Comments (5)
I did more research on this topic, and I had the misconception that the TOTP would be accessible via the Cognito hosted UI, but it seems I have to integrate an additional auth flow on top of that (e.g. via Amplify). From your end, my issue is solved. Thanks a lot for the fast reply and the help!
from terraform-aws-cognito-user-pool.
hi @jaystary,
just checked and our documentation is a tiny bit misleading here (it is a copy&paste of the provider's documentation that missed adjustment)
to clarify:
- allow_software_mfa_token = true adds the software_token_mfa_configuration block and sets enabled = true
- allow_software_mfa_token = false does not add the software_token_mfa_configuration block
You do not set the software_token_mfa_configuration block but use allow_software_mfa_token = true instead in the module arguments.
please let me know if this helps you or let me know how I can help you better.
some background information: blocks are not (yet?) supported for modules so blocks are always represented as variables and rendered conditionally in the resource in the code of the module.
from terraform-aws-cognito-user-pool.
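As an added illustration of the pattern the maintainer describes (this is not the module's actual source), a module can expose the provider's nested block as a boolean variable and render the block only when that variable is true; the variable, resource and pool names below are assumptions:

```hcl
# Boolean input standing in for the provider's nested block.
# The module's real variable is allow_software_mfa_token; this is an
# assumed minimal reconstruction, not the module's code.
variable "allow_software_mfa_token" {
  description = "Render software_token_mfa_configuration { enabled = true } when true"
  type        = bool
  default     = false
}

resource "aws_cognito_user_pool" "user_pool" {
  name = "example-userpool" # assumed name

  # "ON" requires users to complete MFA; it needs at least one method
  # (software token and/or SMS) to be configured on the pool.
  mfa_configuration = "ON"

  # A dynamic block with a one-element list renders the block once,
  # an empty list omits it entirely, which is how a block becomes a
  # plain module argument.
  dynamic "software_token_mfa_configuration" {
    for_each = var.allow_software_mfa_token ? [true] : []
    content {
      enabled = true
    }
  }
}
```

With the variable set to true, `terraform plan` shows the `software_token_mfa_configuration { enabled = true }` block in the planned resource, which is the quickest way to confirm the TOTP method is actually being configured on the pool.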
I tried this and despite the Cognito setting being set to Required in MFA it still wouldn't trigger the software MFA, in fact it ignored it completely and just let me log in via Email/Password - please see the code snippet (some things are removed though). It works fine for SMS MFA though if I add the SMS configuration block.
module "cognito_user_pool" {
  source  = "mineiros-io/cognito-user-pool/aws"
  version = "~> 0.4.0"

  name = "${local.eks_cluster_name}-userpool"

  allow_admin_create_user_only     = true
  enable_username_case_sensitivity = false
  advanced_security_mode           = "ENFORCED"

  alias_attributes = [
    "email",
    "phone_number"
  ]
  auto_verified_attributes = [
    "email"
  ]

  # If invited by an admin
  invite_email_subject = "..."
  invite_email_message = "..."
  invite_sms_message   = "..."

  default_email_option  = "CONFIRM_WITH_LINK"
  email_subject_by_link = "Your Verification Link"
  email_message_by_link = "Please click the link below to verify your email address. {##Verify Email##}."
  sms_message           = "Your verification code is {####}."

  challenge_required_on_new_device = true
  user_device_tracking             = "ALWAYS"

  # MFA
  mfa_configuration          = "ON"
  allow_software_mfa_token   = true
  sms_authentication_message = "..."

  # Password
  password_minimum_length         = 8
  password_require_lowercase      = true
  password_require_numbers        = true
  password_require_uppercase      = true
  password_require_symbols        = true
  temporary_password_validity_days = 3

  # App Client
  clients = [...]
}
from terraform-aws-cognito-user-pool.
looks like your code is correct:
when running terraform plan with your configuration I get the following (partial) plan:
  # module.cognito_user_pool.aws_cognito_user_pool.user_pool[0] will be created
  + resource "aws_cognito_user_pool" "user_pool" {
      [...REMOVED..]
      + mfa_configuration          = "ON"
      [...REMOVED..]
      + sms_authentication_message = "Your temporary password is {####}."
      [...REMOVED..]
      + sms_configuration {
          [...REMOVED..]
        }
      + software_token_mfa_configuration {
          + enabled = true
        }
      [...REMOVED..]
which matches what is documented in the provider itself under:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool#enabling-sms-and-software-token-multi-factor-authentication
So let's just assume everything is correct on the terraform side... what does your userpool show? is MFA required or optional?
seems like you can't set it to required if the user pool was created initially with off or optional.
never tried to upgrade it and not sure if this will be a silent fail in the provider.. can validate tomorrow.
(just tested, you can upgrade via terraform but not via aws console)
can you check the following:
- what is the current state of the cognito pool (e.g. check in AWS console under mfa) is it optional or required?
- did you try to change it to required from being off/optional in the past? (first deploy optional, then changed to required?)
from terraform-aws-cognito-user-pool.
just validated with the settings provided and running aws-cli:
- set cognito pool to require MFA for users
- use TOTP (software token challenge) only
- created a user
- 1st challenge encountered: NEW_PASSWORD
- set a new password
- next challenge encountered: MFA_SETUP
  "ChallengeName": "MFA_SETUP",
  "ChallengeParameters": {
    "USER_ID_FOR_SRP": "cafffbc3-ffff-ffff-ffff-7ba3fffc92a9",
    "MFAS_CAN_SETUP": "[\"SOFTWARE_TOKEN_MFA\"]"
  },
so on first login you are forced to set up MFA and can't just continue.
from terraform-aws-cognito-user-pool.