
[Bug]: Unable to update the email MFA configuration #41049

Open
hanoj-budime opened this issue Jan 23, 2025 · 2 comments
Labels
bug Addresses a defect in current functionality. service/cognitoidp Issues and PRs that pertain to the cognitoidp service.

Comments

@hanoj-budime

hanoj-budime commented Jan 23, 2025

Terraform Core Version

1.4

AWS Provider Version

5.84.0

Affected Resource(s)

Unable to update the email MFA configuration in the aws_cognito_user_pool resource.

Let's assume we already have an existing aws_cognito_user_pool resource that was created with enforced MFA configuration, account recovery settings set to email only, and an email configuration using the sender account cognito_default.

Of course, I am also aware of the prerequisites to enable email_mfa:

  • account_recovery_setting can't be set to only email or SMS; the recommended option is to set both to email_then_sms.
  • The email_configuration sender account can't be cognito_default; the recommended option is to set it to DEVELOPER with a verified SES identity.

Now, while updating on top of the previous configuration, I updated the prerequisites and email MFA configuration at the same time and encountered an error.

Expected Behavior

# aws_cognito_user_pool.user_pool will be updated in-place
~ resource "aws_cognito_user_pool" "user_pool" {
        id                         = "us-west-2_XXXXXXXX"
        name                       = "xxxx-scratch-test"
        tags                       = {}
        # (17 unchanged attributes hidden)
      ~ account_recovery_setting {
          + recovery_mechanism {
              + name     = "verified_phone_number"
              + priority = 2
            }
            # (1 unchanged block hidden)
        }
      ~ email_configuration {
          ~ email_sending_account = "COGNITO_DEFAULT" -> "DEVELOPER"
          + source_arn            = "arn:aws:ses:us-west-2:123456789012:identity/[email protected]"
        }
      + email_mfa_configuration {
          + message = "Your authentication code is {####}"
          + subject = "Test Sign In"
        }
        # (6 unchanged blocks hidden)
    }
Plan: 0 to add, 1 to change, 0 to destroy.

Actual Behavior

~ resource "aws_cognito_user_pool" "user_pool" {
        id                         = "us-west-2_XXXXXXXX"
        name                       = "xxxx-scratch-test"
        tags                       = {}
        # (17 unchanged attributes hidden)
      ~ account_recovery_setting {
          + recovery_mechanism {
              + name     = "verified_phone_number"
              + priority = 2
            }
            # (1 unchanged block hidden)
        }
      ~ email_configuration {
          ~ email_sending_account = "COGNITO_DEFAULT" -> "DEVELOPER"
          + source_arn            = "arn:aws:ses:us-west-2:123456789012:identity/[email protected]"
        }
      + email_mfa_configuration {
          + message = "Your authentication code is {####}"
          + subject = "Test Sign In"
        }
        # (6 unchanged blocks hidden)
    }
Plan: 0 to add, 1 to change, 0 to destroy.
aws_cognito_user_pool.user_pool: Modifying... [id=us-west-2_XXXXXXXX]

Error: setting Cognito User Pool (us-west-2_XXXXXXXX) MFA configuration: operation error Cognito Identity Provider: SetUserPoolMfaConfig, https response error StatusCode: 400, RequestID: XXXXXX-XXXX-XXXX-XXX-XXXXXXX, InvalidParameterException: Cannot set EmailMfaConfiguration when user pool AccountRecoverySetting is not set or contains only verified_email in RecoveryMechanisms. At least one recovery mechanism other than verified_email should be present.

    with aws_cognito_user_pool.user_pool,
    on user-pool.tf line 1, in resource "aws_cognito_user_pool" "user_pool":
    1: resource "aws_cognito_user_pool" "user_pool" {

Relevant Error/Panic Output Snippet

Error: setting Cognito User Pool (us-west-2_XXXXXXXX) MFA configuration: operation error Cognito Identity Provider: SetUserPoolMfaConfig, https response error StatusCode: 400, RequestID: XXXXXX-XXXX-XXXX-XXX-XXXXXXX, InvalidParameterException: Cannot set EmailMfaConfiguration when user pool AccountRecoverySetting is not set or contains only verified_email in RecoveryMechanisms. At least one recovery mechanism other than verified_email should be present.

    with aws_cognito_user_pool.user_pool,
    on user-pool.tf line 1, in resource "aws_cognito_user_pool" "user_pool":
    1: resource "aws_cognito_user_pool" "user_pool" {

Terraform Configuration Files

Existing resource's code

resource "aws_cognito_user_pool" "user_pool" {
  name = local.pool_name

  account_recovery_setting {
    recovery_mechanism {
      name     = "verified_email"
      priority = 1
    }
  }

  email_configuration {
    email_sending_account = "COGNITO_DEFAULT"
  }

  mfa_configuration          = "ON"
  
  sms_authentication_message = "Your code is {####}"
  sms_configuration {
    external_id    = local.pool_name
    sns_caller_arn = local.sns_caller_arn
    sns_region     = var.aws_region
  }
  
  software_token_mfa_configuration {
    enabled = true
  }
}

Updating - Existing Resource's Code

resource "aws_cognito_user_pool" "user_pool" {
  name = local.pool_name

  account_recovery_setting {
    recovery_mechanism {
      name     = "verified_email"
      priority = 1
    }
    recovery_mechanism {
      name     = "verified_phone_number"
      priority = 2
    }
  }

  email_configuration {
    email_sending_account = "DEVELOPER"
    source_arn            = local.email_configuration_source_arn
  }

  email_mfa_configuration {
    message = var.authentication_body
    subject = local.authentication_subject
  }

  mfa_configuration          = "ON"
  
  sms_authentication_message = "Your code is {####}"
  sms_configuration {
    external_id    = local.pool_name
    sns_caller_arn = local.sns_caller_arn
    sns_region     = var.aws_region
  }

  software_token_mfa_configuration {
    enabled = true
  }
}

Steps to Reproduce

Deploy the initial code using the "existing resource's code" snippet.
Then, deploy again on top of the previous tf-state using the "updating existing resource's code" snippet.
The referenced snippet code is available in the description above.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
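The error quoted above shows SetUserPoolMfaConfig being rejected during an apply that also changes account_recovery_setting and email_configuration, so the rejected call is made while the pool is still in its old state. Until the provider handles that ordering, a defensive option is to validate the two prerequisites the reporter lists (and the constraint in the InvalidParameterException) before the plan is applied. The following is an added example, not code from this issue or from the AWS provider; the dict layout is an assumption that mirrors the HCL attribute names, the default sender of COGNITO_DEFAULT is assumed, and the sample configurations are constructed from the issue's snippets with a placeholder SES ARN.

```python
"""Pre-apply check for the email-MFA prerequisites on an aws_cognito_user_pool.

Added example (not from the issue or the AWS provider). It encodes the two
prerequisites the reporter lists and the constraint quoted in the
InvalidParameterException (at least one recovery mechanism other than
verified_email), so a CI step can reject a configuration before
`terraform apply` reaches SetUserPoolMfaConfig. The dict layout is an
assumption that mirrors the HCL attribute names.
"""
from typing import Any


def check_email_mfa_prerequisites(pool: dict[str, Any]) -> list[str]:
    """Return a list of problems; an empty list means email MFA may be enabled."""
    problems: list[str] = []
    if not pool.get("email_mfa_configuration"):
        return problems  # email MFA not requested: nothing to validate

    # Constraint from the API error: verified_email on its own is not enough.
    mechanisms = pool.get("account_recovery_setting", {}).get("recovery_mechanism", [])
    names = {m.get("name") for m in mechanisms}
    if not names or names <= {"verified_email"}:
        problems.append(
            "account_recovery_setting needs a recovery mechanism other than "
            "verified_email (for example verified_phone_number)"
        )

    # Reporter's second prerequisite: the Cognito default sender cannot be used.
    email_cfg = pool.get("email_configuration", {})
    sending_account = email_cfg.get("email_sending_account", "COGNITO_DEFAULT")  # assumed default
    if sending_account != "DEVELOPER":
        problems.append("email_configuration.email_sending_account must be DEVELOPER")
    elif not email_cfg.get("source_arn"):
        problems.append("email_configuration.source_arn must point at a verified SES identity")

    return problems


# Constructed samples modelled on the issue's "existing" and "updating" snippets.
EXISTING_POOL: dict[str, Any] = {
    "account_recovery_setting": {
        "recovery_mechanism": [{"name": "verified_email", "priority": 1}],
    },
    "email_configuration": {"email_sending_account": "COGNITO_DEFAULT"},
    "mfa_configuration": "ON",
}

# The naive change: email MFA added without touching the prerequisites.
NAIVE_UPDATE: dict[str, Any] = {
    **EXISTING_POOL,
    "email_mfa_configuration": {"message": "Your code is {####}", "subject": "Sign in"},
}

# The reporter's full update with both prerequisites satisfied (placeholder ARN).
UPDATED_POOL: dict[str, Any] = {
    "account_recovery_setting": {
        "recovery_mechanism": [
            {"name": "verified_email", "priority": 1},
            {"name": "verified_phone_number", "priority": 2},
        ],
    },
    "email_configuration": {
        "email_sending_account": "DEVELOPER",
        "source_arn": "arn:aws:ses:REGION:ACCOUNT_ID:identity/PLACEHOLDER",  # placeholder
    },
    "email_mfa_configuration": {"message": "Your code is {####}", "subject": "Sign in"},
    "mfa_configuration": "ON",
}


def main() -> None:
    samples = (("existing", EXISTING_POOL), ("naive update", NAIVE_UPDATE), ("full update", UPDATED_POOL))
    for label, cfg in samples:
        problems = check_email_mfa_prerequisites(cfg)
        print(f"{label}: {'ok' if not problems else '; '.join(problems)}")


if __name__ == "__main__":
    main()
```

Running the check over the three constructed samples reports the existing pool and the full update as acceptable and flags the naive update twice (recovery mechanisms and sender account). The check only mirrors the constraints stated on this page; it does not replace the provider fix, since a configuration that passes it can still fail if the provider issues SetUserPoolMfaConfig before the UpdateUserPool changes have landed.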

@hanoj-budime hanoj-budime added the bug Addresses a defect in current functionality. label Jan 23, 2025

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added service/cognitoidp Issues and PRs that pertain to the cognitoidp service. needs-triage Waiting for first response or review from a maintainer. labels Jan 23, 2025
@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Jan 23, 2025
@hanoj-budime

Can someone please urgently fix this issue? Our latest feature does not support a smooth update for existing resources.

@justinretzolk
@ewbankkit

Related PR, Issue
#40734
