[Bug]: cognito `pre_token_generation_config` reconciliation issue.

[michal-celniak-cko]

Terraform Core Version

1.5.7

AWS Provider Version

5.55.0, 5.60.0

Affected Resource(s)

aws_cognito_user_pool

Expected Behavior

when I remove the pre_token_generation_config block from inside the lambda_config block in the aws_cognito_user_pool resourdce I expect the Pre token generation Lambda trigger to be removed.

Actual Behavior

no changes are detected in the resource during reconciliation on tf plan.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

relevant parts of the aws_cognito_user_pool block

resource "aws_cognito_user_pool" "user_pool" {

 ...

  lambda_config {
    pre_sign_up          = var.enable_pre_signup_trigger ? data.terraform_remote_state.lambdas.outputs.pre_signup.arn : null
    post_authentication  = var.enable_post_authentication_trigger ? data.terraform_remote_state.lambdas.outputs.post_authentication.arn : null
    dynamic "pre_token_generation_config" {
      for_each = var.enable_pre_token_generation_trigger ? [1] : []
      content {
        lambda_arn     = data.terraform_remote_state.lambdas.outputs.pre_token_generation.arn
        lambda_version = "V2_0"
      }
    }
  }

  user_pool_add_ons {
    advanced_security_mode = var.enable_advanced_security_mode ? "ENFORCED" : "OFF"
  }
}

It doesn't look like the other parts of the user pool configuration are relevant to the issue, I believe the problem can be reproduced with any valid user pool configuration. the dynamic block is not required for reproduction, It can be achieved with just adding the block and then removing it/commenting it out.

Steps to Reproduce

1. create an user pool
2. create a valid pre_token_generation lambda
3. add valid pre_sign_up and post_authentication lambdas (we probably need just 1 so that the lambda_config block contains something more than the pre token generation config.
4. set advanced_security_mode to "ENFORCED"
5. set pre_token_generation_config to use the created lambda and set the lambda_version to V2_0
6. TF apply
7. Verify that the actual state matches the intention at this moment.
8. remove the pre_token_generation_config from the lambda_config block.
9. TF plan/apply results in No changes

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.