From e6d74f22df4f54de5f90867d0131068b77bb2644 Mon Sep 17 00:00:00 2001 From: Angie Pinilla Date: Sun, 6 Dec 2020 09:46:05 -0500 Subject: [PATCH] for cognito user pools type, set authcred via PatchOperation --- aws/resource_aws_api_gateway_authorizer.go | 29 +++++++- ...esource_aws_api_gateway_authorizer_test.go | 73 +++++++++++++++++++ 2 files changed, 101 insertions(+), 1 deletion(-) diff --git a/aws/resource_aws_api_gateway_authorizer.go b/aws/resource_aws_api_gateway_authorizer.go index aef14d5540c..c48f7d8d36e 100644 --- a/aws/resource_aws_api_gateway_authorizer.go +++ b/aws/resource_aws_api_gateway_authorizer.go @@ -93,6 +93,7 @@ func resourceAwsApiGatewayAuthorizer() *schema.Resource { func resourceAwsApiGatewayAuthorizerCreate(d *schema.ResourceData, meta interface{}) error { conn := meta.(*AWSClient).apigatewayconn + var postCreateOps []*apigateway.PatchOperation input := apigateway.CreateAuthorizerInput{ IdentitySource: aws.String(d.Get("identity_source").(string)), @@ -109,7 +110,19 @@ func resourceAwsApiGatewayAuthorizerCreate(d *schema.ResourceData, meta interfac input.AuthorizerUri = aws.String(v.(string)) } if v, ok := d.GetOk("authorizer_credentials"); ok { - input.AuthorizerCredentials = aws.String(v.(string)) + // While the CreateAuthorizer method allows one to pass AuthorizerCredentials + // regardless of authorizer Type, the API ignores this setting if the authorizer + // is of Type "COGNITO_USER_POOLS"; thus, a PatchOperation is used as an alternative. + // Reference: https://github.com/hashicorp/terraform-provider-aws/issues/16613 + if aws.StringValue(input.Type) != apigateway.AuthorizerTypeCognitoUserPools { + input.AuthorizerCredentials = aws.String(v.(string)) + } else { + postCreateOps = append(postCreateOps, &apigateway.PatchOperation{ + Op: aws.String(apigateway.OpReplace), + Path: aws.String("/authorizerCredentials"), + Value: aws.String(v.(string)), + }) + } } if v, ok := d.GetOk("identity_validation_expression"); ok { @@ -127,6 +140,20 @@ func resourceAwsApiGatewayAuthorizerCreate(d *schema.ResourceData, meta interfac d.SetId(aws.StringValue(out.Id)) + if postCreateOps != nil { + input := apigateway.UpdateAuthorizerInput{ + AuthorizerId: aws.String(d.Id()), + PatchOperations: postCreateOps, + RestApiId: input.RestApiId, + } + + log.Printf("[INFO] Applying update operations to API Gateway Authorizer: %s", d.Id()) + _, err := conn.UpdateAuthorizer(&input) + if err != nil { + return fmt.Errorf("applying update operations to API Gateway Authorizer (%s) failed: %w", d.Id(), err) + } + } + return resourceAwsApiGatewayAuthorizerRead(d, meta) } diff --git a/aws/resource_aws_api_gateway_authorizer_test.go b/aws/resource_aws_api_gateway_authorizer_test.go index b05bf2c5477..aaf8293087f 100644 --- a/aws/resource_aws_api_gateway_authorizer_test.go +++ b/aws/resource_aws_api_gateway_authorizer_test.go @@ -97,6 +97,36 @@ func TestAccAWSAPIGatewayAuthorizer_cognito(t *testing.T) { }) } +// Reference: https://github.com/hashicorp/terraform-provider-aws/issues/16613 +func TestAccAWSAPIGatewayAuthorizer_cognito_authorizerCredentials(t *testing.T) { + rName := acctest.RandomWithPrefix("tf-acc-test") + resourceName := "aws_api_gateway_authorizer.test" + iamRoleResourceName := "aws_iam_role.lambda" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t); testAccAPIGatewayTypeEDGEPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSAPIGatewayAuthorizerDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSAPIGatewayAuthorizerConfig_cognitoAuthorizerCredentials(rName), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttrPair(resourceName, "authorizer_credentials", iamRoleResourceName, "arn"), + resource.TestCheckResourceAttr(resourceName, "name", rName), + resource.TestCheckResourceAttr(resourceName, "type", "COGNITO_USER_POOLS"), + resource.TestCheckResourceAttr(resourceName, "provider_arns.#", "2"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateIdFunc: testAccAWSAPIGatewayAuthorizerImportStateIdFunc(resourceName), + ImportStateVerify: true, + }, + }, + }) +} + func TestAccAWSAPIGatewayAuthorizer_switchAuthType(t *testing.T) { rName := acctest.RandomWithPrefix("tf-acc-test") resourceName := "aws_api_gateway_authorizer.test" @@ -489,6 +519,49 @@ resource "aws_api_gateway_authorizer" "test" { `, rName) } +func testAccAWSAPIGatewayAuthorizerConfig_cognitoAuthorizerCredentials(rName string) string { + return fmt.Sprintf(` +data "aws_partition" "current" {} + +resource "aws_iam_role" "lambda" { + name = "%[1]s-lambda" + + assume_role_policy = <