5 votes

Currently stuck in the mud with trying to set up an 'app client' for an AWS Cognito User Pool through Terraform. Here is my resource as it stands:

resource "aws_cognito_user_pool" "notes-pool" {
  name                = "notes-pool"
  username_attributes = ["email"]   # users sign in with their e-mail address

  verification_message_template {
    default_email_option = "CONFIRM_WITH_CODE"
  }

  password_policy {
    minimum_length    = 10
    require_lowercase = false
    require_numbers   = true
    require_symbols   = false
    require_uppercase = true
  }

  # Terraform 0.12+ syntax: tags is a map argument, not a nested block
  tags = {
    Name        = "notes-pool"
    Environment = "production"
  }
}

The above works just fine, and my user pool is created. If anybody has any ideas on how to create an app client in the same resource, I'm all ears. I'm beginning to suspect that this functionality doesn't exist!

3 Answers

6 votes

I believe this was just added to the most recent version of Terraform. You could do something like the following to add a client to your user pool:

resource "aws_cognito_user_pool_client" "client" {
  name = "client"
  # the pool declared in the question (Terraform 0.12+ expression syntax)
  user_pool_id = aws_cognito_user_pool.notes-pool.id
  # a secret only suits a confidential (server-side) client; browser and
  # mobile apps cannot keep one, so they use generate_secret = false
  generate_secret = true
  # ADMIN_NO_SRP_AUTH sends the password directly and needs IAM credentials
  # on the caller; its newer name is ALLOW_ADMIN_USER_PASSWORD_AUTH
  explicit_auth_flows = ["ADMIN_NO_SRP_AUTH"]
}

See here for the docs: Terraform entry on aws_cognito_user_pool_client

3 votes

UPDATE - this is now supported by Terraform. See @cyram's answer.

This feature is not currently supported by Terraform.

There is an open issue on GitHub where this has been requested (give it a thumbs up if you would benefit from this feature).

Until support is added, the best option is to use the local-exec provisioner to create the user pool via the CLI once the resource is created:

resource "aws_cognito_user_pool" "notes-pool" {
  name = "notes-pool"

  username_attributes = ["email"]
  ...

  # Runs once, on the machine running terraform, right after the pool is
  # created. Use self.id here: a resource cannot reference itself by name.
  # The client created this way is NOT tracked in Terraform state, so no
  # drift detection applies to it and `terraform destroy` will not remove it.
  provisioner "local-exec" {
    command = <<EOF
aws cognito-idp create-user-pool-client \
  --user-pool-id ${self.id} \
  --client-name client-name \
  --no-generate-secret \
  --explicit-auth-flows ADMIN_NO_SRP_AUTH
EOF
  }
}

Please note that in order to use this you must have the AWS CLI installed and authenticated (I use environment variables to authenticate with both Terraform and the AWS CLI).
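The following is an added example, not code from either answer above or from the Terraform provider documentation. It declares the app client natively, as the first answer suggests, so the client lives in Terraform state instead of behind the local-exec shell-out of the second answer, and it extends the minimal resource with the settings a reviewer would ask about: a confidential client versus a public client, SRP instead of plaintext-password flows for the browser, user-enumeration protection, and bounded token lifetimes. It assumes the `aws_cognito_user_pool.notes-pool` resource from the question and Terraform 0.12+ syntax; the resource labels `server` and `browser`, the client names, the token lifetimes and the output names are this example's own choices.

```hcl
# Added example (not from the original post or the provider docs). Assumes
# aws_cognito_user_pool.notes-pool from the question; labels, client names,
# token lifetimes and output names are illustrative choices.

# Confidential client for a backend service. It holds a client secret and
# uses the admin (server-side) flow, which requires IAM credentials on the
# caller, so it must never be shipped to a browser or mobile app.
resource "aws_cognito_user_pool_client" "server" {
  name         = "notes-server"
  user_pool_id = aws_cognito_user_pool.notes-pool.id

  generate_secret = true

  # ALLOW_* names; ALLOW_ADMIN_USER_PASSWORD_AUTH is the successor of
  # ADMIN_NO_SRP_AUTH. Legacy and ALLOW_* names cannot be mixed in one
  # client, and refresh must be enabled explicitly with the ALLOW_* set.
  explicit_auth_flows = [
    "ALLOW_ADMIN_USER_PASSWORD_AUTH",
    "ALLOW_REFRESH_TOKEN_AUTH",
  ]

  # Same generic error for "wrong password" and "no such user", so the
  # sign-in endpoint cannot be used to enumerate accounts.
  prevent_user_existence_errors = "ENABLED"

  # Short-lived access/ID tokens, a bounded refresh window, and revocable
  # refresh tokens.
  access_token_validity  = 15
  id_token_validity      = 15
  refresh_token_validity = 7
  token_validity_units {
    access_token  = "minutes"
    id_token      = "minutes"
    refresh_token = "days"
  }
  enable_token_revocation = true
}

# Public client for a single-page app: no secret (JavaScript cannot keep
# one confidential) and SRP only, so the password never leaves the
# browser in clear text.
resource "aws_cognito_user_pool_client" "browser" {
  name         = "notes-browser"
  user_pool_id = aws_cognito_user_pool.notes-pool.id

  generate_secret = false

  explicit_auth_flows = [
    "ALLOW_USER_SRP_AUTH",
    "ALLOW_REFRESH_TOKEN_AUTH",
  ]

  prevent_user_existence_errors = "ENABLED"

  access_token_validity  = 15
  id_token_validity      = 15
  refresh_token_validity = 1
  token_validity_units {
    access_token  = "minutes"
    id_token      = "minutes"
    refresh_token = "days"
  }
  enable_token_revocation = true

  # Limit which profile attributes the SPA may read and write.
  read_attributes  = ["email", "email_verified"]
  write_attributes = ["email"]
}

output "server_client_id" {
  value = aws_cognito_user_pool_client.server.id
}

# The secret is written to state regardless; sensitive = true only keeps
# it out of plan/apply output, so the state backend must be protected too.
output "server_client_secret" {
  value     = aws_cognito_user_pool_client.server.client_secret
  sensitive = true
}
```

Two design points worth keeping in mind: both clients set `prevent_user_existence_errors = "ENABLED"` because the default legacy behaviour returns `UserNotFoundException`, which lets an unauthenticated caller test which e-mail addresses have accounts; and the browser client deliberately omits `ALLOW_USER_PASSWORD_AUTH`, since that flow transmits the password in the request body and is only appropriate where SRP cannot be used.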

-1 votes

Once the user pool is created, you can use the create-user-pool-client API to create an app client within the user pool. Please refer to the API documentation: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html