Add 'aws_cognito_user_pool_client' resource

[psyvision]

Description

The following pull request builds upon the work of @Ninir implementing Cognito User Pools (not yet merged) by adding support for Cognito User Pool Clients.

I've added some documentation on using the new resource.

Note: This doesn't provide full API support at current but does allow a client to be created and the ClientId returned.

API Documentation

• https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html

Test

make testacc TEST=./aws TESTARGS='-run=TestAccAWSCognitoUserPoolClient_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -run=TestAccAWSCognitoUserPoolClient_ -timeout 120m
=== RUN   TestAccAWSCognitoUserPoolClient_basic
--- PASS: TestAccAWSCognitoUserPoolClient_basic (19.11s)
PASS
ok      github.com/terraform-providers/terraform-provider-aws/aws       19.126s

Resources

resource "aws_cognito_user_pool_client" "client" {
}

[psyvision]

@radeksimko do you have any pointers on how I should implement the custom user pool client attributes that belong to the user pool client?

See the AWS API reference below:
http://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AddCustomAttributes.html

These are different to the typical "attributes" that belong to resources (i.e. attributes are an entity in themselves to some extent).

I could add a further resource "aws_cognito_user_pool_client_attribute" or have them as a set on the client_pool resource I've already added, similar to ingress/egress rules on a security group...

[radeksimko]

We will take a look at this PR 🔜 after merging #1419 which should be either today or tomorrow, but given the tight schedule for 1.3.0 we intend to ship tomorrow I reckon we'll leave this PR for the next release.

[Ninir]

Hi @psyvision

User Pools have just been merged and it's all available in AWS 1.3.0!
Could you rebase your PR against master so that we can go on on this one?

Thanks!

[psyvision]

Hi @Ninir,

I saw that, I'll merge in this evening for you :)

Cheers

[psyvision]

@Ninir I got there one way or another, all merged now!

[et304383]

So excited to see this coming in soon!

[psyvision]

@et304383 am I correct in thinking you want custom attribute support too? We need that but I'm not sure how to code it. Once @Ninir gets started on this PR I'll see what I can sort out.

[et304383]

@psyvision that would be nice to have long term but in the short term what we need is the ability to create them and specify the refresh token validity.

We need React frontends to be able to interact with Cognito as a priority. We've resorted to adding the client creation through a python script in the short term.

[CalebMacdonaldBlack]

@psyvision @Ninir Great to see cognito user pools! Just waiting on app clients and custom attributes before we can use it

[psyvision]

@CalebMacdonaldBlack app clients are in, I can't remember if I covered off all functionality (I think maybe so...) I don't know how to go about implementing custom attributes, otherwise I would have done so. Once @Ninir gets on to this or gives me some pointers I'll do it :)

[radeksimko]

Hi @psyvision
thanks for the PR. I left you some comments.

Regarding custom attributes I think we should model that as a separate resource, e.g. aws_cognito_user_attribute - which is outside of scope of this PR. We'll also need to find out whether/how it conflicts with existing resources.

[radeksimko]

I see there are some fields missing in the schema:

	AllowedOAuthFlows []*string `type:"list"`

	// Set to True if the client is allowed to follow the OAuth protocol when interacting
	// with Cognito user pools.
	AllowedOAuthFlowsUserPoolClient *bool `type:"boolean"`

	// A list of allowed OAuth scopes. Currently supported values are "phone", "email",
	// "openid", and "Cognito".
	AllowedOAuthScopes []*string `type:"list"`

	// A list of allowed callback URLs for the identity providers.
	CallbackURLs []*string `type:"list"`

	// The default redirect URI. Must be in the CallbackURLs list.
	DefaultRedirectURI *string `min:"1" type:"string"`

	// A list of allowed logout URLs for the identity providers.
	LogoutURLs []*string `type:"list"`

	// A list of provider names for the identity providers that are supported on
	// this client.
	SupportedIdentityProviders []*string `type:"list"`

Do you plan on adding those?

[psyvision]

I haven't used these so I'm not sure exactly what's best / what's expected or to be able to test them for real. I can have a go though :D

[radeksimko]

Yeah - I think the best we can do is to read the relevant docs and try to build a few simple examples with those fields in a test based on that. If you want to test it for real (i.e. login in the browser) then I take that as a bonus, but I'd just assume it works as long as the API accepts our request. 🤷‍♂️

[radeksimko]

The default validity seems to be set to 30 by the API which is why the acceptance test is failing:

=== RUN   TestAccAWSCognitoUserPoolClient_basic
--- FAIL: TestAccAWSCognitoUserPoolClient_basic (34.36s)
	testing.go:503: Step 0 error: After applying this step, the plan was not empty:

		DIFF:

		UPDATE: aws_cognito_user_pool_client.client
		  refresh_token_validity: "30" => "0"

Do you mind setting Default: 30 here too?

