From cc38378870a9a99d07802c52c980ef05b8db1139 Mon Sep 17 00:00:00 2001
From: Radek Simko <radek.simko@gmail.com>
Date: Mon, 29 Aug 2016 20:51:59 +0100
Subject: [PATCH] provider/aws: API Gateway Custom Authorizer (#8535)

* [WIP] AWS APIGateway Custom Authorizer

* provider/aws: api_gateway_method - Add missing fields to Read+Update

* provider/aws: Make API Gateway name in test more specific

* provider/aws: APIG - Use minimal configuration in create request
---
 .../resource_aws_api_gateway_authorizer.go    |   7 +-
 .../aws/resource_aws_api_gateway_method.go    |  60 ++++++--
 .../resource_aws_api_gateway_method_test.go   | 142 +++++++++++++++++-
 .../aws/r/api_gateway_method.html.markdown    |   3 +-
 4 files changed, 200 insertions(+), 12 deletions(-)

diff --git a/builtin/providers/aws/resource_aws_api_gateway_authorizer.go b/builtin/providers/aws/resource_aws_api_gateway_authorizer.go
index 6b00518138..8f881e185c 100644
--- a/builtin/providers/aws/resource_aws_api_gateway_authorizer.go
+++ b/builtin/providers/aws/resource_aws_api_gateway_authorizer.go
@@ -3,6 +3,7 @@ package aws
 import (
 	"fmt"
 	"log"
+	"strings"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/awserr"
@@ -200,7 +201,11 @@ func resourceAwsApiGatewayAuthorizerDelete(d *schema.ResourceData, meta interfac
 	log.Printf("[INFO] Deleting API Gateway Authorizer: %s", input)
 	_, err := conn.DeleteAuthorizer(&input)
 	if err != nil {
-		return fmt.Errorf("Deleting API Gateway Authorizer failed: %s", err)
+		// XXX: Figure out a way to delete the method that depends on the authorizer first
+		// otherwise the authorizer will be dangling until the API is deleted
+		if !strings.Contains(err.Error(), "ConflictException") {
+			return fmt.Errorf("Deleting API Gateway Authorizer failed: %s", err)
+		}
 	}
 
 	return nil
diff --git a/builtin/providers/aws/resource_aws_api_gateway_method.go b/builtin/providers/aws/resource_aws_api_gateway_method.go
index 0f26d634e5..577c44e152 100644
--- a/builtin/providers/aws/resource_aws_api_gateway_method.go
+++ b/builtin/providers/aws/resource_aws_api_gateway_method.go
@@ -46,6 +46,11 @@ func resourceAwsApiGatewayMethod() *schema.Resource {
 				Required: true,
 			},
 
+			"authorizer_id": &schema.Schema{
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+
 			"api_key_required": &schema.Schema{
 				Type:     schema.TypeBool,
 				Optional: true,
@@ -78,10 +83,21 @@ func resourceAwsApiGatewayMethod() *schema.Resource {
 func resourceAwsApiGatewayMethodCreate(d *schema.ResourceData, meta interface{}) error {
 	conn := meta.(*AWSClient).apigateway
 
+	input := apigateway.PutMethodInput{
+		AuthorizationType: aws.String(d.Get("authorization").(string)),
+		HttpMethod:        aws.String(d.Get("http_method").(string)),
+		ResourceId:        aws.String(d.Get("resource_id").(string)),
+		RestApiId:         aws.String(d.Get("rest_api_id").(string)),
+		ApiKeyRequired:    aws.Bool(d.Get("api_key_required").(bool)),
+	}
+
 	models := make(map[string]string)
 	for k, v := range d.Get("request_models").(map[string]interface{}) {
 		models[k] = v.(string)
 	}
+	if len(models) > 0 {
+		input.RequestModels = aws.StringMap(models)
+	}
 
 	parameters := make(map[string]bool)
 	if kv, ok := d.GetOk("request_parameters"); ok {
@@ -92,22 +108,20 @@ func resourceAwsApiGatewayMethodCreate(d *schema.ResourceData, meta interface{})
 				parameters[k] = value
 			}
 		}
+		input.RequestParameters = aws.BoolMap(parameters)
 	}
 	if v, ok := d.GetOk("request_parameters_in_json"); ok {
 		if err := json.Unmarshal([]byte(v.(string)), &parameters); err != nil {
 			return fmt.Errorf("Error unmarshaling request_parameters_in_json: %s", err)
 		}
+		input.RequestParameters = aws.BoolMap(parameters)
 	}
 
