resource/aws_appsync_graphql_api: Add lambda_authorizer_config argu…

…ment (#20857) * tests/resource/aws_appsync_graphql_api: Update deprecated Providers to ProviderFactories * resource/aws_appsync_graphql_api: Add `lambda_authorizer_config` argument (#20644) Issue: #20644 API docs: https://docs.aws.amazon.com/appsync/latest/APIReference/API_LambdaAuthorizerConfig.html Output from acceptance testing: ``` make testacc TESTARGS='-run=TestAccAWSAppsyncGraphqlApi_' ==> Checking that code complies with gofmt requirements... TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAppsyncGraphqlApi_ -timeout 180m --- PASS: TestAccAWSAppsyncGraphqlApi_basic (147.72s) --- PASS: TestAccAWSAppsyncGraphqlApi_AdditionalAuthentication_AWSIAM (148.24s) --- PASS: TestAccAWSAppsyncGraphqlApi_AdditionalAuthentication_APIKey (149.20s) --- PASS: TestAccAWSAppsyncGraphqlApi_AdditionalAuthentication_OpenIDConnect (149.32s) --- PASS: TestAccAWSAppsyncGraphqlApi_LogConfig (153.51s) --- PASS: TestAccAWSAppsyncGraphqlApi_AdditionalAuthentication_CognitoUserPools (173.33s) --- PASS: TestAccAWSAppsyncGraphqlApi_AdditionalAuthentication_AwsLambda (196.04s) --- PASS: TestAccAWSAppsyncGraphqlApi_AdditionalAuthentication_Multiple (204.38s) --- PASS: TestAccAWSAppsyncGraphqlApi_XrayEnabled (214.18s) --- PASS: TestAccAWSAppsyncGraphqlApi_Name (215.34s) --- PASS: TestAccAWSAppsyncGraphqlApi_AuthenticationType_AwsLambda (221.80s) --- PASS: TestAccAWSAppsyncGraphqlApi_OpenIDConnectConfig_AuthTTL (235.05s) --- PASS: TestAccAWSAppsyncGraphqlApi_Tags (236.82s) --- PASS: TestAccAWSAppsyncGraphqlApi_UserPoolConfig_AwsRegion (242.45s) --- PASS: TestAccAWSAppsyncGraphqlApi_LogConfig_ExcludeVerboseContent (250.77s) --- PASS: TestAccAWSAppsyncGraphqlApi_UserPoolConfig_DefaultAction (250.94s) --- PASS: TestAccAWSAppsyncGraphqlApi_AuthenticationType_APIKey (116.05s) --- PASS: TestAccAWSAppsyncGraphqlApi_AuthenticationType_OpenIDConnect (115.22s) --- PASS: TestAccAWSAppsyncGraphqlApi_AuthenticationType_AmazonCognitoUserPools (125.39s) --- PASS: TestAccAWSAppsyncGraphqlApi_disappears (65.90s) --- PASS: TestAccAWSAppsyncGraphqlApi_LambdaAuthorizerConfig_IdentityValidationExpression (281.96s) --- PASS: TestAccAWSAppsyncGraphqlApi_AuthenticationType_AWSIAM (88.56s) --- PASS: TestAccAWSAppsyncGraphqlApi_LambdaAuthorizerConfig_AuthorizerUri (294.85s) --- PASS: TestAccAWSAppsyncGraphqlApi_OpenIDConnectConfig_IatTTL (158.58s) --- PASS: TestAccAWSAppsyncGraphqlApi_OpenIDConnectConfig_Issuer (154.12s) --- PASS: TestAccAWSAppsyncGraphqlApi_LogConfig_FieldLogLevel (312.61s) --- PASS: TestAccAWSAppsyncGraphqlApi_Schema (143.80s) --- PASS: TestAccAWSAppsyncGraphqlApi_AuthenticationType (126.84s) --- PASS: TestAccAWSAppsyncGraphqlApi_OpenIDConnectConfig_ClientID (113.13s) --- PASS: TestAccAWSAppsyncGraphqlApi_LambdaAuthorizerConfig_AuthorizerResultTtlInSeconds (356.98s) PASS ok github.com/terraform-providers/terraform-provider-aws/aws 359.589s ``` * resource/aws_appsync_graphql_api: Add changelog entry 20857.txt * resource/aws_appsync_graphql_api: Terraform fmt in test config * Revert "tests/resource/aws_appsync_graphql_api: Update deprecated Providers to ProviderFactories" This reverts commit 1f981fc. * tests/resource/aws_appsync_graphql_api: Changes from #20000 and #21400 * graphql_api: Re-order map alphabetically (review comment)
hashicorp · Dec 10, 2021 · 02ab688 · 02ab688
1 parent beffefd
commit 02ab688
Show file tree

