Merge pull request #16614 from hashicorp/b-apigateway-authorizer-auth…

…cred r/api_gateway_authorizer: set authorizer_credentials via PatchOperation on create for COGNITO_USER_POOLS type
hashicorp · Jan 19, 2021 · d7b060d · d7b060d
2 parents 03c3ddb + e6d74f2
commit d7b060d
Show file tree

Hide file tree

Showing 2 changed files with 101 additions and 1 deletion.
diff --git a/aws/resource_aws_api_gateway_authorizer.go b/aws/resource_aws_api_gateway_authorizer.go
@@ -93,6 +93,7 @@ func resourceAwsApiGatewayAuthorizer() *schema.Resource {
 
 func resourceAwsApiGatewayAuthorizerCreate(d *schema.ResourceData, meta interface{}) error {
 	conn := meta.(*AWSClient).apigatewayconn
+	var postCreateOps []*apigateway.PatchOperation
 
 	input := apigateway.CreateAuthorizerInput{
 		IdentitySource:               aws.String(d.Get("identity_source").(string)),
@@ -109,7 +110,19 @@ func resourceAwsApiGatewayAuthorizerCreate(d *schema.ResourceData, meta interfac
 		input.AuthorizerUri = aws.String(v.(string))
 	}
 	if v, ok := d.GetOk("authorizer_credentials"); ok {
-		input.AuthorizerCredentials = aws.String(v.(string))
+		// While the CreateAuthorizer method allows one to pass AuthorizerCredentials
+		// regardless of authorizer Type, the API ignores this setting if the authorizer
+		// is of Type "COGNITO_USER_POOLS"; thus, a PatchOperation is used as an alternative.
+		// Reference: https://github.com/hashicorp/terraform-provider-aws/issues/16613
+		if aws.StringValue(input.Type) != apigateway.AuthorizerTypeCognitoUserPools {
+			input.AuthorizerCredentials = aws.String(v.(string))
+		} else {
+			postCreateOps = append(postCreateOps, &apigateway.PatchOperation{
+				Op:    aws.String(apigateway.OpReplace),
+				Path:  aws.String("/authorizerCredentials"),
+				Value: aws.String(v.(string)),
+			})
+		}
 	}
 
 	if v, ok := d.GetOk("identity_validation_expression"); ok {
@@ -127,6 +140,20 @@ func resourceAwsApiGatewayAuthorizerCreate(d *schema.ResourceData, meta interfac
 
 	d.SetId(aws.StringValue(out.Id))
 
+	if postCreateOps != nil {
+		input := apigateway.UpdateAuthorizerInput{
+			AuthorizerId:    aws.String(d.Id()),
+			PatchOperations: postCreateOps,
+			RestApiId:       input.RestApiId,
+		}
+
+		log.Printf("[INFO] Applying update operations to API Gateway Authorizer: %s", d.Id())
+		_, err := conn.UpdateAuthorizer(&input)
+		if err != nil {
+			return fmt.Errorf("applying update operations to API Gateway Authorizer (%s) failed: %w", d.Id(), err)
+		}
+	}
+
 	return resourceAwsApiGatewayAuthorizerRead(d, meta)
 }
 

diff --git a/aws/resource_aws_api_gateway_authorizer_test.go b/aws/resource_aws_api_gateway_authorizer_test.go
@@ -97,6 +97,36 @@ func TestAccAWSAPIGatewayAuthorizer_cognito(t *testing.T) {
 	})
 }
 
+// Reference: https://github.com/hashicorp/terraform-provider-aws/issues/16613
+func TestAccAWSAPIGatewayAuthorizer_cognito_authorizerCredentials(t *testing.T) {
+	rName := acctest.RandomWithPrefix("tf-acc-test")
+	resourceName := "aws_api_gateway_authorizer.test"
+	iamRoleResourceName := "aws_iam_role.lambda"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t); testAccAPIGatewayTypeEDGEPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSAPIGatewayAuthorizerDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSAPIGatewayAuthorizerConfig_cognitoAuthorizerCredentials(rName),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrPair(resourceName, "authorizer_credentials", iamRoleResourceName, "arn"),
+					resource.TestCheckResourceAttr(resourceName, "name", rName),
+					resource.TestCheckResourceAttr(resourceName, "type", "COGNITO_USER_POOLS"),
+					resource.TestCheckResourceAttr(resourceName, "provider_arns.#", "2"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateIdFunc: testAccAWSAPIGatewayAuthorizerImportStateIdFunc(resourceName),
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func TestAccAWSAPIGatewayAuthorizer_switchAuthType(t *testing.T) {
 	rName := acctest.RandomWithPrefix("tf-acc-test")
 	resourceName := "aws_api_gateway_authorizer.test"
@@ -489,6 +519,49 @@ resource "aws_api_gateway_authorizer" "test" {
 `, rName)
 }
 
+func testAccAWSAPIGatewayAuthorizerConfig_cognitoAuthorizerCredentials(rName string) string {
+	return fmt.Sprintf(`
+data "aws_partition" "current" {}
+
+resource "aws_iam_role" "lambda" {
+  name = "%[1]s-lambda"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.${data.aws_partition.current.dns_suffix}"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_api_gateway_rest_api" "test" {
+  name = %[1]q
+}
+
+resource "aws_cognito_user_pool" "test" {
+  count = 2
+  name  = "%[1]s-${count.index}"
+}
+
+resource "aws_api_gateway_authorizer" "test" {
+  authorizer_credentials = aws_iam_role.lambda.arn
+  name                   = %[1]q
+  type                   = "COGNITO_USER_POOLS"
+  rest_api_id            = aws_api_gateway_rest_api.test.id
+  provider_arns          = aws_cognito_user_pool.test[*].arn
+}
+`, rName)
+}
+
 func testAccAWSAPIGatewayAuthorizerConfig_authTypeValidationDefaultToken(rName string) string {
 	return testAccAWSAPIGatewayAuthorizerConfigBase(rName) + fmt.Sprintf(`
 resource "aws_api_gateway_authorizer" "test" {