Looking for guidance with `aws_cognito_user` resource

Hey folks!

I’m looking at using the aws_cognito_user resource so that we can pre-populate environments with known users.

Whilst trying it out, I found a situation where a declaration such as the one below gives me some fun behaviour with Terraform and our on-boarding process.

```hcl
resource "aws_cognito_user" "example" {
  user_pool_id = <pool_id>
  username     = "ciaran.evans@email.com"

  attributes = {
    email          = "ciaran.evans@email.com"
    email_verified = true
  }
  desired_delivery_mediums = ["EMAIL"]
}
```

Our user pool also declares that a user has the given_name and family_name attributes. When creating the users, we let them change those on their initial login (whilst they change the temporary password).

When I created a user with the resource, then reset the password & attributes, then ran a terraform plan again, it wanted to clear the attributes the user had just set.

This is completely understandable: Terraform stated those are empty, so why shouldn’t it put them to empty again? It’s just not great, as any time we deploy again, we’ll cause a user to have to re-populate these fields.

Does anyone have suggestions as to how we could avoid this behaviour?

I’ve tried populating the attributes as blank strings, but I get a similar situation where a further deploy would wipe the user-set ones.

Is there a nice way to mark a field as ‘if this has changed external to terraform, adopt the change’?

I have a suspicion the only real answer is to pre-populate these fields and hope they’re correct.

Thanks in advance!
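
An added example, not part of the original post: Terraform's `lifecycle` meta-argument `ignore_changes` is the general mechanism for leaving externally changed values alone, applied here to the two attributes users set at first login. The `user_pool_id` variable is an assumption standing in for the pool ID elided in the post.

```hcl
# Added example, not from the original post.
variable "user_pool_id" {
  type        = string
  description = "ID of the existing Cognito user pool (assumed input)."
}

resource "aws_cognito_user" "example" {
  user_pool_id = var.user_pool_id
  username     = "ciaran.evans@email.com"

  attributes = {
    email          = "ciaran.evans@email.com"
    email_verified = true
  }

  desired_delivery_mediums = ["EMAIL"]

  lifecycle {
    # Keep whatever the user entered at first login. Terraform still
    # manages email and email_verified and reports drift on those keys.
    ignore_changes = [
      attributes["given_name"],
      attributes["family_name"],
    ]
  }
}
```

Ignoring the whole `attributes` map instead would also stop Terraform from reverting out-of-band changes to `email` and `email_verified`, so the narrower key list keeps drift detection on the identity-relevant fields. Run `terraform plan` after a user has updated their name to confirm the plan is empty with your provider version.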