aws_cognito_user_pool is missing arn attribute #2657

Closed
serialseb opened this issue Dec 13, 2017 · 8 comments · Fixed by #2723

@serialseb

serialseb commented Dec 13, 2017

Terraform Version

Terraform v0.11.1
+ provider.acme v0.4.0
+ provider.aws v1.5.0
+ provider.null v1.0.0
+ provider.template v1.0.0
+ provider.tls v1.0.1

Affected Resource(s)

  • aws_cognito_user_pool

Expected Behavior

Creating a user pool using a cloudformation stack returns the id and the arn for the resource, which is needed for creating user pool clients. That arn is not exposed on the resource.

Workaround

I can rebuild the arn manually using the following snippet.

data "aws_caller_identity" "current" {}
data "aws_region" "current" { current = true }

output "arn" {
  value = "arn:aws:cognito-idp:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:userpool/${aws_cognito_user_pool.user_pool.id}"
}

@loivis
Contributor

loivis commented Dec 18, 2017

Arn doesn't seem like a native attribute from go-sdk and aws api.
http://docs.aws.amazon.com/sdk-for-go/api/service/cognitoidentityprovider/#UserPoolType
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html
CloudFormation is quite likely doing some extra work.
I think we need to populate from resource and output arn?

@apparentlymart apparentlymart added the enhancement Requests to existing resources that expand the functionality or scope. label Dec 20, 2017
@apparentlymart
Member

Hi all!

We generally prefer it when the underlying API produces an ARN for us which we can just return, but there have been a few cases already where the ARN format has existed only in documentation but yet a full ARN is required for some other API, so there is precedent for Terraform resource code to produce synthetic arn attributes where they are useful.

I'm not personally familiar with Cognito enough to know what ARN format is expected, but if there's a well-documented ARN format in the docs somewhere then some logic to construct a string consistent with that format would be welcomed.

The Terraform team at HashiCorp won't be able to work on this in the near future due to our focus being elsewhere, but we'd be happy to review a pull request if you or someone else has the time and motivation to implement it. Alternatively, if others would also like to see this implemented I'd encourage adding a 👍 upvote reaction to the original issue comment (not to this comment), which we use as one of the inputs to prioritize work for the Terraform team.

@bflad
Contributor

bflad commented Dec 20, 2017

@apparentlymart FYI this AWS documentation has most of the available ARN formats, here specifically is Cognito user pools: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-aws-cognito-idp

Syntax:
arn:aws:cognito-idp:region:account-id:userpool/user-pool-id

I can submit a quick PR to synthesize this in the resource for now.
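
Building the ARN from the syntax quoted above, as an added Go example (not the code from the PR or from the provider). The function name `UserPoolARN`, the partition parameter (which generalizes the hardcoded `aws` in the workaround), the sample values, and the check that the pool ID's region prefix matches the region argument are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed input shapes: a 12-digit account ID and a user pool ID of the
// form "<region>_<suffix>" (assumption: the ID is prefixed with its region).
var (
	accountRe = regexp.MustCompile(`^[0-9]{12}$`)
	poolIDRe  = regexp.MustCompile(`^([a-z0-9-]+)_[0-9A-Za-z]+$`)
)

// UserPoolARN synthesizes
// arn:<partition>:cognito-idp:<region>:<account-id>:userpool/<user-pool-id>
// and rejects inconsistent inputs instead of emitting an ARN that would
// silently match nothing (or the wrong pool) in an IAM policy.
func UserPoolARN(partition, region, accountID, poolID string) (string, error) {
	if partition == "" {
		return "", fmt.Errorf("partition is empty")
	}
	if !accountRe.MatchString(accountID) {
		return "", fmt.Errorf("account id %q is not 12 digits", accountID)
	}
	m := poolIDRe.FindStringSubmatch(poolID)
	if m == nil {
		return "", fmt.Errorf("user pool id %q is malformed", poolID)
	}
	if m[1] != region {
		return "", fmt.Errorf("pool id region %q does not match %q", m[1], region)
	}
	return strings.Join([]string{"arn", partition, "cognito-idp", region,
		accountID, "userpool/" + poolID}, ":"), nil
}

func main() {
	// Constructed sample values, not taken from the issue.
	arn, err := UserPoolARN("aws", "eu-west-1", "123456789012", "eu-west-1_EXAMPLE01")
	fmt.Println(arn, err)
	// Region argument disagrees with the pool ID prefix: rejected.
	_, err = UserPoolARN("aws", "us-east-1", "123456789012", "eu-west-1_EXAMPLE01")
	fmt.Println(err)
}
```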

@bflad
Contributor

bflad commented Dec 20, 2017

PR submitted: #2723

@tomelliff
Contributor

tomelliff commented Jan 5, 2018

@serialseb Out of curiosity why do you think that the user pool apps/clients need the ARN of the user pool? Looking at the docs it needs the user pool id and the client name only as required fields. I'm currently working on adding a Terraform resource for user pool app clients right now so this request surprises me a little.

@serialseb
Author

From memory, apply when creating the domain was failing if passed the id, although this is using a null_resource with the aws cli.

@bflad
Contributor

bflad commented Jan 12, 2018

This has been released in terraform-provider-aws version 1.7.0. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@bflad bflad added this to the v1.7.0 milestone Jan 12, 2018
@ghost

ghost commented Apr 8, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 8, 2020