[WIP] AWS APIGateway Custom Authorizer #6731
@@ -45,6 +45,11 @@ func resourceAwsApiGatewayMethod() *schema.Resource { | |
Required: true, | ||
}, | ||
|
||
"authorizer_id": &schema.Schema{ | ||
Type: schema.TypeString, | ||
Optional: true, | ||
}, | ||
|
||
"api_key_required": &schema.Schema{ | ||
Type: schema.TypeBool, | ||
Optional: true, | ||
|
@@ -89,6 +94,7 @@ func resourceAwsApiGatewayMethodCreate(d *schema.ResourceData, meta interface{}) | |
// TODO reimplement once [GH-2143](https://github.com/hashicorp/terraform/issues/2143) has been implemented | ||
RequestParameters: aws.BoolMap(parameters), | ||
ApiKeyRequired: aws.Bool(d.Get("api_key_required").(bool)), | ||
AuthorizerId: aws.String(d.Get("authorizer_id").(string)), | ||
I think we'll need to update the other functions too so that the user can change the i.e.
and There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If this all works for you, let's On Monday, July 25, 2016, Radek Simko notifications@github.com wrote:
It works for the common workflow - i.e. create/destroy; it doesn't work for update and won't work for import either when we add it.
||
}) | ||
if err != nil { | ||
return fmt.Errorf("Error creating API Gateway Method: %s", err) | ||
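Review bot: The new `AuthorizerId: aws.String(d.Get("authorizer_id").(string))` line sets the field unconditionally, so every create sends an authorizer id (an empty string when the attribute is unset) regardless of whether `authorization` is `CUSTOM`, and nothing in the schema hunk rejects `authorization = "CUSTOM"` without an `authorizer_id`. I would only populate the field when it is present — `if v, ok := d.GetOk("authorizer_id"); ok { input.AuthorizerId = aws.String(v.(string)) }` — which means pulling the `PutMethodInput` literal into a local before the call, and fail the create before reaching the API when `authorization` is `CUSTOM` and `authorizer_id` is empty, since a method that silently ends up without an authorizer is callable by anyone. Whether the API tolerates an empty authorizer id on non-`CUSTOM` methods is worth confirming rather than relying on. resourceAwsApiGatewayMethodCreate starts and ends outside the hunk, and the schema block at the first hunk is likewise cut at both edges.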
|
@@ -44,12 +44,45 @@ func TestAccAWSAPIGatewayMethod_basic(t *testing.T) { | |
}) | ||
} | ||
|
||
func TestAccAWSAPIGatewayMethod_customauthorizer(t *testing.T) { | ||
var conf apigateway.Method | ||
|
||
resource.Test(t, resource.TestCase{ | ||
PreCheck: func() { testAccPreCheck(t) }, | ||
Providers: testAccProviders, | ||
CheckDestroy: testAccCheckAWSAPIGatewayMethodDestroy, | ||
Steps: []resource.TestStep{ | ||
resource.TestStep{ | ||
Config: testAccAWSAPIGatewayMethodConfigWithCustomAuthorizer, | ||
Check: resource.ComposeTestCheckFunc( | ||
testAccCheckAWSAPIGatewayMethodExists("aws_api_gateway_method.test", &conf), | ||
testAccCheckAWSAPIGatewayMethodAttributes(&conf), | ||
resource.TestCheckResourceAttr( | ||
"aws_api_gateway_method.test", "http_method", "GET"), | ||
resource.TestCheckResourceAttr( | ||
"aws_api_gateway_method.test", "authorization", "CUSTOM"), | ||
resource.TestCheckResourceAttr( | ||
"aws_api_gateway_method.test", "request_models.application/json", "Error"), | ||
), | ||
}, | ||
|
||
resource.TestStep{ | ||
Config: testAccAWSAPIGatewayMethodConfigUpdate, | ||
Check: resource.ComposeTestCheckFunc( | ||
testAccCheckAWSAPIGatewayMethodExists("aws_api_gateway_method.test", &conf), | ||
testAccCheckAWSAPIGatewayMethodAttributesUpdate(&conf), | ||
), | ||
}, | ||
}, | ||
}) | ||
} | ||
|
||
func testAccCheckAWSAPIGatewayMethodAttributes(conf *apigateway.Method) resource.TestCheckFunc { | ||
return func(s *terraform.State) error { | ||
if *conf.HttpMethod != "GET" { | ||
return fmt.Errorf("Wrong HttpMethod: %q", *conf.HttpMethod) | ||
} | ||
if *conf.AuthorizationType != "NONE" { | ||
if *conf.AuthorizationType != "NONE" && *conf.AuthorizationType != "CUSTOM" { | ||
return fmt.Errorf("Wrong Authorization: %q", *conf.AuthorizationType) | ||
} | ||
|
||
|
@@ -154,6 +187,108 @@ func testAccCheckAWSAPIGatewayMethodDestroy(s *terraform.State) error { | |
return nil | ||
} | ||
|
||
const testAccAWSAPIGatewayMethodConfigWithCustomAuthorizer = ` | ||
resource "aws_api_gateway_rest_api" "test" { | ||
name = "test" | ||
Probably a nitpick, but it may be better to give the API a unique name, e.g.
||
} | ||
|
||
resource "aws_iam_role" "invocation_role" { | ||
name = "tf_acc_api_gateway_auth_invocation_role" | ||
path = "/" | ||
assume_role_policy = <<EOF | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Action": "sts:AssumeRole", | ||
"Principal": { | ||
"Service": "apigateway.amazonaws.com" | ||
}, | ||
"Effect": "Allow", | ||
"Sid": "" | ||
} | ||
] | ||
} | ||
EOF | ||
} | ||
|
||
resource "aws_iam_role_policy" "invocation_policy" { | ||
name = "default" | ||
role = "${aws_iam_role.invocation_role.id}" | ||
policy = <<EOF | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Action": "lambda:InvokeFunction", | ||
"Effect": "Allow", | ||
"Resource": "${aws_lambda_function.authorizer.arn}" | ||
} | ||
] | ||
} | ||
EOF | ||
} | ||
|
||
resource "aws_iam_role" "iam_for_lambda" { | ||
name = "tf_acc_iam_for_lambda_api_gateway_authorizer" | ||
assume_role_policy = <<EOF | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Action": "sts:AssumeRole", | ||
"Principal": { | ||
"Service": "lambda.amazonaws.com" | ||
}, | ||
"Effect": "Allow", | ||
"Sid": "" | ||
} | ||
] | ||
} | ||
EOF | ||
} | ||
|
||
resource "aws_lambda_function" "authorizer" { | ||
filename = "test-fixtures/lambdatest.zip" | ||
source_code_hash = "${base64sha256(file("test-fixtures/lambdatest.zip"))}" | ||
function_name = "tf_acc_api_gateway_authorizer" | ||
role = "${aws_iam_role.iam_for_lambda.arn}" | ||
handler = "exports.example" | ||
} | ||
|
||
resource "aws_api_gateway_authorizer" "test" { | ||
name = "tf-acc-test-authorizer" | ||
rest_api_id = "${aws_api_gateway_rest_api.test.id}" | ||
authorizer_uri = "arn:aws:apigateway:region:lambda:path/2015-03-31/functions/${aws_lambda_function.authorizer.arn}/invocations" | ||
authorizer_credentials = "${aws_iam_role.invocation_role.arn}" | ||
} | ||
|
||
resource "aws_api_gateway_resource" "test" { | ||
rest_api_id = "${aws_api_gateway_rest_api.test.id}" | ||
parent_id = "${aws_api_gateway_rest_api.test.root_resource_id}" | ||
path_part = "test" | ||
} | ||
|
||
resource "aws_api_gateway_method" "test" { | ||
rest_api_id = "${aws_api_gateway_rest_api.test.id}" | ||
resource_id = "${aws_api_gateway_resource.test.id}" | ||
http_method = "GET" | ||
authorization = "CUSTOM" | ||
authorizer_id = "${aws_api_gateway_authorizer.test.id}" | ||
I think this is the tricky part. Because I have a reference to the
in what situation exactly? on complete
|
||
|
||
request_models = { | ||
"application/json" = "Error" | ||
} | ||
|
||
request_parameters_in_json = <<PARAMS | ||
{ | ||
"method.request.header.Content-Type": false, | ||
"method.request.querystring.page": true | ||
} | ||
PARAMS | ||
} | ||
` | ||
|
||
const testAccAWSAPIGatewayMethodConfig = ` | ||
resource "aws_api_gateway_rest_api" "test" { | ||
name = "test" | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As long as the authorizer is managed in the same terraform scope and is referenced properly (i.e. not hardcoded authorizer IDs in methods) Terraform will schedule the deletion correctly by default - i.e. for complete destruction
1st method => 2nd authorizer
. Have a look at the dependency graph via `terraform graph`. 😉 The only issue that may theoretically arise is eventual consistency of the AWS API (or the implementation of it) - i.e. the `authorizer_id` change may take time to propagate. We usually just retry the deletion in such cases with a reasonable timeout. Did you experience this problem yourself @johnjelinek?
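Review bot: Widening the condition in testAccCheckAWSAPIGatewayMethodAttributes to `*conf.AuthorizationType != "NONE" && *conf.AuthorizationType != "CUSTOM"` makes the shared helper accept either value, so TestAccAWSAPIGatewayMethod_customauthorizer would still pass if the method were created with `NONE`; the `resource.TestCheckResourceAttr(..., "authorization", "CUSTOM")` in the step only inspects Terraform state, not what the API returned in `conf`, and nothing checks that `conf.AuthorizerId` was actually applied. I would pass the expected authorization type into the helper and, for `CUSTOM`, require a non-empty `AuthorizerId`, updating the existing `_basic` call site (outside this hunk) to pass `"NONE"`. Separately, `authorizer_uri` in testAccAWSAPIGatewayMethodConfigWithCustomAuthorizer uses the literal `region` segment in `arn:aws:apigateway:region:lambda:path/...`, which looks like a placeholder rather than the provider's region — worth confirming against a real run. The rest of the helper's body continues outside the hunk.
```go
func testAccCheckAWSAPIGatewayMethodAttributes(conf *apigateway.Method, wantAuth string) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		// … unchanged: HttpMethod check …
		if conf.AuthorizationType == nil || *conf.AuthorizationType != wantAuth {
			return fmt.Errorf("Wrong Authorization: %v, expected %q", conf.AuthorizationType, wantAuth)
		}
		// A CUSTOM method without an authorizer bound is effectively unauthenticated.
		if wantAuth == "CUSTOM" && (conf.AuthorizerId == nil || *conf.AuthorizerId == "") {
			return fmt.Errorf("Expected a non-empty AuthorizerId for CUSTOM authorization")
		}
		// … unchanged: remaining attribute checks …
```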