Terraform support for Add Permission API when creating a Cognito Userpool #8373
Comments
Hi,

We updated our module that creates the lambda to create lambda permission at the same time. Something like this:

```hcl
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  current_account = data.aws_caller_identity.current.account_id
  current_region  = data.aws_region.current.name
}

resource "aws_lambda_permission" "this" {
  statement_id  = "AllowExecutionFromCognito"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.this.function_name
  principal     = "cognito-idp.amazonaws.com"
  source_arn    = "arn:aws:cognito-idp:${local.current_region}:${local.current_account}:userpool/*"
}
```

We tried using a wildcard for the region in I am still not sure if I propose that instead a prominent note is added to the documentation of
FYI, this is still an issue in terraform 1.0.11. That is...
Grant cognito lambda execution permission for each defined trigger. This is to work around a known bug in the AWS provider. hashicorp/terraform-provider-aws#8373
This issue was originally opened by @EltonPaka as hashicorp/terraform#21046. It was migrated here as a result of the provider split. The original body of the issue is below.
Current Terraform Version
Use-cases
When creating a Cognito userpool with terraform and adding the Lambda triggers, the operation completes successfully; however, when checking the Cognito console, the triggers seem to not be associated with the userpool. Upon investigation, we realized that Cognito needs permission to invoke the function and just adding it in the lambda config in the terraform script is not enough. According to Cognito's documentation: "You'll need to make an additional call to add permission for Cognito to invoke your Lambda function." Looking at the terraform logs, this call is not performed at all, although the response suggests that the call was successful.
Attempted Solutions
The explored solution at this time is to manually associate the triggers in the Cognito console or to make the add-permission calls separately after the userpool has been created.
Proposal
When creating the userpool through terraform, it should have logic to add those permissions within this operation instead of requiring a separate call or manually associating the triggers.
References
https://www.terraform.io/docs/providers/aws/r/cognito_user_pool.html
https://www.terraform.io/docs/providers/aws/r/lambda_permission.html
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html#CognitoUserPools-CreateUserPool-request-LambdaConfig
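The following is an added example, not code from the issue or from the AWS provider, showing the workaround the linked commits describe: one `aws_lambda_permission` per defined trigger, created alongside the user pool. Unlike the `userpool/*` wildcard in the comment above, `source_arn` is scoped to this pool's own ARN, so only this pool can invoke the functions. The Lambda resource names (`pre_sign_up`, `post_confirmation`) and the pool name are placeholders assumed to be defined elsewhere in the configuration.

```hcl
# Added example (not from the issue or the provider). Assumes
# aws_lambda_function.pre_sign_up and aws_lambda_function.post_confirmation
# exist elsewhere in this configuration.

locals {
  # Trigger name -> Lambda ARN. Keys match the lambda_config attribute names,
  # so adding a trigger means adding one entry here and one line below.
  cognito_triggers = {
    pre_sign_up       = aws_lambda_function.pre_sign_up.arn
    post_confirmation = aws_lambda_function.post_confirmation.arn
  }
}

resource "aws_cognito_user_pool" "this" {
  name = "example-pool" # placeholder

  lambda_config {
    pre_sign_up       = local.cognito_triggers.pre_sign_up
    post_confirmation = local.cognito_triggers.post_confirmation
  }
}

# One lambda:InvokeFunction grant per trigger. source_arn is the pool's ARN,
# not a userpool/* wildcard, so a pool in another account or region cannot
# invoke these functions. statement_id includes the trigger name so it stays
# unique when the same function serves more than one trigger.
resource "aws_lambda_permission" "cognito_trigger" {
  for_each = local.cognito_triggers

  statement_id  = "AllowCognito-${each.key}"
  action        = "lambda:InvokeFunction"
  function_name = each.value
  principal     = "cognito-idp.amazonaws.com"
  source_arn    = aws_cognito_user_pool.this.arn
}
```

After `terraform apply`, the grant can be confirmed with `aws lambda get-policy --function-name <function>`; the returned policy should contain a statement with `Principal` `cognito-idp.amazonaws.com` and an `AWS:SourceArn` condition equal to the pool ARN. There is no dependency cycle here because the Lambda functions do not reference the pool; the permission resources depend on the pool ARN, and the pool depends on the function ARNs.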