
Set account recovery preference for AWS Cognito User Pool with Terraform


In the spirit of infrastructure as code, I've configured an AWS Cognito User Pool via Terraform with the helpful aws_cognito_user_pool resource.

However, I can't seem to locate the argument/config mapping for the account recovery preference under the MFA and verification section.

Without specification, it appears that this is my default selection:

(Not Recommended) Phone if available, otherwise email, and do allow a user to reset their password via phone if they are also using it for MFA.


Goal

I'd like to set this to Email only instead, as annotated by the red rectangle in the image below:

[image: aws cognito user pool settings]

Does anyone know what Terraform argument I need to use to achieve this please? None of the options documented in the aws_cognito_user_pool resource seem to map to this.


Solution

  • 1 year on, I can now answer my own question, due to the newly introduced setting, account_recovery_setting, of the aws_cognito_user_pool resource.

    For example, to set the account recovery preference to email only, we can do the following:

    resource "aws_cognito_user_pool" "mypool" {
      name = "mypool"
    
      account_recovery_setting {
        recovery_mechanism {
          name     = "verified_email"
          priority = 1
        }
      }
    }
    

    This is available since v3.19.0 of the AWS provider, as part of this merged PR.
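As an added example (not part of the question or answer above), here is a small policy check that reads `terraform show -json` plan output and reports any `aws_cognito_user_pool` that either omits `account_recovery_setting` (leaving the phone-first default the question calls not recommended) or lists anything other than `verified_email` at priority 1. The plan excerpt is constructed to mirror how Terraform serialises the resource's nested blocks as lists; the function names are my own.

```python
import json

# Constructed plan excerpt in the shape of `terraform show -json tfplan`:
# the email-only pool from the answer, a pool with no recovery setting,
# and a pool that keeps the phone number as the first recovery mechanism.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.0",
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_cognito_user_pool.mypool", "type": "aws_cognito_user_pool",
         "values": {"account_recovery_setting": [
             {"recovery_mechanism": [{"name": "verified_email", "priority": 1}]}]}},
        {"address": "aws_cognito_user_pool.legacy", "type": "aws_cognito_user_pool",
         "values": {"account_recovery_setting": []}},
        {"address": "aws_cognito_user_pool.sms_first", "type": "aws_cognito_user_pool",
         "values": {"account_recovery_setting": [
             {"recovery_mechanism": [{"name": "verified_phone_number", "priority": 1},
                                     {"name": "verified_email", "priority": 2}]}]}},
    ]}},
})


def iter_pools(plan):
    """Yield (address, values) for every aws_cognito_user_pool, child modules included."""
    stack = [plan["planned_values"]["root_module"]]
    while stack:
        module = stack.pop()
        for res in module.get("resources", []):
            if res.get("type") == "aws_cognito_user_pool":
                yield res["address"], res.get("values", {})
        stack.extend(module.get("child_modules", []))


def recovery_findings(plan_json):
    """Return {address: reason} for pools whose recovery is not email-only."""
    findings = {}
    for address, values in iter_pools(json.loads(plan_json)):
        settings = values.get("account_recovery_setting") or []
        mechanisms = settings[0].get("recovery_mechanism", []) if settings else []
        if not mechanisms:
            findings[address] = "no account_recovery_setting: Cognito keeps its phone-first default"
            continue
        # Order by priority so the first entry is the mechanism Cognito tries first.
        names = [m["name"] for m in sorted(mechanisms, key=lambda m: m["priority"])]
        if names != ["verified_email"]:
            findings[address] = f"recovery order is {names}, expected ['verified_email'] only"
    return findings


if __name__ == "__main__":
    for address, reason in recovery_findings(SAMPLE_PLAN).items():
        print(f"{address}: {reason}")
```

Run it against real output with `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and pass the file contents to `recovery_findings`.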