-
Notifications
You must be signed in to change notification settings - Fork 9.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug]: adding ["COGNITO"]
as supported_identity_providers
triggers deletion of token_validity_units
#34285
Comments
Community NoteVoting for Prioritization
Volunteering to Work on This Issue
|
I can take a look at this |
Not able to reproduce and my state file (with or without Looks like there was a change in 5.24.0 for this, but I wasn't able to reproduce using 5.23.0. Are you updating existing user pool clients made a while ago? Can probably make this backwards compatible.
|
This is my current configuration: resource "aws_cognito_user_pool_client" "grafana" {
name = "grafana-client"
user_pool_id = aws_cognito_user_pool.grafana.id
generate_secret = false
explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH", "ALLOW_ADMIN_USER_PASSWORD_AUTH", "ALLOW_USER_PASSWORD_AUTH"]
token_validity_units {
refresh_token = "days"
access_token = "minutes"
id_token = "minutes"
}
callback_urls = ["http://localhost:3000/login/generic_oauth"]
logout_urls = ["http://localhost:3000/login/generic_oauth"]
allowed_oauth_flows_user_pool_client = true
allowed_oauth_flows = ["code"]
allowed_oauth_scopes = ["openid", "email", "profile"]
supported_identity_providers = ["COGNITO"]
} And if I remove |
Ahh got it I see the issue. I was able to reproduce the error using. token_validity_units {
refresh_token = "days"
access_token = "minutes"
id_token = "minutes"
} The issue is the default units for access_token_validity = 5
id_token_validity = 5
token_validity_units {
refresh_token = "days"
access_token = "minutes"
id_token = "minutes"
} Or use days, hours, hours which is the default.. Not sure this warrants a change since you're editing 1 half of default behavior and the docs do specify the minimum is 5 minutes. |
@jtyrus But I didn't even want to set it in the first place... Since I'm using the defaults, I shouldn't be forced to put that in my Terraform code. |
I wasn't getting an error when I didn't include it. But I'm testing more and it looks like if I remove everything after first defining the units and validity errors still pop up. Which leads me to believe it's a state issue around the validity. |
@garysassano Have a fix I think will work, adding/updating tests now. If you're pressed for time manually adding those fields should work for now, default is. refresh_token_validity = 1
access_token_validity = 24
id_token_validity = 24
token_validity_units {
refresh_token = "days"
access_token = "hours"
id_token = "hours"
} Still wasn't able to repro your original scenario, but if you're creating new user pool clients you don't have to include those. |
Hi. I'm also hitting this issue with terraform 1.7.5 and the aws provider version 5.42.0. I also created the user pool client initially without Subsequent plans or applys show that it wants to remove the
If I apply this, I get an error from AWS:
I hope this can help. |
Terraform Core Version
1.5.0
AWS Provider Version
5.23.0
Affected Resource(s)
aws_cognito_user_pool_client
Expected Behavior
Before:
After:
I expected nothing to happen when executing
terraform apply
.Actual Behavior
Terraform asks me to delete
token_validity_units
, and throws error if I approve.Workaround: add
token_validity_units
to the resource configuration even if you don't need to change default values.Relevant Error/Panic Output Snippet
No response
Terraform Configuration Files
see above
Steps to Reproduce
see above
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
No response
Would you like to implement a fix?
None
The text was updated successfully, but these errors were encountered: