Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: cognito pre_token_generation_config reconciliation issue. #38617

Open
michal-celniak-cko opened this issue Jul 31, 2024 · 1 comment
Open

[Bug]: cognito pre_token_generation_config reconciliation issue. #38617

michal-celniak-cko opened this issue Jul 31, 2024 · 1 comment
Labels
bug Addresses a defect in current functionality. service/cognitoidp Issues and PRs that pertain to the cognitoidp service.

Comments

@michal-celniak-cko
Copy link

Terraform Core Version

1.5.7

AWS Provider Version

5.55.0, 5.60.0

Affected Resource(s)

aws_cognito_user_pool

Expected Behavior

when I remove the pre_token_generation_config block from inside the lambda_config block in the aws_cognito_user_pool resourdce I expect the Pre token generation Lambda trigger to be removed.

Actual Behavior

no changes are detected in the resource during reconciliation on tf plan.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

relevant parts of the aws_cognito_user_pool block

resource "aws_cognito_user_pool" "user_pool" {

 ...

  lambda_config {
    pre_sign_up          = var.enable_pre_signup_trigger ? data.terraform_remote_state.lambdas.outputs.pre_signup.arn : null
    post_authentication  = var.enable_post_authentication_trigger ? data.terraform_remote_state.lambdas.outputs.post_authentication.arn : null
    dynamic "pre_token_generation_config" {
      for_each = var.enable_pre_token_generation_trigger ? [1] : []
      content {
        lambda_arn     = data.terraform_remote_state.lambdas.outputs.pre_token_generation.arn
        lambda_version = "V2_0"
      }
    }
  }

  user_pool_add_ons {
    advanced_security_mode = var.enable_advanced_security_mode ? "ENFORCED" : "OFF"
  }
}

It doesn't look like the other parts of the user pool configuration are relevant to the issue, I believe the problem can be reproduced with any valid user pool configuration. the dynamic block is not required for reproduction, It can be achieved with just adding the block and then removing it/commenting it out.

Steps to Reproduce

  1. create an user pool
  2. create a valid pre_token_generation lambda
  3. add valid pre_sign_up and post_authentication lambdas (we probably need just 1 so that the lambda_config block contains something more than the pre token generation config.
  4. set advanced_security_mode to "ENFORCED"
  5. set pre_token_generation_config to use the created lambda and set the lambda_version to V2_0
  6. TF apply
  7. Verify that the actual state matches the intention at this moment.
  8. remove the pre_token_generation_config from the lambda_config block.
  9. TF plan/apply results in No changes

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
@michal-celniak-cko michal-celniak-cko added the bug Addresses a defect in current functionality. label Jul 31, 2024
@github-actions GitHub Actions
Copy link

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/cognitoidp Issues and PRs that pertain to the cognitoidp service. label Jul 31, 2024
@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Jul 31, 2024
@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Jul 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Addresses a defect in current functionality. service/cognitoidp Issues and PRs that pertain to the cognitoidp service.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@justinretzolk @michal-celniak-cko