Terraform module to create Amazon Cognito User Pools, configure its attributes and resources such as app clients, domain, resource servers. Amazon Cognito User Pools provide a secure user directory that scales to hundreds of millions of users.
License: Apache License 2.0
Hello,
I'm having an issue where Terraform fails randomly in this step:
│ Error: error creating Cognito User Pool Client (portals-dev): InvalidParameterException: The provider Salesforce does not exist for User Pool YYYYYYY.
│
│ with module.cognito.aws_cognito_user_pool_client.client[0],
│ on .terraform/modules/cognito/client.tf line 1, in resource "aws_cognito_user_pool_client" "client":
│ 1: resource "aws_cognito_user_pool_client" "client" {
│
All the configuration related to the identity providers is passed to the module, but sometimes it doesn't seem to create the provider on time and fails the deployment. It all goes well on the next retry.
lambda example configuration fails due to map (any) definitions.
"All must be the same type" see the link provided to see an explanation of the error. email_sender is an object, not a string, and as such will fail validation.
lambda_config = {
create_auth_challenge = "arn:aws:lambda:us-east-1:123456789012:function:create_auth_challenge"
custom_message = "arn:aws:lambda:us-east-1:123456789012:function:custom_message"
define_auth_challenge = "arn:aws:lambda:us-east-1:123456789012:function:define_auth_challenge"
post_authentication = "arn:aws:lambda:us-east-1:123456789012:function:post_authentication"
post_confirmation = "arn:aws:lambda:us-east-1:123456789012:function:post_confirmation"
pre_authentication = "arn:aws:lambda:us-east-1:123456789012:function:pre_authentication"
pre_sign_up = "arn:aws:lambda:us-east-1:123456789012:function:pre_sign_up"
pre_token_generation = "arn:aws:lambda:us-east-1:123456789012:function:pre_token_generation"
user_migration = "arn:aws:lambda:us-east-1:123456789012:function:user_migration"
verify_auth_challenge_response = "arn:aws:lambda:us-east-1:123456789012:function:verify_auth_challenge_response"
kms_key_id = ""
custom_email_sender = {
lambda_arn = "arn:aws:lambda:us-east-1:123456789012:function:custom_email_sender"
lambda_version = "V1_0"
}
custom_sms_sender = {
lambda_arn = "arn:aws:lambda:us-east-1:123456789012:function:custom_sms_sender"
lambda_version = "V1_0"
}
}
email_configuration is missing from_email_address declaration.
from_email_address = lookup(email_configuration.value, "from_email_address")
Hi guys,
I just want to custom SMS and Email senders with the 3rd-parties provider.
How can I add it?
Thanks you so much!
Ref:
The current output client_ids and client_secrets contains a list of ids and secrets. When I need to pass client id and client secret to other resources like lambda, I have to use index like module.cognito-user-pool.client_ids[1] module.cognito-user-pool.client_secrets[1]. The index could be changed when you create new app clients, so it's hard to be sure that it always points to correct one. I'd suggest to add to output:
output "client_ids_map" { description = "The ids of the user pool clients" value = { for k, v in aws_cognito_user_pool_client.client : v.name => v.id } }
output "client_secrets_map" { description = " The client secrets of the user pool clients" value = { for k, v in aws_cognito_user_pool_client.client : v.name => v.client_secret } }
In that case it would be easier to find proper app client with corresponding app secret with
lookup(module.cognito-user-pool.client_ids_map, "admin-client")
The following error message is caused by the latest version of the Terraform AWS Provider.
Terraform will perform the following actions:
# aws_cognito_identity_provider.identity_provider[0] will be updated in-place
~ resource "aws_cognito_identity_provider" "identity_provider" {
id = "eu-west-1_w5o31Ioby:auth0-dev"
~ provider_details = (sensitive value)
# (5 unchanged attributes hidden)
}
# aws_cognito_identity_provider.identity_provider[1] will be updated in-place
~ resource "aws_cognito_identity_provider" "identity_provider" {
id = "eu-west-1_w5o31Ioby:pingid-dev"
~ provider_details = (sensitive value)
# (5 unchanged attributes hidden)
}
# aws_cognito_user_pool.pool[0] will be updated in-place
~ resource "aws_cognito_user_pool" "pool" {
id = "eu-west-1_w5o31Ioby"
name = "confluence-dev"
tags = {
"Contact" = "Dennis Hoppe"
"Environment" = "dev"
"Owner" = "SICO"
"Project" = "Atlassian"
}
# (13 unchanged attributes hidden)
~ account_recovery_setting {
- recovery_mechanism {
- name = "verified_email" -> null
- priority = 1 -> null
}
- recovery_mechanism {
- name = "verified_phone_number" -> null
- priority = 2 -> null
}
}
# (16 unchanged blocks hidden)
}
Plan: 0 to add, 3 to change, 0 to destroy.
