Support COGNITO_USER_POOLS authorizer #1106

Closed
batkuip opened this Issue Jul 11, 2017 · 1 comment

@batkuip

batkuip commented Jul 11, 2017

Terraform Version

0.9.11

Affected Resource(s)

  • aws_api_gateway_authorizer
  • aws_api_gateway_method

Expected Behavior

type="COGNITO_USER_POOLS" supported

Actual Behavior

not supported

References

@peterpostmann

peterpostmann commented Jan 29, 2018

Hi,

I needed a workaround and used this one:

  • Use a null_resource which creates the authorizer using aws cli
  • Use data "external" to query aws for the id of the authorizer

resource "null_resource" "aws_api_gateway_authorizer_myPool" {
  # Create the authorizer with the AWS CLI, since the provider does not
  # support COGNITO_USER_POOLS yet. The command is a heredoc with backslash
  # continuations so that HCL accepts the line breaks.
  provisioner "local-exec" {
    command = <<EOF
export AWS_DEFAULT_REGION=${var.region} && \
aws apigateway create-authorizer \
  --rest-api-id ${aws_api_gateway_rest_api.myApi.id} \
  --name 'myPool' --type COGNITO_USER_POOLS \
  --provider-arns '${aws_cognito_user_pool.myPool.arn}' \
  --identity-source 'method.request.header.Authorization'
EOF
  }

  # On destroy, delete the authorizer using the id the external data source looked up.
  provisioner "local-exec" {
    when    = "destroy"
    command = <<EOF
export AWS_DEFAULT_REGION=${var.region} && \
aws apigateway delete-authorizer \
  --rest-api-id ${aws_api_gateway_rest_api.myApi.id} \
  --authorizer-id ${data.external.aws_api_gateway_authorizer_myPool.result.id}
EOF
  }
}

data "external" "aws_api_gateway_authorizer_myPool" {
  # Runs the lookup script with the REST API id and the authorizer name as arguments.
  program = [
    "./awsGetAuthorizerByName.sh",
    "${aws_api_gateway_rest_api.myApi.id}",
    "myPool"
  ]
}

using this script

#!/bin/bash
# Usage: awsGetAuthorizerByName.sh <rest-api-id> <authorizer-name>
# Emits {"id": "<authorizer id>"} for the authorizer whose name matches exactly.
# The name goes to jq as a variable (--arg) instead of being spliced into the filter.
set -euo pipefail
aws apigateway get-authorizers --rest-api-id "$1" \
  | jq -c --arg name "$2" '{id: (.items[] | select(.name == $name) | .id)}'

This script uses 'jq' for simplicity. It receives a list of authorizers from aws, selects the item whose name matches and returns the id of this entry in JSON format.

The authorizer can be attached to a gateway method like this:

resource "aws_api_gateway_method" "myMethod" {
  rest_api_id   = "${aws_api_gateway_rest_api.myApi.id}"
  resource_id   = "${aws_api_gateway_resource.myRessource.id}"
  http_method   = "POST"
  authorization = "COGNITO_USER_POOLS"
  authorizer_id = "${data.external.aws_api_gateway_authorizer_myPool.result.id}"
}

All of this would have been a lot easier if one could override/set variables of the null_resource ;)

Hope someone else may find this useful as well. Looking forward to feedback.
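An added example (not part of the comment above, nor the provider's own code): the same lookup as the jq script, written as a Terraform "external" data source program in Python, with the checks a practitioner would want before binding a method to an authorizer id. The external data source protocol it follows is Terraform's: the `query` map arrives on stdin as a JSON object of strings, the program prints a JSON object of strings on stdout, and a non-zero exit with a message on stderr is reported as an error. The `rest_api_id`, `name` and `provider_arn` query keys, the `SAMPLE_ITEMS` data and the user pool ARNs are assumptions constructed for the example; the AWS CLI is assumed to be on PATH and configured.

```python
#!/usr/bin/env python3
"""Terraform "external" data source program that looks up an API Gateway
authorizer by name and returns its id.

Added example, not code from the issue: it replaces the jq one-liner and
fails loudly when no authorizer, several authorizers, the wrong type, or an
authorizer backed by a different Cognito user pool is found, instead of
returning an empty or wrong id that a method would then be bound to.
"""
import json
import subprocess
import sys

# Constructed sample of what `aws apigateway get-authorizers` returns (field
# names follow the API Gateway Authorizer structure). Used only by the tests.
SAMPLE_ITEMS = [
    {"id": "abc123", "name": "myPool", "type": "COGNITO_USER_POOLS",
     "providerARNs": ["arn:aws:cognito-idp:eu-west-1:111122223333:userpool/eu-west-1_EXAMPLE"],
     "identitySource": "method.request.header.Authorization"},
    {"id": "def456", "name": "myPool-lambda", "type": "TOKEN",
     "authorizerUri": "arn:aws:apigateway:eu-west-1:lambda:path/EXAMPLE"},
]


def select_authorizer(items, name, expected_provider_arn=None,
                      expected_type="COGNITO_USER_POOLS"):
    """Return the one authorizer whose name equals `name` exactly.

    Raises ValueError when none or several match, when the authorizer is not
    of the expected type, or when an expected user pool ARN is given and the
    authorizer is not backed by it.
    """
    matches = [a for a in items if a.get("name") == name]
    if not matches:
        raise ValueError(f"no authorizer named {name!r}")
    if len(matches) > 1:
        raise ValueError(f"{len(matches)} authorizers named {name!r}; the name must be unique")
    auth = matches[0]
    if auth.get("type") != expected_type:
        raise ValueError(f"authorizer {name!r} has type {auth.get('type')!r}, expected {expected_type!r}")
    if expected_provider_arn and expected_provider_arn not in auth.get("providerARNs", []):
        raise ValueError(f"authorizer {name!r} is not backed by user pool {expected_provider_arn}")
    return auth


def result_for(items, name, expected_provider_arn=None):
    """Build the data source result map (Terraform requires string values)."""
    return {"id": select_authorizer(items, name, expected_provider_arn)["id"]}


def lookup_error(items, name, expected_provider_arn=None):
    """Return the message a lookup would fail with, or None if it succeeds."""
    try:
        result_for(items, name, expected_provider_arn)
    except ValueError as exc:
        return str(exc)
    return None


def fetch_items(rest_api_id):
    """Call the AWS CLI (assumed on PATH and configured) and return the items list."""
    proc = subprocess.run(
        ["aws", "apigateway", "get-authorizers", "--rest-api-id", rest_api_id,
         "--output", "json"],
        check=True, capture_output=True, text=True)
    return json.loads(proc.stdout).get("items", [])


def main():
    # Terraform passes the data source's `query` map on stdin as JSON;
    # the keys rest_api_id, name and provider_arn are this example's convention.
    query = json.load(sys.stdin)
    try:
        result = result_for(fetch_items(query["rest_api_id"]), query["name"],
                            query.get("provider_arn"))
    except (KeyError, ValueError, subprocess.CalledProcessError) as exc:
        print(f"authorizer lookup failed: {exc}", file=sys.stderr)
        sys.exit(1)
    json.dump(result, sys.stdout)


if __name__ == "__main__":
    main()
```

On the Terraform side this replaces the `program` arguments with a `query` block, i.e. `program = ["python3", "${path.module}/get_authorizer.py"]` and `query = { rest_api_id = "${aws_api_gateway_rest_api.myApi.id}", name = "myPool", provider_arn = "${aws_cognito_user_pool.myPool.arn}" }` (names assumed). Passing the pool ARN turns the lookup into a check that the method ends up behind the intended user pool, not merely behind something with the same name.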
