diff --git a/aws/internal/service/apigatewayv2/finder/finder.go b/aws/internal/service/apigatewayv2/finder/finder.go
new file mode 100644
index 00000000000..679475b6529
--- /dev/null
+++ b/aws/internal/service/apigatewayv2/finder/finder.go
@@ -0,0 +1,20 @@
+package finder
+
+import (
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/service/apigatewayv2"
+)
+
+// ApiByID returns the API corresponding to the specified ID.
+func ApiByID(conn *apigatewayv2.ApiGatewayV2, apiID string) (*apigatewayv2.GetApiOutput, error) {
+ input := &apigatewayv2.GetApiInput{
+ ApiId: aws.String(apiID),
+ }
+
+ output, err := conn.GetApi(input)
+ if err != nil {
+ return nil, err
+ }
+
+ return output, nil
+}
diff --git a/aws/resource_aws_apigatewayv2_authorizer.go b/aws/resource_aws_apigatewayv2_authorizer.go
index 39e79bee38f..8fa64f8e410 100644
--- a/aws/resource_aws_apigatewayv2_authorizer.go
+++ b/aws/resource_aws_apigatewayv2_authorizer.go
@@ -9,6 +9,7 @@ import (
 "github.com/aws/aws-sdk-go/service/apigatewayv2"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+ "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/apigatewayv2/finder"
 )
 
 func resourceAwsApiGatewayV2Authorizer() *schema.Resource {
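Review bot: ApiByID's doc comment does not say how a nonexistent API surfaces, and the body shows that any GetApi failure — presumably including a not-found response from the service — comes back as the SDK error with a nil output, so a caller that wants to treat "API is gone" differently from a transport or permission failure has to inspect the error itself. Suggested comment: `// ApiByID returns the API corresponding to the specified ID. Errors from GetApi, including a not-found response, are returned unwrapped with a nil output.` Returning an explicit nil output on error, rather than collapsing the tail to `return conn.GetApi(input)`, is the safer contract for callers that dereference the result, so the split is worth keeping.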
@@ -32,23 +33,34 @@ func resourceAwsApiGatewayV2Authorizer() *schema.Resource {
 Optional: true,
 ValidateFunc: validateArn,
 },
+ "authorizer_payload_format_version": {
+ Type: schema.TypeString,
+ Optional: true,
+ ValidateFunc: validation.StringInSlice([]string{"1.0", "2.0"}, false),
+ },
+ "authorizer_result_ttl_in_seconds": {
+ Type: schema.TypeInt,
+ Optional: true,
+ Computed: true,
+ ValidateFunc: validation.IntBetween(0, 3600),
+ },
 "authorizer_type": {
- Type: schema.TypeString,
- Required: true,
- ValidateFunc: validation.StringInSlice([]string{
- apigatewayv2.AuthorizerTypeJwt,
- apigatewayv2.AuthorizerTypeRequest,
- }, false),
+ Type: schema.TypeString,
+ Required: true,
+ ValidateFunc: validation.StringInSlice(apigatewayv2.AuthorizerType_Values(), false),
 },
 "authorizer_uri": {
 Type: schema.TypeString,
 Optional: true,
 ValidateFunc: validation.StringLenBetween(1, 2048),
 },
+ "enable_simple_responses": {
+ Type: schema.TypeBool,
+ Optional: true,
+ },
 "identity_sources": {
 Type: schema.TypeSet,
- Required: true,
- MinItems: 1,
+ Optional: true,
 Elem: &schema.Schema{Type: schema.TypeString},
 },
 "jwt_configuration": {
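Review bot: `authorizer_result_ttl_in_seconds` is declared both `Optional` and `Computed`, which means that once a value is in state, deleting the attribute from configuration produces no diff, so the 300-second default described in the docs hunk cannot be restored by omission; only an explicit value changes it. That is a defensible choice given the Create logic, but it should be stated on the field so the next maintainer does not drop `Computed` to "fix" the docs, e.g. `// Computed: when unset on create the provider sends 300 for HTTP API REQUEST authorizers (see Create); removing the attribute later keeps the current value.` The same hunk also makes `identity_sources` plain `Optional` with no minimum, so the schema can no longer express that a JWT authorizer needs an identity source; if the service rejects such a request, a plan-time guard in Create such as `if authorizerType == apigatewayv2.AuthorizerTypeJwt && d.Get("identity_sources").(*schema.Set).Len() == 0 { return fmt.Errorf("identity_sources is required for JWT authorizers") }` would surface the failure before the API call.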
@@ -82,18 +94,42 @@ func resourceAwsApiGatewayV2Authorizer() *schema.Resource {
 func resourceAwsApiGatewayV2AuthorizerCreate(d *schema.ResourceData, meta interface{}) error {
 conn := meta.(*AWSClient).apigatewayv2conn
 
+ apiId := d.Get("api_id").(string)
+ authorizerType := d.Get("authorizer_type").(string)
+
+ apiOutput, err := finder.ApiByID(conn, apiId)
+
+ if err != nil {
+ return fmt.Errorf("error reading API Gateway v2 API (%s): %s", apiId, err)
+ }
+
+ protocolType := aws.StringValue(apiOutput.ProtocolType)
+
 req := &apigatewayv2.CreateAuthorizerInput{
- ApiId: aws.String(d.Get("api_id").(string)),
- AuthorizerType: aws.String(d.Get("authorizer_type").(string)),
+ ApiId: aws.String(apiId),
+ AuthorizerType: aws.String(authorizerType),
 IdentitySource: expandStringSet(d.Get("identity_sources").(*schema.Set)),
 Name: aws.String(d.Get("name").(string)),
 }
 if v, ok := d.GetOk("authorizer_credentials_arn"); ok {
 req.AuthorizerCredentialsArn = aws.String(v.(string))
 }
+ if v, ok := d.GetOk("authorizer_payload_format_version"); ok {
+ req.AuthorizerPayloadFormatVersion = aws.String(v.(string))
+ }
+ if v, ok := d.GetOkExists("authorizer_result_ttl_in_seconds"); ok {
+ req.AuthorizerResultTtlInSeconds = aws.Int64(int64(v.(int)))
+ } else if protocolType == apigatewayv2.ProtocolTypeHttp && authorizerType == apigatewayv2.AuthorizerTypeRequest {
+ // Default in the AWS Console is 300 seconds.
+ // Explicitly set on creation so that we can correctly detect changes to the 0 value.
+ req.AuthorizerResultTtlInSeconds = aws.Int64(300)
+ }
 if v, ok := d.GetOk("authorizer_uri"); ok {
 req.AuthorizerUri = aws.String(v.(string))
 }
+ if v, ok := d.GetOk("enable_simple_responses"); ok {
+ req.EnableSimpleResponses = aws.Bool(v.(bool))
+ }
 if v, ok := d.GetOk("jwt_configuration"); ok {
 req.JwtConfiguration = expandApiGateway2JwtConfiguration(v.([]interface{}))
 }
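Review bot: The `d.GetOkExists` call on the `authorizer_result_ttl_in_seconds` branch relies on a method that terraform-plugin-sdk v2 marks deprecated because its result for Optional+Computed attributes is not well defined, and here it is the only thing separating an explicit 0 (caching off) from an unset value that receives the 300-second default. The two new acceptance tests (InitialMissingCacheTTL, InitialZeroCacheTTL) pin that distinction, which is good, but the reliance deserves a comment at the call, e.g. `// GetOkExists is deprecated but used deliberately: it is what lets an explicit 0 be told apart from an unset Computed attribute on create.` If the SDK version in use offers `d.GetRawConfig()`, checking the raw config value for null is the supported replacement. The `%s` verb on the finder error also discards the SDK error for `errors.As` callers; `%w` would preserve it, if the file's error style allows. The enclosing function continues past the hunk.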
@@ -126,8 +162,11 @@ func resourceAwsApiGatewayV2AuthorizerRead(d *schema.ResourceData, meta interfac
 }
 
 d.Set("authorizer_credentials_arn", resp.AuthorizerCredentialsArn)
+ d.Set("authorizer_payload_format_version", resp.AuthorizerPayloadFormatVersion)
+ d.Set("authorizer_result_ttl_in_seconds", resp.AuthorizerResultTtlInSeconds)
 d.Set("authorizer_type", resp.AuthorizerType)
 d.Set("authorizer_uri", resp.AuthorizerUri)
+ d.Set("enable_simple_responses", resp.EnableSimpleResponses)
 if err := d.Set("identity_sources", flattenStringSet(resp.IdentitySource)); err != nil {
 return fmt.Errorf("error setting identity_sources: %s", err)
 }
@@ -149,12 +188,21 @@ func resourceAwsApiGatewayV2AuthorizerUpdate(d *schema.ResourceData, meta interf
 if d.HasChange("authorizer_credentials_arn") {
 req.AuthorizerCredentialsArn = aws.String(d.Get("authorizer_credentials_arn").(string))
 }
+ if d.HasChange("authorizer_payload_format_version") {
+ req.AuthorizerPayloadFormatVersion = aws.String(d.Get("authorizer_payload_format_version").(string))
+ }
+ if d.HasChange("authorizer_result_ttl_in_seconds") {
+ req.AuthorizerResultTtlInSeconds = aws.Int64(int64(d.Get("authorizer_result_ttl_in_seconds").(int)))
+ }
 if d.HasChange("authorizer_type") {
 req.AuthorizerType = aws.String(d.Get("authorizer_type").(string))
 }
 if d.HasChange("authorizer_uri") {
 req.AuthorizerUri = aws.String(d.Get("authorizer_uri").(string))
 }
+ if d.HasChange("enable_simple_responses") {
+ req.EnableSimpleResponses = aws.Bool(d.Get("enable_simple_responses").(bool))
+ }
 if d.HasChange("identity_sources") {
 req.IdentitySource = expandStringSet(d.Get("identity_sources").(*schema.Set))
 }
diff --git a/aws/resource_aws_apigatewayv2_authorizer_test.go b/aws/resource_aws_apigatewayv2_authorizer_test.go
index 1e2940fe123..b934a72c2da 100644
--- a/aws/resource_aws_apigatewayv2_authorizer_test.go
+++ b/aws/resource_aws_apigatewayv2_authorizer_test.go
@@ -29,10 +29,12 @@ func TestAccAWSAPIGatewayV2Authorizer_basic(t *testing.T) { Check: resource.ComposeTestCheckFunc( testAccCheckAWSAPIGatewayV2AuthorizerExists(resourceName, &apiId, &v), resource.TestCheckResourceAttr(resourceName, "authorizer_credentials_arn", ""), + resource.TestCheckResourceAttr(resourceName, "authorizer_payload_format_version", ""), + resource.TestCheckResourceAttr(resourceName, "authorizer_result_ttl_in_seconds", "0"), resource.TestCheckResourceAttr(resourceName, "authorizer_type", "REQUEST"), resource.TestCheckResourceAttrPair(resourceName, "authorizer_uri", lambdaResourceName, "invoke_arn"), - resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "1"), - tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "route.request.header.Auth"), + resource.TestCheckResourceAttr(resourceName, "enable_simple_responses", "false"), + resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "0"), resource.TestCheckResourceAttr(resourceName, "jwt_configuration.#", "0"), resource.TestCheckResourceAttr(resourceName, "name", rName), ), @@ -62,7 +64,7 @@ func TestAccAWSAPIGatewayV2Authorizer_disappears(t *testing.T) { Config: testAccAWSAPIGatewayV2AuthorizerConfig_basic(rName), Check: resource.ComposeTestCheckFunc( testAccCheckAWSAPIGatewayV2AuthorizerExists(resourceName, &apiId, &v), - testAccCheckAWSAPIGatewayV2AuthorizerDisappears(&apiId, &v), + testAccCheckResourceDisappears(testAccProvider, resourceAwsApiGatewayV2Authorizer(), resourceName), ), ExpectNonEmptyPlan: true, }, 
@@ -88,8 +90,11 @@ func TestAccAWSAPIGatewayV2Authorizer_Credentials(t *testing.T) { Check: resource.ComposeTestCheckFunc( testAccCheckAWSAPIGatewayV2AuthorizerExists(resourceName, &apiId, &v), resource.TestCheckResourceAttrPair(resourceName, "authorizer_credentials_arn", iamRoleResourceName, "arn"), + resource.TestCheckResourceAttr(resourceName, "authorizer_payload_format_version", ""), + resource.TestCheckResourceAttr(resourceName, "authorizer_result_ttl_in_seconds", "0"), resource.TestCheckResourceAttr(resourceName, "authorizer_type", "REQUEST"), resource.TestCheckResourceAttrPair(resourceName, "authorizer_uri", lambdaResourceName, "invoke_arn"), + resource.TestCheckResourceAttr(resourceName, "enable_simple_responses", "false"), resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "1"), tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "route.request.header.Auth"), resource.TestCheckResourceAttr(resourceName, "jwt_configuration.#", "0"), @@ -108,7 +113,10 @@ func TestAccAWSAPIGatewayV2Authorizer_Credentials(t *testing.T) { testAccCheckAWSAPIGatewayV2AuthorizerExists(resourceName, &apiId, &v), resource.TestCheckResourceAttrPair(resourceName, "authorizer_credentials_arn", iamRoleResourceName, "arn"), resource.TestCheckResourceAttr(resourceName, "authorizer_type", "REQUEST"), + resource.TestCheckResourceAttr(resourceName, "authorizer_payload_format_version", ""), + resource.TestCheckResourceAttr(resourceName, "authorizer_result_ttl_in_seconds", "0"), resource.TestCheckResourceAttrPair(resourceName, "authorizer_uri", lambdaResourceName, "invoke_arn"), + resource.TestCheckResourceAttr(resourceName, "enable_simple_responses", "false"), resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "2"), tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "route.request.header.Auth"), tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "route.request.querystring.Name"), 
@@ -122,9 +130,11 @@ func TestAccAWSAPIGatewayV2Authorizer_Credentials(t *testing.T) { testAccCheckAWSAPIGatewayV2AuthorizerExists(resourceName, &apiId, &v), resource.TestCheckResourceAttr(resourceName, "authorizer_credentials_arn", ""), resource.TestCheckResourceAttr(resourceName, "authorizer_type", "REQUEST"), + resource.TestCheckResourceAttr(resourceName, "authorizer_payload_format_version", ""), + resource.TestCheckResourceAttr(resourceName, "authorizer_result_ttl_in_seconds", "0"), resource.TestCheckResourceAttrPair(resourceName, "authorizer_uri", lambdaResourceName, "invoke_arn"), - resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "1"), - tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "route.request.header.Auth"), + resource.TestCheckResourceAttr(resourceName, "enable_simple_responses", "false"), + resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "0"), resource.TestCheckResourceAttr(resourceName, "jwt_configuration.#", "0"), resource.TestCheckResourceAttr(resourceName, "name", rName), ), @@ -149,8 +159,11 @@ func TestAccAWSAPIGatewayV2Authorizer_JWT(t *testing.T) { Check: resource.ComposeTestCheckFunc( testAccCheckAWSAPIGatewayV2AuthorizerExists(resourceName, &apiId, &v), resource.TestCheckResourceAttr(resourceName, "authorizer_credentials_arn", ""), + resource.TestCheckResourceAttr(resourceName, "authorizer_payload_format_version", ""), + resource.TestCheckResourceAttr(resourceName, "authorizer_result_ttl_in_seconds", "0"), resource.TestCheckResourceAttr(resourceName, "authorizer_type", "JWT"), resource.TestCheckResourceAttr(resourceName, "authorizer_uri", ""), + resource.TestCheckResourceAttr(resourceName, "enable_simple_responses", "false"), resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "1"), tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "$request.header.Authorization"), resource.TestCheckResourceAttr(resourceName, "jwt_configuration.#", "1"), 
@@ -170,8 +183,11 @@ func TestAccAWSAPIGatewayV2Authorizer_JWT(t *testing.T) { Check: resource.ComposeTestCheckFunc( testAccCheckAWSAPIGatewayV2AuthorizerExists(resourceName, &apiId, &v), resource.TestCheckResourceAttr(resourceName, "authorizer_credentials_arn", ""), + resource.TestCheckResourceAttr(resourceName, "authorizer_payload_format_version", ""), + resource.TestCheckResourceAttr(resourceName, "authorizer_result_ttl_in_seconds", "0"), resource.TestCheckResourceAttr(resourceName, "authorizer_type", "JWT"), resource.TestCheckResourceAttr(resourceName, "authorizer_uri", ""), + resource.TestCheckResourceAttr(resourceName, "enable_simple_responses", "false"), resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "1"), tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "$request.header.Authorization"), resource.TestCheckResourceAttr(resourceName, "jwt_configuration.#", "1"), 
@@ -185,6 +201,134 @@ func TestAccAWSAPIGatewayV2Authorizer_JWT(t *testing.T) { }) } +func TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer_InitialMissingCacheTTL(t *testing.T) { + var apiId string + var v apigatewayv2.GetAuthorizerOutput + resourceName := "aws_apigatewayv2_authorizer.test" + lambdaResourceName := "aws_lambda_function.test" + rName := acctest.RandomWithPrefix("tf-acc-test") + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSAPIGatewayV2AuthorizerDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSAPIGatewayV2AuthorizerConfig_httpApiLambdaRequestAuthorizer(rName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSAPIGatewayV2AuthorizerExists(resourceName, &apiId, &v), + resource.TestCheckResourceAttr(resourceName, "authorizer_credentials_arn", ""), + resource.TestCheckResourceAttr(resourceName, "authorizer_payload_format_version", "2.0"), + resource.TestCheckResourceAttr(resourceName, "authorizer_result_ttl_in_seconds", "300"), + resource.TestCheckResourceAttr(resourceName, "authorizer_type", "REQUEST"), + resource.TestCheckResourceAttrPair(resourceName, "authorizer_uri", lambdaResourceName, "invoke_arn"), + resource.TestCheckResourceAttr(resourceName, "enable_simple_responses", "true"), + resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "1"), + tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "$request.header.Auth"), + resource.TestCheckResourceAttr(resourceName, "jwt_configuration.#", "0"), + resource.TestCheckResourceAttr(resourceName, "name", rName), + ), + }, + { + ResourceName: resourceName, + ImportStateIdFunc: testAccAWSAPIGatewayV2AuthorizerImportStateIdFunc(resourceName), + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccAWSAPIGatewayV2AuthorizerConfig_httpApiLambdaRequestAuthorizerUpdated(rName, 3600), + Check: 
resource.ComposeTestCheckFunc( + testAccCheckAWSAPIGatewayV2AuthorizerExists(resourceName, &apiId, &v), + resource.TestCheckResourceAttr(resourceName, "authorizer_credentials_arn", ""), + resource.TestCheckResourceAttr(resourceName, "authorizer_payload_format_version", "1.0"), + resource.TestCheckResourceAttr(resourceName, "authorizer_result_ttl_in_seconds", "3600"), + resource.TestCheckResourceAttr(resourceName, "authorizer_type", "REQUEST"), + resource.TestCheckResourceAttrPair(resourceName, "authorizer_uri", lambdaResourceName, "invoke_arn"), + resource.TestCheckResourceAttr(resourceName, "enable_simple_responses", "false"), + resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "2"), + tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "$request.querystring.User"), + tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "$context.routeKey"), + resource.TestCheckResourceAttr(resourceName, "jwt_configuration.#", "0"), + resource.TestCheckResourceAttr(resourceName, "name", rName), + ), + }, + { + Config: testAccAWSAPIGatewayV2AuthorizerConfig_httpApiLambdaRequestAuthorizerUpdated(rName, 0), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSAPIGatewayV2AuthorizerExists(resourceName, &apiId, &v), + resource.TestCheckResourceAttr(resourceName, "authorizer_credentials_arn", ""), + resource.TestCheckResourceAttr(resourceName, "authorizer_payload_format_version", "1.0"), + resource.TestCheckResourceAttr(resourceName, "authorizer_result_ttl_in_seconds", "0"), + resource.TestCheckResourceAttr(resourceName, "authorizer_type", "REQUEST"), + resource.TestCheckResourceAttrPair(resourceName, "authorizer_uri", lambdaResourceName, "invoke_arn"), + resource.TestCheckResourceAttr(resourceName, "enable_simple_responses", "false"), + resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "2"), + tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "$request.querystring.User"), + 
tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "$context.routeKey"), + resource.TestCheckResourceAttr(resourceName, "jwt_configuration.#", "0"), + resource.TestCheckResourceAttr(resourceName, "name", rName), + ), + }, + }, + }) +} + +func TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer_InitialZeroCacheTTL(t *testing.T) { + var apiId string + var v apigatewayv2.GetAuthorizerOutput + resourceName := "aws_apigatewayv2_authorizer.test" + lambdaResourceName := "aws_lambda_function.test" + rName := acctest.RandomWithPrefix("tf-acc-test") + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSAPIGatewayV2AuthorizerDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSAPIGatewayV2AuthorizerConfig_httpApiLambdaRequestAuthorizerUpdated(rName, 0), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSAPIGatewayV2AuthorizerExists(resourceName, &apiId, &v), + resource.TestCheckResourceAttr(resourceName, "authorizer_credentials_arn", ""), + resource.TestCheckResourceAttr(resourceName, "authorizer_payload_format_version", "1.0"), + resource.TestCheckResourceAttr(resourceName, "authorizer_result_ttl_in_seconds", "0"), + resource.TestCheckResourceAttr(resourceName, "authorizer_type", "REQUEST"), + resource.TestCheckResourceAttrPair(resourceName, "authorizer_uri", lambdaResourceName, "invoke_arn"), + resource.TestCheckResourceAttr(resourceName, "enable_simple_responses", "false"), + resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "2"), + tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "$request.querystring.User"), + tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "$context.routeKey"), + resource.TestCheckResourceAttr(resourceName, "jwt_configuration.#", "0"), + resource.TestCheckResourceAttr(resourceName, "name", rName), + ), + }, + { + ResourceName: 
resourceName, + ImportStateIdFunc: testAccAWSAPIGatewayV2AuthorizerImportStateIdFunc(resourceName), + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccAWSAPIGatewayV2AuthorizerConfig_httpApiLambdaRequestAuthorizerUpdated(rName, 600), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSAPIGatewayV2AuthorizerExists(resourceName, &apiId, &v), + resource.TestCheckResourceAttr(resourceName, "authorizer_credentials_arn", ""), + resource.TestCheckResourceAttr(resourceName, "authorizer_payload_format_version", "1.0"), + resource.TestCheckResourceAttr(resourceName, "authorizer_result_ttl_in_seconds", "600"), + resource.TestCheckResourceAttr(resourceName, "authorizer_type", "REQUEST"), + resource.TestCheckResourceAttrPair(resourceName, "authorizer_uri", lambdaResourceName, "invoke_arn"), + resource.TestCheckResourceAttr(resourceName, "enable_simple_responses", "false"), + resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "2"), + tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "$request.querystring.User"), + tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "$context.routeKey"), + resource.TestCheckResourceAttr(resourceName, "jwt_configuration.#", "0"), + resource.TestCheckResourceAttr(resourceName, "name", rName), + ), + }, + }, + }) +} + func testAccCheckAWSAPIGatewayV2AuthorizerDestroy(s *terraform.State) error { conn := testAccProvider.Meta().(*AWSClient).apigatewayv2conn 
@@ -210,19 +354,6 @@ func testAccCheckAWSAPIGatewayV2AuthorizerDestroy(s *terraform.State) error { return nil } -func testAccCheckAWSAPIGatewayV2AuthorizerDisappears(apiId *string, v *apigatewayv2.GetAuthorizerOutput) resource.TestCheckFunc { - return func(s *terraform.State) error { - conn := testAccProvider.Meta().(*AWSClient).apigatewayv2conn - - _, err := conn.DeleteAuthorizer(&apigatewayv2.DeleteAuthorizerInput{ - ApiId: apiId, - AuthorizerId: v.AuthorizerId, - }) - - return err - } -} - func testAccCheckAWSAPIGatewayV2AuthorizerExists(n string, vApiId *string, v *apigatewayv2.GetAuthorizerOutput) resource.TestCheckFunc { return func(s *terraform.State) error { rs, ok := s.RootModule().Resources[n] @@ -263,8 +394,27 @@ func testAccAWSAPIGatewayV2AuthorizerImportStateIdFunc(resourceName string) reso } } -func testAccAWSAPIGatewayV2AuthorizerConfig_baseWebSocket(rName string) string { - return baseAccAWSLambdaConfig(rName, rName, rName) + fmt.Sprintf(` +func testAccAWSAPIGatewayV2AuthorizerConfig_apiWebSocket(rName string) string { + return fmt.Sprintf(` +resource "aws_apigatewayv2_api" "test" { + name = %[1]q + protocol_type = "WEBSOCKET" + route_selection_expression = "$request.body.action" +} +`, rName) +} + +func testAccAWSAPIGatewayV2AuthorizerConfig_apiHttp(rName string) string { + return fmt.Sprintf(` +resource "aws_apigatewayv2_api" "test" { + name = %[1]q + protocol_type = "HTTP" +} +`, rName) +} + +func testAccAWSAPIGatewayV2AuthorizerConfig_baseLambda(rName string) string { + return composeConfig(baseAccAWSLambdaConfig(rName, rName, rName), fmt.Sprintf(` resource "aws_lambda_function" "test" { filename = "test-fixtures/lambdatest.zip" function_name = %[1]q 
@@ -273,12 +423,6 @@ resource "aws_lambda_function" "test" { runtime = "nodejs10.x" } -resource "aws_apigatewayv2_api" "test" { - name = %[1]q - protocol_type = "WEBSOCKET" - route_selection_expression = "$request.body.action" -} - resource "aws_iam_role" "test" { name = "%[1]s_auth_invocation_role" path = "/" @@ -294,36 +438,28 @@ resource "aws_iam_role" "test" { } EOF } -`, rName) -} - -func testAccAWSAPIGatewayV2AuthorizerConfig_baseHttp(rName string) string { - return baseAccAWSLambdaConfig(rName, rName, rName) + fmt.Sprintf(` -resource "aws_apigatewayv2_api" "test" { - name = %[1]q - protocol_type = "HTTP" -} - -resource "aws_cognito_user_pool" "test" { - name = %[1]q -} -`, rName) +`, rName)) } func testAccAWSAPIGatewayV2AuthorizerConfig_basic(rName string) string { - return testAccAWSAPIGatewayV2AuthorizerConfig_baseWebSocket(rName) + fmt.Sprintf(` + return composeConfig( + testAccAWSAPIGatewayV2AuthorizerConfig_apiWebSocket(rName), + testAccAWSAPIGatewayV2AuthorizerConfig_baseLambda(rName), + fmt.Sprintf(` resource "aws_apigatewayv2_authorizer" "test" { - api_id = aws_apigatewayv2_api.test.id - authorizer_type = "REQUEST" - authorizer_uri = aws_lambda_function.test.invoke_arn - identity_sources = ["route.request.header.Auth"] - name = %[1]q + api_id = aws_apigatewayv2_api.test.id + authorizer_type = "REQUEST" + authorizer_uri = aws_lambda_function.test.invoke_arn + name = %[1]q } -`, rName) +`, rName)) } func testAccAWSAPIGatewayV2AuthorizerConfig_credentials(rName string) string { - return testAccAWSAPIGatewayV2AuthorizerConfig_baseWebSocket(rName) + fmt.Sprintf(` + return composeConfig( + testAccAWSAPIGatewayV2AuthorizerConfig_apiWebSocket(rName), + testAccAWSAPIGatewayV2AuthorizerConfig_baseLambda(rName), + fmt.Sprintf(` resource "aws_apigatewayv2_authorizer" "test" { api_id = aws_apigatewayv2_api.test.id authorizer_type = "REQUEST" 
@@ -333,11 +469,14 @@ resource "aws_apigatewayv2_authorizer" "test" { authorizer_credentials_arn = aws_iam_role.test.arn } -`, rName) +`, rName)) } func testAccAWSAPIGatewayV2AuthorizerConfig_credentialsUpdated(rName string) string { - return testAccAWSAPIGatewayV2AuthorizerConfig_baseWebSocket(rName) + fmt.Sprintf(` + return composeConfig( + testAccAWSAPIGatewayV2AuthorizerConfig_apiWebSocket(rName), + testAccAWSAPIGatewayV2AuthorizerConfig_baseLambda(rName), + fmt.Sprintf(` resource "aws_apigatewayv2_authorizer" "test" { api_id = aws_apigatewayv2_api.test.id authorizer_type = "REQUEST" @@ -347,11 +486,18 @@ resource "aws_apigatewayv2_authorizer" "test" { authorizer_credentials_arn = aws_iam_role.test.arn } -`, rName) +`, rName)) } func testAccAWSAPIGatewayV2AuthorizerConfig_jwt(rName string) string { - return testAccAWSAPIGatewayV2AuthorizerConfig_baseHttp(rName) + fmt.Sprintf(` + return composeConfig( + testAccAWSAPIGatewayV2AuthorizerConfig_apiHttp(rName), + testAccAWSAPIGatewayV2AuthorizerConfig_baseLambda(rName), + fmt.Sprintf(` +resource "aws_cognito_user_pool" "test" { + name = %[1]q +} + resource "aws_apigatewayv2_authorizer" "test" { api_id = aws_apigatewayv2_api.test.id authorizer_type = "JWT" @@ -363,11 +509,18 @@ resource "aws_apigatewayv2_authorizer" "test" { issuer = "https://${aws_cognito_user_pool.test.endpoint}" } } -`, rName) +`, rName)) } func testAccAWSAPIGatewayV2AuthorizerConfig_jwtUpdated(rName string) string { - return testAccAWSAPIGatewayV2AuthorizerConfig_baseHttp(rName) + fmt.Sprintf(` + return composeConfig( + testAccAWSAPIGatewayV2AuthorizerConfig_apiHttp(rName), + testAccAWSAPIGatewayV2AuthorizerConfig_baseLambda(rName), + fmt.Sprintf(` +resource "aws_cognito_user_pool" "test" { + name = %[1]q +} + resource "aws_apigatewayv2_authorizer" "test" { api_id = aws_apigatewayv2_api.test.id authorizer_type = "JWT" 
@@ -379,5 +532,40 @@ resource "aws_apigatewayv2_authorizer" "test" { issuer = "https://${aws_cognito_user_pool.test.endpoint}" } } -`, rName) +`, rName)) +} + +func testAccAWSAPIGatewayV2AuthorizerConfig_httpApiLambdaRequestAuthorizer(rName string) string { + return composeConfig( + testAccAWSAPIGatewayV2AuthorizerConfig_apiHttp(rName), + testAccAWSAPIGatewayV2AuthorizerConfig_baseLambda(rName), + fmt.Sprintf(` +resource "aws_apigatewayv2_authorizer" "test" { + api_id = aws_apigatewayv2_api.test.id + authorizer_payload_format_version = "2.0" + authorizer_type = "REQUEST" + authorizer_uri = aws_lambda_function.test.invoke_arn + enable_simple_responses = true + identity_sources = ["$request.header.Auth"] + name = %[1]q +} +`, rName)) +} + +func testAccAWSAPIGatewayV2AuthorizerConfig_httpApiLambdaRequestAuthorizerUpdated(rName string, authorizerResultTtl int) string { + return composeConfig( + testAccAWSAPIGatewayV2AuthorizerConfig_apiHttp(rName), + testAccAWSAPIGatewayV2AuthorizerConfig_baseLambda(rName), + fmt.Sprintf(` +resource "aws_apigatewayv2_authorizer" "test" { + api_id = aws_apigatewayv2_api.test.id + authorizer_payload_format_version = "1.0" + authorizer_result_ttl_in_seconds = %[2]d + authorizer_type = "REQUEST" + authorizer_uri = aws_lambda_function.test.invoke_arn + enable_simple_responses = false + identity_sources = ["$request.querystring.User", "$context.routeKey"] + name = %[1]q +} +`, rName, authorizerResultTtl)) } diff --git a/website/docs/r/apigatewayv2_authorizer.html.markdown b/website/docs/r/apigatewayv2_authorizer.html.markdown index dd604ad284a..4a9998020b4 100644 --- a/website/docs/r/apigatewayv2_authorizer.html.markdown +++ b/website/docs/r/apigatewayv2_authorizer.html.markdown 
@@ -47,17 +47,24 @@ The following arguments are supported: * `api_id` - (Required) The API identifier. * `authorizer_type` - (Required) The authorizer type. Valid values: `JWT`, `REQUEST`. -For WebSocket APIs, specify `REQUEST` for a Lambda function using incoming request parameters. - For HTTP APIs, specify `JWT` to use JSON Web Tokens. -* `identity_sources` - (Required) The identity sources for which authorization is requested. -For `REQUEST` authorizers the value is a list of one or more mapping expressions of the specified request parameters. -For `JWT` authorizers the single entry specifies where to extract the JSON Web Token (JWT) from inbound requests. +Specify `REQUEST` for a Lambda function using incoming request parameters. +For HTTP APIs, specify `JWT` to use JSON Web Tokens. * `name` - (Required) The name of the authorizer. * `authorizer_credentials_arn` - (Optional) The required credentials as an IAM role for API Gateway to invoke the authorizer. Supported only for `REQUEST` authorizers. +* `authorizer_payload_format_version` - (Optional) The format of the payload sent to an HTTP API Lambda authorizer. Required for HTTP API Lambda authorizers. +Valid values: `1.0`, `2.0`. +* `authorizer_result_ttl_in_seconds` - (Optional) The time to live (TTL) for cached authorizer results, in seconds. If it equals 0, authorization caching is disabled. +If it is greater than 0, API Gateway caches authorizer responses. The maximum value is 3600, or 1 hour. Defaults to `300`. +Supported only for HTTP API Lambda authorizers. * `authorizer_uri` - (Optional) The authorizer's Uniform Resource Identifier (URI). For `REQUEST` authorizers this must be a well-formed Lambda function URI, such as the `invoke_arn` attribute of the [`aws_lambda_function`](/docs/providers/aws/r/lambda_function.html) resource. Supported only for `REQUEST` authorizers. +* `enable_simple_responses` - (Optional) Whether a Lambda authorizer returns a response in a simple format. 
If enabled, the Lambda authorizer can return a boolean value instead of an IAM policy. +Supported only for HTTP APIs. +* `identity_sources` - (Optional) The identity sources for which authorization is requested. +For `REQUEST` authorizers the value is a list of one or more mapping expressions of the specified request parameters. +For `JWT` authorizers the single entry specifies where to extract the JSON Web Token (JWT) from inbound requests. * `jwt_configuration` - (Optional) The configuration of a JWT authorizer. Required for the `JWT` authorizer type. Supported only for HTTP APIs.