
[Bug]: aws_cognito_risk_configuration should require notify_configuration in account_takeover_risk_configuration

Open dlaudams opened this issue 3 years ago • 2 comments

Terraform Core Version

1.1.8

AWS Provider Version

4.49.0

Affected Resource(s)

The aws_cognito_risk_configuration requires a notify_configuration block in account_takeover_risk_configuration, even when notify is set to false for all actions. I believe this should be optional in these scenarios.

The CloudFormation documentation shows NotifyConfiguration as optional.

The AWS web console allows configuring this without a notification configuration.

resource "aws_cognito_risk_configuration" "risk_configuration" {
  user_pool_id = aws_cognito_user_pool.my_user_pool.id

  account_takeover_risk_configuration {

    actions {
      high_action {
        event_action = "NO_ACTION"
        notify       = false
      }
      medium_action {
        event_action = "NO_ACTION"
        notify       = false
      }
      low_action {
        event_action = "NO_ACTION"
        notify       = false
      }
    }

#    notify_configuration {
#      source_arn = ??? # required even though notify is false for all actions
#    }
  }
}

Expected Behavior

The resource should validate without requiring notify_configuration

Actual Behavior

terraform validate fails with Error: Insufficient notify_configuration blocks

Relevant Error/Panic Output Snippet

│ Error: Insufficient notify_configuration blocks
│
│   on xxx.tf line 122, in resource "aws_cognito_risk_configuration" "risk_configuration":
│  122:   account_takeover_risk_configuration {
│
│ At least 1 "notify_configuration" blocks are required.

Terraform Configuration Files

I don't believe any configuration is needed to reproduce.

Steps to Reproduce

  1. Create a terraform.tf template
terraform {
  required_providers {
    aws = {
      version = "4.49.0"
      source  = "hashicorp/aws"
    }
  }
  required_version = ">= 1.0"
}

resource "aws_cognito_user_pool" "pool" {
  name = "pool"
}

resource "aws_cognito_risk_configuration" "risk_configuration" {
  user_pool_id = aws_cognito_user_pool.pool.id

  account_takeover_risk_configuration {
    actions {
      high_action {
        event_action = "NO_ACTION"
        notify       = false
      }
      medium_action {
        event_action = "NO_ACTION"
        notify       = false
      }
      low_action {
        event_action = "NO_ACTION"
        notify       = false
      }
    }

    #    notify_configuration {
    #      source_arn = ??? # required even though notify is false for all actions
    #    }
  }
}
  2. Run terraform init

  3. Run terraform validate

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

AWS user guide defines this property as not required:

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoverriskconfigurationtype.html

NotifyConfiguration
The notify configuration used to construct email notifications.

Required: No

Type: NotifyConfigurationType

Update requires: No interruption

Provider has notify_configuration set as required:

https://github.com/hashicorp/terraform-provider-aws/blob/1076f598ee88175e7409c5887edcf87e6cbeab20/internal/service/cognitoidp/risk_configuration.go#L112

Would you like to implement a fix?

None

dlaudams avatar Jan 10 '23 06:01 dlaudams
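The rule the report asks for is "notify_configuration is mandatory only if some action actually sets notify = true". The following Go program is an added illustration of that conditional check, written for this page; it is not the provider's schema code and does not use the Terraform plugin SDK. The struct names, the two Validate functions and the sample configurations are all hypothetical. The event action strings used are the values of the Cognito AccountTakeoverEventActionType enum. The extra check that source_arn is non-empty once notifications are enabled is my own addition, so that an empty-string notify_configuration (the workaround mentioned later in this thread) passes only while every action keeps notify = false.

```go
package main

import (
	"errors"
	"fmt"
)

// Action mirrors one of high_action / medium_action / low_action:
// the response to a risk level, and whether the user should be emailed.
type Action struct {
	EventAction string // Cognito values: "NO_ACTION", "BLOCK", "MFA_IF_CONFIGURED", "MFA_REQUIRED"
	Notify      bool
}

// NotifyConfiguration is the block the provider always required before v6.9.0.
// Only SourceArn (the SES identity used to send mail) is modelled here.
type NotifyConfiguration struct {
	SourceArn string
}

// AccountTakeoverRiskConfiguration is a hypothetical plain-Go model of the
// account_takeover_risk_configuration block; Notify == nil means the
// notify_configuration block was omitted from the HCL.
type AccountTakeoverRiskConfiguration struct {
	High, Medium, Low Action
	Notify            *NotifyConfiguration
}

// NotifyRequested reports whether any action asks Cognito to send an email.
func (c AccountTakeoverRiskConfiguration) NotifyRequested() bool {
	return c.High.Notify || c.Medium.Notify || c.Low.Notify
}

// ValidateAlwaysRequired reproduces the behaviour reported in the issue:
// the block is demanded regardless of the notify flags.
func ValidateAlwaysRequired(c AccountTakeoverRiskConfiguration) error {
	if c.Notify == nil {
		return errors.New(`At least 1 "notify_configuration" blocks are required.`)
	}
	return nil
}

// ValidateConditional implements the requested behaviour: the block is
// required only when at least one action has notify = true, and in that
// case its source_arn must not be empty (otherwise no mail can be sent).
func ValidateConditional(c AccountTakeoverRiskConfiguration) error {
	if !c.NotifyRequested() {
		return nil // no action notifies, so the block is genuinely optional
	}
	if c.Notify == nil {
		return errors.New("notify_configuration is required when any action sets notify = true")
	}
	if c.Notify.SourceArn == "" {
		return errors.New("notify_configuration.source_arn must be a non-empty SES identity ARN when notifications are enabled")
	}
	return nil
}

func main() {
	// Constructed sample: the configuration from the issue, all NO_ACTION and notify = false.
	noAction := Action{EventAction: "NO_ACTION", Notify: false}
	silent := AccountTakeoverRiskConfiguration{High: noAction, Medium: noAction, Low: noAction}
	fmt.Println("always-required, silent config:", ValidateAlwaysRequired(silent))
	fmt.Println("conditional, silent config:    ", ValidateConditional(silent))

	// Constructed sample: high risk blocks the sign-in and notifies the user.
	loud := silent
	loud.High = Action{EventAction: "BLOCK", Notify: true}
	fmt.Println("conditional, notify=true, block omitted:", ValidateConditional(loud))
	loud.Notify = &NotifyConfiguration{SourceArn: ""}
	fmt.Println("conditional, notify=true, empty source_arn:", ValidateConditional(loud))
}
```

Run with `go run .`; the silent configuration is rejected by ValidateAlwaysRequired and accepted by ValidateConditional, while enabling notify on any action without a usable source_arn is rejected by the conditional check.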

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

github-actions[bot] avatar Jan 10 '23 06:01 github-actions[bot]

More than one year later, this is still an issue.

mims92 avatar Dec 05 '24 14:12 mims92

For anybody else struggling with this, you can use a piece of code like this to bypass the mandatory parameter: notify_configuration { source_arn = "" } and still configure account_takeover_risk_configuration actions.

Sabo-kun avatar Feb 21 '25 14:02 Sabo-kun

[!WARNING] This Issue has been closed, meaning that any additional comments are much easier for the maintainers to miss. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

github-actions[bot] avatar Aug 08 '25 19:08 github-actions[bot]

This functionality has been released in v6.9.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

github-actions[bot] avatar Aug 14 '25 18:08 github-actions[bot]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot] avatar Sep 14 '25 02:09 github-actions[bot]