aws_cognito_user_pool.pool[0]: Modifying... [id=eu-west-1_w5o31Ioby]
╷
│ Error: updating Cognito User pool (eu-west-1_w5o31Ioby): InvalidParameter: 1 validation error(s) found.
│ - minimum field size of 1, UpdateUserPoolInput.AccountRecoverySetting.RecoveryMechanisms.
│
│
│ with aws_cognito_user_pool.pool[0],
│ on main.tf line 1, in resource "aws_cognito_user_pool" "pool":
│ 1: resource "aws_cognito_user_pool" "pool" {
│
╵
ERRO[0070] Terraform invocation failed in /Users/dhoppe/Customers/_REDACTED_/terragrunt-aws-atlassian/stacks/dev/eu-west-1/confluence/cognito/.terragrunt-cache/xHv5-BJMHVQytE_vi51vNgSP5cU/c_2QZ4BzEhEbpfllRPzfL-I6xic prefix=[/Users/dhoppe/Customers/_REDACTED_/terragrunt-aws-atlassian/stacks/dev/eu-west-1/confluence/cognito]
ERRO[0070] Module /Users/dhoppe/Customers/_REDACTED_/terragrunt-aws-atlassian/stacks/dev/eu-west-1/confluence/cognito has finished with an error: 1 error occurred:
* exit status 1
prefix=[/Users/dhoppe/Customers/_REDACTED_/terragrunt-aws-atlassian/stacks/dev/eu-west-1/confluence/cognito]
ERRO[0070] 1 error occurred:
* exit status 1
This issue has already been solved by a pull request:
Until a new version of the Terraform AWS Provider has been released, you can solve this issue by adding these lines to your config:
recovery_mechanisms = [
{
name = "verified_email"
priority = 1
},
{
name = "verified_phone_number"
priority = 2
}
]
Please support the account_recovery_setting in the module. It is not a valid input for the module, but even when left at the defaults, Terraform detects a change:
Terraform 0.14.3
hashicorp/aws v3.22.0
[output]
Terraform will perform the following actions:
~ resource "aws_cognito_user_pool" "pool" {
id = "XXXXXXX"
name = "XXXXXXX"
tags = {
"Terraform" = "1"
}
# (10 unchanged attributes hidden)
- account_recovery_setting {
}
We are having issues having our devices remembered in our device configuration but not forcing MFA to be required on every sign in. This because both device_configuration_device_only_remembered_on_user_prompt and device_configuration_challenge_required_on_new_device cannot be false if they are it defaults to an empty list and no device configuration is set. This is on line https://github.com/lgallard/terraform-aws-cognito-user-pool/blob/master/main.tf#L257
Picture attached of what I would like to have set in the UI.
I've made a PR that has fixed it for our use case I'm not sure if this will have repercussions on other cases I haven't checked but I don't think so.
In my config, i have no lambda_config variable, also tried with lambda_config = {}
Every apply/plan i get a change
# module.cognito_user_pool.aws_cognito_user_pool.pool[0] will be updated in-place
~ resource "aws_cognito_user_pool" "pool" {
...
...
+ lambda_config {
+ custom_email_sender {
+ lambda_arn = (known after apply)
+ lambda_version = (known after apply)
}
+ custom_sms_sender {
+ lambda_arn = (known after apply)
+ lambda_version = (known after apply)
}
}
We already had a configuration in place, after the upgrade of terraform and this plugin I am getting the following error:
When applying changes to
│ module.user_pool.aws_cognito_user_pool_client.client[0], provider
│ "provider["registry.terraform.io/hashicorp/aws"]" produced an unexpected
│ new value: .write_attributes: was cty.SetValEmpty(cty.String), but now
│ null.