-	_, err := conn.PutMethod(&apigateway.PutMethodInput{
-		AuthorizationType: aws.String(d.Get("authorization").(string)),
-		HttpMethod:        aws.String(d.Get("http_method").(string)),
-		ResourceId:        aws.String(d.Get("resource_id").(string)),
-		RestApiId:         aws.String(d.Get("rest_api_id").(string)),
-		RequestModels:     aws.StringMap(models),
-		RequestParameters: aws.BoolMap(parameters),
-		ApiKeyRequired:    aws.Bool(d.Get("api_key_required").(bool)),
-	})
+	if v, ok := d.GetOk("authorizer_id"); ok {
+		input.AuthorizerId = aws.String(v.(string))
+	}
+
+	_, err := conn.PutMethod(&input)
 	if err != nil {
 		return fmt.Errorf("Error creating API Gateway Method: %s", err)
 	}
@@ -138,6 +152,10 @@ func resourceAwsApiGatewayMethodRead(d *schema.ResourceData, meta interface{}) e
 	d.SetId(fmt.Sprintf("agm-%s-%s-%s", d.Get("rest_api_id").(string), d.Get("resource_id").(string), d.Get("http_method").(string)))
 	d.Set("request_parameters", aws.BoolValueMap(out.RequestParameters))
 	d.Set("request_parameters_in_json", aws.BoolValueMap(out.RequestParameters))
+	d.Set("api_key_required", out.ApiKeyRequired)
+	d.Set("authorization_type", out.AuthorizationType)
+	d.Set("authorizer_id", out.AuthorizerId)
+	d.Set("request_models", aws.StringValueMap(out.RequestModels))
 
 	return nil
 }
@@ -184,6 +202,30 @@ func resourceAwsApiGatewayMethodUpdate(d *schema.ResourceData, meta interface{})
 		operations = append(operations, ops...)
 	}
 
+	if d.HasChange("authorization") {
+		operations = append(operations, &apigateway.PatchOperation{
+			Op:    aws.String("replace"),
+			Path:  aws.String("/authorizationType"),
+			Value: aws.String(d.Get("authorization").(string)),
+		})
+	}
+
+	if d.HasChange("authorizer_id") {
+		operations = append(operations, &apigateway.PatchOperation{
+			Op:    aws.String("replace"),
+			Path:  aws.String("/authorizerId"),
+			Value: aws.String(d.Get("authorizer_id").(string)),
+		})
+	}
+
+	if d.HasChange("api_key_required") {
+		operations = append(operations, &apigateway.PatchOperation{
+			Op:    aws.String("replace"),
+			Path:  aws.String("/apiKeyRequired"),
+			Value: aws.String(fmt.Sprintf("%t", d.Get("api_key_required").(bool))),
+		})
+	}
+
 	method, err := conn.UpdateMethod(&apigateway.UpdateMethodInput{
 		HttpMethod:      aws.String(d.Get("http_method").(string)),
 		ResourceId:      aws.String(d.Get("resource_id").(string)),
diff --git a/builtin/providers/aws/resource_aws_api_gateway_method_test.go b/builtin/providers/aws/resource_aws_api_gateway_method_test.go
index 05738affcb..4183838b7d 100644
--- a/builtin/providers/aws/resource_aws_api_gateway_method_test.go
+++ b/builtin/providers/aws/resource_aws_api_gateway_method_test.go
@@ -2,6 +2,7 @@ package aws
 
 import (
 	"fmt"
+	"regexp"
 	"testing"
 
 	"github.com/aws/aws-sdk-go/aws"
@@ -44,12 +45,51 @@ func TestAccAWSAPIGatewayMethod_basic(t *testing.T) {
 	})
 }
 
+func TestAccAWSAPIGatewayMethod_customauthorizer(t *testing.T) {
+	var conf apigateway.Method
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSAPIGatewayMethodDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSAPIGatewayMethodConfigWithCustomAuthorizer,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSAPIGatewayMethodExists("aws_api_gateway_method.test", &conf),
+					testAccCheckAWSAPIGatewayMethodAttributes(&conf),
+					resource.TestCheckResourceAttr(
+						"aws_api_gateway_method.test", "http_method", "GET"),
+					resource.TestCheckResourceAttr(
+						"aws_api_gateway_method.test", "authorization", "CUSTOM"),
+					resource.TestMatchResourceAttr(
+						"aws_api_gateway_method.test", "authorizer_id", regexp.MustCompile("^[a-z0-9]{6}$")),
+					resource.TestCheckResourceAttr(
+						"aws_api_gateway_method.test", "request_models.application/json", "Error"),
+				),
+			},
+
+			resource.TestStep{
+				Config: testAccAWSAPIGatewayMethodConfigUpdate,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSAPIGatewayMethodExists("aws_api_gateway_method.test", &conf),
+					testAccCheckAWSAPIGatewayMethodAttributesUpdate(&conf),
+					resource.TestCheckResourceAttr(
+						"aws_api_gateway_method.test", "authorization", "NONE"),
+					resource.TestCheckResourceAttr(
+						"aws_api_gateway_method.test", "authorizer_id", ""),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckAWSAPIGatewayMethodAttributes(conf *apigateway.Method) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		if *conf.HttpMethod != "GET" {
 			return fmt.Errorf("Wrong HttpMethod: %q", *conf.HttpMethod)
 		}
-		if *conf.AuthorizationType != "NONE" {
+		if *conf.AuthorizationType != "NONE" && *conf.AuthorizationType != "CUSTOM" {
 			return fmt.Errorf("Wrong Authorization: %q", *conf.AuthorizationType)
 		}
 
