» Resource: aws_cognito_user_pool
Provides a Cognito User Pool resource.
» Example Usage
» Basic configuration
resource "aws_cognito_user_pool" "pool" {
name = "mypool"
}
» Argument Reference
The following arguments are supported:
-
admin_create_user_config
(Optional) - The configuration for AdminCreateUser requests. -
alias_attributes
- (Optional) Attributes supported as an alias for this user pool. Possible values: phone_number, email, or preferred_username. Conflicts withusername_attributes
. -
auto_verified_attributes
- (Optional) The attributes to be auto-verified. Possible values: email, phone_number. -
device_configuration
(Optional) - The configuration for the user pool's device tracking. -
email_configuration
(Optional) - The Email Configuration. -
name
- (Required) The name of the user pool. -
email_verification_subject
- (Optional) A string representing the email verification subject. Conflicts withverification_message_template
configuration blockemail_subject
argument. -
email_verification_message
- (Optional) A string representing the email verification message. Conflicts withverification_message_template
configuration blockemail_message
argument. -
lambda_config
(Optional) - A container for the AWS Lambda triggers associated with the user pool. -
mfa_configuration
- (Optional, Default: OFF) Set to enable multi-factor authentication. Must be one of the following values (ON, OFF, OPTIONAL) -
password_policy
(Optional) - A container for information about the user pool password policy. -
schema
(Optional) - A container with the schema attributes of a user pool. Maximum of 50 attributes. -
sms_authentication_message
- (Optional) A string representing the SMS authentication message. -
sms_configuration
(Optional) - The SMS Configuration. -
sms_verification_message
- (Optional) A string representing the SMS verification message. Conflicts withverification_message_template
configuration blocksms_message
argument. -
tags
- (Optional) A mapping of tags to assign to the User Pool. -
username_attributes
- (Optional) Specifies whether email addresses or phone numbers can be specified as usernames when a user signs up. Conflicts withalias_attributes
. -
user_pool_add_ons
- (Optional) Configuration block for user pool add-ons to enable user pool advanced security mode features. -
verification_message_template
(Optional) - The verification message templates configuration.
» Admin Create User Config
-
allow_admin_create_user_only
(Optional) - Set to True if only the administrator is allowed to create user profiles. Set to False if users can sign themselves up via an app. -
invite_message_template
(Optional) - The invite message template structure. -
unused_account_validity_days
(Optional) - The user account expiration limit, in days, after which the account is no longer usable.
» Invite Message template
-
email_message
(Optional) - The message template for email messages. Must contain{username}
and{####}
placeholders, for username and temporary password, respectively. -
email_subject
(Optional) - The subject line for email messages. -
sms_message
(Optional) - The message template for SMS messages. Must contain{username}
and{####}
placeholders, for username and temporary password, respectively.
» Device Configuration
-
challenge_required_on_new_device
(Optional) - Indicates whether a challenge is required on a new device. Only applicable to a new device. -
device_only_remembered_on_user_prompt
(Optional) - If true, a device is only remembered on user prompt.
» Email Configuration
-
reply_to_email_address
(Optional) - The REPLY-TO email address. -
source_arn
(Optional) - The ARN of the email source.
» Lambda Configuration
-
create_auth_challenge
(Optional) - The ARN of the lambda creating an authentication challenge. -
custom_message
(Optional) - A custom Message AWS Lambda trigger. -
define_auth_challenge
(Optional) - Defines the authentication challenge. -
post_authentication
(Optional) - A post-authentication AWS Lambda trigger. -
post_confirmation
(Optional) - A post-confirmation AWS Lambda trigger. -
pre_authentication
(Optional) - A pre-authentication AWS Lambda trigger. -
pre_sign_up
(Optional) - A pre-registration AWS Lambda trigger. -
pre_token_generation
(Optional) - Allow to customize identity token claims before token generation. -
user_migration
(Optional) - The user migration Lambda config type. -
verify_auth_challenge_response
(Optional) - Verifies the authentication challenge response.
» Password Policy
-
minimum_length
(Optional) - The minimum length of the password policy that you have set. -
require_lowercase
(Optional) - Whether you have required users to use at least one lowercase letter in their password. -
require_numbers
(Optional) - Whether you have required users to use at least one number in their password. -
require_symbols
(Optional) - Whether you have required users to use at least one symbol in their password. -
require_uppercase
(Optional) - Whether you have required users to use at least one uppercase letter in their password.
» Schema Attributes
NOTE: When defining an attribute_data_type
of String
or Number
, the respective attribute constraints configuration block (e.g string_attribute_constraints
or number_attribute_contraints
) is required to prevent recreation of the Terraform resource. This requirement is true for both standard (e.g. name, email) and custom schema attributes.
-
attribute_data_type
(Required) - The attribute data type. Must be one ofBoolean
,Number
,String
,DateTime
. -
developer_only_attribute
(Optional) - Specifies whether the attribute type is developer only. -
mutable
(Optional) - Specifies whether the attribute can be changed once it has been created. -
name
(Required) - The name of the attribute. -
number_attribute_constraints
(Optional) - Specifies the constraints for an attribute of the number type. -
required
(Optional) - Specifies whether a user pool attribute is required. If the attribute is required and the user does not provide a value, registration or sign-in will fail. -
string_attribute_constraints
(Optional) -Specifies the constraints for an attribute of the string type.
» Number Attribute Constraints
-
max_value
(Optional) - The maximum value of an attribute that is of the number data type. -
min_value
(Optional) - The minimum value of an attribute that is of the number data type.
» String Attribute Constraints
-
max_length
(Optional) - The maximum length of an attribute value of the string type. -
min_length
(Optional) - The minimum length of an attribute value of the string type.
» SMS Configuration
-
external_id
(Required) - The external ID used in IAM role trust relationships. For more information about using external IDs, see How to Use an External ID When Granting Access to Your AWS Resources to a Third Party. -
sns_caller_arn
(Required) - The ARN of the Amazon SNS caller. This is usually the IAM role that you've given Cognito permission to assume.
» User Pool Add-ons
-
advanced_security_mode
(Required) - The mode for advanced security, must be one ofOFF
,AUDIT
orENFORCED
.
» Verification Message Template
-
default_email_option
(Optional) - The default email option. Must be eitherCONFIRM_WITH_CODE
orCONFIRM_WITH_LINK
. Defaults toCONFIRM_WITH_CODE
. -
email_message
(Optional) - The email message template. Must contain the{####}
placeholder. Conflicts withemail_verification_message
argument. -
email_message_by_link
(Optional) - The email message template for sending a confirmation link to the user, it must contain the{##Click Here##}
placeholder. -
email_subject
(Optional) - The subject line for the email message template. Conflicts withemail_verification_subject
argument. -
email_subject_by_link
(Optional) - The subject line for the email message template for sending a confirmation link to the user. -
sms_message
(Optional) - The SMS message template. Must contain the{####}
placeholder. Conflicts withsms_verification_message
argument.
» Attribute Reference
In addition to all arguments above, the following attributes are exported:
-
id
- The id of the user pool. -
arn
- The ARN of the user pool. -
endpoint
- The endpoint name of the user pool. Example format: cognito-idp.REGION.amazonaws.com/xxxx_yyyyy -
creation_date
- The date the user pool was created. -
last_modified_date
- The date the user pool was last modified.
» Import
Cognito User Pools can be imported using the id
, e.g.
$ terraform import aws_cognito_user_pool.pool <id>