Question

I am stuck while trying to set up an 'app client' for an AWS Cognito User Pool through Terraform. Here is my resource as it stands:

resource "aws_cognito_user_pool" "notes-pool" {
  name = "notes-pool"
  username_attributes = ["email"]
  verification_message_template {
    default_email_option = "CONFIRM_WITH_CODE"
  }
  password_policy {
    minimum_length    = 10
    require_lowercase = false
    require_numbers   = true
    require_symbols   = false
    require_uppercase = true
  }
  tags {
    "Name"    = "notes-pool"
    "Environment" = "production"
  }
}

The above works just fine, and my user pool is created. If anybody has any ideas on how to create an app client in the same resource, I'm suspecting that this functionality doesn't exist so can anyone help me. Thank you

Answer 1

I think it has been just added to the most recent version of terraform. You can try something like this  to add a client to your user pool:

 resource "aws_cognito_user_pool_client" "client" {

     name = "client"

     user_pool_id = "${aws_cognito_user_pool.pool.id}"

     generate_secret = true

     explicit_auth_flows = ["ADMIN_NO_SRP_AUTH"]

 }

You can check out the docs here :Terraform entry on aws_cognito_user_pool_client

Hpe this helps!

Enroll for the AWS course and become certified today.

Answer 2

Once user pool is created, you can use create-user-pool-client API to create app-client within the userpool. Please refer the API documentation: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html

Answer 3

This feature is not currently supported by Terraform.

There is an open issue on GitHub where this has been requested (give it a thumbs up if you would benefit from this feature).

Until support is added, the best option is to use the local-exec provisioner to create the user pool via the CLI once the resource is created:

resource "aws_cognito_user_pool" "notes-pool" {
  name = "notes-pool"
  username_attributes = ["email"]
  ...

  provisioner "local-exec" {
    command = <<EOF
aws cognito-idp create-user-pool-client \
  --user-pool-id ${aws_cognito_user_pool.notes-pool.id} \
  --client-name client-name \
  --no-generate-secret \
  --explicit-auth-flows ADMIN_NO_SRP_AUTH
EOF
  }
}

Please note that in order to use this you must have the AWS CLI installed and authenticated (I use environment variables to authenticate with both Terraform and the AWS CLI).