hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Cognito is not applying a valid configurations after a manual change in a Cognito User Pool App Client. #30433

Closed miguelconde91 closed 1 year ago

miguelconde91 commented 1 year ago

Terraform Core Version

1.3.7 & 1.4.4

AWS Provider Version

4.48 & 4.61

Affected Resource(s)

Two days ago I manually updated the token durations in my app client in a Cognito User Pool for a test. Today a new deployment with new features in another module raised this error in the app client (I just expected a restore to the previous value, the one defined in Terraform):

Error: updating Cognito User Pool Client (4q1snamhmllsorih1d6jetoum0)
with module.cognito.aws_cognito_user_pool_client.userpool_client_bt-app
on modules/cognito-module/cognito.tf line 165, in resource "aws_cognito_user_pool_client" "userpool_client_bt-app":
resource "aws_cognito_user_pool_client" "userpool_client_bt-app" {
InvalidParameterException: Invalid range for token validity.

This happens without any change in my Cognito module. Initially I was using Terraform Core 1.3.7 with AWS provider 4.58; I updated to Terraform Core 1.4.4 and AWS provider 4.61, and the error persists.

Initially the code was:

resource "aws_cognito_user_pool_client" "userpool_client_bt-app" {
  name                                 = "client-app-bt-app-${var.environment}"
  user_pool_id                         = aws_cognito_user_pool.bt-app.id
  supported_identity_providers         = ["COGNITO"]
  explicit_auth_flows                  = [ "ALLOW_CUSTOM_AUTH", "ALLOW_REFRESH_TOKEN_AUTH", "ALLOW_USER_PASSWORD_AUTH" ]
  generate_secret                      = false
  read_attributes                      = [ "email", "phone_number" ]
  id_token_validity                    = 24
  access_token_validity                = 24
  refresh_token_validity               = 30
  enable_token_revocation              = true
}

Then I saw in the terraform plan output that the attribute would be updated from 1 to 24, and I thought, well, maybe the time unit changed from hours to days, and 24 days is out of range for the ID token and access token, so I updated the values:

resource "aws_cognito_user_pool_client" "userpool_client_bt-app" {
  name                                 = "client-app-bt-app-${var.environment}"
  user_pool_id                         = aws_cognito_user_pool.bt-app.id
  supported_identity_providers         = ["COGNITO"]
  explicit_auth_flows                  = [ "ALLOW_CUSTOM_AUTH", "ALLOW_REFRESH_TOKEN_AUTH", "ALLOW_USER_PASSWORD_AUTH" ]
  generate_secret                      = false
  read_attributes                      = [ "email", "phone_number" ]
  id_token_validity                    = 5
  access_token_validity                = 5
  refresh_token_validity               = 30
  enable_token_revocation              = true
}

However now my error is:

Error: Provider produced inconsistent result after apply
When applying changes to module.cognito.aws_cognito_user_pool_client.userpool_client_bt-app, provider "provider[\"registry.terraform.io/hashicorp/aws\"]" produced an unexpected new value: .token_validity_units: block count changed from 0 to 1.

This is a bug in the provider, which should be reported in the provider's own issue tracker.

Expected Behavior

Execute terraform apply and update my app client with the current values in my terraform files.

Actual Behavior

Fails with message

Error: Provider produced inconsistent result after apply
When applying changes to module.cognito.aws_cognito_user_pool_client.userpool_client_bt-app, provider "provider[\"registry.terraform.io/hashicorp/aws\"]" produced an unexpected new value: .token_validity_units: block count changed from 0 to 1.

This is a bug in the provider, which should be reported in the provider's own issue tracker.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_cognito_user_pool" "bt-app" {
  name = "lolo-app-users-${var.environment}"
  username_attributes = [ "phone_number" ]
  auto_verified_attributes = [ "phone_number" ]
  mfa_configuration = "OPTIONAL"
  email_configuration {
    email_sending_account = "DEVELOPER"
    from_email_address = "lolo Notifications <notifications@lolo.lolo>"
    source_arn = "arn:aws:ses:us-east-1:111111111111:identity/lolo.lolo"
  }
  verification_message_template {
    default_email_option = "CONFIRM_WITH_CODE"
    email_subject = "Verification code from lolo"
    email_message = "Your verification code is {####}"
  }
  admin_create_user_config {
    allow_admin_create_user_only = false
    invite_message_template {
      email_message = "This is an invitation from lolo for you. Please login using {username} with password {####}"
      email_subject = "Invite notification"
      sms_message = "Please login in lolo using {username} with password {####}"
    }
  }
  sms_configuration {
    external_id = "f23111111-defd-4f18-bbc5-1j1j1j1j1j1j1j1j"
    sns_caller_arn = "arn:aws:iam::111111111111:role/service-role/sms-role-cognito"
  }
  sms_authentication_message = "This is your lolo code: {####}"
  #lambda_config {
  #  define_auth_challenge = var.otp_definition_arn
  #  create_auth_challenge = var.otp_creation_arn
  #  verify_auth_challenge_response = var.otp_verification_arn
  #}
  schema {
    attribute_data_type      = "Boolean"
    developer_only_attribute = false
    mutable                  = true
    name                     = "Auth_Completed"
    required                 = false
  }
  schema {
    attribute_data_type      = "Boolean"
    developer_only_attribute = false
    mutable                  = true
    name                     = "Email_2FA_Enabled"
    required                 = false
  }
  schema {
    attribute_data_type      = "String"
    developer_only_attribute = false
    mutable                  = true
    name                     = "DNS_Verification"
    required                 = false
    string_attribute_constraints {
      min_length = 0
      max_length = 2048
    }
  }
  schema {
    attribute_data_type      = "String"
    developer_only_attribute = false
    mutable                  = true
    name                     = "Long_Time_Token1"
    required                 = false
    string_attribute_constraints {
      min_length = 0
      max_length = 2048
    }
  }
  schema {
    attribute_data_type      = "String"
    developer_only_attribute = false
    mutable                  = true
    name                     = "Long_Time_Token2"
    required                 = false
    string_attribute_constraints {
      min_length = 0
      max_length = 2048
    }
  }
  tags   = merge(var.tags_cognito)
}

resource "aws_cognito_user_pool_client" "userpool_client_bt-app" {
  name                                 = "client-app-bt-app-${var.environment}"
  user_pool_id                         = aws_cognito_user_pool.bt-app.id
  supported_identity_providers         = ["COGNITO"]
  explicit_auth_flows                  = [ "ALLOW_CUSTOM_AUTH", "ALLOW_REFRESH_TOKEN_AUTH", "ALLOW_USER_PASSWORD_AUTH" ]
  generate_secret                      = false
  read_attributes                      = [ "email", "phone_number" ]
  id_token_validity                    = 5
  access_token_validity                = 5
  refresh_token_validity               = 30
  enable_token_revocation              = true
}

Steps to Reproduce

Manually update the token duration in Cognito, then try to restore it with a simple terraform apply.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

ewbankkit commented 1 year ago

Relates https://github.com/hashicorp/terraform-provider-aws/issues/30268.

miguelconde91 commented 1 year ago

Fixed by adding this code section to my aws_cognito_user_pool_client definition:

  token_validity_units {
    id_token                           = "days"
    access_token                       = "days"
    refresh_token                      = "days"
  }

Using aws provider v4.48 and Terraform core v1.4.4

github-actions[bot] commented 1 year ago

This functionality has been released in v4.63.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.