hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Cognito user pools recreated (ie: nuked) after using aws provider v5.33.0 #35401

Open joshlang opened 7 months ago

joshlang commented 7 months ago

Terraform Core Version

1.6.6

AWS Provider Version

5.33.0

Affected Resource(s)

aws_cognito_user_pool

Expected Behavior

Behavior matched previous terraform versions... User pool is NOT deleted & recreated

Actual Behavior

We lost our cognito user pool when 5.33.0 came out and the next pipeline executed.

Every pipeline execution, the user pool is recreated (even with zero changes)

Relevant Error/Panic Output Snippet

# aws_cognito_user_pool.pool must be replaced
+/- resource "aws_cognito_user_pool" "pool" {
      ~ arn                        = "arn:aws:cognito-idp:ca-central-1:178543299566:userpool/ca-central-1_xxxxxxxx" -> (known after apply)
      - auto_verified_attributes   = [] -> null
      ~ creation_date              = "2024-01-19T15:41:41Z" -> (known after apply)
      + custom_domain              = (known after apply)
      + domain                     = (known after apply)
      ~ email_verification_message = <<-EOT
            <html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office">
            ...
            </html>
        EOT -> (known after apply)
      ~ email_verification_subject = "xxx" -> (known after apply)
      ~ endpoint                   = "cognito-idp.ca-central-1.amazonaws.com/ca-central-1_xxxxxxxx" -> (known after apply)
      ~ estimated_number_of_users  = 1 -> (known after apply)
      ~ id                         = "ca-central-1_xxxxxxxx" -> (known after apply)
      ~ last_modified_date         = "2024-01-19T15:41:41Z" -> (known after apply)
        name                       = "xxxxxxxx"
      ~ sms_verification_message   = "Your password reset code is {####}" -> (known after apply)
      - tags                       = {} -> null
      ~ tags_all                   = {} -> (known after apply)
      - username_attributes        = [] -> null
        # (2 unchanged attributes hidden)

      - account_recovery_setting {
          - recovery_mechanism {
              - name     = "verified_email" -> null
              - priority = 1 -> null
            }
          - recovery_mechanism {
              - name     = "verified_phone_number" -> null
              - priority = 2 -> null
            }
        }

      - email_configuration {
          - email_sending_account = "COGNITO_DEFAULT" -> null
        }

      - password_policy {
          - minimum_length                   = 8 -> null
          - require_lowercase                = true -> null
          - require_numbers                  = true -> null
          - require_symbols                  = true -> null
          - require_uppercase                = true -> null
          - temporary_password_validity_days = 7 -> null
        }

      - username_configuration {
          - case_sensitive = true -> null # forces replacement
        }

      ~ verification_message_template {
          + email_message_by_link = (known after apply)
          + email_subject_by_link = (known after apply)
            # (4 unchanged attributes hidden)
        }

        # (1 unchanged block hidden)
    }

Terraform Configuration Files

resource "aws_cognito_user_pool" "pool" {
  name = "${var.repo_name}-cognito-pool"
  admin_create_user_config {
    allow_admin_create_user_only = true
    invite_message_template {
      email_subject = "xxx"
      email_message = data.template_file.invitation_email.rendered
      sms_message   = "xxx"
    }
  }
  verification_message_template {
    email_message = data.template_file.verification_email.rendered
    sms_message   = "xxx"
    email_subject = "xxx"
  }
}

Steps to Reproduce

terraform apply

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

justinretzolk commented 7 months ago

Hey @joshlang 👋 Thank you for taking the time to raise this. I took a quick look and noted that this resource hasn't changed (at least directly) in a while. You mentioned that this didn't happen with previous versions. If you test with 5.32.0, do you see the same behavior now?

I noticed in the logs that you provided that the recreation is happening due to a change in username_configuration.case_sensitive, but that you're not defining that block in the same configuration you provided. Is there a possibility that the case_sensitive setting is being changed outside of Terraform?

If you're able to supply them, debug logging may help whoever ultimately picks up this issue to investigate it further.

AdrienKuhn commented 7 months ago

Hello,

We are noticing the exact same behaviour on the 4.25.0 version. We didn't make any changes on our side. In our case, it's only happening in the ca-central-1 region. us-east-1 and ap-southeast-2 are not affected, for the exact same configuration.

joshlang commented 7 months ago

I'm away from my computer, but I can assure you no changes are made outside Terraform, and the issue did not occur on any previous provider version.


joshlang commented 7 months ago

We are using ca-central-1 as well.


joshlang commented 7 months ago

Also, this problem occurs on a repo with a Cognito user pool block that's completely empty other than providing a name.


thebigbluebox commented 7 months ago

Had this problem yesterday.

Terraform version was 1.4.6 and we had deletion protection enabled, but the logs showed nothing under the plan except that the Cognito user pool had to be deleted.

We updated our Terraform version to 1.7.0 and suddenly the output of the plan was more detailed and contained the reasoning for why the deletion was planned. It showed a discrepancy in the username_configuration, and this missing configuration was what was prompting TF to plan a recreation event.

Updating our original resource to include username_configuration { case_sensitive = true } resolved the issue.

The logs were impossible to understand until we upgraded our Terraform version.

AdrienKuhn commented 7 months ago

We also tried to add

username_configuration {
  case_sensitive = true
}

to the user pool. While it fixes the issue in ca-central-1, it will cause user pools in other regions to be recreated with

+ username_configuration {
  + case_sensitive = true # forces replacement
}

Configuration to reproduce the issue.

resource "aws_cognito_user_pool" "pool_ca" {
    provider = aws.ca
    name = "mypool"
}

resource "aws_cognito_user_pool" "pool_us" {
    provider = aws.us
    name = "mypool"
}

provider "aws" {
    alias  = "ca"
    region = "ca-central-1"
}

provider "aws" {
    alias  = "us"
    region = "us-east-1"
}

terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_cognito_user_pool.pool_ca will be created
  + resource "aws_cognito_user_pool" "pool_ca" {
      + arn                        = (known after apply)
      + creation_date              = (known after apply)
      + custom_domain              = (known after apply)
      + deletion_protection        = "INACTIVE"
      + domain                     = (known after apply)
      + email_verification_message = (known after apply)
      + email_verification_subject = (known after apply)
      + endpoint                   = (known after apply)
      + estimated_number_of_users  = (known after apply)
      + id                         = (known after apply)
      + last_modified_date         = (known after apply)
      + mfa_configuration          = "OFF"
      + name                       = "mypool"
      + sms_verification_message   = (known after apply)
      + tags_all                   = (known after apply)
    }

  # aws_cognito_user_pool.pool_us will be created
  + resource "aws_cognito_user_pool" "pool_us" {
      + arn                        = (known after apply)
      + creation_date              = (known after apply)
      + custom_domain              = (known after apply)
      + deletion_protection        = "INACTIVE"
      + domain                     = (known after apply)
      + email_verification_message = (known after apply)
      + email_verification_subject = (known after apply)
      + endpoint                   = (known after apply)
      + estimated_number_of_users  = (known after apply)
      + id                         = (known after apply)
      + last_modified_date         = (known after apply)
      + mfa_configuration          = "OFF"
      + name                       = "mypool"
      + sms_verification_message   = (known after apply)
      + tags_all                   = (known after apply)
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_cognito_user_pool.pool_ca: Creating...
aws_cognito_user_pool.pool_us: Creating...
aws_cognito_user_pool.pool_ca: Creation complete after 1s [id=ca-central-1_xxxxxxxxx]
aws_cognito_user_pool.pool_us: Creation complete after 1s [id=us-east-1_xxxxxxxxx]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

terraform plan
aws_cognito_user_pool.pool_ca: Refreshing state... [id=ca-central-1_xxxxxxxxx]
aws_cognito_user_pool.pool_us: Refreshing state... [id=us-east-1_xxxxxxxxx]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # aws_cognito_user_pool.pool_ca must be replaced
-/+ resource "aws_cognito_user_pool" "pool_ca" {
      ~ arn                        = "arn:aws:cognito-idp:ca-central-1:123456789012:userpool/ca-central-1_xxxxxxxxx" -> (known after apply)
      # [...]

      - username_configuration {
          - case_sensitive = true -> null # forces replacement
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Adding

username_configuration {
  case_sensitive = true
}

to both pools

terraform plan
aws_cognito_user_pool.pool_ca: Refreshing state... [id=ca-central-1_xxxxxxxxx]
aws_cognito_user_pool.pool_us: Refreshing state... [id=us-east-1_xxxxxxxxx]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # aws_cognito_user_pool.pool_us must be replaced
-/+ resource "aws_cognito_user_pool" "pool_us" {
      ~ arn                        = "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_xxxxxxxxx" -> (known after apply)
      # [...]

      + username_configuration {
          + case_sensitive = true # forces replacement
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

I also noticed the AWS API is returning different info in ca-central-1 and us-east-1

aws cognito-idp describe-user-pool \
  --user-pool-id ca-central-1_xxxxxxxxx \
  --region ca-central-1 | jq .UserPool.UsernameConfiguration
{
  "CaseSensitive": true
}

aws cognito-idp describe-user-pool \
  --user-pool-id us-east-1_xxxxxxxxx \
  --region us-east-1 | jq .UserPool.UsernameConfiguration
null
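
A pipeline gate a defender would want after a report like the one above, as an added example that is not part of this issue or the provider: it reads the JSON form of a saved plan (`terraform plan -out plan.tfplan && terraform show -json plan.tfplan`) and fails the job whenever an aws_cognito_user_pool is scheduled for delete or destroy-and-create, naming the attribute that forced it. The plan fields it relies on (resource_changes, change.actions, change.replace_paths) are assumed from Terraform's JSON plan format, and the embedded plan is constructed to mirror the ca-central-1 plan above.

```python
"""Pipeline gate: fail before apply if a plan would destroy a Cognito user pool."""
import json
import sys

# Added example, not code from this issue or the provider. It consumes the JSON
# that `terraform show -json plan.tfplan` prints and assumes its documented
# fields: resource_changes[].address/.type/.change.actions/.change.replace_paths.
PROTECTED_TYPES = {"aws_cognito_user_pool"}

# Constructed sample plan, trimmed to the fields used, mirroring the plan above:
# pool_ca is replaced because of username_configuration, pool_us is untouched.
SAMPLE_PLAN_JSON = json.dumps({"resource_changes": [
    {"address": "aws_cognito_user_pool.pool_ca", "type": "aws_cognito_user_pool",
     "change": {"actions": ["delete", "create"],
                "replace_paths": [["username_configuration"]]}},
    {"address": "aws_cognito_user_pool.pool_us", "type": "aws_cognito_user_pool",
     "change": {"actions": ["no-op"]}},
]})


def destructive_changes(plan_json, protected=PROTECTED_TYPES):
    """Return [(address, actions, replace_paths)] for every protected resource
    whose planned actions include a delete (plain destroy or destroy/create)."""
    hits = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") not in protected:
            continue
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if "delete" not in actions:
            continue
        # replace_paths names the attribute(s) that forced the replacement,
        # e.g. [["username_configuration"]]; join each path for display.
        paths = [".".join(str(s) for s in p) for p in change.get("replace_paths", [])]
        hits.append((rc["address"], actions, paths))
    return hits


def main(path=None):
    """Exit 1 (block the pipeline) when any protected resource would be deleted."""
    data = open(path).read() if path else SAMPLE_PLAN_JSON
    hits = destructive_changes(data)
    for address, actions, paths in hits:
        print(f"BLOCKED {address}: {'/'.join(actions)} forced by {paths or 'unknown'}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it against the saved plan in CI before `terraform apply`; a non-zero exit stops the job instead of letting a stale provider read take the pool down.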

joshlang commented 7 months ago

Is a fix incoming?

Or do you require us to update all our terraforms to specify username_configuration etc?

If a fix is incoming, any ETA?

It seems that if username_configuration { case_sensitive = ... } is not specified in Terraform, a solution might be to just "leave it alone".

thebigbluebox commented 7 months ago

I just executed a terraform plan, and I believe whatever they did for ca-central-1 was reversed, because my plan is now showing me it requires replacement because of the additional username_configuration.

devintuinstra commented 7 months ago

A problem still exists whereby, if you didn't define a username_configuration { } block in the past, adding any definition now (regardless of whether it matches the existing settings in AWS) will force Terraform to recreate the Cognito pool anew.

maxfielb commented 7 months ago

Ben from Cognito here. The behavior in ca-central-1 that has been described was from a bug fix we were attempting to apply to provide the username_configuration field in more API responses. We have since rolled the change back so behaviors across regions are now back to their previous state as has been noted. We are looking into resolving this issue with Terraform integration.

As for @devintuinstra's comment, yes this is currently the issue. Terraform does not recognize the "existing settings in AWS" when the default value is set.