Merge pull request #32629 from hashicorp/b-ttl_breaks_apigateway_auth…

…orizer_creation r/aws_apigatewayv2_authorizer: Skip ttl when there are no identity sources
hashicorp · Jul 25, 2023 · a2206e2 · a2206e2
2 parents d97efa9 + bde3101
commit a2206e2
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 1 deletion.
diff --git a/.changelog/32629.txt b/.changelog/32629.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_apigatewayv2_authorizer: Skip setting authorizer TTL when there are no identity sources
+```
diff --git a/internal/service/apigatewayv2/authorizer.go b/internal/service/apigatewayv2/authorizer.go
@@ -130,9 +130,10 @@ func resourceAuthorizerCreate(ctx context.Context, d *schema.ResourceData, meta
 	}
 	if v, ok := d.GetOkExists("authorizer_result_ttl_in_seconds"); ok {
 		req.AuthorizerResultTtlInSeconds = aws.Int64(int64(v.(int)))
-	} else if protocolType == apigatewayv2.ProtocolTypeHttp && authorizerType == apigatewayv2.AuthorizerTypeRequest {
+	} else if protocolType == apigatewayv2.ProtocolTypeHttp && authorizerType == apigatewayv2.AuthorizerTypeRequest && len(req.IdentitySource) > 0 {
 		// Default in the AWS Console is 300 seconds.
 		// Explicitly set on creation so that we can correctly detect changes to the 0 value.
+		// This value should only be set when IdentitySources have been defined
 		req.AuthorizerResultTtlInSeconds = aws.Int64(300)
 	}
 	if v, ok := d.GetOk("authorizer_uri"); ok {

diff --git a/internal/service/apigatewayv2/authorizer_test.go b/internal/service/apigatewayv2/authorizer_test.go
@@ -48,6 +48,16 @@ func TestAccAPIGatewayV2Authorizer_basic(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "name", rName),
 				),
 			},
+			{
+				Config: testAccAuthorizerConfig_httpNoAuthenticationSources(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAuthorizerExists(ctx, resourceName, &apiId, &v),
+					resource.TestCheckResourceAttr(resourceName, "authorizer_type", "REQUEST"),
+					resource.TestCheckResourceAttr(resourceName, "identity_sources.#", "0"),
+					resource.TestCheckResourceAttr(resourceName, "authorizer_result_ttl_in_seconds", "0"),
+					resource.TestCheckResourceAttr(resourceName, "name", rName),
+				),
+			},
 			{
 				ResourceName:      resourceName,
 				ImportStateIdFunc: testAccAuthorizerImportStateIdFunc(resourceName),
@@ -573,6 +583,22 @@ resource "aws_apigatewayv2_authorizer" "test" {
 `, rName))
 }
 
+func testAccAuthorizerConfig_httpNoAuthenticationSources(rName string) string {
+	return acctest.ConfigCompose(
+		testAccAuthorizerConfig_apiHTTP(rName),
+		testAccAuthorizerConfig_baseLambda(rName),
+		fmt.Sprintf(`
+resource "aws_apigatewayv2_authorizer" "test" {
+  api_id                            = aws_apigatewayv2_api.test.id
+  authorizer_payload_format_version = "2.0"
+  authorizer_type                   = "REQUEST"
+  authorizer_uri                    = aws_lambda_function.test.invoke_arn
+  enable_simple_responses           = true
+  name                              = %[1]q
+}
+`, rName))
+}
+
 func testAccAuthorizerConfig_httpAPILambdaRequestUpdated(rName string, authorizerResultTtl int) string {
 	return acctest.ConfigCompose(
 		testAccAuthorizerConfig_apiHTTP(rName),