
aws_cognito_user_pool support temporary password validity days in password policy #8827

Closed
kradical opened this issue May 31, 2019 · 36 comments · Fixed by #10890
Labels
enhancement Requests to existing resources that expand the functionality or scope.
Milestone
v2.47.0

Comments

@kradical

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Amazon has changed the way temporary password expiry is specified. See references.

Specifically

  1. UnusedAccountValidityDays in AdminCreateUserConfigType

is being moved to

  1. TemporaryPasswordValidityDays in PasswordPolicyType

The way it works is that you can continue to use the first option but as soon as you specify the second option for a user pool the first option is deprecated and unusable for that user pool.

I think we can either make a clean break and move to the second option or we have to make both fields optional with no default provided to support both use cases. I definitely prefer the first option but it definitely breaks terraform API BC and could have implications by "implicitly" deprecating the first option in anybody's user pool that runs terraform.

I am going to take a crack at implementing this myself, probably the optional way because that will make the most people happy. And then once the deprecated field is removed we can remove it from here too 🤷‍♂ .

New or Affected Resource(s)

  • aws_cognito_user_pool

Potential Terraform Configuration

resource "aws_cognito_user_pool" "_" {
  # current: expiry is set on admin_create_user_config
  admin_create_user_config {
    unused_account_validity_days = 7
  }
  # proposed: expiry moves to password_policy (the two are alternatives;
  # once the new field is set on a pool the old one stops working there)
  password_policy {
    temporary_password_validity_days = 7
  }
}

References

https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUserConfigType.html
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_PasswordPolicyType.html

@kradical kradical added the enhancement Requests to existing resources that expand the functionality or scope. label May 31, 2019
@kradical kradical changed the title aws_cognito_user_pool support new password policy aws_cognito_user_pool support temporary password validity days in password policy May 31, 2019
@ghost commented Jun 3, 2019

I got redirected here from #21561 but getting this error:

Error: Unsupported argument

on main.tf line 38, in resource "aws_cognito_user_pool" "users":
38: temporary_password_validity_days = 7

An argument named "temporary_password_validity_days" is not expected here.

My config looks like this:

password_policy {
  minimum_length                   = var.password_min_length
  require_lowercase                = true
  require_numbers                  = true
  require_symbols                  = true
  require_uppercase                = true
  temporary_password_validity_days = 7
}

Terraform version 0.12, aws provider version 2.13

Any ideas?

@kradical (Author) commented Jun 3, 2019

@omarelsaid The temporary_password_validity_days field isn't supported by terraform-provider-aws yet; I am planning on adding it and opening a PR! I just hit a snag on Friday because I am trying to do it in a somewhat backwards-compatible way that still supports the deprecated field. I will probably try again today or tomorrow.

@derKrischan

I can confirm that @kradical's workaround works. We executed the following AWS CLI command and after that we were able to apply our terraform scripts again:
aws cognito-idp update-user-pool --user-pool-id yourPoolId --admin-create-user-config "AllowAdminCreateUserOnly=false" --region yourRegion --output json --profile yourProfile

@kradical (Author) commented Jun 4, 2019

Glad it worked for you! I randomly stumbled across it while desperately trying to get our builds going again 😂 .

Full comment they are referring to: #8845 (comment)

@mbogner commented Jul 10, 2019

Any updates on this one? I am getting

aws_cognito_user_pool.pool: Error updating Cognito User pool: InvalidParameterException: Please use TemporaryPasswordValidityDays instead of UnusedAccountValidityDays

while not using unused_account_validity_days or temporary_password_validity_days in the config.

@kradical (Author)

Not using either? Ooh that's not good. You can try the CLI workaround in the PR to "reset" the cognito user pool to using the old parameter. Although I wouldn't recommend using it on anything production, only development things.

Trying to add the new field in a backwards compatible way is proving difficult. We might have to just add it and default to the new field. I am waiting to hear back from maintainers.

@mbogner commented Jul 10, 2019

Yeah. Recreating the whole environment (avoiding both fields) fixed it until today. Nobody touched them on purpose (knowing it will be bad) but they returned anyway.

@mbogner commented Jul 11, 2019

Found a way to fix my problem without recreating anything. I just had to run

aws cognito-idp update-user-pool --user-pool-id {poolId} --admin-create-user-config '{"AllowAdminCreateUserOnly": false}'

before doing a normal terraform apply

@thommaa commented Jul 23, 2019

> I can confirm that @kradical's workaround works. We executed the following AWS CLI command and after that we were able to apply our terraform scripts again:
> aws cognito-idp update-user-pool --user-pool-id yourPoolId --admin-create-user-config "AllowAdminCreateUserOnly=false" --region yourRegion --output json --profile yourProfile

Be aware that any property of the cognito pool which is not default will be overwritten with this AWS CLI command, e.g. MFA on -> MFA off

@thommaa commented Jul 23, 2019

> Found a way to fix my problem without recreating anything. I just had to run
>
> aws cognito-idp update-user-pool --user-pool-id {poolId} --admin-create-user-config '{"AllowAdminCreateUserOnly": false}'
>
> before doing a normal terraform apply

Be aware that any property of the cognito pool which is not default will be overwritten with this AWS CLI command, e.g. MFA on -> MFA off
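The parameter move described in the issue body, together with the overwrite behaviour @thommaa warns about above, as an added worked example that is not part of this thread, of terraform-provider-aws, or of any AWS tooling. The UpdateUserPool API reference documents that any request member you leave out is reset to its default, which is why a bare `--admin-create-user-config` call can turn MFA off. The script below instead takes the JSON from `aws cognito-idp describe-user-pool`, drops the read-only members, carries every updatable setting forward unchanged, and moves the expiry value from UnusedAccountValidityDays to TemporaryPasswordValidityDays. The UPDATABLE_FIELDS set is my transcription of the UpdateUserPool request members; the sample pool, its identifiers and the helper names (validity_mode, build_update_payload, settings_lost_by_partial_update) are constructed for the example.

```python
"""Migrate a Cognito user pool from UnusedAccountValidityDays to
TemporaryPasswordValidityDays without resetting its other settings.

Added example for this thread (not provider or AWS code). Input is the JSON
that `aws cognito-idp describe-user-pool` returns; output is the JSON that
`aws cognito-idp update-user-pool --cli-input-json` accepts. UPDATABLE_FIELDS is
transcribed from the UpdateUserPool API reference; the sample pool is constructed.
"""
import copy
import json
from typing import Optional

# Top-level UpdateUserPool request members. Per the API reference, any member
# omitted from the request is reset to its default, which is the MFA on -> off
# effect reported in this thread. DescribeUserPool also returns read-only members
# (Id, Arn, Status, SchemaAttributes, CreationDate, ...) that must not be sent back.
UPDATABLE_FIELDS = {
    "Policies", "DeletionProtection", "LambdaConfig", "AutoVerifiedAttributes",
    "SmsVerificationMessage", "EmailVerificationMessage",
    "EmailVerificationSubject", "VerificationMessageTemplate",
    "SmsAuthenticationMessage", "UserAttributeUpdateSettings",
    "MfaConfiguration", "DeviceConfiguration", "EmailConfiguration",
    "SmsConfiguration", "UserPoolTags", "AdminCreateUserConfig",
    "UserPoolAddOns", "AccountRecoverySetting",
}

# Constructed DescribeUserPool output: an MFA-enabled pool still on the old member.
SAMPLE_DESCRIBE_OUTPUT = {
    "UserPool": {
        "Id": "us-east-1_EXAMPLE",  # constructed identifier
        "Name": "users",
        "Arn": "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE",
        "Status": "Enabled",
        "CreationDate": 1559260800.0,
        "SchemaAttributes": [{"Name": "email", "Required": True}],
        "EstimatedNumberOfUsers": 42,
        "Policies": {"PasswordPolicy": {
            "MinimumLength": 12, "RequireUppercase": True, "RequireLowercase": True,
            "RequireNumbers": True, "RequireSymbols": True,
        }},
        "MfaConfiguration": "ON",
        "AutoVerifiedAttributes": ["email"],
        "AdminCreateUserConfig": {
            "AllowAdminCreateUserOnly": True,
            "UnusedAccountValidityDays": 7,
        },
    }
}


def validity_mode(pool: dict) -> str:
    """Which expiry member a pool description carries: "old", "new", "both" or "none"."""
    old = "UnusedAccountValidityDays" in pool.get("AdminCreateUserConfig", {})
    new = "TemporaryPasswordValidityDays" in pool.get("Policies", {}).get("PasswordPolicy", {})
    return {(True, True): "both", (False, True): "new", (True, False): "old"}.get((old, new), "none")


def build_update_payload(describe_output: dict, validity_days: Optional[int] = None) -> dict:
    """Return an UpdateUserPool request carrying every updatable setting from
    describe_output, with the expiry expressed only as TemporaryPasswordValidityDays.

    validity_days overrides what the description holds. Without it the existing
    value is kept, and a pool reporting two different values is rejected rather
    than silently picking one.
    """
    pool = copy.deepcopy(describe_output["UserPool"])  # never mutate the caller's copy
    payload = {"UserPoolId": pool["Id"]}
    payload.update({k: v for k, v in pool.items() if k in UPDATABLE_FIELDS})

    admin_cfg = payload.setdefault("AdminCreateUserConfig", {})
    policy = payload.setdefault("Policies", {}).setdefault("PasswordPolicy", {})
    old_days = admin_cfg.pop("UnusedAccountValidityDays", None)  # the deprecated member
    new_days = policy.get("TemporaryPasswordValidityDays")

    if validity_days is None:
        if old_days is not None and new_days is not None and old_days != new_days:
            raise ValueError(
                f"pool reports UnusedAccountValidityDays={old_days} and "
                f"TemporaryPasswordValidityDays={new_days}; pass validity_days explicitly"
            )
        validity_days = new_days if new_days is not None else old_days

    if validity_days is not None:
        if not 0 <= validity_days <= 365:  # documented range for the new member
            raise ValueError("TemporaryPasswordValidityDays must be between 0 and 365")
        policy["TemporaryPasswordValidityDays"] = validity_days
    return payload


def settings_lost_by_partial_update(pool: dict, request: dict) -> list:
    """Updatable settings the pool has but the request omits: what UpdateUserPool resets."""
    return sorted(k for k in pool if k in UPDATABLE_FIELDS and k not in request)


if __name__ == "__main__":
    pool = SAMPLE_DESCRIBE_OUTPUT["UserPool"]
    bare = {"UserPoolId": pool["Id"], "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False}}
    print("bare --admin-create-user-config call would reset:", settings_lost_by_partial_update(pool, bare))
    print(json.dumps(build_update_payload(SAMPLE_DESCRIBE_OUTPUT), indent=2))
```

Save the output to a file and apply it with `aws cognito-idp update-user-pool --cli-input-json file://payload.json`, then run `describe-user-pool` again to confirm MfaConfiguration and the rest survived; settings_lost_by_partial_update lists what the minimal workaround command from this thread would have reset on the same pool. Once the pool carries TemporaryPasswordValidityDays, the matching Terraform setting is password_policy { temporary_password_validity_days = N } on a provider version that knows the argument.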

@AAOUAD commented Aug 20, 2019

> Found a way to fix my problem without recreating anything. I just had to run
>
> aws cognito-idp update-user-pool --user-pool-id {poolId} --admin-create-user-config '{"AllowAdminCreateUserOnly": false}'
>
> before doing a normal terraform apply

It worked for me with '{"AllowAdminCreateUserOnly": true}' instead of '{"AllowAdminCreateUserOnly": false}' (because it was already false)

@arne21a commented Sep 10, 2019

We built a preview of this fix, it worked for us.
If someone wants to try it out, feel free to download our binaries.
https://github.com/adesso-as-a-service/terraform-provider-aws/releases/tag/v2.27.1
Use it at your own risk ;)

@RishikeshDarandale

When will this be released?

@nikitacr7

Any updates?

@kradical (Author)

@nikitacr7 Update:

I closed the original PR because it looks like AWS has started removing the old parameter in some regions. So instead of trying to accommodate the old parameter IMO there should be a new PR to just do the swap. I have too much on my plate to do it, but it should hopefully be relatively straightforward.

@nikitacr7

@kradical It'd be very helpful if you will find some time to do it, because all my terraform stuff around cognito is blocked right now. Thanks!!!

@kradical (Author)

TBH I don't even use this library anymore so I'm not going to do it. Maybe someone whose livelihood depends on this bugfix should fix it 😂

@yannick-fernand

Hello, when will you fix this issue? It is very annoying. We are stuck at this moment and we could not go to production with that.

@cipsys commented Oct 23, 2019

This is a blocker for us as well. I'm very surprised such a critical issue has not been resolved in close to 6 months now.

@shadowfax-n

The workaround for unused_account_validity_days does not work anymore. It seems like the eu-west-1 region does not allow this any longer. I can't seem to find a way out of this issue :-(
Please can this be updated?

@josemchen commented Oct 25, 2019

Still an issue. Right now I have to manually update anything that falls under admin_create_user_config to prevent Terraform from picking up differences, to be able to apply additional changes.

This started happening after someone manually saved some changes to our email template through the Console.

@codyseibert

Still an issue.

@revbingo commented Nov 6, 2019

Blocker for me too. Cognito support in eu-central-1 is fairly useless until this is fixed :(

I notice the issue has just an "enhancement" label - perhaps someone can add a more appropriate label? I presume breaking-change?

@MatthiasVervaet commented Nov 6, 2019

We have the same issue. It seems like AWS has deprecated some configuration in eu-west-1

@chrisbenincasa

This has become an issue in us-west-2 as well.

@kartikrao

Same issue in ap-northeast-1, is this going to be fixed ?

@michalschott (Contributor)

eu-west-2 started to be affected too.

@michalschott (Contributor)

Looks like adding missing field fixes the issue - #10890

@michalschott (Contributor)

We found out that this might not be a regional change; actually, if you try to update certain configuration for your user pool using the AWS Console, the object is "converted" to the newer version under the hood.

@sagagliardo

Affected by the same issues. The only way to work around this, when possible, is to just make any changes via the console and then make sure Terraform is at parity with the console changes.

@mpxr commented Nov 20, 2019

I solved this by setting the unused_account_validity_days parameter to 0, this way Terraform will reset this value and won't use its default value even if you don't explicitly use this variable.

@mubeta06 (Contributor)

@mpxr thanks I'm certain you just saved me at least an hour of messing about.

@yggie commented Dec 18, 2019

This is still an issue. The best way I found to avoid the problem is to simply tell Terraform to ignore any changes:

resource "aws_cognito_user_pool" "my_user_pool" {
  ...

  lifecycle {
    ignore_changes = [
      "admin_create_user_config.0.unused_account_validity_days"
    ]
  }
}

And do every change manually in the console. Not ideal but it works for the time being.

@michalschott (Contributor)

If anyones interested in trying to make #10890 backwards compatible, feel free to. Doubt I'll have any more time for this.

@aeschright aeschright added this to the v2.47.0 milestone Jan 24, 2020
@ghost commented Jan 30, 2020

This has been released in version 2.47.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost commented Mar 27, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 27, 2020