Terraform-provider-aws: "aws_cognito_identity_provider" always have some changes on "provider_details" when "provider_type" is "Google" or "Facebook"

Created on 13 Jun 2018 · 4 Comments · Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.7
└── provider.aws ~> 1.22

Affected Resource(s)

  • aws_cognito_identity_provider

Terraform Configuration Files

resource "aws_cognito_user_pool" "user_pool" {
  name                     = "foo"
  username_attributes      = ["email"]
}

resource "aws_cognito_identity_provider" "facebook_provider" {
  count         = "${var.auth_facebook_client_id != "" ? 1 : 0}"
  provider_name = "Facebook"
  provider_type = "Facebook"
  user_pool_id  = "${aws_cognito_user_pool.user_pool.id}"

  provider_details {
    authorize_scopes = "email"
    client_id        = "${var.auth_facebook_client_id}"
    client_secret    = "${var.auth_facebook_client_secret}"
  }

  attribute_mapping {
    email    = "email"
    username = "id"
  }
}

resource "aws_cognito_identity_provider" "google_provider" {
  count         = "${var.auth_google_client_id != "" ? 1 : 0}"
  provider_name = "Google"
  provider_type = "Google"
  user_pool_id  = "${aws_cognito_user_pool.user_pool.id}"

  provider_details {
    authorize_scopes = "email"
    client_id        = "${var.auth_google_client_id}"
    client_secret    = "${var.auth_google_client_secret}"
  }

  attribute_mapping {
    email    = "email"
    username = "sub"
  }
}

Debug Output

  1. Facebook DescribeIdentityProvider response:
2018-06-13T13:26:37.936-0300 [DEBUG] plugin.terraform-provider-aws_v1.22.0_x4: 2018/06/13 13:26:37 [DEBUG] [aws-sdk-go] DEBUG: Response cognito-idp/DescribeIdentityProvider Details:
2018-06-13T13:26:37.936-0300 [DEBUG] plugin.terraform-provider-aws_v1.22.0_x4: ---[ RESPONSE ]--------------------------------------
2018-06-13T13:26:37.936-0300 [DEBUG] plugin.terraform-provider-aws_v1.22.0_x4: HTTP/2.0 200 OK
2018-06-13T13:26:37.936-0300 [DEBUG] plugin.terraform-provider-aws_v1.22.0_x4: Content-Length: 630
2018-06-13T13:26:37.936-0300 [DEBUG] plugin.terraform-provider-aws_v1.22.0_x4: Content-Type: application/x-amz-json-1.1
2018-06-13T13:26:37.936-0300 [DEBUG] plugin.terraform-provider-aws_v1.22.0_x4: Date: Wed, 13 Jun 2018 16:26:21 GMT
2018-06-13T13:26:37.936-0300 [DEBUG] plugin.terraform-provider-aws_v1.22.0_x4: 
2018-06-13T13:26:37.936-0300 [DEBUG] plugin.terraform-provider-aws_v1.22.0_x4: 
2018-06-13T13:26:37.936-0300 [DEBUG] plugin.terraform-provider-aws_v1.22.0_x4: -----------------------------------------------------
2018-06-13T13:26:37.936-0300 [DEBUG] plugin.terraform-provider-aws_v1.22.0_x4: 2018/06/13 13:26:37 [DEBUG] [aws-sdk-go] {"IdentityProvider":{"AttributeMapping":{"email":"email","username":"id"},"CreationDate":1.528901382053E9,"IdpIdentifiers":[],"LastModifiedDate":1.528906670572E9,"ProviderDetails":{"attributes_url":"https://graph.facebook.com/me?fields=","attributes_url_add_attributes":"true","authorize_scopes":"email","authorize_url":"https://www.facebook.com/v2.9/dialog/oauth","client_id":"XXX","client_secret":"XXX","token_request_method":"GET","token_url":"https://graph.facebook.com/v2.9/oauth/access_token"},"ProviderName":"Facebook","ProviderType":"Facebook","UserPoolId":"XXX"}}
  2. Google DescribeIdentityProvider response:
2018-06-13T13:26:36.794-0300 [DEBUG] plugin.terraform-provider-aws_v1.22.0_x4: 2018/06/13 13:26:36 [DEBUG] [aws-sdk-go] DEBUG: Response cognito-idp/DescribeIdentityProvider Details:
2018-06-13T13:26:36.794-0300 [DEBUG] plugin.terraform-provider-aws_v1.22.0_x4: ---[ RESPONSE ]--------------------------------------
2018-06-13T13:26:36.794-0300 [DEBUG] plugin.terraform-provider-aws_v1.22.0_x4: HTTP/2.0 200 OK
2018-06-13T13:26:36.794-0300 [DEBUG] plugin.terraform-provider-aws_v1.22.0_x4: Content-Length: 733
2018-06-13T13:26:36.794-0300 [DEBUG] plugin.terraform-provider-aws_v1.22.0_x4: Content-Type: application/x-amz-json-1.1
2018-06-13T13:26:36.794-0300 [DEBUG] plugin.terraform-provider-aws_v1.22.0_x4: Date: Wed, 13 Jun 2018 16:26:19 GMT
2018-06-13T13:26:36.794-0300 [DEBUG] plugin.terraform-provider-aws_v1.22.0_x4: 
2018-06-13T13:26:36.794-0300 [DEBUG] plugin.terraform-provider-aws_v1.22.0_x4: 
2018-06-13T13:26:36.794-0300 [DEBUG] plugin.terraform-provider-aws_v1.22.0_x4: -----------------------------------------------------
2018-06-13T13:26:36.794-0300 [DEBUG] plugin.terraform-provider-aws_v1.22.0_x4: 2018/06/13 13:26:36 [DEBUG] [aws-sdk-go] {"IdentityProvider":{"AttributeMapping":{"email":"email","username":"sub"},"CreationDate":1.528901271023E9,"IdpIdentifiers":[],"LastModifiedDate":1.528906670558E9,"ProviderDetails":{"attributes_url":"https://people.googleapis.com/v1/people/me?personFields=","attributes_url_add_attributes":"true","authorize_scopes":"email","authorize_url":"https://accounts.google.com/o/oauth2/v2/auth","client_id":"XXX","client_secret":"XXX","oidc_issuer":"https://accounts.google.com","token_request_method":"POST","token_url":"https://www.googleapis.com/oauth2/v4/token"},"ProviderName":"Google","ProviderType":"Google","UserPoolId":"XXX"}}

Expected Behavior

Executing terraform plan or terraform apply should not detect modifications on aws_cognito_identity_provider resources

Actual Behavior

Executing terraform plan or terraform apply should detect some modifications on aws_cognito_identity_provider resources, depending on the provider_type that was configured

Steps to Reproduce

  1. terraform apply
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ aws_cognito_identity_provider.facebook_provider
      provider_details.%:                             "8" => "3"
      provider_details.attributes_url:                "https://graph.facebook.com/me?fields=" => ""
      provider_details.attributes_url_add_attributes: "true" => ""
      provider_details.authorize_url:                 "https://www.facebook.com/v2.9/dialog/oauth" => ""
      provider_details.token_request_method:          "GET" => ""
      provider_details.token_url:                     "https://graph.facebook.com/v2.9/oauth/access_token" => ""

  ~ aws_cognito_identity_provider.google_provider
      provider_details.%:                             "9" => "3"
      provider_details.attributes_url:                "https://people.googleapis.com/v1/people/me?personFields=" => ""
      provider_details.attributes_url_add_attributes: "true" => ""
      provider_details.authorize_url:                 "https://accounts.google.com/o/oauth2/v2/auth" => ""
      provider_details.oidc_issuer:                   "https://accounts.google.com" => ""
      provider_details.token_request_method:          "POST" => ""
      provider_details.token_url:                     "https://www.googleapis.com/oauth2/v4/token" => ""


Plan: 0 to add, 2 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_cognito_identity_provider.google_provider: Modifying... (ID: us-east-1_QIXULgsn4:Google)
  provider_details.%:                             "9" => "3"
  provider_details.attributes_url:                "https://people.googleapis.com/v1/people/me?personFields=" => ""
  provider_details.attributes_url_add_attributes: "true" => ""
  provider_details.authorize_url:                 "https://accounts.google.com/o/oauth2/v2/auth" => ""
  provider_details.oidc_issuer:                   "https://accounts.google.com" => ""
  provider_details.token_request_method:          "POST" => ""
  provider_details.token_url:                     "https://www.googleapis.com/oauth2/v4/token" => ""
aws_cognito_identity_provider.facebook_provider: Modifying... (ID: us-east-1_QIXULgsn4:Facebook)
  provider_details.%:                             "8" => "3"
  provider_details.attributes_url:                "https://graph.facebook.com/me?fields=" => ""
  provider_details.attributes_url_add_attributes: "true" => ""
  provider_details.authorize_url:                 "https://www.facebook.com/v2.9/dialog/oauth" => ""
  provider_details.token_request_method:          "GET" => ""
  provider_details.token_url:                     "https://graph.facebook.com/v2.9/oauth/access_token" => ""
aws_cognito_identity_provider.google_provider: Modifications complete after 2s (ID: us-east-1_QIXULgsn4:Google)
aws_cognito_identity_provider.facebook_provider: Modifications complete after 2s (ID: us-east-1_QIXULgsn4:Facebook)

Apply complete! Resources: 0 added, 2 changed, 0 destroyed.
  2. terraform plan
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ aws_cognito_identity_provider.facebook_provider
      provider_details.%:                             "8" => "3"
      provider_details.attributes_url:                "https://graph.facebook.com/me?fields=" => ""
      provider_details.attributes_url_add_attributes: "true" => ""
      provider_details.authorize_url:                 "https://www.facebook.com/v2.9/dialog/oauth" => ""
      provider_details.token_request_method:          "GET" => ""
      provider_details.token_url:                     "https://graph.facebook.com/v2.9/oauth/access_token" => ""

  ~ aws_cognito_identity_provider.google_provider
      provider_details.%:                             "9" => "3"
      provider_details.attributes_url:                "https://people.googleapis.com/v1/people/me?personFields=" => ""
      provider_details.attributes_url_add_attributes: "true" => ""
      provider_details.authorize_url:                 "https://accounts.google.com/o/oauth2/v2/auth" => ""
      provider_details.oidc_issuer:                   "https://accounts.google.com" => ""
      provider_details.token_request_method:          "POST" => ""
      provider_details.token_url:                     "https://www.googleapis.com/oauth2/v4/token" => ""


Plan: 0 to add, 2 to change, 0 to destroy.
Labels: bug, service/cognito

All 4 comments

I'm seeing the same issue when using SAML with a MetadataFile. The provider_details.SSORedirectBindingURI always updates on apply. A workaround for me is adding the value for SSORedirectBindingURI from the MetadataFile to provider_details.SSORedirectBindingURI.

I was able to work around this by adding ignore_changes to the identity providers.

Google identity provider

resource "aws_cognito_identity_provider" "google" {
  provider_type = "Google"

  # ...

  lifecycle {
    ignore_changes = [
      "provider_details.%",
      "provider_details.attributes_url",
      "provider_details.attributes_url_add_attributes",
      "provider_details.authorize_url",
      "provider_details.token_request_method",
      "provider_details.token_url",
      "provider_details.oidc_issuer",
    ]
  }
}

Facebook identity provider

resource "aws_cognito_identity_provider" "facebook" {
  provider_type = "Facebook"

  # ...

  lifecycle {
    ignore_changes = [
      "provider_details.%",
      "provider_details.attributes_url",
      "provider_details.attributes_url_add_attributes",
      "provider_details.authorize_url",
      "provider_details.token_request_method",
      "provider_details.token_url",
    ]
  }
}
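The perpetual diff in this issue comes from Cognito returning provider_details keys (attributes_url, authorize_url, token_url, oidc_issuer and so on) that the configuration never set, and the noise matters because it teaches operators to approve the same plan every time, which is exactly how a real change to client_id or a pinned endpoint slips through. The following is an added example, not the provider's own code: a standard-library Go function that compares the configured map against the DescribeIdentityProvider map while treating those server-populated keys as managed by AWS unless the operator set them. serverManagedKeys and ProviderDetailsDrift are names chosen here, and the sample maps are constructed from the Facebook response quoted in the issue.

```go
package main

import (
	"fmt"
	"sort"
)
// Keys Cognito populates itself for the built-in Google and Facebook providers
// (present in the DescribeIdentityProvider responses, absent from the config).
// A difference on one of these is not drift unless the operator set the key.
var serverManagedKeys = map[string]bool{
	"attributes_url":                true,
	"attributes_url_add_attributes": true,
	"authorize_url":                 true,
	"oidc_issuer":                   true,
	"token_request_method":          true,
	"token_url":                     true,
}

// ProviderDetailsDrift compares the configured provider_details map with the
// map DescribeIdentityProvider returned and reports, sorted, only the keys
// that genuinely differ; remote-only keys count unless they are server-managed.
func ProviderDetailsDrift(configured, remote map[string]string) []string {
	drift := []string{}
	for k, want := range configured {
		if got, ok := remote[k]; !ok || got != want {
			drift = append(drift, k)
		}
	}
	for k := range remote {
		if _, inConfig := configured[k]; !inConfig && !serverManagedKeys[k] {
			drift = append(drift, k) // a key nobody configured showed up remotely
		}
	}
	sort.Strings(drift)
	return drift
}

func main() {
	// Constructed from the Facebook DescribeIdentityProvider response in the issue.
	configured := map[string]string{"authorize_scopes": "email", "client_id": "XXX", "client_secret": "XXX"}
	remote := map[string]string{
		"attributes_url": "https://graph.facebook.com/me?fields=", "attributes_url_add_attributes": "true",
		"authorize_scopes": "email", "authorize_url": "https://www.facebook.com/v2.9/dialog/oauth",
		"client_id": "XXX", "client_secret": "XXX", "token_request_method": "GET",
		"token_url": "https://graph.facebook.com/v2.9/oauth/access_token",
	}
	fmt.Println(ProviderDetailsDrift(configured, remote)) // [] : nothing to update
	remote["client_id"] = "YYY"                           // a real change made outside Terraform
	fmt.Println(ProviderDetailsDrift(configured, remote)) // [client_id]
}
```

Because a server-managed key is skipped only while the configuration omits it, pinning a value such as token_url in provider_details makes a later change to it visible again, whereas the ignore_changes workaround above suppresses that key regardless of what it now holds.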

We are having the same issues with the same code as @jkiyo described.
Are we missing any settings?

Same here, any updates on this?
