hashicorp · austinvalle · Jun 10, 2022 · Jun 10, 2022 · Jun 10, 2022 · Sep 15, 2022
@@ -0,0 +1,3 @@
+```release-note:enhancement
+aws_cognito_user_pool_domain: Allow update of certificate_arn argument
+```
@@ -1,6 +1,7 @@
 package cognitoidp
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"log"
@@ -9,6 +10,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/cognitoidentityprovider"
 	"github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2/tfawserr"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/customdiff"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 	"github.com/hashicorp/terraform-provider-aws/internal/conns"
@@ -20,6 +22,7 @@ func ResourceUserPoolDomain() *schema.Resource {
 	return &schema.Resource{
 		Create: resourceUserPoolDomainCreate,
 		Read:   resourceUserPoolDomainRead,
+		Update: resourceUserPoolDomainUpdate,
 		Delete: resourceUserPoolDomainDelete,
 		Importer: &schema.ResourceImporter{
 			State: schema.ImportStatePassthrough,
@@ -35,7 +38,6 @@ func ResourceUserPoolDomain() *schema.Resource {
 			"certificate_arn": {
 				Type:         schema.TypeString,
 				Optional:     true,
-				ForceNew:     true,
 				ValidateFunc: verify.ValidARN,
 			},
 			"user_pool_id": {
@@ -60,6 +62,10 @@ func ResourceUserPoolDomain() *schema.Resource {
 				Computed: true,
 			},
 		},
+		CustomizeDiff: customdiff.ForceNewIfChange("certificate_arn", func(_ context.Context, old, new, meta interface{}) bool {
+			// If the cert arn is being changed to a new arn, don't force new
+			return !(old.(string) != "" && new.(string) != "")
+		}),
 	}
 }
 
@@ -142,6 +148,38 @@ func resourceUserPoolDomainRead(d *schema.ResourceData, meta interface{}) error
 	return nil
 }
 
+func resourceUserPoolDomainUpdate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*conns.AWSClient).CognitoIDPConn
+
+	domain := d.Get("domain").(string)
+	timeout := 60 * time.Minute // Update is only for cert arns on custom domains, which take more time to become active
+
+	params := &cognitoidentityprovider.UpdateUserPoolDomainInput{
+		Domain:     aws.String(domain),
+		UserPoolId: aws.String(d.Get("user_pool_id").(string)),
+	}
+
+	if v, ok := d.GetOk("certificate_arn"); ok {
+		customDomainConfig := &cognitoidentityprovider.CustomDomainConfigType{
+			CertificateArn: aws.String(v.(string)),
+		}
+		params.CustomDomainConfig = customDomainConfig
+	}
+
+	log.Printf("[DEBUG] Updating Cognito User Pool Domain: %s", params)
+
+	_, err := conn.UpdateUserPoolDomain(params)
+	if err != nil {
+		return fmt.Errorf("error updating User Pool Domain (%s): %w", d.Id(), err)
+	}
+
+	if _, err := waitUserPoolDomainUpdated(conn, d.Id(), timeout); err != nil {
+		return fmt.Errorf("error waiting for User Pool Domain (%s) update: %w", d.Id(), err)
+	}
+
+	return resourceUserPoolDomainRead(d, meta)
+}
+
 func resourceUserPoolDomainDelete(d *schema.ResourceData, meta interface{}) error {
 	conn := meta.(*conns.AWSClient).CognitoIDPConn
 	log.Printf("[DEBUG] Deleting Cognito User Pool Domain: %s", d.Id())

@@ -86,6 +86,44 @@ func TestAccCognitoIDPUserPoolDomain_custom(t *testing.T) {
 	})
 }
 
