-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
aws_appsync_graphql_api resource doesn't support LAMBDA authentication type #20644
Comments
Suggested implementation (I need this too!):
Based on AppSync's additional authorization provider UI for AWS Lambda authorization mode. In the meantime, anyone who needs to use this by manually updating their AppSync configuration through the console can use the following inside of their aws_appsync_graphql_api resource declaration:
|
I am working on a PR for this. Usage example: resource "aws_appsync_graphql_api" "example" {
authentication_type = "AWS_LAMBDA"
name = "example"
lambda_authorizer_config {
authorizer_uri = "arn:aws:lambda:us-east-1:123456789012:function:custom_lambda_authorizer"
}
}
resource "aws_lambda_permission" "appsync_lambda_authorizer" {
statement_id = "appsync_lambda_authorizer"
action = "lambda:InvokeFunction"
function_name = "custom_lambda_authorizer"
principal = "appsync.amazonaws.com"
source_arn = aws_appsync_graphql_api.example.arn
} |
…ment (hashicorp#20644) Issue: hashicorp#20644 API docs: https://docs.aws.amazon.com/appsync/latest/APIReference/API_LambdaAuthorizerConfig.html Output from acceptance testing: ``` make testacc TESTARGS='-run=TestAccAWSAppsyncGraphqlApi_' ==> Checking that code complies with gofmt requirements... TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAppsyncGraphqlApi_ -timeout 180m --- PASS: TestAccAWSAppsyncGraphqlApi_basic (147.72s) --- PASS: TestAccAWSAppsyncGraphqlApi_AdditionalAuthentication_AWSIAM (148.24s) --- PASS: TestAccAWSAppsyncGraphqlApi_AdditionalAuthentication_APIKey (149.20s) --- PASS: TestAccAWSAppsyncGraphqlApi_AdditionalAuthentication_OpenIDConnect (149.32s) --- PASS: TestAccAWSAppsyncGraphqlApi_LogConfig (153.51s) --- PASS: TestAccAWSAppsyncGraphqlApi_AdditionalAuthentication_CognitoUserPools (173.33s) --- PASS: TestAccAWSAppsyncGraphqlApi_AdditionalAuthentication_AwsLambda (196.04s) --- PASS: TestAccAWSAppsyncGraphqlApi_AdditionalAuthentication_Multiple (204.38s) --- PASS: TestAccAWSAppsyncGraphqlApi_XrayEnabled (214.18s) --- PASS: TestAccAWSAppsyncGraphqlApi_Name (215.34s) --- PASS: TestAccAWSAppsyncGraphqlApi_AuthenticationType_AwsLambda (221.80s) --- PASS: TestAccAWSAppsyncGraphqlApi_OpenIDConnectConfig_AuthTTL (235.05s) --- PASS: TestAccAWSAppsyncGraphqlApi_Tags (236.82s) --- PASS: TestAccAWSAppsyncGraphqlApi_UserPoolConfig_AwsRegion (242.45s) --- PASS: TestAccAWSAppsyncGraphqlApi_LogConfig_ExcludeVerboseContent (250.77s) --- PASS: TestAccAWSAppsyncGraphqlApi_UserPoolConfig_DefaultAction (250.94s) --- PASS: TestAccAWSAppsyncGraphqlApi_AuthenticationType_APIKey (116.05s) --- PASS: TestAccAWSAppsyncGraphqlApi_AuthenticationType_OpenIDConnect (115.22s) --- PASS: TestAccAWSAppsyncGraphqlApi_AuthenticationType_AmazonCognitoUserPools (125.39s) --- PASS: TestAccAWSAppsyncGraphqlApi_disappears (65.90s) --- PASS: TestAccAWSAppsyncGraphqlApi_LambdaAuthorizerConfig_IdentityValidationExpression (281.96s) --- PASS: TestAccAWSAppsyncGraphqlApi_AuthenticationType_AWSIAM (88.56s) --- PASS: TestAccAWSAppsyncGraphqlApi_LambdaAuthorizerConfig_AuthorizerUri (294.85s) --- PASS: TestAccAWSAppsyncGraphqlApi_OpenIDConnectConfig_IatTTL (158.58s) --- PASS: TestAccAWSAppsyncGraphqlApi_OpenIDConnectConfig_Issuer (154.12s) --- PASS: TestAccAWSAppsyncGraphqlApi_LogConfig_FieldLogLevel (312.61s) --- PASS: TestAccAWSAppsyncGraphqlApi_Schema (143.80s) --- PASS: TestAccAWSAppsyncGraphqlApi_AuthenticationType (126.84s) --- PASS: TestAccAWSAppsyncGraphqlApi_OpenIDConnectConfig_ClientID (113.13s) --- PASS: TestAccAWSAppsyncGraphqlApi_LambdaAuthorizerConfig_AuthorizerResultTtlInSeconds (356.98s) PASS ok github.com/terraform-providers/terraform-provider-aws/aws 359.589s ```
How can we get #20857 pushed over that finish line? |
Any update, would love to use this feature :) |
I am waiting for this change. At this moment I am using AWS CLI command in my CI/CD post terraform but still when working form console by myself I find this being a pain.
