resource/cognito_user_pool change unexpected attributes every apply

[atsushi-ishibashi]

@Ninir @radeksimko @bflad (Sorry for mentioning, but we have a serious problem with this bug🙇)
Maybe Related: #3009

Problem

Everytime you apply, aws_cognito_user_pool.auto_verified_attributes was removed.

Reason

cognitoidentityprovider.UpdateUserPoolInput seems to require every param if it doesn't change. So the current updates with nil and aws updates user pool with default value.
(The below example is about MfaConfiguration )

upinput := &cognitoidentityprovider.UpdateUserPoolInput{
	UserPoolId:             aws.String("user_pool_id"),
	AutoVerifiedAttributes: []*string{aws.String("email")},
	MfaConfiguration:       aws.String("OPTIONAL"),
}
_, err := svc.UpdateUserPool(upinput)
if err != nil {
	fmt.Println(err)
}
descinput := &cognitoidentityprovider.DescribeUserPoolInput{
	UserPoolId: aws.String("user_pool_id"),
}
descresp, err := svc.DescribeUserPool(descinput)
fmt.Println("AutoVerifiedAttributes: ", *descresp.UserPool.AutoVerifiedAttributes[0])
fmt.Println("MfaConfiguration: ", *descresp.UserPool.MfaConfiguration)

//console log
AutoVerifiedAttributes:  email
MfaConfiguration:  OPTIONAL

next update the same user pool

upinput := &cognitoidentityprovider.UpdateUserPoolInput{
	UserPoolId:             aws.String("user_pool_id"),
	AutoVerifiedAttributes: []*string{aws.String("email")},
}
_, err := svc.UpdateUserPool(upinput)
if err != nil {
	fmt.Println(err)
}
descinput := &cognitoidentityprovider.DescribeUserPoolInput{
	UserPoolId: aws.String("user_pool_id"),
}
descresp, err := svc.DescribeUserPool(descinput)
fmt.Println("AutoVerifiedAttributes: ", *descresp.UserPool.AutoVerifiedAttributes[0])
fmt.Println("MfaConfiguration: ", *descresp.UserPool.MfaConfiguration)

//console log
AutoVerifiedAttributes:  email
MfaConfiguration:  OFF

By filtering HasChange, every apply change the real resource.
So far I couldn't confirm which params work in the same way...

And I couldn't understand why acceptance test catch this one 🤔 The behavior of aws has changed??

The cause may be go-sdk?

PS:

The cause may be go-sdk?

cli works the same.

And I couldn't understand why acceptance test catch this one

Because only attributes which changed were checked.

[atsushi-ishibashi]

auto_verified_attributes example

upinput := &cognitoidentityprovider.UpdateUserPoolInput{
	UserPoolId:             aws.String("user_pool_id"),
	AutoVerifiedAttributes: []*string{aws.String("email")},
	MfaConfiguration:       aws.String("OPTIONAL"),
}
_, err := svc.UpdateUserPool(upinput)
if err != nil {
	fmt.Println(err)
}
descinput := &cognitoidentityprovider.DescribeUserPoolInput{
	UserPoolId: aws.String("user_pool_id"),
}
descresp, err := svc.DescribeUserPool(descinput)
if len(descresp.UserPool.AutoVerifiedAttributes) > 0 {
	fmt.Println("AutoVerifiedAttributes: ", *descresp.UserPool.AutoVerifiedAttributes[0])
} else {
	fmt.Println("AutoVerifiedAttributes: null")
}
fmt.Println("MfaConfiguration: ", *descresp.UserPool.MfaConfiguration)

//log
AutoVerifiedAttributes:  email
MfaConfiguration:  OPTIONAL

next

upinput := &cognitoidentityprovider.UpdateUserPoolInput{
	UserPoolId:             aws.String("user_pool_id"),
	MfaConfiguration:       aws.String("OPTIONAL"),
}
_, err := svc.UpdateUserPool(upinput)
if err != nil {
	fmt.Println(err)
}
descinput := &cognitoidentityprovider.DescribeUserPoolInput{
	UserPoolId: aws.String("user_pool_id"),
}
descresp, err := svc.DescribeUserPool(descinput)
if len(descresp.UserPool.AutoVerifiedAttributes) > 0 {
	fmt.Println("AutoVerifiedAttributes: ", *descresp.UserPool.AutoVerifiedAttributes[0])
} else {
	fmt.Println("AutoVerifiedAttributes: null")
}
fmt.Println("MfaConfiguration: ", *descresp.UserPool.MfaConfiguration)

//log
AutoVerifiedAttributes:  null
MfaConfiguration:  OPTIONAL

[atsushi-ishibashi]

According to aws, the behaviour of update-user-pool is a specification.

[radeksimko]

Hey @atsushi-ishibashi
can you provide a repro case with config attached and expected/actual output/outcome?

Thanks.

[atsushi-ishibashi]

@radeksimko Sure👍
At the beginning

resource "aws_cognito_user_pool" "pool" {
  name                     = "mypool"
  auto_verified_attributes = ["email"]
  mfa_configuration        = "OFF"
}

cli output

$ aws cognito-idp describe-user-pool --user-pool-id hogehoge --query 'UserPool.MfaConfiguration' 
"OFF"
$ aws cognito-idp describe-user-pool --user-pool-id hogehoge --query 'UserPool.AutoVerifiedAttributes'
[
    "email"
]

Next update tf and apply.

resource "aws_cognito_user_pool" "pool" {
  name                     = "mypool"
  auto_verified_attributes = ["email"]
  mfa_configuration        = "OPTIONAL"
}

cli output

$ aws cognito-idp describe-user-pool --user-pool-id hogehoge --query 'UserPool.MfaConfiguration' 
"OFF"
$ aws cognito-idp describe-user-pool --user-pool-id hogehoge --query 'UserPool.AutoVerifiedAttributes'
null

Expected Outcome

Only MfaConfiguration changed.
AutoVerifiedAttributes remained ["email"]

Actual

AutoVerifiedAttributes changed

[bflad]

The fix to properly pass all defined attributes during update of aws_cognito_user_pool has been merged and will release with version 1.32.0 of the AWS provider, likely middle of next week.

[bflad]

This has been released in version 1.32.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!