We have a problem with circular dependencies in our Terraform structure. Briefly, we need to use the generated Cognito user pool app clients in our Lambda, but it does not work.
The problem is that we have a user pool with Lambda dependencies, whilst the Lambda dependencies have user pool app client dependencies, which in turn have user pool dependencies.
Basically, we do like this:
All of our lambdas have common environment variables.
module "post_authentication_lambda" {
  source            = "./modules/lambda"
  function_name     = "${module.meta.resource_prefix}-post-authentication-lambda"
  runtime           = "dotnetcore3.1"
  s3_bucket         = aws_s3_bucket.lambdas_bucket.id
  s3_key            = local.post_auth_zip
  s3_object_version = data.aws_s3_bucket_object.lambdas_zip.version_id
  handler           = "SecurityGateway.Lambdas::SecurityGateway.Lambdas.Functions.PostAuthentication::Function"
  memory_size       = 512
  timeout           = 15

  environment = {
    variables = merge(
      local.common_environment_variables,
      local.user_database_environment_variables
    )
  }
}
The common environment variables look like this:
common_environment_variables = {
  DOTNET_ENVIRONMENT = title(module.meta.env_long)
  SGW_ClientMapping  = join(",", compact(local.client_mapping))
}
It is because of the ClientMapping that we get the circular dependencies.
client_mapping = [
  "${aws_cognito_user_pool_client.backend.id}:Backend",
  "${aws_cognito_user_pool_client.performance_test.id}:PerformanceTest",
  "${aws_cognito_user_pool_client.anpcs_v3.id}:ANPCS",
  "${aws_cognito_user_pool_client.wow.id}:WOW",
  "${aws_cognito_user_pool_client.ww.id}:WW"
]
Each user pool client is created in the same Cognito user pool.
resource "aws_cognito_user_pool_client" "anpcs_v3" {
  name            = "ANPCS"
  user_pool_id    = aws_cognito_user_pool.this.id
  generate_secret = true
  // ...
}
And the problem comes with the user pool. It has dependencies on our Lambda.
resource "aws_cognito_user_pool" "this" {
  name = "${module.meta.resource_prefix}-user-pool"
  // ...
  lambda_config {
    post_authentication  = module.post_authentication_lambda.arn
    pre_token_generation = module.pre_token_generation_lambda.arn
  }
  // ...
}
Meaning, we’ll get a circular dependency.
Is there any good way to solve this issue? Can we somehow use the created user pool client ids in our lambdas without getting this problem?
Our current (hopefully temporary) solution is to apply Terraform to get the client ids, and then hard-code them into the Terraform solution and run again. As you probably understand, it's not a very viable solution.
Are there any suggestions on alternative ways we can take?
Thank you.
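One way to break the cycle, shown here as an added example rather than the poster's own configuration: stop giving the Lambda the client ids at deploy time and give it only the *name* of an SSM parameter instead. The name is a plain string, so the function no longer depends on the clients; the parameter itself is written after the clients exist, and the function reads it at runtime. All resource names, the bucket, the role and the `SGW_ClientMappingParameter` variable name are assumptions made for the example.

```hcl
# Added example (not the poster's code): breaking the Cognito <-> Lambda
# cycle by routing the client mapping through an SSM parameter.
# Dependency graph after the change (no cycle):
#   lambda -> role; pool -> lambda; clients -> pool; parameter -> clients;
#   policy -> role + parameter; permission -> lambda + pool

locals {
  # Assumed parameter name; known at plan time without touching any client.
  client_mapping_parameter = "/example/cognito/client-mapping"
}

resource "aws_iam_role" "lambda" {
  name = "example-post-auth-lambda-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# The function only references the parameter name, so it has no edge
# to aws_cognito_user_pool_client.* in the graph.
resource "aws_lambda_function" "post_authentication" {
  function_name = "example-post-authentication-lambda"
  role          = aws_iam_role.lambda.arn
  runtime       = "dotnetcore3.1"
  handler       = "SecurityGateway.Lambdas::SecurityGateway.Lambdas.Functions.PostAuthentication::Function"
  s3_bucket     = "example-lambdas-bucket" # assumed
  s3_key        = "post-authentication.zip" # assumed

  environment {
    variables = {
      SGW_ClientMappingParameter = local.client_mapping_parameter
    }
  }
}

# Pool -> Lambda dependency stays exactly as in the question.
resource "aws_cognito_user_pool" "this" {
  name = "example-user-pool"
  lambda_config {
    post_authentication = aws_lambda_function.post_authentication.arn
  }
}

# Cognito must be allowed to invoke the trigger; scoped to this pool only.
resource "aws_lambda_permission" "cognito_invoke" {
  statement_id  = "AllowCognitoInvoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.post_authentication.function_name
  principal     = "cognito-idp.amazonaws.com"
  source_arn    = aws_cognito_user_pool.this.arn
}

resource "aws_cognito_user_pool_client" "backend" {
  name            = "Backend"
  user_pool_id    = aws_cognito_user_pool.this.id
  generate_secret = true
}

resource "aws_cognito_user_pool_client" "anpcs_v3" {
  name            = "ANPCS"
  user_pool_id    = aws_cognito_user_pool.this.id
  generate_secret = true
}

# Clients -> parameter. Nothing the function is configured with depends on
# this resource, which is what removes the cycle. Only ids are stored here;
# the client secrets never leave Cognito.
resource "aws_ssm_parameter" "client_mapping" {
  name = local.client_mapping_parameter
  type = "String"
  value = join(",", [
    "${aws_cognito_user_pool_client.backend.id}:Backend",
    "${aws_cognito_user_pool_client.anpcs_v3.id}:ANPCS",
  ])
}

# Least privilege: the function may read this one parameter and nothing else.
resource "aws_iam_role_policy" "read_client_mapping" {
  name = "read-client-mapping"
  role = aws_iam_role.lambda.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["ssm:GetParameter"]
      Resource = aws_ssm_parameter.client_mapping.arn
    }]
  })
}
```

The function then calls `ssm:GetParameter` on the name from `SGW_ClientMappingParameter` (once, at cold start, and caches the result) instead of parsing an `SGW_ClientMapping` value baked into its environment. Two caveats worth checking: the pool is created before the parameter within a single apply, so a sign-in that fires the trigger in that short window will find no mapping yet and the handler should fail closed rather than assume a default client; and if the mapping ever needs to carry client secrets rather than ids, use `type = "SecureString"` and `ssm:GetParameter` with decryption rather than an environment variable.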