TemporaryPasswordValidityDays bug when updating Cognito user pool
What happened?
I created an aws-native.cognito.UserPool with the following policies:
```python
import pulumi_aws_native as aws_native

cognito_user_pool = aws_native.cognito.UserPool(
    "MyUserPool",
    policies=aws_native.cognito.UserPoolPoliciesArgs(
        password_policy=aws_native.cognito.UserPoolPasswordPolicyArgs(
            minimum_length=16,
            require_lowercase=True,
            require_numbers=True,
            require_uppercase=True,
            require_symbols=False,
            temporary_password_validity_days=7,
        )
    ),
    # [...]  remaining arguments elided in the original report
)
```
Later when I attempt to make a trivial update to this user pool, I receive the following error:
```text
aws-native:cognito:UserPool (MyUserPool):
  error: operation UPDATE failed with "InvalidRequest": Please use TemporaryPasswordValidityDays in PasswordPolicy instead of UnusedAccountValidityDays (Service: CognitoIdentityProvider, Status Code: 400, Request ID: XXX
```
Since my password policy already uses TemporaryPasswordValidityDays, this is a bug.
Example
See above
Output of pulumi about
```text
CLI
Version      3.99.0
Go Version   go1.21.5
Go Compiler  gc

Plugins
NAME        VERSION
aws-native  0.92.0
python      unknown

Host
OS       debian
Version  trixie/sid
Arch     x86_64

This project is written in python: executable='/usr/bin/python3' version='3.11.7'

Current Stack: dappel/agileorca-cognito/testing

TYPE                           URN
pulumi:pulumi:Stack            urn:pulumi:testing::agileorca-cognito::pulumi:pulumi:Stack::agileorca-cognito-testing
pulumi:providers:pulumi        urn:pulumi:testing::agileorca-cognito::pulumi:providers:pulumi::default
pulumi:pulumi:StackReference   urn:pulumi:testing::agileorca-cognito::pulumi:pulumi:StackReference::dappel/agileorca-ses/testing
pulumi:providers:aws-native    urn:pulumi:testing::agileorca-cognito::pulumi:providers:aws-native::default_0_92_0
aws-native:cognito:UserPool    urn:pulumi:testing::agileorca-cognito::aws-native:cognito:UserPool::DappelCognitoUserPool

Found no pending operations associated with testing

Backend
Name           pulumi.com
URL            https://app.pulumi.com/ghferrari
User           ghferrari
Organizations  ghferrari, dappel
Token type     personal

Dependencies:
NAME               VERSION
pip                23.3.2
pulumi-aws-native  0.92.0
setuptools         69.0.3
wheel              0.42.0

Pulumi locates its logs in /tmp by default
```
Additional context
None
Thanks for filing this @ghferrari. My reading of the error message is actually that it's objecting to setting UnusedAccountValidityDays, not complaining about missing TemporaryPasswordValidityDays. Is there any chance the update you made is modifying UnusedAccountValidityDays or AdminCreateUserConfig?
Hi Matt,
My password policy is defined exactly as above and doesn't include UnusedAccountValidityDays at all. So really, there are two mysteries here:
- Why is it complaining about TemporaryPasswordValidityDays being absent when it isn't?
- Why is it complaining about UnusedAccountValidityDays when I don't define that in my UserPool?
Many thanks for your help - much appreciated.
Thanks for the additional detail @ghferrari.
It's possible that we're sending in a default value somewhere for UnusedAccountValidityDays; it's also possible that the API expects the client to send TemporaryPasswordValidityDays with the update even though it has not changed.
I think our next step to debug will be to try the update from the aws client: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudcontrol/update-resource.html and see if we can figure out what the API expects here.
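As an added example (not code from the issue or from the pulumi-aws-native project), this is one way to script the manual Cloud Control update suggested above while pre-checking the desired state for the deprecated field the error names. The helper names, the boto3 `update_resource` call and the use of the pool Id as the Cloud Control identifier are assumptions; the checks themselves run without AWS access.

```python
# Added example (not from the issue or pulumi-aws-native): build the Cloud Control
# UpdateResource patch for the issue's password policy and pre-check the desired
# state for the field the error message rejects. boto3 call and identifier assumed.
import json
from typing import Any

# Desired state from the issue, in CloudFormation property casing.
DESIRED_PASSWORD_POLICY: dict[str, Any] = {
    "MinimumLength": 16,
    "RequireLowercase": True,
    "RequireNumbers": True,
    "RequireUppercase": True,
    "RequireSymbols": False,
    "TemporaryPasswordValidityDays": 7,
}

def check_password_policy(policy: dict[str, Any]) -> list[str]:
    """Return reasons Cognito would reject the policy; an empty list means OK."""
    problems: list[str] = []
    if "UnusedAccountValidityDays" in policy:
        # Deprecated field named in the error message; it must not be sent at all.
        problems.append("UnusedAccountValidityDays is deprecated; use TemporaryPasswordValidityDays")
    days = policy.get("TemporaryPasswordValidityDays")
    if days is None:
        problems.append("TemporaryPasswordValidityDays is not set")
    elif not 0 <= int(days) <= 365:  # documented range for this property
        problems.append(f"TemporaryPasswordValidityDays={days} is outside 0..365")
    if not 6 <= int(policy.get("MinimumLength", 0)) <= 99:  # documented range
        problems.append("MinimumLength must be between 6 and 99")
    return problems

def build_patch_document(policy: dict[str, Any]) -> str:
    """RFC 6902 JSON Patch replacing only /Policies/PasswordPolicy, so nothing under
    AdminCreateUserConfig is touched and a failure isolates the password-policy path."""
    return json.dumps([{"op": "replace", "path": "/Policies/PasswordPolicy", "value": policy}])

def update_user_pool_password_policy(pool_id: str, policy: dict[str, Any]) -> dict:
    """Validate, then send the patch with boto3 (needs AWS credentials; not run offline)."""
    problems = check_password_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    import boto3  # imported here so the checks above work without AWS access
    client = boto3.client("cloudcontrol")
    return client.update_resource(
        TypeName="AWS::Cognito::UserPool",
        Identifier=pool_id,  # assumed: Cloud Control identifies the pool by its Id
        PatchDocument=build_patch_document(policy),
    )
```

If the hand-built patch succeeds where the provider's update fails, the provider is sending extra state; if it fails the same way, the API itself is rejecting the document.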
+1
It looks like this issue has been fixed, I can no longer reproduce the bug.