@@ -154,6 +194,106 @@ func testAccCheckAWSAPIGatewayMethodDestroy(s *terraform.State) error {
 	return nil
 }
 
+const testAccAWSAPIGatewayMethodConfigWithCustomAuthorizer = `
+resource "aws_api_gateway_rest_api" "test" {
+  name = "tf-acc-test-custom-auth"
+}
+
+resource "aws_iam_role" "invocation_role" {
+  name = "tf_acc_api_gateway_auth_invocation_role"
+  path = "/"
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "apigateway.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "invocation_policy" {
+  name = "default"
+  role = "${aws_iam_role.invocation_role.id}"
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "lambda:InvokeFunction",
+      "Effect": "Allow",
+      "Resource": "${aws_lambda_function.authorizer.arn}"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role" "iam_for_lambda" {
+  name = "tf_acc_iam_for_lambda_api_gateway_authorizer"
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_lambda_function" "authorizer" {
+  filename = "test-fixtures/lambdatest.zip"
+  source_code_hash = "${base64sha256(file("test-fixtures/lambdatest.zip"))}"
+  function_name = "tf_acc_api_gateway_authorizer"
+  role = "${aws_iam_role.iam_for_lambda.arn}"
+  handler = "exports.example"
+}
+
+resource "aws_api_gateway_authorizer" "test" {
+  name = "tf-acc-test-authorizer"
+  rest_api_id = "${aws_api_gateway_rest_api.test.id}"
+  authorizer_uri = "arn:aws:apigateway:region:lambda:path/2015-03-31/functions/${aws_lambda_function.authorizer.arn}/invocations"
+  authorizer_credentials = "${aws_iam_role.invocation_role.arn}"
+}
+
+resource "aws_api_gateway_resource" "test" {
+  rest_api_id = "${aws_api_gateway_rest_api.test.id}"
+  parent_id = "${aws_api_gateway_rest_api.test.root_resource_id}"
+  path_part = "test"
+}
+
+resource "aws_api_gateway_method" "test" {
+  rest_api_id = "${aws_api_gateway_rest_api.test.id}"
+  resource_id = "${aws_api_gateway_resource.test.id}"
+  http_method = "GET"
+  authorization = "CUSTOM"
+  authorizer_id = "${aws_api_gateway_authorizer.test.id}"
+
+  request_models = {
+    "application/json" = "Error"
+  }
+
+  request_parameters = {
+    "method.request.header.Content-Type" = false
+	  "method.request.querystring.page" = true
+  }
+}
+`
+
 const testAccAWSAPIGatewayMethodConfig = `
 resource "aws_api_gateway_rest_api" "test" {
   name = "test"
diff --git a/website/source/docs/providers/aws/r/api_gateway_method.html.markdown b/website/source/docs/providers/aws/r/api_gateway_method.html.markdown
index 7d1d097ede..716f2ee629 100644
--- a/website/source/docs/providers/aws/r/api_gateway_method.html.markdown
+++ b/website/source/docs/providers/aws/r/api_gateway_method.html.markdown
@@ -39,7 +39,8 @@ The following arguments are supported:
 * `rest_api_id` - (Required) The ID of the associated REST API
 * `resource_id` - (Required) The API resource ID
 * `http_method` - (Required) The HTTP Method (`GET`, `POST`, `PUT`, `DELETE`, `HEAD`, `OPTION`)
-* `authorization` - (Required) The type of authorization used for the method
+* `authorization` - (Required) The type of authorization used for the method (`NONE`, `CUSTOM`)
+* `authorizer_id` - (Optional) The authorizer id to be used when the authorization is `CUSTOM`
 * `api_key_required` - (Optional) Specify if the method requires an API key
 * `request_models` - (Optional) A map of the API models used for the request's content type
   where key is the content type (e.g. `application/json`)