hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Allow users to specify a Cognito user group when creating a Cognito identity provider. #21985

Closed dgard1981 closed 4 months ago

dgard1981 commented 2 years ago

Description

When creating a Cognito identity provider, a user group is automatically created with some default options. This means that if I want to change the user group, I have to take the following actions -

In this case, I need to update the role_arn argument. When the user group is automatically created, this argument is omitted.

New or Affected Resource(s)

Potential Terraform Configuration

My request is that we be allowed to create one or more user groups and then reference those groups when creating an identity provider. This would mean that a single terraform apply would be able to do everything.

resource "aws_cognito_user_group" "kibana" {
  description  = "Autogenerated group for users who sign in using Keycloak"
  name         = "${aws_cognito_user_pool.kibana.id}_Keycloak"
  user_pool_id = aws_cognito_user_pool.kibana.id
  role_arn     = aws_iam_role.kibana_master.arn
}

resource "aws_cognito_identity_provider" "keycloak" {
  user_pool_id  = aws_cognito_user_pool.kibana.id
  provider_name = "Keycloak"
  provider_type = "OIDC"

  provider_details = {
    ...
  }

  attribute_mapping = {
    ...
  }

  user_groups = [
    aws_cognito_user_group.kibana.id
  ]
}

References

I don't believe there are any open issues or PRs in relation to this issue.

github-actions[bot] commented 5 months ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

github-actions[bot] commented 3 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.