Support COGNITO_USER_POOLS authorizer

[batkuip]

Terraform Version

0.9.11

Affected Resource(s)

• aws_api_gateway_authorizer
• aws_api_gateway_method

Expected Behavior

type="COGNITO_USER_POOLS" supported

Actual Behavior

not supported

References

• http://docs.aws.amazon.com/cli/latest/reference/apigateway/create-authorizer.html
• http://docs.aws.amazon.com/cli/latest/reference/apigateway/put-method.html

[peterpostmann]

Hi,

I needed a workaround and used this one:

• Use a null_ressource which creates the authorizer using aws cli
• Use data "external" to quiery aws for the id of the authorizer

resource "null_resource" "aws_api_gateway_authorizer_myPool" {
  provisioner "local-exec" {
    command = "export AWS_DEFAULT_REGION=${var.region} && 
               aws apigateway create-authorizer 
               --rest-api-id ${aws_api_gateway_rest_api.myApi.id} 
               --name 'myPool' --type COGNITO_USER_POOLS 
               --provider-arns '${aws_cognito_user_pool.myPool.arn}' 
               --identity-source 'method.request.header.Authorization'"
  }

  provisioner "local-exec" {
    when    = "destroy"
    command = "export AWS_DEFAULT_REGION=${var.region} && 
               aws apigateway delete-authorizer 
               --rest-api-id ${aws_api_gateway_rest_api.myApi.id} 
               --authorizer-id ${data.external.aws_api_gateway_authorizer_myPool.result.id}"
  }
}

data "external" "aws_api_gateway_authorizer_myPool" {
  program = [
    "./awsGetAuhtorizerByName.sh", 
    "${aws_api_gateway_rest_api.MyApi.id}", 
    "myPool"
  ]
}

using this script

#!/bin/bash

echo {\"id\": \"$(aws apigateway  get-authorizers --rest-api-id $1 | jq -r '.items[] | select(.name == "'$2'") | .id')\"}

This script uses 'jq' for simplicity. It recives a list of authorizers from aws and selects the item where the name matches and returns the id of this entry in json format.

The authorizer can be attached to a gateway method like this:

resource "aws_api_gateway_method" "myMethod" {
  rest_api_id   = "${aws_api_gateway_rest_api.myApi.id}"
  resource_id   = "${aws_api_gateway_resource.myRessource.id}"
  http_method   = "POST"
  authorization = "COGNITO_USER_POOLS"
  authorizer_id = "${data.external.aws_api_gateway_authorizer_myPool.result.id}"
}

All of this would have a been a lot easier if one could overright/set variables of the null_resource ;)

Hope someone else my find this useful as well. Looking forward for feedback.

[arbabnazar]

Here is an example is somebody still looking for it:

resource "aws_api_gateway_authorizer" "api_gateway_authorizer" {
  name                   = "demo-authorizer"
  rest_api_id            = "${module.lambda_app.api_gateway_id}"
  identity_source = "method.request.header.Authorization"
  type = "COGNITO_USER_POOLS"
  provider_arns = ["${aws_cognito_user_pool.cognito_user_pool.arn}"]
}```

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!