Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

deploy opensearch with cognito auth without manual intervention (terraform)

0

Hi,

ive created a terraform module to deploy aws opensearch with cognito auth.

Then problem is that when creating the aws opensearch it needs the cognito user pool and identity pool. To create the idenity pool, i need to create a dummy client app. and when opensearch is created it creates a new client app. That is not added to identity pool mappings.

Is there any way around this? Is it a terraform problem or a cognito / opensearch problem / or finishes crossed a me problem!

Topics
AnalyticsSecurity, Identity, & Compliance
Tags
Amazon CognitoAmazon OpenSearch Service
Language
English
asked 3 years ago630 views
3 Answers
1

Hi,

Yes I ended up with a external data call to the aws cli to to link the opensearch created app client to idenitty pool!

thanks for the reply

answered 3 years ago
0
Accepted Answer

I believe there is a known issue with Terraform provider for this. There is a workaround you might want to give a try. Use local-exec provisioner in your opensearch.tf and run an AWS CLI command to update the Cognito IdP user pool client with the one you created in your cognito.tf. "aws cognito-idp update-user-pool-client......."

Please refer to https://github.com/aws-samples/opensearch-in-vpc/blob/main/opensearch-in-vpc-module/opensearch.tf

AWS
answered 3 years ago
0

There is a solution for this implemented and I have it working.

resource "aws_cognito_managed_user_pool_client" "OpenSearch-Cognito-Intergration_userPool" {
  name_pattern = "AmazonOpenSearchService-myproject"
  user_pool_id = aws_cognito_user_pool.myproject_cognito_user_pool.id

  depends_on = [
    aws_opensearch_domain.myproject-opensearch-domain-project_id
  ]
}

Then you can modify the Cognito Identity center setup of it

resource "aws_cognito_identity_pool_roles_attachment" "default" {
.....
  role_mapping {
    identity_provider         = "${aws_cognito_user_pool.myproject_cognito_user_pool.endpoint}:${aws_cognito_managed_user_pool_client.OpenSearch-Cognito-Intergration_userPool.id}"
    ambiguous_role_resolution = "AuthenticatedRole"
    type                      = "Token"
  }
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content