[WIP] AWS APIGateway Custom Authorizer #6731
I'm trying to figure out how to handle the following:
any tips?
@radeksimko: could you have a look here?
I got a repro, where if the authorizer is deleted prior to the apigateway method, then it results in the conflict exception:
resource_id = "${aws_api_gateway_resource.test.id}" | ||
http_method = "GET" | ||
authorization = "CUSTOM" | ||
authorizer_id = "${aws_api_gateway_authorizer.test.id}" |
I think this is the tricky part. Because I have a reference to the authorizer_id here, terraform wants to delete the authorizer before deleting the method, but the AWS SDK API expects all methods to be deleted first. Maybe instead, the authorizer should have a collection of methods it should attach to, instead. What do you think?
terraform wants to delete the authorizer before deleting the method
in what situation exactly? on complete terraform destroy? I believe the opposite is reality:
https://gist.github.com/radeksimko/3d9b0637ad821b34de7be4e7e2c993fe - snippet below:
aws_api_gateway_method.MyDemoMethod: Destruction complete
...
aws_api_gateway_authorizer.demo: Destroying...
aws_api_gateway_authorizer.demo: Destruction complete
If I set an explicit dependency like this:
then I get an error like this:
I added a
@radeksimko: docs are in place for review.
any feedback?
This is pretty important for our use case, and I'm going to cherry-pick this into my fork and test it against our stack. I'm happy to report back here if it will be helpful.
That would be super helpful if you could test. I can remove WIP also. On Wednesday, July 13, 2016, Greg Thole notifications@github.com wrote:
I built the binaries with this commit on top of v0.6.16 (
That's great! Glad to hear it. Can we get this merged? On Wednesday, July 13, 2016, Greg Thole notifications@github.com wrote:
return fmt.Errorf("Deleting API Gateway Authorizer failed: %s", err) | ||
// XXX: Figure out a way to delete the method that depends on the authorizer first | ||
// otherwise the authorizer will be dangling until the API is deleted | ||
if !strings.Contains(err.Error(), "ConflictException") { |
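Review bot: the `strings.Contains(err.Error(), "ConflictException")` test on the last line matches on message text, so an unrelated failure whose message merely mentions ConflictException is treated the same as a real conflict; type-assert the error to the SDK's `awserr.Error` and compare `Code()` exactly. As the XXX comment itself notes, ignoring the conflict leaves the authorizer dangling until the API is deleted, so retrying the delete with a bounded timeout and returning the error if it never clears would be safer than skipping it.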
As long as the authorizer is managed in the same terraform scope and is referenced properly (i.e. not hardcoded authorizer IDs in methods) Terraform will schedule the deletion correctly by default - i.e. for complete destruction 1st method => 2nd authorizer. Have a look at the dependency graph via terraform graph. 😉
The only issue that may theoretically arise is eventual consistency of the AWS API (or the implementation of it) - i.e. the authorizer_id change may take time to propagate. We usually just retry the deletion in such cases with a reasonable timeout.
Did you experience this problem yourself @johnjelinek ?
Hi @johnjelinek, If you saw this error while using the exact same config, it must be eventual consistency and we should add Retry block in that case. If you do decide to add such retry block, I'd suggest you check the error code via exact match instead of using
I left you one more comment about reading + updating the field. Once that's resolved I'm happy to merge this 😉
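The retry-on-conflict approach with an exact error-code match, as discussed in the review comments above, written out as an added example (not code from this PR or from Terraform). `codedError`, `apiError`, `isConflict` and `deleteWithRetry` are hypothetical names; `codedError` is a local stand-in for the `Code()` method of the AWS SDK's `awserr.Error`, and the sample errors and timings are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// codedError mirrors Code() from the AWS SDK's awserr.Error (assumed stand-in, no SDK needed).
type codedError interface {
	error
	Code() string
}

// apiError is a constructed error type used only as sample input.
type apiError struct{ code, msg string }

func (e apiError) Error() string { return e.code + ": " + e.msg }
func (e apiError) Code() string  { return e.code }

// isConflict compares the error code exactly; it never scans message text.
func isConflict(err error) bool {
	var ce codedError
	return errors.As(err, &ce) && ce.Code() == "ConflictException"
}

// deleteWithRetry retries del while it reports a conflict; other errors return at once.
func deleteWithRetry(del func() error, timeout, interval time.Duration) (int, error) {
	deadline := time.Now().Add(timeout)
	for attempt := 1; ; attempt++ {
		err := del()
		if err == nil || !isConflict(err) {
			return attempt, err
		}
		if time.Now().Add(interval).After(deadline) {
			return attempt, fmt.Errorf("still referenced after %s: %w", timeout, err)
		}
		time.Sleep(interval)
	}
}

func main() {
	calls := 0
	fmt.Println(deleteWithRetry(func() error {
		if calls++; calls < 3 { // constructed: the reference clears on the 3rd call
			return apiError{"ConflictException", "authorizer still in use"}
		}
		return nil
	}, time.Second, 10*time.Millisecond))
}
```

An error whose message only mentions ConflictException but carries a different code is returned on the first attempt, which a substring match would have retried or ignored.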
+1 for merging.
Closed in favour of #8535
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
I see that there is already an AWS APIGateway Authorizer. I'm going to try to wire up the resource to an AWS APIGateway method. Looking for feedback along the way :). This is a WIP placeholder unless someone else can beat me to it.