Error: reading Cognito Managed User Pool Client - empty result - aws_cognito_managed_user_pool_client

Does anyone know about the error “empty result” when using “aws_cognito_managed_user_pool_client”?
I am deploying OpenSearch with Cognito integration and can’t set the token option for the Cognito Identity Pool app client, as it results in no Role being assigned to the pool. When I don’t worry about setting the token, the role is set and I just have to manually set the token to be able to connect to the OpenSearch dashboard using the Cognito integration.

Error: reading Cognito Managed User Pool Client (…)

with aws_cognito_managed_user_pool_client.OpenSearch-Cognito-Intergration_userPool,
on openSearch.tf line 107, in resource “aws_cognito_managed_user_pool_client” “OpenSearch-Cognito-Intergration_userPool”: 107: resource “aws_cognito_managed_user_pool_client” “OpenSearch-Cognito-Intergration_userPool” {

empty result

resource "aws_cognito_managed_user_pool_client" "OpenSearch-Cognito-Intergration_userPool" {
  name_prefix  = "AmazonOpenSearchService-Cognito-Intergration"
  user_pool_id = aws_cognito_user_pool.cognito_user_pool.id

  depends_on = [
    aws_opensearch_domain.opensearch-domain-project_id
  ]
}

resource "aws_cognito_identity_pool_roles_attachment" "default" {
  identity_pool_id = aws_cognito_identity_pool.cognitoIdentity-project_id.id

  roles = {
    authenticated   = aws_iam_role.cognitoIdenity-access-to-OpenSearch-project_id.arn
  }

/* This is commented out as it's the offending mapping for setting the token authentication for this OpenSearch to Cognito User pool > app client.
  role_mapping {
    identity_provider         = "${aws_cognito_user_pool.cognito_user_pool.endpoint}:${aws_cognito_managed_user_pool_client.OpenSearch-Cognito-Intergration_userPool.id}"
    ambiguous_role_resolution = "AuthenticatedRole"
    type                      = "Token"
  }
*/ 

# This is another app client which illustrates how the token option can be set and works well.

  role_mapping {
    identity_provider         = "${aws_cognito_user_pool.cognito_user_pool.endpoint}:${aws_cognito_user_pool_client.cognito_user_pool_client.id}"
    ambiguous_role_resolution = "AuthenticatedRole"
    type                      = "Token"
  }

  depends_on = [
    aws_cognito_user_pool_client.cognito_user_pool_client
  ]
}

There was another depends_on entry when it was enabled:
aws_cognito_managed_user_pool_client.OpenSearch-Cognito-Intergration_userPool

Updates to the stack then wipe out this aws_cognito_managed_user_pool_client and it has to be added back manually, under Cognito Identity Pool > User Access > Identity Provider > Add identity provider.

I did add the following to the aws_cognito_identity_pool:

  lifecycle {
    ignore_changes = [cognito_identity_providers]
  }

Added for the OpenSearch - Cognito User Pool > App Client created as part of the OpenSearch Cognito integration.

I need to set this so that when I set the token for the OpenSearch - Cognito > app client it doesn’t get deleted.

However, I still need to go to the Cognito Identity Pool > User Access > Identity Provider > Add identity provider section and set the token option for the app client created by AWS as part of the OpenSearch - Cognito integration.

i.e. the Authenticated Role and Authenticated Role ARN are blank when the following is used:

  role_mapping {
    identity_provider         = "${aws_cognito_user_pool.cognito_user_pool.endpoint}:${aws_cognito_managed_user_pool_client.OpenSearch-Cognito-Intergration_userPool.id}"
    ambiguous_role_resolution = "AuthenticatedRole"
    type                      = "Token"
  }
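For reference, here is an added Terraform arrangement of the same pieces (example code, not the poster's configuration): it ties the `name_prefix` of the managed client to the domain name so the lookup only matches the client OpenSearch itself creates, and orders the read after the domain so it is not attempted before that client exists. It assumes an existing `aws_cognito_user_pool.pool` and two IAM roles (`aws_iam_role.opensearch_cognito`, `aws_iam_role.authenticated`); all names are placeholders.

```hcl
# Added example, not from the original post. Assumes the app client that
# OpenSearch creates for a domain is named "AmazonOpenSearchService-<domain>..."
# so the prefix below matches only after the domain's cognito_options apply.
resource "aws_opensearch_domain" "example" {
  domain_name = "example-domain" # placeholder
  cognito_options {
    enabled          = true
    user_pool_id     = aws_cognito_user_pool.pool.id
    identity_pool_id = aws_cognito_identity_pool.pool.id
    role_arn         = aws_iam_role.opensearch_cognito.arn # assumed role
  }
}

# Read of the AWS-created client; depends_on makes Terraform wait for the
# domain, otherwise the lookup runs too early and yields "empty result".
resource "aws_cognito_managed_user_pool_client" "opensearch" {
  name_prefix  = "AmazonOpenSearchService-${aws_opensearch_domain.example.domain_name}"
  user_pool_id = aws_cognito_user_pool.pool.id
  depends_on   = [aws_opensearch_domain.example]
}

resource "aws_cognito_identity_pool" "pool" {
  identity_pool_name = "example-identity-pool" # placeholder
  # OpenSearch registers the managed client as a provider on the identity
  # pool itself; ignoring that attribute stops the next apply removing it.
  lifecycle {
    ignore_changes = [cognito_identity_providers]
  }
}

resource "aws_cognito_identity_pool_roles_attachment" "default" {
  identity_pool_id = aws_cognito_identity_pool.pool.id
  roles = {
    authenticated = aws_iam_role.authenticated.arn # assumed role
  }
  # Token mapping keyed on the managed client, so dashboard logins through
  # the OpenSearch-created client resolve to the authenticated role.
  role_mapping {
    identity_provider         = "${aws_cognito_user_pool.pool.endpoint}:${aws_cognito_managed_user_pool_client.opensearch.id}"
    ambiguous_role_resolution = "AuthenticatedRole"
    type                      = "Token"
  }
}
```

After `terraform apply`, `terraform state show aws_cognito_managed_user_pool_client.opensearch` should report a non-empty `id` and a `name` starting with the prefix; if it does not, the prefix is not matching the client OpenSearch created and the role mapping will stay blank.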