hashicorp · breathingdust · Dec 10, 2021 · Sep 8, 2021 · Sep 9, 2021 · Sep 9, 2021
diff --git a/aws/resource_aws_appsync_graphql_api.go b/aws/resource_aws_appsync_graphql_api.go
@@ -13,6 +13,10 @@ import (
 	"github.com/terraform-providers/terraform-provider-aws/aws/internal/keyvaluetags"
 )
 
+var validateAuthorizerResultTtlInSeconds = validation.IntBetween(0, 3600)
+
+const defaultAuthorizerResultTtlInSeconds = 300
+
 func resourceAwsAppsyncGraphqlApi() *schema.Resource {
 	return &schema.Resource{
 		Create: resourceAwsAppsyncGraphqlApiCreate,
@@ -82,6 +86,29 @@ func resourceAwsAppsyncGraphqlApi() *schema.Resource {
 								},
 							},
 						},
+						"lambda_authorizer_config": {
+							Type:     schema.TypeList,
+							Optional: true,
+							MaxItems: 1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"authorizer_result_ttl_in_seconds": {
+										Type:         schema.TypeInt,
+										Optional:     true,
+										Default:      defaultAuthorizerResultTtlInSeconds,
+										ValidateFunc: validateAuthorizerResultTtlInSeconds,
+									},
+									"authorizer_uri": {
+										Type:     schema.TypeString,
+										Required: true,
+									},
+									"identity_validation_expression": {
+										Type:     schema.TypeString,
+										Optional: true,
+									},
+								},
+							},
+						},
 					},
 				},
 			},
@@ -187,6 +214,29 @@ func resourceAwsAppsyncGraphqlApi() *schema.Resource {
 					},
 				},
 			},
+			"lambda_authorizer_config": {
+				Type:     schema.TypeList,
+				Optional: true,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"authorizer_result_ttl_in_seconds": {
+							Type:         schema.TypeInt,
+							Optional:     true,
+							Default:      defaultAuthorizerResultTtlInSeconds,
+							ValidateFunc: validateAuthorizerResultTtlInSeconds,
+						},
+						"authorizer_uri": {
+							Type:     schema.TypeString,
+							Required: true,
+						},
+						"identity_validation_expression": {
+							Type:     schema.TypeString,
+							Optional: true,
+						},
+					},
+				},
+			},
 			"arn": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -230,6 +280,10 @@ func resourceAwsAppsyncGraphqlApiCreate(d *schema.ResourceData, meta interface{}
 		input.UserPoolConfig = expandAppsyncGraphqlApiUserPoolConfig(v.([]interface{}), meta.(*AWSClient).region)
 	}
 
+	if v, ok := d.GetOk("lambda_authorizer_config"); ok {
+		input.LambdaAuthorizerConfig = expandAppsyncGraphqlApiLambdaAuthorizerConfig(v.([]interface{}))
+	}
+
 	if v, ok := d.GetOk("additional_authentication_provider"); ok {
 		input.AdditionalAuthenticationProviders = expandAppsyncGraphqlApiAdditionalAuthProviders(v.([]interface{}), meta.(*AWSClient).region)
 	}
@@ -293,6 +347,10 @@ func resourceAwsAppsyncGraphqlApiRead(d *schema.ResourceData, meta interface{})
 		return fmt.Errorf("error setting user_pool_config: %s", err)
 	}
 
+	if err := d.Set("lambda_authorizer_config", flattenAppsyncGraphqlApiLambdaAuthorizerConfig(resp.GraphqlApi.LambdaAuthorizerConfig)); err != nil {
+		return fmt.Errorf("error setting lambda_authorizer_config: %s", err)
+	}
+
 	if err := d.Set("additional_authentication_provider", flattenAppsyncGraphqlApiAdditionalAuthenticationProviders(resp.GraphqlApi.AdditionalAuthenticationProviders)); err != nil {
 		return fmt.Errorf("error setting additional_authentication_provider: %s", err)
 	}
@@ -348,6 +406,10 @@ func resourceAwsAppsyncGraphqlApiUpdate(d *schema.ResourceData, meta interface{}
 		input.UserPoolConfig = expandAppsyncGraphqlApiUserPoolConfig(v.([]interface{}), meta.(*AWSClient).region)
 	}
 
+	if v, ok := d.GetOk("lambda_authorizer_config"); ok {
+		input.LambdaAuthorizerConfig = expandAppsyncGraphqlApiLambdaAuthorizerConfig(v.([]interface{}))
+	}
+
 	if v, ok := d.GetOk("additional_authentication_provider"); ok {
 		input.AdditionalAuthenticationProviders = expandAppsyncGraphqlApiAdditionalAuthProviders(v.([]interface{}), meta.(*AWSClient).region)
 	}
@@ -455,6 +517,25 @@ func expandAppsyncGraphqlApiUserPoolConfig(l []interface{}, currentRegion string
 	return userPoolConfig
 }
 
