resource/api_gateway_authorizer: support authorizer type as COGNITO_USER_POOLS #3156
Conversation
|
loivis
force-pushed
the
resource-api-gateway-authorizer-support-cognito-user-pool
branch
from
f13113d to
7db27dc
Compare
|
Also introduced |
bflad
added
enhancement
|
@bflad Do you have time to take a look? Thanks. |
|
Not at the current time. Something that is an immediate red flag is this though:
We really do not like ignoring someone's contributions and the original author is asking for help in their issue. Can you help them instead of ignoring their contribution? |
|
Ok, understand. I’ll try to see how to commit changes to the other pr and merge my codes there if possible. Anyway I’m closing this pr. Thanks for your comments and explanation.
mvh
… 在 2018年2月1日,12:20,Brian Flad ***@***.***> 写道:
Not at the current time. Something that is an immediate red flag is this though:
I missed existing issue and pr when I started. Anyway I continued with this new pr.
We really do not like ignoring someone's contributions and the original author is asking for help in their issue. Can you help them instead of ignoring their contribution?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
Back to this PR again with close of #2189. |
|
Thanks for the followup @loivis! Sorry if I came off a little mean earlier, that was not my intention. |
|
No need sorry, not at all. It's good to know how we're managing issue/prs and follow the same. |
|
@bflad do you have time to take a look? Thanks. |
There was a problem hiding this comment.
Hi @loivis! This is looking pretty good. I left you some initial feedback. Please ping me again when its ready to be looked at again or if you do not have time to implement 👍
Testing is currently passing for me:
=== RUN TestAccAWSAPIGatewayAuthorizer_cognito
--- PASS: TestAccAWSAPIGatewayAuthorizer_cognito (14.86s)
=== RUN TestAccAWSAPIGatewayAuthorizer_switchAuthType
--- PASS: TestAccAWSAPIGatewayAuthorizer_switchAuthType (48.30s)
=== RUN TestAccAWSAPIGatewayAuthorizer_basic
--- PASS: TestAccAWSAPIGatewayAuthorizer_basic (81.04s)
| @@ -55,6 +56,11 @@ func resourceAwsApiGatewayAuthorizer() *schema.Resource { | |||
| Type: schema.TypeString, | |||
| Optional: true, | |||
| }, | |||
| "provider_arns": &schema.Schema{ | |||
There was a problem hiding this comment.
Minor nitpick: the &schema.Schema here (copy paste 😄 ) is extra
| @@ -55,6 +56,11 @@ func resourceAwsApiGatewayAuthorizer() *schema.Resource { | |||
| Type: schema.TypeString, | |||
| Optional: true, | |||
| }, | |||
| "provider_arns": &schema.Schema{ | |||
| Type: schema.TypeList, | |||
There was a problem hiding this comment.
Does the ordering of the values matter for the provider_arns attribute? If not, we should probably switch this to schema.TypeSet 👍
| @@ -21,7 +21,7 @@ func resourceAwsApiGatewayAuthorizer() *schema.Resource { | |||
| Schema: map[string]*schema.Schema{ | |||
| "authorizer_uri": &schema.Schema{ | |||
| Type: schema.TypeString, | |||
| Required: true, | |||
| Optional: true, | |||
There was a problem hiding this comment.
Sorry I'm unfamiliar with this resource, but is this required for TOKEN/REQUEST? Just curious if that was an oversight before, if we should add documentation, or CustomizeDiff for continued plan-time validation
There was a problem hiding this comment.
@bflad Indeed CustomizeDiff should be used here. But it doesn't seem to get the argument. Did I miss something?
https://github.com/loivis/terraform-provider-aws/blob/9726a5187a1fb34a8edbc660e0d3968d8e46a3f0/aws/resource_aws_api_gateway_authorizer.go#L277-L280
There was a problem hiding this comment.
I think you need to perform two checks, one for existence and one for string length:
v, ok := diff.GetOk("authorizer_uri")
if ok {
if v.(string) == "" {
return errors.New("authorizer_uri must be non-empty when type is ...")
}
} else {
return errors.New("authorizer_uri is required when type is ...")
}You'll need to do the same with len() == 0 for provider_arns
There was a problem hiding this comment.
I added a few lines to debug
args := []string{"authorizer_uri", "name", "rest_api_id", "identity_source", "type", "identity_validation_expression", "authorizer_credentials"}
for _, arg := range args {
val, ok := diff.GetOk(arg)
log.Printf("[DEBUG] %s: #%s#, #%v#", arg, val.(string), ok)
}
It gives me logs:
2018/03/05 21:50:54 [DEBUG] authorizer_uri: ##, #false#
2018/03/05 21:50:54 [DEBUG] name: #tf-acctest-igw-authorizer-yddwa40#, #true#
2018/03/05 21:50:54 [DEBUG] rest_api_id: ##, #false#
2018/03/05 21:50:54 [DEBUG] identity_source: #method.request.header.Authorization#, #true#
2018/03/05 21:50:54 [DEBUG] type: #TOKEN#, #true#
2018/03/05 21:50:54 [DEBUG] identity_validation_expression: ##, #false#
2018/03/05 21:50:54 [DEBUG] authorizer_credentials: ##, #false#
name, identity_source, type are arguments with default value. It seems like diff.GetOk() doesn't return value for arguments without default value. This is what makes me confused.
There was a problem hiding this comment.
