r/cognito_user_pool - add pre_token_generation_config to lambda_config

.changelog/35236.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_cognito_user_pool: Add `pre_token_generation_config` configuration block
+```

.changelog/36311.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_cognito_identity_provider: Fix `InvalidParameterException: ActiveEncryptionCertificate is not a valid key for SAML identity provider details` errors on resource Update
+```

examples/cognito-user-pool/main.tf

@@ -117,9 +117,14 @@ resource "aws_cognito_user_pool" "pool" {
     post_confirmation              = aws_lambda_function.main.arn
     pre_authentication             = aws_lambda_function.main.arn
     pre_sign_up                    = aws_lambda_function.main.arn
-    pre_token_generation           = aws_lambda_function.main.arn
+    pre_token_generation           = aws_lambda_function.main.arn # Set this parameter for legacy purposes; for new instances of pre token generation triggers, set the LambdaArn of `pre_token_generation_config`
     user_migration                 = aws_lambda_function.main.arn
     verify_auth_challenge_response = aws_lambda_function.main.arn
+
+    pre_token_generation_config {
+      lambda_arn     = aws_lambda_function.main.arn # Should be a identical to the pre_token_generation lambda ARN if used
+      lambda_version = "V2_0"
+    }
   }
 
   schema {

internal/service/cognitoidentity/exports_test.go

@@ -0,0 +1,11 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package cognitoidentity
+
+// Exports for use in tests only.
+var (
+	ResourcePool                     = resourcePool
+	ResourcePoolProviderPrincipalTag = resourcePoolProviderPrincipalTag
+	ResourcePoolRolesAttachment      = resourcePoolRolesAttachment
+)

internal/service/cognitoidentity/pool.go

@@ -26,7 +26,7 @@ import (
 
 // @SDKResource("aws_cognito_identity_pool", name="Pool")
 // @Tags(identifierAttribute="arn")
-func ResourcePool() *schema.Resource {
+func resourcePool() *schema.Resource {
 	return &schema.Resource{
 		CreateWithoutTimeout: resourcePoolCreate,
 		ReadWithoutTimeout:   resourcePoolRead,

internal/service/cognitoidentity/pool_data_source.go

@@ -21,7 +21,7 @@ import (
 
 // @SDKDataSource("aws_cognito_identity_pool", name="Pool")
 // @Tags(identifierAttribute="arn")
-func DataSourcePool() *schema.Resource {
+func dataSourcePool() *schema.Resource {
 	return &schema.Resource{
 		ReadWithoutTimeout: dataSourcePoolRead,
 

internal/service/cognitoidentity/pool_provider_principal_tag.go

@@ -24,8 +24,8 @@ import (
 	"github.com/hashicorp/terraform-provider-aws/names"
 )
 
-// @SDKResource("aws_cognito_identity_pool_provider_principal_tag")
-func ResourcePoolProviderPrincipalTag() *schema.Resource {
+// @SDKResource("aws_cognito_identity_pool_provider_principal_tag", name="Provider Principal Tags")
+func resourcePoolProviderPrincipalTag() *schema.Resource {
 	return &schema.Resource{
 		CreateWithoutTimeout: resourcePoolProviderPrincipalTagCreate,
 		ReadWithoutTimeout:   resourcePoolProviderPrincipalTagRead,

internal/service/cognitoidentity/pool_roles_attachment.go

@@ -23,8 +23,8 @@ import (
 	"github.com/hashicorp/terraform-provider-aws/names"
 )
 
