[Bug]: Unable to remove email MFA configuration #41064

Open
hanoj-budime opened this issue Jan 24, 2025 · 2 comments
Labels
bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. service/cognitoidp Issues and PRs that pertain to the cognitoidp service.

Comments

@hanoj-budime

Terraform Core Version

1.4

AWS Provider Version

5.84.0

Affected Resource(s)

Unable to remove the email MFA configuration in the aws_cognito_user_pool resource.
Using Terraform code, I am unable to deselect Email MFA from the MFA methods. For more details, check the screenshot below.

From this

Image

To this

Image

Expected Behavior

Image

resource "aws_cognito_user_pool" "user_pool" {
  name = local.pool_name
  account_recovery_setting {
    recovery_mechanism {
      name     = "verified_email"
      priority = 1
    }
    recovery_mechanism {
      name     = "verified_phone_number"
      priority = 2
    }
  }
  email_configuration {
    email_sending_account = "DEVELOPER"
    source_arn            = local.email_configuration_source_arn
  }
 
  # Example check this
  # I'm commenting on this code configuration to remove the email MFA option from the user pool, but it's not removing the email MFA option.
  # email_mfa_configuration {
  #   message = var.authentication_body
  #   subject = local.authentication_subject
  # }

  mfa_configuration          = "ON"
  sms_authentication_message = "Your code is {####}"
  sms_configuration {
    external_id    = local.pool_name
    sns_caller_arn = local.sns_caller_arn
    sns_region     = var.aws_region
  }
  software_token_mfa_configuration {
    enabled = true
  }
}

Actual Behavior

 # aws_cognito_user_pool.user_pool will be updated in-place
  ~ resource "aws_cognito_user_pool" "user_pool" {
        id                         = "us-west-2_XXXXXXXX"
        name                       = "xxxx-scratch-test"
        tags                       = {}
        # (17 unchanged attributes hidden)
      ~ email_mfa_configuration {
          - message = "Your authentication code is {####}" -> null
          - subject = "Test Sign In" -> null
        }
        # (8 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
aws_cognito_user_pool.user_pool: Modifying... [id=us-west-2_XXXXXXXX]
aws_cognito_user_pool.user_pool: Modifications complete after 2s [id=us-west-2_XXXXXXXX]
Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Apply shows update in place, but the Cognito user pool is never updated. Please check the screenshot below.

Image

Relevant Error/Panic Output Snippet

Terraform Configuration Files

Check out the Expected Behavior section; I have provided the code.

Steps to Reproduce

Remove or disable Email MFA from a user pool

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

#40734

Would you like to implement a fix?

None

@hanoj-budime hanoj-budime added the bug Addresses a defect in current functionality. label Jan 24, 2025
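
One way to confirm whether the live pool still has email MFA after the apply reported above, as an added example that is not part of the original issue or the provider's code: it inspects the JSON returned by `aws cognito-idp get-user-pool-mfa-config`. The sample response is constructed, the function names are hypothetical, and treating a factor as active when its block is present is an assumption.

```python
import json

# Constructed sample of `aws cognito-idp get-user-pool-mfa-config` output for a
# pool where email MFA is still set after the apply (ARN and IDs are placeholders).
SAMPLE_RESPONSE = json.loads("""
{
  "MfaConfiguration": "ON",
  "SmsMfaConfiguration": {
    "SmsAuthenticationMessage": "Your code is {####}",
    "SmsConfiguration": {"SnsCallerArn": "arn:aws:iam::111122223333:role/example", "ExternalId": "example"}
  },
  "SoftwareTokenMfaConfiguration": {"Enabled": true},
  "EmailMfaConfiguration": {"Message": "Your authentication code is {####}", "Subject": "Test Sign In"}
}
""")


def active_mfa_factors(resp):
    """Return the set of MFA factors the live pool reports as configured."""
    factors = set()
    # Assumption: SMS and email count as active when their block is present and non-empty.
    if (resp.get("SmsMfaConfiguration") or {}).get("SmsConfiguration"):
        factors.add("sms")
    if resp.get("EmailMfaConfiguration"):
        factors.add("email")
    if (resp.get("SoftwareTokenMfaConfiguration") or {}).get("Enabled") is True:
        factors.add("software_token")
    return factors


def mfa_drift(resp, intended_factors, intended_mode="ON"):
    """Compare live MFA state with what the Terraform configuration declares."""
    live = active_mfa_factors(resp)
    intended = set(intended_factors)
    return {
        "unexpected": sorted(live - intended),  # still enabled on the pool
        "missing": sorted(intended - live),     # declared but not enabled
        "mode_mismatch": resp.get("MfaConfiguration") != intended_mode,
    }


if __name__ == "__main__":
    # Intended state from the configuration in the report: SMS and TOTP, no email.
    report = mfa_drift(SAMPLE_RESPONSE, {"sms", "software_token"})
    print(report)
    raise SystemExit(1 if report["unexpected"] or report["missing"] or report["mode_mismatch"] else 0)
```

Run after `terraform apply` in a pipeline, a non-zero exit flags the case in this report, where the apply succeeds but the pool keeps a factor the configuration no longer declares.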

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions; they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added service/cognitoidp Issues and PRs that pertain to the cognitoidp service. needs-triage Waiting for first response or review from a maintainer. labels Jan 24, 2025
@hanoj-budime

Can someone please urgently fix this issue? Our latest feature is not supporting a smooth update for existing resources.

@justinretzolk
@ewbankkit

Related PR, Issue
#40734
