
Delay adding the lambda to cognito user pool until after provisioners have run #9358

Closed
nikvaessen opened this issue Jul 16, 2019 · 4 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. stale Old or inactive issues managed by automation, if no further action taken these will get closed.

Comments

@nikvaessen


Description

I'm struggling to find a good way to add users to a (newly created) Cognito user pool.

The only way right now (as far as I'm aware) is to add a provisioner block which executes a script using one of the Cognito SDKs.

However, if you have added a pre_sign_up lambda which restricts users from signing up, the provisioning script method could fail. If the lambdas were added after provisioning, this would not be the case.

One solution would be to have the option to explicitly add users to a user pool, as requested in #4542.

Another solution would be to have an aws_cognito_user_pool_lambda resource, similar to aws_cognito_user_group. As this would (implicitly) depend on the aws_cognito_user_pool the provisioning step would execute before the lambda is added.

A third solution would be to have an optional argument on the aws_cognito_user_pool which delays adding the lambda until after provisioning has run. Not sure if this is possible given the way Terraform works internally.

New or Affected Resource(s)

  • aws_cognito_user_pool
  • aws_cognito_user_pool_lambda
  • aws_cognito_user

Potential Terraform Configuration

option 1

resource "aws_cognito_user_pool" "example" {
  name = "userpool"

  lambda_config {
    pre_sign_up = aws_lambda_function.cognito_pre_signup_lambda.arn
  }
}

resource "aws_lambda_function" "cognito_pre_signup_lambda" {
  filename         = "pre-signup.zip"
  function_name    = "cognito-pre-signup"
  role             = aws_iam_role.iam_lambda.arn
  handler          = "index.handler"
  source_code_hash = filebase64sha256("pre-signup.zip")
  runtime          = "nodejs10.x"
}

# Proposed resource (does not exist in the provider); references the pool declared above
resource "aws_cognito_user" "user1" {
  pool = aws_cognito_user_pool.example.id

  username = "xxx"
  password = "yyy"
  phone    = "+1 zzzzzzzzzzz"
}

option 2

resource "aws_cognito_user_pool" "example" {
  name = "userpool"
}

resource "aws_lambda_function" "cognito_pre_signup_lambda" {
  filename         = "pre-signup.zip"
  function_name    = "cognito-pre-signup"
  role             = aws_iam_role.iam_lambda.arn
  handler          = "index.handler"
  source_code_hash = filebase64sha256("pre-signup.zip")
  runtime          = "nodejs10.x"
}

# Proposed resource (does not exist in the provider); attaches the trigger to the pool declared above
resource "aws_cognito_user_pool_lambda" "pre_signup" {
  pool = aws_cognito_user_pool.example.id

  trigger = "pre-signup"
  lambda  = aws_lambda_function.cognito_pre_signup_lambda.arn
}

option 3

resource "aws_cognito_user_pool" "example" {
  name = "userpool"

  lambda_config {
    pre_sign_up = aws_lambda_function.cognito_pre_signup_lambda.arn
    # Proposed argument (does not exist in the provider)
    add_after_provisioning = true
  }
}

resource "aws_lambda_function" "cognito_pre_signup_lambda" {
  filename         = "pre-signup.zip"
  function_name    = "cognito-pre-signup"
  role             = aws_iam_role.iam_lambda.arn
  handler          = "index.handler"
  source_code_hash = filebase64sha256("pre-signup.zip")
  runtime          = "nodejs10.x"
}


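Added example, not part of the original issue and not code from the provider: a pre sign-up trigger that restricts self-service sign-up without blocking users created through AdminCreateUser (which is what a provisioning script using the Cognito SDK would call). Cognito invokes the same trigger for both paths but sets event["triggerSource"] to "PreSignUp_AdminCreateUser" for the admin path and "PreSignUp_SignUp" for self sign-up, so the handler can gate on that field instead of needing the trigger to be attached after provisioning. The allowed-domain list, the sample events and the user pool ID are constructed for the example.

```python
"""Cognito pre sign-up trigger: allow admin-created users, restrict self sign-up.

Added example for this thread; not the issue author's or the provider's code.
The allowlist and sample events below are constructed.
"""

# Assumption: self-service sign-up is only permitted for these e-mail domains.
ALLOWED_SELF_SIGNUP_DOMAINS = {"example.com"}

# triggerSource values Cognito sends to a pre sign-up Lambda.
ADMIN_CREATE = "PreSignUp_AdminCreateUser"      # AdminCreateUser API (provisioning scripts)
SELF_SIGNUP = "PreSignUp_SignUp"                # SignUp API (self-service)
EXTERNAL_PROVIDER = "PreSignUp_ExternalProvider"  # federated first sign-in


class SignUpDenied(Exception):
    """Raising from the handler makes Cognito reject the sign-up.

    The message is returned to the caller (UserLambdaValidationException),
    so keep it generic: do not leak the allowlist or other policy detail.
    """


def email_domain(user_attributes):
    """Return the lower-cased domain of the 'email' attribute, or None."""
    email = user_attributes.get("email", "")
    if "@" not in email:
        return None
    return email.rsplit("@", 1)[1].lower()


def decide(event):
    """Pure decision function: True if the sign-up should be allowed.

    Admin-created users always pass; self-service and federated sign-ups
    must have an e-mail in an allowed domain; anything else fails closed.
    """
    source = event.get("triggerSource")
    attrs = event.get("request", {}).get("userAttributes", {})
    if source == ADMIN_CREATE:
        return True
    if source in (SELF_SIGNUP, EXTERNAL_PROVIDER):
        domain = email_domain(attrs)
        return domain is not None and domain in ALLOWED_SELF_SIGNUP_DOMAINS
    return False


def handler(event, context):
    """Lambda entry point. Returns the event unchanged (no auto-confirm) or raises."""
    if not decide(event):
        raise SignUpDenied("Sign-up is not permitted for this account.")
    return event


def sample_event(trigger_source, email):
    """Build a constructed pre sign-up event in the shape Cognito sends."""
    return {
        "version": "1",
        "triggerSource": trigger_source,
        "userPoolId": "us-east-1_EXAMPLE",  # constructed, not a real pool
        "userName": email,
        "request": {"userAttributes": {"email": email}},
        "response": {
            "autoConfirmUser": False,
            "autoVerifyEmail": False,
            "autoVerifyPhone": False,
        },
    }
```

With this handler the trigger can be attached in the same apply as the pool; a local-exec provisioner that calls AdminCreateUser still succeeds while direct SignUp calls from outside the allowlisted domains are rejected. If the policy must also apply to admin-created users, the triggerSource branch is the one place to tighten.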
@nikvaessen nikvaessen added the enhancement Requests to existing resources that expand the functionality or scope. label Jul 16, 2019
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jul 16, 2019
@dansimau

dansimau commented Dec 9, 2020

I have run into a second use case that requires the lambdas to be configured after the pool is initially created:

  • I create an aws_cognito_user_pool resource
  • I create a pre-signup lambda that I want to be configured on the aws_cognito_user_pool resource
  • I want to include the user pool ID as an environment variable of the lambda function

I can't achieve the above because it creates a dependency cycle (see also: hashicorp/terraform#27188).

This cycle issue would be solved using the option 2 design proposed by @nikvaessen.

@breathingdust breathingdust removed the needs-triage Waiting for first response or review from a maintainer. label Sep 17, 2021
@dennisameling

Option 2 would also fix our use case. We have the following three resources:

  • aws_cognito_user_pool - the pool itself
  • aws_lambda_function - a token generation Lambda which is passed to the aws_cognito_user_pool as:
  lambda_config {
    pre_token_generation = aws_lambda_function.token_generation_lambda.arn
  }
  • aws_iam_role - a role that grants the cognito-idp:AdminAddUserToGroup permission to the Lambda. We dynamically add users to groups if they're not part of one yet, so the Lambda needs this permission. This role is passed to the aws_lambda_function resource.


Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Dec 26, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jan 26, 2025

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 26, 2025