
How can I enable Cognito 'Email address or phone number' login using Terraform?


I'm trying to create a new AWS Cognito user pool using Terraform, and currently have the following problem:

I've been trying to get Email address or phone number -> Allow email addresses (shown below in red) selected, instead of what is currently selected (Username -> Also allow sign in with verified email address)

Screenshot of AWS Cognito

The relevant section of my main.tf file looks like this:

resource "aws_cognito_user_pool" "app_cognito_user_pool" {
  name = "app_cognito_user_pool"

  alias_attributes         = ["email"]
  auto_verified_attributes = ["email"]
  account_recovery_setting {
    recovery_mechanism {
      name     = "verified_email"
      priority = 1
    }
  }
}

resource "aws_cognito_user_pool_client" "app_cognito_user_pool_client" {
  name         = "app_cognito_user_pool_client"
  user_pool_id = aws_cognito_user_pool.app_cognito_user_pool.id

  prevent_user_existence_errors = "ENABLED"
  supported_identity_providers  = ["COGNITO"]
}


resource "aws_cognito_user_pool_domain" "app_cognito_user_pool_domain" {
  domain       = "app"
  user_pool_id = aws_cognito_user_pool.app_cognito_user_pool.id
}

No matter what I try, I always get Username, instead of Email address or phone number selected. I want the user pool not to use a username, but use an email address instead.

What Terraform argument(s) or value(s) am I missing?


Solution

  • Only set username_attributes - and not alias_attributes - to ["email"].


    Setting alias_attributes specifies the 'top part' i.e. Also sign in with verified email address / phone number.

    It specifies the extra (alias) ways you can sign in, in addition to the username.

    Setting username_attributes specifies the 'bottom part' i.e. Allow email addresses / phone numbers / both email addresses and phone numbers ...

    It specifies what to use instead of the username.


    Unset alias_attributes (as it conflicts with username_attributes) & then set username_attributes to one of the following:

    1. ["email"] - Allow email addresses
    2. ["phone_number"] - Allow phone numbers
    3. ["email", "phone_number"] - Allow both email addresses and phone numbers (users can choose one)

    In your case, you need to set username_attributes to ["email"].


    This should work:

    resource "aws_cognito_user_pool" "app_cognito_user_pool" {
      name = "app_cognito_user_pool"
    
      username_attributes      = ["email"]
      auto_verified_attributes = ["email"]
      account_recovery_setting {
        recovery_mechanism {
          name     = "verified_email"
          priority = 1
        }
      }
    }
    ...
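As an added illustration of the mapping the answer describes (not code from the question or the answer), the small lint below reads an aws_cognito_user_pool block, reports which console sign-in option its alias_attributes / username_attributes select, and flags the conflicting combination before `terraform apply`. It uses a regex over the HCL text instead of a real HCL parser, and the two sample blocks are constructed from the configurations on this page.

```python
import re
from dataclasses import dataclass, field

# Console wording from the answer: alias_attributes selects the "Also sign in
# with ..." extras; username_attributes selects what replaces the username.
USERNAME_OPTIONS = {
    frozenset({"email"}): "Allow email addresses",
    frozenset({"phone_number"}): "Allow phone numbers",
    frozenset({"email", "phone_number"}): "Allow both email addresses and phone numbers",
}

# Matches e.g. `  alias_attributes = ["email"]` (regex-based, not a full HCL parser).
_LIST_ARG = re.compile(r'^\s*(alias_attributes|username_attributes)\s*=\s*\[([^\]]*)\]', re.M)
_QUOTED = re.compile(r'"([^"]*)"')


@dataclass
class SignInMode:
    option: str                              # console option the config selects
    aliases: list = field(default_factory=list)  # extra sign-in aliases, if any
    conflict: bool = False                   # True when the provider would reject it


def classify_sign_in(hcl: str) -> SignInMode:
    """Map a pool block's alias_attributes/username_attributes to the console option."""
    args = {m.group(1): _QUOTED.findall(m.group(2)) for m in _LIST_ARG.finditer(hcl)}
    aliases = args.get("alias_attributes", [])
    usernames = frozenset(args.get("username_attributes", []))
    if aliases and usernames:
        # The two arguments conflict; surface it before the provider does.
        return SignInMode("INVALID: alias_attributes conflicts with username_attributes", aliases, True)
    if usernames:
        option = USERNAME_OPTIONS.get(usernames)
        if option is None:
            return SignInMode(f"INVALID: unsupported username_attributes {sorted(usernames)}", [], True)
        return SignInMode("Email address or phone number -> " + option)
    # No username_attributes: users sign in with a username; aliases are extras.
    return SignInMode("Username", aliases)


# Constructed samples: the question's pool (alias only) and the answer's fix.
QUESTION_POOL = '''resource "aws_cognito_user_pool" "app_cognito_user_pool" {
  alias_attributes         = ["email"]
  auto_verified_attributes = ["email"]
}'''
ANSWER_POOL = '''resource "aws_cognito_user_pool" "app_cognito_user_pool" {
  username_attributes      = ["email"]
  auto_verified_attributes = ["email"]
}'''

if __name__ == "__main__":
    for name, block in (("question", QUESTION_POOL), ("answer", ANSWER_POOL)):
        print(name, classify_sign_in(block))
```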