terraform state is not idempotent if device tracking is off

[wesnick]

I am unable to use device tracking currently because of the limitation it places on using refresh tokens.

I am able to successfully turn device tracking off by using this combination of parameters

  device_only_remembered_on_user_prompt = null
  challenge_required_on_new_device = null

but the result is that a change is always detected:

• Should I not be using this module if I don't need device tracking?
• is there a way to ignore these lifecycle changes (I don't think you can pass lifecycle blocks in modules, but I am not sure)

Alternatively I could open a PR? Maybe add an enable_device_tracking boolean parameter that would omit the device_configuration block if false?

[mariux]

hi @wesnick, thanks for reporting this.

Oh yes, this actually is bad behavior. let me shortly look into the code.

[mariux]

As device_only_remembered_on_user_prompt is a boolean value in the AWS provider, what do you think about a solution like this to make behavior clear to the user:

Replace device_only_remembered_on_user_prompt with a variable user_device_tracking of type string which can be OFF, USER_OPT_IN or ALWAYS. This would actually map the behavior of the AWS console. The block should only be rendered when the variable is USER_OPT_IN or ALWAYS (so any other value is considered OFF).

wdyt?

[wesnick]

This sounds like a good plan

[mariux]

We just released v0.3.0 can you test if this fixes your issue. Since this is a breaking change, I added a migration path in the CHANGELOG and release notes. Please reopen if this is not fixing your issue.

[wesnick]

thanks! I will test it out now and report back

[wesnick]

this works great. thanks!

[mariux]

happy to hear this... let us know if you have any suggestions on how to improve defaults even further in a new issue.. ;) happy terraforming..