Set cognito identity pool providers role resolution via Terraform

Question

im trying to deploy cognito for opensearch via terraform. I have a manually built cognito working and ow trying to port it to terraform.

does anyone know how to set the below part?:

• Choose role from token
• role resolution 'DENY'

Terraform for the identity pool:

resource "aws_cognito_identity_pool" "cognito-identity-pool" {
  identity_pool_name               = "opensearch-${var.domain_name}-identity-pool"
  allow_unauthenticated_identities = false

  cognito_identity_providers {
    client_id               = aws_cognito_user_pool_client.cognito-user-pool-client.id
    provider_name           = aws_cognito_user_pool.cognito-user-pool.endpoint
  }
}

ive tried adding server_side_token_check = false but no joy..

Answer 1

You need to use a different resource, namely aws_cognito_identity_pool_roles_attachment [1]. In order to achieve the same thing you see in the AWS console, you need to add the following block:

resource "aws_cognito_identity_pool_roles_attachment" "name" {
  identity_pool_id = aws_cognito_identity_pool.cognito-identity-pool.id
  roles = {
    "authenticated" = <your-role-arn>
  }
  role_mapping {
    ambiguous_role_resolution = "Deny"
    type                      = "Token"
    identity_provider         = "${aws_cognito_user_pool.cognito-user-pool.endpoint}:${aws_cognito_user_pool_client.cognito-user-pool-client.id}"
  }
}

Note that the roles block is required and the key can be authenticated or unathenticated. Additionally, you will probably have to figure out what kind of permissions the role will need and create it. The example in the documentation can be used as a blueprint. There are also other settings like mapping_rule block which might be of use to you, but since the details are lacking I omitted it from the answer.

---

[1] https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_identity_pool_roles_attachment