error creating Cognito User Pool: InvalidParameterException: Required custom attributes are not supported currently #18430

Open
zachdelano opened this issue Mar 26, 2021 · 11 comments
Labels
bug Addresses a defect in current functionality.

Comments

@zachdelano

Terraform CLI and Terraform AWS Provider Version

$ terraform -version
Terraform v0.14.9
+ provider registry.terraform.io/cloudflare/cloudflare v2.17.0
+ provider registry.terraform.io/gitlabhq/gitlab v3.5.0
+ provider registry.terraform.io/hashicorp/aws v3.34.0
+ provider registry.terraform.io/hashicorp/kubernetes v1.13.3
+ provider registry.terraform.io/terraform-providers/cloudflare v2.10.1

Affected Resource(s)

  • aws_cognito_user_pool

Terraform Configuration Files

resource "aws_cognito_user_pool" "main" {
  # name and other attributes specified

  alias_attributes         = ["email"]
  auto_verified_attributes = ["email"]

  device_configuration {
    device_only_remembered_on_user_prompt = true
  }

  schema {
    attribute_data_type      = "Number"
    mutable                  = false
    name                     = "user_id"
    required                 = true
    developer_only_attribute = false
    number_attribute_constraints {
      min_value = 0
      max_value = 99999999999
    }
  }

  tags = local.labels
}

Expected Behavior

I should have been able to create the Cognito user pool with the configuration I have (with required set to true) since the required attribute is listed in the Terraform resource documentation.

Actual Behavior

I get an error when trying to create the Cognito user pool with a custom user_id attribute.

module.cas.aws_cognito_user_pool.main: Creating...

Error: error creating Cognito User Pool: InvalidParameterException: Required custom attributes are not supported currently.

  on modules/cas/main.tf line 51, in resource "aws_cognito_user_pool" "main":
  51: resource "aws_cognito_user_pool" "main" {

Steps to Reproduce

  1. Try to create a Cognito user pool with the same schema used in the "Terraform Configuration Files" section.
@ghost ghost added the service/cognito label Mar 26, 2021
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Mar 26, 2021
@breathingdust breathingdust added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Sep 4, 2021
@lsacco-nutreense

Any update when this may be added?

@jaceklabuda

jaceklabuda commented Dec 22, 2021

AWS doesn't support requirements for custom attributes.

"Cognito assigns all users a set of standard attributes based on the OpenID Connect (OIDC) standard."

You can mark an attribute as required during user pool creation only for predefined attributes.

I think the documentation should describe this limitation.

Example of correct usage of the required property:

resource "aws_cognito_user_pool" "administration" {
  name                     = "example-user-pool"
  username_attributes      = ["email"]
  auto_verified_attributes = ["email"]

  password_policy {
    minimum_length                   = 8
    require_lowercase                = false
    require_numbers                  = false
    require_symbols                  = false
    require_uppercase                = false
    temporary_password_validity_days = 1
  }

  # Predefined (standard) attribute: required = true is accepted here
  schema {
    name                     = "email"
    attribute_data_type      = "String"
    mutable                  = true
    required                 = true
    developer_only_attribute = false
    string_attribute_constraints {
      max_length = "2048"
      min_length = "5"
    }
  }

  # Custom attribute: must stay required = false, Cognito rejects required custom attributes
  schema {
    name                     = "roles"
    attribute_data_type      = "String"
    developer_only_attribute = false
    mutable                  = true
    required                 = false
    string_attribute_constraints {
      min_length = 0
      max_length = 100
    }
  }
}

@rafaelcpalmeida

rafaelcpalmeida commented Feb 10, 2022

I tried your approach, however, I'm still getting the same error 🤔

@rhutch117

I'm encountering the same error even when following the new approach.

resource "aws_cognito_user_pool" "primary_user_pool" {
  name                     = "primary-user-pool-${var.environment}"
  username_attributes      = ["email"]
  auto_verified_attributes = ["email"]

  account_recovery_setting {
    recovery_mechanism {
      name     = "verified_email"
      priority = 1
    }
  }

  schema {
    name                     = "email"
    attribute_data_type      = "String"
    mutable                  = true
    required                 = true
    developer_only_attribute = false
    string_attribute_constraints {
      min_length = "5"
      max_length = "2048"
    }
  }

  email_configuration {
    email_sending_account = "COGNITO_DEFAULT"
  }
}

Error:

unable to add custom attributes from schema: InvalidParameterException: Required custom attributes are not supported currently.

@rhutch117

So I had a simple mistake but I'm going to leave this up in case anybody else encounters it.

After creating the User Pool, you cannot modify it to mark an attribute as required. Instead the resource must be destroyed, and then redeployed for the changes to take effect.

This can be seen in the first note section of the documentation, under standard attributes: user-pool-settings

@loesak

loesak commented Sep 28, 2022

Then Terraform should recognize this and destroy/create the resource, no?

@codexetreme

are there any updates on this issue? This looks like a limitation on the AWS API rather than on terraform since a quick google search shows CF gives the same error. Ref: https://stackoverflow.com/questions/59388115/deploy-aws-userpool-via-cloudformation-with-attribute-update

I am still seeing this on aws provider version 4.60.0

@russellproud

Came across this issue today and was scratching my head for a bit. I came to the conclusion that the required = true is the issue after reading the custom attributes section here https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-custom-attributes

You can't require that users provide a value for the attribute.

As soon as I set required = false, deployed as expected.

Not the optimal behaviour I was after, but, acceptable for me.
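Since Cognito refuses `required = true` on a custom attribute, the only place left to enforce "this attribute must be present at sign-up" is a PreSignUp Lambda trigger. The following is an added example, not code from this issue, from the AWS provider, or from Cognito's documentation: it takes the `custom:user_id` attribute and the 0..99999999999 bounds from the schema block at the top of the issue, assumes the pool wires the function in with `lambda_config { pre_sign_up = <function arn> }`, and rejects any sign-up (SignUp, AdminCreateUser or federated) that lacks a valid value. The sample events at the bottom are constructed in the shape Cognito sends to the trigger.

```python
# Added example (not from the issue or the AWS provider): a Cognito PreSignUp
# Lambda trigger that enforces the "required custom attribute" that Cognito
# itself will not enforce. Attribute name and bounds come from the issue's
# schema block; the wiring assumed in Terraform is
#   lambda_config { pre_sign_up = aws_lambda_function.pre_sign_up.arn }
# on the aws_cognito_user_pool resource.

REQUIRED_ATTR = "custom:user_id"   # Cognito exposes custom attributes with a "custom:" prefix
MIN_VALUE = 0
MAX_VALUE = 99_999_999_999

# Every sign-up path the pool routes through the trigger uses this prefix:
# PreSignUp_SignUp, PreSignUp_AdminCreateUser, PreSignUp_ExternalProvider.
PRE_SIGN_UP_PREFIX = "PreSignUp_"


def validate_user_id(value):
    """Return (accepted, reason) for a raw userAttributes value.

    Cognito hands Number attributes to the trigger as strings, so the check is
    done on the string: non-empty, ASCII digits only (no sign, no underscores,
    no non-ASCII digits that int() would happily parse), within schema bounds.
    """
    if value is None or value.strip() == "":
        return False, f"{REQUIRED_ATTR} is required"
    text = value.strip()
    if not (text.isascii() and text.isdigit()):
        return False, f"{REQUIRED_ATTR} must be a non-negative integer"
    number = int(text)
    if not MIN_VALUE <= number <= MAX_VALUE:
        return False, f"{REQUIRED_ATTR} must be between {MIN_VALUE} and {MAX_VALUE}"
    return True, ""


def check_sign_up(event):
    """Apply the policy to a PreSignUp event; any other trigger passes through."""
    trigger = event.get("triggerSource", "")
    if not trigger.startswith(PRE_SIGN_UP_PREFIX):
        return True, ""
    attrs = event.get("request", {}).get("userAttributes") or {}
    return validate_user_id(attrs.get(REQUIRED_ATTR))


def lambda_handler(event, context):
    """Lambda entry point. Raising makes Cognito reject the sign-up and return
    the exception message to the caller; returning the event lets it proceed."""
    accepted, reason = check_sign_up(event)
    if not accepted:
        raise ValueError(reason)
    return event


def sample_event(user_attributes, trigger="PreSignUp_SignUp"):
    """Constructed PreSignUp event in the shape Cognito sends (sample data only)."""
    return {
        "version": "1",
        "triggerSource": trigger,
        "region": "us-east-1",
        "userPoolId": "us-east-1_EXAMPLE",
        "userName": "example-user",
        "request": {"userAttributes": user_attributes, "validationData": None},
        "response": {"autoConfirmUser": False, "autoVerifyEmail": False, "autoVerifyPhone": False},
    }


if __name__ == "__main__":
    good = sample_event({"email": "alice@example.com", "custom:user_id": "42"})
    missing = sample_event({"email": "bob@example.com"})   # client omitted the attribute
    print(check_sign_up(good))     # (True, '')
    print(check_sign_up(missing))  # (False, 'custom:user_id is required')
```

With `mutable = false` on the attribute, as in the issue's schema, sign-up is the only moment the value can ever be set, so rejecting in the trigger is what actually makes the attribute "required"; Cognito's own `required` flag would not have covered AdminCreateUser or federated sign-ups differently anyway. For `PreSignUp_ExternalProvider` the value has to arrive via the identity provider's attribute mapping, otherwise this trigger will reject every federated user.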

@nschandu

Setting the field required = false did the job for me. Thank you.

@blancahot

My solution:
I had to destroy and create the aws_cognito_user_pool resource to apply my required standard & custom attributes.

I faced an issue where I had already created a custom attribute, but I needed to add a standard attribute with the 'required' parameter set to true. Terraform automatically attempted to recreate the existing custom attribute and add the new standard attribute, but this was not possible as attributes cannot be deleted or modified once they have been created for the first time.

To solve this issue, I needed to delete the 'aws_cognito_user_pool' resource and then apply both schema blocks together. After doing this, the standard attribute was successfully added with the 'required' parameter set to true.

It's inconvenient to add attributes in Terraform without deleting the entire resource. A future feature can be a good idea to do here.

I hope this information will be useful to you :)

@gsi-eric

gsi-eric commented Dec 20, 2023

Hello, I had the same issue. My problem was that I had an inconsistency between the values and the Terraform state. The current values had been changed manually and were inconsistent with the unit of time for that value. I changed the values manually to short values and checked the unit for those values. I edited the Terraform and changed the values to

  token_validity_units {
    refresh_token = "days"
    access_token  = "minutes"
    id_token      = "minutes"
  }

  refresh_token_validity = 60
  access_token_validity  = 5
  id_token_validity      = 5
}

I ran the Terraform pipeline and the unit values were changed successfully.