│
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
I am using:
hashicorp/aws v4.60.0
terraform: 1.4.0
lgallard/cognito-user-pool/aws: 0.20.1 (I tried the v0.21 but it fails with the error described here #112 )
The same configuration was working fine with terraform 0.15.2 and the plugin version 0.18.2
module "user_pool" {
source = "lgallard/cognito-user-pool/aws"
version = "0.20.1" # v0.21 fails with: attributes_require_verification_before_update = lookup(user_attribute_update_settings.value,...
user_pool_name = var.name
domain = local.stripped_domain_name
admin_create_user_config_allow_admin_create_user_only = true
username_attributes = ["email"]
email_verification_message = var.email_verification_message
password_policy = {
minimum_length = 8
require_lowercase = false
require_numbers = true
require_symbols = false
require_uppercase = true
temporary_password_validity_days = 1
}
email_configuration = {
email_sending_account = "DEVELOPER"
from_email_address = "noreply@${var.email_domain}"
source_arn = var.ses_domain_identity
}
recovery_mechanisms = [
{
name = "verified_email"
priority = 1
}
]
clients = [
{
allowed_oauth_flows = ["code"]
allowed_oauth_flows_user_pool_client = true
allowed_oauth_scopes = ["email", "openid"]
callback_urls = ["https://${var.domain_name}/oauth2/callback"]
default_redirect_uri = "https://${var.domain_name}/oauth2/callback"
explicit_auth_flows = ["ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"]
generate_secret = true
logout_urls = ["https://${var.domain_name}", "https://${var.domain_name}/oauth2/sign_out"]
name = local.client_name
read_attributes = ["email"]
supported_identity_providers = ["COGNITO"]
write_attributes = []
access_token_validity = 1
id_token_validity = 1
refresh_token_validity = 1
token_validity_units = {
access_token = "hours"
id_token = "hours"
refresh_token = "days"
}
}
]
}
After a second attempt to apply to the terraform file, I got this; I can't figure out what properties are conflicting.
user_pool_name = "name"
alias_attributes = ["email"]
auto_verified_attributes = ["email"]
admin_create_user_config = {
allow_admin_create_user_only = false
}
string_schemas = [
{
attribute_data_type = "String"
developer_only_attribute = false
mutable = false
name = "email"
required = true
string_attribute_constraints = {
min_length = 5
max_length = 50
}
}
]
# sms_configuration = {}
email_configuration = {
from_email_address = "[email protected]"
email_sending_account = "DEVELOPER"
source_arn = "arn:aws:ses:us-east-1:${local.account_vars.locals.account_id}:identity/[email protected]"
}
lambda_config = {
custom_message = dependency.lambda.outputs.lambda_function_arn
}
password_policy = {
minimum_length = 8
require_lowercase = true
require_numbers = true
require_symbols = true
require_uppercase = true
}
clients = [
{
name = "name"
prevent_user_existence_errors = "ENABLED"
access_token_validity = 1
id_token_validity = 1
refresh_token_validity = 30
token_validity_units = {
access_token = "hours"
id_token = "hours"
refresh_token = "days"
}
},
}
]
recovery_mechanisms = [
{
name = "verified_email"
priority = 1
}
]
There are several references to "../modules/terraform-aws-cognito-user-pool". Would you possible be able to include that as well?
It would be good to enable support for software_token_mfa_configuration so MFA can be enabled for software TOTP generators (like google authenticator, or authy).
It only needs this adding https://www.terraform.io/docs/providers/aws/r/cognito_user_pool.html#software-token-mfa-configuration so I'll submit a PR shortly
Finally great module :) Thanks!
Hi there,
Great module, thanks for creating it!
Currently the module is using the paranoid operator for the version of the AWS provider, locking it to AWS provider versions 3.2 to 3.74.3 (at the time of writing). The AWS provider recently released version 4.
https://github.com/lgallard/terraform-aws-cognito-user-pool/blob/master/versions.tf#L5
Would it be possible to change this to allow versions on AWS provider 4.x, something like below?
terraform {
required_version = ">= 0.14.0"
required_providers {
aws = "~> 3.2, ~> 4.0"
}
}Team,
Just trying to get started here. I have a terraform policy where I have added cognito-idp:* to resource *. I have also tried explicity to add cognito-idp:CreateUserPool and still get this error.
