Cognito: Added Identity Pool Roles Attachment #863
Conversation
Ninir
changed the title
| "ambiguous_role_resolution": { | ||
| Type: schema.TypeString, | ||
| ValidateFunc: validateCognitoRoleMappingsAmbiguousRoleResolution, | ||
| Optional: true, // Required if Type equals Token or Rules. |
There was a problem hiding this comment.
At the moment, as token is required and has only 2 possibles values (Token or Rules), this seems required too.
The API states that this is Optional though.
There was a problem hiding this comment.
Hey @Ninir
Sorry it took me so long to get to this!
I looked at the API structs and the schema to understand the reasoning behind such deeply nested schema, which I think is/was the primary blocker for this PR.
How would you feel about flattening the schema like this?
map[string]*schema.Schema{
"identity_pool_id": {
Type: schema.TypeString,
Required: true,
ForceNew: true,
},
"role_mapping": {
Type: schema.TypeSet,
Optional: true,
MaxItems: 1,
Set: nil,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"identity_provider": {
Type: schema.TypeString,
Required: true,
},
"ambiguous_role_resolution": {
Type: schema.TypeString,
ValidateFunc: validateCognitoRoleMappingsAmbiguousRoleResolution,
Optional: true, // Required if Type equals Token or Rules.
},
"type": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validateCognitoRoleMappingsType,
},
"mapping_rule": {
Type: schema.TypeList,
Required: true,
MaxItems: 25,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"claim": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validateCognitoRoleMappingsRulesClaim,
},
"match_type": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validateCognitoRoleMappingsRulesMatchType,
},
"role_arn": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validateArn,
},
"value": {
Type: schema.TypeString,
Required: true,
ValidateFunc: validateCognitoRoleMappingsRulesValue,
},
},
},
},
},
},
},
"roles": {
Type: schema.TypeMap,
Required: true,
ForceNew: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"authenticated": {
Type: schema.TypeString,
ValidateFunc: validateArn,
Optional: true, // Required if unauthenticated isn't defined.
},
"unauthenticated": {
Type: schema.TypeString,
ValidateFunc: validateArn,
Optional: true, // Required if authenticated isn't defined.
},
},
},
},
}then the HCL config could look something like this
resource "aws_cognito_identity_pool_roles_attachment" "main" {
identity_pool_id = "${aws_cognito_identity_pool.main.id}"
role_mapping {
identity_provider = "graph.facebook.com"
ambiguous_role_resolution = "AuthenticatedRole"
type = "Rules"
mapping_rule {
claim = "isAdmin"
match_type = "Equals"
role_arn = "${aws_iam_role.authenticated.arn}"
value = "paid"
}
}
roles {
"authenticated" = "${aws_iam_role.authenticated.arn}"
}
}eventually I'm thinking identity_provider could be shortened to idp, but that's really a nitpick in this context - the main goal is to reduce the nesting here.
Let me know what you think - then we can proceed with the rest of the PR as the schema change is the probably the most significant thing here.
radeksimko
added
the
waiting-response
Ninir
force-pushed
the
f-cognito-ip-roles-attachment
branch
2 times, most recently
from
83891a3
to
c595651
Compare
|
@radeksimko This is a much better approach, thank you for the suggestion :) While tests are passing, I would like to check another time that everything is ok on my side before merging the work: |
Ninir
removed
the
waiting-response
Ninir
force-pushed
the
f-cognito-ip-roles-attachment
branch
from
c595651
to
4716be9
Compare
| return nil | ||
| } | ||
|
|
||
| const baseAWSCognitoIdentityPoolRolesAttachmentConfig = ` |
There was a problem hiding this comment.
Nitpick, but how do you feel about exposing this as a wrapper around fmt.Sprinf so that we get the validation-at-compile-time benefit?
There was a problem hiding this comment.
Isn't it the case as this constant is concatenated to another string but wrapped into a fmt.Sprintf line https://github.com/terraform-providers/terraform-provider-aws/pull/863/files/4716be981696dcd13458a0e660bfe19b1ab15860#diff-213dd3d721447149c2fa3d3ddfb5e5b1R305 ?
There was a problem hiding this comment.
The link isn't valid anymore, but yeah - I thought you could do something like this:
func testAccAWSCognitoIdentityPoolRolesAttachmentConfig_basic(name string) string {
return fmt.Sprintf(baseAWSCognitoIdentityPoolRolesAttachmentConfig(name)+`
resource "aws_cognito_identity_pool_roles_attachment" "main" {the benefit you get there is you may change baseAWSCognitoIdentityPoolRolesAttachmentConfig template and add/remove modifiers as necessary without having to refactor all references.
It's not a big deal though - so feel free to ignore.
There was a problem hiding this comment.
Done :) thanks for the advice!
Ninir
force-pushed
the
f-cognito-ip-roles-attachment
branch
from
4716be9
to
e7ed12f
Compare
Ninir
changed the title
Ninir
force-pushed
the
f-cognito-ip-roles-attachment
branch
from
921f94e
to
230b696
Compare
|
@radeksimko Ready to go on my side :) |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked and limited conversation to collaborators
Description
This adds the AWS Cognito Identity Roles association resource, based on the following API: http://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_SetIdentityPoolRoles.html
(Migrated from hashicorp/terraform#12846)
Related issues
Tests
TODOs