aws_cognito_resource_server API does not match the AWS API #15443
Comments
Hi @pll 👋 Thank you for raising this. At first look, I was a little confused by this report because the

To further understand how to help you, it would be helpful to understand the final configuration you are looking to achieve and how it does not work correctly today. Can you please show more details? Thanks.

Aside: The Terraform configuration language specification cannot support the proposed configuration since blocks can only contain identifiers (arguments). An alternative implementation of the following may be possible (directly a list of maps); however, this is not a pattern that is well used in the Terraform ecosystem, and it would require a lot of additional resource logic to attempt implementing validations, etc., since this is outside the standard definition of an open-ended key-value map:

```hcl
# Example configuration directly using a list of maps.
# This example is not a pattern recommended in Terraform Providers given
# schema handling complexities and untested behaviors in the Terraform
# plan difference handling. Instead, configuration blocks are recommended.
resource "aws_cognito_resource_server" "example" {
  # ... other configuration ...
  scope = [
    {
      scope_name        = "SCOPE_ONE"
      scope_description = "First Scope"
    },
    {
      scope_name        = "SCOPE_TWO"
      scope_description = "Second Scope"
    }
  ]
}
```
Hi @bflad, the problem is that it's an unordered list, which, to me, does not guarantee any kind of order. Therefore, let's take the following scenario:

Currently, I have no reliable means of doing that short of explicitly assigning each scope by name like this:

If you look at how the state file gets set, it looks like this:

So, despite the fact that I defined

and reliably expect to get, I'm forced to do this:

Make sense? Thanks.
👋 Just wanted to follow up on this as we've been having issues with this as well. As @pll says, the problem is I wonder if a map indexed by scope name would be a more sensible way of representing this? That would still allow iteration, but would also allow you to refer to a scope thus:

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label. If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!
Affected Resource(s)
Description
The current documentation for the resource aws_cognito_resource_server specifies that custom scopes should be defined using scope {} blocks, which are maps with the keys scope_name and scope_description.

However, both Boto3 and the AWS API specify that scopes should be defined as a list of maps:

The problem with the current implementation in Terraform is that, when assigning custom scopes to an aws_cognito_user_pool_client resource, the allowed_oauth_scopes argument takes a list of strings. This means that, if I knew the order of the list the scopes were added in, I could simply index into the list. Unfortunately, the current implementation does not indicate any order for the resulting list aws_cognito_resource_server.foo.scope_identifiers, which makes indexing into the list unreliable. At present, the best alternative I have is to concoct the name of the specific scope I wish to add to my app client by using something like this:

This is not ideal, since, if I need to change the name of the scope, I now have to do so in multiple places.

I think a better solution would be to define custom scopes according to the AWS API like this:

Presumably, this would then result in aws_cognito_resource_server.foo.scope_identifiers being a list of all scopes configured for this resource server in the format identifier/scope_name, and in the order defined by the scope list declaration.

References
https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/create-resource-server.html
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cognito-idp.html#CognitoIdentityProvider.Client.create_resource_server
Thanks,
Paul
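The name-based workaround the post describes, carried through to a complete configuration, as an added example that is not part of the original issue, the provider's documentation, or any code from the thread. It keeps the scope names in one local map, generates the scope {} blocks from it, and builds each client's allowed_oauth_scopes from the same map in the identifier/scope_name format the post says scope_identifiers uses, so a rename happens in one place and nothing depends on the order of scope_identifiers. The resource server identifier, scope names and descriptions, the user pool, and the client_credentials flow are assumed placeholders.

```hcl
# Added example (not from the issue or the provider docs). Single-source the
# custom scope names so that the resource server and every app client that
# references a scope derive it from one definition. All names are assumed.
locals {
  resource_server_identifier = "https://api.example.com"

  # scope_name => scope_description
  custom_scopes = {
    "orders.read"  = "Read orders"
    "orders.write" = "Create and update orders"
  }
}

resource "aws_cognito_user_pool" "example" {
  name = "example-pool"
}

resource "aws_cognito_resource_server" "example" {
  identifier   = local.resource_server_identifier
  name         = "example-resource-server"
  user_pool_id = aws_cognito_user_pool.example.id

  # One scope {} block per map entry. The iteration order is irrelevant
  # because nothing below indexes into scope_identifiers by position.
  dynamic "scope" {
    for_each = local.custom_scopes
    content {
      scope_name        = scope.key
      scope_description = scope.value
    }
  }
}

locals {
  # scope_name => "identifier/scope_name", the format the issue describes for
  # scope_identifiers. Building it from the resource's identifier attribute
  # also gives every client an implicit dependency on the resource server, so
  # the scopes exist before Cognito validates a client's scope list.
  scope_id = {
    for name, _ in local.custom_scopes :
    name => "${aws_cognito_resource_server.example.identifier}/${name}"
  }
}

# A least-privilege client: exactly one scope, selected by name. A misspelled
# key fails at plan time instead of silently binding to another scope.
resource "aws_cognito_user_pool_client" "orders_reader" {
  name            = "orders-reader"
  user_pool_id    = aws_cognito_user_pool.example.id
  generate_secret = true

  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_flows                  = ["client_credentials"]
  allowed_oauth_scopes                 = [local.scope_id["orders.read"]]
}

# A client that legitimately needs every custom scope: take the full list from
# the same map rather than copying scope_identifiers.
resource "aws_cognito_user_pool_client" "orders_admin" {
  name            = "orders-admin"
  user_pool_id    = aws_cognito_user_pool.example.id
  generate_secret = true

  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_flows                  = ["client_credentials"]
  allowed_oauth_scopes                 = values(local.scope_id)
}
```

The point of looking scopes up by key rather than by position is the failure mode: `local.scope_id["orders.raed"]` stops `terraform plan` with an invalid index error, whereas `aws_cognito_resource_server.example.scope_identifiers[0]` would grant whichever scope the provider happens to list first, and could quietly widen a client's access when a scope is added or renamed. Renaming a scope means editing one key in local.custom_scopes and the lookups that name it; the plan then shows every client whose permissions change.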