jeffsw / rpkilog

rpkilog.com web site and tools
MIT License

Fix Cognito configuration for OpenSearch #14

Open jeffsw opened 1 year ago

jeffsw commented 1 year ago

Currently, our OpenSearch configuration with respect to Cognito is not correct. The master user isn't working. That's because I was having trouble mapping users to roles by any means other than just dividing between authenticated & unauthenticated.

I wonder if this may be a bug in the terraform AWS provider aws_cognito_identity_pool_roles_attachment resource. It doesn't appear role_mapping type = Token is effective.

In the AWS Console, here's how it would be configured:

I have that set in Terraform but it doesn't show up that way in the UI. Instead, it says User default role. Seems buggy.

Related: Spurious User Pool Clients

There are three User Pool Clients presently configured (tf resource aws_cognito_user_pool_client) but only one of them is in use. The others appear to be the result of OpenSearch upgrade operations; AWS had to create a new UP-Client to change the login URL(s) to /_dashboards instead of kibana 😵 but it didn't clean up the old ones 😮‍💨. The unused UP-Clients should be deleted:

User Pool Clients don't have tags so it's hard to detect when they've been created unintentionally. 😠
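For reference, here is the shape of the Terraform under discussion, written here as an added illustration (not code from the rpkilog repo): a user-pool group that carries the master IAM role, the identity-pool attachment using `type = "Token"` so that group membership (the `cognito:roles` / `cognito:preferred_role` claims in the ID token) selects the role instead of the authenticated/unauthenticated split, and the domain wired to both pools. All resource names, the region, and the `master` group name are placeholders.

```hcl
# Placeholder names throughout; region and pool identifiers are assumed.
resource "aws_cognito_user_pool" "os" {
  name = "opensearch-users"
}

resource "aws_cognito_identity_pool" "os" {
  identity_pool_name               = "opensearch-identities"
  allow_unauthenticated_identities = false
}

# Group membership is what Token-type role mapping keys on.
# Members of this group get the master role's ARN in cognito:roles.
resource "aws_cognito_user_group" "master" {
  name         = "opensearch-master"
  user_pool_id = aws_cognito_user_pool.os.id
  role_arn     = aws_iam_role.os_master.arn
  precedence   = 1 # lowest value wins when a user is in several groups
}

resource "aws_cognito_identity_pool_roles_attachment" "os" {
  identity_pool_id = aws_cognito_identity_pool.os.id

  # Fallback roles when no Token mapping applies.
  roles = {
    "authenticated"   = aws_iam_role.os_authenticated.arn
    "unauthenticated" = aws_iam_role.os_unauthenticated.arn
  }

  # identity_provider is "<user-pool provider name>:<app client id>";
  # the app client must be the one the domain actually logs in through.
  role_mapping {
    identity_provider         = "${aws_cognito_user_pool.os.endpoint}:${var.opensearch_app_client_id}"
    type                      = "Token"
    ambiguous_role_resolution = "Deny" # fail closed rather than fall back to a guessed role
  }
}

resource "aws_opensearch_domain" "rpkilog" {
  domain_name = "rpkilog"

  cognito_options {
    enabled          = true
    user_pool_id     = aws_cognito_user_pool.os.id
    identity_pool_id = aws_cognito_identity_pool.os.id
    role_arn         = aws_iam_role.os_cognito_access.arn # service role for OpenSearch
  }

  advanced_security_options {
    enabled = true
    master_user_options {
      master_user_arn = aws_iam_role.os_master.arn # same role the group maps to
    }
  }
}
```

To see what the API actually stored rather than what the console renders, run `aws cognito-identity get-identity-pool-roles --identity-pool-id <id>` and check that `RoleMappings` lists the provider with `"Type": "Token"`; if it does, the "User default role" label is a display issue rather than a provider bug.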

jeffsw commented 1 year ago

This may be easier with https://github.com/hashicorp/terraform-provider-aws/pull/30140 creating the new resource-type aws_cognito_managed_user_pool_client.

jeffsw commented 9 months ago

Some of this was related to the user_pool_client problem. Re-check the above problems before troubleshooting further. Might still need some permission/role adjustments.

jeffsw commented 9 months ago

May still be some outstanding work to do. Didn't intend to close this issue.