-// @SDKResource("aws_cognito_identity_pool_roles_attachment")
-func ResourcePoolRolesAttachment() *schema.Resource {
+// @SDKResource("aws_cognito_identity_pool_roles_attachment", name="Pool Roles Association")
+func resourcePoolRolesAttachment() *schema.Resource {
 	return &schema.Resource{
 		CreateWithoutTimeout: resourcePoolRolesAttachmentCreate,
 		ReadWithoutTimeout:   resourcePoolRolesAttachmentRead,

internal/service/cognitoidp/consts.go

@@ -8,12 +8,10 @@ import (
 )
 
 const (
-	ResNameIdentityProvider  = "Identity Provider"
 	ResNameResourceServer    = "Resource Server"
 	ResNameRiskConfiguration = "Risk Configuration"
 	ResNameUserPoolClient    = "User Pool Client"
 	ResNameUserPoolDomain    = "User Pool Domain"
-	ResNameUserPool          = "User Pool"
 	ResNameUser              = "User"
 )
 

internal/service/cognitoidp/exports_test.go

@@ -5,9 +5,21 @@ package cognitoidp
 
 // Exports for use in tests only.
 var (
-	ResourceUserGroup             = resourceUserGroup
-	ResourceUserPoolClient        = newResourceUserPoolClient
-	ResourceManagedUserPoolClient = newResourceManagedUserPoolClient
+	ResourceIdentityProvider        = resourceIdentityProvider
+	ResourceManagedUserPoolClient   = newManagedUserPoolClientResource
+	ResourceResourceServer          = resourceResourceServer
+	ResourceRiskConfiguration       = resourceRiskConfiguration
+	ResourceUser                    = resourceUser
+	ResourceUserGroup               = resourceUserGroup
+	ResourceUserInGroup             = resourceUserInGroup
+	ResourceUserPool                = resourceUserPool
+	ResourceUserPoolClient          = newUserPoolClientResource
+	ResourceUserPoolDomain          = resourceUserPoolDomain
+	ResourceUserPoolUICustomization = resourceUserPoolUICustomization
 
-	FindGroupByTwoPartKey = findGroupByTwoPartKey
+	FindGroupByTwoPartKey                   = findGroupByTwoPartKey
+	FindIdentityProviderByTwoPartKey        = findIdentityProviderByTwoPartKey
+	FindUserByTwoPartKey                    = findUserByTwoPartKey
+	FindUserPoolByID                        = findUserPoolByID
+	FindUserPoolUICustomizationByTwoPartKey = findUserPoolUICustomizationByTwoPartKey
 )

internal/service/cognitoidp/find.go

@@ -7,7 +7,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"reflect"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/cognitoidentityprovider"
@@ -16,33 +15,6 @@ import (
 	"github.com/hashicorp/terraform-provider-aws/internal/tfresource"
 )
 
-// FindCognitoUserPoolUICustomization returns the UI Customization corresponding to the UserPoolId and ClientId.
-// Returns nil if no UI Customization is found.
-func FindCognitoUserPoolUICustomization(ctx context.Context, conn *cognitoidentityprovider.CognitoIdentityProvider, userPoolId, clientId string) (*cognitoidentityprovider.UICustomizationType, error) {
-	input := &cognitoidentityprovider.GetUICustomizationInput{
-		ClientId:   aws.String(clientId),
-		UserPoolId: aws.String(userPoolId),
-	}
-
-	output, err := conn.GetUICustomizationWithContext(ctx, input)
-
-	if err != nil {
-		return nil, err
-	}
-
-	if output == nil || output.UICustomization == nil {
-		return nil, nil
-	}
-
-	// The GetUICustomization API operation will return an empty struct
-	// if nothing is present rather than nil or an error, so we equate that with nil
-	if reflect.DeepEqual(output.UICustomization, &cognitoidentityprovider.UICustomizationType{}) {
-		return nil, nil
-	}
-
-	return output.UICustomization, nil
-}
-
 // FindCognitoUserInGroup checks whether the specified user is present in the specified group. Returns boolean value accordingly.
 func FindCognitoUserInGroup(ctx context.Context, conn *cognitoidentityprovider.CognitoIdentityProvider, groupName, userPoolId, username string) (bool, error) {
 	input := &cognitoidentityprovider.AdminListGroupsForUserInput{