╷
│ Error: creating Cognito User Pool: AccessDeniedException: User: arn:aws:iam::XXXXXXXXXXXXX:user/cc/admin/guy is not authorized to perform: cognito-idp:CreateUserPool on resource: * because no identity-based policy allows the cognito-idp:CreateUserPool action
│ status code: 400, request id: d4e241ba-3bf7-4b17-9888-4233d7f99ca4
│
│ with module.cognito-hash.aws_cognito_user_pool.pool[0],
│ on ../../terraform-aws-cognito-user-pool/main.tf line 1, in resource "aws_cognito_user_pool" "pool":
│ 1: resource "aws_cognito_user_pool" "pool" {
│
╵```
Hello!
So if I want to just mark this with terraform
i need to declare the schema block. Official module documentation says that standard attributes has some default values but in your code all values are mandatory. I've been trying to fix it by declaring some defaults without luck. Any hints?
Thanks!
-D
Currently there is only client_refresh_token_validity, but cognito also supports the validity for the access token (5min to 24h) and id token. Can you add client_access_token_validity and client_id_token_validity?
AccountRecoverySetting with the RecoveryMechanisms "admin_only" , "verified_email" and "verified_phone_number" is not supported. Should be able to set 1 or two with priority 1 & 2.
The deployment will default to the only "Not recommended" setting - Phone if available, otherwise email, and do allow a user to reset their password via phone if they are also using it for MFA.
ps. otherwise a very nice module, thanks for sharing it.
Can't figure out what's going on. Any idea why would it change to null after it successfully created one? Thank you.
# module.user_pool.aws_cognito_identity_provider.identity_provider[0] will be updated in-place
~ resource "aws_cognito_identity_provider" "identity_provider" {
~ attribute_mapping = {
- "username" = "sub" -> null
# (2 unchanged elements hidden)
}
id = "us-west-2_xxxxxxx:Google"
~ provider_details = {
- "attributes_url" = "https://people.googleapis.com/v1/people/me?personFields=" -> null
- "attributes_url_add_attributes" = "true" -> null
- "authorize_url" = "https://accounts.google.com/o/oauth2/v2/auth" -> null
- "oidc_issuer" = "https://accounts.google.com" -> null
- "token_request_method" = "POST" -> null
- "token_url" = "https://www.googleapis.com/oauth2/v4/token" -> null
# (3 unchanged elements hidden)
}
# (4 unchanged attributes hidden)
}
Update:
Removed the resource from the module (obviously it had dynamic values):
resource "aws_cognito_identity_provider" "identity_provider" {
count = 1
user_pool_id = "us-west-2_XXXXXXX"
provider_name = "Google"
provider_type = "Google"
# Optional arguments
attribute_mapping = {
email = "email"
email_verified = "email_verified"
username = "sub"
}
idp_identifiers = []
provider_details = {
authorize_scopes = "profile email"
client_id = "xxxxxxxxx-xxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com"
client_secret = "111"
}
}
Plan/Apply 2x times, fully idempotent (no resource of course)
Added the resource to the root module (static values tho) - same issue as before. Changes provider_details ><
Unable to plan or apple because of prevent_destroy using a variable.
See hashicorp/terraform#22544
If you want to implement prevent_destroy you have to duplicate the entire resource. Suggest to revert until new implementation can be created.