|
thank you @filipjakubowski, based on your cli, I'm using AWS_LAMBDA as second auth type:
|
…ment (#20857) * tests/resource/aws_appsync_graphql_api: Update deprecated Providers to ProviderFactories * resource/aws_appsync_graphql_api: Add `lambda_authorizer_config` argument (#20644) Issue: #20644 API docs: https://docs.aws.amazon.com/appsync/latest/APIReference/API_LambdaAuthorizerConfig.html Output from acceptance testing: ``` make testacc TESTARGS='-run=TestAccAWSAppsyncGraphqlApi_' ==> Checking that code complies with gofmt requirements... TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAppsyncGraphqlApi_ -timeout 180m --- PASS: TestAccAWSAppsyncGraphqlApi_basic (147.72s) --- PASS: TestAccAWSAppsyncGraphqlApi_AdditionalAuthentication_AWSIAM (148.24s) --- PASS: TestAccAWSAppsyncGraphqlApi_AdditionalAuthentication_APIKey (149.20s) --- PASS: TestAccAWSAppsyncGraphqlApi_AdditionalAuthentication_OpenIDConnect (149.32s) --- PASS: TestAccAWSAppsyncGraphqlApi_LogConfig (153.51s) --- PASS: TestAccAWSAppsyncGraphqlApi_AdditionalAuthentication_CognitoUserPools (173.33s) --- PASS: TestAccAWSAppsyncGraphqlApi_AdditionalAuthentication_AwsLambda (196.04s) --- PASS: TestAccAWSAppsyncGraphqlApi_AdditionalAuthentication_Multiple (204.38s) --- PASS: TestAccAWSAppsyncGraphqlApi_XrayEnabled (214.18s) --- PASS: TestAccAWSAppsyncGraphqlApi_Name (215.34s) --- PASS: TestAccAWSAppsyncGraphqlApi_AuthenticationType_AwsLambda (221.80s) --- PASS: TestAccAWSAppsyncGraphqlApi_OpenIDConnectConfig_AuthTTL (235.05s) --- PASS: TestAccAWSAppsyncGraphqlApi_Tags (236.82s) --- PASS: TestAccAWSAppsyncGraphqlApi_UserPoolConfig_AwsRegion (242.45s) --- PASS: TestAccAWSAppsyncGraphqlApi_LogConfig_ExcludeVerboseContent (250.77s) --- PASS: TestAccAWSAppsyncGraphqlApi_UserPoolConfig_DefaultAction (250.94s) --- PASS: TestAccAWSAppsyncGraphqlApi_AuthenticationType_APIKey (116.05s) --- PASS: TestAccAWSAppsyncGraphqlApi_AuthenticationType_OpenIDConnect (115.22s) --- PASS: TestAccAWSAppsyncGraphqlApi_AuthenticationType_AmazonCognitoUserPools (125.39s) --- PASS: TestAccAWSAppsyncGraphqlApi_disappears (65.90s) --- PASS: TestAccAWSAppsyncGraphqlApi_LambdaAuthorizerConfig_IdentityValidationExpression (281.96s) --- PASS: TestAccAWSAppsyncGraphqlApi_AuthenticationType_AWSIAM (88.56s) --- PASS: TestAccAWSAppsyncGraphqlApi_LambdaAuthorizerConfig_AuthorizerUri (294.85s) --- PASS: TestAccAWSAppsyncGraphqlApi_OpenIDConnectConfig_IatTTL (158.58s) --- PASS: TestAccAWSAppsyncGraphqlApi_OpenIDConnectConfig_Issuer (154.12s) --- PASS: TestAccAWSAppsyncGraphqlApi_LogConfig_FieldLogLevel (312.61s) --- PASS: TestAccAWSAppsyncGraphqlApi_Schema (143.80s) --- PASS: TestAccAWSAppsyncGraphqlApi_AuthenticationType (126.84s) --- PASS: TestAccAWSAppsyncGraphqlApi_OpenIDConnectConfig_ClientID (113.13s) --- PASS: TestAccAWSAppsyncGraphqlApi_LambdaAuthorizerConfig_AuthorizerResultTtlInSeconds (356.98s) PASS ok github.com/terraform-providers/terraform-provider-aws/aws 359.589s ``` * resource/aws_appsync_graphql_api: Add changelog entry 20857.txt * resource/aws_appsync_graphql_api: Terraform fmt in test config * Revert "tests/resource/aws_appsync_graphql_api: Update deprecated Providers to ProviderFactories" This reverts commit 1f981fc. * tests/resource/aws_appsync_graphql_api: Changes from #20000 and #21400 * graphql_api: Re-order map alphabetically (review comment)
This functionality has been released in v3.70.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
Community Note
Description
The aws_appsync_graphql_api resource is missing the new LAMBDA authentication_type that was released on July 30th 2021. This new authentication system makes it much simpler to add entirely custom auth to AppSync (no Cognito/etc. needed).
I might be interested in adding support for this but I've never contributed to this codebase before.
Feature release blog post: https://aws.amazon.com/blogs/mobile/appsync-lambda-auth/
New or Affected Resource(s)
The text was updated successfully, but these errors were encountered: