hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Enhancement]: Send email instructions when creating new aws_identitystore_user #28102

Open luislhl opened 1 year ago

luislhl commented 1 year ago

Description

When creating a user in AWS Identity Center through the AWS console, I'm shown an option to send an email with sign up instructions for the new user:


However, when creating a user through the aws_identitystore_user resource there is no such option, and no email is sent by default either.

Affected Resource(s) and/or Data Source(s)

Potential Terraform Configuration

No response

References

No response

Would you like to implement a fix?

No response

luislhl commented 1 year ago

I just found out that there is an option that should be configured in the SSO Instance to solve this: https://docs.aws.amazon.com/console/singlesignon/directory/users-without-pwd

I'm not sure there is a way to set this through Terraform in some resource, though.

But at least there is a way even though this option lies outside the aws_identitystore_user.

selfisch commented 1 year ago

Thanks for the tip @luislhl. That's some kind of workaround, but will not fulfill the wished behavior.

When creating a user by aws_identitystore_user, no invitation email is sent automatically. The user has to actively try to sign in once and is then led to an initial account config wizard.

Better than nothing, but an invitation mail on creation by the Terraform resource would be nice :-).

tonirvega commented 1 year ago

Hello,

we are building a module that provides an easy way to manage users, groups, permission sets... and we are facing this problem. It would be nice if the Terraform module could send the invitation like console provisioning does.

tonirvega commented 1 year ago

> I just found out that there is an option that should be configured in the SSO Instance to solve this: https://docs.aws.amazon.com/console/singlesignon/directory/users-without-pwd
>
> I'm not sure there is a way to set this through Terraform in some resource, though.
>
> But at least there is a way even though this option lies outside the aws_identitystore_user.

I tried this too, but it doesn't work. I have to send the verification email by clicking in the AWS console, which is not the ideal way to automate this kind of provisioning.

luislhl commented 1 year ago

It seems this is a limitation of AWS API itself: https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateUser.html

There is no such option on their API for Terraform to implement in the aws_identitystore_user resource.
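For reference, an added example (not from the issue or the provider docs) of what the resource does expose today: the user's identity attributes and group membership, with no argument for an invitation or verification email. The identity store ID is looked up through the aws_ssoadmin_instances data source; the names and addresses are constructed placeholders.

```hcl
# Look up the Identity Center instance so the identity store ID
# does not have to be hard-coded (assumes one instance in the account).
data "aws_ssoadmin_instances" "this" {}

locals {
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}

# The user is created through the Identity Store CreateUser API.
# Nothing here triggers the "send email instructions" option the
# console offers; the thread confirms the API has no such flag.
resource "aws_identitystore_user" "example" {
  identity_store_id = local.identity_store_id

  display_name = "Jane Doe"            # constructed placeholder
  user_name    = "jane.doe"            # constructed placeholder

  name {
    given_name  = "Jane"
    family_name = "Doe"
  }

  emails {
    value   = "jane.doe@example.com"   # constructed placeholder
    primary = true
  }
}

# Group assignment is managed separately; access is granted via the
# group's permission sets, so no direct assignment to the user is needed.
resource "aws_identitystore_group" "engineers" {
  identity_store_id = local.identity_store_id
  display_name      = "engineers"      # constructed placeholder
}

resource "aws_identitystore_group_membership" "example" {
  identity_store_id = local.identity_store_id
  group_id          = aws_identitystore_group.engineers.group_id
  member_id         = aws_identitystore_user.example.user_id
}
```

After `terraform apply` the user exists in the identity store but, as described above, still has to be verified or reset from the console (or sign in once themselves) before they can use the account.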

MB-MuratBayraktar commented 1 year ago

Hello, any new updates regarding this situation?

hynespm commented 1 year ago

Hi, just following up on this here too, is there any update?

Brave-Robin commented 1 year ago

Hello all, as I see this property is really obligatory for IAM IC. Could you add implementations of this to your plans?

Bubjas commented 1 year ago

Hello! Waiting for changes. Staying online to observe this situation.

quansang commented 11 months ago

Waiting for any updates on this. My trick now is creating all users by Terraform. After that, go to the AWS Console and click the Reset password (also verify) button for each user, because only "Send email verification link" doesn't give them a password.

Poupiman commented 9 months ago

Hi everyone! Do you have some news about this feature? Some tricks to automate this process?

be-aws-architect commented 6 months ago

Chiming in, could really use this feature too. Built a clean automatic deploy flow.. only to have to go in the console and manually click a button..

dsantanu commented 6 months ago

Hi there, doesn't look like there is any update on that yet; does anyone know any workaround to auto-send the instruction email to the users?

dsantanu commented 6 months ago

> I just found out that there is an option that should be configured in the SSO Instance to solve this: https://docs.aws.amazon.com/console/singlesignon/directory/users-without-pwd
>
> I'm not sure there is a way to set this through Terraform in some resource, though.
>
> But at least there is a way even though this option lies outside the aws_identitystore_user.

It definitely doesn't work when users are created by TF, even though it uses the underlying AWS API.

Desh-Deepak-Dhobi commented 5 months ago

It seems it's still not solved.

When the AWS Identity Center (SSO) user is created using the terraform "aws_identitystore_user", it shows "Users must first verify their email address before they can begin to use certain features such as completing email-based two-step verification during sign-in.".


And to solve this I have to use the username manually and the "Forget Password" option to set up a new password and start using the created AWS SSO user.

Is there any solution found?