refactor(cognito): switch user groups from count to for_each

[catrielg]

Switch Cognito User Groups from count to for_each

Changes

• Replaces count-based iteration with for_each in Cognito user group resources
• Uses group name as the resource identifier instead of list index
• Maintains existing lookup functionality for optional attributes

Motivation

The previous implementation used count with a list of groups, which made the resources sensitive to list order changes. Any reordering of the groups would cause Terraform to destroy and recreate the groups, even when only the order changed. By switching to for_each with the group name as the key, we ensure stable resource identifiers that are independent of list order.

⚠️ Breaking Change

This change modifies how Terraform identifies user groups, which will trigger recreation of existing groups. This requires careful handling during deployment.

Migration Steps

1. Before applying:
   • Export existing user group memberships to a backup location
   • You can use AWS CLI or SDK:

     aws cognito-idp list-users-in-group --user-pool-id <pool_id> --group-name <group_name>

2. Apply the changes
3. After applying:
   • Restore user group memberships from backup
   • You can use AWS CLI or SDK:

     aws cognito-idp admin-add-user-to-group --user-pool-id <pool_id> --group-name <group_name> --username <username>

[lgallard]

@catrielg thanks for the PR. I like the refactoring. My only concern is the breaking code part and wonder if we can use terraform move to have a flawless transition.