hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: aws_cognito_risk_configuration should require notify_configuration in account_takeover_risk_configuration #28784

Open dlaudams opened 1 year ago

dlaudams commented 1 year ago

Terraform Core Version

1.1.8

AWS Provider Version

4.49.0

Affected Resource(s)

The aws_cognito_risk_configuration resource requires a notify_configuration block in account_takeover_risk_configuration, even when notify is set to false for all actions. I believe this should be optional in these scenarios.

The CloudFormation documentation shows NotifyConfiguration as optional.

The AWS web console allows configuring this without a notification configuration.

resource "aws_cognito_risk_configuration" "risk_configuration" {
  user_pool_id = aws_cognito_user_pool.my_user_pool.id

  account_takeover_risk_configuration {

    actions {
      high_action {
        event_action = "NO_ACTION"
        notify       = false
      }
      medium_action {
        event_action = "NO_ACTION"
        notify       = false
      }
      low_action {
        event_action = "NO_ACTION"
        notify       = false
      }
    }

#    notify_configuration {
#      source_arn = ??? # required even though notify is false for all actions
#    }
  }
}

Expected Behavior

The resource should validate without requiring notify_configuration

Actual Behavior

terraform validate fails with Error: Insufficient notify_configuration blocks

Relevant Error/Panic Output Snippet

│ Error: Insufficient notify_configuration blocks
│
│   on xxx.tf line 122, in resource "aws_cognito_risk_configuration" "risk_configuration":
│  122:   account_takeover_risk_configuration {
│
│ At least 1 "notify_configuration" blocks are required.

Terraform Configuration Files

I don't believe any configuration is needed to reproduce.

Steps to Reproduce

1) Create a terraform.tf template

terraform {
  required_providers {
    aws = {
      version = "4.49.0"
      source  = "hashicorp/aws"
    }
  }
  required_version = ">= 1.0"
}

resource "aws_cognito_user_pool" "pool" {
  name = "pool"
}

resource "aws_cognito_risk_configuration" "risk_configuration" {
  user_pool_id = aws_cognito_user_pool.pool.id

  account_takeover_risk_configuration {
    actions {
      high_action {
        event_action = "NO_ACTION"
        notify       = false
      }
      medium_action {
        event_action = "NO_ACTION"
        notify       = false
      }
      low_action {
        event_action = "NO_ACTION"
        notify       = false
      }
    }

    # notify_configuration {
    #   source_arn = ??? # required even though notify is false for all actions
    # }
  }
}

2) Run terraform init

3) Run terraform validate

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

AWS user guide defines this property as not required:

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoverriskconfigurationtype.html

NotifyConfiguration
The notify configuration used to construct email notifications.

Required: No

Type: NotifyConfigurationType

Update requires: No interruption

Provider has notify_configuration set as required:

https://github.com/hashicorp/terraform-provider-aws/blob/1076f598ee88175e7409c5887edcf87e6cbeab20/internal/service/cognitoidp/risk_configuration.go#L112

Would you like to implement a fix?

None

github-actions[bot] commented 1 year ago

Community Note
