Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

resource/api_gateway_authorizer: support authorizer type as COGNITO_USER_POOLS #3156

Merged
merged 6 commits into from
Mar 7, 2018
Merged

resource/api_gateway_authorizer: support authorizer type as COGNITO_USER_POOLS #3156

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
8c8c25f
resource/api_gateway_authorizer: support authorizer type as COGNITO_U…
Jan 27, 2018
3cd1b02
resource/api_gateway_authorizer: remove extra copy/pasted '&schema.Sc…
Mar 3, 2018
f32ffbd
resource/api_gateway_authorizer: add ValidateFunc for authorizer type
Mar 3, 2018
dfea540
resource/api_gateway_authorizer: add CustomizeDiff
Mar 3, 2018
dbf93c6
resource/api_gateway_authorizer: simplify logic on provider_arns changes
Mar 6, 2018
6463c99
resource/api_gateway_authorizer: move type validation out of Customiz…
Mar 6, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
104 changes: 90 additions & 14 deletions aws/resource_aws_api_gateway_authorizer.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,52 +9,64 @@ import (
"github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/service/apigateway"
"github.com/hashicorp/terraform/helper/schema"
"github.com/hashicorp/terraform/helper/validation"
)

func resourceAwsApiGatewayAuthorizer() *schema.Resource {
return &schema.Resource{
Create: resourceAwsApiGatewayAuthorizerCreate,
Read: resourceAwsApiGatewayAuthorizerRead,
Update: resourceAwsApiGatewayAuthorizerUpdate,
Delete: resourceAwsApiGatewayAuthorizerDelete,
Create: resourceAwsApiGatewayAuthorizerCreate,
Read: resourceAwsApiGatewayAuthorizerRead,
Update: resourceAwsApiGatewayAuthorizerUpdate,
Delete: resourceAwsApiGatewayAuthorizerDelete,
CustomizeDiff: resourceAwsApiGatewayAuthorizerCustomizeDiff,

Schema: map[string]*schema.Schema{
"authorizer_uri": &schema.Schema{
"authorizer_uri": {
Type: schema.TypeString,
Required: true,
Optional: true, // authorizer_uri is required for authorizer TOKEN/REQUEST
},
"identity_source": &schema.Schema{
"identity_source": {
Type: schema.TypeString,
Optional: true,
Default: "method.request.header.Authorization",
},
"name": &schema.Schema{
"name": {
Type: schema.TypeString,
Required: true,
},
"rest_api_id": &schema.Schema{
"rest_api_id": {
Type: schema.TypeString,
Required: true,
ForceNew: true,
},
"type": &schema.Schema{
"type": {
Type: schema.TypeString,
Optional: true,
Default: "TOKEN",
ValidateFunc: validation.StringInSlice([]string{
apigateway.AuthorizerTypeCognitoUserPools,
apigateway.AuthorizerTypeRequest,
apigateway.AuthorizerTypeToken,
}, false),
},
"authorizer_credentials": &schema.Schema{
"authorizer_credentials": {
Type: schema.TypeString,
Optional: true,
},
"authorizer_result_ttl_in_seconds": &schema.Schema{
"authorizer_result_ttl_in_seconds": {
Type: schema.TypeInt,
Optional: true,
ValidateFunc: validateIntegerInRange(0, 3600),
},
"identity_validation_expression": &schema.Schema{
"identity_validation_expression": {
Type: schema.TypeString,
Optional: true,
},
"provider_arns": {
Type: schema.TypeSet,
Optional: true, // provider_arns is required for authorizer COGNITO_USER_POOLS.
Elem: &schema.Schema{Type: schema.TypeString},
},
},
}
}
Expand All @@ -63,13 +75,18 @@ func resourceAwsApiGatewayAuthorizerCreate(d *schema.ResourceData, meta interfac
conn := meta.(*AWSClient).apigateway

input := apigateway.CreateAuthorizerInput{
AuthorizerUri: aws.String(d.Get("authorizer_uri").(string)),
IdentitySource: aws.String(d.Get("identity_source").(string)),
Name: aws.String(d.Get("name").(string)),
RestApiId: aws.String(d.Get("rest_api_id").(string)),
Type: aws.String(d.Get("type").(string)),
}

