Comments (9)
@duanvnc issue hashicorp/terraform-provider-aws#16760 is the request for this feature, with a potential syntax example but it's not merged yet.
As soon as it's available in the AWS provider I can include it in the module.
Regards,
from terraform-aws-cognito-user-pool.
AFAIK the AWS Console and CloudWatch currently still do not support the CustomSender trigger/hook, as already mentioned. Your only option currently is setting it with the AWS CLI after terraform has run.
Here is how we do it in a post_apply_hook.sh running in our CI pipeline (adjusted a little to make it more readable). We create the Lambda Functions with the terraform-aws-modules/lambda/aws serverless terraform module.
HINT: You most likely won't need all the other stuff, but the CustomSender needs a KMS key to decrypt the auth code. The problem is that this AWS CLI call does not update the triggers; it sets the whole configuration, which results in more effort.
#!/bin/bash
# Post-apply hook: wire the Cognito Lambda triggers (incl. CustomEmailSender) via the CLI.
# -u / -o pipefail make an unset variable or a failed `aws | jq` pipeline abort the run
# instead of silently yielding an empty ARN that would then be written into the user pool.
set -euo pipefail
STAGE="${STAGE:-${1:-}}"
echo "Running terraform post-apply-hook for stage '$STAGE' on region '$AWS_REGION'"
if [[ "$STAGE" != "development" ]] && [[ "$STAGE" != "production" ]]; then
  echo "Unknown stage: $STAGE"
  exit 1
fi

# Resolve a Lambda function name to its ARN.
lambda_arn() {
  aws lambda get-function --function-name "$1" | jq -r -c '.Configuration.FunctionArn'
}
LAMBDA_CUSTOM_SENDER_NAME="AwsCognito_CustomSender"
LAMBDA_CUSTOM_SENDER_ARN=$(lambda_arn "$LAMBDA_CUSTOM_SENDER_NAME")
LAMBDA_PRE_SIGNUP_ARN=$(lambda_arn "AwsCognito_PreSignUp")
LAMBDA_POST_AUTHENTICATION_ARN=$(lambda_arn "AwsCognito_PostAuthentication")
LAMBDA_POST_CONFIRMATION_ARN=$(lambda_arn "AwsCognito_PostConfirmation")
LAMBDA_USER_MIGRATION_ARN=$(lambda_arn "AwsCognito_UserMigration")
LAMBDA_AUTH_CHALLENGE_CREATE_ARN=$(lambda_arn "AwsCognito_AuthChallengeCreate")
LAMBDA_AUTH_CHALLENGE_DEFINE_ARN=$(lambda_arn "AwsCognito_AuthChallengeDefine")
LAMBDA_AUTH_CHALLENGE_VERIFY_ARN=$(lambda_arn "AwsCognito_AuthChallengeVerify")

# The CustomSender needs the KMS key Cognito uses to encrypt the code it hands to the Lambda.
# The alias is matched exactly and passed to jq with --arg rather than spliced into the filter.
KMS_KEY_ALIAS="lambda-custom-email-sender"
KMS_KEY_ID=$(aws kms list-aliases | jq -r -c --arg alias "alias/$KMS_KEY_ALIAS" '.Aliases[] | select(.AliasName == $alias) | .TargetKeyId')
KMS_KEY_ARN=$(aws kms describe-key --key-id "$KMS_KEY_ID" | jq -r -c '.KeyMetadata.Arn')

# update-user-pool replaces the whole LambdaConfig: any trigger not listed here is removed.
LAMBDA_CONFIG="CustomEmailSender={LambdaVersion=V1_0,LambdaArn=$LAMBDA_CUSTOM_SENDER_ARN},PreSignUp=$LAMBDA_PRE_SIGNUP_ARN,PostAuthentication=$LAMBDA_POST_AUTHENTICATION_ARN,PostConfirmation=$LAMBDA_POST_CONFIRMATION_ARN,UserMigration=$LAMBDA_USER_MIGRATION_ARN,CreateAuthChallenge=$LAMBDA_AUTH_CHALLENGE_CREATE_ARN,DefineAuthChallenge=$LAMBDA_AUTH_CHALLENGE_DEFINE_ARN,VerifyAuthChallengeResponse=$LAMBDA_AUTH_CHALLENGE_VERIFY_ARN,KMSKeyID=$KMS_KEY_ARN"

USER_POOL_NAME="qrcg-users-$STAGE"
echo "Looking for userpool: $USER_POOL_NAME"
# Exact name match, so a pool with a merely similar name is never updated by mistake.
USER_POOL_ID=$(aws cognito-idp list-user-pools --max-results 10 | jq -r -c --arg name "$USER_POOL_NAME" '.UserPools[] | select(.Name == $name) | .Id')
if [[ -z "$USER_POOL_ID" ]]; then
  echo "User pool '$USER_POOL_NAME' not found"
  exit 1
fi
echo "Lambda config:"
echo "$LAMBDA_CONFIG"
# cf. https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/update-user-pool.html
# update-user-pool also resets every pool setting it is not given to its default, which is
# why the auto-verified attributes must be passed again here.
echo "Updating user-pool '$USER_POOL_ID' for lambda '$LAMBDA_CUSTOM_SENDER_ARN'"
aws cognito-idp update-user-pool --user-pool-id "$USER_POOL_ID" --lambda-config "$LAMBDA_CONFIG" --auto-verified-attributes "email"
echo "Describing user-pool"
aws cognito-idp list-user-pools --max-results 10 | jq --arg name "$USER_POOL_NAME" '.UserPools[] | select(.Name == $name)'
KMS Key terraform:
resource "aws_kms_key" "kms_key_lambda_custom_email_sender" {
  description = "Custom KMS key for AWS cognito lambda"
}
resource "aws_kms_alias" "kms_key_lambda_custom_email_sender_alias" {
  name          = "alias/lambda-custom-email-sender"
  target_key_id = aws_kms_key.kms_key_lambda_custom_email_sender.key_id
}
from terraform-aws-cognito-user-pool.
This is already supported by the provider.
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool#custom_email_sender
I'm trying to do it but I'm having issues generating the content of "lambda_config" dynamically as it contains a mix of values and maps now.
dynamic "lambda_config" {
  for_each = var.lambda_config == null && length(join("", values(local.lambda_config[0]))) == 0 ? [] : local.lambda_config
  content {
    create_auth_challenge          = lookup(lambda_config.value, "create_auth_challenge")
    custom_message                 = lookup(lambda_config.value, "custom_message")
    define_auth_challenge          = lookup(lambda_config.value, "define_auth_challenge")
    post_authentication            = lookup(lambda_config.value, "post_authentication")
    post_confirmation              = lookup(lambda_config.value, "post_confirmation")
    pre_authentication             = lookup(lambda_config.value, "pre_authentication")
    pre_sign_up                    = lookup(lambda_config.value, "pre_sign_up")
    pre_token_generation           = lookup(lambda_config.value, "pre_token_generation")
    user_migration                 = lookup(lambda_config.value, "user_migration")
    verify_auth_challenge_response = lookup(lambda_config.value, "verify_auth_challenge_response")
    kms_key_id                     = lookup(lambda_config.value, "kms_key_id")
    dynamic "custom_email_sender" {
      for_each = lambda_config.value["custom_email_sender"]
      content {
        lambda_arn     = custom_email_sender.value["lambda_arn"]
        lambda_version = custom_email_sender.value["lambda_version"]
      }
    }
    dynamic "custom_sms_sender" {
      for_each = lambda_config.value["custom_sms_sender"]
      content {
        lambda_arn     = custom_sms_sender.value["lambda_arn"]
        lambda_version = custom_sms_sender.value["lambda_version"]
      }
    }
  }
}
so values(local.lambda_config[0]))) == 0 in the for_each is not accepted anymore.
from terraform-aws-cognito-user-pool.
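Wiring the CustomEmailSender trigger straight into the provider resource that the linked docs describe, as an added example that is neither the module's nor the thread's own code. It assumes a declared var.stage, an existing aws_lambda_function.custom_sender, and reuses the pool naming and KMS alias from the hook above; the Lambda's own execution role still needs kms:Decrypt on the key, which is not shown.

```hcl
data "aws_caller_identity" "current" {}

# Key Cognito uses to encrypt the verification code it passes to the sender Lambda.
resource "aws_kms_key" "custom_email_sender" {
  description = "Custom KMS key for AWS cognito lambda"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { # account root keeps full administration of the key
        Sid = "AccountAdmin", Effect = "Allow", Action = "kms:*", Resource = "*"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
      },
      { # Cognito only needs to create grants on the key, nothing more
        Sid = "AllowCognitoCreateGrant", Effect = "Allow", Action = "kms:CreateGrant", Resource = "*"
        Principal = { Service = "cognito-idp.amazonaws.com" }
      }
    ]
  })
}

resource "aws_kms_alias" "custom_email_sender" {
  name          = "alias/lambda-custom-email-sender"
  target_key_id = aws_kms_key.custom_email_sender.key_id
}

resource "aws_cognito_user_pool" "users" {
  name                     = "qrcg-users-${var.stage}" # var.stage is assumed to be declared
  auto_verified_attributes = ["email"]

  lambda_config {
    # The key is referenced by ARN; the sender Lambda's role needs kms:Decrypt on it.
    kms_key_id = aws_kms_key.custom_email_sender.arn
    custom_email_sender {
      lambda_arn     = aws_lambda_function.custom_sender.arn # assumed to exist
      lambda_version = "V1_0"
    }
  }
}

# Resource policy so that only this user pool may invoke the sender function.
resource "aws_lambda_permission" "cognito_custom_sender" {
  statement_id  = "AllowCognitoInvoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.custom_sender.function_name
  principal     = "cognito-idp.amazonaws.com"
  source_arn    = aws_cognito_user_pool.users.arn
}
```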
@xposix maybe this:
for_each = var.lambda_config == null && length(join("", values(local.lambda_config[0]))) == 0 ? [] : local.lambda_config
..can be changed for:
for_each = var.lambda_config == null && length(local.lambda_config) == 0 ? [] : local.lambda_config
Are you going to create a PR with these changes?
from terraform-aws-cognito-user-pool.
If I can fix it properly yes I will. I will try that now. Thanks!
from terraform-aws-cognito-user-pool.
But now I think about it, local.lambda_config will always have content (be > 0), right? We provide the map with all the keys and (initially) empty values.
from terraform-aws-cognito-user-pool.
According to the variables definition it is null by default: https://github.com/lgallard/terraform-aws-cognito-user-pool/blob/master/variables.tf#L160
from terraform-aws-cognito-user-pool.
You might or might not have lambda triggers.
from terraform-aws-cognito-user-pool.
#75 closes this issue!
from terraform-aws-cognito-user-pool.