
Terraform AWS OpenSearch using Cognito module circular problem


Hi, I'm trying to create a Terraform module to deploy AWS OpenSearch using Cognito, but it seems it is not possible to complete!

To create an opensearch cluster with cognito, you need to create

  • cognito user pool
  • cognito user pool client app
  • cognito identity pool (giving it the user pool and client app)
  • Pass the user pool and identity pool to opensearch

After the OpenSearch cluster is installed, it creates a new client app that you then have to add to the identity pool!

Anyone know how to get around a Terraform deploy -> manual update?

[EDIT]

Added a code snippet that resolves the issue. I didn't attach the starter code to deploy OpenSearch with Cognito, as it's a good few hundred lines of code and seemed redundant.

## Runs after the OpenSearch domain and Cognito user pool have been built, to
## add the client app that OpenSearch created to the Cognito identity pool.
## The "external" data source expects the program to print one flat JSON object
## with string values; jq's select() emits the matching user pool client as
## exactly that (one match is assumed).

data "external" "cognito" {
  depends_on = [
    aws_opensearch_domain.this
  ]
  program = ["sh", "-c", "aws cognito-idp list-user-pool-clients --user-pool-id ${aws_cognito_user_pool.cognito-user-pool.id} | jq '.UserPoolClients | .[] | select(.ClientName | contains(\"AmazonOpenSearchService\"))'"]
}

output "cognito" {
  value = data.external.cognito.result["ClientId"]
}

resource "aws_cognito_identity_pool" "cognito-identity-pool-opensearch" {
  depends_on = [
    data.external.cognito
  ]

  identity_pool_name               = "opensearch-${var.domain_name}-identity-pool"
  allow_unauthenticated_identities = false

  # Register the OpenSearch-created client app as an identity provider.
  cognito_identity_providers {
    client_id               = data.external.cognito.result["ClientId"]
    provider_name           = aws_cognito_user_pool.cognito-user-pool.endpoint
    server_side_token_check = false
  }
}

Solution

  • Although your question should provide some sample code, I happen to know exactly what you're referring to because I've had to deal with it in several projects.

    Unless things have changed since I last dealt with this, there is no easy solution and it's a gaping hole in the AWS API and Terraform AWS provider. The workaround I've used is:

    1. Create the OpenSearch domain and allow it to create the Cognito user pool client app.
    2. Use an external data source to make an AWS CLI call to read the OpenSearch domain, which will get you the details of the client app it created.
    3. Use an external data source to update the client app using the AWS CLI and change the necessary settings.

    It sucks, yes.
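Both the question's snippet and step 2 of this workaround hinge on an `external` data source program, which Terraform requires to print a single flat JSON object of strings; a jq `.[] | select(...)` pipeline silently breaks that contract when two clients match. The following is an added example (not the poster's or the answerer's code) of such a program written in Python; the `SAMPLE_RESPONSE`, the `user_pool_id` query key and the script file name are assumptions.

```python
#!/usr/bin/env python3
"""Terraform "external" data source program that picks the Cognito user pool client
created by an OpenSearch domain. Terraform sends the data block's `query` map as JSON
on stdin and expects exactly one JSON object with string values on stdout."""
import json
import subprocess
import sys

# Substring in the name of the client app OpenSearch creates (from the question).
OPENSEARCH_CLIENT_MARKER = "AmazonOpenSearchService"

# Constructed sample, shaped like `aws cognito-idp list-user-pool-clients` output.
SAMPLE_RESPONSE = {
    "UserPoolClients": [
        {"ClientId": "1111aaaaexample", "UserPoolId": "us-east-1_EXAMPLE",
         "ClientName": "app-client-for-users"},
        {"ClientId": "2222bbbbexample", "UserPoolId": "us-east-1_EXAMPLE",
         "ClientName": "AmazonOpenSearchService-mydomain-us-east-1-example"},
    ]
}


def select_opensearch_client(list_response, marker=OPENSEARCH_CLIENT_MARKER):
    """Return the flat, string-valued object Terraform expects; fail if the
    OpenSearch-created client is missing or ambiguous instead of emitting 0 or 2 objects."""
    matches = [c for c in list_response.get("UserPoolClients", [])
               if marker in c.get("ClientName", "")]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one {marker} client, found {len(matches)}")
    c = matches[0]
    return {"ClientId": str(c["ClientId"]), "ClientName": str(c["ClientName"]),
            "UserPoolId": str(c["UserPoolId"])}


def list_user_pool_clients(user_pool_id):
    """Call the AWS CLI (needs credentials; not run offline). No pagination, which
    is fine for a pool with a handful of clients."""
    out = subprocess.run(["aws", "cognito-idp", "list-user-pool-clients",
                          "--user-pool-id", user_pool_id, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def main():
    # Terraform side (assumed file name):
    #   program = ["python3", "${path.module}/pick_opensearch_client.py"]
    #   query   = { user_pool_id = aws_cognito_user_pool.cognito-user-pool.id }
    query = json.load(sys.stdin)
    try:
        result = select_opensearch_client(list_user_pool_clients(query["user_pool_id"]))
    except (KeyError, ValueError, subprocess.CalledProcessError) as exc:
        print(str(exc), file=sys.stderr)  # Terraform reports stderr as the plan error
        sys.exit(1)
    json.dump(result, sys.stdout)


if __name__ == "__main__":
    main()
```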