I get this error on version 0.21.0 with config that works fine on version 0.20.1
│ Error: Error in function call
│
│ on .terraform/modules/cognito_user_pool/main.tf line 198, in resource "aws_cognito_user_pool" "pool":
│ 198: attributes_require_verification_before_update = lookup(user_attribute_update_settings.value, "attributes_require_verification_before_update")
│ ├────────────────
│ │ user_attribute_update_settings.value is empty map of list of string
│
│ Call to function "lookup" failed: lookup failed to find key "attributes_require_verification_before_update".My configuration is:
module "cognito_user_pool" {
source = "lgallard/cognito-user-pool/aws"
version = "0.20.1"
user_pool_name = "v3_${local.parsed_workspace}"
username_attributes = ["email"]
deletion_protection = var.deletion_protection[local.workspace]
mfa_configuration = var.mfa_configuration[local.workspace]
software_token_mfa_configuration = {
enabled = true
}
device_configuration = {
challenge_required_on_new_device = true
device_only_remembered_on_user_prompt = true
}
email_configuration = {
email_sending_account = "DEVELOPER"
source_arn = data.aws_ses_email_identity.this.arn
}
recovery_mechanisms = [
{
name = "verified_email"
priority = 1
},
]
lambda_config = {
user_migration = aws_lambda_function.auth_migrate_user.arn
}
password_policy = {
minimum_length = 10
require_lowercase = true
require_numbers = true
require_symbols = true
require_uppercase = true
temporary_password_validity_days = 7
}
user_pool_add_ons = {
advanced_security_mode = "ENFORCED"
}
verification_message_template = {
default_email_option = "CONFIRM_WITH_LINK"
}
schemas = [
{
name = "email_verified"
attribute_data_type = "Boolean"
developer_only_attribute = false
mutable = true
required = false
},
{
name = "phone_num_verified"
attribute_data_type = "Boolean"
developer_only_attribute = false
mutable = true
required = false
}
]
string_schemas = [
{
name = "sub"
attribute_data_type = "String"
developer_only_attribute = false
mutable = false
required = true
string_attribute_constraints = {
min_length = 1
max_length = 2048
}
},
{
name = "name"
attribute_data_type = "String"
developer_only_attribute = false
mutable = true
required = false
string_attribute_constraints = {
min_length = 1
max_length = 2048
}
},
{
name = "email"
attribute_data_type = "String"
developer_only_attribute = false
mutable = true
required = true
string_attribute_constraints = {
min_length = 1
max_length = 2048
}
},
{
name = "v2Permissions"
attribute_data_type = "String"
developer_only_attribute = false
mutable = true
required = false
string_attribute_constraints = {
min_length = 1
max_length = 2048
}
},
{
name = "v3Permissions"
attribute_data_type = "String"
developer_only_attribute = false
mutable = true
required = false
string_attribute_constraints = {
min_length = 1
max_length = 2048
}
},
]
number_schemas = [
{
name = "updated_at"
attribute_data_type = "Number"
developer_only_attribute = false
mutable = true
required = false
number_attribute_constraints = {
min_value = 10
max_value = 10
}
},
{
name = "Id"
attribute_data_type = "Number"
developer_only_attribute = false
mutable = true
required = false
number_attribute_constraints = {
min_value = 1
max_value = 2048
}
},
]
domain = "v3-${local.parsed_workspace}"
clients = [
{
name = "v3"
allowed_oauth_flows = ["code"]
allowed_oauth_flows_user_pool_client = true
allowed_oauth_scopes = ["email", "openid", "phone", "profile"]
callback_urls = ["https://mydomain.com/callback"]
# default_redirect_uri = "https://mydomain.com/callback"
explicit_auth_flows = ["ALLOW_ADMIN_USER_PASSWORD_AUTH", "ALLOW_CUSTOM_AUTH", "ALLOW_REFRESH_TOKEN_AUTH", "ALLOW_USER_PASSWORD_AUTH", "ALLOW_USER_SRP_AUTH"]
generate_secret = false
logout_urls = []
read_attributes = ["email", "email_verified", "custom:Id", "custom:v2Permissions", "custom:v3Permissions", ]
supported_identity_providers = ["COGNITO"]
write_attributes = ["email", "custom:v2Permissions", "custom:v3Permissions", ]
access_token_validity = 1
id_token_validity = 1
refresh_token_validity = 30
token_validity_units = {
access_token = "hours"
id_token = "hours"
refresh_token = "days"
}
},
{
name = "risk_manager"
allowed_oauth_flows = ["code"]
allowed_oauth_flows_user_pool_client = true
allowed_oauth_scopes = ["email", "openid", "phone", "profile"]
callback_urls = ["https://mydomain.com/callback"]
# default_redirect_uri = "https://mydomain.com/callback"
explicit_auth_flows = ["ALLOW_ADMIN_USER_PASSWORD_AUTH", "ALLOW_CUSTOM_AUTH", "ALLOW_REFRESH_TOKEN_AUTH", "ALLOW_USER_PASSWORD_AUTH", "ALLOW_USER_SRP_AUTH"]
generate_secret = false
logout_urls = []
read_attributes = ["email", "email_verified", "custom:Id", "custom:v2Permissions", "custom:v3Permissions", ]
supported_identity_providers = ["COGNITO"]
write_attributes = ["email", "custom:v2Permissions", "custom:v3Permissions", ]
access_token_validity = 1
id_token_validity = 1
refresh_token_validity = 30
token_validity_units = {
access_token = "hours"
id_token = "hours"
refresh_token = "days"
}
},
]
}Is there any reason to making enabled default to false ? This makes it an incompatible upgrade without changing the calling module, anyone upgrading from a previous version of this module on an existing Terraform state might be surprised when they lose their pool !
