hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Cognito pool can't update SMS configuration when phone verification is enabled #28294

Open alnemo opened 1 year ago

alnemo commented 1 year ago

Terraform Core Version

1.2.8

AWS Provider Version

4.46.0

Affected Resource(s)

Expected Behavior

Attempting to create a pool with SMS phone verification and to rotate a random external_id every time it is redeployed, instead of hardcoding one.

Each deploy after the initial one should change the external_id value on the pool and on the policy allowing SMS sending. The external_id is properly updated when a pool only has email as a verified attribute.

Actual Behavior

Modifying the pool configuration fails when phone_number is a verified attribute, with a message stating that SMS configuration is required, but the SMS configuration exists in the file.

Relevant Error/Panic Output Snippet

aws_cognito_user_pool.pool: Modifying... [id=us-east-1_I2634F7rY]
╷
│ Error: error setting Cognito User Pool (us-east-1_I2634F7rY) MFA Configuration: InvalidParameterException: SMS configuration is required when phone_number is selected for auto verification
│
│   with aws_cognito_user_pool.pool,
│   on test.tf line 50, in resource "aws_cognito_user_pool" "pool":
│   50: resource "aws_cognito_user_pool" "pool" {
│

Terraform Configuration Files

provider "aws" {
  region = "us-east-1"
}

# A fresh random value on every plan, so external_id rotates on each apply.
data "aws_secretsmanager_random_password" "external_id" {
  password_length     = 30
  exclude_punctuation = true
  exclude_numbers     = true
}

# Trust policy: only Cognito may assume the role, and only with the current external_id.
data "aws_iam_policy_document" "assume-role-policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["cognito-idp.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"

      values = [
        data.aws_secretsmanager_random_password.external_id.random_password
      ]
    }
  }
}

# Role that Cognito assumes to publish SMS messages through SNS.
# sns:Publish on "*" is broader than the pool needs, but it is what the reproduction uses.
resource "aws_iam_role" "cognito_send_sms" {
  name               = "cognito_pool_can_send_sms"
  assume_role_policy = data.aws_iam_policy_document.assume-role-policy.json

  inline_policy {
    name = "cognito_send_sms"

    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Action   = ["sns:Publish"]
          Effect   = "Allow"
          Resource = "*"
        },
      ]
    })
  }
}

resource "aws_cognito_user_pool" "pool" {
  name                     = "Test-Phone-Verification-TF"
  username_attributes      = ["email"]
  auto_verified_attributes = ["phone_number", "email"]

  # external_id changes on every apply; this in-place update is the one that fails.
  sms_configuration {
    external_id    = data.aws_secretsmanager_random_password.external_id.random_password
    sns_caller_arn = aws_iam_role.cognito_send_sms.arn
  }
}

Steps to Reproduce

Apply the provided Terraform to create the resources, then apply it a second time to trigger an update of external_id.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

github-actions[bot] commented 1 year ago


5t33 commented 11 months ago

Looks like you have to specify

    mfa_configuration          = "OPTIONAL"

for it to apply the change.
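The workaround above, written out as an added example (this is not code from the issue or from the provider): the reporter's pool resource with mfa_configuration set explicitly. It assumes the aws_iam_role.cognito_send_sms role and the aws_secretsmanager_random_password.external_id data source from the reporter's configuration already exist. The error in the report comes from the provider's "MFA Configuration" update step, and OPTIONAL is a real setting change rather than a provider hint: with sms_configuration present it makes SMS MFA available for users of the pool to enrol in, so confirm that is acceptable before adopting it.

```hcl
resource "aws_cognito_user_pool" "pool" {
  name                     = "Test-Phone-Verification-TF"
  username_attributes      = ["email"]
  auto_verified_attributes = ["phone_number", "email"]

  # Explicitly set so the provider includes sms_configuration when it updates
  # the pool's MFA configuration on the second apply. OPTIONAL lets users opt
  # in to SMS MFA; use "OFF" only if you accept that the update fails without it
  # (the behaviour reported in this issue).
  mfa_configuration = "OPTIONAL"

  # Same rotating external_id as the reporter's configuration (assumed to exist).
  sms_configuration {
    external_id    = data.aws_secretsmanager_random_password.external_id.random_password
    sns_caller_arn = aws_iam_role.cognito_send_sms.arn
  }
}
```

Apply once to create the pool, then apply again: the plan should show aws_cognito_user_pool.pool updated in place with the new external_id, and aws_iam_role.cognito_send_sms updated with the matching trust-policy condition, instead of the InvalidParameterException from the report.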

raelga commented 3 months ago

Looks like you have to specify

    mfa_configuration          = "OPTIONAL"

for it to apply the change.

Thanks!