diff --git a/README.md b/README.md
index 56a07ae..1896c71 100644
--- a/README.md
+++ b/README.md
@@ -27,6 +27,22 @@ module "aws_cognito_user_pool_simple" {
 }
 ```
+### Example (conditional creation)
+
+Sometimes you need to have a way to create Cognito User Pool resources conditionally but Terraform does not allow to use `count` inside `module` block, so the solution is to specify argument `enabled`.
+
+```
+# This Cognito User Pool will not be created
+module "aws_cognito_user_pool_conditional_creation" {
+
+source = "lgallard/cognito-user-pool/aws"
+
+user_pool_name = "conditional_user_pool"
+enabled = false
+
+}
+```
+
 ### Example (complete)
 This more complete example creates a AWS Cognito User Pool using a detailed configuration. Please check the example folder to get the example with all options:
@@ -159,6 +175,7 @@ module "aws_cognito_user_pool_complete" {
 | email\_configuration\_source\_arn | The ARN of the email source | `string` | `""` | no |
 | email\_verification\_message | A string representing the email verification message | `string` | `null` | no |
 | email\_verification\_subject | A string representing the email verification subject | `string` | `null` | no |
+| enabled | Controls if Cognito User Pool should be created | `bool` | `false` | no |
 | lambda\_config | A container for the AWS Lambda triggers associated with the user pool | `map` | `null` | no |
 | lambda\_config\_create\_auth\_challenge | The ARN of the lambda creating an authentication challenge. | `string` | `""` | no |
 | lambda\_config\_custom\_message | A custom Message AWS Lambda trigger. | `string` | `""` | no |
diff --git a/client.tf b/client.tf
index 6ab0593..c3b337f 100644
--- a/client.tf
+++ b/client.tf
@@ -1,5 +1,5 @@
 resource "aws_cognito_user_pool_client" "client" {
-count = length(local.clients)
+count = var.enabled ? length(local.clients) : 0
 allowed_oauth_flows = lookup(element(local.clients, count.index), "allowed_oauth_flows", null)
 allowed_oauth_flows_user_pool_client = lookup(element(local.clients, count.index), "allowed_oauth_flows_user_pool_client", null)
 allowed_oauth_scopes = lookup(element(local.clients, count.index), "allowed_oauth_scopes", null)
@@ -14,7 +14,7 @@ resource "aws_cognito_user_pool_client" "client" {
 supported_identity_providers = lookup(element(local.clients, count.index), "supported_identity_providers", null)
 prevent_user_existence_errors = lookup(element(local.clients, count.index), "prevent_user_existence_errors", null)
 write_attributes = lookup(element(local.clients, count.index), "write_attributes", null)
-user_pool_id = aws_cognito_user_pool.pool.id
+user_pool_id = aws_cognito_user_pool.pool[0].id
 }
 locals {
diff --git a/domain.tf b/domain.tf
index a6a36eb..cd6bdac 100644
--- a/domain.tf
+++ b/domain.tf
@@ -1,6 +1,6 @@
 resource "aws_cognito_user_pool_domain" "domain" {
-count = var.domain == null || var.domain == "" ? 0 : 1
+count = ! var.enabled || var.domain == null || var.domain == "" ? 0 : 1
 domain = var.domain
 certificate_arn = var.domain_certificate_arn
-user_pool_id = aws_cognito_user_pool.pool.id
+user_pool_id = aws_cognito_user_pool.pool[0].id
 }
diff --git a/main.tf b/main.tf
index d9357ae..1e46008 100644
--- a/main.tf
+++ b/main.tf
@@ -1,4 +1,5 @@
 resource "aws_cognito_user_pool" "pool" {
+count = var.enabled ? 1 : 0
 alias_attributes = var.alias_attributes
 auto_verified_attributes = var.auto_verified_attributes
@@ -196,7 +197,6 @@ resource "aws_cognito_user_pool" "pool" {
 ignore_changes = [
 schema,
 ]
-prevent_destroy = true
 }
 }
diff --git a/outputs.tf b/outputs.tf
index 2ba5e92..2f5606d 100644
--- a/outputs.tf
+++ b/outputs.tf
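Review bot: The new count expression in domain.tf, `! var.enabled || var.domain == null || var.domain == "" ? 0 : 1`, reads as a double negative, and I believe `terraform fmt` would also drop the space after the unary operator. The equivalent positive form is easier to verify at a glance and matches the `var.enabled ? … : 0` shape used by the sibling resources: `count = var.enabled && var.domain != null && var.domain != "" ? 1 : 0`. Behaviour is unchanged by De Morgan.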
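Review bot: Dropping `prevent_destroy = true` from the lifecycle block in main.tf removes the only guard against deleting the user pool, and in the same commit the pool becomes `count = var.enabled ? 1 : 0` with `enabled` defaulting to `false` in variables.tf, so an existing deployment that upgrades without adding `enabled = true`, or that later flips it to `false`, now plans a clean destroy of the pool and every user account in it. Presumably the guard was removed because lifecycle arguments cannot reference variables and so cannot follow `enabled`, but that trade-off deserves to be explicit rather than silent. I would keep `prevent_destroy = true` and document that a pool must be removed from state (or the guard removed deliberately) before it can be disabled, or at minimum call out the destructive behaviour in the README where `enabled` is introduced. The resource and lifecycle blocks begin outside this hunk.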
@@ -1,26 +1,26 @@
 output "id" {
 description = "The id of the user pool"
-value = aws_cognito_user_pool.pool.id
+value = var.enabled ? aws_cognito_user_pool.pool[0].id : null
 }
 output "arn" {
 description = "The ARN of the user pool"
-value = aws_cognito_user_pool.pool.arn
+value = var.enabled ? aws_cognito_user_pool.pool[0].arn : null
 }
 output "endpoint" {
 description = "The endpoint name of the user pool. Example format: cognito-idp.REGION.amazonaws.com/xxxx_yyyyy"
-value = aws_cognito_user_pool.pool.endpoint
+value = var.enabled ? aws_cognito_user_pool.pool[0].endpoint : null
 }
 output "creation_date" {
 description = "The date the user pool was created"
-value = aws_cognito_user_pool.pool.creation_date
+value = var.enabled ? aws_cognito_user_pool.pool[0].creation_date : null
 }
 output "last_modified_date" {
 description = "The date the user pool was last modified"
-value = aws_cognito_user_pool.pool.last_modified_date
+value = var.enabled ? aws_cognito_user_pool.pool[0].last_modified_date : null
 }
 #
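Review bot: `var.enabled ? aws_cognito_user_pool.pool[0].id : null` (and the four outputs below it) indexes `[0]` into a list that is empty whenever `enabled` is false; whether the unselected branch of a conditional is still evaluated has varied across Terraform releases, so this can surface as an invalid-index error rather than `null`. The splat form already used by the domain outputs in this same file avoids both the index and the dependence on `var.enabled`: `value = join("", aws_cognito_user_pool.pool.*.id)`, yielding `""` rather than `null` when disabled. For the same reason the `var.enabled ?` wrapper added around the `join(...)` domain outputs in the next hunk is redundant, since `join` over an empty splat already returns `""`.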
@@ -28,22 +28,22 @@ output "last_modified_date" {
 #
 output "domain_aws_account_id" {
 description = "The AWS account ID for the user pool owner"
-value = join("", aws_cognito_user_pool_domain.domain.*.aws_account_id)
+value = var.enabled ? join("", aws_cognito_user_pool_domain.domain.*.aws_account_id) : null
 }
 output "domain_cloudfront_distribution_arn" {
 description = "The ARN of the CloudFront distribution"
-value = join("", aws_cognito_user_pool_domain.domain.*.cloudfront_distribution_arn)
+value = var.enabled ? join("", aws_cognito_user_pool_domain.domain.*.cloudfront_distribution_arn) : null
 }
 output "domain_s3_bucket" {
 description = "The S3 bucket where the static files for this domain are stored"
-value = join("", aws_cognito_user_pool_domain.domain.*.s3_bucket)
+value = var.enabled ? join("", aws_cognito_user_pool_domain.domain.*.s3_bucket) : null
 }
 output "domain_app_version" {
 description = "The app version"
-value = join("", aws_cognito_user_pool_domain.domain.*.version)
+value = var.enabled ? join("", aws_cognito_user_pool_domain.domain.*.version) : null
 }
 #
@@ -51,12 +51,12 @@ output "domain_app_version" {
 #
 output "client_ids" {
 description = "The ids of the user pool clients"
-value = aws_cognito_user_pool_client.client.*.id
+value = var.enabled ? aws_cognito_user_pool_client.client.*.id : null
 }
 output "client_secrets" {
 description = " The client secrets of the user pool clients"
-value = aws_cognito_user_pool_client.client.*.client_secret
+value = var.enabled ? aws_cognito_user_pool_client.client.*.client_secret : null
 }
 #
@@ -64,5 +64,5 @@ output "client_secrets" {
 #
 output "resource_servers_scope_identifiers" {
 description = " A list of all scopes configured in the format identifier/scope_name"
-value = aws_cognito_resource_server.resource.*.scope_identifiers
+value = var.enabled ? aws_cognito_resource_server.resource.*.scope_identifiers : null
 }
diff --git a/resource-server.tf b/resource-server.tf
index df4a7b0..487cff1 100644
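Review bot: The rewritten `client_secrets` output still carries no `sensitive = true`, so the client secrets are printed in clear text by every `terraform apply` and `terraform output` run and end up in whatever log captures that console output. Since its value line is being touched in this hunk anyway, add `sensitive = true` beside it; the secrets remain in state regardless, but they stop being echoed to the terminal and CI logs.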
--- a/resource-server.tf
+++ b/resource-server.tf
@@ -1,5 +1,5 @@
 resource "aws_cognito_resource_server" "resource" {
-count = length(local.resource_servers)
+count = var.enabled ? length(local.resource_servers) : 0
 name = lookup(element(local.resource_servers, count.index), "name")
 identifier = lookup(element(local.resource_servers, count.index), "identifier")
@@ -12,7 +12,7 @@ resource "aws_cognito_resource_server" "resource" {
 }
 }
-user_pool_id = aws_cognito_user_pool.pool.id
+user_pool_id = aws_cognito_user_pool.pool[0].id
 }
 locals {
diff --git a/user-group.tf b/user-group.tf
index 52b3cc6..c21cdf9 100644
--- a/user-group.tf
+++ b/user-group.tf
@@ -1,10 +1,10 @@
 resource "aws_cognito_user_group" "main" {
-count = length(local.groups)
+count = var.enabled ? length(local.groups) : 0
 name = lookup(element(local.groups, count.index), "name")
 description = lookup(element(local.groups, count.index), "description")
 precedence = lookup(element(local.groups, count.index), "precedence")
 role_arn = lookup(element(local.groups, count.index), "role_arn")
-user_pool_id = aws_cognito_user_pool.pool.id
+user_pool_id = aws_cognito_user_pool.pool[0].id
 }
 locals {
diff --git a/variables.tf b/variables.tf
index 41b983f..d41a90b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,6 +1,12 @@
 #
 # aws_cognito_user_pool
 #
+variable "enabled" {
+description = "Controls if Cognito User Pool should be created"
+type = bool
+default = false
+}
+
 variable "user_pool_name" {
 description = "The name of the user pool"
 type = string
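Review bot: `default = false` makes the new `enabled` variable opt-in, so every existing caller of this module that does not add `enabled = true` when upgrading gets `count = 0` on the pool and plans its destruction, and the `prevent_destroy` guard that would have blocked that is removed in main.tf in this same commit. A feature flag added to a published module should default to the previous behaviour: `default = true`, with the README table row updated to match. The description also undersells its scope, since the flag gates the clients, domain, resource servers and user groups as well; something like `description = "Whether to create the user pool and all associated resources (clients, domain, resource servers, user groups)"` would be accurate.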