pulumi / pulumi-aws-native

AWS Native Provider for Pulumi
Apache License 2.0

TemporaryPasswordValidityDays bug when updating Cognito user pool #1256

Open ghferrari opened 6 months ago

ghferrari commented 6 months ago

What happened?

I created an aws-native.cognito.UserPool with the following policies:

import pulumi_aws_native as aws_native

# Password policy for the pool; TemporaryPasswordValidityDays is set explicitly,
# UnusedAccountValidityDays is not used anywhere.
cognito_user_pool = aws_native.cognito.UserPool(
    "MyUserPool",
    policies=aws_native.cognito.UserPoolPoliciesArgs(
        password_policy=aws_native.cognito.UserPoolPasswordPolicyArgs(
            minimum_length=16,
            require_lowercase=True,
            require_numbers=True,
            require_uppercase=True,
            require_symbols=False,
            temporary_password_validity_days=7
        )
    ),
    [...]
)

Later when I attempt to make a trivial update to this user pool, I receive the following error:

aws-native:cognito:UserPool (MyUserPool):
    error: operation UPDATE failed with "InvalidRequest": Please use TemporaryPasswordValidityDays in PasswordPolicy instead of UnusedAccountValidityDays (Service: CognitoIdentityProvider, Status Code: 400, Request ID: XXX

Since my password policy already uses TemporaryPasswordValidityDays, this is a bug.

Example

See above

Output of pulumi about

CLI
Version      3.99.0
Go Version   go1.21.5
Go Compiler  gc

Plugins
NAME        VERSION
aws-native  0.92.0
python      unknown

Host
OS       debian
Version  trixie/sid
Arch     x86_64

This project is written in python: executable='/usr/bin/python3' version='3.11.7'

Current Stack: dappel/agileorca-cognito/testing

TYPE                          URN
pulumi:pulumi:Stack           urn:pulumi:testing::agileorca-cognito::pulumi:pulumi:Stack::agileorca-cognito-testing
pulumi:providers:pulumi       urn:pulumi:testing::agileorca-cognito::pulumi:providers:pulumi::default
pulumi:pulumi:StackReference  urn:pulumi:testing::agileorca-cognito::pulumi:pulumi:StackReference::dappel/agileorca-ses/testing
pulumi:providers:aws-native   urn:pulumi:testing::agileorca-cognito::pulumi:providers:aws-native::default_0_92_0
aws-native:cognito:UserPool   urn:pulumi:testing::agileorca-cognito::aws-native:cognito:UserPool::DappelCognitoUserPool

Found no pending operations associated with testing

Backend
Name           pulumi.com
URL            https://app.pulumi.com/ghferrari
User           ghferrari
Organizations  ghferrari, dappel
Token type     personal

Dependencies:
NAME               VERSION
pip                23.3.2
pulumi-aws-native  0.92.0
setuptools         69.0.3
wheel              0.42.0

Pulumi locates its logs in /tmp by default

Additional context

None


mjeffryes commented 6 months ago

Thanks for filing this @ghferrari; my reading of the error message is actually that it's objecting to setting UnusedAccountValidityDays, not complaining about missing TemporaryPasswordValidityDays. Is there any chance the update you made is modifying UnusedAccountValidityDays or AdminCreateUserConfig?

ghferrari commented 6 months ago

Hi Matt,

My password policy is defined exactly as above and doesn't include UnusedAccountValidityDays at all. So really, there are two mysteries here:

  1. Why is it complaining about TemporaryPasswordValidityDays being absent when it isn't?
  2. Why is it complaining about UnusedAccountValidityDays when I don't define that in my UserPool?

Many thanks for your help - much appreciated.

mjeffryes commented 6 months ago

Thanks for the additional detail @ghferrari.

It's possible that we're sending in a default value somewhere for UnusedAccountValidityDays; it's also possible that the API expects the client to send TemporaryPasswordValidityDays with the update even though it has not changed.

I think our next step to debug will be to try the update from the aws client: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudcontrol/update-resource.html and see if we can figure out what the API expects here.
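The debugging step Matt describes, as an added example that is not part of this issue or of the provider's code: it builds the JSON Patch for a direct Cloud Control UpdateResource call on the user pool (to test whether the API wants TemporaryPasswordValidityDays resent) and scans a resource model for the deprecated UnusedAccountValidityDays key (to test whether a default is being sent). The pool id, the tag used as the "trivial update", and the sample model are constructed placeholders.

```python
import json

# Constructed placeholders: real values come from `aws cloudcontrol get-resource`.
POOL_ID = "us-east-1_EXAMPLEPOOL"
DEPRECATED_KEY = "UnusedAccountValidityDays"
TEMP_DAYS_PATH = "/Policies/PasswordPolicy/TemporaryPasswordValidityDays"

# Constructed sample of a resource model (the ResourceDescription.Properties JSON),
# deliberately carrying the deprecated key so the check below has something to find.
SAMPLE_MODEL = {
    "Policies": {"PasswordPolicy": {"MinimumLength": 16, "TemporaryPasswordValidityDays": 7}},
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False, "UnusedAccountValidityDays": 7},
}


def find_deprecated(obj, path=""):
    """Return JSON-pointer paths at which UnusedAccountValidityDays occurs in a model."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}/{key}"
            if key == DEPRECATED_KEY:
                hits.append(child)
            hits.extend(find_deprecated(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_deprecated(value, f"{path}/{i}"))
    return hits


def build_patch(trivial_change, resend_temp_days=None):
    """RFC 6902 patch for UpdateResource: the properties to change (add works for new
    and existing keys), plus optionally an explicit TemporaryPasswordValidityDays replace."""
    ops = [{"op": "add", "path": p, "value": v} for p, v in trivial_change.items()]
    if resend_temp_days is not None:
        ops.append({"op": "replace", "path": TEMP_DAYS_PATH, "value": resend_temp_days})
    return ops


def update_resource_argv(pool_id, patch):
    """argv for the CLI call from the linked docs; run it and read the raw API reply."""
    return ["aws", "cloudcontrol", "update-resource",
            "--type-name", "AWS::Cognito::UserPool",
            "--identifier", pool_id,
            "--patch-document", json.dumps(patch)]


if __name__ == "__main__":
    print("deprecated key in model at:", find_deprecated(SAMPLE_MODEL))
    patch = build_patch({"/UserPoolTags/env": "testing"}, resend_temp_days=7)
    print(" ".join(update_resource_argv(POOL_ID, patch)))
```

Run the printed command once with and once without the resend to see which variant the API accepts; the get-resource output of the real pool can be fed to find_deprecated in place of the sample.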

johan-communify commented 5 months ago

+1