resource/aws_cognito_user_pool_client: Add support for `application_a…

…rn` in the `analytics_configuration` block (#16734) Reference: #16481 Output from acceptance testing in AWS Commercial: ``` --- PASS: TestAccAWSCognitoUserPoolClient_allFields (27.33s) --- PASS: TestAccAWSCognitoUserPoolClient_allFieldsUpdatingOneField (38.51s) --- PASS: TestAccAWSCognitoUserPoolClient_analyticsConfig (51.18s) --- PASS: TestAccAWSCognitoUserPoolClient_analyticsConfigWithArn (29.25s) --- PASS: TestAccAWSCognitoUserPoolClient_basic (28.54s) --- PASS: TestAccAWSCognitoUserPoolClient_disappears (24.96s) --- PASS: TestAccAWSCognitoUserPoolClient_Name (38.85s) --- PASS: TestAccAWSCognitoUserPoolClient_RefreshTokenValidity (38.14s) ``` Output from acceptance testing in AWS GovCloud (US): ``` --- FAIL: TestAccAWSCognitoUserPoolClient_analyticsConfig (20.37s) # #15722 --- FAIL: TestAccAWSCognitoUserPoolClient_analyticsConfigWithArn (20.33s) # #15722 --- PASS: TestAccAWSCognitoUserPoolClient_allFields (31.97s) --- PASS: TestAccAWSCognitoUserPoolClient_allFieldsUpdatingOneField (43.43s) --- PASS: TestAccAWSCognitoUserPoolClient_basic (31.46s) --- PASS: TestAccAWSCognitoUserPoolClient_disappears (27.90s) --- PASS: TestAccAWSCognitoUserPoolClient_Name (43.75s) --- PASS: TestAccAWSCognitoUserPoolClient_RefreshTokenValidity (45.01s) ```
hashicorp · Feb 18, 2021 · b641c40 · b641c40
1 parent bf4f55c
commit b641c40
Showing 4 changed files with 111 additions and 34 deletions.
diff --git a/.changelog/16734.txt b/.changelog/16734.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_cognito_user_pool_client: Add support for `application_arn` in the `analytics_configuration` block.
+```
diff --git a/aws/resource_aws_cognito_user_pool_client.go b/aws/resource_aws_cognito_user_pool_client.go
@@ -51,17 +51,8 @@ func resourceAwsCognitoUserPoolClient() *schema.Resource {
 				Type:     schema.TypeSet,
 				Optional: true,
 				Elem: &schema.Schema{
-					Type: schema.TypeString,
-					ValidateFunc: validation.StringInSlice([]string{
-						cognitoidentityprovider.ExplicitAuthFlowsTypeAdminNoSrpAuth,
-						cognitoidentityprovider.ExplicitAuthFlowsTypeCustomAuthFlowOnly,
-						cognitoidentityprovider.ExplicitAuthFlowsTypeUserPasswordAuth,
-						cognitoidentityprovider.ExplicitAuthFlowsTypeAllowAdminUserPasswordAuth,
-						cognitoidentityprovider.ExplicitAuthFlowsTypeAllowCustomAuth,
-						cognitoidentityprovider.ExplicitAuthFlowsTypeAllowUserPasswordAuth,
-						cognitoidentityprovider.ExplicitAuthFlowsTypeAllowUserSrpAuth,
-						cognitoidentityprovider.ExplicitAuthFlowsTypeAllowRefreshTokenAuth,
-					}, false),
+					Type:         schema.TypeString,
+					ValidateFunc: validation.StringInSlice(cognitoidentityprovider.ExplicitAuthFlowsType_Values(), false),
 				},
 			},
 