+func TestAccCognitoIDPUserPoolDomain_customCertUpdate(t *testing.T) {
+	rootDomain := acctest.ACMCertificateDomainFromEnv(t)
+	domain := acctest.ACMCertificateRandomSubDomain(rootDomain)
+	poolName := fmt.Sprintf("tf-acc-test-pool-%s", sdkacctest.RandString(10))
+
+	acmInitialValidationResourceName := "aws_acm_certificate_validation.initial_test"
+	acmUpdatedValidationResourceName := "aws_acm_certificate_validation.updated_test"
+
+	acmInitialCertResourceName := "aws_acm_certificate.initial"
+	acmUpdatedCertResourceName := "aws_acm_certificate.updated"
+
+	cognitoPoolResourceName := "aws_cognito_user_pool_domain.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:          func() { acctest.PreCheck(t); testAccPreCheckUserPoolCustomDomain(t) },
+		ErrorCheck:        acctest.ErrorCheck(t, cognitoidentityprovider.EndpointsID),
+		ProviderFactories: acctest.ProviderFactories,
+		CheckDestroy:      testAccCheckUserPoolDomainDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccUserPoolDomainConfig_customCertUpdate(rootDomain, domain, poolName, acmInitialValidationResourceName),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckUserPoolDomainExists(cognitoPoolResourceName),
+					testAccCheckUserPoolDomainCertMatches(cognitoPoolResourceName, acmInitialCertResourceName),
+					resource.TestCheckResourceAttrPair(cognitoPoolResourceName, "certificate_arn", acmInitialCertResourceName, "arn"),
+				),
+			},
+			{
+				Config: testAccUserPoolDomainConfig_customCertUpdate(rootDomain, domain, poolName, acmUpdatedValidationResourceName),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckUserPoolDomainCertMatches(cognitoPoolResourceName, acmUpdatedCertResourceName),
+					resource.TestCheckResourceAttrPair(cognitoPoolResourceName, "certificate_arn", acmUpdatedCertResourceName, "arn"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccCognitoIDPUserPoolDomain_disappears(t *testing.T) {
 	domainName := fmt.Sprintf("tf-acc-test-domain-%d", sdkacctest.RandInt())
 	poolName := fmt.Sprintf("tf-acc-test-pool-%s", sdkacctest.RandString(10))
@@ -130,6 +168,49 @@ func testAccCheckUserPoolDomainExists(n string) resource.TestCheckFunc {
 	}
 }
 
+func testAccCheckUserPoolDomainCertMatches(cognitoResourceName string, certResourceName string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		cognitoResource, ok := s.RootModule().Resources[cognitoResourceName]
+		if !ok {
+			return fmt.Errorf("Not found: %s", cognitoResourceName)
+		}
+
+		if cognitoResource.Primary.ID == "" {
+			return errors.New("No Cognito User Pool Domain ID is set")
+		}
+
+		certResource, ok := s.RootModule().Resources[certResourceName]
+		if !ok {
+			return fmt.Errorf("Not found: %s", cognitoResourceName)
+		}
+
+		if certResource.Primary.ID == "" {
+			return errors.New("No ACM Certificate ID is set")
+		}
+
+		conn := acctest.Provider.Meta().(*conns.AWSClient).CognitoIDPConn
+
+		domain, err := conn.DescribeUserPoolDomain(&cognitoidentityprovider.DescribeUserPoolDomainInput{
+			Domain: aws.String(cognitoResource.Primary.ID),
+		})
+
+		if err != nil {
+			return err
+		}
+		desc := domain.DomainDescription
+
+		if desc.CustomDomainConfig == nil {
+			return fmt.Errorf("No Custom Domain set on User pool: %s", *desc.UserPoolId)
+		}
+
+		if *desc.CustomDomainConfig.CertificateArn != certResource.Primary.ID {
+			return fmt.Errorf("Certificate ARN on Custom Domain does not match, expected: %s, got: %s", certResource.Primary.ID, *desc.CustomDomainConfig.CertificateArn)
+		}
+
+		return nil
+	}
+}
+
 func testAccCheckUserPoolDomainDestroy(s *terraform.State) error {
 	conn := acctest.Provider.Meta().(*conns.AWSClient).CognitoIDPConn
 
