search

hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/
Other
42.49k stars 9.51k forks source link

api_key_required not working, AWS API Gateway #6942

Closed cvandonderen closed 7 years ago

cvandonderen commented 8 years ago

Terraform Version

0.6.16

Affected Resource(s)

aws_api_gateway_method

Behavior

I have added api_key_required = "true" to my aws_api_gateway_method configuration. When running terraform show after applying I see api_key_required = true, But when looking in the AWS console, or when running aws apigateway get-method apiKeyRequired is set to false.

sharmaansh21 commented 8 years ago

@cvandonderen Can you please provide your template, so i can replicate it exactly.

mvantellingen commented 8 years ago

I run into the same issue:

The template is:

resource "aws_iam_role" "lambda_apigateway" {
  name = "lambda_apigateway"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy" "lambda_apigateway_invoke" {
  name = "lambda_apigateway_invoke"
  role = "${aws_iam_role.lambda_apigateway.id}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Action": [
        "lambda:InvokeFunction"
      ]
    }
  ]
}
EOF
}

resource "aws_api_gateway_rest_api" "webhooks" {
  name        = "Webhooks"
  description = "Webhooks"
}

resource "aws_api_gateway_resource" "sandbox_deploy" {
  parent_id   = "${aws_api_gateway_rest_api.webhooks.root_resource_id}"
  path_part   = "deploy"
  rest_api_id = "${aws_api_gateway_rest_api.webhooks.id}"
}

resource "aws_api_gateway_method" "sandbox_deploy_post" {
  rest_api_id      = "${aws_api_gateway_rest_api.webhooks.id}"
  resource_id      = "${aws_api_gateway_resource.sandbox_deploy.id}"
  http_method      = "POST"
  authorization    = "NONE"
  api_key_required = true
}

resource "aws_api_gateway_method_response" "sandbox_deploy_post_200" {
  rest_api_id = "${aws_api_gateway_rest_api.webhooks.id}"
  resource_id = "${aws_api_gateway_resource.sandbox_deploy.id}"
  http_method = "POST"
  status_code = "200"
}

resource "aws_api_gateway_integration" "sandbox_deploy_post" {
  rest_api_id             = "${aws_api_gateway_rest_api.webhooks.id}"
  resource_id             = "${aws_api_gateway_resource.sandbox_deploy.id}"
  http_method             = "${aws_api_gateway_method.sandbox_deploy_post.http_method}"
  integration_http_method = "POST"
  type                    = "AWS"
  uri                     = "arn:aws:apigateway:eu-west-1:lambda:path/2015-03-31/functions/${aws_lambda_function.deployment.arn}/invocations"
  credentials             = "${aws_iam_role.lambda_apigateway.arn}"
}

resource "aws_api_gateway_integration_response" "sandbox_deploy_post_200" {
  rest_api_id = "${aws_api_gateway_rest_api.webhooks.id}"
  resource_id = "${aws_api_gateway_resource.sandbox_deploy.id}"
  http_method = "${aws_api_gateway_method.sandbox_deploy_post.http_method}"
  status_code = "${aws_api_gateway_method_response.sandbox_deploy_post_200.status_code}"
}
Ninir commented 7 years ago

Hi @cvandonderen

Just tried it with Terraform 0.7.13 and it works like a charm.

Here is the configuration I used (the one you provided didn't work as there isn't the lambda):

resource "aws_iam_role" "lambda_apigateway" {
  name = "lambda_apigateway"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy" "lambda_apigateway_invoke" {
  name = "lambda_apigateway_invoke"
  role = "${aws_iam_role.lambda_apigateway.id}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Action": [
        "lambda:InvokeFunction"
      ]
    }
  ]
}
EOF
}

resource "aws_api_gateway_rest_api" "webhooks" {
  name        = "Webhooks"
  description = "Webhooks"
}

resource "aws_api_gateway_resource" "sandbox_deploy" {
  parent_id   = "${aws_api_gateway_rest_api.webhooks.root_resource_id}"
  path_part   = "deploy"
  rest_api_id = "${aws_api_gateway_rest_api.webhooks.id}"
}

resource "aws_api_gateway_method" "sandbox_deploy_post" {
  rest_api_id      = "${aws_api_gateway_rest_api.webhooks.id}"
  resource_id      = "${aws_api_gateway_resource.sandbox_deploy.id}"
  http_method      = "POST"
  authorization    = "NONE"
  api_key_required = true
}

resource "aws_api_gateway_method_response" "sandbox_deploy_post_200" {
  rest_api_id = "${aws_api_gateway_rest_api.webhooks.id}"
  resource_id = "${aws_api_gateway_resource.sandbox_deploy.id}"
  http_method = "POST"
  status_code = "200"
}

resource "aws_lambda_function" "deployment" {
    filename = "lambdatest.zip"
    function_name = "mylambda"
    role = "${aws_iam_role.test.arn}"
    handler = "exports.example"
}

resource "aws_iam_role_policy" "iam_policy_for_lambda" {
    name = "iam_policy_for_lambda"
    role = "${aws_iam_role.test.id}"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ],
        "Resource": "arn:aws:logs:*:*:*"
    }
  ]
}
EOF
}

resource "aws_iam_role" "test" {
    name = "test2"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_api_gateway_integration" "sandbox_deploy_post" {
  rest_api_id             = "${aws_api_gateway_rest_api.webhooks.id}"
  resource_id             = "${aws_api_gateway_resource.sandbox_deploy.id}"
  http_method             = "${aws_api_gateway_method.sandbox_deploy_post.http_method}"
  integration_http_method = "POST"
  type                    = "AWS"
  uri                     = "arn:aws:apigateway:eu-west-1:lambda:path/2015-03-31/functions/${aws_lambda_function.deployment.arn}/invocations"
  credentials             = "${aws_iam_role.lambda_apigateway.arn}"
}

resource "aws_api_gateway_integration_response" "sandbox_deploy_post_200" {
  depends_on = ["aws_api_gateway_integration.sandbox_deploy_post"]
  rest_api_id = "${aws_api_gateway_rest_api.webhooks.id}"
  resource_id = "${aws_api_gateway_resource.sandbox_deploy.id}"
  http_method = "${aws_api_gateway_method.sandbox_deploy_post.http_method}"
  status_code = "${aws_api_gateway_method_response.sandbox_deploy_post_200.status_code}"
}

I also checked on the console and the update works fine, i.e. passing from true to false and vice versa.

Could you check it and tell us how it goes?

Thanks :)

Ninir commented 7 years ago

@stack72 This seems like a non-issue anymore. What do you think?

stack72 commented 7 years ago

Hi all

A LOT of work has been added to the api_gateway resources. I cannot recreate this issue I'm afraid. I am going to close it out in the believe it is fixed

If you are still getting this with the 0.9.2 release, then please do let me know and we can look at it with immediate focus

Thanks

Paul

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.