No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Are you setting the policy inside an `apply`? `apply` isn't deterministic so _pulumi preview_ can't tell what the value will be; it may be reporting a potential change to be on the safe side.

You could either change the code to allow Pulumi to figure out the value during _preview_, or you could add an _ignoreChanges_ opt.

Thanks but I think no? I am simply use `new aws.cognito.UserPool()` to declare the resource.

And that's not inside a call to `apply()`? In that case  I don't know. You could set the actual value in the args so that it's not relying on the default.
```const userPool = new aws.cognito.UserPool("guests", {
  passwordPolicy: {
    minimumLength: 20,
    requireLowercase: false,
    requireNumbers: false,
    requireSymbols: false,
    requireUppsercase: false,
    temporaryPasswordValidity: -1
  }
});```

No it’s not. And yeah it’s all explicit declared…that’s odd.
```export const userPool = new aws.cognito.UserPool(
  resourceName(stack, "user-pool", "cognito"),
  {
    ...
    passwordPolicy: {
      minimumLength: 8,
      requireLowercase: true,
      requireNumbers: true,
      requireSymbols: true,
      requireUppercase: true,
    },
    ...
  }
);```

image.png

Have a look at the detailed difference, maybe there's more info there.