A way to create AWS Cognito clients and then later (in a different project) add scopes to them

I’m trying to figure out the best way to manage users in AWS Cognito via Terraform and give them access to multiple APIs.

Our idea is to have a single project (bootstrap) where we set up the user pool and add clients to it (these are all “software component clients”, not individuals who sign up). However, we would like the actual permission assignment to reside within each API project (so creating any scopes that project defines and assigning those scopes to existing users would be in the API project Terraform).

The problem we face with that is that it seems to be necessary to define the scopes for each user at the time you create the client. We have not found any way to create a client with an empty scope in our bootstrap project but then create scopes and assign those to users in our API projects.

We’re using the aws_cognito_user_pool_client Terraform resource to create the clients and specifying the scopes for each client using the allowed_oauth_scopes attribute on that resource.

Can anyone tell me if adding a scope and assigning that scope to existing users is possible in Terraform somehow?
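
The arrangement the question describes, written out as an added example that is not part of the original post. The pool and client names, the hypothetical "orders" API, its identifier URL and the `user_pool_id` variable are assumptions made for illustration.

```hcl
# ---- bootstrap project (its own Terraform state) ----

resource "aws_cognito_user_pool" "shared" {
  name = "shared-pool" # assumed name
}

resource "aws_cognito_user_pool_client" "component_a" {
  name            = "component-a" # assumed name
  user_pool_id    = aws_cognito_user_pool.shared.id
  generate_secret = true # machine client, no interactive sign-up

  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_flows                  = ["client_credentials"]

  # The coupling in question: the scope list is an attribute of the client
  # resource, so whichever state owns the client also owns the list of
  # scopes it may request. Each entry is "<resource server identifier>/<scope_name>".
  allowed_oauth_scopes = ["https://orders.example.com/read"]
}

# ---- API project (separate Terraform state, hypothetical "orders" API) ----

variable "user_pool_id" {
  description = "ID of the pool created by the bootstrap project"
  type        = string
}

# Custom scopes are defined on a resource server, which can live in the
# API project because it only needs the pool ID.
resource "aws_cognito_resource_server" "orders" {
  identifier   = "https://orders.example.com" # assumed identifier
  name         = "orders-api"
  user_pool_id = var.user_pool_id

  scope {
    scope_name        = "read"
    scope_description = "Read orders"
  }
}

# Ordering consequence: the scope must exist on the resource server before
# a client can list it, so the bootstrap apply above depends on this API
# project having been applied first, although the states are separate.
```

With this split, defining a scope stays in the API project, but granting it to a client is still a change to `allowed_oauth_scopes` in the bootstrap project, which is the constraint the question is asking how to avoid.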