
Spurious "AutoFlex Flatten; incompatible types" error when reading aws_verifiedpermissions_identity_source with cognito_user_pool_configuration #45454

@mlorenc227

Description


Terraform and AWS Provider Version

Terraform v1.14.1
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v6.25.0

Affected Resource(s) or Data Source(s)

  • aws_verifiedpermissions_identity_source

Expected Behavior

When running terraform plan or apply on an existing aws_verifiedpermissions_identity_source configured with cognito_user_pool_configuration, the provider should refresh the state silently and successfully without logging errors to stderr.

Actual Behavior

When running terraform plan or apply on an existing aws_verifiedpermissions_identity_source configured with cognito_user_pool_configuration, the plan / apply operation succeeds; however, the provider logs a severe ERROR to stderr indicating a type mismatch in the AutoFlex engine. This creates significant log noise and false alarms in CI/CD pipelines.

Relevant Error/Panic Output

aws_verifiedpermissions_policy_store.test_policy_store: Refreshing state... [id=FHbC7b2yC37DqL7UR8nkE1]
aws_cognito_user_pool.test_pool: Refreshing state... [id=eu-central-1_OVnAsmn2W]
aws_cognito_user_pool_client.test_client: Refreshing state... [id=4ukuf281541mj203vln8bqf5me]
aws_verifiedpermissions_identity_source.test_identity_source: Refreshing state... [id=97zb1Ebi6q9BK7Y5pi1UZN]
2025-12-05T15:38:46.571+0100 [ERROR] provider.terraform-provider-aws_v6.25.0_x5: AutoFlex Flatten; incompatible types: autoflex.target.path=Configuration to="map[ElemType:map[AttrTypes:map[cognito_user_pool_configuration:map[ElemType:map[AttrTypes:map[client_ids:map[ElemType:map[]] group_configuration:map[ElemType:map[AttrTypes:map[group_entity_type:map[]]]] user_pool_arn:map[]]]] open_id_connect_configuration:map[ElemType:map[AttrTypes:map[entity_id_prefix:map[] group_configuration:map[ElemType:map[AttrTypes:map[group_claim:map[] group_entity_type:map[]]]] issuer:map[] token_selection:map[ElemType:map[AttrTypes:map[access_token_only:map[ElemType:map[AttrTypes:map[audiences:map[ElemType:map[]] principal_id_claim:map[]]]] identity_token_only:map[ElemType:map[AttrTypes:map[client_ids:map[ElemType:map[]] principal_id_claim:map[]]]]]]]]]]]]]" @module=aws.autoflex tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=0ddadf7a-ffcb-ca45-c7d5-9a6e73a1663b @caller=github.com/hashicorp/terraform-provider-aws/internal/framework/flex/autoflex_flatten.go:1248 autoflex.source.path=Configuration autoflex.source.type=github.com/aws/aws-sdk-go-v2/service/verifiedpermissions/types.ConfigurationDetail tf_rpc=ReadResource tf_resource_type=aws_verifiedpermissions_identity_source autoflex.target.type=github.com/hashicorp/terraform-provider-aws/internal/framework/types.ListNestedObjectValueOf[github.com/hashicorp/terraform-provider-aws/internal/service/verifiedpermissions.configuration] from=20 tf_mux_provider="*proto5server.Server" timestamp="2025-12-05T15:38:46.571+0100"

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Sample Terraform Configuration

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "6.25.0"
    }
  }
}

provider "aws" {
  region = "eu-central-1"
}

resource "aws_cognito_user_pool" "test_pool" {
  name = "avp-repro-pool"
}

resource "aws_cognito_user_pool_client" "test_client" {
  name         = "avp-repro-client"
  user_pool_id = aws_cognito_user_pool.test_pool.id
}

resource "aws_verifiedpermissions_policy_store" "test_policy_store" {
  validation_settings {
    mode = "OFF"
  }
}

resource "aws_verifiedpermissions_identity_source" "test_identity_source" {
  policy_store_id       = aws_verifiedpermissions_policy_store.test_policy_store.id
  principal_entity_type = "Test::User"

  configuration {
    cognito_user_pool_configuration {
      user_pool_arn = aws_cognito_user_pool.test_pool.arn
      client_ids    = [aws_cognito_user_pool_client.test_client.id]
    }
  }
}

Steps to Reproduce

  1. Apply the configuration.
  2. Run TF_LOG=ERROR terraform plan.
  3. Observe the AutoFlex error logged to stderr, despite the run succeeding.

Debug Logging


GenAI / LLM Assisted Development

n/a

Important Facts and References

Based on the AWS CLI output for the resource (provided below) and the AWS docs, it looks like AWS returns OIDC-specific fields alongside Cognito-specific fields in the details block.

aws verifiedpermissions get-identity-source --policy-store-id FHbC7b2yC37DqL7UR8nkE1 --identity-source-id 97zb1Ebi6q9BK7Y5pi1UZN
{
    "createdDate": "2025-12-05T13:45:05.630356+00:00",
    "details": {
        "clientIds": [
            "4ukuf281541mj203vln8bqf5me"
        ],
        "userPoolArn": "arn:aws:cognito-idp:eu-central-1:REDACTED:userpool/eu-central-1_OVnAsmn2W",
        "discoveryUrl": "https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1_OVnAsmn2W",
        "openIdIssuer": "COGNITO"
    },
    "identitySourceId": "97zb1Ebi6q9BK7Y5pi1UZN",
    "lastUpdatedDate": "2025-12-05T13:45:05.630356+00:00",
    "policyStoreId": "FHbC7b2yC37DqL7UR8nkE1",
    "principalEntityType": "Test::User"
}

The formatted schema from the AutoFlex error log:

map[
    ElemType:map[
        AttrTypes:map[
            cognito_user_pool_configuration:map[
                ElemType:map[
                    AttrTypes:map[
                        client_ids:map[ElemType:map[]]
                        group_configuration:map[ElemType:map[AttrTypes:map[group_entity_type:map[]]]]
                        user_pool_arn:map[]
                    ]
                ]
            ]
            open_id_connect_configuration:map[
                ElemType:map[
                    AttrTypes:map[
                        entity_id_prefix:map[]
                        group_configuration:map[ElemType:map[AttrTypes:map[group_claim:map[] group_entity_type:map[]]]]
                        issuer:map[]
                        token_selection:map[
                            ElemType:map[
                                AttrTypes:map[
                                    access_token_only:map[ElemType:map[AttrTypes:map[audiences:map[ElemType:map[]] principal_id_claim:map[]]]]
                                    identity_token_only:map[ElemType:map[AttrTypes:map[client_ids:map[ElemType:map[]] principal_id_claim:map[]]]]
                                ]
                            ]
                        ]
                    ]
                ]
            ]
        ]
    ]
]

Hypothesis

I have a very limited understanding of what is going on here, but from the observed behavior and logs it appears that AutoFlex reads the API response and attempts to match it to the open_id_connect_configuration schema block, which fails and produces the error log. It does not crash the run, likely because it subsequently attempts to match the cognito_user_pool_configuration schema, which succeeds.

Would you like to implement a fix?

No
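As an added illustration of the hypothesis above (example code written for this page, not the provider's or the AWS SDK's own code): a trial-and-error flatten that tries each nested block in turn logs one spurious "incompatible types" error for the branch that does not apply, while a flatten that dispatches on the concrete union member logs nothing. The union and member types are constructed stand-ins shaped like the ConfigurationDetail in the log, not the real SDK definitions.

```go
package main

import "fmt"

// Constructed stand-ins for the SDK union types.ConfigurationDetail seen in the log; not the real SDK definitions.
type ConfigurationDetail interface{ isConfigurationDetail() }
type CognitoUserPoolConfigurationDetail struct{ UserPoolArn string }
type OpenIdConnectConfigurationDetail struct{ Issuer string }

func (CognitoUserPoolConfigurationDetail) isConfigurationDetail() {}
func (OpenIdConnectConfigurationDetail) isConfigurationDetail()   {}

// configuration mirrors the Terraform "configuration" block: exactly one of the
// two nested blocks should be set after a refresh.
type configuration struct {
	CognitoUserPoolConfiguration *CognitoUserPoolConfigurationDetail
	OpenIDConnectConfiguration   *OpenIdConnectConfigurationDetail
}

// flattenByTrial models the behaviour the report hypothesises: each target block is tried in turn
// and every non-matching branch emits an ERROR, although the value still lands in the right block.
func flattenByTrial(src ConfigurationDetail) (configuration, []string) {
	var out configuration
	var logs []string // stands in for the provider's stderr output
	if v, ok := src.(OpenIdConnectConfigurationDetail); ok {
		out.OpenIDConnectConfiguration = &v
	} else {
		logs = append(logs, fmt.Sprintf("AutoFlex Flatten; incompatible types: %T to open_id_connect_configuration", src))
	}
	if v, ok := src.(CognitoUserPoolConfigurationDetail); ok {
		out.CognitoUserPoolConfiguration = &v
	} else {
		logs = append(logs, fmt.Sprintf("AutoFlex Flatten; incompatible types: %T to cognito_user_pool_configuration", src))
	}
	return out, logs
}

// flattenByMember dispatches on the concrete union member once, so the branch
// that does not apply is never attempted and nothing spurious is logged.
func flattenByMember(src ConfigurationDetail) (configuration, error) {
	var out configuration
	switch v := src.(type) {
	case CognitoUserPoolConfigurationDetail:
		out.CognitoUserPoolConfiguration = &v
	case OpenIdConnectConfigurationDetail:
		out.OpenIDConnectConfiguration = &v
	default:
		return out, fmt.Errorf("unsupported configuration detail %T", src)
	}
	return out, nil
}
```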

Labels

  • bug: Addresses a defect in current functionality.
  • needs-triage: Waiting for first response or review from a maintainer.
  • service/cognitoidp: Issues and PRs that pertain to the cognitoidp service.
  • service/verifiedpermissions: Issues and PRs that pertain to the verifiedpermissions service.
