hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Cognito Pinpoint Configuration application_arn in combination with user_data_shared = true #18883

Closed mg98 closed 1 month ago

mg98 commented 3 years ago


Terraform CLI and Terraform AWS Provider Version

Terraform v0.15.0
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v3.36.0
+ provider registry.terraform.io/hashicorp/null v3.1.0

Affected Resource(s)

Terraform Configuration Files

This configuration is actually copy-pasted from the docs with a few changes:

In analytics_configuration I use the application_arn instead of application_id, role_arn and external_id. I did this actually because I had problems with the alternative, the same ones referenced in https://github.com/hashicorp/terraform-provider-aws/issues/16481. In response to this, the application_arn field was introduced in https://github.com/hashicorp/terraform-provider-aws/pull/16734. I can validate that this works. It only does not work when combined with user_data_shared = true.

data "aws_caller_identity" "current" {}

resource "aws_cognito_user_pool" "test" {
  name = "pool"
}

resource "aws_pinpoint_app" "test" {
  name = "pinpoint"
}

resource "aws_iam_role" "test" {
  name = "role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "cognito-idp.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_role_policy" "test" {
  name = "role_policy"
  role = aws_iam_role.test.id

  policy = <<-EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "mobiletargeting:UpdateEndpoint",
        "mobiletargeting:PutItems"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:mobiletargeting:*:${data.aws_caller_identity.current.account_id}:apps/${aws_pinpoint_app.test.application_id}*"
    }
  ]
}
EOF
}

resource "aws_cognito_user_pool_client" "test" {
  name         = "pool_client"
  user_pool_id = aws_cognito_user_pool.test.id

  analytics_configuration {
    application_arn  = aws_pinpoint_app.test.arn
    user_data_shared = true
  }
}

Expected Behavior

No error/ The created cognito user pool should have been linked to the created pinpoint app.

Actual Behavior

Error: error updating Cognito User Pool Client (3utdsreesoo8p1m2k11b61uk9p): InvalidParameterException: Invalid analytics configuration given, either <application arn> or <application id, role arn, external id> are valid

Steps to Reproduce

  1. terraform init
  2. terraform apply in region eu-central-1

YakDriver commented 3 years ago

@mg98 Thank you for reporting this! I don't see any other reports of this yet. Hopefully we, or someone from the community, will be able to track down the cause of this problem.

DrFaust92 commented 3 years ago

@mg98, I was able to reproduce this and found an interesting fact: user_data_shared cannot be updated when application_arn is used. I can add some logic to cause recreation under those circumstances, but I would try to escalate to AWS to see if this is an oversight on their part or works as intended with a wrong error. But there is no issue with creating a new user pool client with user_data_shared = true.
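
The decision DrFaust92 describes, written out as an added example. This is not code from the provider or from anyone in this thread, and it does not call AWS: it is a stand-alone Go model of how a plan would have to treat the analytics_configuration block, given the two facts the thread establishes (Cognito accepts either application_arn alone or the application_id/role_arn/external_id triple, and a client keyed by application_arn takes user_data_shared on create but rejects changing it in place). The type and function names, the Action values and the sample ARNs are my own; in a real provider the Replace outcome would be declared with ForceNew (e.g. customdiff.ForceNewIf) rather than computed like this.

```go
package main

import (
	"errors"
	"fmt"
)

// AnalyticsConfig mirrors the analytics_configuration block of
// aws_cognito_user_pool_client as posted in this issue. Field names are my own.
type AnalyticsConfig struct {
	ApplicationARN string // application_arn (Pinpoint app ARN)
	ApplicationID  string // application_id
	RoleARN        string // role_arn
	ExternalID     string // external_id
	UserDataShared bool   // user_data_shared
}

// ErrInvalidShape reproduces the Cognito rejection quoted in the issue: the
// block must carry either application_arn alone or the complete
// application_id/role_arn/external_id triple, never a mix or a partial triple.
var ErrInvalidShape = errors.New("Invalid analytics configuration given, either <application arn> or <application id, role arn, external id> are valid")

// Validate checks that exactly one of the two accepted shapes is present.
func (c AnalyticsConfig) Validate() error {
	byARN := c.ApplicationARN != ""
	anyID := c.ApplicationID != "" || c.RoleARN != "" || c.ExternalID != ""
	fullID := c.ApplicationID != "" && c.RoleARN != "" && c.ExternalID != ""
	switch {
	case byARN && !anyID:
		return nil
	case !byARN && fullID:
		return nil
	default:
		return ErrInvalidShape
	}
}

// Action is what a plan would have to do to the user pool client.
type Action int

const (
	NoOp Action = iota
	Create
	Update
	Replace
)

func (a Action) String() string {
	return []string{"no-op", "create", "update in place", "destroy and recreate"}[a]
}

// Plan decides how to move the client's analytics_configuration from `have`
// (nil when the client does not exist yet) to `want`. It encodes the single
// finding established in this thread: a client keyed by application_arn
// accepts user_data_shared on create but rejects changing it afterwards, so
// that change has to be a replacement. Every other change is modelled as an
// in-place update, because the thread says nothing about those cases.
func Plan(have *AnalyticsConfig, want AnalyticsConfig) (Action, error) {
	if err := want.Validate(); err != nil {
		return NoOp, err
	}
	if have == nil {
		return Create, nil
	}
	if *have == want {
		return NoOp, nil
	}
	if want.ApplicationARN != "" && have.ApplicationARN == want.ApplicationARN &&
		have.UserDataShared != want.UserDataShared {
		return Replace, nil
	}
	return Update, nil
}

func main() {
	// Constructed values standing in for the resources in the posted config.
	const pinpointARN = "arn:aws:mobiletargeting:eu-central-1:123456789012:apps/0123456789abcdef0123456789abcdef"
	arnUnshared := AnalyticsConfig{ApplicationARN: pinpointARN}
	arnShared := AnalyticsConfig{ApplicationARN: pinpointARN, UserDataShared: true}

	for _, tc := range []struct {
		name string
		have *AnalyticsConfig
		want AnalyticsConfig
	}{
		{"fresh client, arn + user_data_shared", nil, arnShared},
		{"flip user_data_shared on arn client", &arnUnshared, arnShared},
		{"arn mixed with role_arn", nil, AnalyticsConfig{ApplicationARN: pinpointARN, RoleARN: "arn:aws:iam::123456789012:role/role"}},
	} {
		action, err := Plan(tc.have, tc.want)
		if err != nil {
			fmt.Printf("%-40s -> error: %v\n", tc.name, err)
			continue
		}
		fmt.Printf("%-40s -> %s\n", tc.name, action)
	}
}
```

The second scenario is exactly the apply that fails in the issue: the same client, the same ARN, only user_data_shared toggled, which the model turns into a destroy-and-recreate instead of the UpdateUserPoolClient call that Cognito rejects. Recreating a user pool client changes its client ID, so anything holding the old ID (apps, hosted UI links) would need to be updated as well, which is why the comment above prefers getting AWS to clarify the behaviour first.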

github-actions[bot] commented 2 months ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

github-actions[bot] commented 2 weeks ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.