[psyvision]

No issues with that

[radeksimko]

We get int, not int64 from the ResourceData, so this would cause a crash due to invalid cast. I think we'll need to change it to something like this:

params.RefreshTokenValidity = aws.Int64(int64(v.(int)))

[psyvision]

I hadn't actually tested this in AWS and was just going on what VS Code was telling me so I'll take your call.

[radeksimko]

Nitpick: this error handling here can be simplified to

if isAWSErr(err, "ResourceNotFoundException", "") {

[radeksimko]

I think the list of fields here is incomplete - do you mind updating it?

[psyvision]

Will do

[radeksimko]

It looks like this field is updatable (at least it's present in UpdateUserPoolClientInput) - is there any reason for making it ForceNew?

[psyvision]

Nope, just me not knowing what's what :)

[radeksimko]

It looks like this field is updatable (at least it's present in UpdateUserPoolClientInput) - is there any reason for making it ForceNew?

[psyvision]

Not sure which field this refers to? If explicit_auth_flows then it's false

[radeksimko]

Ah, sorry - I missed that - so in that case it's practically correct, but it's false by default so we can just omit it.

[radeksimko]

Likewise - ^

[psyvision]

read_attributes is ForceNew: false but I guess the redundant code can be removed

[radeksimko]

Yes, it can be removed - there's no point of having ForceNew: false anywhere as that's default. 😉

[radeksimko]

Likewise - ^

[psyvision]

write_attributes is ForceNew: false but I guess the redundant code can be removed

[radeksimko]

Correct.

[radeksimko]

Likewise - ^

[radeksimko]

It's just redundant - that's all 😉

[psyvision]

@radeksimko Thank you for reviewing these. I'll go through and make some changes where required. I don't think the attributes are needed. I looked into it and they actually fall under the aws_cognito_user_pool implemented in 1.3.0 (I think) and not in the client.

[radeksimko]

d.Set() will perform safe dereferencing (and deal with nil without crashing), so all of the above 5 checks are redundant. 😉

[psyvision]

Ah thanks. I've been copying code from elsewhere rather than looking into the intracacies. I'll add that to my changes. Just had to rebuild my dev VM

[psyvision]

ok @radeksimko I've covered off the items in your review I think. Just need to add in those final attributes which I'll do shortly.

[radeksimko]

The two d.Set()s are IMO unnecessary unless we believe the API would return something that differs from the original query - in which case we'd probably have much bigger problem.

[radeksimko]

I think this should be cognitoidentityprovider.ExplicitAuthFlowsTypeCustomAuthFlowOnly per API docs.

[radeksimko]

I think we'll need at least one more test to exercise as many fields as we can. I'd usually call such test TestAccAWSCognitoUserPoolClient_allFields.

[radeksimko]

AFAIK (correct me if I'm wrong) ordering is not significant in this case, so we should make this field TypeSet.

[radeksimko]

AFAIK (correct me if I'm wrong) ordering is not significant in this case, so we should make this field TypeSet.

[radeksimko]

AFAIK (correct me if I'm wrong) ordering is not significant in this case, so we should make this field TypeSet.

[radeksimko]

AFAIK (correct me if I'm wrong) ordering is not significant in this case, so we should make this field TypeSet.

[radeksimko]

AFAIK (correct me if I'm wrong) ordering is not significant in this case, so we should make this field TypeSet.

[psyvision]

@radeksimko changes made. I'll make up some tests tonight :)

[radeksimko]

I think you're referencing wrong config here 😉

Let me know when it's ready for another round of review.

[psyvision]

@radeksimko I've changed the test, I was going to run the acceptance test but wanted to run just the user pool client ones if possible. I can't remember how to do this.... ?

Edit: Got it !

[psyvision]

@radeksimko Tests corrected and working:

make testacc TESTARGS="-run=TestAccAWSCognitoUserPoolClient_*"
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test $(go list ./... |grep -v 'vendor') -v -run=TestAccAWSCognitoUserPoolClient_* -timeout 120m
?   	github.com/terraform-providers/terraform-provider-aws	[no test files]
=== RUN   TestAccAWSCognitoUserPoolClient_basic
--- PASS: TestAccAWSCognitoUserPoolClient_basic (21.63s)
=== RUN   TestAccAWSCognitoUserPoolClient_allFields
--- PASS: TestAccAWSCognitoUserPoolClient_allFields (19.32s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	40.966s

[radeksimko]

Hi @psyvision
it looks like this is almost ready for the final review & merge, there are just some conflicts as it seems there are some unrelated commits in your branch, possibly as a result of earlier conflict resolution?

