Error: reading Cognito Managed User Pool Client - empty result - aws_cognito_managed_user_pool_client

Does anyone know about the error “empty result” when using “aws_cognito_managed_user_pool_client”?
I am deploying OpenSearch with Cognito integration and can’t set the token option for the Cognito Identity Pool app client, as it results in no role being assigned to the pool. When I don’t set the token, the role is set and I just have to manually set the token to be able to connect to the OpenSearch dashboard using the Cognito integration.

Error: reading Cognito Managed User Pool Client (…)

  with aws_cognito_managed_user_pool_client.OpenSearch-Cognito-Intergration_userPool,
  on openSearch.tf line 107, in resource "aws_cognito_managed_user_pool_client" "OpenSearch-Cognito-Intergration_userPool":
 107: resource "aws_cognito_managed_user_pool_client" "OpenSearch-Cognito-Intergration_userPool" {

empty result

resource "aws_cognito_managed_user_pool_client" "OpenSearch-Cognito-Intergration_userPool" {
  name_prefix  = "AmazonOpenSearchService-Cognito-Intergration"
  user_pool_id = aws_cognito_user_pool.cognito_user_pool.id

  depends_on = [
    aws_opensearch_domain.opensearch-domain-project_id
  ]
}

resource "aws_cognito_identity_pool_roles_attachment" "default" {
  identity_pool_id = aws_cognito_identity_pool.cognitoIdentity-project_id.id

  roles = {
    authenticated = aws_iam_role.cognitoIdenity-access-to-OpenSearch-project_id.arn
  }

  /* This is commented out as it is the offending mapping for setting the token
     authentication for this OpenSearch to Cognito user pool > app client.
  role_mapping {
    identity_provider         = "${aws_cognito_user_pool.cognito_user_pool.endpoint}:${aws_cognito_managed_user_pool_client.OpenSearch-Cognito-Intergration_userPool.id}"
    ambiguous_role_resolution = "AuthenticatedRole"
    type                      = "Token"
  }
  */

  # This is another app client which illustrates how the token option can be set and works well.
  role_mapping {
    identity_provider         = "${aws_cognito_user_pool.cognito_user_pool.endpoint}:${aws_cognito_user_pool_client.cognito_user_pool_client.id}"
    ambiguous_role_resolution = "AuthenticatedRole"
    type                      = "Token"
  }

  depends_on = [
    aws_cognito_user_pool_client.cognito_user_pool_client
  ]
}

There was also another depends_on entry when the mapping was enabled:
  aws_cognito_managed_user_pool_client.OpenSearch-Cognito-Intergration_userPool

Updates to the stack then wipe out this aws_cognito_managed_user_pool_client and it has to be added back manually, via Cognito Identity Pool > User access > Identity providers > Add identity provider.

I did add this into the aws_cognito_identity_pool resource:

resource "aws_cognito_identity_pool" "cognitoIdentity-project_id" {
  # existing arguments unchanged

  lifecycle {
    ignore_changes = [cognito_identity_providers]
  }
}

This was added for the OpenSearch Cognito user pool > app client that is created as part of the OpenSearch Cognito integration.

I need to set this so that when I set the token for the OpenSearch Cognito app client it doesn’t get deleted.

However, I still need to go to the Cognito Identity Pool > User access > Identity providers > Add identity provider section and set the token option for the app client created by AWS as part of the OpenSearch Cognito integration.


i.e. the Authenticated role and Authenticated role ARN are blank when the following is used:

  # Note the resource type here: aws_cognito_managed_user_pool_client, not aws_cognito_user_pool_client.
  role_mapping {
    identity_provider         = "${aws_cognito_user_pool.cognito_user_pool.endpoint}:${aws_cognito_managed_user_pool_client.OpenSearch-Cognito-Intergration_userPool.id}"
    ambiguous_role_resolution = "AuthenticatedRole"
    type                      = "Token"
  }

I found the solution and got it working; posting it for the next person.

The error “empty result” really means “I could not find an app client with that name”.
i.e. from above,
  name_prefix = "AmazonOpenSearchService-Cognito-Intergration"
is for setting the name of an app client, whereas
  name_pattern = "AmazonOpenSearchService-myproject"
is used to find an existing app client that starts with that string.

The OpenSearch instance, for example, is

resource "aws_opensearch_domain" "opensearch-domain-project_id" {
  domain_name = "myproject"
  # remaining arguments unchanged
}

which creates the app client with the name:
  AmazonOpenSearchService-myproject-[region]-cn5…6hi

Upon fixing this one little issue, the role mapping code then works:

  role_mapping {
    identity_provider         = "${aws_cognito_user_pool.cognito_user_pool.endpoint}:${aws_cognito_managed_user_pool_client.OpenSearch-Cognito-Intergration_userPool.id}"
    ambiguous_role_resolution = "AuthenticatedRole"
    type                      = "Token"
  }

This then results in Cognito Identity Pool > User access > Identity providers > the managed app client > Role settings > Role selection being set to “Role with preferred_role claim in tokens”.

Then the OpenSearch connection using IAM roles for all_access works, and roles and changes can be made using IaC within OpenSearch.

provider "opensearch" {
  # Same domain resource as referenced above
  url                         = "https://${aws_opensearch_domain.opensearch-domain-project_id.endpoint}"
  healthcheck                 = false
  aws_region                  = var.stack_region
  aws_assume_role_arn         = "arn:aws:iam::${data.aws_caller_identity.edgeAccountIAM.account_id}:role/myproject-IAM-Admin-Role"
  aws_assume_role_external_id = "opensearch-external"
  version_ping_timeout        = 10
}

resource "opensearch_roles_mapping" "admin-to-allAccess-roleMapping" {
  role_name   = "all_access"
  description = "Mapping AWS administrator IAM roles to OpenSearch default all_access role"
  backend_roles = [
    "arn:aws:iam::${data.aws_caller_identity.edgeAccountIAM.account_id}:role/myproject-IAM-Admin-Role",
    "arn:aws:iam::${data.aws_caller_identity.edgeAccountIAM.account_id}:role/myproject-PipelineRole"
  ]

  depends_on = [ aws_cognito_identity_pool_roles_attachment.default ]
}
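As an added example that is not the original poster's code, below is the corrected wiring for the app client that OpenSearch creates on the user pool, put together from the fix described in the thread. It also tightens the piece the thread never shows: the authenticated role's trust policy, scoped so that only identities from this one identity pool that actually signed in can assume it, with access limited to HTTP calls on this one domain. Resource names follow the thread; the IAM role names and the anchored name_pattern are assumptions, and the user pool, its hosted-UI domain, and the aws_opensearch_domain with its cognito_options block are assumed to exist as in the thread.

```hcl
# Added example (not the original poster's code). Assumes aws_cognito_user_pool.cognito_user_pool
# and aws_opensearch_domain.opensearch-domain-project_id (with cognito_options enabled) exist
# elsewhere in the configuration. IAM role names and the regex are assumptions.

resource "aws_cognito_identity_pool" "cognitoIdentity-project_id" {
  identity_pool_name               = "myproject identity pool"
  allow_unauthenticated_identities = false

  # OpenSearch registers its own app client as a provider on this pool;
  # ignore that attribute so a later plan does not strip the registration.
  lifecycle {
    ignore_changes = [cognito_identity_providers]
  }
}

# name_pattern LOOKS UP the client AWS created ("AmazonOpenSearchService-myproject-<region>-...");
# name_prefix would try to NAME a new one, which is what produced "empty result".
# The anchor and trailing hyphen keep the regex from also matching a later "myproject2" client.
resource "aws_cognito_managed_user_pool_client" "OpenSearch-Cognito-Intergration_userPool" {
  name_pattern = "^AmazonOpenSearchService-myproject-"
  user_pool_id = aws_cognito_user_pool.cognito_user_pool.id

  depends_on = [aws_opensearch_domain.opensearch-domain-project_id]
}

# Authenticated role: trust only identities from THIS pool that actually logged in
# (amr = authenticated). Without the aud condition any Cognito identity pool could assume it.
data "aws_iam_policy_document" "authenticated_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = ["cognito-identity.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "cognito-identity.amazonaws.com:aud"
      values   = [aws_cognito_identity_pool.cognitoIdentity-project_id.id]
    }
    condition {
      test     = "ForAnyValue:StringLike"
      variable = "cognito-identity.amazonaws.com:amr"
      values   = ["authenticated"]
    }
  }
}

resource "aws_iam_role" "cognitoIdenity-access-to-OpenSearch-project_id" {
  name               = "myproject-cognito-authenticated" # assumed name
  assume_role_policy = data.aws_iam_policy_document.authenticated_trust.json
}

# Least privilege for dashboard users: HTTP access to this one domain only.
resource "aws_iam_role_policy" "authenticated_opensearch_http" {
  name = "opensearch-http"
  role = aws_iam_role.cognitoIdenity-access-to-OpenSearch-project_id.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "es:ESHttp*"
      Resource = "${aws_opensearch_domain.opensearch-domain-project_id.arn}/*"
    }]
  })
}

resource "aws_cognito_identity_pool_roles_attachment" "default" {
  identity_pool_id = aws_cognito_identity_pool.cognitoIdentity-project_id.id

  roles = {
    authenticated = aws_iam_role.cognitoIdenity-access-to-OpenSearch-project_id.arn
  }

  # Token mapping keyed on the managed client's id ("<user pool endpoint>:<client id>"):
  # the pool then picks the role from the user pool token's cognito:preferred_role claim
  # (group-based roles) instead of handing every login the single authenticated role.
  role_mapping {
    identity_provider         = "${aws_cognito_user_pool.cognito_user_pool.endpoint}:${aws_cognito_managed_user_pool_client.OpenSearch-Cognito-Intergration_userPool.id}"
    ambiguous_role_resolution = "AuthenticatedRole"
    type                      = "Token"
  }
}
```

Two checks worth running after apply: terraform state show on the managed client should report a single client_id (the provider errors if the regex matches more than one client in the pool), and in the console the identity pool's role settings for that provider should read "Role with preferred_role claim in tokens", which is the state the thread describes as working.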