Open wmhartl opened 5 days ago
Voting for Prioritization
Volunteering to Work on This Issue
This might be an AWS issue given I've replicated the issue via the console also. I've filed a support request with AWS and will follow-up here with the outcome.
This might be an AWS issue given I've replicated the issue via the console also. I've filed a support request with AWS and will follow-up here with the outcome.
This is still occurring, like you mentioned, creating it via AWS console yields the same results of the birthday schema getting set with min_length
of 4.
Did AWS get back to you about this?
This is still occurring, like you mentioned, creating it via AWS console yields the same results of the birthday schema getting set with
min_length
of 4.Did AWS get back to you about this?
Not yet
Support said there was already "an internal ticket to our service team requesting confirmation on this." No ETA at the moment.
@wmhartl, same issue for us.
Any update / solution you have, please let us know.
For the scenario in which you have previously created user pools and terraform tries to update the existing "birthdate" schema, you can stop this via ignore_changes
:
lifecycle {
// temporary workaround for https://github.com/hashicorp/terraform-provider-aws/issues/38197
ignore_changes = [schema]
}
Given that the cognito schemas are immutable anyway, it's not even possible for terraform to apply any changes...
I really don't like that the AWS team is changing the Cognito SchemaAttributes
for birthdate
StringAttributeConstraints
minimum length to 4, as it was previously 10, without considering the production impact.
Currently, Terraform is not aware of the recent changes from AWS regarding Cognito SchemaAttributes
, particularly the birthdate
attribute. This discrepancy will impact the Terraform plan
and apply
processes, as the schema attribute validation will not match.
For example, Terraform will try to match the schema here, but due to the recent changes in AWS Cognito SchemaAttributes
, particularly the birthdate
attribute, the validation will fail as the schema attributes will not align.
Heard from AWS:
Thank you for contacting AWS Customer Support regarding the failure to update the Amazon Cognito User pool via Terraform. We have identified the root cause of the issue, which was due to a code deployment on Monday, July 1, 2024, at 19:00:08 UTC. This code deployment was to support customers who provide only the year (YYYY) as birthdate, but it inadvertently affected customers using Terraform to update user pools.
In the meantime, we recommend creating a new Cognito User pool [1] by explicitly passing the birthdate in the User pool schema and setting the minimum length to 10. This will enable you to create a new User Pool with the default minimum length set to 10.
We are also investigating a permanent resolution to this issue and implementing additional controls to prevent its recurrence. We apologize for the impact this has had on your organization and appreciate your patience as we work to resolve the issue for you.
@wmhartl, 😅..
Basically, they fixed their own bug now and asking us to explicitly address birthdate attribute.. funny..
Once this changes are GA release from AWS. we have to explicitly tell our new user pools backward compatibility
schema: [{name="birthdate",attribute_data_type="String",mutable=true,required=false,min=10,max=10}]
Terraform Core Version
1.9.0
AWS Provider Version
5.56.1
Affected Resource(s)
aws_cognito_user_pool
Expected Behavior
Up until some point recently, this worked fine, resulting in a user pool with the appropriate birthdate:
shows in SchemaAttributes:
Actual Behavior
Now what's happening when a new user pool is created, birthdate
MinLength
appears to be set incorrectly at 4, when it should be 10 per the spec:Relevant Error/Panic Output Snippet
Terraform Configuration Files
Steps to Reproduce
terraform apply
with no changes requiredDeleting and recreating the pool does not solve the issue
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
Cognito Developer Guide references the OpenID Connect Spec which calls for a 10 digit birthdate "YYYY-MM-DD" per ISO 8601-1.
Would you like to implement a fix?
None