hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Error: reading Amazon Cognito IDP (Identity Provider) User Group (cognito_dr_admin): ResourceNotFoundException: User pool us-west-2_xxxxxx does not exist. #34758

Open hanoj-budime opened 6 months ago

hanoj-budime commented 6 months ago

Terraform Core Version

1.4.6

AWS Provider Version

4.67.0

Affected Resource(s)

Error: reading Amazon Cognito IDP (Identity Provider) User Group (cognito_dr_admin): ResourceNotFoundException: User pool us-west-2_a1b2c3 does not exist.

Expected Behavior

Not supporting update-in-place. Why?

The aws_cognito_user_group is initially created inside the user pool, let's assume 'us-west-2_a1b2c3', and the group name is 'test_group_1'.

Later, if the same aws_cognito_user_group is updated with a changed user pool ID, us-west-2_x1y2z3, the resource is not able to understand that the user pool ID has already been updated. It still refers to the older one, us-west-2_a1b2c3.

Actual Behavior

My point here is that the aws_cognito_user_group resource must be updated in place, regardless of the user pool ID we pass, right?

Relevant Error/Panic Output Snippet

Error: reading Amazon Cognito IDP (Identity Provider) User Group (cognito_dr_admin): ResourceNotFoundException: User pool `us-west-2_a1b2c3` does not exist.

Terraform Configuration Files

....

Steps to Reproduce

  1. Create a group within a user pool using a specific user-pool-id.
  2. Later, attempt to refresh the group creation. However, this time, assume that the user-pool-id has been updated.
  3. Note that the aws_cognito_user_group will not update in place; it retains the original user-pool-id and does not automatically update to the new one.

Debug Output

Error: reading Amazon Cognito IDP (Identity Provider) User Group (cognito_dr_admin): ResourceNotFoundException: User pool us-west-2_a1b2c3 does not exist.

Panic Output

Error: reading Amazon Cognito IDP (Identity Provider) User Group (cognito_dr_admin): ResourceNotFoundException: User pool us-west-2_a1b2c3 does not exist.

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

justinretzolk commented 5 months ago

Hey @HanojHanu 👋 Thank you for taking the time to raise this! In this scenario, is the user pool ID updated outside of Terraform? Can you supply a sample Terraform configuration that demonstrates the behavior and, if possible, debug logging (redacted as needed)?

hanoj-budime commented 4 months ago

"Why is the group not able to update in place? Even when we pass the latest pool ID, the group still retains the older value. Why is this happening?"

[image attached to the comment]

justinretzolk commented 3 months ago

Hey @hanoj-budime 👋 Thank you for providing that graphic, however, I think we're still missing a bit of detail that could be key here. Are you able to provide a sample configuration that can be used to reproduce this and, if possible, debug logging (redacted as needed)?

hanoj-budime commented 3 months ago

Code A

# * Steps - "Reproduce issue"
# ? Create any complex pool and save the pool-id in SSM.

# * basic-configuration ( for testing.. )
resource "aws_cognito_user_pool" "pool" {
  name = "mypool"
}

# * Save pool-id ( for testing.. )
resource "aws_ssm_parameter" "pool_id" {
  name  = "/reproduce/issue/pool_id"
  type  = "String"
  value = aws_cognito_user_pool.pool.id
}

Code B

# * Steps - "Reproduce issue"
# ? Create a group in that pool; the pool-id is read from SSM.

# * get pool-id ( for testing.. )
data "aws_ssm_parameter" "pool_id" {
  name = "/reproduce/issue/pool_id"
}

# * create group
resource "aws_cognito_user_group" "group" {
  user_pool_id = data.aws_ssm_parameter.pool_id.value
  name         = "mygroup"
  description  = "Reproduce issue"
}

flowchart TD
    A[Code A] -->| Plan and Apply | B( Installing Code A )
    B -->| Creating Pool id | C( Cognito pool )
    C -->| Creating SSM | D( SSM value with pool-id)
    X[Code B] -->| Plan and Apply | Y( Installing Code B )
    Y -->| Getting Pool-id from SSM | Z( Read SSM value )
    Z -->| Creating Group | W( Cognito group )
    G[Code A] -->| Destroy and Apply | H( Re-Installing Code A )
    H -->| Re-Creating Pool id | I( Cognito pool )
    I -->| Updated SSM | J( SSM value with new pool-id)
    K[Code B] -->| Plan and Apply | L["Refreshing state.. Code B<br/>ResourceNotFoundException: User pool us-west-2_xxxxxx does not exist."]

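
The refresh failure in the flowchart above happens because the Read step treats the pool's ResourceNotFoundException as a hard error. As an added illustration (not the provider's own code, which uses its internal helpers), here is a simplified Go model of a Read step that instead drops a vanished group from state, so the next plan recreates it in the new pool; the ResourceNotFoundException type, cognitoAPI, fakeCognito and readUserGroup are constructed for this example:

```go
package main

import (
	"errors"
	"fmt"
)

// ResourceNotFoundException models the Cognito IDP error quoted in
// the thread. Constructed here; the real type lives in the AWS SDK.
type ResourceNotFoundException struct{ Msg string }

func (e *ResourceNotFoundException) Error() string { return e.Msg }

// cognitoAPI is a constructed stand-in for the GetGroup call.
type cognitoAPI interface {
	GetGroup(userPoolID, groupName string) error
}

// fakeCognito knows which user pools exist; any other pool ID yields
// ResourceNotFoundException, like the re-created pool in the flowchart.
type fakeCognito struct{ pools map[string]bool }

func (f fakeCognito) GetGroup(userPoolID, groupName string) error {
	if !f.pools[userPoolID] {
		return &ResourceNotFoundException{Msg: fmt.Sprintf("User pool %s does not exist.", userPoolID)}
	}
	return nil
}

// readUserGroup is a simplified model of a provider Read step. It returns the
// ID to keep in state: the existing ID when the group is found, "" (drop from
// state so the next plan recreates it in the new pool) when the pool or group
// is gone on refresh, and an error otherwise (not-found right after Create is real).
func readUserGroup(api cognitoAPI, userPoolID, groupName string, isNew bool) (string, error) {
	id := userPoolID + "/" + groupName
	err := api.GetGroup(userPoolID, groupName)
	var nf *ResourceNotFoundException
	switch {
	case err == nil:
		return id, nil
	case errors.As(err, &nf) && !isNew:
		return "", nil
	default:
		return "", fmt.Errorf("reading Cognito User Group (%s): %w", groupName, err)
	}
}

func main() {
	api := fakeCognito{pools: map[string]bool{"us-west-2_x1y2z3": true}}
	fmt.Println(readUserGroup(api, "us-west-2_a1b2c3", "mygroup", false))
}
```

Removing the group from state is only safe on refresh of an existing resource; a group that cannot be found immediately after its own Create is still surfaced as an error.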
hanoj-budime commented 3 months ago

At least now, are you able to understand, @justinretzolk?

tbumke commented 3 months ago

I experience the same problem. Created a Cognito user pool and user groups with terraform, later removed the entire user pool outside of Terraform. Now trying to redeploy the user pool and groups with terraform fails with ResourceNotFoundException.

The user pool ID should be updated for depending resources (e.g., user groups) during redeployment IMHO.

hanoj-budime commented 3 months ago

We're doing something like this: the user pool is created separately in "Code A" and the group is created separately in "Code B".

Terraform even throws an error while refreshing the "Code B" state: ResourceNotFoundException.

Expected:

"Code B" must get the latest user-pool-id and then update this group in that latest pool.

rmccarthy-ellevation commented 3 months ago

Any update on this?

hanoj-budime commented 2 months ago

Error: reading Amazon Cognito IDP (Identity Provider) User Group (my_group): ResourceNotFoundException: User pool us-east-xxxx does not exist.

If the Terraform state file is unable to find the user-pool-id, it means it was deleted. There is no point in enforcing this error in Terraform. We can't move back and forth.

hanoj-budime commented 2 months ago

@justinretzolk, any updates ?

hanoj-budime commented 1 month ago

@justinretzolk, Any updates on fixing this issue ?