From 6d5363f5f79e62e3d8263c8a51e562fcb02d1d60 Mon Sep 17 00:00:00 2001
From: Alexander Amiri
Date: Tue, 10 Mar 2026 02:41:44 +0100
Subject: [PATCH] =?UTF-8?q?Remove=20Cognito=20groups=20from=20Terraform=20?= =?UTF-8?q?=E2=80=94=20managed=20by=20provisioner?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Groups are created dynamically by the team provisioner from groups.yaml and team YAMLs. Hardcoding them in Terraform conflicts with the provisioner and can't handle team groups that are created on the fly. Note: existing groups in state need terraform state rm before apply.
---
 terraform/platform/identity/main.tf | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/terraform/platform/identity/main.tf b/terraform/platform/identity/main.tf
index 85c709f..9f27620 100644
--- a/terraform/platform/identity/main.tf
+++ b/terraform/platform/identity/main.tf
@@ -83,14 +83,13 @@ resource "aws_cognito_user_pool_domain" "internal" {
 user_pool_id = aws_cognito_user_pool.internal.id
 }
-# Groups mirroring Google Workspace (managed by group provisioner from groups.yaml)
-# These are the base groups — the provisioner creates additional ones as needed.
-resource "aws_cognito_user_group" "internal_groups" {
- for_each = toset(["helter", "styret", "drift", "pkom", "developers"])
+# Cognito groups are managed by the team provisioner (from groups.yaml and
+# team YAMLs), not by Terraform. The provisioner creates them dynamically.
- name = each.key
- user_pool_id = aws_cognito_user_pool.internal.id
- description = "${each.key} group (synced from Google Workspace)"
+# Remove old Terraform-managed groups from state without deleting from Cognito.
+removed {
+ from = aws_cognito_user_group.internal_groups
+ lifecycle { destroy = false }
 }
 ################################################################################
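Review bot: The `removed` block added in this hunk already forgets `aws_cognito_user_group.internal_groups` from state on the next apply, so the commit message's instruction to run `terraform state rm` before apply is redundant and contradicts it — whoever applies this gets two conflicting procedures, and running `state rm` first leaves nothing for the `removed` block to act on. The block is also one-shot: after the apply that forgets the groups it does nothing except reject any future resource at that address, so the comment should say when to drop it, e.g. `# One-shot: delete this block after the apply that forgets the groups.`. `removed` blocks require Terraform 1.7 or newer; no `required_version` is visible in this hunk, so confirm the module pins a compatible version, otherwise the apply fails to parse. Keep `lifecycle { destroy = false }` as written — without it the apply would delete the five groups and every user's membership in them, silently removing whatever authorization those groups back.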