Hide file tree

Showing 5 changed files with 499 additions and 28 deletions.
diff --git a/.changelog/20857.txt b/.changelog/20857.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_appsync_graphql_api: Add `lambda_authorizer_config` argument
+```
diff --git a/internal/service/appsync/appsync_test.go b/internal/service/appsync/appsync_test.go
@@ -32,6 +32,7 @@ func TestAccAppSync_serial(t *testing.T) {
 			"AuthenticationType_awsIAM": testAccAppSyncGraphQLAPI_AuthenticationType_awsIAM,
 			"AuthenticationType_amazonCognitoUserPools": testAccAppSyncGraphQLAPI_AuthenticationType_amazonCognitoUserPools,
 			"AuthenticationType_openIDConnect":          testAccAppSyncGraphQLAPI_AuthenticationType_openIDConnect,
+			"AuthenticationType_awsLambda":              testAccAppSyncGraphQLAPI_AuthenticationType_awsLambda,
 			"log":                                       testAccAppSyncGraphQLAPI_log,
 			"Log_fieldLogLevel":                         testAccAppSyncGraphQLAPI_Log_fieldLogLevel,
 			"Log_excludeVerboseContent":                 testAccAppSyncGraphQLAPI_Log_excludeVerboseContent,
@@ -42,11 +43,15 @@ func TestAccAppSync_serial(t *testing.T) {
 			"name":                                      testAccAppSyncGraphQLAPI_name,
 			"UserPool_awsRegion":                        testAccAppSyncGraphQLAPI_UserPool_awsRegion,
 			"UserPool_defaultAction":                    testAccAppSyncGraphQLAPI_UserPool_defaultAction,
+			"LambdaAuthorizerConfig_authorizerUri":      testAccAppSyncGraphQLAPI_LambdaAuthorizerConfig_authorizerUri,
+			"LambdaAuthorizerConfig_identityValidationExpression": testAccAppSyncGraphQLAPI_LambdaAuthorizerConfig_identityValidationExpression,
+			"LambdaAuthorizerConfig_authorizerResultTtlInSeconds": testAccAppSyncGraphQLAPI_LambdaAuthorizerConfig_authorizerResultTtlInSeconds,
 			"tags":                                      testAccAppSyncGraphQLAPI_tags,
 			"AdditionalAuthentication_apiKey":           testAccAppSyncGraphQLAPI_AdditionalAuthentication_apiKey,
 			"AdditionalAuthentication_awsIAM":           testAccAppSyncGraphQLAPI_AdditionalAuthentication_awsIAM,
 			"AdditionalAuthentication_cognitoUserPools": testAccAppSyncGraphQLAPI_AdditionalAuthentication_cognitoUserPools,
 			"AdditionalAuthentication_openIDConnect":    testAccAppSyncGraphQLAPI_AdditionalAuthentication_openIDConnect,
+			"AdditionalAuthentication_awsLambda":        testAccAppSyncGraphQLAPI_AdditionalAuthentication_awsLambda,
 			"AdditionalAuthentication_multiple":         testAccAppSyncGraphQLAPI_AdditionalAuthentication_multiple,
 			"xrayEnabled":                               testAccAppSyncGraphQLAPI_xrayEnabled,
 		},

diff --git a/internal/service/appsync/graphql_api.go b/internal/service/appsync/graphql_api.go
@@ -16,6 +16,10 @@ import (
 	"github.com/hashicorp/terraform-provider-aws/internal/verify"
 )
 
