Cognito: Cannot create cfn user pool with only email MFA enabled #32615

Open
dpetzev opened this issue Dec 20, 2024 · 6 comments
Labels
@aws-cdk/aws-cognito Related to Amazon Cognito bug This issue is a bug. effort/small Small work item – less than a day of effort needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. p2

Comments

@dpetzev

dpetzev commented Dec 20, 2024

Describe the bug

Trying to create a Cognito user pool using the L1 construct and ONLY email MFA enabled leads to an error in CloudFormation.

This DOES work if I create the same user pool without any MFA enabled and then go to the AWS console and update it manually to have email only MFA.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

CloudFormation is able to create the requested resource without issues.

Current Behavior

Error in CloudFormation with this message:

Resource handler returned message: "SMS configuration and Auto verification for phone_number are required when MFA is required/optional (Service: CognitoIdentityProvider, Status Code: 400, Request ID: ..., HandlerErrorCode: InvalidRequest)"

Reproduction Steps

Here is an example of a stack that yields the error in CloudFormation

```typescript
import * as cognito from 'aws-cdk-lib/aws-cognito';
import { App, Stack, StackProps } from 'aws-cdk-lib/core';

export class AuthStack extends Stack {
  constructor(scope: App, id: string, props?: StackProps) {
    super(scope, id, props);

    // L1 (CfnUserPool) resource: only EMAIL_OTP is enabled, no SMS_MFA.
    // Deploying this produces the CloudFormation error quoted above.
    const userPool = new cognito.CfnUserPool(this, 'UserPool', {
      userPoolName: 'UserPool123',
      adminCreateUserConfig: {
        allowAdminCreateUserOnly: true,
        unusedAccountValidityDays: 1,
      },
      usernameAttributes: ['email'],
      usernameConfiguration: {
        caseSensitive: false,
      },
      enabledMfas: ['EMAIL_OTP'],
      mfaConfiguration: 'OPTIONAL',
    });
  }
}
```

Possible Solution

No response

Additional Information/Context

Very similar bug, but with OTP only MFA enabled #11478

CDK CLI Version

2.173.2

Framework Version

No response

Node.js Version

v18.19.1

OS

Mac OS

Language

TypeScript

Language Version

No response

Other information

No response

@dpetzev dpetzev added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 20, 2024
@github-actions github-actions bot added the @aws-cdk/aws-cognito Related to Amazon Cognito label Dec 20, 2024
@khushail khushail added needs-reproduction This issue needs reproduction. p2 and removed needs-triage This issue or PR still needs to be triaged. labels Dec 20, 2024
@khushail khushail self-assigned this Dec 20, 2024
@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-reproduction This issue needs reproduction. labels Dec 23, 2024
@khushail
Contributor

Hi @dpetzev, thanks for reporting this. I am able to repro the issue with the given code:

[Screenshot 2024-12-26 at 1:16:48 PM]

@khushail
Contributor

@dpetzev, I see that it's mentioned in the CloudFormation docs to provide EmailConfiguration as well. Could you please try including the config changes as mentioned and see if that works for you:

EnabledMfas

    Set enabled MFA options on a specified user pool. To disable all MFAs after it has been enabled, set MfaConfiguration to OFF and remove EnabledMfas. MFAs can only be all disabled if MfaConfiguration is OFF. After you enable SMS_MFA, you can only disable it by setting MfaConfiguration to OFF. Can be one of the following values:

        SMS_MFA - Enables MFA with SMS for the user pool. To select this option, you must also provide values for SmsConfiguration.

        SOFTWARE_TOKEN_MFA - Enables software token MFA for the user pool.

        EMAIL_OTP - Enables MFA with email for the user pool. To select this option, you must provide values for EmailConfiguration and within those, set EmailSendingAccount to DEVELOPER.

    Allowed values: SMS_MFA | SOFTWARE_TOKEN_MFA | EMAIL_OTP

    Required: No

    Type: Array of String

@khushail khushail added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Dec 26, 2024
@dpetzev
Author

dpetzev commented Dec 27, 2024

Hey @khushail, thanks for looking into it. Yes, I had the EmailConfiguration defined as well in the user pool; I just omitted it for brevity. Still the same error. It looks similar to:

```typescript
emailConfiguration: {
  emailSendingAccount: 'DEVELOPER',
  sourceArn: 'arn:aws:ses:eu-central-1:...',
},
```

It seems to me like it's a bug on the CloudFormation part, since the same configuration (user pool with email sending account + only email MFA enabled) is possible through the AWS console, just not with using CloudFormation.
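
The two constraints quoted from the CloudFormation docs above (SMS_MFA needs SmsConfiguration; EMAIL_OTP needs EmailConfiguration with EmailSendingAccount set to DEVELOPER) and the extra, undocumented demand in the error message (SmsConfiguration plus auto-verified phone_number whenever MfaConfiguration is ON or OPTIONAL) can be checked before synth. The block below is an added example, not code from this issue or from aws-cdk: a small pre-synth checker over the same CfnUserPool properties, with the types declared inline so it runs without aws-cdk-lib, plus a helper that models the workaround the reporter describes (create the pool with MFA OFF, then enable email MFA afterwards). The sample inputs, including the SES ARN, are constructed; the function and type names are my own.

```typescript
// Added example (not aws-cdk or Cognito code). Types mirror the subset of
// AWS::Cognito::UserPool properties used in this issue, declared inline so the
// file runs without aws-cdk-lib.
type Mfa = 'SMS_MFA' | 'SOFTWARE_TOKEN_MFA' | 'EMAIL_OTP';
type MfaConfiguration = 'OFF' | 'ON' | 'OPTIONAL';

interface UserPoolMfaProps {
  mfaConfiguration?: MfaConfiguration;
  enabledMfas?: Mfa[];
  smsConfiguration?: { snsCallerArn: string; externalId?: string; snsRegion?: string };
  emailConfiguration?: { emailSendingAccount?: 'COGNITO_DEFAULT' | 'DEVELOPER'; sourceArn?: string; from?: string };
  autoVerifiedAttributes?: string[];
}

interface Finding { severity: 'error' | 'warning'; message: string }

function has<T>(xs: T[] | undefined, x: T): boolean {
  return (xs ?? []).indexOf(x) !== -1;
}

// Checks the documented preconditions (errors) and the behaviour this issue
// reports at create time (warning), so a template is rejected locally instead
// of failing during the CloudFormation deploy.
function checkMfaProps(p: UserPoolMfaProps): Finding[] {
  const findings: Finding[] = [];
  const mfa = p.mfaConfiguration ?? 'OFF';
  const enabled = p.enabledMfas ?? [];

  // Documented: MFAs can only all be disabled when MfaConfiguration is OFF.
  if (mfa !== 'OFF' && enabled.length === 0) {
    findings.push({ severity: 'error', message: `MfaConfiguration is ${mfa} but EnabledMfas is empty` });
  }
  // Documented: SMS_MFA requires SmsConfiguration.
  if (has(enabled, 'SMS_MFA') && !p.smsConfiguration) {
    findings.push({ severity: 'error', message: 'SMS_MFA requires SmsConfiguration' });
  }
  // Documented: EMAIL_OTP requires EmailConfiguration.EmailSendingAccount = DEVELOPER.
  if (has(enabled, 'EMAIL_OTP') && p.emailConfiguration?.emailSendingAccount !== 'DEVELOPER') {
    findings.push({ severity: 'error', message: 'EMAIL_OTP requires EmailConfiguration with EmailSendingAccount = DEVELOPER' });
  }
  // Observed in aws-cdk#32615 (not documented): with MFA ON/OPTIONAL and no SMS_MFA,
  // CloudFormation still rejects the create with "SMS configuration and Auto
  // verification for phone_number are required when MFA is required/optional",
  // even when EMAIL_OTP is configured correctly.
  if (mfa !== 'OFF' && !has(enabled, 'SMS_MFA')) {
    const smsReady = !!p.smsConfiguration && has(p.autoVerifiedAttributes, 'phone_number');
    if (!smsReady) {
      findings.push({
        severity: 'warning',
        message: 'CloudFormation currently rejects creating a non-SMS MFA pool (aws-cdk#32615); ' +
          'create with MfaConfiguration OFF and enable MFA after creation',
      });
    }
  }
  return findings;
}

// Models the reporter's workaround: the create-time props carry MFA OFF and no
// EnabledMfas (which CloudFormation accepts); the MFA settings are returned
// separately to be applied to the existing pool afterwards.
function splitForWorkaround(p: UserPoolMfaProps): {
  createProps: UserPoolMfaProps;
  postCreate: { mfaConfiguration: MfaConfiguration; enabledMfas: Mfa[] };
} {
  const { mfaConfiguration, enabledMfas, ...rest } = p;
  return {
    createProps: { ...rest, mfaConfiguration: 'OFF' },
    postCreate: { mfaConfiguration: mfaConfiguration ?? 'OFF', enabledMfas: enabledMfas ?? [] },
  };
}

// Constructed sample inputs (the SES ARN is a placeholder, not a real identity).
const emailOnlyMissingEmailConfig: UserPoolMfaProps = {
  mfaConfiguration: 'OPTIONAL',
  enabledMfas: ['EMAIL_OTP'],
};
const emailOnlyDeveloperEmail: UserPoolMfaProps = {
  ...emailOnlyMissingEmailConfig,
  emailConfiguration: {
    emailSendingAccount: 'DEVELOPER',
    sourceArn: 'arn:aws:ses:eu-central-1:123456789012:identity/example.com',
  },
};

for (const f of checkMfaProps(emailOnlyDeveloperEmail)) {
  console.log(`${f.severity}: ${f.message}`);
}
```

Run the checker in a unit test or a CI step next to `cdk synth`; the `splitForWorkaround` output is what you would feed to the create step and to the post-create MFA update. The thread only mentions doing that second step in the console; I assume the equivalent CLI call is `aws cognito-idp set-user-pool-mfa-config`, which is not stated on this page.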

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Dec 27, 2024
@khushail
Contributor

khushail commented Dec 27, 2024

@dpetzev, thanks for confirming that. Since it's an L1 construct that is causing the error, this is definitely a CloudFormation issue. I will be creating an issue with the CloudFormation team and you could follow the same for updates. Hope that would be helpful!

@khushail khushail added the needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. label Dec 27, 2024
@khushail khushail removed their assignment Dec 27, 2024
@khushail khushail added the effort/small Small work item – less than a day of effort label Dec 27, 2024
@khushail
Contributor

khushail commented Dec 27, 2024

@dpetzev, issue created with the CloudFormation team: aws-cloudformation/cloudformation-coverage-roadmap#2221.

@dpetzev
Author

dpetzev commented Dec 27, 2024

@khushail Thanks!
