Cognito refresh_token_validity does not match what AWS allows

[babyhuey]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v0.14.4

• provider registry.terraform.io/alexkappa/auth0 v0.19.0
• provider registry.terraform.io/hashicorp/aws v3.24.1
• provider registry.terraform.io/hashicorp/null v3.0.0
• provider registry.terraform.io/hashicorp/random v3.0.1
• provider registry.terraform.io/hashicorp/template v2.2.0

Affected Resource(s)

• aws_cognito_user_pool_client

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "aws_cognito_user_pool_client" "backend_auth" {
  name                   = "backend_auth"
  user_pool_id           = aws_cognito_user_pool.Atlas-dev.id
  refresh_token_validity = 30
  explicit_auth_flows = [
    "ALLOW_ADMIN_USER_PASSWORD_AUTH",
    "ALLOW_USER_SRP_AUTH",
    "ALLOW_REFRESH_TOKEN_AUTH",
    "ALLOW_CUSTOM_AUTH",
  ]
  supported_identity_providers = [
  ]
  read_attributes = [
    "given_name",
    "email_verified",
    "zoneinfo",
    "website",
    "preferred_username",
    "name",
    "locale",
    "phone_number",
    "family_name",
    "birthdate",
    "middle_name",
    "phone_number_verified",
    "profile",
    "picture",
    "address",
    "gender",
    "nickname",
    "email",
    "updated_at",
  ]
  write_attributes = [
    "given_name",
    "zoneinfo",
    "website",
    "preferred_username",
    "name",
    "locale",
    "phone_number",
    "family_name",
    "birthdate",
    "middle_name",
    "profile",
    "picture",
    "address",
    "gender",
    "nickname",
    "email",
    "updated_at",
  ]
}

Expected Behavior

According to AWS docs, we should be able to go from 60 minutes, all the way up to 10 years.

Actual Behavior

Only able to set the number in days

References

https://aws.amazon.com/about-aws/whats-new/2020/08/amazon-cognito-user-pools-supports-customization-of-token-expiration/

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool_client#refresh_token_validity

[babyhuey]

Just realized I was on older versions.

Just updated and issue persists:

Terraform v0.14.6
+ provider registry.terraform.io/alexkappa/auth0 v0.19.0
+ provider registry.terraform.io/hashicorp/aws v3.27.0
+ provider registry.terraform.io/hashicorp/null v3.0.0
+ provider registry.terraform.io/hashicorp/random v3.0.1
+ provider registry.terraform.io/hashicorp/template v2.2.0

[ewbankkit]

AWS API Reference:

The time limit, in days, after which the refresh token is no longer valid and cannot be used.

Type: Integer

Valid Range: Minimum value of 0. Maximum value of 315360000.

Required: No

[babyhuey]

Doing some more research, I found a an issue on the Cloudformation Github That shows you can set it to use TokenValidityUnits of seconds

[ewbankkit]

@babyhuey Thanks for raising this issue.
We already have an open issue (#14919) for token_validity_units (and a PR to address this).
I'm going to close this issue as a duplicate.
Please upvote the linked issue to bump up priority.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!