Create cognito sync trigger to lambda function using Terraform


We have identity pools which have event triggers configured to trigger a Lambda function upon a sync event from mobile users. Now that we are planning on re-creating the infrastructure using Terraform so we can automate things, we are facing difficulties in setting up the Cognito Sync trigger.

We have attempted to use aws_lambda_permission with source_arn pointing to the identity pool, but the trigger that is created shows that part of the configuration is missing (seen in the web console). We are not able to identify, from the documentation for the aws_cognito_identity_pool resource, the Terraform configuration which can configure the event for the identity pool. We are aware that AWS recommends AppSync in place of Cognito Sync, but this was developed long ago and we are not planning to migrate any time soon.



BEST ANSWER

That functionality requires a call to the SetCognitoEvents method on the CognitoSync client. Searching through the AWS Terraform Provider source code, I can't find that anywhere. I also don't see anything in the AWS Terraform Provider documentation that would indicate you can configure this feature from Terraform.

I have to conclude that at this time you cannot configure this feature using Terraform, and since it is a deprecated feature I doubt Terraform will ever add support for it.

Your best bet may be to use a null provider to call the AWS CLI command aws cognito-sync set-cognito-events.
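The workaround the answer suggests (and the service-principal permission the second answer shows), written out as an added example; this is not code from the original answers. It assumes the configuration already declares aws_cognito_identity_pool.main and aws_lambda_function.sync_trigger, and that the credentials Terraform runs under are allowed to call cognito-sync:SetCognitoEvents, which is a separate IAM permission from what the provider itself needs.

```hcl
# Added example: no Terraform resource exposes the CognitoSync SetCognitoEvents
# API, so the SyncTrigger event is registered through the AWS CLI from a
# null_resource. Resource names (main, sync_trigger) are assumptions.

terraform {
  required_providers {
    aws  = { source = "hashicorp/aws" }
    null = { source = "hashicorp/null" }
  }
}

# Region of the provider, so the CLI call targets the same region as the pool.
data "aws_region" "current" {}

# Cognito Sync invokes the function as the cognito-sync.amazonaws.com service
# principal. Scope the permission with source_arn so that only this identity
# pool (not any pool in any account) can invoke the function.
resource "aws_lambda_permission" "cognito_sync" {
  statement_id  = "AllowExecutionFromCognitoSync"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.sync_trigger.function_name
  principal     = "cognito-sync.amazonaws.com"
  source_arn    = aws_cognito_identity_pool.main.arn
}

# Registers the SyncTrigger event. "triggers" forces the provisioner to run
# again whenever the pool id or the function ARN changes; Terraform never reads
# the setting back, so drift introduced in the console is not detected, and
# destroying this resource does not remove the event from the pool.
resource "null_resource" "cognito_sync_trigger" {
  triggers = {
    identity_pool_id = aws_cognito_identity_pool.main.id
    function_arn     = aws_lambda_function.sync_trigger.arn
  }

  provisioner "local-exec" {
    command = <<-EOT
      aws cognito-sync set-cognito-events \
        --region ${data.aws_region.current.name} \
        --identity-pool-id ${aws_cognito_identity_pool.main.id} \
        --events SyncTrigger=${aws_lambda_function.sync_trigger.arn}
    EOT
  }

  # The permission must exist before the event is registered, otherwise the
  # first sync events are delivered to a function Cognito Sync cannot invoke.
  depends_on = [aws_lambda_permission.cognito_sync]
}
```

After apply, confirm the registration with `aws cognito-sync get-cognito-events --identity-pool-id <pool id>`, which should list SyncTrigger mapped to the function ARN; because the null_resource only records what it last ran, this check is the only way to catch a trigger that was later changed or removed outside Terraform.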

ANSWER

You can use aws_lambda_event_source_mapping to achieve this:

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping

# Event source mapping from the identity pool to the function, as posted.
resource "aws_lambda_event_source_mapping" "example" {
  event_source_arn = aws_cognito_identity_pool.main.arn
  function_name    = aws_lambda_function.main.arn
}

# Resource-based policy on the function allowing the Cognito Sync service
# principal to invoke it, limited to this identity pool via source_arn.
resource "aws_lambda_permission" "example" {
  statement_id  = "AllowExecutionFromCognitoSync"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.main.function_name
  principal     = "cognito-sync.amazonaws.com"
  source_arn    = aws_cognito_identity_pool.main.arn
}

TLDR:

Looking at how we can handle this, we just need to add a trigger to the Lambda configuration:

[screenshot: Adding Cognito Sync Trigger to Lambda]

As the API Gateway trigger is added in the same way, we should do it the same way with Terraform:

[screenshot: API Gateway Lambda Trigger]

https://aws.amazon.com/blogs/mobile/introducing-amazon-cognito-events-sync-triggers/

I hope this will help you ;)