Add aws_cognito_user resource #4542

Closed
posener opened this issue May 15, 2018 · 9 comments · Fixed by #19919
Labels
enhancement Requests to existing resources that expand the functionality or scope. new-resource Introduces a new resource.

@posener

posener commented May 15, 2018

Description

Currently aws_cognito has an aws_cognito_user_group resource which represents a group of users. In the AWS IDP console there is an option to create a user and assign it to groups. Currently Terraform does not support this, and the user needs to be created manually.

New or Affected Resource(s)

  • aws_cognito_user


@bill-rich bill-rich added the enhancement Requests to existing resources that expand the functionality or scope. label May 15, 2018
@bflad bflad added service/cognito new-resource Introduces a new resource. labels May 18, 2018
@SidneyNiccolson

Hello,

I was wondering if there are any updates on this? I'm facing a similar issue and tried a null_resource with local-exec workaround. However I'm using Terraform Cloud and it seems that the aws-cli is not available. Code:

resource "null_resource" "cognito_user" {
  count = length(var.users)
  triggers = {
    user_pool_id = aws_cognito_user_pool.pool.id
  }

  provisioner "local-exec" {
    command = "aws cognito-idp admin-create-user --user-pool-id ${aws_cognito_user_pool.pool.id} --username ${element(var.users, count.index)}"
  }
}

Error output: "module.cognito.null_resource.cognito_user[0] (local-exec): /bin/sh: 1: aws: not found"

On my local machine I verified that the AWS CLI is installed, but I do prefer using Terraform Cloud.

@tomelliff
Contributor

You can install more software on the Terraform cloud workers although it is discouraged where you can avoid it. There's more information written up here.

@confiq

confiq commented Feb 4, 2020

yeah, good luck when you have to delete users...

@RustamGimadiev

RustamGimadiev commented Oct 20, 2020

my two cents here, just used the workaround above with some changes

# One group per distinct "group" value in var.cognito_users (default: "read-only").
resource "aws_cognito_user_group" "this" {
  for_each = toset(distinct(values(
    {
      for k, v in var.cognito_users :
      k => lookup(v, "group", "read-only")
    }
  )))
  name         = each.value
  user_pool_id = module.cognito.pool_id
}

resource "null_resource" "cognito_users" {
  depends_on = [aws_cognito_user_group.this]
  for_each = {
    for k, v in var.cognito_users :
    v.username => v
  }
  # Destroy-time provisioners may only reference self, count.index and each.key,
  # so the region and pool ID are kept in triggers for the delete command.
  triggers = {
    region       = var.aws_region
    user_pool_id = module.cognito.pool_id
  }
  # Create the user, then add it to its group.
  provisioner "local-exec" {
    command = "aws --region ${var.aws_region} cognito-idp admin-create-user --user-pool-id ${module.cognito.pool_id} --username ${each.key} --user-attributes Name=email,Value=${each.value.email}"
  }
  provisioner "local-exec" {
    command = "aws --region ${var.aws_region} cognito-idp admin-add-user-to-group --user-pool-id ${module.cognito.pool_id} --username ${each.key} --group-name ${lookup(each.value, "group", "read-only")}"
  }
  # Delete the user when the null_resource is destroyed.
  provisioner "local-exec" {
    when    = destroy
    command = "aws --region ${self.triggers.region} cognito-idp admin-delete-user --user-pool-id ${self.triggers.user_pool_id} --username ${each.key}"
  }
}

@vanschroeder

> yeah, good luck when you have to delete users...

That's a good point. A better solution might be to use an aws_s3_bucket_object containing the user settings, which can both create and destroy the user via a handy lambda s3 lifecycle trigger which performs the cognito-idp admin command.

pjroth pushed a commit to pjroth/terraform-provider-aws that referenced this issue Oct 11, 2021
Renamed resource to aws_cognito_user_pool_user

PR: hashicorp#19919
Issue: hashicorp#4542
@TommasoBianchi

Hi everyone, any updates on this? I see there's an open PR (#19919), but it seems to have gone stale (there's been no active development for a while now).

@rtim75
Contributor

rtim75 commented Jan 17, 2022

@TommasoBianchi I'm the author of #19919. I'm waiting for the second review and answers to questions regarding resetting users' passwords.

@github-actions github-actions bot added this to the v4.0.0 milestone Feb 2, 2022
@github-actions

This functionality has been released in v4.0.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
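
With provider v4.0.0 or later, the local-exec workarounds earlier in this thread can be replaced by native resources, so no user-supplied value is interpolated into a shell command and deletions are tracked in state. This is an added example, not code from the thread or the provider project; the pool name, the shape of `var.cognito_users` and the assumption that the installed provider version also ships `aws_cognito_user_in_group` are illustrative.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0.0" # release that added aws_cognito_user, per this thread
    }
  }
}

# Constructed sample shape, mirroring the workaround's var.cognito_users.
variable "cognito_users" {
  type = list(map(string)) # keys: username, email, optional group
}

locals {
  users  = { for u in var.cognito_users : u.username => u }
  groups = toset([for u in var.cognito_users : lookup(u, "group", "read-only")])
}

resource "aws_cognito_user_pool" "pool" {
  name = "example-pool" # placeholder name
}

resource "aws_cognito_user_group" "this" {
  for_each     = local.groups
  name         = each.value
  user_pool_id = aws_cognito_user_pool.pool.id
}

resource "aws_cognito_user" "this" {
  for_each     = local.users
  user_pool_id = aws_cognito_user_pool.pool.id
  username     = each.key

  # No password argument is set, so none is written to configuration or state;
  # Cognito generates a temporary password and sends the invitation by email.
  desired_delivery_mediums = ["EMAIL"]
  attributes               = { email = each.value.email }
}

# Assumption: aws_cognito_user_in_group is available in the provider version in use.
resource "aws_cognito_user_in_group" "this" {
  for_each     = local.users
  user_pool_id = aws_cognito_user_pool.pool.id
  username     = aws_cognito_user.this[each.key].username
  group_name   = aws_cognito_user_group.this[lookup(each.value, "group", "read-only")].name
}
```

Removing an entry from `var.cognito_users` then destroys the user and its group membership through the provider, which is the deletion case the workaround handled poorly.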

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 14, 2022