+var validateAuthorizerResultTtlInSeconds = validation.IntBetween(0, 3600)
+
+const DefaultAuthorizerResultTtlInSeconds = 300
+
 func ResourceGraphQLAPI() *schema.Resource {
 	return &schema.Resource{
 		Create: resourceGraphQLAPICreate,
@@ -85,6 +89,29 @@ func ResourceGraphQLAPI() *schema.Resource {
 								},
 							},
 						},
+						"lambda_authorizer_config": {
+							Type:     schema.TypeList,
+							Optional: true,
+							MaxItems: 1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"authorizer_result_ttl_in_seconds": {
+										Type:         schema.TypeInt,
+										Optional:     true,
+										Default:      DefaultAuthorizerResultTtlInSeconds,
+										ValidateFunc: validateAuthorizerResultTtlInSeconds,
+									},
+									"authorizer_uri": {
+										Type:     schema.TypeString,
+										Required: true,
+									},
+									"identity_validation_expression": {
+										Type:     schema.TypeString,
+										Optional: true,
+									},
+								},
+							},
+						},
 					},
 				},
 			},
@@ -190,6 +217,29 @@ func ResourceGraphQLAPI() *schema.Resource {
 					},
 				},
 			},
+			"lambda_authorizer_config": {
+				Type:     schema.TypeList,
+				Optional: true,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"authorizer_result_ttl_in_seconds": {
+							Type:         schema.TypeInt,
+							Optional:     true,
+							Default:      DefaultAuthorizerResultTtlInSeconds,
+							ValidateFunc: validateAuthorizerResultTtlInSeconds,
+						},
+						"authorizer_uri": {
+							Type:     schema.TypeString,
+							Required: true,
+						},
+						"identity_validation_expression": {
+							Type:     schema.TypeString,
+							Optional: true,
+						},
+					},
+				},
+			},
 			"arn": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -233,6 +283,10 @@ func resourceGraphQLAPICreate(d *schema.ResourceData, meta interface{}) error {
 		input.UserPoolConfig = expandAppsyncGraphqlApiUserPoolConfig(v.([]interface{}), meta.(*conns.AWSClient).Region)
 	}
 
+	if v, ok := d.GetOk("lambda_authorizer_config"); ok {
+		input.LambdaAuthorizerConfig = expandAppsyncGraphqlApiLambdaAuthorizerConfig(v.([]interface{}))
+	}
+
 	if v, ok := d.GetOk("additional_authentication_provider"); ok {
 		input.AdditionalAuthenticationProviders = expandAppsyncGraphqlApiAdditionalAuthProviders(v.([]interface{}), meta.(*conns.AWSClient).Region)
 	}
@@ -296,6 +350,10 @@ func resourceGraphQLAPIRead(d *schema.ResourceData, meta interface{}) error {
 		return fmt.Errorf("error setting user_pool_config: %s", err)
 	}
 
+	if err := d.Set("lambda_authorizer_config", flattenAppsyncGraphqlApiLambdaAuthorizerConfig(resp.GraphqlApi.LambdaAuthorizerConfig)); err != nil {
+		return fmt.Errorf("error setting lambda_authorizer_config: %s", err)
+	}
+
 	if err := d.Set("additional_authentication_provider", flattenAppsyncGraphqlApiAdditionalAuthenticationProviders(resp.GraphqlApi.AdditionalAuthenticationProviders)); err != nil {
 		return fmt.Errorf("error setting additional_authentication_provider: %s", err)
 	}
@@ -351,6 +409,10 @@ func resourceGraphQLAPIUpdate(d *schema.ResourceData, meta interface{}) error {
 		input.UserPoolConfig = expandAppsyncGraphqlApiUserPoolConfig(v.([]interface{}), meta.(*conns.AWSClient).Region)
 	}
 
+	if v, ok := d.GetOk("lambda_authorizer_config"); ok {
+		input.LambdaAuthorizerConfig = expandAppsyncGraphqlApiLambdaAuthorizerConfig(v.([]interface{}))
+	}
+
 	if v, ok := d.GetOk("additional_authentication_provider"); ok {
 		input.AdditionalAuthenticationProviders = expandAppsyncGraphqlApiAdditionalAuthProviders(v.([]interface{}), meta.(*conns.AWSClient).Region)
 	}
@@ -458,6 +520,25 @@ func expandAppsyncGraphqlApiUserPoolConfig(l []interface{}, currentRegion string
 	return userPoolConfig
 }
 
