At the time of this write up, if you look at Terraform’s documentation for aws_userpool_client, you will notice that there is an attribute called “refresh_token_validity”. At the same time, you might also notice that there’s no attribute for “access_token_validity” or “id_token_validity”.
The reason is because AWS did not implement the ability to do so in their API until August 12, 2020.
Terraform has recently added this ability; You must ensure the version the AWS Terraform provider must be version 3.32.0 or above to use this feature.
Here’s an example of how to use it
By adding the
token_validity_units block, you specify the units for each token’s validity. Based on the updated Terraform documentation, these values and the block itself are optional. If you do not specify them, the default will be used.
Token Validity Units Defaults
- Access Token: Hours
- Id Token: Hours
- Refresh Token: Days
Once you’ve specified token validity units, the numbers you provide for access_token_validity, id_token_validity, and refresh_token_validity will be formatted accordingly.
Beware Of Gotchas
Thanks to this new powerful code block, you maybe tempted to provide fine grained numbers that specify down to 1 second. What Terraform’s documentation does not tell you is that AWS has hard limits for the token validity range of each token type. Terraform cannot escape the laws of AWS API limits. Failure to obey these limits will result in “InvalidParameterException: Invalid range for token validity”.
Here are the limits outlined by AWS:
- Refesh Token: 60 mins – 3650 days (10 years)
- Access Token: 5 mins – 1 day (Must be less than or equal to refresh token expiry)
- ID Token: 5 mins – 1 day (Must be less than or equal to refresh token expiry)
Happy Terraforming 🙂