@@ -93,12 +84,8 @@ func resourceAwsCognitoUserPoolClient() *schema.Resource {
 				Optional: true,
 				MaxItems: 3,
 				Elem: &schema.Schema{
-					Type: schema.TypeString,
-					ValidateFunc: validation.StringInSlice([]string{
-						cognitoidentityprovider.OAuthFlowTypeCode,
-						cognitoidentityprovider.OAuthFlowTypeImplicit,
-						cognitoidentityprovider.OAuthFlowTypeClientCredentials,
-					}, false),
+					Type:         schema.TypeString,
+					ValidateFunc: validation.StringInSlice(cognitoidentityprovider.OAuthFlowType_Values(), false),
 				},
 			},
 
@@ -166,17 +153,28 @@ func resourceAwsCognitoUserPoolClient() *schema.Resource {
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"application_id": {
-							Type:     schema.TypeString,
-							Required: true,
+							Type:         schema.TypeString,
+							Optional:     true,
+							ExactlyOneOf: []string{"analytics_configuration.0.application_id", "analytics_configuration.0.application_arn"},
+						},
+						"application_arn": {
+							Type:          schema.TypeString,
+							Optional:      true,
+							ExactlyOneOf:  []string{"analytics_configuration.0.application_id", "analytics_configuration.0.application_arn"},
+							ConflictsWith: []string{"analytics_configuration.0.external_id", "analytics_configuration.0.role_arn"},
+							ValidateFunc:  validateArn,
 						},
 						"external_id": {
-							Type:     schema.TypeString,
-							Required: true,
+							Type:          schema.TypeString,
+							ConflictsWith: []string{"analytics_configuration.0.application_arn"},
+							Optional:      true,
 						},
 						"role_arn": {
-							Type:         schema.TypeString,
-							Required:     true,
-							ValidateFunc: validateArn,
+							Type:          schema.TypeString,
+							Optional:      true,
+							Computed:      true,
+							ConflictsWith: []string{"analytics_configuration.0.application_arn"},
+							ValidateFunc:  validateArn,
 						},
 						"user_data_shared": {
 							Type:     schema.TypeBool,
@@ -424,10 +422,22 @@ func expandAwsCognitoUserPoolClientAnalyticsConfig(l []interface{}) *cognitoiden
 
 	m := l[0].(map[string]interface{})
 
-	analyticsConfig := &cognitoidentityprovider.AnalyticsConfigurationType{
-		ApplicationId: aws.String(m["application_id"].(string)),
-		ExternalId:    aws.String(m["external_id"].(string)),
-		RoleArn:       aws.String(m["role_arn"].(string)),
+	analyticsConfig := &cognitoidentityprovider.AnalyticsConfigurationType{}
+
+	if v, ok := m["role_arn"]; ok && v != "" {
+		analyticsConfig.RoleArn = aws.String(v.(string))
+	}
+
+	if v, ok := m["external_id"]; ok && v != "" {
+		analyticsConfig.ExternalId = aws.String(v.(string))
+	}
+
+	if v, ok := m["application_id"]; ok && v != "" {
+		analyticsConfig.ApplicationId = aws.String(v.(string))
+	}
+
+	if v, ok := m["application_arn"]; ok && v != "" {
+		analyticsConfig.ApplicationArn = aws.String(v.(string))
 	}
 
 	if v, ok := m["user_data_shared"]; ok {
@@ -443,11 +453,24 @@ func flattenAwsCognitoUserPoolClientAnalyticsConfig(analyticsConfig *cognitoiden
 	}
 
 	m := map[string]interface{}{
-		"application_id":   aws.StringValue(analyticsConfig.ApplicationId),
-		"external_id":      aws.StringValue(analyticsConfig.ExternalId),
-		"role_arn":         aws.StringValue(analyticsConfig.RoleArn),
 		"user_data_shared": aws.BoolValue(analyticsConfig.UserDataShared),
 	}
 
