From f8e23ac8311d8d3b2311cc255995d5ff39e34d34 Mon Sep 17 00:00:00 2001 From: Michal Schott Date: Sat, 11 Jan 2020 17:50:09 +0100 Subject: [PATCH] Adding support for password_policy.temporary_password_validity_days --- aws/resource_aws_cognito_user_pool.go | 16 ++++++++++ aws/resource_aws_cognito_user_pool_test.go | 34 +++++++++++++++------- aws/structure.go | 8 +++++ website/docs/r/cognito_user_pool.markdown | 3 +- 4 files changed, 50 insertions(+), 11 deletions(-) diff --git a/aws/resource_aws_cognito_user_pool.go b/aws/resource_aws_cognito_user_pool.go index 5ff1ac273ab..b9281466d74 100644 --- a/aws/resource_aws_cognito_user_pool.go +++ b/aws/resource_aws_cognito_user_pool.go @@ -68,6 +68,7 @@ func resourceAwsCognitoUserPool() *schema.Resource { Type: schema.TypeInt, Optional: true, Default: 7, + Deprecated: "Use password_policy.temporary_password_validity_days instead", ValidateFunc: validation.IntBetween(0, 90), }, }, @@ -295,6 +296,11 @@ func resourceAwsCognitoUserPool() *schema.Resource { Type: schema.TypeBool, Optional: true, }, + "temporary_password_validity_days": { + Type: schema.TypeInt, + Optional: true, + ValidateFunc: validation.IntBetween(0, 365), + }, }, }, }, @@ -672,6 +678,11 @@ func resourceAwsCognitoUserPoolCreate(d *schema.ResourceData, meta interface{}) log.Printf("[DEBUG] Received %s, retrying CreateUserPool", err) return resource.RetryableError(err) } + if isAWSErr(err, cognitoidentityprovider.ErrCodeInvalidParameterException, "Please use TemporaryPasswordValidityDays in PasswordPolicy instead of UnusedAccountValidityDays") { + log.Printf("[DEBUG] Received %s, retrying UpdateUserPool without UnusedAccountValidityDays", err) + params.AdminCreateUserConfig.UnusedAccountValidityDays = nil + return resource.RetryableError(err) + } return resource.NonRetryableError(err) }) 
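Review bot: In the `@@ -68` hunk, `Deprecated` is added to `unused_account_validity_days` while `Default: 7` stays on the line above it. The attribute is therefore presumably still populated, and sent as `UnusedAccountValidityDays`, for every `admin_create_user_config` block, even when the user never wrote it. A user who moves to the new password-policy setting then has no way to express "unset" for the legacy one. Consider replacing `Default: 7,` with `Computed: true,` so the legacy value is only sent when it is explicitly configured. The enclosing schema map starts and ends outside the hunk.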
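Review bot: In the `@@ -295` hunk, `temporary_password_validity_days` is declared without any schema-level exclusion, although the retry blocks added in Create and Update show the service rejecting it together with `UnusedAccountValidityDays`. Declaring the clash up front, e.g. `ConflictsWith: []string{"admin_create_user_config.0.unused_account_validity_days"},`, would fail at plan time instead of after a rejected API call. This only helps if the legacy attribute no longer carries `Default: 7`. The lifetime of an admin-issued temporary password is a security setting, so which of the two values wins should be explicit rather than decided by a fallback.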
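Review bot: In the `@@ -672` hunk (Create path), the new log line says `retrying UpdateUserPool`, which looks copied from the Update function and will mislead anyone reading the debug output. It should read `log.Printf("[DEBUG] Received %s, retrying CreateUserPool without UnusedAccountValidityDays", err)`. The branch also matches on the full English text of the service error, so a wording change upstream would turn the fallback into a hard failure. It clears `params.AdminCreateUserConfig.UnusedAccountValidityDays` without telling the user that a configured value was dropped, which a `[WARN]` level message would make visible. The same block is added in resourceAwsCognitoUserPoolUpdate (the `@@ -948` hunk), and both retry closures begin outside the hunks.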
@@ -948,6 +959,11 @@ func resourceAwsCognitoUserPoolUpdate(d *schema.ResourceData, meta interface{}) log.Printf("[DEBUG] Received %s, retrying UpdateUserPool", err) return resource.RetryableError(err) } + if isAWSErr(err, cognitoidentityprovider.ErrCodeInvalidParameterException, "Please use TemporaryPasswordValidityDays in PasswordPolicy instead of UnusedAccountValidityDays") { + log.Printf("[DEBUG] Received %s, retrying UpdateUserPool without UnusedAccountValidityDays", err) + params.AdminCreateUserConfig.UnusedAccountValidityDays = nil + return resource.RetryableError(err) + } return resource.NonRetryableError(err) }) diff --git a/aws/resource_aws_cognito_user_pool_test.go b/aws/resource_aws_cognito_user_pool_test.go index c4224b25083..ba0f8f20c14 100644 --- a/aws/resource_aws_cognito_user_pool_test.go +++ b/aws/resource_aws_cognito_user_pool_test.go @@ -484,6 +484,7 @@ func TestAccAWSCognitoUserPool_withPasswordPolicy(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "password_policy.0.require_numbers", "false"), resource.TestCheckResourceAttr(resourceName, "password_policy.0.require_symbols", "true"), resource.TestCheckResourceAttr(resourceName, "password_policy.0.require_uppercase", "false"), + resource.TestCheckResourceAttr(resourceName, "password_policy.0.temporary_password_validity_days", "7"), ), }, { @@ -500,6 +501,7 @@ func TestAccAWSCognitoUserPool_withPasswordPolicy(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "password_policy.0.require_numbers", "true"), resource.TestCheckResourceAttr(resourceName, "password_policy.0.require_symbols", "false"), resource.TestCheckResourceAttr(resourceName, "password_policy.0.require_uppercase", "true"), + resource.TestCheckResourceAttr(resourceName, "password_policy.0.temporary_password_validity_days", "14"), ), }, }, 
@@ -872,6 +874,11 @@ resource "aws_cognito_user_pool" "test" { sms_message = "Your username is {username} and temporary password is {####}." } } + + password_policy { + minimum_length = 6 + temporary_password_validity_days = 6 + } } `, name) } @@ -891,6 +898,11 @@ resource "aws_cognito_user_pool" "test" { sms_message = "Your username is {username} and constant password is {####}." } } + + password_policy { + minimum_length = 6 + temporary_password_validity_days = 7 + } } `, name) } @@ -1086,11 +1098,12 @@ resource "aws_cognito_user_pool" "test" { name = "terraform-test-pool-%s" password_policy { - minimum_length = 7 - require_lowercase = true - require_numbers = false - require_symbols = true - require_uppercase = false + minimum_length = 7 + require_lowercase = true + require_numbers = false + require_symbols = true + require_uppercase = false + temporary_password_validity_days = 7 } } `, name) @@ -1102,11 +1115,12 @@ resource "aws_cognito_user_pool" "test" { name = "terraform-test-pool-%s" password_policy { - minimum_length = 9 - require_lowercase = false - require_numbers = true - require_symbols = false - require_uppercase = true + minimum_length = 9 + require_lowercase = false + require_numbers = true + require_symbols = false + require_uppercase = true + temporary_password_validity_days = 14 } } `, name) diff --git a/aws/structure.go b/aws/structure.go index 69c32f9c069..2dd25a14623 100644 --- a/aws/structure.go +++ b/aws/structure.go @@ -2721,6 +2721,10 @@ func expandCognitoUserPoolPasswordPolicy(config map[string]interface{}) *cognito configs.RequireUppercase = aws.Bool(v.(bool)) } + if v, ok := config["temporary_password_validity_days"]; ok { + configs.TemporaryPasswordValidityDays = aws.Int64(int64(v.(int))) + } + return configs } 
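Review bot: In the `aws/structure.go` `@@ -2721` hunk, the `ok` test on `config["temporary_password_validity_days"]` cannot tell an omitted attribute from an explicit 0. If this map is built from the `password_policy` schema block, an unset TypeInt is presumably present as 0, so every pool with a password policy would send `TemporaryPasswordValidityDays: 0`. Because this value bounds how long an admin-issued temporary password stays usable, please confirm what the service does with 0. Then either guard the assignment, e.g. `if v, ok := config["temporary_password_validity_days"].(int); ok && v > 0 {`, or add a comment stating that 0 is intentionally forwarded. The function body starts outside the hunk.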
@@ -2993,6 +2997,10 @@ func flattenCognitoUserPoolPasswordPolicy(s *cognitoidentityprovider.PasswordPol m["require_uppercase"] = *s.RequireUppercase } + if s.TemporaryPasswordValidityDays != nil { + m["temporary_password_validity_days"] = *s.TemporaryPasswordValidityDays + } + if len(m) > 0 { return []map[string]interface{}{m} } diff --git a/website/docs/r/cognito_user_pool.markdown b/website/docs/r/cognito_user_pool.markdown index 8fc7844945a..52d8a328775 100644 --- a/website/docs/r/cognito_user_pool.markdown +++ b/website/docs/r/cognito_user_pool.markdown @@ -48,7 +48,7 @@ The following arguments are supported: * `allow_admin_create_user_only` (Optional) - Set to True if only the administrator is allowed to create user profiles. Set to False if users can sign themselves up via an app. * `invite_message_template` (Optional) - The [invite message template structure](#invite-message-template). - * `unused_account_validity_days` (Optional) - The user account expiration limit, in days, after which the account is no longer usable. + * `unused_account_validity_days` (Optional) - **DEPRECATED** Use password_policy.temporary_password_validity_days instead - The user account expiration limit, in days, after which the account is no longer usable. ##### Invite Message template @@ -87,6 +87,7 @@ The following arguments are supported: * `require_numbers` (Optional) - Whether you have required users to use at least one number in their password. * `require_symbols` (Optional) - Whether you have required users to use at least one symbol in their password. * `require_uppercase` (Optional) - Whether you have required users to use at least one uppercase letter in their password. + * `temporary_password_validity_days` (Optional) - In the password policy you have set, refers to the number of days a temporary password is valid. If the user does not sign-in during this time, their password will need to be reset by an administrator. #### Schema Attributes