OpenSearch Cognito terraform (local-exec) deploy error on Windows

0

Hi all

I'm trying to deploy Amazon OpenSearch with Cognito using https://github.com/aws-samples/opensearch-in-vpc/tree/main. But I encountered an error in the following part:

resource "aws_elasticsearch_domain" "aos" {
  domain_name = var.aos_domain_name

  ...

  /*
  This is needed due to the issue with the AWS Terraform provider, as can be seen in the link below:
  https://github.com/hashicorp/terraform-provider-aws/issues/5557
  */
  provisioner "local-exec" {
    #interpreter = ["/bin/bash", "-c"]
    #interpreter = ["PowerShell", "-Command"]
    command = <<-COMMAND
      sleep 100 # Give some time for the endpoint to become available
      aws cognito-idp update-user-pool-client `
        --user-pool-id ${aws_cognito_user_pool.aos_pool.id} `
        --client-id ${aws_cognito_user_pool_client.aos_user_pool_client.id} `
        --supported-identity-providers "COGNITO" `
        --callback-urls "https://${self.kibana_endpoint}app/kibana" `
        --logout-urls "https://${self.kibana_endpoint}app/kibana" `
        --allowed-o-auth-flows "code" `
        --allowed-o-auth-scopes "email" "openid" `
        --allowed-o-auth-flows-user-pool-client `
        --region ${local.aws_region}
    COMMAND
  }

}

Errors are as follows:

module.opensearch_example.aws_elasticsearch_domain.aos (local-exec): operable program or batch file.
╷
│ Error: local-exec provisioner error
│
│   with module.opensearch_example.aws_elasticsearch_domain.aos,
│   on ..\opensearch-in-vpc-module\opensearch.tf line 74, in resource "aws_elasticsearch_domain" "aos":
│   74:   provisioner "local-exec" {
│
│ Error running command 'sleep 100 # Give some time for the endpoint to become available
│ aws cognito-idp update-user-pool-client `
│   --user-pool-id us-west-2_a4 `
│   --client-id 53u75eokkmmhd `
│   --supported-identity-providers "COGNITO" `
│   --callback-urls "https://vpc-my-example-20250323-fwzli.us-west-2.es.amazonaws.com/_plugin/kibana/app/kibana" `
│   --logout-urls "https://vpc-my-example-20250323-fwzlgxi.us-west-2.es.amazonaws.com/_plugin/kibana/app/kibana" `
│   --allowed-o-auth-flows "code" `
│   --allowed-o-auth-scopes "email" "openid" `
│   --allowed-o-auth-flows-user-pool-client `
│   --region us-west-2
│ ': exit status 1. Output: 'sleep' is not recognized as an internal or external command,
│ operable program or batch file.
│

I'm running this on Windows in a PowerShell command prompt. I could successfully deploy it on Amazon Linux though.

Thanks.

1 Answer
0

The error you're encountering is due to running the local-exec provisioner on a Windows system. The command in the provisioner is using Unix/Linux syntax, which is not compatible with Windows PowerShell. To resolve this issue, you need to modify the local-exec provisioner to use Windows-compatible commands. Here's how you can adjust it:

  1. Replace 'sleep' with 'Start-Sleep': Windows doesn't have a 'sleep' command, but PowerShell has 'Start-Sleep'.

  2. Use PowerShell's line continuation character (backtick `) instead of the Unix-style backslash (\).

  3. Specify PowerShell as the interpreter.

Here's an adjusted version of the local-exec provisioner that should work on Windows:

provisioner "local-exec" {
  interpreter = ["PowerShell", "-Command"]
  command = <<-COMMAND
    Start-Sleep -Seconds 100
    aws cognito-idp update-user-pool-client `
      --user-pool-id ${aws_cognito_user_pool.aos_pool.id} `
      --client-id ${aws_cognito_user_pool_client.aos_user_pool_client.id} `
      --supported-identity-providers "COGNITO" `
      --callback-urls "https://${self.kibana_endpoint}app/kibana" `
      --logout-urls "https://${self.kibana_endpoint}app/kibana" `
      --allowed-o-auth-flows "code" `
      --allowed-o-auth-scopes "email" "openid" `
      --allowed-o-auth-flows-user-pool-client `
      --region ${local.aws_region}
  COMMAND
}

This modification should allow the local-exec provisioner to run successfully on your Windows system. The 'Start-Sleep -Seconds 100' command will pause the execution for 100 seconds, giving time for the endpoint to become available before running the AWS CLI command.

Make sure you have the AWS CLI installed and configured on your Windows system, as the command relies on it to update the Cognito user pool client.

If you continue to face issues, you might want to consider using a more cross-platform approach, such as writing a small script (e.g., Python) that can run on both Windows and Linux, and calling that script from your Terraform configuration.

answered 2 months ago
AWS
EXPERT
reviewed 2 months ago
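
The cross-platform script suggested at the end of the answer could look like this, as an added example that is not part of the original answer or of the aws-samples repository. It passes the AWS CLI call as an argument list, so neither PowerShell nor bash has to parse line continuations or `sleep`. The file name `update_client.py` and its option names are assumptions.

```python
import argparse
import shutil
import subprocess
import sys
import time


def build_update_command(user_pool_id, client_id, kibana_endpoint, region):
    """Return the AWS CLI call as an argv list so that no shell parses it."""
    # Same concatenation as the Terraform heredoc: the endpoint already ends
    # in "/" (see the expanded URLs in the error output above).
    url = f"https://{kibana_endpoint}app/kibana"
    return [
        "aws", "cognito-idp", "update-user-pool-client",
        "--user-pool-id", user_pool_id,
        "--client-id", client_id,
        "--supported-identity-providers", "COGNITO",
        "--callback-urls", url,
        "--logout-urls", url,
        "--allowed-o-auth-flows", "code",
        "--allowed-o-auth-scopes", "email", "openid",
        "--allowed-o-auth-flows-user-pool-client",
        "--region", region,
    ]


def main(argv=None):
    parser = argparse.ArgumentParser()
    for opt in ("--user-pool-id", "--client-id", "--kibana-endpoint", "--region"):
        parser.add_argument(opt, required=True)
    parser.add_argument("--wait", type=int, default=100)
    args = parser.parse_args(argv)

    aws = shutil.which("aws")  # honours PATHEXT on Windows (aws.exe / aws.cmd)
    if aws is None:
        print("AWS CLI not found on PATH", file=sys.stderr)
        return 1
    time.sleep(args.wait)  # give the endpoint time to become available
    cmd = build_update_command(args.user_pool_id, args.client_id,
                               args.kibana_endpoint, args.region)
    cmd[0] = aws
    # No shell=True: arguments reach the CLI exactly as listed on every OS.
    return subprocess.run(cmd, check=False).returncode


if __name__ == "__main__":
    sys.exit(main())
```

From Terraform, a single-line `command` that runs `python update_client.py` with the four interpolated values then works with the default `local-exec` interpreter on both Windows and Linux.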
