
I am creating a Cognito User Pool, User Pool client and domain with terraform. If there is an update to the cognito user pool (e.g. attributes), terraform needs to destroy and re-create the three resources; however, terraform apply fails with an error during destroy of aws_cognito_user_pool_domain:
InvalidParameter: 1 validation error(s) found. - minimum field size of 1, DeleteUserPoolDomainInput.UserPoolId.

Terraform version: 0.11.11
aws provider version: 1.52.0

I have tried manually deleting the domain and running terraform plan/apply, but then it fails with 'InvalidParameterException: No such domain or user pool exists.'

resource "aws_cognito_user_pool" "admin_cognito_pool" {
  name                     = "dev-admin-pool"
  alias_attributes         = ["email"]
  auto_verified_attributes = ["email"]

  admin_create_user_config = {
    allow_admin_create_user_only = true
  }
}

resource "aws_cognito_user_pool_client" "admin_cognito_pool_client" {
  name            = "dev-admin-pool-client"
  user_pool_id    = "${aws_cognito_user_pool.admin_cognito_pool.id}"
  generate_secret = false
}

resource "aws_cognito_user_pool_domain" "admin_cognito_domain" {
  domain       = "demo-dev"
  user_pool_id = "${aws_cognito_user_pool.admin_cognito_pool.id}"
}

The above code creates the user pool, user pool client and user pool domain successfully.

Next, modify aws_cognito_user_pool in the above code and run terraform plan/apply:

resource "aws_cognito_user_pool" "admin_cognito_pool" {
  name                     = "dev-admin-pool"
  alias_attributes         = ["email"]
  auto_verified_attributes = ["email"]

  admin_create_user_config = {
    allow_admin_create_user_only = true
  }

  # Adding a schema attribute forces replacement of the pool (see plan below).
  # Written as a nested block, the form documented for the 0.11 provider.
  schema {
    attribute_data_type = "String"
    name                = "family_name"
    required            = true
    mutable             = true

    string_attribute_constraints {
      min_length = 6
      max_length = 32
    }
  }
}

Terraform plan:

-/+ module.aws-383.aws_cognito_user_pool.admin_cognito_pool (new resource required)
      id:                                                      "ap-southeast-2_CFPLxLl5A" => <computed> (forces new resource)
      admin_create_user_config.#:                              "1" => "1"
      admin_create_user_config.0.allow_admin_create_user_only: "true" => "true"
      admin_create_user_config.0.unused_account_validity_days: "7" => "7"
      alias_attributes.#:                                      "" => "1" (forces new resource)
      alias_attributes.881205744:                              "" => "email" (forces new resource)
      arn:                                                     "arn:aws:cognito-idp:ap-southeast-2:xxxxxxxx:userpool/ap-southeast-2_CFPLxLl5A" => <computed>
      auto_verified_attributes.#:                              "1" => "1"
      auto_verified_attributes.881205744:                      "email" => "email"
      creation_date:                                           "2018-12-19T04:49:06Z" => <computed>
      email_verification_message:                              "" => <computed>
      email_verification_subject:                              "" => <computed>
      endpoint:                                                "cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_CFPLxLl5A" => <computed>
      lambda_config.#:                                         "0" => <computed>
      last_modified_date:                                      "2018-12-19T04:49:06Z" => <computed>
      mfa_configuration:                                       "OFF" => "OFF"
      name:                                                    "dev-admin-pool" => "dev-admin-pool"
      password_policy.#:                                       "1" => <computed>
      schema.#:                                                "0" => "1" (forces new resource)
      schema.893014206.attribute_data_type:                    "" => "String" (forces new resource)
      schema.893014206.developer_only_attribute:               "" => ""
      schema.893014206.mutable:                                "" => "true" (forces new resource)
      schema.893014206.name:                                   "" => "family_name" (forces new resource)
      schema.893014206.number_attribute_constraints.#:         "" => "0"
      schema.893014206.required:                               "" => "true" (forces new resource)
      schema.893014206.string_attribute_constraints.#:         "" => "0"
      verification_message_template.#:                         "1" => <computed>

-/+ module.aws-383.aws_cognito_user_pool_client.admin_cognito_pool_client (new resource required)
      id:                                                      "2tsed339bl6ds4437n1h0hasr4" => <computed> (forces new resource)
      allowed_oauth_flows.#:                                   "2" => "2"
      allowed_oauth_flows.2645166319:                          "code" => "code"
      allowed_oauth_flows.3465961881:                          "implicit" => "implicit"
      allowed_oauth_flows_user_pool_client:                    "true" => "true"
      allowed_oauth_scopes.#:                                  "2" => "2"
      allowed_oauth_scopes.2517049750:                         "openid" => "openid"
      allowed_oauth_scopes.881205744:                          "email" => "email"
      callback_urls.#:                                         "1" => "1"
      callback_urls.0:                                         "https://qnq2ds22xg.execute-api.ap-southeast-2.amazonaws.com/staging/admin-portal/redirectUrl/" => "https://qnq2ds22xg.execute-api.ap-southeast-2.amazonaws.com/staging/admin-portal/redirectUrl/"
      client_secret:                                           "" => <computed>
      explicit_auth_flows.#:                                   "2" => "2"
      explicit_auth_flows.1860959087:                          "USER_PASSWORD_AUTH" => "USER_PASSWORD_AUTH"
      explicit_auth_flows.245201344:                           "ADMIN_NO_SRP_AUTH" => "ADMIN_NO_SRP_AUTH"
      generate_secret:                                         "false" => "false"
      name:                                                    "dev-admin-pool-client" => "dev-admin-pool-client"
      refresh_token_validity:                                  "30" => "30"
      supported_identity_providers.#:                          "1" => "1"
      supported_identity_providers.0:                          "COGNITO" => "COGNITO"
      user_pool_id:                                            "ap-southeast-2_CFPLxLl5A" => "${aws_cognito_user_pool.admin_cognito_pool.id}" (forces new resource)

-/+ module.aws-383.aws_cognito_user_pool_domain.admin_cognito_domain (new resource required)
      id:                                                      "demo-dev" => <computed> (forces new resource)
      aws_account_id:                                          "" => <computed>
      cloudfront_distribution_arn:                             "" => <computed>
      domain:                                                  "demo-dev" => "demo-dev"
      s3_bucket:                                               "" => <computed>
      user_pool_id:                                            "" => "${aws_cognito_user_pool.admin_cognito_pool.id}" (forces new resource)
      version:                                                 "" => <computed>

Exact error with terraform apply:

module.aws-383.aws_cognito_user_pool_client.admin_cognito_pool_client: Destroying... (ID: 2tsed339bl6ds4437n1h0hasr4)
module.aws-383.aws_cognito_user_pool_domain.admin_cognito_domain: Destroying... (ID: demo-dev)
module.aws-383.aws_cognito_user_pool_client.admin_cognito_pool_client: Destruction complete after 0s

Error: Error applying plan:

1 error(s) occurred:

* module.aws-383.aws_cognito_user_pool_domain.admin_cognito_domain (destroy): 1 error(s) occurred:

* aws_cognito_user_pool_domain.admin_cognito_domain: InvalidParameter: 1 validation error(s) found.
- minimum field size of 1, DeleteUserPoolDomainInput.UserPoolId.

Terraform should be able to destroy cognito user pool domain which will allow the resources to be re-created.

ydaetskcoR: Can you share the exact error messages you get after the set of steps you perform?

nishant: @ydaetskcoR thanks for replying. I have updated the description with the steps I am taking and the exact error message returned. Please let me know your thoughts.

3 Answers


There's currently a bug in terraform that prevents this: https://github.com/terraform-providers/terraform-provider-aws/issues/5313

The solution is to delete it manually (aws cli or console) and then manually remove it from the terraform state using the state command.


Apparently, I had to manage deletion of the user pool domain outside of terraform via the aws cli and update the terraform template to create the user pool domain.


First use the following command line to find the tfstate ID of the resources/module that causes this issue:

terraform state list

Then use the next command line to destroy it properly from the tfstate:

terraform state rm '{the_id_from_tf_state_list}'

If you have a locked tfstate, use:

terraform force-unlock LOCK_ID
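The first and third answers together describe the manual workaround; the script below, added here and not taken from the question or the answers, strings those steps together in POSIX sh. It assumes the aws and terraform CLIs are configured for the account and that it runs in the Terraform root; the pool id is read from DescribeUserPoolDomain rather than from state, because the plan output above shows the domain's user_pool_id stored as "", and the state-parsing helper is exercised on constructed `terraform state list` output.

```shell
#!/bin/sh
# Scripted workaround (constructed for this thread): delete the Cognito domain
# with the AWS CLI, forget it in Terraform state, then let apply recreate it.

# Print the state address of every aws_cognito_user_pool_domain resource in
# `terraform state list` output read from stdin. Matching on the resource type
# also finds domains inside modules, such as
# module.aws-383.aws_cognito_user_pool_domain.admin_cognito_domain.
domain_addresses_from_state() {
  grep -E '(^|\.)aws_cognito_user_pool_domain\.' || true
}

# Ask Cognito which pool owns the domain instead of trusting state, which in
# this thread held user_pool_id = "" (that empty id is what the failing
# DeleteUserPoolDomain call sent). Prints nothing if the domain does not exist.
lookup_pool_id() {
  aws cognito-idp describe-user-pool-domain --domain "$1" \
    --query 'DomainDescription.UserPoolId' --output text 2>/dev/null |
    grep -v '^None$' || true
}

# Usage: cognito_domain_workaround demo-dev  (run from the Terraform root)
cognito_domain_workaround() {
  domain="$1"
  pool_id="$(lookup_pool_id "$domain")"
  if [ -n "$pool_id" ]; then
    # AWS refuses to delete a user pool while a domain is still attached.
    aws cognito-idp delete-user-pool-domain \
      --domain "$domain" --user-pool-id "$pool_id"
  else
    echo "domain $domain not found in Cognito; cleaning state only" >&2
  fi
  # Without this step Terraform retries the destroy and reports
  # "No such domain or user pool exists", as the question describes.
  terraform state list | domain_addresses_from_state | while read -r addr; do
    terraform state rm "$addr"
  done
  # Pool and client are replaced; the domain is created against the new pool.
  terraform apply
}

# Only touch real infrastructure when a domain name is given on the command line.
if [ "$#" -ge 1 ]; then
  cognito_domain_workaround "$1"
fi
```

If the state is locked (third answer), run `terraform force-unlock LOCK_ID` before the script, since `terraform state rm` needs the lock.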