Skip to content

Commit

Permalink
for cognito user pools type, set authcred via PatchOperation
Browse files Browse the repository at this point in the history
  • Loading branch information
anGie44 committed Dec 6, 2020
1 parent 7cbb1e8 commit e6d74f2
Show file tree
Hide file tree
Showing 2 changed files with 101 additions and 1 deletion.
29 changes: 28 additions & 1 deletion aws/resource_aws_api_gateway_authorizer.go
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,7 @@ func resourceAwsApiGatewayAuthorizer() *schema.Resource {

func resourceAwsApiGatewayAuthorizerCreate(d *schema.ResourceData, meta interface{}) error {
conn := meta.(*AWSClient).apigatewayconn
var postCreateOps []*apigateway.PatchOperation

input := apigateway.CreateAuthorizerInput{
IdentitySource: aws.String(d.Get("identity_source").(string)),
Expand All @@ -109,7 +110,19 @@ func resourceAwsApiGatewayAuthorizerCreate(d *schema.ResourceData, meta interfac
input.AuthorizerUri = aws.String(v.(string))
}
if v, ok := d.GetOk("authorizer_credentials"); ok {
input.AuthorizerCredentials = aws.String(v.(string))
// While the CreateAuthorizer method allows one to pass AuthorizerCredentials
// regardless of authorizer Type, the API ignores this setting if the authorizer
// is of Type "COGNITO_USER_POOLS"; thus, a PatchOperation is used as an alternative.
// Reference: https://github.com/hashicorp/terraform-provider-aws/issues/16613
if aws.StringValue(input.Type) != apigateway.AuthorizerTypeCognitoUserPools {
input.AuthorizerCredentials = aws.String(v.(string))
} else {
postCreateOps = append(postCreateOps, &apigateway.PatchOperation{
Op: aws.String(apigateway.OpReplace),
Path: aws.String("/authorizerCredentials"),
Value: aws.String(v.(string)),
})
}
}

if v, ok := d.GetOk("identity_validation_expression"); ok {
Expand All @@ -127,6 +140,20 @@ func resourceAwsApiGatewayAuthorizerCreate(d *schema.ResourceData, meta interfac

d.SetId(aws.StringValue(out.Id))

if postCreateOps != nil {
input := apigateway.UpdateAuthorizerInput{
AuthorizerId: aws.String(d.Id()),
PatchOperations: postCreateOps,
RestApiId: input.RestApiId,
}

log.Printf("[INFO] Applying update operations to API Gateway Authorizer: %s", d.Id())
_, err := conn.UpdateAuthorizer(&input)
if err != nil {
return fmt.Errorf("applying update operations to API Gateway Authorizer (%s) failed: %w", d.Id(), err)
}
}

return resourceAwsApiGatewayAuthorizerRead(d, meta)
}

Expand Down
73 changes: 73 additions & 0 deletions aws/resource_aws_api_gateway_authorizer_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,36 @@ func TestAccAWSAPIGatewayAuthorizer_cognito(t *testing.T) {
})
}

// Reference: https://github.com/hashicorp/terraform-provider-aws/issues/16613
func TestAccAWSAPIGatewayAuthorizer_cognito_authorizerCredentials(t *testing.T) {
rName := acctest.RandomWithPrefix("tf-acc-test")
resourceName := "aws_api_gateway_authorizer.test"
iamRoleResourceName := "aws_iam_role.lambda"

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t); testAccAPIGatewayTypeEDGEPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAWSAPIGatewayAuthorizerDestroy,
Steps: []resource.TestStep{
{
Config: testAccAWSAPIGatewayAuthorizerConfig_cognitoAuthorizerCredentials(rName),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttrPair(resourceName, "authorizer_credentials", iamRoleResourceName, "arn"),
resource.TestCheckResourceAttr(resourceName, "name", rName),
resource.TestCheckResourceAttr(resourceName, "type", "COGNITO_USER_POOLS"),
resource.TestCheckResourceAttr(resourceName, "provider_arns.#", "2"),
),
},
{
ResourceName: resourceName,
ImportState: true,
ImportStateIdFunc: testAccAWSAPIGatewayAuthorizerImportStateIdFunc(resourceName),
ImportStateVerify: true,
},
},
})
}

func TestAccAWSAPIGatewayAuthorizer_switchAuthType(t *testing.T) {
rName := acctest.RandomWithPrefix("tf-acc-test")
resourceName := "aws_api_gateway_authorizer.test"
Expand Down Expand Up @@ -489,6 +519,49 @@ resource "aws_api_gateway_authorizer" "test" {
`, rName)
}

func testAccAWSAPIGatewayAuthorizerConfig_cognitoAuthorizerCredentials(rName string) string {
return fmt.Sprintf(`
data "aws_partition" "current" {}
resource "aws_iam_role" "lambda" {
name = "%[1]s-lambda"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.${data.aws_partition.current.dns_suffix}"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_api_gateway_rest_api" "test" {
name = %[1]q
}
resource "aws_cognito_user_pool" "test" {
count = 2
name = "%[1]s-${count.index}"
}
resource "aws_api_gateway_authorizer" "test" {
authorizer_credentials = aws_iam_role.lambda.arn
name = %[1]q
type = "COGNITO_USER_POOLS"
rest_api_id = aws_api_gateway_rest_api.test.id
provider_arns = aws_cognito_user_pool.test[*].arn
}
`, rName)
}

func testAccAWSAPIGatewayAuthorizerConfig_authTypeValidationDefaultToken(rName string) string {
return testAccAWSAPIGatewayAuthorizerConfigBase(rName) + fmt.Sprintf(`
resource "aws_api_gateway_authorizer" "test" {
Expand Down

0 comments on commit e6d74f2

Please sign in to comment.