[New]: Resource for GetOpenIdTokenForDeveloperIdentity

[tze-dev]

Description

Request for a new resource for managing Cognito developer ID - https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdTokenForDeveloperIdentity.html

The API GetOpenIdTokenForDeveloperIdentity not only provides the ability to obtain an OpenID token, it also creates a 'developer identity' in a Cognito Pool.
This is useful for OIDC workflows, where third party system needs to match/filter JWT claims from Cognito - where the subject of the JWT claims is based on the Developer ID.

If GetOpenIdTokenForDeveloperIdentity is implemented as a Terraform Resource, it would make it much simpler to manage the workload identify federation workflows in general.

Requested Resource(s) and/or Data Source(s)

• aws_cognito_openid_developer_identity

Potential Terraform Configuration

resource "aws_cognito_identity_pool" "this" {
  identity_pool_name               = "my-identity-pool"
  allow_unauthenticated_identities = false
  allow_classic_flow               = false
  developer_provider_name          = "my-dev-provider-name"
}

resource "aws_cognito_openid_developer_identity" "this" {
  identity_pool_id = aws_cognito_identity_pool.this.id
  logins = {
     developer_provider_name = aws_cognito_identity_pool.this.developer_provider_name
     developer_user_identifier = "dev-user-01" # Some user defined identifier
  }
  token_duration = 3600 # in seconds
}

# This will output the OpenID developer identity
# - This ID is the 'subject' of the JWT token claim.
#   With this string, we can configure the destination system to trust
#   a JWT claim through matching the 'subject'
output "identity_id" {
  value = aws_cognito_openid_developer_identity.this.identity_id
}

output "openid_token" { # this will output the JWT claim token
  value = aws_cognito_openid_developer_identity.this.token
}

References

https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdTokenForDeveloperIdentity.html

Would you like to implement a fix?

None

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[AdamTylerLynch]

Can you provide an overarching example of the Workflows you would like to support? I'd love to understand the peices involved here.

The Token has a limited lifetime (as specified by the duration). Tokens are ephemeral by design, and there is no way to update/delete them, so adding this to a resource would cause the resource to be recreated on every terraform refresh. The Cognito team has a request per second rate limit of 50 for this action, and you could potentially get throttled on refresh.

But let's say a refresh was desirable, every resource that leverages this Token would need to be recreated as the token changes, potentially causing an availability issue on resource recreation.

[tze-dev]

Hi @AdamTylerLynch, the main objective is to be able to use Terraform to create the OpenID Developer Identity in Cognito pool. Token generation/output is optional.

The ability to generate the token is not that important (though it can be useful). Once a Developer Identity is created, the abilty to generate a token can be done outside of Terraform as part of some workflow.

However, having the ability to output token can be useful - i.e., If within the same Terraform workspace, another resource was to be created using the token in the same workflow as the auth input. This is generally not a good idea, but in some corner cases it's convenient. Granted, that the token would need to be ignore by TF lifecycle state management.

[github-actions]

Warning

This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

[clementdenis]

The new ephemeral resource does not cover the use case to create a developer identity for OIDC federation workflows.

We actually need a regular resource that would have a single IdentityId attribute (we don't care about the token in that case).

[github-actions]

This functionality has been released in v5.83.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[clementdenis]

I created a follow-up issue: #40866

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.