Querstion regarding MFA Token integration

[jaystary]

Hey,

i wanted to clarify regarding the usage of using Cognito with MFA token.

mfa_configuration        = "ON"
allow_software_mfa_token = true

Does this require the block for software_token_mfa_configuration?

software_token_mfa_configuration {
enabled = true
}

If i add this i keep running into:

Error: Unsupported block type Blocks of type "software_token_mfa_configuration" are not expected here.

Is this a version issue with my TF or where might i have to potentially look there to enable this feature?

[mariux]

hi @jaystary,

just checked and our documentation is a tiny bit misleading here (it is a copy&paste of the providers' documentation that missed adjustment)

to clarify:

• allow_software_mfa_token = true adds the software_token_mfa_configuration block and sets enabled=true
• allow_software_mfa_token = false does not add the software_token_mfa_configuration

You do not set the software_token_mfa_configuration block but use allow_software_mfa_token = true instead in the module arguments.

please let me know if this helps you or let me know how I can help you better.

some background information: blocks are not (yet?) supported for modules so blocks are always represented as variables and rendered conditionally in the resource in the code of the module.

[jaystary]

I tried this and despite Cognito setting being set to Required in MFA it still wouldnt trigger the software MFA, in fact it ignored it completly and just let me log in via Email/Password - please see the code snippet (some things are removed though). It works fine for SMS MFA though if i add the SMS configuration block.

module "cognito_user_pool" {
  source  = "mineiros-io/cognito-user-pool/aws"
  version = "~> 0.4.0"

  name = "${local.eks_cluster_name}-userpool"

  allow_admin_create_user_only = true 

  enable_username_case_sensitivity = false
  advanced_security_mode           = "ENFORCED"

  alias_attributes = [
    "email",
    "phone_number"
  ]

  auto_verified_attributes = [
    "email"
  ]

  # If invited by an admin
  invite_email_subject = "..."
  invite_email_message = "...
  invite_sms_message   = "..."

  default_email_option  = "CONFIRM_WITH_LINK"
  email_subject_by_link = "Your Verification Link"
  email_message_by_link = "Please click the link below to verify your email address. {##Verify Email##}."
  sms_message           = "Your verification code is {####}."

  challenge_required_on_new_device      = true
  user_device_tracking                  ="ALWAYS"

  #MFA
  mfa_configuration        = "ON"
  allow_software_mfa_token = true
  sms_authentication_message = "..."

  # Password
  password_minimum_length    = 8
  password_require_lowercase = true
  password_require_numbers   = true
  password_require_uppercase = true
  password_require_symbols   = true
  temporary_password_validity_days = 3

  # App Client
  clients = [...]

}

[mariux]

looks like your code is correct:

when running terraform plan with your configuration I get the following (partial) plan:

  # module.cognito_user_pool.aws_cognito_user_pool.user_pool[0] will be created
  + resource "aws_cognito_user_pool" "user_pool" {

      [...REMOVED..]

      + mfa_configuration          = "ON"

      [...REMOVED..]

      + sms_authentication_message = "Your temporary password is {####}."

      [...REMOVED..]

      + sms_configuration {
           [...REMOVED..]
        }

      + software_token_mfa_configuration {
          + enabled = true
        }

      [...REMOVED..]

which matches what is documented in the provider itself under: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool#enabling-sms-and-software-token-multi-factor-authentication

---

So let's just assume everything is correct on the terraform side... what does your userpool show? is MFA required or optional?

~seems like you can't set it to required if the user pool was created initially with off or optional.~ ~never tried to upgrade it and not sure if this will be a silent fail in the provider.. can validate tomorrow.~ (just tested, you can upgrade via terraform but not via aws console)

can you check the following:

• what is the current state of the cognito pool (e.g. check in AWS console under mfa) is it optional or required?
• did you try to change it to required from being off/optional in the past? (first deploy optional, then changed to required?)

[mariux]

just validated with the settings provided and running aws-cli:

• set cognito pool to require MFA for users
• use TOTP (software token challenge) only
• created a user
• 1st challenge encountered: NEW _PASSWORD
• set a new password
• next challenge encountered: MFA_SETUP

  "ChallengeName": "MFA_SETUP", 
  "ChallengeParameters": {
      "USER_ID_FOR_SRP": "cafffbc3-ffff-ffff-ffff-7ba3fffc92a9", 
      "MFAS_CAN_SETUP": "[\"SOFTWARE_TOKEN_MFA\"]"
  }, 

  so on first login you are forced to set up MFA and can't just continue.

[jaystary]

I did more research on this topic, and i had the misconception that the Totp would be accessible via Cognito hosted UI, but seems i have to integrate an additional Auth flow on top of that (e.g. via Amplify). From your end, my issue is solved. Thanks a lot for the fast reply and the help!