_This issue was originally opened by @engharb as hashicorp/terraform#18745. It was migrated here as a result of the provider split. The original body of the issue is below._
```text
Terraform v0.11.8
+ provider.archive v1.0.3
+ provider.aws v1.33.0
```
```hcl
# default AWS
provider "aws" {
  version    = "~> 1.21"
  access_key = "${var.access_key}"
  secret_key = "${var.secret_key}"
  region     = "${var.aws_region}"
}

## user pool
resource "aws_cognito_user_pool" "abc" {
  name             = "abc"
  alias_attributes = ["email"]

  admin_create_user_config {
    allow_admin_create_user_only = false
  }

  schema {
    attribute_data_type      = "String"
    developer_only_attribute = false
    mutable                  = false
    name                     = "email"
    required                 = true

    string_attribute_constraints {
      min_length = 1
      max_length = 256
    }
  }

  password_policy {
    minimum_length    = 8
    require_lowercase = true
    require_numbers   = false
    require_symbols   = false
    require_uppercase = false
  }

  lambda_config {
    post_authentication = "${aws_lambda_function.lambda.arn}"
  }
}

## aws_cognito_identity_provider
resource "aws_cognito_identity_provider" "abc_provider_google" {
  user_pool_id  = "${aws_cognito_user_pool.abc.id}"
  provider_name = "Google"
  provider_type = "Google"

  provider_details {
    authorize_scopes = "${var.google_app_authorize_scope}"
    client_id        = "${var.google_client_id}"
    client_secret    = "${var.google_client_secret}"
  }

  attribute_mapping {
    email    = "email"
    username = "sub"
  }
}

## user pool client app
resource "aws_cognito_user_pool_client" "clientapp" {
  name = "poolClientApp"

  # implicit dependency
  user_pool_id = "${aws_cognito_user_pool.abc.id}"

  #depends_on = ["aws_cognito_identity_pool.identitypool"]
  generate_secret              = true
  refresh_token_validity       = 30
  explicit_auth_flows          = ["ADMIN_NO_SRP_AUTH"]
  callback_urls                = "${var.pool_client_callback_urls}"
  allowed_oauth_flows          = ["code", "implicit"]
  allowed_oauth_scopes         = ["phone", "email", "openid", "profile", "aws.cognito.signin.user.admin"]
  supported_identity_providers = ["Facebook", "Google", "COGNITO"]
  read_attributes              = ["address", "birthdate", "email", "email_verified", "family_name", "gender", "given_name", "locale", "middle_name", "name", "nickname", "phone_number", "phone_number_verified", "picture", "preferred_username", "profile", "zoneinfo", "updated_at", "website"]
  write_attributes             = ["email", "picture"]
}

## user pool client domain
resource "aws_cognito_user_pool_domain" "pooldomain" {
  domain       = "abcapp"
  user_pool_id = "${aws_cognito_user_pool.abc.id}"
}

## identity pool
resource "aws_cognito_identity_pool" "identitypool" {
  identity_pool_name = "abc_identity_pool"

  #depends_on = ["aws_cognito_user_pool.abc"]
  allow_unauthenticated_identities = true

  supported_login_providers {
    "graph.facebook.com"  = "${var.fb_app_id}"
    "accounts.google.com" = "${var.google_client_id}"
  }

  cognito_identity_providers {
    client_id               = "${aws_cognito_user_pool_client.clientapp.id}"
    provider_name           = "cognito-idp.${var.aws_region}.amazonaws.com/${aws_cognito_user_pool.abc.id}"
    server_side_token_check = false
  }
}
```
```text
Terraform will perform the following actions:

  ~ aws_cognito_identity_pool.identitypool
      supported_login_providers.%:                       "0" => "2"
      supported_login_providers.accounts.google.com:     "" => "1111111-dddddddddd.apps.googleusercontent.com"
      supported_login_providers.graph.facebook.com:      "" => "555555555"

  ~ aws_cognito_identity_provider.abc_provider_fb
      provider_details.%:                                "8" => "3"
      provider_details.attributes_url:                   "https://graph.facebook.com/me?fields=" => ""
      provider_details.attributes_url_add_attributes:    "true" => ""
      provider_details.authorize_url:                    "https://www.facebook.com/v2.9/dialog/oauth" => ""
      provider_details.token_request_method:             "GET" => ""
      provider_details.token_url:                        "https://graph.facebook.com/v2.9/oauth/access_token" => ""

  ~ aws_cognito_identity_provider.abc_provider_google
      provider_details.%:                                "9" => "3"
      provider_details.attributes_url:                   "https://people.googleapis.com/v1/people/me?personFields=" => ""
      provider_details.attributes_url_add_attributes:    "true" => ""
      provider_details.authorize_url:                    "https://accounts.google.com/o/oauth2/v2/auth" => ""
      provider_details.oidc_issuer:                      "https://accounts.google.com" => ""
      provider_details.token_request_method:             "POST" => ""
      provider_details.token_url:                        "https://www.googleapis.com/oauth2/v4/token" => ""

  ~ aws_cognito_user_pool_client.clientapp
      supported_identity_providers.0:                    "COGNITO" => "Facebook"
      supported_identity_providers.1:                    "Facebook" => "Google"
      supported_identity_providers.2:                    "Google" => "COGNITO"

  ~ aws_lambda_function.lambda
```
Terraform should not update the provider of User_pool every time.
Terraform updates the providers of User_pool every time!!
```shell
terraform apply
terraform apply // updating happens
```

@blckct: It seems as a dirty fix for now you can try changing it to:

```hcl
supported_identity_providers = ["COGNITO", "Facebook", "Google"]
```
@blckct I have tried that but it does not help.
@engharb Oh? How did it behave then? It seems like it tries to sort them so that should've worked.
@blckct I get the same problem; every time it updates the providers. And one thing more:
I find the following strange:

```text
  ~ aws_cognito_user_pool_client.clientapp
      supported_identity_providers.0: "COGNITO" => "Facebook"
      supported_identity_providers.1: "Facebook" => "Google"
      supported_identity_providers.2: "Google" => "COGNITO"
```
@engharb Well, it looks like the AWS API returns those values sorted alphabetically, so TF gets confused because it expected them in the specific order it asked for, but sorting them in your configuration should've fixed that. Please show how the output looks with that fix attempt.
@blckct you are right regarding the alphabetical order, but I still have the same problem:

```text
Terraform will perform the following actions:

  ~ aws_cognito_identity_provider.geheimness_provider_fb
      provider_details.%:                                "8" => "3"
      provider_details.attributes_url:                   "https://graph.facebook.com/me?fields=" => ""
      provider_details.attributes_url_add_attributes:    "true" => ""
      provider_details.authorize_url:                    "https://www.facebook.com/v2.9/dialog/oauth" => ""
      provider_details.token_request_method:             "GET" => ""
      provider_details.token_url:                        "https://graph.facebook.com/v2.9/oauth/access_token" => ""

  ~ aws_cognito_identity_provider.geheimness_provider_google
      provider_details.%:                                "9" => "3"
      provider_details.attributes_url:                   "https://people.googleapis.com/v1/people/me?personFields=" => ""
      provider_details.attributes_url_add_attributes:    "true" => ""
      provider_details.authorize_url:                    "https://accounts.google.com/o/oauth2/v2/auth" => ""
      provider_details.oidc_issuer:                      "https://accounts.google.com" => ""
      provider_details.token_request_method:             "POST" => ""
      provider_details.token_url:                        "https://www.googleapis.com/oauth2/v4/token" => ""
```
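The plan output above mixes two kinds of spurious diff (API-populated `provider_details` values being blanked, and a list the API returns sorted) with anything that is real drift. The following is an added example, not code from any participant or from the provider, that parses 0.11-style plan lines and labels each attribute so that only genuine changes need a look; the `PLAN` text is a constructed excerpt in the shape of the output quoted in this thread.

```python
import re
from collections import Counter
# Constructed excerpt in the shape of the 0.11 plan output quoted in this thread.
PLAN = """\
~ aws_cognito_identity_provider.abc_provider_google
provider_details.%: "9" => "3"
provider_details.attributes_url: "https://people.googleapis.com/v1/people/me?personFields=" => ""
provider_details.oidc_issuer: "https://accounts.google.com" => ""
~ aws_cognito_user_pool_client.clientapp
supported_identity_providers.0: "COGNITO" => "Facebook"
supported_identity_providers.1: "Facebook" => "Google"
supported_identity_providers.2: "Google" => "COGNITO"
~ aws_cognito_user_pool_domain.pooldomain
domain: "abcapp" => "abcapp2"
"""
ATTR_RE = re.compile(r'^(?P<key>\S+): "(?P<old>[^"]*)" => "(?P<new>[^"]*)"$')

def parse_plan(text):
    """Map each '~ address' to its list of (key, old, new) attribute diffs."""
    changes, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("~ "):
            current = line[2:]
            changes[current] = []
        elif current and (m := ATTR_RE.match(line)):
            changes[current].append((m["key"], m["old"], m["new"]))
    return changes

def classify(attrs):
    """Label each diff 'reorder' (same list values, new order, as the API returns them
    sorted), 'cleared' (API-filled value blanked, plus its '.%' count) or 'real'."""
    groups = {}
    for key, old, new in attrs:                      # group by list/map prefix
        base, _, leaf = key.rpartition(".")
        groups.setdefault(base, []).append((leaf, old, new))
    labels = {}
    for base, items in groups.items():
        verdict = None                               # judge each entry on its own
        if base and all(l.isdigit() for l, _, _ in items) and \
           Counter(o for _, o, _ in items) == Counter(n for _, _, n in items):
            verdict = "reorder"
        elif base and all(l == "%" or (o and not n) for l, o, n in items):
            verdict = "cleared"
        for leaf, old, new in items:
            key = f"{base}.{leaf}" if base else leaf
            labels[key] = verdict or ("cleared" if old and not new else "real")
    return labels

def triage(text):
    """Return only the resources whose plan carries at least one 'real' change."""
    return {r: a for r, a in parse_plan(text).items()
            if "real" in classify(a).values()}
```

Map keys that themselves contain dots (such as `supported_login_providers.accounts.google.com`) are grouped by their last segment only, so they fall through to the per-entry rule.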
@engharb I was able to work around that by adding ignore_changes to the identity providers.
Google identity provider
resource "aws_cognito_identity_provider" "google" {
provider_type = "Google"
# ...
lifecycle {
ignore_changes = [
"provider_details.%",
"provider_details.attributes_url",
"provider_details.attributes_url_add_attributes",
"provider_details.authorize_url",
"provider_details.token_request_method",
"provider_details.token_url",
"provider_details.oidc_issuer",
]
}
}
Facebook identity provider
resource "aws_cognito_identity_provider" "facebook" {
provider_type = "Facebook"
# ...
lifecycle {
ignore_changes = [
"provider_details.%",
"provider_details.attributes_url",
"provider_details.attributes_url_add_attributes",
"provider_details.authorize_url",
"provider_details.token_request_method",
"provider_details.token_url",
]
}
}
@johnsabath but if there are significant changes in the providers' attributes or whatever, this will skip the changes. Isn't that true?
If I were to set one of those attribute values explicitly through terraform, then yes, that update wouldn't apply.
But I believe that's acceptable in this case, since those attribute values are being implicitly set by AWS when the provider_type is Facebook or Google, and I can't think of a reason why those particular attributes would ever need to be controlled by terraform, as long as the provider_type hasn't changed.
That being said, another option would be to set each of the provider_details values explicitly, instead of relying on AWS to fill in the gaps.
```hcl
resource "aws_cognito_identity_provider" "facebook" {
  provider_type = "Facebook"
  # ...

  provider_details {
    # ...
    attributes_url                = "https://graph.facebook.com/me?fields="
    # provider_details is a map of strings; quoting keeps the value "true" rather
    # than letting Terraform 0.11 coerce a bare boolean to "1".
    attributes_url_add_attributes = "true"
    authorize_url                 = "https://www.facebook.com/v2.9/dialog/oauth"
    token_request_method          = "GET"
    token_url                     = "https://graph.facebook.com/v2.9/oauth/access_token"
  }
}

resource "aws_cognito_identity_provider" "google" {
  provider_type = "Google"
  # ...

  provider_details {
    # ...
    attributes_url                = "https://people.googleapis.com/v1/people/me?personFields="
    attributes_url_add_attributes = "true"
    authorize_url                 = "https://accounts.google.com/o/oauth2/v2/auth"
    oidc_issuer                   = "https://accounts.google.com"
    token_request_method          = "POST"
    token_url                     = "https://www.googleapis.com/oauth2/v4/token"
  }
}
```
@johnsabath thanks a lot.
Cross-posting from the above linked issue that I've now closed as a duplicate, but I'm seeing a constant diff where aws_cognito_identity_pool is being updated with new login/Cognito identity providers, but not when being created the first time. It looks like we're probably sending a partial update through when the API relies on a full update (I think there was a similar issue with Cognito app clients a while back too).
Related PRs for fixing this in user pools and app clients: https://github.com/terraform-providers/terraform-provider-aws/pull/3458 and https://github.com/terraform-providers/terraform-provider-aws/pull/5478