Open nikvaessen opened 5 years ago
I have run into a second use case that requires the lambdas to be configured after the pool is initially created:
I can't achieve the above because it creates a dependency cycle (see also: https://github.com/hashicorp/terraform/issues/27188).
This cycle issue would be solved using the option 2 design proposed by @nikvaessen.
Option 2 would also fix our use case. We have the following three resources:

- `aws_cognito_user_pool` - the pool itself
- `aws_lambda_function` - a token generation Lambda which is passed to the `aws_cognito_user_pool` as:

  ```hcl
  lambda_config {
    pre_token_generation = aws_lambda_function.token_generation_lambda.arn
  }
  ```

- `aws_iam_role` - a role that grants the `cognito-idp:AdminAddUserToGroup` to the Lambda. We dynamically add users to groups if they're not part of one yet, so the Lambda needs this permission. This role is passed to the `aws_lambda_function` resource
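The three resources and the dependency cycle described in the comment above, written out as an added Terraform example (not configuration from the issue or the provider). Resource names, the handler and runtime, and the use of an `inline_policy` block are assumptions; the least-privilege choice of scoping the policy's `Resource` to the one pool's ARN is what closes the cycle, since the pool references the Lambda, the Lambda references the role, and the role references the pool.

```terraform
# Added example (not from the issue): the three resources from the comment
# above, wired so that Terraform reports a dependency cycle.
# Resource names, handler/runtime and the inline_policy block are assumptions.

# 1. The pool references the Lambda's ARN through lambda_config.
resource "aws_cognito_user_pool" "demo_pool" {
  name = "demo-pool"

  lambda_config {
    pre_token_generation = aws_lambda_function.token_generation_lambda.arn # pool -> Lambda
  }
}

# 2. The Lambda references its execution role.
resource "aws_lambda_function" "token_generation_lambda" {
  function_name = "demo-token-generation"
  role          = aws_iam_role.token_generation_role.arn # Lambda -> role
  handler       = "index.handler"
  runtime       = "python3.9"
  filename      = "token_generation.zip" # assumed local build artifact
}

# 3. The role grants AdminAddUserToGroup. A least-privilege grant scopes
#    Resource to this one pool's ARN, which references the pool: role -> pool.
resource "aws_iam_role" "token_generation_role" {
  name = "demo-token-generation-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "lambda.amazonaws.com" }
    }]
  })

  inline_policy {
    name = "cognito-add-user-to-group"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [{
        Effect   = "Allow"
        Action   = "cognito-idp:AdminAddUserToGroup"
        Resource = aws_cognito_user_pool.demo_pool.arn # closes the cycle
      }]
    })
  }
}
```

`terraform plan` rejects this configuration with a `Cycle:` error naming the three resources. Widening `Resource` to `"*"` removes the reference and therefore the cycle, but grants the Lambda the permission on every pool in the account, which is the trade-off a separate `aws_cognito_user_pool_lambda` resource would avoid.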
Description
I'm struggling with finding a good way to add users to a (newly created) Cognito user pool.
The only way right now (as far as I'm aware) is to add a provisioner block which executes a script using one of the Cognito SDKs.
However, if you have added a `pre_sign_up` lambda which restricts users from signing up, the provisioning script method could fail. If the lambdas would be added after provisioning, this would not be the case.

One solution would be to have the option to explicitly add users to a user pool, as requested in #4542.

Another solution would be to have an `aws_cognito_user_pool_lambda` resource, similar to `aws_cognito_user_group`. As this would (implicitly) depend on the `aws_cognito_user_pool`, the provisioning step would execute before the lambda is added.

A third solution would be to have an optional argument to the `aws_cognito_user_pool` which delays adding the lambda until after provisioning has run. Not sure if this is possible the way Terraform works internally.

New or Affected Resource(s)
Potential Terraform Configuration
option 1
option 2
option 3
References