search

lgallard / terraform-aws-cognito-user-pool

Terraform module to create Amazon Cognito User Pools, configure its attributes and resources such as app clients, domain, resource servers. Amazon Cognito User Pools provide a secure user directory that scales to hundreds of millions of users.
Apache License 2.0
89 stars 95 forks source link

device configuration Options are wrong #124

Open xronz opened 9 months ago

xronz commented 9 months ago

https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/448#issuecomment-673222930 https://github.com/lgallard/terraform-aws-cognito-user-pool/blob/8130daedce8faf3f20ae5f18a7f07dc8544f0f09/main.tf#L257


### Due to the above statement assuming that both attributes are false, it is set to both attributes as null. 
### So the option was forced to be set as a "Don’t remember" Option.
### However, the following configuration should be "Always remember", Allow users to bypass MFA for trusted devices "NO"
device_configuration = {
    challenge_required_on_new_device      = false
    device_only_remembered_on_user_prompt = false
}

### These are the following combinations for device configuration:
### 1) "Don’t remember" Option
device_configuration = {
    challenge_required_on_new_device      = null
    device_only_remembered_on_user_prompt = null
}

### 2) "User opt-in", Allows users to bypass MFA for trusted devices "YES"  Option
device_configuration = {
    challenge_required_on_new_device      = true
    device_only_remembered_on_user_prompt = true
}

### 3) "User opt-in", Allows users to bypass MFA for trusted devices "NO"  Option
device_configuration = {
    challenge_required_on_new_device      = false
    device_only_remembered_on_user_prompt = true
}

### 4) "Always remember", Allow users to bypass MFA for trusted devices "NO"  Option
device_configuration = {
    challenge_required_on_new_device      = false
    device_only_remembered_on_user_prompt = false
}

### 5) "Always remember", Allow users to bypass MFA for trusted devices "YES"  Option
device_configuration = {
    challenge_required_on_new_device      = true
    device_only_remembered_on_user_prompt = false
}

### Modify "main.tf" file
### Commented the Line 40 device_configuration
# device_configuration
# dynamic "device_configuration" {
#   for_each = local.device_configuration
#   content {
#     challenge_required_on_new_device      = lookup(device_configuration.value, "challenge_required_on_new_device")
#     device_only_remembered_on_user_prompt = lookup(device_configuration.value, "device_only_remembered_on_user_prompt")
#   }
# }

### Replaced with the following as Hotfix
device_configuration {
    challenge_required_on_new_device      = try(var.device_configuration.challenge_required_on_new_device, null)
    device_only_remembered_on_user_prompt = try(var.device_configuration.device_only_remembered_on_user_prompt, null)
}