lgallard / terraform-aws-cognito-user-pool

Terraform module to create Amazon Cognito User Pools, configure its attributes and resources such as app clients, domain, resource servers. Amazon Cognito User Pools provide a secure user directory that scales to hundreds of millions of users.
Apache License 2.0
92 stars, 94 forks

Identity providers keep changing to null #98

Open AutomationD opened 2 years ago

AutomationD commented 2 years ago

Can't figure out what's going on. Any idea why it would change to null after it successfully created one? Thank you.

  # module.user_pool.aws_cognito_identity_provider.identity_provider[0] will be updated in-place
  ~ resource "aws_cognito_identity_provider" "identity_provider" {
      ~ attribute_mapping = {
          - "username" = "sub" -> null
            # (2 unchanged elements hidden)
        }
        id                = "us-west-2_xxxxxxx:Google"
      ~ provider_details  = {
          - "attributes_url"                = "https://people.googleapis.com/v1/people/me?personFields=" -> null
          - "attributes_url_add_attributes" = "true" -> null
          - "authorize_url"                 = "https://accounts.google.com/o/oauth2/v2/auth" -> null
          - "oidc_issuer"                   = "https://accounts.google.com" -> null
          - "token_request_method"          = "POST" -> null
          - "token_url"                     = "https://www.googleapis.com/oauth2/v4/token" -> null
            # (3 unchanged elements hidden)
        }
        # (4 unchanged attributes hidden)
    }

Update:

Removed the resource from the module (obviously it had dynamic values):

resource "aws_cognito_identity_provider" "identity_provider" {
  count         = 1
  user_pool_id  = "us-west-2_XXXXXXX"   # placeholder pool id
  provider_name = "Google"
  provider_type = "Google"

  # Optional arguments
  # Map Google claims onto Cognito user pool attributes.
  attribute_mapping = {
    email          = "email"
    email_verified = "email_verified"
    username       = "sub"
  }
  idp_identifiers  = []
  # Only the caller-supplied keys are set here; Cognito fills in the
  # Google endpoint fields (authorize_url, token_url, ...) on its side.
  provider_details = {
    authorize_scopes = "profile email"
    client_id        = "xxxxxxxxx-xxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com"
    client_secret    = "111"   # placeholder secret
  }
}

Plan/apply twice, fully idempotent (no resource, of course).

Added the resource to the root module (static values, though); same issue as before, it changes provider_details.

AutomationD commented 2 years ago

Seems like this is a known issue https://github.com/hashicorp/terraform-provider-aws/issues/24620.

The workaround is to set those values to null in the parameters {} section: https://github.com/hashicorp/terraform-provider-aws/issues/24620#issuecomment-1222548252

or to the values like this:

provider_details = {
  # Values Cognito populates for a Google provider (taken from the plan output above)
  attributes_url                = "https://people.googleapis.com/v1/people/me?personFields="
  attributes_url_add_attributes = "true"   # provider_details is a map of strings; Cognito reports "true"
  authorize_url                 = "https://accounts.google.com/o/oauth2/v2/auth"
  oidc_issuer                   = "https://accounts.google.com"
  token_request_method          = "POST"
  token_url                     = "https://www.googleapis.com/oauth2/v4/token"
}

It sounds like we may add default values to the lookup via adding a merge in the module, but this is up to you.
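The merge-in-the-module idea from the comment above, written out as an added example (this is not the module's own code and not code from the issue author). It assumes a root module that owns the identity provider directly, a placeholder user pool id, and two hypothetical variables `google_client_id` and `google_client_secret`; the Google default values are the ones Cognito reported in the plan output in this issue.

```hcl
# Added example: per-provider defaults merged into provider_details so the
# fields Cognito fills in for a Google provider are present in configuration
# and no longer show up as "-> null" on every plan.

variable "google_client_id" {
  type = string
}

variable "google_client_secret" {
  type      = string
  sensitive = true   # marked sensitive, but still stored in state: protect the state backend
}

locals {
  # Defaults keyed by provider_type. The Google entry is what Cognito
  # populated in the plan shown in this issue; assumed stable. If a plan ever
  # shows a different value here, that is drift on a federation endpoint and
  # deserves a look rather than a blind update.
  provider_defaults = {
    Google = {
      attributes_url                = "https://people.googleapis.com/v1/people/me?personFields="
      attributes_url_add_attributes = "true"
      authorize_url                 = "https://accounts.google.com/o/oauth2/v2/auth"
      oidc_issuer                   = "https://accounts.google.com"
      token_request_method          = "POST"
      token_url                     = "https://www.googleapis.com/oauth2/v4/token"
    }
  }

  # Caller-facing list, in the shape the issue author used.
  identity_providers = [
    {
      provider_name = "Google"
      provider_type = "Google"
      attribute_mapping = {
        email          = "email"
        email_verified = "email_verified"
        username       = "sub"
      }
      provider_details = {
        authorize_scopes = "profile email"
        client_id        = var.google_client_id
        client_secret    = var.google_client_secret
      }
    },
  ]
}

resource "aws_cognito_identity_provider" "identity_provider" {
  for_each = { for p in local.identity_providers : p.provider_name => p }

  user_pool_id  = "us-west-2_XXXXXXX"   # placeholder pool id, as in the issue
  provider_name = each.value.provider_name
  provider_type = each.value.provider_type

  attribute_mapping = lookup(each.value, "attribute_mapping", {})
  idp_identifiers   = lookup(each.value, "idp_identifiers", [])

  # Defaults for this provider_type first (empty when there are none), then
  # the caller's values, so anything the caller sets explicitly wins.
  provider_details = merge(
    try(local.provider_defaults[each.value.provider_type], {}),
    lookup(each.value, "provider_details", {}),
  )
}
```

Two checks worth doing after adopting this: run `terraform plan` twice and confirm the second plan is empty, and resist the temptation to silence the diff with `lifecycle { ignore_changes = [provider_details] }` instead. Ignoring that attribute would also hide an out-of-band change to `oidc_issuer` or `token_url`, which is exactly the kind of change to a federation endpoint you want a plan to surface.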