resource/cognito_user_pool_client: support USER_PASSWORD_AUTH for explicit_auth_flows #3417

Merged
1 change: 1 addition & 0 deletions aws/resource_aws_cognito_user_pool_client.go
Expand Up @@ -53,6 +53,7 @@ func resourceAwsCognitoUserPoolClient() *schema.Resource {
ValidateFunc: validation.StringInSlice([]string{
cognitoidentityprovider.ExplicitAuthFlowsTypeAdminNoSrpAuth,
cognitoidentityprovider.ExplicitAuthFlowsTypeCustomAuthFlowOnly,
cognitoidentityprovider.ExplicitAuthFlowsTypeUserPasswordAuth,
Contributor

Could you add an acctest for that so that we ensure there won't be regression in the future?

Contributor Author

I thought about acctest before committing the change but not sure what to test actually. USER_PASSWORD_AUTH is a new type of ExplicitAuthFlows.

Contributor

My general opinion is if the SDK is providing the constant, that means AWS has added it to their acceptable values in their generated API model, and we don't need to provide any acceptance testing if it's just updating a validation check. 😄

Contributor

I recall, when working on multiple Cognito resources, that there was a specificity when using USER_PASSWORD_AUTH... hence my request :)
Adding the value in testAccAWSCognitoUserPoolClientConfig_allFields is fine as it covers the use-case.

Contributor Author

Added all values of explicit_auth_flows in acctest. I'm not clear about the use-case but hope to get your point of change.

Contributor

Cannot recall the need for it right now... it was not that important, but will keep you updated if it appears to me again.

}, false),
},
},
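Review bot: in the `StringInSlice` list, the new `ExplicitAuthFlowsTypeUserPasswordAuth` entry only widens plan-time validation, so this hunk by itself shows nothing about how the API treats the value; keep it paired with the `allFields` acceptance test change so the accepted list and the tested list stay the same three values. The closing `}, false)` keeps matching case-sensitive, so the argument docs should give the values in exactly this upper-case form.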
8 changes: 5 additions & 3 deletions aws/resource_aws_cognito_user_pool_client_test.go
Expand Up @@ -47,7 +47,9 @@ func TestAccAWSCognitoUserPoolClient_allFields(t *testing.T) {
Check: resource.ComposeAggregateTestCheckFunc(
testAccCheckAWSCognitoUserPoolClientExists("aws_cognito_user_pool_client.client"),
resource.TestCheckResourceAttr("aws_cognito_user_pool_client.client", "name", name),
resource.TestCheckResourceAttr("aws_cognito_user_pool_client.client", "explicit_auth_flows.#", "1"),
resource.TestCheckResourceAttr("aws_cognito_user_pool_client.client", "explicit_auth_flows.#", "3"),
resource.TestCheckResourceAttr("aws_cognito_user_pool_client.client", "explicit_auth_flows.1728632605", "CUSTOM_AUTH_FLOW_ONLY"),
resource.TestCheckResourceAttr("aws_cognito_user_pool_client.client", "explicit_auth_flows.1860959087", "USER_PASSWORD_AUTH"),
resource.TestCheckResourceAttr("aws_cognito_user_pool_client.client", "explicit_auth_flows.245201344", "ADMIN_NO_SRP_AUTH"),
resource.TestCheckResourceAttr("aws_cognito_user_pool_client.client", "generate_secret", "true"),
resource.TestCheckResourceAttr("aws_cognito_user_pool_client.client", "read_attributes.#", "1"),
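Review bot: the `explicit_auth_flows.#` check goes from "1" to "3" inside the same test step, so the single-flow client that was covered before is no longer exercised; consider a separate step or test that sets one flow alone, USER_PASSWORD_AUTH in particular. The value checks also hard-code set hash keys such as `explicit_auth_flows.1860959087`, which ties the test to how the value strings are hashed; a one-line comment saying where those numbers come from would help whoever adds the next flow.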
Expand Down Expand Up @@ -149,7 +151,7 @@ resource "aws_cognito_user_pool_client" "client" {
name = "%s"

user_pool_id = "${aws_cognito_user_pool.pool.id}"
explicit_auth_flows = [ "ADMIN_NO_SRP_AUTH" ]
explicit_auth_flows = ["ADMIN_NO_SRP_AUTH", "CUSTOM_AUTH_FLOW_ONLY", "USER_PASSWORD_AUTH"]

generate_secret = "true"

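Review bot: the `explicit_auth_flows` line in this test config now enables all three flows at once, including CUSTOM_AUTH_FLOW_ONLY, whose name reads as exclusive; add a short comment in the config saying the combination is there only to cover every allowed value, so it is not copied as a recommended client setup.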
Expand All @@ -161,7 +163,7 @@ resource "aws_cognito_user_pool_client" "client" {
allowed_oauth_flows = ["code", "implicit"]
allowed_oauth_flows_user_pool_client = "true"
allowed_oauth_scopes = ["openid", "email"]

callback_urls = ["https://www.example.com/callback", "https://www.example.com/redirect"]
default_redirect_uri = "https://www.example.com/redirect"
logout_urls = ["https://www.example.com/login"]
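Review bot: the only difference in this hunk is whitespace on the empty line after `allowed_oauth_scopes`, which has nothing to do with `explicit_auth_flows`; drop it from this PR or send formatting cleanups separately so the diff stays limited to the auth-flow change.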
6 changes: 3 additions & 3 deletions website/docs/r/cognito_user_pool_client.markdown
Expand Up @@ -21,7 +21,7 @@ resource "aws_cognito_user_pool" "pool" {

resource "aws_cognito_user_pool_client" "client" {
name = "client"

user_pool_id = "${aws_cognito_user_pool.pool.id}"
}
```
Expand Down Expand Up @@ -51,15 +51,15 @@ The following arguments are supported:
* `allowed_oauth_scopes` - (Optional) List of allowed OAuth scopes (phone, email, openid, Cognito).
* `callback_urls` - (Optional) List of allowed callback URLs for the identity providers.
* `default_redirect_uri` - (Optional) The default redirect URI. Must be in the list of callback URLs.
* `explicit_auth_flows` - (Optional) List of authentication flows (ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY).
* `explicit_auth_flows` - (Optional) List of authentication flows (ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH).
* `generate_secret` - (Optional) Should an application secret be generated. AWS JavaScript SDK requires this to be false.
* `logout_urls` - (Optional) List of allowed logout URLs for the identity providers.
* `name` - (Required) The name of the application client.
* `read_attributes` - (Optional) List of user pool attributes the application client can read from.
* `refresh_token_validity` - (Optional) The time limit in days refresh tokens are valid for.
* `supported_identity_providers` - (Optional) List of provider names for the identity providers that are supported on this client.
* `user_pool_id` - (Required) The user pool the client belongs to.
* `write_attributes` - (Optional) List of user pool attributes the application client can write to.
* `write_attributes` - (Optional) List of user pool attributes the application client can write to.

## Attribute Reference

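Review bot: the `explicit_auth_flows` bullet now lists USER_PASSWORD_AUTH but still gives no description of any of the three flows, so a reader cannot tell from this page what enabling each one allows on the client; add a phrase per value or a link to the AWS API reference for the field. The `write_attributes` line at the end of the list appears to change only in whitespace and is better left out of this PR.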