if err := validateAuthorizerType(d); err != nil {
return err
}
if v, ok := d.GetOk("authorizer_uri"); ok {
input.AuthorizerUri = aws.String(v.(string))
}
if v, ok := d.GetOk("authorizer_credentials"); ok {
input.AuthorizerCredentials = aws.String(v.(string))
}
Expand All @@ -79,6 +96,9 @@ func resourceAwsApiGatewayAuthorizerCreate(d *schema.ResourceData, meta interfac
if v, ok := d.GetOk("identity_validation_expression"); ok {
input.IdentityValidationExpression = aws.String(v.(string))
}
if v, ok := d.GetOk("provider_arns"); ok {
input.ProviderARNs = expandStringList(v.(*schema.Set).List())
}

log.Printf("[INFO] Creating API Gateway Authorizer: %s", input)
out, err := conn.CreateAuthorizer(&input)
Expand Down Expand Up @@ -118,6 +138,7 @@ func resourceAwsApiGatewayAuthorizerRead(d *schema.ResourceData, meta interface{
d.Set("identity_validation_expression", authorizer.IdentityValidationExpression)
d.Set("name", authorizer.Name)
d.Set("type", authorizer.Type)
d.Set("provider_arns", flattenStringList(authorizer.ProviderARNs))

return nil
}
Expand Down Expand Up @@ -181,6 +202,29 @@ func resourceAwsApiGatewayAuthorizerUpdate(d *schema.ResourceData, meta interfac
Value: aws.String(d.Get("identity_validation_expression").(string)),
})
}
if d.HasChange("provider_arns") {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can be simplified using schema.Set Difference(), here's an example in action:

https://github.com/terraform-providers/terraform-provider-aws/blob/90e2e8df03e4ded02c825169bc64b3dae747b9a0/aws/resource_aws_api_gateway_integration.go#L338-L361

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice:+1:

old, new := d.GetChange("provider_arns")
os := old.(*schema.Set)
ns := new.(*schema.Set)
// providerARNs can't be empty, so add first and then remove
additionList := ns.Difference(os)
for _, v := range additionList.List() {
operations = append(operations, &apigateway.PatchOperation{
Op: aws.String("add"),
Path: aws.String("/providerARNs"),
Value: aws.String(v.(string)),
})
}
removalList := os.Difference(ns)
for _, v := range removalList.List() {
operations = append(operations, &apigateway.PatchOperation{
Op: aws.String("remove"),
Path: aws.String("/providerARNs"),
Value: aws.String(v.(string)),
})
}
}

input.PatchOperations = operations

log.Printf("[INFO] Updating API Gateway Authorizer: %s", input)
Expand Down Expand Up @@ -210,3 +254,35 @@ func resourceAwsApiGatewayAuthorizerDelete(d *schema.ResourceData, meta interfac

return nil
}

func resourceAwsApiGatewayAuthorizerCustomizeDiff(diff *schema.ResourceDiff, v interface{}) error {
// switch type between COGNITO_USER_POOLS and TOKEN/REQUEST will create new resource.
if diff.HasChange("type") {
o, n := diff.GetChange("type")
if o.(string) == apigateway.AuthorizerTypeCognitoUserPools || n.(string) == apigateway.AuthorizerTypeCognitoUserPools {
if err := diff.ForceNew("type"); err != nil {
return err
}
}
}

return nil
}

func validateAuthorizerType(d *schema.ResourceData) error {
authType := d.Get("type").(string)
// authorizer_uri is required for authorizer TOKEN/REQUEST
if authType == apigateway.AuthorizerTypeRequest || authType == apigateway.AuthorizerTypeToken {
if v, ok := d.GetOk("authorizer_uri"); !ok || v.(string) == "" {
return fmt.Errorf("authorizer_uri must be set non-empty when authorizer type is %s", authType)
}
}
// provider_arns is required for authorizer COGNITO_USER_POOLS.
if authType == apigateway.AuthorizerTypeCognitoUserPools {
if v, ok := d.GetOk("provider_arns"); !ok || len(v.(*schema.Set).List()) == 0 {
return fmt.Errorf("provider_arns must be set non-empty when authorizer type is %s", authType)
}
}

return nil
}
Loading