resource/aws_api_gateway_authorizer: Add support for Cognito User Pool authorizer

aws/resource_aws_api_gateway_authorizer.go

@@ -21,7 +21,7 @@ func resourceAwsApiGatewayAuthorizer() *schema.Resource {
 		Schema: map[string]*schema.Schema{
 			"authorizer_uri": &schema.Schema{
 				Type:     schema.TypeString,
-				Required: true,
+				Optional: true,
 			},
 			"identity_source": &schema.Schema{
 				Type:     schema.TypeString,
@@ -55,6 +55,13 @@ func resourceAwsApiGatewayAuthorizer() *schema.Resource {
 				Type:     schema.TypeString,
 				Optional: true,
 			},
+			"provider_arns": &schema.Schema{
+				Type:     schema.TypeList,
+				Optional: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
 		},
 	}
 }
@@ -63,13 +70,15 @@ func resourceAwsApiGatewayAuthorizerCreate(d *schema.ResourceData, meta interfac
 	conn := meta.(*AWSClient).apigateway
 
 	input := apigateway.CreateAuthorizerInput{
-		AuthorizerUri:  aws.String(d.Get("authorizer_uri").(string)),
 		IdentitySource: aws.String(d.Get("identity_source").(string)),
 		Name:           aws.String(d.Get("name").(string)),
 		RestApiId:      aws.String(d.Get("rest_api_id").(string)),
 		Type:           aws.String(d.Get("type").(string)),
 	}
 
+	if v, ok := d.GetOk("authorizer_uri"); ok {
+		input.AuthorizerUri = aws.String(v.(string))
+	}
 	if v, ok := d.GetOk("authorizer_credentials"); ok {
 		input.AuthorizerCredentials = aws.String(v.(string))
 	}
@@ -79,6 +88,9 @@ func resourceAwsApiGatewayAuthorizerCreate(d *schema.ResourceData, meta interfac
 	if v, ok := d.GetOk("identity_validation_expression"); ok {
 		input.IdentityValidationExpression = aws.String(v.(string))
 	}
+	if v, ok := d.GetOk("provider_arns"); ok {
+		input.ProviderARNs = expandStringList(v.([]interface{}))
+	}
 
 	log.Printf("[INFO] Creating API Gateway Authorizer: %s", input)
 	out, err := conn.CreateAuthorizer(&input)
@@ -118,6 +130,7 @@ func resourceAwsApiGatewayAuthorizerRead(d *schema.ResourceData, meta interface{
 	d.Set("identity_validation_expression", authorizer.IdentityValidationExpression)
 	d.Set("name", authorizer.Name)
 	d.Set("type", authorizer.Type)
+	d.Set("provider_arns", flattenStringList(authorizer.ProviderARNs))
 
 	return nil
 }
@@ -181,6 +194,13 @@ func resourceAwsApiGatewayAuthorizerUpdate(d *schema.ResourceData, meta interfac
 			Value: aws.String(d.Get("identity_validation_expression").(string)),
 		})
 	}
+	if d.HasChange("provider_arns") {
+		operations = append(operations, &apigateway.PatchOperation{
+			Op:    aws.String("replace"),
+			Path:  aws.String("/providerARNs"),
+			Value: aws.String(d.Get("provider_arns").(string)),
+		})
+	}
 	input.PatchOperations = operations
 
 	log.Printf("[INFO] Updating API Gateway Authorizer: %s", input)

website/docs/r/api_gateway_authorizer.html.markdown

@@ -96,9 +96,12 @@ resource "aws_lambda_function" "authorizer" {
 
 The following arguments are supported:
 
-* `authorizer_uri` - (Required) The authorizer's Uniform Resource Identifier (URI).
+* `authorizer_uri` - (Optional) The authorizer's Uniform Resource Identifier (URI).
 	For `TOKEN` type, this must be a well-formed Lambda function URI in the form of
 	`arn:aws:apigateway:{region}:lambda:path/{service_api}`. e.g. `arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:012345678912:function:my-function/invocations`
+* `provider_arns` - (Optional) List of Cognito User Pool ARNs associated with the athorizer.
+	For `COGNITO_USER_POOLS` type, this must be a well-formed array of ARN in the form of
+	`arn:aws:cognito-idp:{region}:{account}:userpool/{userpoolId}. e.g. `arn:aws:cognito-idp:us-west-2:012345678912:userpool/us-west-2_ABCDEFGH`
 * `name` - (Required) The name of the authorizer
 * `rest_api_id` - (Required) The ID of the associated REST API
 * `identity_source` - (Optional) The source of the identity in an incoming request.