From 2e56622c93289082309f10589bce37aca3b95c64 Mon Sep 17 00:00:00 2001 
From: Kit Ewbank Date: Fri, 18 Sep 2020 17:13:50 -0400 Subject: [PATCH 1/4] r/aws_apigatewayv2_authorizer: Support Lambda authorization options for HTTP APIs. Acceptance test output: $ make testacc TEST=./aws TESTARGS='-run=TestAccAWSAPIGatewayV2Authorizer_' ==> Checking that code complies with gofmt requirements... TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAPIGatewayV2Authorizer_ -timeout 120m === RUN TestAccAWSAPIGatewayV2Authorizer_basic === PAUSE TestAccAWSAPIGatewayV2Authorizer_basic === RUN TestAccAWSAPIGatewayV2Authorizer_disappears === PAUSE TestAccAWSAPIGatewayV2Authorizer_disappears === RUN TestAccAWSAPIGatewayV2Authorizer_Credentials === PAUSE TestAccAWSAPIGatewayV2Authorizer_Credentials === RUN TestAccAWSAPIGatewayV2Authorizer_JWT === PAUSE TestAccAWSAPIGatewayV2Authorizer_JWT === RUN TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer === PAUSE TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer === CONT TestAccAWSAPIGatewayV2Authorizer_basic === CONT TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer === CONT TestAccAWSAPIGatewayV2Authorizer_JWT === CONT TestAccAWSAPIGatewayV2Authorizer_Credentials === CONT TestAccAWSAPIGatewayV2Authorizer_disappears resource_aws_apigatewayv2_authorizer_test.go:59: [INFO] Got non-empty plan, as expected --- PASS: TestAccAWSAPIGatewayV2Authorizer_disappears (50.06s) --- PASS: TestAccAWSAPIGatewayV2Authorizer_basic (72.89s) --- PASS: TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer (87.77s) --- PASS: TestAccAWSAPIGatewayV2Authorizer_JWT (100.85s) --- PASS: TestAccAWSAPIGatewayV2Authorizer_Credentials (110.88s) PASS ok github.com/terraform-providers/terraform-provider-aws/aws 110.928s --- aws/resource_aws_apigatewayv2_authorizer.go | 44 +++- ...source_aws_apigatewayv2_authorizer_test.go | 211 ++++++++++++++---- .../r/apigatewayv2_authorizer.html.markdown | 11 +- 3 files changed, 212 insertions(+), 54 deletions(-) 
diff --git a/aws/resource_aws_apigatewayv2_authorizer.go b/aws/resource_aws_apigatewayv2_authorizer.go index 39e79bee38f9..80b4f4e4eba7 100644 --- a/aws/resource_aws_apigatewayv2_authorizer.go +++ b/aws/resource_aws_apigatewayv2_authorizer.go @@ -32,19 +32,30 @@ func resourceAwsApiGatewayV2Authorizer() *schema.Resource { Optional: true, ValidateFunc: validateArn, }, + "authorizer_payload_format_version": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: validation.StringInSlice([]string{"1.0", "2.0"}, false), + }, + "authorizer_result_ttl_in_seconds": { + Type: schema.TypeInt, + Optional: true, + ValidateFunc: validation.IntBetween(0, 3600), + }, "authorizer_type": { - Type: schema.TypeString, - Required: true, - ValidateFunc: validation.StringInSlice([]string{ - apigatewayv2.AuthorizerTypeJwt, - apigatewayv2.AuthorizerTypeRequest, - }, false), + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.StringInSlice(apigatewayv2.AuthorizerType_Values(), false), }, "authorizer_uri": { Type: schema.TypeString, Optional: true, ValidateFunc: validation.StringLenBetween(1, 2048), }, + "enable_simple_responses": { + Type: schema.TypeBool, + Optional: true, + }, "identity_sources": { Type: schema.TypeSet, Required: true, 
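Review bot: The `authorizer_result_ttl_in_seconds` entry in this schema hunk has no comment saying that a non-zero value makes API Gateway reuse an earlier authorizer result, which is what the website text in this patch describes. That matters when reviewing a configuration, because a cached allow can stay in effect for up to 3600 seconds after the Lambda would have started to deny. I would add `// 0 disables authorizer result caching; 1-3600 reuses a cached result for that many seconds.` above the entry. The schema also accepts the three new attributes for any `authorizer_type`, while the documentation limits them to HTTP API Lambda authorizers, so a misuse is presumably reported only by the service at apply time. The schema map continues outside the hunk.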
@@ -91,9 +102,18 @@ func resourceAwsApiGatewayV2AuthorizerCreate(d *schema.ResourceData, meta interf if v, ok := d.GetOk("authorizer_credentials_arn"); ok { req.AuthorizerCredentialsArn = aws.String(v.(string)) } + if v, ok := d.GetOk("authorizer_payload_format_version"); ok { + req.AuthorizerPayloadFormatVersion = aws.String(v.(string)) + } + if v, ok := d.GetOk("authorizer_result_ttl_in_seconds"); ok { + req.AuthorizerResultTtlInSeconds = aws.Int64(int64(v.(int))) + } if v, ok := d.GetOk("authorizer_uri"); ok { req.AuthorizerUri = aws.String(v.(string)) } + if v, ok := d.GetOk("enable_simple_responses"); ok { + req.EnableSimpleResponses = aws.Bool(v.(bool)) + } if v, ok := d.GetOk("jwt_configuration"); ok { req.JwtConfiguration = expandApiGateway2JwtConfiguration(v.([]interface{})) } @@ -126,8 +146,11 @@ func resourceAwsApiGatewayV2AuthorizerRead(d *schema.ResourceData, meta interfac } d.Set("authorizer_credentials_arn", resp.AuthorizerCredentialsArn) + d.Set("authorizer_payload_format_version", resp.AuthorizerPayloadFormatVersion) + d.Set("authorizer_result_ttl_in_seconds", resp.AuthorizerResultTtlInSeconds) d.Set("authorizer_type", resp.AuthorizerType) d.Set("authorizer_uri", resp.AuthorizerUri) + d.Set("enable_simple_responses", resp.EnableSimpleResponses) if err := d.Set("identity_sources", flattenStringSet(resp.IdentitySource)); err != nil { return fmt.Errorf("error setting identity_sources: %s", err) } 
@@ -149,12 +172,21 @@ func resourceAwsApiGatewayV2AuthorizerUpdate(d *schema.ResourceData, meta interf if d.HasChange("authorizer_credentials_arn") { req.AuthorizerCredentialsArn = aws.String(d.Get("authorizer_credentials_arn").(string)) } + if d.HasChange("authorizer_payload_format_version") { + req.AuthorizerPayloadFormatVersion = aws.String(d.Get("authorizer_payload_format_version").(string)) + } + if d.HasChange("authorizer_result_ttl_in_seconds") { + req.AuthorizerResultTtlInSeconds = aws.Int64(int64(d.Get("authorizer_result_ttl_in_seconds").(int))) + } if d.HasChange("authorizer_type") { req.AuthorizerType = aws.String(d.Get("authorizer_type").(string)) } if d.HasChange("authorizer_uri") { req.AuthorizerUri = aws.String(d.Get("authorizer_uri").(string)) } + if d.HasChange("enable_simple_responses") { + req.EnableSimpleResponses = aws.Bool(d.Get("enable_simple_responses").(bool)) + } if d.HasChange("identity_sources") { req.IdentitySource = expandStringSet(d.Get("identity_sources").(*schema.Set)) } diff --git a/aws/resource_aws_apigatewayv2_authorizer_test.go b/aws/resource_aws_apigatewayv2_authorizer_test.go index 1e2940fe1234..36622afe4907 100644 --- a/aws/resource_aws_apigatewayv2_authorizer_test.go +++ b/aws/resource_aws_apigatewayv2_authorizer_test.go 
@@ -29,8 +29,11 @@ func TestAccAWSAPIGatewayV2Authorizer_basic(t *testing.T) { Check: resource.ComposeTestCheckFunc( testAccCheckAWSAPIGatewayV2AuthorizerExists(resourceName, &apiId, &v), resource.TestCheckResourceAttr(resourceName, "authorizer_credentials_arn", ""), + resource.TestCheckResourceAttr(resourceName, "authorizer_payload_format_version", ""), + resource.TestCheckResourceAttr(resourceName, "authorizer_result_ttl_in_seconds", "0"), resource.TestCheckResourceAttr(resourceName, "authorizer_type", "REQUEST"), resource.TestCheckResourceAttrPair(resourceName, "authorizer_uri", lambdaResourceName, "invoke_arn"), + resource.TestCheckResourceAttr(resourceName, "enable_simple_responses", "false"), resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "1"), tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "route.request.header.Auth"), resource.TestCheckResourceAttr(resourceName, "jwt_configuration.#", "0"), @@ -62,7 +65,7 @@ func TestAccAWSAPIGatewayV2Authorizer_disappears(t *testing.T) { Config: testAccAWSAPIGatewayV2AuthorizerConfig_basic(rName), Check: resource.ComposeTestCheckFunc( testAccCheckAWSAPIGatewayV2AuthorizerExists(resourceName, &apiId, &v), - testAccCheckAWSAPIGatewayV2AuthorizerDisappears(&apiId, &v), + testAccCheckResourceDisappears(testAccProvider, resourceAwsApiGatewayV2Authorizer(), resourceName), ), ExpectNonEmptyPlan: true, }, 
@@ -88,8 +91,11 @@ func TestAccAWSAPIGatewayV2Authorizer_Credentials(t *testing.T) { Check: resource.ComposeTestCheckFunc( testAccCheckAWSAPIGatewayV2AuthorizerExists(resourceName, &apiId, &v), resource.TestCheckResourceAttrPair(resourceName, "authorizer_credentials_arn", iamRoleResourceName, "arn"), + resource.TestCheckResourceAttr(resourceName, "authorizer_payload_format_version", ""), + resource.TestCheckResourceAttr(resourceName, "authorizer_result_ttl_in_seconds", "0"), resource.TestCheckResourceAttr(resourceName, "authorizer_type", "REQUEST"), resource.TestCheckResourceAttrPair(resourceName, "authorizer_uri", lambdaResourceName, "invoke_arn"), + resource.TestCheckResourceAttr(resourceName, "enable_simple_responses", "false"), resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "1"), tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "route.request.header.Auth"), resource.TestCheckResourceAttr(resourceName, "jwt_configuration.#", "0"), @@ -108,7 +114,10 @@ func TestAccAWSAPIGatewayV2Authorizer_Credentials(t *testing.T) { testAccCheckAWSAPIGatewayV2AuthorizerExists(resourceName, &apiId, &v), resource.TestCheckResourceAttrPair(resourceName, "authorizer_credentials_arn", iamRoleResourceName, "arn"), resource.TestCheckResourceAttr(resourceName, "authorizer_type", "REQUEST"), + resource.TestCheckResourceAttr(resourceName, "authorizer_payload_format_version", ""), + resource.TestCheckResourceAttr(resourceName, "authorizer_result_ttl_in_seconds", "0"), resource.TestCheckResourceAttrPair(resourceName, "authorizer_uri", lambdaResourceName, "invoke_arn"), + resource.TestCheckResourceAttr(resourceName, "enable_simple_responses", "false"), resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "2"), tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "route.request.header.Auth"), tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "route.request.querystring.Name"), 
@@ -122,7 +131,10 @@ func TestAccAWSAPIGatewayV2Authorizer_Credentials(t *testing.T) { testAccCheckAWSAPIGatewayV2AuthorizerExists(resourceName, &apiId, &v), resource.TestCheckResourceAttr(resourceName, "authorizer_credentials_arn", ""), resource.TestCheckResourceAttr(resourceName, "authorizer_type", "REQUEST"), + resource.TestCheckResourceAttr(resourceName, "authorizer_payload_format_version", ""), + resource.TestCheckResourceAttr(resourceName, "authorizer_result_ttl_in_seconds", "0"), resource.TestCheckResourceAttrPair(resourceName, "authorizer_uri", lambdaResourceName, "invoke_arn"), + resource.TestCheckResourceAttr(resourceName, "enable_simple_responses", "false"), resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "1"), tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "route.request.header.Auth"), resource.TestCheckResourceAttr(resourceName, "jwt_configuration.#", "0"), @@ -149,8 +161,11 @@ func TestAccAWSAPIGatewayV2Authorizer_JWT(t *testing.T) { Check: resource.ComposeTestCheckFunc( testAccCheckAWSAPIGatewayV2AuthorizerExists(resourceName, &apiId, &v), resource.TestCheckResourceAttr(resourceName, "authorizer_credentials_arn", ""), + resource.TestCheckResourceAttr(resourceName, "authorizer_payload_format_version", ""), + resource.TestCheckResourceAttr(resourceName, "authorizer_result_ttl_in_seconds", "0"), resource.TestCheckResourceAttr(resourceName, "authorizer_type", "JWT"), resource.TestCheckResourceAttr(resourceName, "authorizer_uri", ""), + resource.TestCheckResourceAttr(resourceName, "enable_simple_responses", "false"), resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "1"), tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "$request.header.Authorization"), resource.TestCheckResourceAttr(resourceName, "jwt_configuration.#", "1"), 
@@ -170,8 +185,11 @@ func TestAccAWSAPIGatewayV2Authorizer_JWT(t *testing.T) { Check: resource.ComposeTestCheckFunc( testAccCheckAWSAPIGatewayV2AuthorizerExists(resourceName, &apiId, &v), resource.TestCheckResourceAttr(resourceName, "authorizer_credentials_arn", ""), + resource.TestCheckResourceAttr(resourceName, "authorizer_payload_format_version", ""), + resource.TestCheckResourceAttr(resourceName, "authorizer_result_ttl_in_seconds", "0"), resource.TestCheckResourceAttr(resourceName, "authorizer_type", "JWT"), resource.TestCheckResourceAttr(resourceName, "authorizer_uri", ""), + resource.TestCheckResourceAttr(resourceName, "enable_simple_responses", "false"), resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "1"), tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "$request.header.Authorization"), resource.TestCheckResourceAttr(resourceName, "jwt_configuration.#", "1"), 
@@ -185,6 +203,61 @@ func TestAccAWSAPIGatewayV2Authorizer_JWT(t *testing.T) { }) } +func TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer(t *testing.T) { + var apiId string + var v apigatewayv2.GetAuthorizerOutput + resourceName := "aws_apigatewayv2_authorizer.test" + lambdaResourceName := "aws_lambda_function.test" + rName := acctest.RandomWithPrefix("tf-acc-test") + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSAPIGatewayV2AuthorizerDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSAPIGatewayV2AuthorizerConfig_httpApiLambdaRequestAuthorizer(rName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSAPIGatewayV2AuthorizerExists(resourceName, &apiId, &v), + resource.TestCheckResourceAttr(resourceName, "authorizer_credentials_arn", ""), + resource.TestCheckResourceAttr(resourceName, "authorizer_payload_format_version", "2.0"), + resource.TestCheckResourceAttr(resourceName, "authorizer_result_ttl_in_seconds", "600"), + resource.TestCheckResourceAttr(resourceName, "authorizer_type", "REQUEST"), + resource.TestCheckResourceAttrPair(resourceName, "authorizer_uri", lambdaResourceName, "invoke_arn"), + resource.TestCheckResourceAttr(resourceName, "enable_simple_responses", "true"), + resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "1"), + tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "$request.header.Auth"), + resource.TestCheckResourceAttr(resourceName, "jwt_configuration.#", "0"), + resource.TestCheckResourceAttr(resourceName, "name", rName), + ), + }, + { + ResourceName: resourceName, + ImportStateIdFunc: testAccAWSAPIGatewayV2AuthorizerImportStateIdFunc(resourceName), + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccAWSAPIGatewayV2AuthorizerConfig_httpApiLambdaRequestAuthorizerUpdated(rName), + Check: resource.ComposeTestCheckFunc( + 
testAccCheckAWSAPIGatewayV2AuthorizerExists(resourceName, &apiId, &v), + resource.TestCheckResourceAttr(resourceName, "authorizer_credentials_arn", ""), + resource.TestCheckResourceAttr(resourceName, "authorizer_payload_format_version", "1.0"), + resource.TestCheckResourceAttr(resourceName, "authorizer_result_ttl_in_seconds", "3600"), + resource.TestCheckResourceAttr(resourceName, "authorizer_type", "REQUEST"), + resource.TestCheckResourceAttrPair(resourceName, "authorizer_uri", lambdaResourceName, "invoke_arn"), + resource.TestCheckResourceAttr(resourceName, "enable_simple_responses", "false"), + resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "2"), + tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "$request.querystring.User"), + tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "$context.routeKey"), + resource.TestCheckResourceAttr(resourceName, "jwt_configuration.#", "0"), + resource.TestCheckResourceAttr(resourceName, "name", rName), + ), + }, + }, + }) +} + func testAccCheckAWSAPIGatewayV2AuthorizerDestroy(s *terraform.State) error { conn := testAccProvider.Meta().(*AWSClient).apigatewayv2conn @@ -210,19 +283,6 @@ func testAccCheckAWSAPIGatewayV2AuthorizerDestroy(s *terraform.State) error { return nil } -func testAccCheckAWSAPIGatewayV2AuthorizerDisappears(apiId *string, v *apigatewayv2.GetAuthorizerOutput) resource.TestCheckFunc { - return func(s *terraform.State) error { - conn := testAccProvider.Meta().(*AWSClient).apigatewayv2conn - - _, err := conn.DeleteAuthorizer(&apigatewayv2.DeleteAuthorizerInput{ - ApiId: apiId, - AuthorizerId: v.AuthorizerId, - }) - - return err - } -} - func testAccCheckAWSAPIGatewayV2AuthorizerExists(n string, vApiId *string, v *apigatewayv2.GetAuthorizerOutput) resource.TestCheckFunc { return func(s *terraform.State) error { rs, ok := s.RootModule().Resources[n] 
@@ -263,8 +323,27 @@ func testAccAWSAPIGatewayV2AuthorizerImportStateIdFunc(resourceName string) reso } } -func testAccAWSAPIGatewayV2AuthorizerConfig_baseWebSocket(rName string) string { - return baseAccAWSLambdaConfig(rName, rName, rName) + fmt.Sprintf(` +func testAccAWSAPIGatewayV2AuthorizerConfig_apiWebSocket(rName string) string { + return fmt.Sprintf(` +resource "aws_apigatewayv2_api" "test" { + name = %[1]q + protocol_type = "WEBSOCKET" + route_selection_expression = "$request.body.action" +} +`, rName) +} + +func testAccAWSAPIGatewayV2AuthorizerConfig_apiHttp(rName string) string { + return fmt.Sprintf(` +resource "aws_apigatewayv2_api" "test" { + name = %[1]q + protocol_type = "HTTP" +} +`, rName) +} + +func testAccAWSAPIGatewayV2AuthorizerConfig_baseLambda(rName string) string { + return composeConfig(baseAccAWSLambdaConfig(rName, rName, rName), fmt.Sprintf(` resource "aws_lambda_function" "test" { filename = "test-fixtures/lambdatest.zip" function_name = %[1]q @@ -273,12 +352,6 @@ resource "aws_lambda_function" "test" { runtime = "nodejs10.x" } -resource "aws_apigatewayv2_api" "test" { - name = %[1]q - protocol_type = "WEBSOCKET" - route_selection_expression = "$request.body.action" -} - resource "aws_iam_role" "test" { name = "%[1]s_auth_invocation_role" path = "/" 
@@ -294,24 +367,14 @@ resource "aws_iam_role" "test" { } EOF } -`, rName) -} - -func testAccAWSAPIGatewayV2AuthorizerConfig_baseHttp(rName string) string { - return baseAccAWSLambdaConfig(rName, rName, rName) + fmt.Sprintf(` -resource "aws_apigatewayv2_api" "test" { - name = %[1]q - protocol_type = "HTTP" -} - -resource "aws_cognito_user_pool" "test" { - name = %[1]q -} -`, rName) +`, rName)) } func testAccAWSAPIGatewayV2AuthorizerConfig_basic(rName string) string { - return testAccAWSAPIGatewayV2AuthorizerConfig_baseWebSocket(rName) + fmt.Sprintf(` + return composeConfig( + testAccAWSAPIGatewayV2AuthorizerConfig_apiWebSocket(rName), + testAccAWSAPIGatewayV2AuthorizerConfig_baseLambda(rName), + fmt.Sprintf(` resource "aws_apigatewayv2_authorizer" "test" { api_id = aws_apigatewayv2_api.test.id authorizer_type = "REQUEST" @@ -319,11 +382,14 @@ resource "aws_apigatewayv2_authorizer" "test" { identity_sources = ["route.request.header.Auth"] name = %[1]q } -`, rName) +`, rName)) } func testAccAWSAPIGatewayV2AuthorizerConfig_credentials(rName string) string { - return testAccAWSAPIGatewayV2AuthorizerConfig_baseWebSocket(rName) + fmt.Sprintf(` + return composeConfig( + testAccAWSAPIGatewayV2AuthorizerConfig_apiWebSocket(rName), + testAccAWSAPIGatewayV2AuthorizerConfig_baseLambda(rName), + fmt.Sprintf(` resource "aws_apigatewayv2_authorizer" "test" { api_id = aws_apigatewayv2_api.test.id authorizer_type = "REQUEST" 
@@ -333,11 +399,14 @@ resource "aws_apigatewayv2_authorizer" "test" { authorizer_credentials_arn = aws_iam_role.test.arn } -`, rName) +`, rName)) } func testAccAWSAPIGatewayV2AuthorizerConfig_credentialsUpdated(rName string) string { - return testAccAWSAPIGatewayV2AuthorizerConfig_baseWebSocket(rName) + fmt.Sprintf(` + return composeConfig( + testAccAWSAPIGatewayV2AuthorizerConfig_apiWebSocket(rName), + testAccAWSAPIGatewayV2AuthorizerConfig_baseLambda(rName), + fmt.Sprintf(` resource "aws_apigatewayv2_authorizer" "test" { api_id = aws_apigatewayv2_api.test.id authorizer_type = "REQUEST" @@ -347,11 +416,18 @@ resource "aws_apigatewayv2_authorizer" "test" { authorizer_credentials_arn = aws_iam_role.test.arn } -`, rName) +`, rName)) } func testAccAWSAPIGatewayV2AuthorizerConfig_jwt(rName string) string { - return testAccAWSAPIGatewayV2AuthorizerConfig_baseHttp(rName) + fmt.Sprintf(` + return composeConfig( + testAccAWSAPIGatewayV2AuthorizerConfig_apiHttp(rName), + testAccAWSAPIGatewayV2AuthorizerConfig_baseLambda(rName), + fmt.Sprintf(` +resource "aws_cognito_user_pool" "test" { + name = %[1]q +} + resource "aws_apigatewayv2_authorizer" "test" { api_id = aws_apigatewayv2_api.test.id authorizer_type = "JWT" @@ -363,11 +439,18 @@ resource "aws_apigatewayv2_authorizer" "test" { issuer = "https://${aws_cognito_user_pool.test.endpoint}" } } -`, rName) +`, rName)) } func testAccAWSAPIGatewayV2AuthorizerConfig_jwtUpdated(rName string) string { - return testAccAWSAPIGatewayV2AuthorizerConfig_baseHttp(rName) + fmt.Sprintf(` + return composeConfig( + testAccAWSAPIGatewayV2AuthorizerConfig_apiHttp(rName), + testAccAWSAPIGatewayV2AuthorizerConfig_baseLambda(rName), + fmt.Sprintf(` +resource "aws_cognito_user_pool" "test" { + name = %[1]q +} + resource "aws_apigatewayv2_authorizer" "test" { api_id = aws_apigatewayv2_api.test.id authorizer_type = "JWT" 
@@ -379,5 +462,41 @@ resource "aws_apigatewayv2_authorizer" "test" { issuer = "https://${aws_cognito_user_pool.test.endpoint}" } } -`, rName) +`, rName)) +} + +func testAccAWSAPIGatewayV2AuthorizerConfig_httpApiLambdaRequestAuthorizer(rName string) string { + return composeConfig( + testAccAWSAPIGatewayV2AuthorizerConfig_apiHttp(rName), + testAccAWSAPIGatewayV2AuthorizerConfig_baseLambda(rName), + fmt.Sprintf(` +resource "aws_apigatewayv2_authorizer" "test" { + api_id = aws_apigatewayv2_api.test.id + authorizer_payload_format_version = "2.0" + authorizer_result_ttl_in_seconds = 600 + authorizer_type = "REQUEST" + authorizer_uri = aws_lambda_function.test.invoke_arn + enable_simple_responses = true + identity_sources = ["$request.header.Auth"] + name = %[1]q +} +`, rName)) +} + +func testAccAWSAPIGatewayV2AuthorizerConfig_httpApiLambdaRequestAuthorizerUpdated(rName string) string { + return composeConfig( + testAccAWSAPIGatewayV2AuthorizerConfig_apiHttp(rName), + testAccAWSAPIGatewayV2AuthorizerConfig_baseLambda(rName), + fmt.Sprintf(` +resource "aws_apigatewayv2_authorizer" "test" { + api_id = aws_apigatewayv2_api.test.id + authorizer_payload_format_version = "1.0" + authorizer_result_ttl_in_seconds = 3600 + authorizer_type = "REQUEST" + authorizer_uri = aws_lambda_function.test.invoke_arn + enable_simple_responses = false + identity_sources = ["$request.querystring.User", "$context.routeKey"] + name = %[1]q +} +`, rName)) } diff --git a/website/docs/r/apigatewayv2_authorizer.html.markdown b/website/docs/r/apigatewayv2_authorizer.html.markdown index dd604ad284a3..f63df82740f1 100644 --- a/website/docs/r/apigatewayv2_authorizer.html.markdown +++ b/website/docs/r/apigatewayv2_authorizer.html.markdown 
@@ -47,17 +47,24 @@ The following arguments are supported: * `api_id` - (Required) The API identifier. * `authorizer_type` - (Required) The authorizer type. Valid values: `JWT`, `REQUEST`. -For WebSocket APIs, specify `REQUEST` for a Lambda function using incoming request parameters. - For HTTP APIs, specify `JWT` to use JSON Web Tokens. +Specify `REQUEST` for a Lambda function using incoming request parameters. +For HTTP APIs, specify `JWT` to use JSON Web Tokens. * `identity_sources` - (Required) The identity sources for which authorization is requested. For `REQUEST` authorizers the value is a list of one or more mapping expressions of the specified request parameters. For `JWT` authorizers the single entry specifies where to extract the JSON Web Token (JWT) from inbound requests. * `name` - (Required) The name of the authorizer. * `authorizer_credentials_arn` - (Optional) The required credentials as an IAM role for API Gateway to invoke the authorizer. Supported only for `REQUEST` authorizers. +* `authorizer_payload_format_version` - (Optional) The format of the payload sent to an HTTP API Lambda authorizer. Required for HTTP API Lambda authorizers. +Valid values: `1.0`, `2.0`. +* `authorizer_result_ttl_in_seconds` - (Optional) The time to live (TTL) for cached authorizer results, in seconds. If it equals 0, authorization caching is disabled. +If it is greater than 0, API Gateway caches authorizer responses. The maximum value is 3600, or 1 hour. +Supported only for HTTP API Lambda authorizers. * `authorizer_uri` - (Optional) The authorizer's Uniform Resource Identifier (URI). For `REQUEST` authorizers this must be a well-formed Lambda function URI, such as the `invoke_arn` attribute of the [`aws_lambda_function`](/docs/providers/aws/r/lambda_function.html) resource. Supported only for `REQUEST` authorizers. +* `enable_simple_responses` - (Optional) Whether a Lambda authorizer returns a response in a simple format. 
If enabled, the Lambda authorizer can return a boolean value instead of an IAM policy. +Supported only for HTTP APIs. * `jwt_configuration` - (Optional) The configuration of a JWT authorizer. Required for the `JWT` authorizer type. Supported only for HTTP APIs. From 94931f7883c3e49682db0f3c50448474b6e4a35e Mon Sep 17 00:00:00 2001 
From: Kit Ewbank Date: Mon, 21 Sep 2020 09:54:26 -0400 Subject: [PATCH 2/4] r/aws_apigatewayv2_authorizer: Make 'identity_sources' optional. Acceptance test output: $ make testacc TEST=./aws TESTARGS='-run=TestAccAWSAPIGatewayV2Authorizer_' ==> Checking that code complies with gofmt requirements... TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAPIGatewayV2Authorizer_ -timeout 120m === RUN TestAccAWSAPIGatewayV2Authorizer_basic === PAUSE TestAccAWSAPIGatewayV2Authorizer_basic === RUN TestAccAWSAPIGatewayV2Authorizer_disappears === PAUSE TestAccAWSAPIGatewayV2Authorizer_disappears === RUN TestAccAWSAPIGatewayV2Authorizer_Credentials === PAUSE TestAccAWSAPIGatewayV2Authorizer_Credentials === RUN TestAccAWSAPIGatewayV2Authorizer_JWT === PAUSE TestAccAWSAPIGatewayV2Authorizer_JWT === RUN TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer === PAUSE TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer === CONT TestAccAWSAPIGatewayV2Authorizer_basic === CONT TestAccAWSAPIGatewayV2Authorizer_JWT === CONT TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer === CONT TestAccAWSAPIGatewayV2Authorizer_Credentials === CONT TestAccAWSAPIGatewayV2Authorizer_disappears --- PASS: TestAccAWSAPIGatewayV2Authorizer_basic (58.65s) === CONT TestAccAWSAPIGatewayV2Authorizer_disappears resource_aws_apigatewayv2_authorizer_test.go:58: [INFO] Got non-empty plan, as expected --- PASS: TestAccAWSAPIGatewayV2Authorizer_disappears (70.72s) --- PASS: TestAccAWSAPIGatewayV2Authorizer_JWT (86.07s) --- PASS: TestAccAWSAPIGatewayV2Authorizer_Credentials (93.11s) --- PASS: TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer (98.31s) PASS ok github.com/terraform-providers/terraform-provider-aws/aws 98.353s --- aws/resource_aws_apigatewayv2_authorizer.go | 3 +-- aws/resource_aws_apigatewayv2_authorizer_test.go | 15 ++++++--------- .../docs/r/apigatewayv2_authorizer.html.markdown | 6 +++--- 3 files changed, 10 insertions(+), 14 deletions(-) 
diff --git a/aws/resource_aws_apigatewayv2_authorizer.go b/aws/resource_aws_apigatewayv2_authorizer.go index 80b4f4e4eba7..d3385933aacd 100644 --- a/aws/resource_aws_apigatewayv2_authorizer.go +++ b/aws/resource_aws_apigatewayv2_authorizer.go @@ -58,8 +58,7 @@ func resourceAwsApiGatewayV2Authorizer() *schema.Resource { }, "identity_sources": { Type: schema.TypeSet, - Required: true, - MinItems: 1, + Optional: true, Elem: &schema.Schema{Type: schema.TypeString}, }, "jwt_configuration": { diff --git a/aws/resource_aws_apigatewayv2_authorizer_test.go b/aws/resource_aws_apigatewayv2_authorizer_test.go index 36622afe4907..9027b543ed02 100644 --- a/aws/resource_aws_apigatewayv2_authorizer_test.go +++ b/aws/resource_aws_apigatewayv2_authorizer_test.go @@ -34,8 +34,7 @@ func TestAccAWSAPIGatewayV2Authorizer_basic(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "authorizer_type", "REQUEST"), resource.TestCheckResourceAttrPair(resourceName, "authorizer_uri", lambdaResourceName, "invoke_arn"), resource.TestCheckResourceAttr(resourceName, "enable_simple_responses", "false"), - resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "1"), - tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "route.request.header.Auth"), + resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "0"), resource.TestCheckResourceAttr(resourceName, "jwt_configuration.#", "0"), resource.TestCheckResourceAttr(resourceName, "name", rName), ), 
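Review bot: Dropping `Required` and `MinItems: 1` from `identity_sources` removes the only plan-time check that an authorizer names where its credential is read from. The documentation moved in this patch still says a `JWT` authorizer has a single entry telling API Gateway where to extract the token, so an empty set with `authorizer_type = "JWT"` is presumably rejected only by the service during apply. I would keep the attribute optional but add a cross-field check, for example in the resource's `CustomizeDiff`, that requires an entry for `JWT`, and put `// Optional for REQUEST authorizers only; a JWT authorizer needs one entry.` above the field. The schema map continues outside the hunk.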
@@ -135,8 +134,7 @@ func TestAccAWSAPIGatewayV2Authorizer_Credentials(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "authorizer_result_ttl_in_seconds", "0"), resource.TestCheckResourceAttrPair(resourceName, "authorizer_uri", lambdaResourceName, "invoke_arn"), resource.TestCheckResourceAttr(resourceName, "enable_simple_responses", "false"), - resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "1"), - tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "route.request.header.Auth"), + resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "0"), resource.TestCheckResourceAttr(resourceName, "jwt_configuration.#", "0"), resource.TestCheckResourceAttr(resourceName, "name", rName), ), @@ -376,11 +374,10 @@ func testAccAWSAPIGatewayV2AuthorizerConfig_basic(rName string) string { testAccAWSAPIGatewayV2AuthorizerConfig_baseLambda(rName), fmt.Sprintf(` resource "aws_apigatewayv2_authorizer" "test" { - api_id = aws_apigatewayv2_api.test.id - authorizer_type = "REQUEST" - authorizer_uri = aws_lambda_function.test.invoke_arn - identity_sources = ["route.request.header.Auth"] - name = %[1]q + api_id = aws_apigatewayv2_api.test.id + authorizer_type = "REQUEST" + authorizer_uri = aws_lambda_function.test.invoke_arn + name = %[1]q } `, rName)) } diff --git a/website/docs/r/apigatewayv2_authorizer.html.markdown b/website/docs/r/apigatewayv2_authorizer.html.markdown index f63df82740f1..8cf4240763e5 100644 --- a/website/docs/r/apigatewayv2_authorizer.html.markdown +++ b/website/docs/r/apigatewayv2_authorizer.html.markdown 
@@ -49,9 +49,6 @@ The following arguments are supported: * `authorizer_type` - (Required) The authorizer type. Valid values: `JWT`, `REQUEST`. Specify `REQUEST` for a Lambda function using incoming request parameters. For HTTP APIs, specify `JWT` to use JSON Web Tokens. -* `identity_sources` - (Required) The identity sources for which authorization is requested. -For `REQUEST` authorizers the value is a list of one or more mapping expressions of the specified request parameters. -For `JWT` authorizers the single entry specifies where to extract the JSON Web Token (JWT) from inbound requests. * `name` - (Required) The name of the authorizer. * `authorizer_credentials_arn` - (Optional) The required credentials as an IAM role for API Gateway to invoke the authorizer. Supported only for `REQUEST` authorizers. @@ -65,6 +62,9 @@ For `REQUEST` authorizers this must be a well-formed Lambda function URI, such a Supported only for `REQUEST` authorizers. * `enable_simple_responses` - (Optional) Whether a Lambda authorizer returns a response in a simple format. If enabled, the Lambda authorizer can return a boolean value instead of an IAM policy. Supported only for HTTP APIs. +* `identity_sources` - (Optional) The identity sources for which authorization is requested. +For `REQUEST` authorizers the value is a list of one or more mapping expressions of the specified request parameters. +For `JWT` authorizers the single entry specifies where to extract the JSON Web Token (JWT) from inbound requests. * `jwt_configuration` - (Optional) The configuration of a JWT authorizer. Required for the `JWT` authorizer type. Supported only for HTTP APIs. From b066e8508b66f56d2839ae75c8269a3a01bb4f63 Mon Sep 17 00:00:00 2001 
From: Kit Ewbank Date: Tue, 22 Sep 2020 11:07:03 -0400 Subject: [PATCH 3/4] r/aws_apigatewayv2_authorizer: Correctly handle result cache disabling. Acceptance test output: $ make testacc TEST=./aws TESTARGS='-run=TestAccAWSAPIGatewayV2Authorizer_' ==> Checking that code complies with gofmt requirements... TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAPIGatewayV2Authorizer_ -timeout 120m === RUN TestAccAWSAPIGatewayV2Authorizer_basic === PAUSE TestAccAWSAPIGatewayV2Authorizer_basic === RUN TestAccAWSAPIGatewayV2Authorizer_disappears === PAUSE TestAccAWSAPIGatewayV2Authorizer_disappears === RUN TestAccAWSAPIGatewayV2Authorizer_Credentials === PAUSE TestAccAWSAPIGatewayV2Authorizer_Credentials === RUN TestAccAWSAPIGatewayV2Authorizer_JWT === PAUSE TestAccAWSAPIGatewayV2Authorizer_JWT === RUN TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer === PAUSE TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer === CONT TestAccAWSAPIGatewayV2Authorizer_basic === CONT TestAccAWSAPIGatewayV2Authorizer_JWT === CONT TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer === CONT TestAccAWSAPIGatewayV2Authorizer_Credentials === CONT TestAccAWSAPIGatewayV2Authorizer_disappears resource_aws_apigatewayv2_authorizer_test.go:58: [INFO] Got non-empty plan, as expected --- PASS: TestAccAWSAPIGatewayV2Authorizer_disappears (57.32s) --- PASS: TestAccAWSAPIGatewayV2Authorizer_basic (65.45s) --- PASS: TestAccAWSAPIGatewayV2Authorizer_Credentials (86.23s) --- PASS: TestAccAWSAPIGatewayV2Authorizer_JWT (91.33s) --- PASS: TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer (92.73s) PASS ok github.com/terraform-providers/terraform-provider-aws/aws 92.780s --- .../service/apigatewayv2/finder/finder.go | 20 +++++++++++++ aws/resource_aws_apigatewayv2_authorizer.go | 21 ++++++++++++-- ...source_aws_apigatewayv2_authorizer_test.go | 28 +++++++++++++++---- .../r/apigatewayv2_authorizer.html.markdown | 2 +- 4 files changed, 62 
insertions(+), 9 deletions(-) create mode 100644 aws/internal/service/apigatewayv2/finder/finder.go diff --git a/aws/internal/service/apigatewayv2/finder/finder.go b/aws/internal/service/apigatewayv2/finder/finder.go new file mode 100644 index 000000000000..679475b65292 --- /dev/null +++ b/aws/internal/service/apigatewayv2/finder/finder.go @@ -0,0 +1,20 @@ +package finder + +import ( + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/service/apigatewayv2" +) + +// ApiByID returns the API corresponding to the specified ID. +func ApiByID(conn *apigatewayv2.ApiGatewayV2, apiID string) (*apigatewayv2.GetApiOutput, error) { + input := &apigatewayv2.GetApiInput{ + ApiId: aws.String(apiID), + } + + output, err := conn.GetApi(input) + if err != nil { + return nil, err + } + + return output, nil +} diff --git a/aws/resource_aws_apigatewayv2_authorizer.go b/aws/resource_aws_apigatewayv2_authorizer.go index d3385933aacd..cc258fb97571 100644 --- a/aws/resource_aws_apigatewayv2_authorizer.go +++ b/aws/resource_aws_apigatewayv2_authorizer.go @@ -9,6 +9,7 @@ import ( "github.com/aws/aws-sdk-go/service/apigatewayv2" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" + "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/apigatewayv2/finder" ) func resourceAwsApiGatewayV2Authorizer() *schema.Resource { @@ -40,6 +41,7 @@ func resourceAwsApiGatewayV2Authorizer() *schema.Resource { "authorizer_result_ttl_in_seconds": { Type: schema.TypeInt, Optional: true, + Computed: true, ValidateFunc: validation.IntBetween(0, 3600), }, "authorizer_type": { 
@@ -92,9 +94,20 @@ func resourceAwsApiGatewayV2Authorizer() *schema.Resource {
 func resourceAwsApiGatewayV2AuthorizerCreate(d *schema.ResourceData, meta interface{}) error {
 conn := meta.(*AWSClient).apigatewayv2conn
 
+ apiId := d.Get("api_id").(string)
+ authorizerType := d.Get("authorizer_type").(string)
+
+ apiOutput, err := finder.ApiByID(conn, apiId)
+
+ if err != nil {
+ return fmt.Errorf("error reading API Gateway v2 API (%s): %s", apiId, err)
+ }
+
+ protocolType := aws.StringValue(apiOutput.ProtocolType)
+
 req := &apigatewayv2.CreateAuthorizerInput{
- ApiId: aws.String(d.Get("api_id").(string)),
- AuthorizerType: aws.String(d.Get("authorizer_type").(string)),
+ ApiId: aws.String(apiId),
+ AuthorizerType: aws.String(authorizerType),
 IdentitySource: expandStringSet(d.Get("identity_sources").(*schema.Set)),
 Name: aws.String(d.Get("name").(string)),
 }
@@ -106,6 +119,10 @@ func resourceAwsApiGatewayV2AuthorizerCreate(d *schema.ResourceData, meta interf
 }
 if v, ok := d.GetOk("authorizer_result_ttl_in_seconds"); ok {
 req.AuthorizerResultTtlInSeconds = aws.Int64(int64(v.(int)))
+ } else if protocolType == apigatewayv2.ProtocolTypeHttp && authorizerType == apigatewayv2.AuthorizerTypeRequest {
+ // Default in the AWS Console is 300 seconds.
+ // Explicitly set on creation so that we can correctly detect changes to the 0 value.
+ req.AuthorizerResultTtlInSeconds = aws.Int64(300)
 }
 if v, ok := d.GetOk("authorizer_uri"); ok {
 req.AuthorizerUri = aws.String(v.(string))
diff --git a/aws/resource_aws_apigatewayv2_authorizer_test.go b/aws/resource_aws_apigatewayv2_authorizer_test.go
index 9027b543ed02..cd56daa2d7ca 100644
--- a/aws/resource_aws_apigatewayv2_authorizer_test.go
+++ b/aws/resource_aws_apigatewayv2_authorizer_test.go
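Review bot: The `finder.ApiByID` lookup added at the top of `resourceAwsApiGatewayV2AuthorizerCreate` runs on every create, although `protocolType` is read only by the `else if` default-TTL branch in the `@@ -106,6 +119,10 @@` hunk. As written, creating a JWT authorizer, or a REQUEST authorizer with an explicit TTL, also fails when the GetApi call is denied or throttled, and the identity running the provider needs read access to the API where it may not have needed it for this resource before (not verifiable from the hunk). Moving the lookup into that branch limits the extra call and the extra permission to the one case that uses the result. The function body continues outside both hunks.

```go
if v, ok := d.GetOk("authorizer_result_ttl_in_seconds"); ok {
	req.AuthorizerResultTtlInSeconds = aws.Int64(int64(v.(int)))
} else if authorizerType == apigatewayv2.AuthorizerTypeRequest {
	// Look the API up only when its protocol decides the default.
	apiOutput, err := finder.ApiByID(conn, apiId)
	if err != nil {
		return fmt.Errorf("error reading API Gateway v2 API (%s): %s", apiId, err)
	}
	if aws.StringValue(apiOutput.ProtocolType) == apigatewayv2.ProtocolTypeHttp {
		// Default in the AWS Console is 300 seconds.
		// Explicitly set on creation so that we can correctly detect changes to the 0 value.
		req.AuthorizerResultTtlInSeconds = aws.Int64(300)
	}
}
```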
@@ -219,7 +219,7 @@ func TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer(t *testing.
 testAccCheckAWSAPIGatewayV2AuthorizerExists(resourceName, &apiId, &v),
 resource.TestCheckResourceAttr(resourceName, "authorizer_credentials_arn", ""),
 resource.TestCheckResourceAttr(resourceName, "authorizer_payload_format_version", "2.0"),
- resource.TestCheckResourceAttr(resourceName, "authorizer_result_ttl_in_seconds", "600"),
+ resource.TestCheckResourceAttr(resourceName, "authorizer_result_ttl_in_seconds", "300"),
 resource.TestCheckResourceAttr(resourceName, "authorizer_type", "REQUEST"),
 resource.TestCheckResourceAttrPair(resourceName, "authorizer_uri", lambdaResourceName, "invoke_arn"),
 resource.TestCheckResourceAttr(resourceName, "enable_simple_responses", "true"),
@@ -236,7 +236,7 @@ func TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer(t *testing.
 ImportStateVerify: true,
 },
 {
- Config: testAccAWSAPIGatewayV2AuthorizerConfig_httpApiLambdaRequestAuthorizerUpdated(rName),
+ Config: testAccAWSAPIGatewayV2AuthorizerConfig_httpApiLambdaRequestAuthorizerUpdated(rName, 3600),
 Check: resource.ComposeTestCheckFunc(
 testAccCheckAWSAPIGatewayV2AuthorizerExists(resourceName, &apiId, &v),
 resource.TestCheckResourceAttr(resourceName, "authorizer_credentials_arn", ""),
@@ -252,6 +252,23 @@ func TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer(t *testing.
 resource.TestCheckResourceAttr(resourceName, "name", rName),
 ),
 },
+ {
+ Config: testAccAWSAPIGatewayV2AuthorizerConfig_httpApiLambdaRequestAuthorizerUpdated(rName, 0),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAWSAPIGatewayV2AuthorizerExists(resourceName, &apiId, &v),
+ resource.TestCheckResourceAttr(resourceName, "authorizer_credentials_arn", ""),
+ resource.TestCheckResourceAttr(resourceName, "authorizer_payload_format_version", "1.0"),
+ resource.TestCheckResourceAttr(resourceName, "authorizer_result_ttl_in_seconds", "0"),
+ resource.TestCheckResourceAttr(resourceName, "authorizer_type", "REQUEST"),
+ resource.TestCheckResourceAttrPair(resourceName, "authorizer_uri", lambdaResourceName, "invoke_arn"),
+ resource.TestCheckResourceAttr(resourceName, "enable_simple_responses", "false"),
+ resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "2"),
+ tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "$request.querystring.User"),
+ tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "$context.routeKey"),
+ resource.TestCheckResourceAttr(resourceName, "jwt_configuration.#", "0"),
+ resource.TestCheckResourceAttr(resourceName, "name", rName),
+ ),
+ },
 },
 })
 }
@@ -470,7 +487,6 @@ func testAccAWSAPIGatewayV2AuthorizerConfig_httpApiLambdaRequestAuthorizer(rName
 resource "aws_apigatewayv2_authorizer" "test" {
 api_id = aws_apigatewayv2_api.test.id
 authorizer_payload_format_version = "2.0"
- authorizer_result_ttl_in_seconds = 600
 authorizer_type = "REQUEST"
 authorizer_uri = aws_lambda_function.test.invoke_arn
 enable_simple_responses = true
@@ -480,7 +496,7 @@ resource "aws_apigatewayv2_authorizer" "test" {
 `, rName))
 }
 
-func testAccAWSAPIGatewayV2AuthorizerConfig_httpApiLambdaRequestAuthorizerUpdated(rName string) string {
+func testAccAWSAPIGatewayV2AuthorizerConfig_httpApiLambdaRequestAuthorizerUpdated(rName string, authorizerResultTtl int) string {
 return composeConfig(
 testAccAWSAPIGatewayV2AuthorizerConfig_apiHttp(rName),
 testAccAWSAPIGatewayV2AuthorizerConfig_baseLambda(rName),
@@ -488,12 +504,12 @@ func testAccAWSAPIGatewayV2AuthorizerConfig_httpApiLambdaRequestAuthorizerUpdate
 resource "aws_apigatewayv2_authorizer" "test" {
 api_id = aws_apigatewayv2_api.test.id
 authorizer_payload_format_version = "1.0"
- authorizer_result_ttl_in_seconds = 3600
+ authorizer_result_ttl_in_seconds = %[2]d
 authorizer_type = "REQUEST"
 authorizer_uri = aws_lambda_function.test.invoke_arn
 enable_simple_responses = false
 identity_sources = ["$request.querystring.User", "$context.routeKey"]
 name = %[1]q
 }
-`, rName))
+`, rName, authorizerResultTtl))
 }
diff --git a/website/docs/r/apigatewayv2_authorizer.html.markdown b/website/docs/r/apigatewayv2_authorizer.html.markdown
index 8cf4240763e5..4a9998020b45 100644
--- a/website/docs/r/apigatewayv2_authorizer.html.markdown
+++ b/website/docs/r/apigatewayv2_authorizer.html.markdown
@@ -55,7 +55,7 @@ Supported only for `REQUEST` authorizers. * `authorizer_payload_format_version` - (Optional) The format of the payload sent to an HTTP API Lambda authorizer. Required for HTTP API Lambda authorizers. Valid values: `1.0`, `2.0`. * `authorizer_result_ttl_in_seconds` - (Optional) The time to live (TTL) for cached authorizer results, in seconds. If it equals 0, authorization caching is disabled. -If it is greater than 0, API Gateway caches authorizer responses. The maximum value is 3600, or 1 hour. +If it is greater than 0, API Gateway caches authorizer responses. The maximum value is 3600, or 1 hour. Defaults to `300`. Supported only for HTTP API Lambda authorizers. * `authorizer_uri` - (Optional) The authorizer's Uniform Resource Identifier (URI). For `REQUEST` authorizers this must be a well-formed Lambda function URI, such as the `invoke_arn` attribute of the [`aws_lambda_function`](/docs/providers/aws/r/lambda_function.html) resource. From fc1bc5b244b6ad0f710071b899e3140b6aa2ea92 Mon Sep 17 00:00:00 2001 
From: Kit Ewbank Date: Tue, 22 Sep 2020 16:07:03 -0400 Subject: [PATCH 4/4] r/aws_apigatewayv2_authorizer: Distinguish between missing and zero values for cache TTL. Acceptance test output: $ make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSAPIGatewayV2Authorizer_' ACCTEST_PARALLELISM=2 ==> Checking that code complies with gofmt requirements... TF_ACC=1 go test ./aws -v -count 1 -parallel 2 -run=TestAccAWSAPIGatewayV2Authorizer_ -timeout 120m === RUN TestAccAWSAPIGatewayV2Authorizer_basic === PAUSE TestAccAWSAPIGatewayV2Authorizer_basic === RUN TestAccAWSAPIGatewayV2Authorizer_disappears === PAUSE TestAccAWSAPIGatewayV2Authorizer_disappears === RUN TestAccAWSAPIGatewayV2Authorizer_Credentials === PAUSE TestAccAWSAPIGatewayV2Authorizer_Credentials === RUN TestAccAWSAPIGatewayV2Authorizer_JWT === PAUSE TestAccAWSAPIGatewayV2Authorizer_JWT === RUN TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer_InitialMissingCacheTTL === PAUSE TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer_InitialMissingCacheTTL === RUN TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer_InitialZeroCacheTTL === PAUSE TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer_InitialZeroCacheTTL === CONT TestAccAWSAPIGatewayV2Authorizer_basic === CONT TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer_InitialMissingCacheTTL --- PASS: TestAccAWSAPIGatewayV2Authorizer_basic (39.77s) === CONT TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer_InitialZeroCacheTTL --- PASS: TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer_InitialMissingCacheTTL (88.17s) === CONT TestAccAWSAPIGatewayV2Authorizer_Credentials --- PASS: TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer_InitialZeroCacheTTL (73.00s) === CONT TestAccAWSAPIGatewayV2Authorizer_JWT --- PASS: TestAccAWSAPIGatewayV2Authorizer_Credentials (86.61s) === CONT TestAccAWSAPIGatewayV2Authorizer_disappears --- PASS: TestAccAWSAPIGatewayV2Authorizer_JWT 
(90.80s) === CONT TestAccAWSAPIGatewayV2Authorizer_disappears resource_aws_apigatewayv2_authorizer_test.go:58: [INFO] Got non-empty plan, as expected --- PASS: TestAccAWSAPIGatewayV2Authorizer_disappears (37.71s) PASS ok github.com/terraform-providers/terraform-provider-aws/aws 212.532s --- aws/resource_aws_apigatewayv2_authorizer.go | 2 +- ...source_aws_apigatewayv2_authorizer_test.go | 58 ++++++++++++++++++- 2 files changed, 58 insertions(+), 2 deletions(-)
diff --git a/aws/resource_aws_apigatewayv2_authorizer.go b/aws/resource_aws_apigatewayv2_authorizer.go
index cc258fb97571..8fa64f8e410b 100644
--- a/aws/resource_aws_apigatewayv2_authorizer.go
+++ b/aws/resource_aws_apigatewayv2_authorizer.go
@@ -117,7 +117,7 @@ func resourceAwsApiGatewayV2AuthorizerCreate(d *schema.ResourceData, meta interf
 if v, ok := d.GetOk("authorizer_payload_format_version"); ok {
 req.AuthorizerPayloadFormatVersion = aws.String(v.(string))
 }
- if v, ok := d.GetOk("authorizer_result_ttl_in_seconds"); ok {
+ if v, ok := d.GetOkExists("authorizer_result_ttl_in_seconds"); ok {
 req.AuthorizerResultTtlInSeconds = aws.Int64(int64(v.(int)))
 } else if protocolType == apigatewayv2.ProtocolTypeHttp && authorizerType == apigatewayv2.AuthorizerTypeRequest {
 // Default in the AWS Console is 300 seconds.
diff --git a/aws/resource_aws_apigatewayv2_authorizer_test.go b/aws/resource_aws_apigatewayv2_authorizer_test.go
index cd56daa2d7ca..b934a72c2da2 100644
--- a/aws/resource_aws_apigatewayv2_authorizer_test.go
+++ b/aws/resource_aws_apigatewayv2_authorizer_test.go
@@ -201,7 +201,7 @@ func TestAccAWSAPIGatewayV2Authorizer_JWT(t *testing.T) {
 })
 }
 
-func TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer(t *testing.T) {
+func TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer_InitialMissingCacheTTL(t *testing.T) {
 var apiId string
 var v apigatewayv2.GetAuthorizerOutput
 resourceName := "aws_apigatewayv2_authorizer.test"
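Review bot: `GetOkExists` is marked deprecated in terraform-plugin-sdk v2, so the changed `if` line in the `@@ -117,7 +117,7 @@` hunk needs a comment saying why it is used, or a later cleanup is likely to turn it back into `GetOk`. The reason is access-control relevant: a configured `0` disables authorizer result caching, and `GetOk` cannot tell it from an unset attribute, so the 300-second default would be sent and authorization results cached when the configuration asked for none. I would add above the `if`: `// GetOkExists (deprecated) is deliberate: an explicit 0 disables caching and must not fall through to the 300s default.`. The function body starts and ends outside the hunk.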
@@ -273,6 +273,62 @@ func TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer(t *testing.
 })
 }
 
+func TestAccAWSAPIGatewayV2Authorizer_HttpApiLambdaRequestAuthorizer_InitialZeroCacheTTL(t *testing.T) {
+ var apiId string
+ var v apigatewayv2.GetAuthorizerOutput
+ resourceName := "aws_apigatewayv2_authorizer.test"
+ lambdaResourceName := "aws_lambda_function.test"
+ rName := acctest.RandomWithPrefix("tf-acc-test")
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckAWSAPIGatewayV2AuthorizerDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAWSAPIGatewayV2AuthorizerConfig_httpApiLambdaRequestAuthorizerUpdated(rName, 0),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAWSAPIGatewayV2AuthorizerExists(resourceName, &apiId, &v),
+ resource.TestCheckResourceAttr(resourceName, "authorizer_credentials_arn", ""),
+ resource.TestCheckResourceAttr(resourceName, "authorizer_payload_format_version", "1.0"),
+ resource.TestCheckResourceAttr(resourceName, "authorizer_result_ttl_in_seconds", "0"),
+ resource.TestCheckResourceAttr(resourceName, "authorizer_type", "REQUEST"),
+ resource.TestCheckResourceAttrPair(resourceName, "authorizer_uri", lambdaResourceName, "invoke_arn"),
+ resource.TestCheckResourceAttr(resourceName, "enable_simple_responses", "false"),
+ resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "2"),
+ tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "$request.querystring.User"),
+ tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "$context.routeKey"),
+ resource.TestCheckResourceAttr(resourceName, "jwt_configuration.#", "0"),
+ resource.TestCheckResourceAttr(resourceName, "name", rName),
+ ),
+ },
+ {
+ ResourceName: resourceName,
+ ImportStateIdFunc: testAccAWSAPIGatewayV2AuthorizerImportStateIdFunc(resourceName),
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ {
+ Config: testAccAWSAPIGatewayV2AuthorizerConfig_httpApiLambdaRequestAuthorizerUpdated(rName, 600),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAWSAPIGatewayV2AuthorizerExists(resourceName, &apiId, &v),
+ resource.TestCheckResourceAttr(resourceName, "authorizer_credentials_arn", ""),
+ resource.TestCheckResourceAttr(resourceName, "authorizer_payload_format_version", "1.0"),
+ resource.TestCheckResourceAttr(resourceName, "authorizer_result_ttl_in_seconds", "600"),
+ resource.TestCheckResourceAttr(resourceName, "authorizer_type", "REQUEST"),
+ resource.TestCheckResourceAttrPair(resourceName, "authorizer_uri", lambdaResourceName, "invoke_arn"),
+ resource.TestCheckResourceAttr(resourceName, "enable_simple_responses", "false"),
+ resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "2"),
+ tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "$request.querystring.User"),
+ tfawsresource.TestCheckTypeSetElemAttr(resourceName, "identity_sources.*", "$context.routeKey"),
+ resource.TestCheckResourceAttr(resourceName, "jwt_configuration.#", "0"),
+ resource.TestCheckResourceAttr(resourceName, "name", rName),
+ ),
+ },
+ },
+ })
+}
+
 func testAccCheckAWSAPIGatewayV2AuthorizerDestroy(s *terraform.State) error {
 conn := testAccProvider.Meta().(*AWSClient).apigatewayv2conn