Set account recovery preference for AWS Cognito User Pool with Terraform
In the spirit of infrastructure as code, I've configured an AWS Cognito User Pool via Terraform with the helpful aws_cognito_user_pool resource.

However, I can't seem to locate the argument/config mapping for the account recovery preference under the MFA and verification section.

Without specification, it appears that this is my default selection:

(Not Recommended) Phone if available, otherwise email, and do allow a user to reset their password via phone if they are also using it for MFA.


Goal

I'd like to set this to Email only instead, as annotated by the red rectangle in the image below:

[image: aws cognito user pool settings]

Does anyone know what Terraform argument I need to use to achieve this please? None of the options documented in the aws_cognito_user_pool resource seem to map to this.

Incessant answered 30/11, 2019 at 20:37 Comment(0)
1 year on, I can now answer my own question, due to the newly introduced setting, account_recovery_setting, of the aws_cognito_user_pool resource.

For example, to set the account recovery preference to email only, we can do the following:

resource "aws_cognito_user_pool" "mypool" {
  name = "mypool"

  account_recovery_setting {
    recovery_mechanism {
      name     = "verified_email"
      priority = 1
    }
  }
}

This is available since v3.19.0 of the AWS provider, as part of this merged PR.

Incessant answered 2/12, 2020 at 7:52 Comment(0)
Hi Peter, I am using the CloudFormation template for creating the Cognito configuration.

With a little bit of modification and converting to YAML, we can have the Recovery Settings set to the Email only option. Please find the code snippet below.

UserPool:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: "test-pool"
      UsernameAttributes: [email]
      AccountRecoverySetting:
        RecoveryMechanisms:
          - Name: "verified_email"
            Priority: 1
      AutoVerifiedAttributes:
        - email

This seems to be working for me :)

Note: while trying to incorporate the other option for "admin_only", AWS generates the error Invalid account recovery setting parameter. Account Recovery Setting cannot use admin_only setting with any other recovery mechanisms.

Melessa answered 15/4, 2020 at 16:29 Comment(2)
Hey @DHEERAJ. For my understanding: do you mean to say that you've had success with the aws_cloudformation_stack resource? If so, are you able to provide a more complete snippet please?Incessant
Hi @Peter J Langley,

Resources:
  UserPool:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: "test"
      UsernameAttributes: [email]
      AccountRecoverySetting:
        RecoveryMechanisms:
          - Name: "verified_email"
            Priority: 1
      AutoVerifiedAttributes:
        - email
      VerificationMessageTemplate:
        DefaultEmailOption: CONFIRM_WITH_LINK
        EmailVerificationSubject: Subject
        EmailVerificationMessage: verify email {####}
      Schema:
        - Name: email
          AttributeDataType: String
          Mutable: false
          Required: true
      MfaConfiguration: "OFF"
      UserPoolTags:
        Tag: "x"
  UserPoolClient:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      ClientName: "x"
      GenerateSecret: false
      UserPoolId: !Ref UserPool

Melessa
Terraform doesn't support it yet. But you could use local exec instead:

resource "null_resource" "setup_account_recovery_settings" {
  triggers = {
    version = "${var.version_local_exec_account_recovery_settings}"
  }

  provisioner "local-exec" {
    command = "aws cognito-idp update-user-pool --user-pool-id ${aws_cognito_user_pool.userpool.id} --account-recovery-setting 'RecoveryMechanisms=[{Priority=1,Name=verified_email},{Priority=2,Name=verified_phone_number}]' --region ${var.region}"
  }
}

But it will wipe out your whole configuration. Instead you could provide the full config as JSON, but then why use Terraform?

Enrol answered 9/12, 2019 at 21:55 Comment(3)
Terraform doesn't support it yet - I thought this may have been the case. I'd prefer not to use this local exec escape hatch. I've now raised an issue on GitHub for this feature request.Incessant
May I know how to do it for the option None - users will have to contact an administrator to reset their passwords? Husain
The Terraform AWS Provider now has support for this: see answer here.Incessant
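Pulling the thread together, as an added example that is not from any of the answers above: one user pool whose recovery mechanisms come from a variable, with plan-time validation for the combinations this thread ran into (the admin_only error quoted in the CloudFormation answer, and the administrator-only reset that the comment above asks about). The variable and resource names are assumptions.

```hcl
# Added example, not code from the original answers. Variable and resource
# names are assumptions.
variable "recovery_mechanisms" {
  description = "Ordered recovery mechanisms; priority 1 is tried first."
  type = list(object({
    name     = string
    priority = number
  }))
  # Email only, the option the question asks for. For the "None" option
  # (users must contact an administrator) use a single admin_only entry.
  default = [{ name = "verified_email", priority = 1 }]

  validation {
    condition = alltrue([
      for m in var.recovery_mechanisms :
      contains(["verified_email", "verified_phone_number", "admin_only"], m.name)
    ])
    error_message = "name must be verified_email, verified_phone_number or admin_only."
  }

  # Cognito rejects admin_only combined with any other mechanism (the error
  # quoted in the CloudFormation answer), so fail at plan time instead.
  validation {
    condition = (
      !contains([for m in var.recovery_mechanisms : m.name], "admin_only")
      || length(var.recovery_mechanisms) == 1
    )
    error_message = "admin_only cannot be combined with other recovery mechanisms."
  }

  validation {
    condition     = length(distinct([for m in var.recovery_mechanisms : m.priority])) == length(var.recovery_mechanisms)
    error_message = "priorities must be unique."
  }
}

resource "aws_cognito_user_pool" "pool" {
  name = "example-pool"

  # Requires AWS provider v3.19.0 or later, per the accepted answer.
  account_recovery_setting {
    dynamic "recovery_mechanism" {
      for_each = var.recovery_mechanisms
      content {
        name     = recovery_mechanism.value.name
        priority = recovery_mechanism.value.priority
      }
    }
  }
}
```

Leaving the variable at its default gives the email-only setting; a phone mechanism has to be added deliberately, so the not-recommended default from the question cannot be reached by omission.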
Following David's idea, if you want to enable the "email only" option, you should set

--account-recovery-setting 'RecoveryMechanisms=[{Priority=1,Name=verified_email}]'

Regards,

Chamblee answered 19/2, 2020 at 11:3 Comment(0)