Cognito unused_account_validity_days bug with 2.47 #11858

Closed
alemazz opened this issue Feb 3, 2020 · 11 comments · Fixed by #12001
@alemazz

alemazz commented Feb 3, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.20
Provider AWS 2.47

Affected Resource(s)

  • aws_cognito_user_pool

Terraform Configuration Files

```hcl
resource "aws_cognito_user_pool" "this" {
  name = var.pool_name

  password_policy {
    minimum_length                   = 8
    require_lowercase                = true
    require_numbers                  = true
    require_symbols                  = true
    require_uppercase                = true
    temporary_password_validity_days = 90
  }

  admin_create_user_config {
    allow_admin_create_user_only = true
  }

  schema {
    attribute_data_type      = "String"
    developer_only_attribute = false
    mutable                  = true
    name                     = "email"
    required                 = true

    string_attribute_constraints {
      min_length = 0
      max_length = 2048
    }
  }

  schema {
    attribute_data_type      = "String"
    developer_only_attribute = false
    mutable                  = true
    name                     = "name"
    required                 = true

    string_attribute_constraints {
      min_length = 0
      max_length = 2048
    }
  }

  schema {
    attribute_data_type      = "String"
    developer_only_attribute = false
    mutable                  = true
    name                     = "family_name"
    required                 = true

    string_attribute_constraints {
      min_length = 0
      max_length = 2048
    }
  }

  schema {
    attribute_data_type      = "String"
    developer_only_attribute = false
    mutable                  = true
    name                     = "profile"
    required                 = false

    string_attribute_constraints {
      min_length = 0
      max_length = 2048
    }
  }

  tags = merge(var.common_tags)
}
```

Debug Output

https://gist.github.com/alemazz/e7f72c95f47405107ff1c8686f10b611

Expected Behavior

Terraform reports a clean plan/apply with the new value "temporary_password_validity_days = 90"

Actual Behavior

Terraform keeps re-adding the old configuration with the deprecated value "unused_account_validity_days"

Steps to Reproduce

  1. terraform apply

@ghost ghost added the service/cognito label Feb 3, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Feb 3, 2020
@jlsjonas

jlsjonas commented Feb 3, 2020

From what I've noticed, the aws-provider reports the existence of the unused_account_validity_days even if it was never declared, automatically matching the new temporary_password_validity_days. Presumably there's some mapping that remains, or that will need to be done due to how AWS configures things internally.

@nickdgriffin

Also getting this with TF 0.12.18 and AWS provider 2.47, guessing it's because the old attribute is still in the state.

@alemazz
Author

alemazz commented Feb 4, 2020

@nickdgriffin I thought so, I tried to pull (terraform pull) and repush (terraform push) the state dropping the keyword "unused_account_validity_days"

@brianabston001

I am also seeing this issue. 12.18 and provider 2.47

In the meantime I am getting around it with this:

```hcl
lifecycle {
  ignore_changes = [
    admin_create_user_config.0.unused_account_validity_days
  ]
}
```

@jlsjonas

jlsjonas commented Feb 5, 2020

> Also getting this with TF 0.12.18 and AWS provider 2.47, guessing it's because the old attribute is still in the state.

@nickdgriffin I thought the same, but also had this on a completely new state (had several environments to set up, coincidentally :) )

ghost pushed a commit to mkruliv/terraform-aws-cognito-user-pool that referenced this issue Feb 6, 2020
Temporary solution for the fixing bug
hashicorp/terraform-provider-aws#11858
@michalschott
Contributor

See #10890 for wider context, this is AWS API.

@bflad bflad added bug Addresses a defect in current functionality. regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. and removed needs-triage Waiting for first response or review from a maintainer. labels Feb 11, 2020
@bflad bflad self-assigned this Feb 11, 2020
@bflad
Contributor

bflad commented Feb 11, 2020

Ah, looks like the unused_account_validity_days field is missing Computed: true on the schema, since we want to ignore when folks are not adding it to their Terraform configurations. Will submit fix shortly.

bflad added a commit that referenced this issue Feb 11, 2020
…uration block unused_account_validity_days to be omitted

Reference: #11858
Reference: #10890

There was previously no test configuration covering both admin_create_user_config and password_policy being defined. The upstream API has deprecated a field in the former, however if the configuration block was defined, the attribute would errantly show a difference on the deprecated field.

Previous output from acceptance testing (before code fix):

```
--- FAIL: TestAccAWSCognitoUserPool_withAdminCreateUserConfigurationAndPasswordPolicy (13.28s)
    testing.go:640: Step 0 error: After applying this step, the plan was not empty:

        DIFF:

        UPDATE: aws_cognito_user_pool.test
          admin_create_user_config.#:                              "1" => "1"
          admin_create_user_config.0.allow_admin_create_user_only: "true" => "true"
          admin_create_user_config.0.invite_message_template.#:    "0" => "0"
          admin_create_user_config.0.unused_account_validity_days: "7" => ""
... omitted for clarity ...
```

Output from acceptance testing:

```
--- PASS: TestAccAWSCognitoUserPool_withAdminCreateUserConfigurationAndPasswordPolicy (18.41s)
--- PASS: TestAccAWSCognitoUserPool_basic (18.46s)
--- PASS: TestAccAWSCognitoUserPool_withAliasAttributes (27.92s)
--- PASS: TestAccAWSCognitoUserPool_withPasswordPolicy (29.64s)
--- PASS: TestAccAWSCognitoUserPool_withVerificationMessageTemplate (29.68s)
--- PASS: TestAccAWSCognitoUserPool_withDeviceConfiguration (30.52s)
--- PASS: TestAccAWSCognitoUserPool_withEmailVerificationMessage (31.38s)
--- PASS: TestAccAWSCognitoUserPool_withSmsVerificationMessage (32.67s)
--- PASS: TestAccAWSCognitoUserPool_withSchemaAttributes (33.39s)
--- PASS: TestAccAWSCognitoUserPool_withAdminCreateUserConfiguration (37.94s)
--- PASS: TestAccAWSCognitoUserPool_withAdvancedSecurityMode (39.71s)
--- PASS: TestAccAWSCognitoUserPool_withTags (44.33s)
--- PASS: TestAccAWSCognitoUserPool_withSmsConfiguration (50.12s)
--- PASS: TestAccAWSCognitoUserPool_withSmsConfigurationUpdated (51.37s)
--- PASS: TestAccAWSCognitoUserPool_update (66.06s)
--- PASS: TestAccAWSCognitoUserPool_withLambdaConfig (75.15s)
```
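
A simplified model of the behaviour described in the comment and commit message above, added here as an illustration; it is not the provider's code and does not use the Terraform SDK. `AttrSchema` and `PlanDiff` are hypothetical names, and the value 7 is taken from the failing test output.

```go
package main

import "fmt"

// AttrSchema is a simplified stand-in for the two schema flags that matter
// here; it is not the Terraform SDK's schema.Schema type.
type AttrSchema struct {
	Optional bool
	Computed bool
}

// PlanDiff models how a plan treats one attribute. config is nil when the
// attribute is omitted from the configuration; state is the value last read
// from the API. It returns the `old => new` diff text, or "" for no change.
func PlanDiff(s AttrSchema, config *string, state string) string {
	if config == nil {
		if s.Computed {
			return "" // provider-owned value: keep whatever the API returned
		}
		if state != "" {
			return fmt.Sprintf("%q => %q", state, "") // plan tries to unset it
		}
		return ""
	}
	if *config != state {
		return fmt.Sprintf("%q => %q", state, *config)
	}
	return ""
}

func main() {
	// Constructed scenario: the API reports 7 for the deprecated field while
	// the configuration omits it, as in the failing acceptance test.
	before := AttrSchema{Optional: true}
	after := AttrSchema{Optional: true, Computed: true}
	fmt.Printf("Optional only:       %s\n", PlanDiff(before, nil, "7"))
	fmt.Printf("Optional + Computed: %s\n", PlanDiff(after, nil, "7"))
	explicit := "30"
	fmt.Printf("explicitly set:      %s\n", PlanDiff(after, &explicit, "7"))
}
```

With only `Optional`, every plan reproduces the `"7" => ""` line from the failing test; adding `Computed` suppresses it while an explicitly configured value is still compared against state.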
@bflad
Contributor

bflad commented Feb 11, 2020

Fix submitted: #12001

@bflad bflad added this to the v2.49.0 milestone Feb 12, 2020
bflad added a commit that referenced this issue Feb 12, 2020
…uration block unused_account_validity_days to be omitted (#12001)
@bflad
Contributor

bflad commented Feb 12, 2020

The fix for this has been merged and will release with version 2.49.0 of the Terraform AWS Provider, tomorrow. 👍

@ghost

ghost commented Feb 14, 2020

This has been released in version 2.49.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Mar 27, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 27, 2020