+	if analyticsConfig.ExternalId != nil {
+		m["external_id"] = aws.StringValue(analyticsConfig.ExternalId)
+	}
+
+	if analyticsConfig.RoleArn != nil {
+		m["role_arn"] = aws.StringValue(analyticsConfig.RoleArn)
+	}
+
+	if analyticsConfig.ApplicationId != nil {
+		m["application_id"] = aws.StringValue(analyticsConfig.ApplicationId)
+	}
+
+	if analyticsConfig.ApplicationArn != nil {
+		m["application_arn"] = aws.StringValue(analyticsConfig.ApplicationArn)
+	}
+
 	return []interface{}{m}
 }
diff --git a/aws/resource_aws_cognito_user_pool_client_test.go b/aws/resource_aws_cognito_user_pool_client_test.go
@@ -275,6 +275,41 @@ func TestAccAWSCognitoUserPoolClient_analyticsConfig(t *testing.T) {
 	})
 }
 
+func TestAccAWSCognitoUserPoolClient_analyticsConfigWithArn(t *testing.T) {
+	var client cognitoidentityprovider.UserPoolClientType
+	userPoolName := acctest.RandString(10)
+	clientName := acctest.RandString(10)
+	resourceName := "aws_cognito_user_pool_client.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+			testAccPreCheckAWSCognitoIdentityProvider(t)
+			testAccPreCheckAWSPinpointApp(t)
+		},
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSCognitoUserPoolClientDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSCognitoUserPoolClientConfigAnalyticsWithArnConfig(userPoolName, clientName),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckAWSCognitoUserPoolClientExists(resourceName, &client),
+					resource.TestCheckResourceAttr(resourceName, "analytics_configuration.#", "1"),
+					resource.TestCheckResourceAttrPair(resourceName, "analytics_configuration.0.application_arn", "aws_pinpoint_app.test", "arn"),
+					testAccCheckResourceAttrGlobalARN(resourceName, "analytics_configuration.0.role_arn", "iam", "role/aws-service-role/cognito-idp.amazonaws.com/AWSServiceRoleForAmazonCognitoIdp"),
+					resource.TestCheckResourceAttr(resourceName, "analytics_configuration.0.user_data_shared", "false"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportStateIdFunc: testAccAWSCognitoUserPoolClientImportStateIDFunc(resourceName),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func TestAccAWSCognitoUserPoolClient_disappears(t *testing.T) {
 	var client cognitoidentityprovider.UserPoolClientType
 	userPoolName := fmt.Sprintf("tf-acc-cognito-user-pool-%s", acctest.RandString(7))
@@ -557,3 +592,16 @@ resource "aws_cognito_user_pool_client" "test" {
 }
 `, clientName)
 }
+
+func testAccAWSCognitoUserPoolClientConfigAnalyticsWithArnConfig(userPoolName, clientName string) string {
+	return testAccAWSCognitoUserPoolClientConfigAnalyticsConfigBase(userPoolName, clientName) + fmt.Sprintf(`
+resource "aws_cognito_user_pool_client" "test" {
+  name         = "%[1]s"
+  user_pool_id = aws_cognito_user_pool.test.id
+
+  analytics_configuration {
+    application_arn = aws_pinpoint_app.test.arn
+  }
+}
+`, clientName)
+}
diff --git a/website/docs/r/cognito_user_pool_client.markdown b/website/docs/r/cognito_user_pool_client.markdown
@@ -133,9 +133,12 @@ The following arguments are supported:
 
 ### Analytics Configuration
 
-* `application_id` - (Required) The application ID for an Amazon Pinpoint application.
-* `external_id`  - (Required) An ID for the Analytics Configuration.
-* `role_arn` - (Required) The ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics.
+Either `application_arn` or `application_id` is required.
+
+* `application_arn` - (Optional) The application ARN for an Amazon Pinpoint application. Conflicts with `external_id` and `role_arn`.
+* `application_id` - (Optional) The application ID for an Amazon Pinpoint application.
+* `external_id`  - (Optional) An ID for the Analytics Configuration. Conflicts with `application_arn`.
+* `role_arn` - (Optional) The ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. Conflicts with `application_arn`.
 * `user_data_shared` (Optional) If set to `true`, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.
 
 ## Attributes Reference