hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: aws_cognito_user_pool being created with non-standard birthdate schema #38197

Open wmhartl opened 5 days ago

wmhartl commented 5 days ago

Terraform Core Version

1.9.0

AWS Provider Version

5.56.1

Affected Resource(s)

aws_cognito_user_pool

Expected Behavior

Up until some point recently, this worked fine, resulting in a user pool with the appropriate birthdate:

aws cognito-idp describe-user-pool --user-pool-id <redacted>

shows in SchemaAttributes:

            {
                "Name": "birthdate",
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Required": false,
                "StringAttributeConstraints": {
                    "MinLength": "10",
                    "MaxLength": "10"
                }
            },

Actual Behavior

Now, when a new user pool is created, the birthdate MinLength appears to be set incorrectly at 4, when it should be 10 per the spec:

            {
                "Name": "birthdate",
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Required": false,
                "StringAttributeConstraints": {
                    "MinLength": "4",
                    "MaxLength": "10"
                }
            },

Relevant Error/Panic Output Snippet

~ resource "aws_cognito_user_pool" "pool" {
        id                         = "<redacted>"
        name                       = "<redacted>"
        tags                       = {}
        # (16 unchanged attributes hidden)

      - schema {
          - attribute_data_type      = "String" -> null
          - developer_only_attribute = false -> null
          - mutable                  = true -> null
          - name                     = "birthdate" -> null
          - required                 = false -> null

          - string_attribute_constraints {
              - max_length = "10" -> null
              - min_length = "4" -> null
            }
        }

        # (10 unchanged blocks hidden)
    }
╷
│ Error: updating Cognito User Pool (<redacted>): cannot modify or remove schema items
│ 
│   with module.<redacted>,
│   on <redacted> line 19, in resource "aws_cognito_user_pool" "pool":
│   19: resource "aws_cognito_user_pool" "pool" {

Terraform Configuration Files

resource "aws_cognito_user_pool" "pool" {
  name = "<redacted>"
  auto_verified_attributes = [
    "email",
  ]

  mfa_configuration = "OPTIONAL"
  sms_authentication_message = "Your authentication code is {####}."

  account_recovery_setting {
    recovery_mechanism {
      name     = "verified_email"
      priority = 1
    }
    recovery_mechanism {
      name     = "verified_phone_number"
      priority = 2
    }
  }

  email_configuration {
    ...
  }

  lambda_config {
    custom_message = data.aws_lambda_function.custom_email_responses.arn
  }

  schema {
    attribute_data_type      = "String"
    developer_only_attribute = false
    mutable                  = true
    name                     = "email"
    required                 = true

    string_attribute_constraints {
      max_length = "2048"
      min_length = "0"
    }
  }

  sms_configuration {
    external_id    = data.aws_iam_role.cognito_sms.name
    sns_caller_arn = data.aws_iam_role.cognito_sms.arn
  }

  software_token_mfa_configuration {
    enabled = true
  }

  username_configuration {
    case_sensitive = false
  }

  password_policy {
    minimum_length                   = 16
    require_lowercase                = true
    require_numbers                  = true
    require_symbols                  = true
    require_uppercase                = true
    temporary_password_validity_days = 7
  }
}

Steps to Reproduce

terraform apply with no changes required

Deleting and recreating the pool does not solve the issue

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

Cognito Developer Guide references the OpenID Connect Spec which calls for a 10 digit birthdate "YYYY-MM-DD" per ISO 8601-1.

Would you like to implement a fix?

None

github-actions[bot] commented 5 days ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

wmhartl commented 5 days ago

This might be an AWS issue given I've replicated the issue via the console also. I've filed a support request with AWS and will follow-up here with the outcome.

jamie1911 commented 4 days ago

> This might be an AWS issue given I've replicated the issue via the console also. I've filed a support request with AWS and will follow-up here with the outcome.

This is still occurring, like you mentioned, creating it via AWS console yields the same results of the birthday schema getting set with min_length of 4.

Did AWS get back to you about this?

wmhartl commented 4 days ago

> This is still occurring, like you mentioned, creating it via AWS console yields the same results of the birthday schema getting set with min_length of 4.
>
> Did AWS get back to you about this?

Not yet

wmhartl commented 3 days ago

Support said there was already "an internal ticket to our service team requesting confirmation on this." No ETA at the moment.

hanoj-budime commented 3 days ago

@wmhartl, same issue for us.

Any update / solution you have, please let us know.

dbaggott commented 3 days ago

For the scenario in which you have previously created user pools and terraform tries to update the existing "birthdate" schema, you can stop this via ignore_changes:

lifecycle {
  // temporary workaround for https://github.com/hashicorp/terraform-provider-aws/issues/38197
  ignore_changes = [schema]
}

Given that the cognito schemas are immutable anyway, it's not even possible for terraform to apply any changes...

hanoj-budime commented 2 days ago

I really don't like that the AWS team is changing the Cognito SchemaAttributes for birthdate StringAttributeConstraints minimum length to 4, as it was previously 10, without considering the production impact.

hanoj-budime commented 2 days ago

Currently, Terraform is not aware of the recent changes from AWS regarding Cognito SchemaAttributes, particularly the birthdate attribute. This discrepancy will impact the Terraform plan and apply processes, as the schema attribute validation will not match.

For example, Terraform will try to match the schema here, but due to the recent changes in AWS Cognito SchemaAttributes, particularly the birthdate attribute, the validation will fail as the schema attributes will not align.

https://github.com/hashicorp/terraform-provider-aws/blob/a8bfcb31bceea157fcafc63c284ed7e3c62534ab/internal/service/cognitoidp/user_pool.go#L2038

https://github.com/hashicorp/terraform-provider-aws/blob/a8bfcb31bceea157fcafc63c284ed7e3c62534ab/internal/service/cognitoidp/user_pool.go#L2057-L2067

wmhartl commented 1 day ago

Heard from AWS:

> Thank you for contacting AWS Customer Support regarding the failure to update the Amazon Cognito User pool via Terraform. We have identified the root cause of the issue, which was due to a code deployment on Monday, July 1, 2024, at 19:00:08 UTC. This code deployment was to support customers who provide only the year (YYYY) as birthdate, but it inadvertently affected customers using Terraform to update user pools.
>
> In the meantime, we recommend creating a new Cognito User pool [1] by explicitly passing the birthdate in the User pool schema and setting the minimum length to 10. This will enable you to create a new User Pool with the default minimum length set to 10.
>
> We are also investigating a permanent resolution to this issue and implementing additional controls to prevent its recurrence. We apologize for the impact this has had on your organization and appreciate your patience as we work to resolve the issue for you.

hanoj-budime commented 13 hours ago

@wmhartl, 😅..

Basically, they fixed their own bug now and are asking us to explicitly address the birthdate attribute.. funny..

hanoj-budime commented 10 hours ago

Once these changes are released as GA from AWS, we have to explicitly tell our new user pools about backward compatibility:

schema: [{name="birthdate",attribute_data_type="String",mutable=true,required=false,min=10,max=10}]
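Written out as a full resource block, the AWS recommendation quoted earlier (explicitly pass birthdate with a minimum length of 10 when creating a new pool) and the shorthand in the comment above look like the following. This is an added example, not code from the issue or from the provider; the pool name is a placeholder and the remaining pool settings are left out.

```hcl
# Added example: pin the standard "birthdate" attribute to the
# OpenID Connect YYYY-MM-DD length on a newly created user pool.
resource "aws_cognito_user_pool" "pool" {
  name = "example-pool" # placeholder name

  # Declaring the standard attribute in schema does not create a
  # "custom:" attribute; it only sets the constraints the service
  # applies to the built-in birthdate attribute at pool creation.
  schema {
    attribute_data_type      = "String"
    developer_only_attribute = false
    mutable                  = true
    name                     = "birthdate"
    required                 = false

    string_attribute_constraints {
      min_length = "10"
      max_length = "10"
    }
  }
}
```

Because the service rejects changes to existing schema items (the "cannot modify or remove schema items" error in the issue), this block only takes effect on pools created with it; pools that already exist with MinLength 4 keep the ignore_changes workaround posted earlier in the thread.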