Support for Cognito Identity Provider

[mdolian]

I believe the following documentation is no longer accurate. I'm not sure when in the past an IAM SAML Provider was used as a Cognito Identity Provider, but Cognito now has it's own Identity Provider. Please see the following API documentation:
https://www.terraform.io/docs/providers/aws/r/cognito_identity_pool.html

I don't believe Terraform has support for this at the moment.

[Ninir]

Hi @mdolian

Thanks for reporting this!

Cognito Identity Pool is using Authentication providers which are one/many from: Cognito, Amazon, Facebook, Google+, Twitter / Digits, OpenID, SAML or a Custom one.
SAML is however a correct authentication provider.

... Cognito now has it's own Identity Provider

I'm wondering if you are referring to the Cognito authentication provider, which is using Cognito User Pool plus an Application... 🤔
Could you better explain what you have in mind, providing a news from the blog or documentation link?

Thanks!

[mdolian]

Sorry, I meant to include the actual API reference and forgot. I believe this is where the gap exists:

https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateIdentityProvider.html

You can't use an IAM SAML Provider in Cognito, which is how the terraform documentation says to do it. You'll notice the identity provider in IAM is different from the API link above: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateSAMLProvider.html

[mdolian]

Did the above reply provide enough information? I'm more curious to know if this is a gap or if I'm potentially just doing it wrong. I wouldn't mind trying to work on adding this feature but I don't want to dive in unless it's confirmed that it's needed. Thanks!

[Ninir]

Hey @mdolian

Sorry for the late response. You can find the related SAML provider resource at https://www.terraform.io/docs/providers/aws/r/iam_saml_provider.html.

Thus, you should be able to use the cognito identity pool freely and fully.

Hope it fixes your issue!

[mdolian]

@Ninir

The IAM SAML Provider is not supported in Cognito. The example in your documentation above will produce an error. I tried it out and that is what led me to finding the new Cognito Identity Provider.

https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateIdentityProvider.html

If you can point me to where Terraform creates the resource above, then that solves the issue. I believe Terraform is missing it.

Thanks

[Ninir]

Hey @mdolian

The IAM SAML provider is supported by Cognito, please see the related screenshot.

As you can see, I am able to select an IAM Saml provider already created. Also, our Cognito Identity Pool test also ensures that this is passing.

Can you provide more details about your issue so that we can further debug?

Thanks!

[rmzi]

@Ninir - It seems that Cognito identity pools allow the use of IAM SAML Providers, but * user pools * have a separate identity provider that is not currently supported in TF.

Here are the docs I've been referencing: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html

[mikkeldamsgaard]

I can confirm both @rmzi and @mdolian, that it looks like terraform is missing support to create UserPoolIdentityProviders. The corresponding commandline commands to list and create the objects are

aws cognito-idp describe-identity-provider
aws cognito-idp create-identity-provider

The both requires user-pool-id as an argument.

The corresponding AWS documentation about these kind of pools are: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-configuring-federation-with-social-idp.html

[bflad]

For what its worth, there is an open pull request for a new aws_cognito_identity_provider resource here: #3601

[bflad]

The new aws_cognito_identity_provider resource will release with v1.21.0 later today.

[bflad]

This has been released in version 1.21.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[realvictorprm]

I'm not understanding from the docs, how I can specifiy the XML File for SAML providers. Is this a gap or do I miss something?

[cilindrox]

@realvictorprm take a look at this answer: #4815 (comment)

[orfin]

@realvictorprm you can pass content of XML file directly to MetadataFile property:

resource "aws_cognito_identity_provider" "example" {
  user_pool_id  = "${aws_cognito_user_pool.example.id}"
  provider_name = "example"
  provider_type = "SAML"

  provider_details = {
    MetadataFile = "${file('path/to/file.xml')}"
  }
}

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!