我正在使用terraform创建Cognito用户池、用户池客户端和域。如果对cognito用户池(例如属性)进行了更新,则terraform需要销毁并重新创建这三个资源,但是在销毁aws_cognito_user_pool_domain:
InvalidParameter:发现1个验证错误时,terraform apply失败并出现错误。-最小字段大小为1,DeleteUserPoolDomainInput.UserPoolId.
Terraform版本:0.11.11
aws提供商版本:1.52.0
我尝试手动删除域并运行terraform plan/apply,但失败了,返回"InvalidParameterException:不存在这样的域或用户池">
resource "aws_cognito_user_pool" "admin_cognito_pool" {
name = "dev-admin-pool"
alias_attributes = ["email"]
auto_verified_attributes = ["email"]
admin_create_user_config = {
allow_admin_create_user_only = true
}
}
resource "aws_cognito_user_pool_client" "admin_cognito_pool_client" {
name = "dev-admin-pool-client"
user_pool_id = "${aws_cognito_user_pool.admin_cognito_pool.id}"
generate_secret = false
...
}
resource "aws_cognito_user_pool_domain" "admin_cognito_domain" {
domain = "demo-dev"
user_pool_id = "${aws_cognito_user_pool.admin_cognito_pool.id}"
}
以上代码将成功创建用户池、用户池客户端、用户池域。
接下来,在上面的代码中修改aws_cognito_user_pool并运行terraform plan/apply
resource "aws_cognito_user_pool" "admin_cognito_pool" {
name = "dev-admin-pool"
alias_attributes = ["email"]
auto_verified_attributes = ["email"]
admin_create_user_config = {
allow_admin_create_user_only = true
}
schema = [
{
attribute_data_type = "String",
name = "family_name",
required = true,
mutable = true,
string_attribute_constraints {
min_length = 6
max_length = 32
}
},
]
}
地形图:
-/+ module.aws-383.aws_cognito_user_pool.admin_cognito_pool (new resource required)
id: "ap-southeast-2_CFPLxLl5A" => <computed> (forces new resource)
admin_create_user_config.#: "1" => "1"
admin_create_user_config.0.allow_admin_create_user_only: "true" => "true"
admin_create_user_config.0.unused_account_validity_days: "7" => "7"
alias_attributes.#: "" => "1" (forces new resource)
alias_attributes.881205744: "" => "email" (forces new resource)
arn: "arn:aws:cognito-idp:ap-southeast-2:xxxxxxxx:userpool/ap-southeast-2_CFPLxLl5A" => <computed>
auto_verified_attributes.#: "1" => "1"
auto_verified_attributes.881205744: "email" => "email"
creation_date: "2018-12-19T04:49:06Z" => <computed>
email_verification_message: "" => <computed>
email_verification_subject: "" => <computed>
endpoint: "cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_CFPLxLl5A" => <computed>
lambda_config.#: "0" => <computed>
last_modified_date: "2018-12-19T04:49:06Z" => <computed>
mfa_configuration: "OFF" => "OFF"
name: "dev-admin-pool" => "dev-admin-pool"
password_policy.#: "1" => <computed>
schema.#: "0" => "1" (forces new resource)
schema.893014206.attribute_data_type: "" => "String" (forces new resource)
schema.893014206.developer_only_attribute: "" => ""
schema.893014206.mutable: "" => "true" (forces new resource)
schema.893014206.name: "" => "family_name" (forces new resource)
schema.893014206.number_attribute_constraints.#: "" => "0"
schema.893014206.required: "" => "true" (forces new resource)
schema.893014206.string_attribute_constraints.#: "" => "0"
verification_message_template.#: "1" => <computed>
-/+ module.aws-383.aws_cognito_user_pool_client.admin_cognito_pool_client (new resource required)
id: "2tsed339bl6ds4437n1h0hasr4" => <computed> (forces new resource)
allowed_oauth_flows.#: "2" => "2"
allowed_oauth_flows.2645166319: "code" => "code"
allowed_oauth_flows.3465961881: "implicit" => "implicit"
allowed_oauth_flows_user_pool_client: "true" => "true"
allowed_oauth_scopes.#: "2" => "2"
allowed_oauth_scopes.2517049750: "openid" => "openid"
allowed_oauth_scopes.881205744: "email" => "email"
callback_urls.#: "1" => "1"
callback_urls.0: "https://qnq2ds22xg.execute-api.ap-southeast-2.amazonaws.com/staging/admin-portal/redirectUrl/" => "https://qnq2ds22xg.execute-api.ap-southeast-2.amazonaws.com/staging/admin-portal/redirectUrl/"
client_secret: "" => <computed>
explicit_auth_flows.#: "2" => "2"
explicit_auth_flows.1860959087: "USER_PASSWORD_AUTH" => "USER_PASSWORD_AUTH"
explicit_auth_flows.245201344: "ADMIN_NO_SRP_AUTH" => "ADMIN_NO_SRP_AUTH"
generate_secret: "false" => "false"
name: "dev-admin-pool-client" => "dev-admin-pool-client"
refresh_token_validity: "30" => "30"
supported_identity_providers.#: "1" => "1"
supported_identity_providers.0: "COGNITO" => "COGNITO"
user_pool_id: "ap-southeast-2_CFPLxLl5A" => "${aws_cognito_user_pool.admin_cognito_pool.id}" (forces new resource)
-/+ module.aws-383.aws_cognito_user_pool_domain.admin_cognito_domain (new resource required)
id: "demo-dev" => <computed> (forces new resource)
aws_account_id: "" => <computed>
cloudfront_distribution_arn: "" => <computed>
domain: "demo-dev" => "demo-dev"
s3_bucket: "" => <computed>
user_pool_id: "" => "${aws_cognito_user_pool.admin_cognito_pool.id}" (forces new resource)
version: "" => <computed>
地形应用的精确误差-
[...]
module.aws-383.aws_cognito_user_pool_client.admin_cognito_pool_client: Destroying... (ID: 2tsed339bl6ds4437n1h0hasr4)
module.aws-383.aws_cognito_user_pool_domain.admin_cognito_domain: Destroying... (ID: demo-dev)
module.aws-383.aws_cognito_user_pool_client.admin_cognito_pool_client: Destruction complete after 0s
Error: Error applying plan:
1 error(s) occurred:
* module.aws-383.aws_cognito_user_pool_domain.admin_cognito_domain (destroy): 1 error(s) occurred:
* aws_cognito_user_pool_domain.admin_cognito_domain: InvalidParameter: 1 validation error(s) found.
- minimum field size of 1, DeleteUserPoolDomainInput.UserPoolId.
Terraform应该能够破坏cognito用户池域,这将允许重新创建资源。
目前地形中有一个错误阻止了这一点:https://github.com/terraform-providers/terraform-provider-aws/issues/5313
解决方案是手动删除它(aws-cli或console),然后使用state命令手动将其从地形状态中删除。
显然,我必须通过aws-cli管理删除terraform之外的用户池域,并更新terraform模板来创建用户池域。
首先使用以下命令行查找导致此问题的资源/模块的tfstate ID:
terraform state list
然后使用下一个命令行从tfstate正确销毁它:
terraform state rm '{the_id_from_tf_state_list}'
如果你有一个锁定的tfstate使用:
terraform force-unlock LOCK_ID