Ah, this is happening because the values are computed:
Unfortunately, I'm not sure of a workaround at the moment. For now, we can keep that logic outside CustomizeDiff. 🙁
| @@ -210,3 +228,38 @@ func resourceAwsApiGatewayAuthorizerDelete(d *schema.ResourceData, meta interfac | |||
|
|
|||
| return nil | |||
| } | |||
|
|
|||
| func diffProviderARNsOp(prefix string, old, new []interface{}) (ops []*apigateway.PatchOperation) { | |||
| // providerARNs can't be empty, so add first and then remove | |||
| "github.com/hashicorp/terraform/helper/resource" | ||
| "github.com/hashicorp/terraform/terraform" | ||
| ) | ||
|
|
||
| func TestAccAWSAPIGatewayAuthorizer_basic(t *testing.T) { | ||
| var conf apigateway.Authorizer | ||
| rString := acctest.RandString(7) |
| @@ -113,3 +113,4 @@ The following arguments are supported: | |||
| For `TOKEN` type, this value should be a regular expression. The incoming token from the client is matched | |||
| against this expression, and will proceed if the token matches. If the token doesn't match, | |||
| the client receives a 401 Unauthorized response. | |||
| * `provider_arns` - (Optional, required for type `COGNITO_USER_POOLS`) A list of the Amazon Cognito user pool ARNs. Each element is of this format: `arn:aws:cognito-idp:{region}:{account_id}:userpool/{user_pool_id}`. | |||
There was a problem hiding this comment.
Would you mind taking a look at adding a CustomizeDiff function that adds plan-time validation for this situation? Maybe something similar to aws_dynamodb_table function can work here too:
| For `TOKEN` type, this must be a well-formed Lambda function URI in the form of | ||
| `arn:aws:apigateway:{region}:lambda:path/{service_api}`. e.g. `arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:012345678912:function:my-function/invocations` | ||
| * `name` - (Required) The name of the authorizer | ||
| * `rest_api_id` - (Required) The ID of the associated REST API | ||
| * `identity_source` - (Optional) The source of the identity in an incoming request. | ||
| Defaults to `method.request.header.Authorization`. For `REQUEST` type, this may be a comma-separated list of values, including headers, query string parameters and stage variables - e.g. `"method.request.header.SomeHeaderName,method.request.querystring.SomeQueryStringName,stageVariables.SomeStageVariableName"` | ||
| * `type` - (Optional) The type of the authorizer. Possible values are `TOKEN` and `REQUEST`. | ||
| * `type` - (Optional) The type of the authorizer. Possible values are `TOKEN` for a Lambda function using a single authorization token submitted in a custom header, `REQUEST` for a Lambda function using incoming request parameters, or `COGNITO_USER_POOLS` for using an Amazon Cognito user pool. |
| resource "aws_api_gateway_authorizer" "test" { | ||
| name = "tf-acc-test-authorizer" | ||
| rest_api_id = "${aws_api_gateway_rest_api.test.id}" | ||
| func testAccAWSAPIGatewayAuthorizerConfig_lambda(apiGatewayName, authorizerName, lambdaName string) string { |
| @@ -41,6 +41,7 @@ func resourceAwsApiGatewayAuthorizer() *schema.Resource { | |||
| Type: schema.TypeString, | |||
| Optional: true, | |||
| Default: "TOKEN", | |||
| ForceNew: true, | |||
There was a problem hiding this comment.
Can you add plan-time validation here please?
ValidateFunc: validation.StringInSlice([]string{
apigateway.AuthorizerTypeCognitoUserPools,
apigateway.AuthorizerTypeRequest,
apigateway.AuthorizerTypeToken
}, false),
bflad
added
the
waiting-response
|
To answer your question above:
You can use a |
loivis
force-pushed
the
resource-api-gateway-authorizer-support-cognito-user-pool
branch
from
a2f4a49 to
f32ffbd
Compare
loivis
force-pushed
the
resource-api-gateway-authorizer-support-cognito-user-pool
branch
from
9726a51 to
dfea540
Compare
| @@ -181,6 +199,12 @@ func resourceAwsApiGatewayAuthorizerUpdate(d *schema.ResourceData, meta interfac | |||
| Value: aws.String(d.Get("identity_validation_expression").(string)), | |||
| }) | |||
| } | |||
| if d.HasChange("provider_arns") { | |||
There was a problem hiding this comment.
This can be simplified using schema.Set Difference(), here's an example in action:
…eDiff; add acceptance tests for type validation
|
There was a problem hiding this comment.
This looks fantastic, thanks for the great work! 🚀
4 tests passed (all tests)
=== RUN TestAccAWSAPIGatewayAuthorizer_authTypeValidation
--- PASS: TestAccAWSAPIGatewayAuthorizer_authTypeValidation (29.27s)
=== RUN TestAccAWSAPIGatewayAuthorizer_switchAuthType
--- PASS: TestAccAWSAPIGatewayAuthorizer_switchAuthType (64.32s)
=== RUN TestAccAWSAPIGatewayAuthorizer_basic
--- PASS: TestAccAWSAPIGatewayAuthorizer_basic (105.69s)
=== RUN TestAccAWSAPIGatewayAuthorizer_cognito
--- PASS: TestAccAWSAPIGatewayAuthorizer_cognito (220.05s)
|
This has been released in version 1.11.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked and limited conversation to collaborators
Fixes #1106
Duplicate of #2189
I missed existing issue and pr when I started. Anyway I continued with this new pr.
QUSTION:
typechanged toForceNewBecause
COGNITO_USER_POOLSis different withTOKEN/REQUEST. But when changing betweenTOKENandREQUEST, it doesn't required new resource. To conditionallyForceNew, the only way I can think of is to have some logic inupdatefunction that will detecttypechange and callcreatefunction. I was wondering if terraform has already supported conditionalForceNewsomeway or we just go with alwaysForceNew.