
Terraform support for Add Permission API when creating a Cognito Userpool #8373

Open
ghost opened this issue Apr 18, 2019 · 3 comments
Labels
documentation Introduces or discusses updates to documentation. enhancement Requests to existing resources that expand the functionality or scope. service/lambda Issues and PRs that pertain to the lambda service.

Comments

@ghost

ghost commented Apr 18, 2019

This issue was originally opened by @EltonPaka as hashicorp/terraform#21046. It was migrated here as a result of the provider split. The original body of the issue is below.


Current Terraform Version

0.11.11

Use-cases

When creating a Cognito user pool with Terraform and adding the Lambda triggers, the operation completes successfully; however, when checking the Cognito console, the triggers seem not to be associated with the user pool. Upon investigation, I realized that Cognito needs permission to invoke the function, and just adding it in the lambda config in the Terraform script is not enough. According to Cognito's documentation, you'll need to make an additional call to add permission for Cognito to invoke your Lambda function. Looking at the Terraform logs, this call is not performed at all, although the response suggests that the call was successful.

Attempted Solutions

The explored solution at this time is to manually associate the triggers in the Cognito console or to make the AddPermission calls separately after the user pool has been created.

Proposal

When creating the user pool through Terraform, it should have logic to add those permissions within this operation instead of making a separate call or manually associating the triggers.

References

https://www.terraform.io/docs/providers/aws/r/cognito_user_pool.html
https://www.terraform.io/docs/providers/aws/r/lambda_permission.html
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html#CognitoUserPools-CreateUserPool-request-LambdaConfig
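A complete version of the pattern the issue describes, written for this page as an added example (it is not code from the issue, the provider documentation or any module named in this thread): one user pool with a single trigger, plus the `aws_lambda_permission` statement that `CreateUserPool` does not add for you. It goes one step beyond the thread in that `source_arn` is the ARN of the one pool that should be allowed to invoke the function rather than a `userpool/*` wildcard. Every name in it (the role, function, pool and statement IDs), the runtime and the package path `pre_sign_up.zip` are assumptions.

```hcl
# Added example, not code from the issue or the AWS provider.
# Assumed names: lambda_exec, pre_sign_up, this; assumed package pre_sign_up.zip.

# Execution role for the trigger function (only the Lambda service may assume it).
resource "aws_iam_role" "lambda_exec" {
  name = "cognito-trigger-exec"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# CloudWatch Logs permissions so the trigger's invocations are observable.
resource "aws_iam_role_policy_attachment" "lambda_logs" {
  role       = aws_iam_role.lambda_exec.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

# The trigger function itself; pre_sign_up.zip is an assumed, pre-built package.
resource "aws_lambda_function" "pre_sign_up" {
  function_name = "cognito-pre-sign-up"
  role          = aws_iam_role.lambda_exec.arn
  handler       = "index.handler"
  runtime       = "python3.12"
  filename      = "pre_sign_up.zip"
}

# Wiring the trigger into the pool is only half the job: this stores the
# function ARN in LambdaConfig but grants Cognito nothing on the function.
resource "aws_cognito_user_pool" "this" {
  name = "example-pool"

  lambda_config {
    pre_sign_up = aws_lambda_function.pre_sign_up.arn
  }
}

# The resource-policy statement the issue asks the provider to add. Without it
# the Cognito service principal is never allowed to call InvokeFunction.
resource "aws_lambda_permission" "cognito_pre_sign_up" {
  statement_id  = "AllowInvokeFromCognitoUserPool"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.pre_sign_up.function_name
  principal     = "cognito-idp.amazonaws.com"

  # Scoped to this pool's ARN rather than ".../userpool/*": the wildcard form
  # lets any user pool in the account and region invoke the function.
  source_arn = aws_cognito_user_pool.this.arn
}
```

After `terraform apply`, confirm the statement actually landed with `aws lambda get-policy --function-name cognito-pre-sign-up`: the returned policy should contain a statement whose `Principal` is `cognito-idp.amazonaws.com` and whose `AWS:SourceArn` condition equals the pool ARN, and `aws cognito-idp describe-user-pool --user-pool-id <id> --query UserPool.LambdaConfig` should show the trigger mapping. Because `source_arn` references the pool, the permission is created after the pool; if your provider version really needs the grant in place before the pool exists, as later comments in this thread suspect, use the region- and account-scoped `userpool/*` form posted below and add `depends_on` on the pool instead.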

@aeschright aeschright added the needs-triage Waiting for first response or review from a maintainer. label Jun 24, 2019
@aeschright aeschright added service/lambda Issues and PRs that pertain to the lambda service. enhancement Requests to existing resources that expand the functionality or scope. and removed needs-triage Waiting for first response or review from a maintainer. labels Dec 13, 2019
@bdellegrazie

Hi,
Just for context, I know this is a very old ticket but the issue still exists in Terraform 0.14.11 - that is, the initial assignment of triggers to the Cognito user pool seems to fail and they must be manually assigned in the AWS Console for the lambda to be actually triggered on the relevant event.

@sergei-ivanov (Contributor)

We updated our module that creates the lambda to create lambda permission at the same time. Something like this:

```hcl
# Account and region of the deploying credentials, used to build the source ARN.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  current_account = data.aws_caller_identity.current.account_id
  current_region  = data.aws_region.current.name
}

# Resource-policy statement on the function: lets the Cognito service principal
# invoke it on behalf of any user pool in this account and region.
resource "aws_lambda_permission" "this" {
  statement_id  = "AllowExecutionFromCognito"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.this.function_name
  principal     = "cognito-idp.amazonaws.com"
  source_arn    = "arn:aws:cognito-idp:${local.current_region}:${local.current_account}:userpool/*"
}
```

We tried using a wildcard for the region in source_arn, but it was rejected. Looks like one needs to specify both region and account explicitly.

I am still not sure if aws_cognito_user_pool resource should be responsible for creating lambda permissions automatically. That looks like a major complication in the lifecycle logic of the resource.

I propose that instead a prominent note is added to the documentation of aws_cognito_user_pool with a code fragment like above.

@DrFaust92 DrFaust92 added the documentation Introduces or discusses updates to documentation. label Sep 18, 2021
@jeffreymlewis

FYI, this is still an issue in Terraform 1.0.11. That is...

> the initial assignment of triggers to the Cognito user pool seems to fail and they must be manually assigned in the AWS Console for the lambda to be actually triggered on the relevant event.

jeffreymlewis added a commit to jeffreymlewis/terraform-aws-cognito-user-pool that referenced this issue Jul 11, 2022
Grant cognito lambda execution permission for each defined trigger. This
is to work around a known bug in the AWS provider.
hashicorp/terraform-provider-aws#8373
7 participants