0
votes

I have a custom attribute that I am no longer using, and it is forcing terraform to destroy the user pool each time. Is there a way to avoid the user pool's destruction?

My terraform:

resource "aws_cognito_user_pool" "my_pool" {
   name                          = "${var.la} Pool"

   alias_attributes              = [
      "email"
   ]

   /* Auto-verify these fields */
   auto_verified_attributes      = [
      "email"
   ]

   ...

   schema {
      attribute_data_type         = "String"
      name                        = "my_custom_attribute1"
      required                    = "false"
      mutable                     = "true"
   }
 }

terraform plan gives the following result:

  schema.xxx.attribute_data_type:                          "String" => "" (forces new resource)
  schema.xxx.developer_only_attribute:                          "false" => "false"
  schema.xxx.mutable:                                           "true" => "false" (forces new resource)
  schema.xxx.name:                                              "my_custom_attribute1" => "" (forces new resource)
  schema.xxx.number_attribute_constraints.#:                    "0" => "0"
  schema.xxx.required:                                          "false" => "false"
  schema.xxx.string_attribute_constraints.#:                    "1" => "0" (forces new resource)
  schema.xxx.string_attribute_constraints.0.max_length:         "" => ""
  schema.xxx.string_attribute_constraints.0.min_length:         "" => ""

I've not made changes to these, but every time I try to plan it says that there are changes and I need to destroy my user pool (which I don't want to do).

I've tried running terraform refresh, but it didn't seem to have an effect.

I found the following, but the suggestions don't seem to fix my issue: https://github.com/terraform-providers/terraform-provider-aws/issues/3891

I don't think it's a bug really. How do I avoid destroying my Cognito user pool?

terraform version: 0.11.5 aws version: 0.17 (also tried 0.15)

1
When you say you have a custom attribute that you are no longer using are you saying you've removed it in Terraform and the plan then shows it needs to replace the user pool? If so then this is to be expected because AWS doesn't let you remove attributes from a user pool so Terraform would need to recreate the user pool to be able to remove the attribute. - ydaetskcoR

No, I know removing it would destroy the pool. I've left the attribute in place, but I wanted to be clear that I am not using it currently. I just want my pool to not be destroyed when I'm applying changes to other services (e.g. dynamo). - cyram

You might need to share more of your config and the plan to make this obvious to people trying to answer this. Maybe try creating an [mvce] that has a simple user pool configuration and work out what you need to do to get it to force a new resource as you are seeing there so you can show the full plan without having to censor things/share on a subset of things. From what it looks like there though Terraform thinks you are trying to remove that schema attribute and so it will recreate the user pool without it. - ydaetskcoR

The only thing I left out really is the e-mail message. It's a pretty short config. What confuses me is how the custom attribute is set as mutable, but terraform seems to think that it needs to change it to false, and thereby destroy the pool. My terraform says 'true', the current state says 'true', but for some reason it thinks it needs to change it to 'false'. - cyram

No, that plan is saying that the attribute is being removed for some reason (so all of the parameters are being set to the defaults such as empty string/0/false). - ydaetskcoR

1 Answer

2
votes

I recently had the same problem and it seems that Terraform have updated their documentation to highlight this issue:

NOTE: When defining an attribute_data_type of String or Number, the respective attribute constraints configuration block (e.g. string_attribute_constraints or number_attribute_constraints) is required to prevent recreation of the Terraform resource. This requirement is true for both standard (e.g. name, email) and custom schema attributes.

In short you likely need to add constraints to the attribute to stop it recreating each time, e.g.:

string_attribute_constraints = { # This is required to stop user pool being recreated
  max_length = 32
}

This may cause your resource to be updated (and thus destroyed) once, but should behave as expected subsequently. As always, I'd recommend testing first though!
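
The following is an added example, not part of the answer above or the asker's configuration: the question's user pool in Terraform 0.11 syntax with the constraints block nested inside the schema block, plus a `lifecycle` guard so that a plan which still wants to replace the pool fails instead of deleting every user in it. The `min_length`/`max_length` values and the omission of the elided arguments are assumptions.

```hcl
# Added example (Terraform 0.11 syntax). Arguments elided in the question
# ("...") are left out here; keep them in your own configuration.
variable "la" {}

resource "aws_cognito_user_pool" "my_pool" {
  name = "${var.la} Pool"

  alias_attributes         = ["email"]
  auto_verified_attributes = ["email"]

  schema {
    attribute_data_type = "String"
    name                = "my_custom_attribute1"
    required            = false
    mutable             = true

    # Explicit constraints block, which the provider note requires for
    # String attributes to avoid a perpetual diff on the schema.
    # Assumed values: pick lengths that match the existing attribute.
    string_attribute_constraints {
      min_length = 0
      max_length = 32
    }
  }

  # Guard: Terraform rejects any plan that would destroy this resource,
  # so a forced replacement surfaces as an error rather than a deletion.
  lifecycle {
    prevent_destroy = true
  }
}
```

Run `terraform plan` after the change and check that no schema line is marked "(forces new resource)"; if one still is, the guard stops the run so the constraint values can be adjusted before anything is destroyed.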