I'd recommend using interactive rebase and remove all unrelated commits from the branch, see https://git-scm.com/book/id/v2/Git-Tools-Rewriting-History or let me know if you need help with that. Eventually I can try and resolve it for you.

[psyvision]

Well that's royally buggered it!

[psyvision]

@radeksimko was getting late last night and I kept messing up the rebase. I need to just drop commit 52143f4, the ses changes and then I think it's done properly.

[psyvision]

@radeksimko done!

[et304383]

Anything else holding this up folks? We are immediately dealing with an issue with creating the following:

• cognito user pool
• cognito user pool client
• cognito identity using the user pool client

Without the user pool client support we're going to have to hack something together with:

• terraform dir 1
• python script
• terraform dir 2 with numerous data source lookups

[serialseb]

if that helps, in the meantime, i use this:

resource "aws_cloudformation_stack" "user_pool_client" {
  name          = "${var.name}-user-pool-client"
  template_body = "${file("${path.module}/templates/stack.yml")}"
  on_failure    = "DELETE"

  parameters {
    UserPoolId = "${var.user_pool_id}"
    ClientName = "${var.name}"
  }
}

with a cloudformation yml

AWSTemplateFormatVersion: 2010-09-09
Parameters:
  UserPoolId:
    Type: String
  ClientName:
    Type: String
Resources:
  UserPoolClient:
    Type: 'AWS::Cognito::UserPoolClient'
    Properties:
      UserPoolId: !Ref UserPoolId
      ClientName: !Ref ClientName
      GenerateSecret: False
      RefreshTokenValidity: xxx
      ExplicitAuthFlows:
        - xxx
Outputs:
  Id:
    Value:
      Ref: UserPoolClient

and for on top of that, for the stuff not in cloudformation

resource "null_resource" "user_pool_client_identities" {
  depends_on = ["aws_cloudformation_stack.user_pool_client"]
  triggers {
    client_id = "${aws_cloudformation_stack.user_pool_client.outputs["Id"]}"
    stack        = "${aws_cloudformation_stack.user_pool_client.template_body}"
    user_pool_id = "${var.user_pool_id}"
    oauth_flows = "${join("", var.allowed_oauth_flows)}"
    oauth_scopes = "${join("", var.allowed_oauth_scopes)}"
  }

  provisioner "local-exec" {
    when ="create"
    command = <<SCRIPT
aws cognito-idp update-user-pool-client \
      --profile wf \
      --user-pool-id ${var.user_pool_id} \
      --client-id ${aws_cloudformation_stack.user_pool_client.outputs["Id"]} \
      --supported-identity-providers ${join(" ", formatlist("\"%s\"", var.supported_identity_providers))} \
      --callback-urls '[${join(",", formatlist("\"%s\"", var.callback_urls))}]' \
      --logout-urls '[${join(",", formatlist("\"%s\"", var.logout_urls))}]' \
      --allowed-o-auth-flows ${join(" ", formatlist("\"%s\"", var.allowed_oauth_flows))} \
      --allowed-o-auth-scopes ${join(" ", formatlist("\"%s\"", var.allowed_oauth_scopes))}
SCRIPT
  }
}

I've built that as a module, until the resource is ready.

[et304383]

@serialseb this is amazing. Thanks so much. I didn't know you could write custom resources backed by shell commands. You rock.

[radeksimko]

LGTM now, thanks for the patience and all changes.

[radeksimko]

I believe that the removal of aws_autoscaling_lifecycle_hook was not intended here - I'll address that in a separate commit.

[radeksimko]

I'll add TODO here as a reminder and to make it clearer what the comment means.

[psyvision]

Thank you @radeksimko!

[radeksimko]

I didn't mean to close that... wanted to cleanup your git history and somehow managed to close it.
Anyways it's now in master under c583147b8c8b872c6c06dddee62ceb0a7b410646.

Just a friendly note for future PRs:
It can make everyone's life much easier if you open PR from a branch, not from master. It's easier for rebasing, resolving conflicts etc. 😉

[et304383]

I'm a little confused now. @radeksimko is user pool client now in master? Are we just waiting for a new terraform version?

[radeksimko]

it's in master, will be part of the next release.

[bflad]

This has been released in terraform-provider-aws version 1.7.0. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!