In addition in this state the documentation is wrong, the enable flag is marked as optional but this is incorrect, it must be supplied to create the pool, also the examples (simple & complex) need to have the enabled = true added.
Can I suggest the default be true, that way nothing needs to change.
Thanks
When creating user pools with a client and resource servers and adding the resource server to the client as a custom scope, e.g:
module "cognito_user_pool" {
source = "lgallard/cognito-user-pool/aws"
...
resource_servers = [
{
identifier = "https://foo.bar"
scope = [
{
scope_name = "api"
}
]
}
]
clients = [
{
allowed_oauth_scopes = ["openid", "profile", "https://foo.bar/api"]
}
}
Then, if aws_cognito_user_pool_client.client is created before aws_cognito_resource_server.resource, it will fail because the custom scope https://foo.bar/api is unknown.
I worked-around the issue with a depends_on in aws_cognito_user_pool_client.client like this:
resource "aws_cognito_user_pool_client" "client" {
...
depends_on = [ aws_cognito_resource_server.resource ]
}
Terraform v1.0.6
AWS provider 3.63.0
aws_cognito_user_pool
string_schemas
number_schemas
module "cognito_user_pool" {
source = "lgallard/cognito-user-pool/aws"
version = "0.20.1"
user_pool_name = "Default"
username_attributes = ["email"]
....
string_schemas = [
{
attribute_data_type = "String"
developer_only_attribute = false
mutable = true
name = "groups"
required = false
string_attribute_constraints = {}
},
{
attribute_data_type = "String"
developer_only_attribute = false
mutable = true
name = "email"
required = true
string_attribute_constraints = {
max_length = "2048"
min_length = "0"
}
}
]
}
Pool is created with string schemas and terraform does not try to update them on the following terrafrom execution.
# module.cognito_user_pool.aws_cognito_user_pool.pool[0] will be updated in-place
~ resource "aws_cognito_user_pool" "pool" {
id = "us-east-1_ABCDE1234"
name = "Default"
tags = {
"Terraform" = "true"
}
# (14 unchanged attributes hidden)
- schema {
- attribute_data_type = "String" -> null
- developer_only_attribute = false -> null
- mutable = true -> null
- name = "groups" -> null
- required = false -> null
- string_attribute_constraints {}
}
+ schema {
+ attribute_data_type = "String"
+ developer_only_attribute = false
+ mutable = true
+ name = "groups"
+ required = false
}
+ schema {
}
# (11 unchanged blocks hidden)
}
Any kind of string schema is not creating, its showing in tfstate, but not in aws console.
string_schemas = [
{
attribute_data_type = "String"
developer_only_attribute = false
mutable = true
name = "name"
required = false
string_attribute_constraints = {
min_length = 3
max_length = 50
}
},
]
schemas & number_schemas are working as expected. but string schema is not working.
The AWS provider since at least 4.38.0 supports customising to amount of minutes for the auth session validity. This is useful when resetting passwords and to extend the amount of time the token sent by email is valid.
My company needs to implement it, so I'm going to prepare a MR.
I just need what to input for this in the terraform script: client_supported_identity_providers so that the end result is the cognito user pool selected for the client.
deletion_protection to the aws_cognito_user_pool resource was released in V4.38, so the aws provider version needs to be set to '>= 4.38' or deletion_protection should be removed removed to remain compatible with '>= 3.2'.
