Resource: aws_cognito_managed_user_pool_client

Use the aws_cognito_user_pool_client resource to manage a Cognito User Pool Client.

This resource is advanced and has special caveats to consider before use. Please read this document completely before using the resource.

Use the aws_cognito_managed_user_pool_client resource to manage a Cognito User Pool Client that is automatically created by an AWS service. For instance, when configuring an OpenSearch Domain to use Cognito authentication, the OpenSearch service creates the User Pool Client during setup and removes it when it is no longer required. As a result, the aws_cognito_managed_user_pool_client resource does not create or delete this resource, but instead assumes management of it.

Use the aws_cognito_user_pool_client resource to manage Cognito User Pool Clients for normal use cases.

Example Usage

resource "aws_cognito_managed_user_pool_client" "example" {
  name_prefix  = "AmazonOpenSearchService-example"
  user_pool_id = aws_cognito_user_pool.example.id

  depends_on = [
    aws_opensearch_domain.example,
  ]
}

resource "aws_cognito_user_pool" "example" {
  name = "example"
}

# OpenSearch Cognito authentication requires a hosted domain on the user pool;
# the aws_opensearch_domain resource below depends on this resource.
resource "aws_cognito_user_pool_domain" "example" {
  domain       = "example"
  user_pool_id = aws_cognito_user_pool.example.id
}

resource "aws_cognito_identity_pool" "example" {
  identity_pool_name = "example"

  lifecycle {
    ignore_changes = [cognito_identity_providers]
  }
}

resource "aws_opensearch_domain" "example" {
  domain_name = "example"

  cognito_options {
    enabled          = true
    user_pool_id     = aws_cognito_user_pool.example.id
    identity_pool_id = aws_cognito_identity_pool.example.id
    role_arn         = aws_iam_role.example.arn
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 10
  }

  depends_on = [
    aws_cognito_user_pool_domain.example,
    aws_iam_role_policy_attachment.example,
  ]
}

resource "aws_iam_role" "example" {
  name               = "example-role"
  path               = "/service-role/"
  assume_role_policy = data.aws_iam_policy_document.example.json
}

data "aws_iam_policy_document" "example" {
  statement {
    sid     = ""
    actions = ["sts:AssumeRole"]
    effect  = "Allow"

    principals {
      type = "Service"
      identifiers = [
        "es.${data.aws_partition.current.dns_suffix}",
      ]
    }
  }
}

resource "aws_iam_role_policy_attachment" "example" {
  role       = aws_iam_role.example.name
  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonESCognitoAccess"
}

data "aws_partition" "current" {}

Argument Reference

The following arguments are required:

The following arguments are optional:

analytics_configuration

Either application_arn or application_id is required for this configuration block.

token_validity_units

Valid values for the following arguments are: seconds, minutes, hours, or days.
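As an added example (not part of the provider documentation), the block below shows token_validity_units together with the validity arguments it applies to, tightening the lifetimes of the tokens the OpenSearch-created client issues. It is written in place of the minimal managed client block in the example above and assumes that access_token_validity, id_token_validity, refresh_token_validity, enable_token_revocation and prevent_user_existence_errors are accepted with the same meaning as on aws_cognito_user_pool_client; the name prefix and user pool reference are placeholders from that example.

```hcl
# Added example: shorter token lifetimes on the OpenSearch-managed client.
# Argument names are assumed to match aws_cognito_user_pool_client.
resource "aws_cognito_managed_user_pool_client" "example" {
  name_prefix  = "AmazonOpenSearchService-example"
  user_pool_id = aws_cognito_user_pool.example.id

  # Each *_validity value below is interpreted in the unit named here.
  # Without this block the defaults are hours for access/id tokens and days for refresh tokens.
  token_validity_units {
    access_token  = "minutes"
    id_token      = "minutes"
    refresh_token = "hours"
  }

  access_token_validity  = 15 # 15 minutes; AWS default is 60 minutes
  id_token_validity      = 15 # 15 minutes; AWS default is 60 minutes
  refresh_token_validity = 8  # 8 hours; AWS default is 30 days

  # Let a refresh token (and the tokens derived from it) be revoked on sign-out.
  enable_token_revocation = true

  # Return a generic error for unknown users instead of a distinct UserNotFoundException.
  prevent_user_existence_errors = "ENABLED"

  # The client exists only after OpenSearch has created it.
  depends_on = [
    aws_opensearch_domain.example,
  ]
}
```

Because the client is created by the OpenSearch service and only adopted by this resource, applying the block updates the existing client's settings rather than creating a new one; a subsequent plan should show no diff unless OpenSearch itself changes the client.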

Attribute Reference

This resource exports the following attributes in addition to the arguments above:

Import

In Terraform v1.5.0 and later, use an import block to import Cognito User Pool Clients using the id of the Cognito User Pool and the id of the Cognito User Pool Client. For example:

import {
  to = aws_cognito_managed_user_pool_client.client
  id = "us-west-2_abc123/3ho4ek12345678909nh3fmhpko"
}

Using terraform import, import Cognito User Pool Clients using the id of the Cognito User Pool and the id of the Cognito User Pool Client. For example:

% terraform import aws_cognito_managed_user_pool_client.client us-west-2_abc123/3ho4ek12345678909nh3fmhpko