Open jeffsw opened 1 year ago
This may be easier with https://github.com/hashicorp/terraform-provider-aws/pull/30140 creating the new resource-type aws_cognito_managed_user_pool_client.
Some of this was related to the user_pool_client problem. Re-check the above problems before troubleshooting further. Might still need some permission/role adjustments.
May still be some outstanding work to do. Didn't intend to close this issue.
Currently, our OpenSearch configuration with respect to Cognito is not correct. The master user isn't working. That's because I was having trouble mapping users to roles by any means other than just dividing between authenticated & unauthenticated.
I wonder if this may be a bug in the terraform AWS provider aws_cognito_identity_pool_roles_attachment resource. It doesn't appear role_mapping type = Token is effective. In the AWS Console, here's how it would be configured:
I have that set in Terraform but it doesn't show up that way in the UI. Instead, it says User default role. Seems buggy.
Related: Spurious User Pool Clients
There are three User Pool Clients presently configured (tf resource aws_cognito_user_pool_client) but only one of them is in use. The others appear to be the result of OpenSearch upgrade operations; AWS had to create a new UP-Client to change the login URL(s) to /_dashboards instead of kibana 😵 but it didn't clean up the old ones 😮💨. The unused UP-Clients should be deleted:

User Pool Clients don't have tags so it's hard to detect when they've been created unintentionally. 😠
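An added example (not code from the issue or from terraform-provider-aws) of the Token-type role mapping discussed above, written against the leftover-client situation also described here: the role_mapping key is matched on the full provider string including the client ID, so a mapping keyed to one of the unused clients applies to nothing while the console keeps showing the default role. The region, resource names and IAM roles are assumptions.

```hcl
# Added example, not the issue's own configuration. The region is a placeholder
# and the referenced resources (identity pool, user pool, the one client that
# OpenSearch Dashboards actually logs in through, IAM roles) are assumed names.
locals {
  region = "us-east-1" # placeholder
}

resource "aws_cognito_identity_pool_roles_attachment" "opensearch" {
  identity_pool_id = aws_cognito_identity_pool.opensearch.id

  # The key must be exactly cognito-idp.<region>.amazonaws.com/<user_pool_id>:<client_id>
  # for the client in use. With several leftover clients it is easy to key the
  # mapping to the wrong one; then no token matches and the default role is used.
  role_mapping {
    identity_provider         = "cognito-idp.${local.region}.amazonaws.com/${aws_cognito_user_pool.opensearch.id}:${aws_cognito_user_pool_client.active.id}"
    type                      = "Token"             # take the role from the cognito:preferred_role / cognito:roles claims
    ambiguous_role_resolution = "AuthenticatedRole" # required for Token mappings; fall back to the authenticated role
  }

  # Default roles used when no mapping matches (the authenticated/unauthenticated split).
  roles = {
    "authenticated"   = aws_iam_role.opensearch_authenticated.arn
    "unauthenticated" = aws_iam_role.opensearch_unauthenticated.arn
  }
}

# Token mappings only produce a role if the user pool group carries an IAM role
# ARN; that ARN is what appears in the cognito:preferred_role claim. The role's
# trust policy must allow cognito-identity.amazonaws.com for this identity pool.
resource "aws_cognito_user_group" "opensearch_admins" {
  name         = "opensearch-admins"
  user_pool_id = aws_cognito_user_pool.opensearch.id
  role_arn     = aws_iam_role.opensearch_master.arn
  precedence   = 1
}
```

To confirm what actually landed, `aws cognito-identity get-identity-pool-roles --identity-pool-id <id>` returns RoleMappings keyed by the provider string; if the key's client ID is not the one OpenSearch uses, the mapping is inert regardless of what Terraform reports.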