aws-cloudformation/cloudformation-coverage-roadmap#448 (comment)
terraform-aws-cognito-user-pool/main.tf
Line 257 in 8130dae
### Due to the above statement assuming that both attributes are false, it is set to both attributes as null.
### So the option was forced to be set as a "Don’t remember" Option.
### However, the following configuration should be "Always remember", Allow users to bypass MFA for trusted devices "NO"
device_configuration = {
challenge_required_on_new_device = false
device_only_remembered_on_user_prompt = false
}
### These are the following combinations for device configuration:
### 1) "Don’t remember" Option
device_configuration = {
challenge_required_on_new_device = null
device_only_remembered_on_user_prompt = null
}
### 2) "User opt-in", Allows users to bypass MFA for trusted devices "YES" Option
device_configuration = {
challenge_required_on_new_device = true
device_only_remembered_on_user_prompt = true
}
### 3) "User opt-in", Allows users to bypass MFA for trusted devices "NO" Option
device_configuration = {
challenge_required_on_new_device = false
device_only_remembered_on_user_prompt = true
}
### 4) "Always remember", Allow users to bypass MFA for trusted devices "NO" Option
device_configuration = {
challenge_required_on_new_device = false
device_only_remembered_on_user_prompt = false
}
### 5) "Always remember", Allow users to bypass MFA for trusted devices "YES" Option
device_configuration = {
challenge_required_on_new_device = true
device_only_remembered_on_user_prompt = false
}
### Modify "main.tf" file
### Commented the Line 40 device_configuration
# device_configuration
# dynamic "device_configuration" {
# for_each = local.device_configuration
# content {
# challenge_required_on_new_device = lookup(device_configuration.value, "challenge_required_on_new_device")
# device_only_remembered_on_user_prompt = lookup(device_configuration.value, "device_only_remembered_on_user_prompt")
# }
# }
### Replaced with the following as Hotfix
device_configuration {
challenge_required_on_new_device = try(var.device_configuration.challenge_required_on_new_device, null)
device_only_remembered_on_user_prompt = try(var.device_configuration.device_only_remembered_on_user_prompt, null)
}
.\terraform.exe destroy
Error: Instance cannot be destroyed
1: resource "aws_cognito_user_pool" "pool" {
Resource module.aws_cognito_user_pool_complete.aws_cognito_user_pool.pool has
lifecycle.prevent_destroy set, but the plan calls for this resource to be
destroyed. To avoid this error and continue with the plan, either disable
lifecycle.prevent_destroy or reduce the scope of the plan using the -target
flag.
Hi, can i please know how do i enable the above option using this TF module?
Thanks!
The default values used for client access and id token validity periods are set to 60 hours. Looking at the values
variable "client_access_token_validity" {
description = "Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. This value will be overridden if you have entered a value in `token_validity_units`."
type = number
default = 60
}
variable "client_id_token_validity" {
description = "Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. Must be between 5 minutes and 1 day. Cannot be greater than refresh token expiration. This value will be overridden if you have entered a value in `token_validity_units`."
type = number
default = 60
}
and the units:
variable "client_token_validity_units" {
description = "Configuration block for units in which the validity times are represented in. Valid values for the following arguments are: `seconds`, `minutes`, `hours` or `days`."
type = any
default = {
access_token = "hours"
id_token = "hours"
refresh_token = "days"
}
}
60 hours is more than a day, but the documentation (also repeated in the comment) says
Must be between 5 minutes and 1 day. Cannot be greater than refresh token expiration
I suspect the intention was to make this 60 minutes.
App clients > Security configuration > Prevent User Existence Errors:
I set client_prevent_user_existence_errors = "ENABLED"
But the setting is still Legacy. How to make it as Enabled (Recommended)
clients = [
{
allowed_oauth_flows = []
allowed_oauth_flows_user_pool_client = false
allowed_oauth_scopes = []
callback_urls = ["https://portal-test-oregon/callback"]
default_redirect_uri = "https://portal-test-oregon/callback"
explicit_auth_flows = ["ALLOW_ADMIN_USER_PASSWORD_AUTH", "ALLOW_CUSTOM_AUTH", "ALLOW_USER_PASSWORD_AUTH", "ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"]
generate_secret = true
client_prevent_user_existence_errors = "ENABLED"
logout_urls = ["https://portal-test.oregon"]
client_allowed_oauth_scopes = ["email", "openid", "profile", "aws.cognito.signin.user.admin"]
client_allowed_oauth_flows = ["code", "implicit"]
name = "nebula"
read_attributes = ["email"]
supported_identity_providers = ["COGNITO"]
write_attributes = []
access_token_validity = 1
id_token_validity = 1
refresh_token_validity = 30
token_validity_units = {
access_token = "days"
id_token = "days"
refresh_token = "days"
}
}
Cannot use terraform import with module it always forces replacement.
