search

hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0
9.74k stars 9.09k forks source link

[New]: Resource for GetOpenIdTokenForDeveloperIdentity #29673

Open tze-dev opened 1 year ago

tze-dev commented 1 year ago

Description

Request for a new resource for managing Cognito developer ID - https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdTokenForDeveloperIdentity.html

The API GetOpenIdTokenForDeveloperIdentity not only provides the ability to obtain an OpenID token, it also creates a 'developer identity' in a Cognito Pool. This is useful for OIDC workflows, where third party system needs to match/filter JWT claims from Cognito - where the subject of the JWT claims is based on the Developer ID.

If GetOpenIdTokenForDeveloperIdentity is implemented as a Terraform Resource, it would make it much simpler to manage the workload identify federation workflows in general.

Requested Resource(s) and/or Data Source(s)

Potential Terraform Configuration

resource "aws_cognito_identity_pool" "this" {
  identity_pool_name               = "my-identity-pool"
  allow_unauthenticated_identities = false
  allow_classic_flow               = false
  developer_provider_name          = "my-dev-provider-name"
}

resource "aws_cognito_openid_developer_identity" "this" {
  identity_pool_id = aws_cognito_identity_pool.this.id
  logins = {
     developer_provider_name = aws_cognito_identity_pool.this.developer_provider_name
     developer_user_identifier = "dev-user-01" # Some user defined identifier
  }
  token_duration = 3600 # in seconds
}

# This will output the OpenID developer identity
# - This ID is the 'subject' of the JWT token claim.
#   With this string, we can configure the destination system to trust
#   a JWT claim through matching the 'subject'
output "identity_id" {
  value = aws_cognito_openid_developer_identity.this.identity_id
}

output "openid_token" { # this will output the JWT claim token
  value = aws_cognito_openid_developer_identity.this.token
}

References

https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdTokenForDeveloperIdentity.html

Would you like to implement a fix?

None

github-actions[bot] commented 1 year ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

AdamTylerLynch commented 10 months ago

Can you provide an overarching example of the Workflows you would like to support? I'd love to understand the peices involved here.

The Token has a limited lifetime (as specified by the duration). Tokens are ephemeral by design, and there is no way to update/delete them, so adding this to a resource would cause the resource to be recreated on every terraform refresh. The Cognito team has a request per second rate limit of 50 for this action, and you could potentially get throttled on refresh.

But let's say a refresh was desirable, every resource that leverages this Token would need to be recreated as the token changes, potentially causing an availability issue on resource recreation.

tze-dev commented 10 months ago

Hi @AdamTylerLynch, the main objective is to be able to use Terraform to create the OpenID Developer Identity in Cognito pool. Token generation/output is optional.

The ability to generate the token is not that important (though it can be useful). Once a Developer Identity is created, the abilty to generate a token can be done outside of Terraform as part of some workflow.

However, having the ability to output token can be useful - i.e., If within the same Terraform workspace, another resource was to be created using the token in the same workflow as the auth input. This is generally not a good idea, but in some corner cases it's convenient. Granted, that the token would need to be ignore by TF lifecycle state management.