Resource: aws_cognito_user_pool_client

Provides a Cognito User Pool Client resource.

To manage a User Pool Client created by another service, such as when configuring an OpenSearch Domain to use Cognito authentication, use the aws_cognito_managed_user_pool_client resource instead.

Example Usage

Create a basic user pool client

resource "aws_cognito_user_pool_client" "client" {
  name = "client"

  user_pool_id = aws_cognito_user_pool.pool.id
}

resource "aws_cognito_user_pool" "pool" {
  name = "pool"
}

Create a user pool client with no SRP authentication

resource "aws_cognito_user_pool_client" "client" {
  name = "client"

  user_pool_id = aws_cognito_user_pool.pool.id

  generate_secret     = true
  explicit_auth_flows = ["ADMIN_NO_SRP_AUTH"]
}

resource "aws_cognito_user_pool" "pool" {
  name = "pool"
}

Create a user pool client with pinpoint analytics

resource "aws_cognito_user_pool_client" "test" {
  name         = "pool_client"
  user_pool_id = aws_cognito_user_pool.test.id

  analytics_configuration {
    application_id   = aws_pinpoint_app.test.application_id
    external_id      = "some_id"
    role_arn         = aws_iam_role.test.arn
    user_data_shared = true
  }
}

resource "aws_cognito_user_pool" "test" {
  name = "pool"
}

data "aws_caller_identity" "current" {}

resource "aws_pinpoint_app" "test" {
  name = "pinpoint"
}

data "aws_iam_policy_document" "assume_role" {
  statement {
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["cognito-idp.amazonaws.com"]
    }

    actions = ["sts:AssumeRole"]
  }
}

resource "aws_iam_role" "test" {
  name               = "role"
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
}

data "aws_iam_policy_document" "test" {
  statement {
    effect = "Allow"

    actions = [
      "mobiletargeting:UpdateEndpoint",
      "mobiletargeting:PutEvents",
    ]

    resources = ["arn:aws:mobiletargeting:*:${data.aws_caller_identity.current.account_id}:apps/${aws_pinpoint_app.test.application_id}*"]
  }
}

resource "aws_iam_role_policy" "test" {
  name   = "role_policy"
  role   = aws_iam_role.test.id
  policy = data.aws_iam_policy_document.test.json
}

Create a user pool client with Cognito as the identity provider

resource "aws_cognito_user_pool_client" "userpool_client" {
  name                                 = "client"
  user_pool_id                         = aws_cognito_user_pool.pool.id
  callback_urls                        = ["https://example.com"]
  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_flows                  = ["code", "implicit"]
  allowed_oauth_scopes                 = ["email", "openid"]
  supported_identity_providers         = ["COGNITO"]
}

resource "aws_cognito_user_pool" "pool" {
  name = "pool"
}
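A hardened variant of the Cognito-as-identity-provider client above, added here as an example rather than taken from this page or from the AWS provider's own documentation: it restricts OAuth to the authorization-code flow, allows only SRP and refresh-token authentication, and sets explicit token lifetimes through token_validity_units. The arguments not used in this page's examples (logout_urls, access_token_validity, id_token_validity, refresh_token_validity, enable_token_revocation, prevent_user_existence_errors, read_attributes, write_attributes) are assumed from the AWS provider schema, and the hostnames are hypothetical.

```hcl
resource "aws_cognito_user_pool" "pool" {
  name = "pool"
}

resource "aws_cognito_user_pool_client" "hardened_client" {
  name         = "hardened_client"
  user_pool_id = aws_cognito_user_pool.pool.id

  # Authorization-code flow only: the implicit flow returns tokens in the URL
  # fragment, where they can leak through browser history and referrers.
  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_flows                  = ["code"]
  allowed_oauth_scopes                 = ["email", "openid"]
  supported_identity_providers         = ["COGNITO"]

  # Redirect targets are matched exactly; hostnames are hypothetical.
  callback_urls = ["https://app.example.com/oauth2/callback"]
  logout_urls   = ["https://app.example.com/logout"]

  # No client secret: a public (browser or mobile) client, which should pair
  # the code flow with PKCE. SRP keeps the password off the wire, so the
  # USER_PASSWORD and ADMIN_NO_SRP flows are not enabled.
  generate_secret     = false
  explicit_auth_flows = [
    "ALLOW_USER_SRP_AUTH",
    "ALLOW_REFRESH_TOKEN_AUTH",
  ]

  # Short-lived access and ID tokens limit how long a stolen token is usable;
  # the refresh token carries the session and can be revoked.
  access_token_validity   = 15
  id_token_validity       = 15
  refresh_token_validity  = 1
  enable_token_revocation = true
  token_validity_units {
    access_token  = "minutes"
    id_token      = "minutes"
    refresh_token = "days"
  }

  # Return a generic failure for unknown users to avoid username enumeration.
  prevent_user_existence_errors = "ENABLED"

  # Only expose the attributes this client actually needs.
  read_attributes  = ["email", "email_verified"]
  write_attributes = ["email"]
}
```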

Argument Reference

The following arguments are required:

The following arguments are optional:

analytics_configuration

Either application_arn or application_id is required.

token_validity_units

Valid values for the following arguments are: seconds, minutes, hours or days.

Attribute Reference

This resource exports the following attributes in addition to the arguments above:

Import

In Terraform v1.5.0 and later, use an import block to import Cognito User Pool Clients using the id of the Cognito User Pool and the id of the Cognito User Pool Client, separated by a slash. For example:

import {
  to = aws_cognito_user_pool_client.client
  id = "us-west-2_abc123/3ho4ek12345678909nh3fmhpko"
}

Using terraform import, import Cognito User Pool Clients using the id of the Cognito User Pool and the id of the Cognito User Pool Client, separated by a slash. For example:

% terraform import aws_cognito_user_pool_client.client us-west-2_abc123/3ho4ek12345678909nh3fmhpko