-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cognito: Added Identity Pool Roles Attachment #863
Conversation
"ambiguous_role_resolution": { | ||
Type: schema.TypeString, | ||
ValidateFunc: validateCognitoRoleMappingsAmbiguousRoleResolution, | ||
Optional: true, // Required if Type equals Token or Rules. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At the moment, as token
is required and has only 2 possibles values (Token or Rules), this seems required too.
The API states that this is Optional though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey @Ninir
Sorry it took me so long to get to this!
I looked at the API structs and the schema to understand the reasoning behind such deeply nested schema, which I think is/was the primary blocker for this PR.
How would you feel about flattening the schema like this?
map[string]*schema.Schema{
"identity_pool_id": {
Type: schema.TypeString,
Required: true,
ForceNew: true,
},
"role_mapping": {
Type: schema.TypeSet,
Optional: true,
MaxItems: 1,
Set: nil,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"identity_provider": {
Type: schema.TypeString,
Required: true,
},
"ambiguous_role_resolution": {
Type: schema.TypeString,
ValidateFunc: validateCognitoRoleMappingsAmbiguousRoleResolution,
Optional: true, // Required if Type equals Token or Rules.
},
"type": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validateCognitoRoleMappingsType,
},
"mapping_rule": {
Type: schema.TypeList,
Required: true,
MaxItems: 25,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"claim": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validateCognitoRoleMappingsRulesClaim,
},
"match_type": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validateCognitoRoleMappingsRulesMatchType,
},
"role_arn": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validateArn,
},
"value": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validateCognitoRoleMappingsRulesValue,
},
},
},
},
},
},
},
"roles": {
Type: schema.TypeMap,
Required: true,
ForceNew: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"authenticated": {
Type: schema.TypeString,
ValidateFunc: validateArn,
Optional: true, // Required if unauthenticated isn't defined.
},
"unauthenticated": {
Type: schema.TypeString,
ValidateFunc: validateArn,
Optional: true, // Required if authenticated isn't defined.
},
},
},
},
}
then the HCL config could look something like this
resource "aws_cognito_identity_pool_roles_attachment" "main" {
identity_pool_id = "${aws_cognito_identity_pool.main.id}"
role_mapping {
identity_provider = "graph.facebook.com"
ambiguous_role_resolution = "AuthenticatedRole"
type = "Rules"
mapping_rule {
claim = "isAdmin"
match_type = "Equals"
role_arn = "${aws_iam_role.authenticated.arn}"
value = "paid"
}
}
roles {
"authenticated" = "${aws_iam_role.authenticated.arn}"
}
}
eventually I'm thinking identity_provider
could be shortened to idp
, but that's really a nitpick in this context - the main goal is to reduce the nesting here.
Let me know what you think - then we can proceed with the rest of the PR as the schema change is the probably the most significant thing here.
83891a3
to
c595651
Compare
@radeksimko This is a much better approach, thank you for the suggestion :) While tests are passing, I would like to check another time that everything is ok on my side before merging the work:
|
c595651
to
4716be9
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I left you one comment, but this LGTM once you fix the Printf vet
errors as reported in Travis.
Thanks for bringing it to the finish line! 👍
return nil | ||
} | ||
|
||
const baseAWSCognitoIdentityPoolRolesAttachmentConfig = ` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nitpick, but how do you feel about exposing this as a wrapper around fmt.Sprinf
so that we get the validation-at-compile-time benefit?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Isn't it the case as this constant is concatenated to another string but wrapped into a fmt.Sprintf line https://github.com/terraform-providers/terraform-provider-aws/pull/863/files/4716be981696dcd13458a0e660bfe19b1ab15860#diff-213dd3d721447149c2fa3d3ddfb5e5b1R305 ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The link isn't valid anymore, but yeah - I thought you could do something like this:
func testAccAWSCognitoIdentityPoolRolesAttachmentConfig_basic(name string) string {
return fmt.Sprintf(baseAWSCognitoIdentityPoolRolesAttachmentConfig(name)+`
resource "aws_cognito_identity_pool_roles_attachment" "main" {
the benefit you get there is you may change baseAWSCognitoIdentityPoolRolesAttachmentConfig
template and add/remove modifiers as necessary without having to refactor all references.
It's not a big deal though - so feel free to ignore.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done :) thanks for the advice!
4716be9
to
e7ed12f
Compare
921f94e
to
230b696
Compare
@radeksimko Ready to go on my side :) |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
Description
This adds the AWS Cognito Identity Roles association resource, based on the following API: http://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_SetIdentityPoolRoles.html
(Migrated from hashicorp/terraform#12846)
Related issues
Tests
TODOs