If i remove this line: username_configuration { case_sensitive = var.case_sensitive } from main.tf it works fine.
Hi there, I've been working with your module for over a month and am all of a sudden getting an 'unsupported attribute' error on admin_create_user_config.0.unused_account_validity_days
Does this have anything to do with AWS having deprecated that attribute?
Thanks!
User pools, like databases are a critical infrastructure resource. Because of that it would be only reasonable to have an option to prevent it from being accidentally destroyed by terraform (and uncautions users).
One way to achieve this would be to add the prevent_destroy lifecycle argument to the user pool:
resource "aws_cognito_user_pool" "pool" {
# ...
lifecycle {
prevent_destroy = var.prevent_destroy
}
}It would be great if this module could offer this feature.
Adding a new entry to schemas or string_schemas is not recognised. Output: No changes. Infrastructure is up-to-date.
If I rename the user_pool_name the changes list the new attributes.
module "aws_cognito_user_pool_qrcg_users" {
source = "lgallard/cognito-user-pool/aws"
user_pool_name = "qrcg-users"
auto_verified_attributes = ["email"]
username_attributes = ["email"]
admin_create_user_config_allow_admin_create_user_only = false
domain = "qrcg-auth-service"
email_configuration = {
email_sending_account = "DEVELOPER"
reply_to_email_address = var.cognito_sender_email_email
source_arn = var.cognito_sender_email_arn
from_email_address = "${var.cognito_sender_email_name} <${var.cognito_sender_email_email}>"
}
client_allowed_oauth_flows = ["code", "implicit"]
client_allowed_oauth_flows_user_pool_client = true
client_allowed_oauth_scopes = ["email", "openid", "profile"]
client_callback_urls = ["${module.app.app_url}/", "http://localhost:3000/"]
client_default_redirect_uri = "${module.app.app_url}/"
client_generate_secret = false
client_logout_urls = ["${module.app.app_url}/logout", "http://localhost:3000/"]
client_name = var.app_name
client_refresh_token_validity = 60
client_supported_identity_providers = ["Google"]
client_prevent_user_existence_errors = "ENABLED"
client_write_attributes = ["email"]
client_read_attributes = ["email"]
lambda_config_custom_message = module.lambda_cognito_custom_message_hook.this_lambda_function_arn
schemas = [
// This one is new
{
attribute_data_type = "Boolean"
developer_only_attribute = true
mutable = true
name = "xyz-abc"
required = false
}
]
string_schemas = [
{
attribute_data_type = "String"
developer_only_attribute = false
mutable = true
name = "email"
required = true
string_attribute_constraints = {
min_length = 4
max_length = 500
}
},
// This one is also new
{
attribute_data_type = "String"
developer_only_attribute = false
mutable = true
name = "industry"
required = false
string_attribute_constraints = {
min_length = 0
max_length = 10
}
}
]
recovery_mechanisms = [
{
name = "verified_email"
priority = 1
},
]
}
I am trying to include custom attributes in the main.tf file. But I am not able to do and it is not there in documentation. Is there any way to include custom attributes ?
Code:
module "userpool" {
source = "lgallard/cognito-user-pool/aws"
user_pool_name = "test"
domain = "test"
custom_attributes = "" <--- How to include custom_attributes?
admin_create_user_config = {
allow_admin_create_user_only = false
}
clients = [
{
"name" = "test-client"
}
]
}
I ran into this issue today, whereby cognito cannot execute lambda functions deployed only by terraform. Submitted this PR as a work-around. Let me know your thoughts.
The email configuration options for verification message customisation only accept email_message_by_link and email_subject_by_link. This means you cannot customise the email subject and message when using CONFIRM_BY_CODE type.
It would be good to also accept email_message and email_subject parameters so the verification message when using CONFIRM_BY_CODE could also be set.
Hi guys, I just want to switch the option to this one:
Email address or phone number - Users can use an email address or phone number as their "username" to sign up and sign in.
So, which set up in your code could do that?
Image: https://prnt.sc/xve7mq
Thanks,
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.