+func expandAppsyncGraphqlApiLambdaAuthorizerConfig(l []interface{}) *appsync.LambdaAuthorizerConfig {
+	if len(l) < 1 || l[0] == nil {
+		return nil
+	}
+
+	m := l[0].(map[string]interface{})
+
+	lambdaAuthorizerConfig := &appsync.LambdaAuthorizerConfig{
+		AuthorizerResultTtlInSeconds: aws.Int64(int64(m["authorizer_result_ttl_in_seconds"].(int))),
+		AuthorizerUri:                aws.String(m["authorizer_uri"].(string)),
+	}
+
+	if v, ok := m["identity_validation_expression"].(string); ok && v != "" {
+		lambdaAuthorizerConfig.IdentityValidationExpression = aws.String(v)
+	}
+
+	return lambdaAuthorizerConfig
+}
+
 func expandAppsyncGraphqlApiAdditionalAuthProviders(items []interface{}, currentRegion string) []*appsync.AdditionalAuthenticationProvider {
 	if len(items) < 1 {
 		return nil
@@ -482,6 +563,10 @@ func expandAppsyncGraphqlApiAdditionalAuthProviders(items []interface{}, current
 			additionalAuthProvider.UserPoolConfig = expandAppsyncGraphqlApiCognitoUserPoolConfig(v.([]interface{}), currentRegion)
 		}
 
+		if v, ok := m["lambda_authorizer_config"]; ok {
+			additionalAuthProvider.LambdaAuthorizerConfig = expandAppsyncGraphqlApiLambdaAuthorizerConfig(v.([]interface{}))
+		}
+
 		additionalAuthProviders = append(additionalAuthProviders, additionalAuthProvider)
 	}
 
@@ -558,6 +643,28 @@ func flattenAppsyncGraphqlApiUserPoolConfig(userPoolConfig *appsync.UserPoolConf
 	return []interface{}{m}
 }
 
+func flattenAppsyncGraphqlApiLambdaAuthorizerConfig(lambdaAuthorizerConfig *appsync.LambdaAuthorizerConfig) []interface{} {
+	if lambdaAuthorizerConfig == nil {
+		return []interface{}{}
+	}
+
+	m := map[string]interface{}{
+		"authorizer_uri": aws.StringValue(lambdaAuthorizerConfig.AuthorizerUri),
+	}
+
+	if lambdaAuthorizerConfig.AuthorizerResultTtlInSeconds != nil {
+		m["authorizer_result_ttl_in_seconds"] = aws.Int64Value(lambdaAuthorizerConfig.AuthorizerResultTtlInSeconds)
+	} else {
+		m["authorizer_result_ttl_in_seconds"] = DefaultAuthorizerResultTtlInSeconds
+	}
+
+	if lambdaAuthorizerConfig.IdentityValidationExpression != nil {
+		m["identity_validation_expression"] = aws.StringValue(lambdaAuthorizerConfig.IdentityValidationExpression)
+	}
+
+	return []interface{}{m}
+}
+
 func flattenAppsyncGraphqlApiAdditionalAuthenticationProviders(additionalAuthenticationProviders []*appsync.AdditionalAuthenticationProvider) []interface{} {
 	if len(additionalAuthenticationProviders) == 0 {
 		return []interface{}{}
@@ -566,9 +673,10 @@ func flattenAppsyncGraphqlApiAdditionalAuthenticationProviders(additionalAuthent
 	result := make([]interface{}, len(additionalAuthenticationProviders))
 	for i, provider := range additionalAuthenticationProviders {
 		result[i] = map[string]interface{}{
-			"authentication_type":   aws.StringValue(provider.AuthenticationType),
-			"openid_connect_config": flattenAppsyncGraphqlApiOpenIDConnectConfig(provider.OpenIDConnectConfig),
-			"user_pool_config":      flattenAppsyncGraphqlApiCognitoUserPoolConfig(provider.UserPoolConfig),
+			"authentication_type":      aws.StringValue(provider.AuthenticationType),
+			"lambda_authorizer_config": flattenAppsyncGraphqlApiLambdaAuthorizerConfig(provider.LambdaAuthorizerConfig),
+			"openid_connect_config":    flattenAppsyncGraphqlApiOpenIDConnectConfig(provider.OpenIDConnectConfig),
+			"user_pool_config":         flattenAppsyncGraphqlApiCognitoUserPoolConfig(provider.UserPoolConfig),
 		}
 	}