@@ -226,3 +307,62 @@ resource "aws_cognito_user_pool_domain" "test" {
 }
 `, rootDomain, domain, poolName))
 }
+
+func testAccUserPoolDomainConfig_customCertUpdate(rootDomain string, domain string, poolName string, appliedCertValidation string) string {
+	return acctest.ConfigCompose(
+		testAccUserPoolCustomDomainRegionProviderConfig(),
+		fmt.Sprintf(`
+data "aws_route53_zone" "test" {
+  name         = %[1]q
+  private_zone = false
+}
+
+resource "aws_acm_certificate" "initial" {
+  domain_name       = %[2]q
+  validation_method = "DNS"
+}
+
+resource "aws_acm_certificate" "updated" {
+  domain_name       = %[2]q
+  validation_method = "DNS"
+}
+
+resource "aws_route53_record" "initial_test" {
+  allow_overwrite = true
+  name            = tolist(aws_acm_certificate.initial.domain_validation_options)[0].resource_record_name
+  records         = [tolist(aws_acm_certificate.initial.domain_validation_options)[0].resource_record_value]
+  ttl             = 60
+  type            = tolist(aws_acm_certificate.initial.domain_validation_options)[0].resource_record_type
+  zone_id         = data.aws_route53_zone.test.zone_id
+}
+
+resource "aws_route53_record" "updated_test" {
+  allow_overwrite = true
+  name            = tolist(aws_acm_certificate.updated.domain_validation_options)[0].resource_record_name
+  records         = [tolist(aws_acm_certificate.updated.domain_validation_options)[0].resource_record_value]
+  ttl             = 60
+  type            = tolist(aws_acm_certificate.updated.domain_validation_options)[0].resource_record_type
+  zone_id         = data.aws_route53_zone.test.zone_id
+}
+
+resource "aws_acm_certificate_validation" "initial_test" {
+  certificate_arn         = aws_acm_certificate.initial.arn
+  validation_record_fqdns = [aws_route53_record.initial_test.fqdn]
+}
+
+resource "aws_acm_certificate_validation" "updated_test" {
+  certificate_arn         = aws_acm_certificate.updated.arn
+  validation_record_fqdns = [aws_route53_record.updated_test.fqdn]
+}
+
+resource "aws_cognito_user_pool" "test" {
+  name = %[3]q
+}
+
+resource "aws_cognito_user_pool_domain" "test" {
+  certificate_arn = %[4]s.certificate_arn
+  domain          = aws_acm_certificate.initial.domain_name
+  user_pool_id    = aws_cognito_user_pool.test.id
+}
+`, rootDomain, domain, poolName, appliedCertValidation))
+}
@@ -48,6 +48,31 @@ func waitUserPoolDomainCreated(conn *cognitoidentityprovider.CognitoIdentityProv
 
 	outputRaw, err := stateConf.WaitForState()
 
+	if err != nil {
+		return nil, err
+	}
+
+	if output, ok := outputRaw.(*cognitoidentityprovider.DescribeUserPoolDomainOutput); ok {
+		return output, err
+	}
+
+	return nil, err
+}
+
+func waitUserPoolDomainUpdated(conn *cognitoidentityprovider.CognitoIdentityProvider, domain string, timeout time.Duration) (*cognitoidentityprovider.DescribeUserPoolDomainOutput, error) {
+	stateConf := &resource.StateChangeConf{
+		Pending: []string{
+			cognitoidentityprovider.DomainStatusTypeUpdating,
+		},
+		Target: []string{
+			cognitoidentityprovider.DomainStatusTypeActive,
+		},
+		Refresh: statusUserPoolDomain(conn, domain),
+		Timeout: timeout,
+	}
+
+	outputRaw, err := stateConf.WaitForState()
+
 	if output, ok := outputRaw.(*cognitoidentityprovider.DescribeUserPoolDomainOutput); ok {
 		return output, err
 	}