+func expandAppsyncGraphqlApiLambdaAuthorizerConfig(l []interface{}) *appsync.LambdaAuthorizerConfig {
+	if len(l) < 1 || l[0] == nil {
+		return nil
+	}
+
+	m := l[0].(map[string]interface{})
+
+	lambdaAuthorizerConfig := &appsync.LambdaAuthorizerConfig{
+		AuthorizerResultTtlInSeconds: aws.Int64(int64(m["authorizer_result_ttl_in_seconds"].(int))),
+		AuthorizerUri:                aws.String(m["authorizer_uri"].(string)),
+	}
+
+	if v, ok := m["identity_validation_expression"].(string); ok && v != "" {
+		lambdaAuthorizerConfig.IdentityValidationExpression = aws.String(v)
+	}
+
+	return lambdaAuthorizerConfig
+}
+
 func expandAppsyncGraphqlApiAdditionalAuthProviders(items []interface{}, currentRegion string) []*appsync.AdditionalAuthenticationProvider {
 	if len(items) < 1 {
 		return nil
@@ -479,6 +560,10 @@ func expandAppsyncGraphqlApiAdditionalAuthProviders(items []interface{}, current
 			additionalAuthProvider.UserPoolConfig = expandAppsyncGraphqlApiCognitoUserPoolConfig(v.([]interface{}), currentRegion)
 		}
 
+		if v, ok := m["lambda_authorizer_config"]; ok {
+			additionalAuthProvider.LambdaAuthorizerConfig = expandAppsyncGraphqlApiLambdaAuthorizerConfig(v.([]interface{}))
+		}
+
 		additionalAuthProviders = append(additionalAuthProviders, additionalAuthProvider)
 	}
 
@@ -555,6 +640,28 @@ func flattenAppsyncGraphqlApiUserPoolConfig(userPoolConfig *appsync.UserPoolConf
 	return []interface{}{m}
 }
 
+func flattenAppsyncGraphqlApiLambdaAuthorizerConfig(lambdaAuthorizerConfig *appsync.LambdaAuthorizerConfig) []interface{} {
+	if lambdaAuthorizerConfig == nil {
+		return []interface{}{}
+	}
+
+	m := map[string]interface{}{
+		"authorizer_uri": aws.StringValue(lambdaAuthorizerConfig.AuthorizerUri),
+	}
+
+	if lambdaAuthorizerConfig.AuthorizerResultTtlInSeconds != nil {
+		m["authorizer_result_ttl_in_seconds"] = aws.Int64Value(lambdaAuthorizerConfig.AuthorizerResultTtlInSeconds)
+	} else {
+		m["authorizer_result_ttl_in_seconds"] = defaultAuthorizerResultTtlInSeconds
+	}
+
+	if lambdaAuthorizerConfig.IdentityValidationExpression != nil {
+		m["identity_validation_expression"] = aws.StringValue(lambdaAuthorizerConfig.IdentityValidationExpression)
+	}
+
+	return []interface{}{m}
+}
+
 func flattenAppsyncGraphqlApiAdditionalAuthenticationProviders(additionalAuthenticationProviders []*appsync.AdditionalAuthenticationProvider) []interface{} {
 	if len(additionalAuthenticationProviders) == 0 {
 		return []interface{}{}
@@ -563,9 +670,10 @@ func flattenAppsyncGraphqlApiAdditionalAuthenticationProviders(additionalAuthent
 	result := make([]interface{}, len(additionalAuthenticationProviders))
 	for i, provider := range additionalAuthenticationProviders {
 		result[i] = map[string]interface{}{
-			"authentication_type":   aws.StringValue(provider.AuthenticationType),
-			"openid_connect_config": flattenAppsyncGraphqlApiOpenIDConnectConfig(provider.OpenIDConnectConfig),
-			"user_pool_config":      flattenAppsyncGraphqlApiCognitoUserPoolConfig(provider.UserPoolConfig),
+			"authentication_type":      aws.StringValue(provider.AuthenticationType),
+			"openid_connect_config":    flattenAppsyncGraphqlApiOpenIDConnectConfig(provider.OpenIDConnectConfig),
+			"user_pool_config":         flattenAppsyncGraphqlApiCognitoUserPoolConfig(provider.UserPoolConfig),
+			"lambda_authorizer_config": flattenAppsyncGraphqlApiLambdaAuthorizerConfig(provider.LambdaAuthorizerConfig),
 		}
 	}