to ensure that it's a bug:

• I've gone though the User Guide and the API reference
• I've searched for previous similar issues and didn't find any solution

Describe the bug
Updating a Cognito User Pool via AWS CLI to add a Configuration Set changes several other settings that are not specified in the payload.

SDK version number
aws-cli/2.1.22 Python/3.7.9 Windows/10 exe/AMD64 prompt/off

Platform/OS/Hardware/Device
Windows.

To Reproduce (observed behavior)

1. Dump your current user pool settings: aws cognito-idp describe-user-pool --user-pool-id ap-uat-pool > uat-pool-current-settings.json
2. Update your user pool to have a new configuration set: aws cognito-idp update-user-pool --user-pool-id uat-pool --email-configuration="SourceArn=arn:aws:ses:us-west-2:18941781714:identity/accounts@example.com,EmailSendingAccount=DEVELOPER,From=Explorate <accounts@example.com>,ConfigurationSet=SESConfSet"
3. Re-dump your current user pool settings and diff them with the ones from step 1. (You can also manually verify the changes in the console, but it might be faster/safer/easier to check via diff if you're familiar with the JSON output from this command.)

When we did this in two of our user pools, the ConfigurationSet was correctly updated, but the following features also changed:
MFA & verifications: Email verification seemed to be disabled & switched to ‘no verification’ (AutoVerifiedAttributes in the JSON diff).
– Message customizations: email verification message template & user invitation message template were both erased.
– Devices: “Do you want to remember your user’s devices” was set to No.

Expected behavior
I'd expected the changes would be limited to the EmailConfiguration scope, which was the only section passed in via CLI.

Additional context
Possibly related to this older issue: #3302

[tim-finnigan]

Hi @trogau, thanks for reaching out. Someone shared this AWS Forums Post in the issue you mentioned, where an AWS employee wrote:

This is the expected behavior of UpdateUserPool request. When you update user pool through cli, you should provide all the user pool attributes with the values you want it to be updated or kept. If you don't provide a value for the attribute, service will override it to the default setting.

The UpdateUserPool service API documentation notes the same:

If you don't provide a value for an attribute, it will be set to the default value.

So I think in your case you’d want to also specify --mfa-configuration, --sms-configuration, and --device-configuration in order to avoid those getting set to the default value.

Does that help resolve your issue? Please let us know if you have any questions.

[trogau]

@tim-finnigan : thanks for the prompt reply. You're right and my apologies, I had read the API docs for this feature but had just completely missed the bit about the default value being set if not provided.

Thanks again; closing as resolved.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.