terraform-provider-aws
[Enhancement]: Send email instructions when creating new aws_identitystore_user
Description
When creating a user in AWS Identity Center through the AWS console, I'm shown an option to send an email with sign up instructions for the new user:
However, when creating a user through the aws_identitystore_user resource there is no such option, and no email is sent by default either.
Affected Resource(s) and/or Data Source(s)
- aws_identitystore_user
Potential Terraform Configuration
No response
References
No response
Would you like to implement a fix?
No response
Community Note
Voting for Prioritization
- Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
- Please see our prioritization guide for information on how we prioritize.
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
Volunteering to Work on This Issue
- If you are interested in working on this issue, please leave a comment.
- If this would be your first contribution, please review the contribution guide.
I just found out that there is an option that should be configured in the SSO Instance to solve this: https://docs.aws.amazon.com/console/singlesignon/directory/users-without-pwd
I'm not sure there is a way to set this through Terraform in some resource, though.
But at least there is a way even though this option lies outside the aws_identitystore_user.
Thanks for the tip @luislhl. That's some kind of workaround, but it will not fulfill the wished behavior.
When creating a user by aws_identitystore_user, there is no invitation email automatically sent. The user has to actively try to sign in once and is then led to an initial account config wizard.
Better than nothing, but an invitation mail on creation by the Terraform resource would be nice :-).
Hello,
we are building a module that provides an easy way to manage users, groups, permission sets... and we are facing this problem. It would be nice if the Terraform module could send the invitation like console provisioning does.
I just found out that there is an option that should be configured in the SSO Instance to solve this: https://docs.aws.amazon.com/console/singlesignon/directory/users-without-pwd
I'm not sure there is a way to set this through Terraform in some resource, though.
But at least there is a way even though this option lies outside the aws_identitystore_user.
I tried this too, but it doesn't work. I have to send the verification email by clicking in the AWS console, which is not the ideal way to automate this kind of provisioning.
It seems this is a limitation of AWS API itself: https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateUser.html
There is no such option on their API for Terraform to implement in the aws_identitystore_user resource.
Hello, any new updates regarding this situation?
Hi, just following up on this here too, is there any update?
Hello all, as I see this property is really obligatory for IAM IC. Could you add implementations of this to your plans?
Hello! Waiting for changes. Staying online to observe this situation.
Waiting for any updates on this. My trick now is creating all users by Terraform. After that, go to AWS Console and click the Reset password (also verify) button for each user, because only Send email verification link doesn't give them a password.
Hi everyone! Do you have some news about this feature? Some tricks to automate this process?
Chiming in, could really use this feature too. Built a clean automatic deploy flow.. only to have to go in the console and manually click a button..
Hi there, it doesn't look like there is any update on that yet; does anyone know any workaround to automatically email the instructions to the users?
I just found out that there is an option that should be configured in the SSO Instance to solve this: https://docs.aws.amazon.com/console/singlesignon/directory/users-without-pwd
I'm not sure there is a way to set this through Terraform in some resource, though.
But at least there is a way even though this option lies outside the aws_identitystore_user.
It definitely doesn't work when users are created by TF, even though it uses the underlying AWS API.
It seems it's still not solved.
When the AWS Identity Center (SSO) user is created using the terraform "aws_identitystore_user", it shows "Users must first verify their email address before they can begin to use certain features such as completing email-based two-step verification during sign-in.".
And to solve this I have to use the username manually and the "Forget Password" option to set up a new password and start using the created AWS SSO user.
Is there any solution found?