Terraform在每次应用时都会重新创建Cognito用户池。

4
使用Terraform创建aws_cognito_user_pool,并在“schema”中使用任何内容将导致每次运行Terraform时重新创建用户池。我们希望使用自定义属性,因此需要在模式中设置选项。
根据文档,“当定义字符串或数字的属性数据类型时,相应的属性约束配置块(例如string_attribute_constraints或number_attribute_contraints)是必需的,以防止Terraform资源的重新创建。对于标准(例如名称、电子邮件)和自定义模式属性都是如此。”
如果我理解正确,我需要在模式中列出所有标准属性,这样我才能添加string_attribute_contraints。
  resource "aws_cognito_user_pool" "pool" {
  count = "${var.user_pool_count}"
  name  = "${lookup(var.user_pool[count.index], "name")}"

  username_attributes      = ["email"]
  auto_verified_attributes = ["email"]

  schema = [
    {
      name                = "address"
      attribute_data_type = "String"

      string_attribute_constraints = {
        min_length = 1
      }
    },
    {
      name                = "birthdate"
      attribute_data_type = "String"

      string_attribute_constraints = {
        min_length = 1
      }
    },
    {
      name                = "email"
      attribute_data_type = "String"

      string_attribute_constraints = {
        min_length = 1
      }
    },
    {
      name                = "family_name"
      attribute_data_type = "String"

      string_attribute_constraints = {
        min_length = 1
      }
    },
    {
      name                = "gender"
      attribute_data_type = "String"

      string_attribute_constraints = {
        min_length = 1
      }
    },
    {
      name                = "given_name"
      attribute_data_type = "String"

      string_attribute_constraints = {
        min_length = 1
      }
    },
    {
      name                = "locale"
      attribute_data_type = "String"

      string_attribute_constraints = {
        min_length = 1
      }
    },
    {
      name                = "middle_name"
      attribute_data_type = "String"

      string_attribute_constraints = {
        min_length = 1
      }
    },
    {
      name                = "name"
      attribute_data_type = "String"

      string_attribute_constraints = {
        min_length = 1
      }
    },
    {
      name                = "nickname"
      attribute_data_type = "String"

      string_attribute_constraints = {
        min_length = 1
      }
    },
    {
      name                = "phone_number"
      attribute_data_type = "String"

      string_attribute_constraints = {
        min_length = 1
      }
    },
    {
      name                = "picture"
      attribute_data_type = "String"

      string_attribute_constraints = {
        min_length = 1
      }
    },
    {
      name                = "preferred_username"
      attribute_data_type = "String"

      string_attribute_constraints = {
        min_length = 1
      }
    },
    {
      name                = "profile"
      attribute_data_type = "String"

      string_attribute_constraints = {
        min_length = 1
      }
    },
    {
      name                = "zoneinfo"
      attribute_data_type = "String"

      string_attribute_constraints = {
        min_length = 1
      }
    },
    {
      name                = "updated_at"
      attribute_data_type = "Number"

      number_attribute_constraints = {
        min_value = 1
      }
    },
    {
      name                = "website"
      attribute_data_type = "String"

      string_attribute_constraints = {
        min_length = 1
      }
    },
  ]
}

With the above example, even though I have not added any custom attributes yet, it recreates the user pool on every run.

EDIT - Added gist link to Terraform plan as it would put me over the Stackoverflow character limit.
https://gist.github.com/mehstg/6bf22a35254a168c14b98af57f86ed85

1
你能分享计划输出,以显示需要重新创建吗? - ydaetskcoR
当然,由于字符限制,我已将其添加为gist - https://gist.github.com/mehstg/6bf22a35254a168c14b98af57f86ed85 - mehstg
1
看起来这些属性缺少一堆约束条件(例如 max_length),而您已经在实际模式上设置了这些约束条件,因此Terraform正在检测漂移并强制更新。由于AWS中的模式是不可变的,因此Terraform知道它需要销毁和重新创建。添加缺失的约束条件应该可以解决这个问题。 - ydaetskcoR
1个回答

9

计划输出结果显示,大部分模式属性缺少在池中设置的max_length约束:

      schema.1286155211.attribute_data_type:                       "" => "String" (forces new resource)
      schema.1286155211.developer_only_attribute:                  "" => ""
      schema.1286155211.mutable:                                   "" => ""
      schema.1286155211.name:                                      "" => "locale" (forces new resource)
      schema.1286155211.number_attribute_constraints.#:            "" => "0"
      schema.1286155211.required:                                  "" => ""
      schema.1286155211.string_attribute_constraints.#:            "" => "1" (forces new resource)
      schema.1286155211.string_attribute_constraints.0.max_length: "" => ""
      schema.1286155211.string_attribute_constraints.0.min_length: "" => "1" (forces new resource)
...
      schema.3812649078.developer_only_attribute:                  "false" => "false"
      schema.3812649078.mutable:                                   "false" => "false"
      schema.3812649078.name:                                      "locale" => "" (forces new resource)
      schema.3812649078.number_attribute_constraints.#:            "0" => "0"
      schema.3812649078.required:                                  "false" => "false"
      schema.3812649078.string_attribute_constraints.#:            "1" => "0" (forces new resource)
      schema.3812649078.string_attribute_constraints.0.max_length: "2048" => "" (forces new resource)
      schema.3812649078.string_attribute_constraints.0.min_length: "1" => "" (forces new resource)

Terraform检测到了这种变化,并尝试将您的用户池更改以与配置相匹配。不幸的是,用户池模式属性是不可变的,因此Terraform被迫销毁整个用户池并创建一个新的。

添加缺失的约束应该可以解决此问题。

resource "aws_cognito_user_pool" "pool" {
  count = var.user_pool_count
  name  = var.user_pool[count.index]["name"]

  username_attributes      = ["email"]
  auto_verified_attributes = ["email"]

  schema = [
    # ...
    {
      name                = "locale"
      attribute_data_type = "String"

      string_attribute_constraints = {
        min_length = 1
        max_length = 1
      }
    },
    # ...
  ]
}

网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接