Authorizer created but fails to attach to route

WojciechTF commented 2 weeks ago

Description

Running the below code creates the authorizer (you can see and manage it) but it does not attach it to the route. I have tried using the previous suggested fixes by adding authorization_type = "REQUEST" to the route section but it still doesnt work.

[X ] ✋ I have searched the open/closed issues and my issue is not listed.

Versions

Module version [Required]:
Terraform version: 1.8.5
Provider version(s):
provider registry.terraform.io/hashicorp/archive v2.4.2
provider registry.terraform.io/hashicorp/aws v5.53.0
provider registry.terraform.io/hashicorp/external v2.3.3
provider registry.terraform.io/hashicorp/local v2.5.1
provider registry.terraform.io/hashicorp/null v3.2.2

Reproduction Code [Required]

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
  required_version = ">= 1.8.0"
}

# simple lambda - save to index.mjs

# export const handler =  function(event, context, callback) {
#     console.log(event);
# };

resource "local_file" "index" {
  content  = <<EOF
export const handler =  function(event, context, callback) {
     console.log(event);
 };
EOF
  filename = "${path.module}/index.js"
}

data "archive_file" "lambda" {
    depends_on = [ local_file.index ]
  type        = "zip"
  source_file = "${path.module}/index.js"
  output_path = "${path.module}/lambda_function_payload.zip"
}

module "lambda_function" {
  source  = "terraform-aws-modules/lambda/aws"
  version = "~> 7.5"

  function_name = "bug-test"
  description   = "Authorizer test"
  handler       = "index.handler"
  runtime       = "nodejs20.x"
  architectures = ["x86_64"]
  publish       = true

  create_package    = false
  local_existing_package = "${path.module}/lambda_function_payload.zip"

  cloudwatch_logs_retention_in_days = 7

    create_role = true

    // when publish = false we must skip current ver
    create_current_version_allowed_triggers = false

  allowed_triggers = {
    AllowExecutionFromAPIGateway = {
      service    = "apigateway"
      source_arn = "${module.authorizer-bug-api-gwy.api_execution_arn}/*/*"
    }
  }
}

data "aws_iam_policy" "full_sqs_policy" {
    arn = "arn:aws:iam::aws:policy/AmazonSQSFullAccess"
}

data "aws_iam_policy" "apigwy_cloudwatchlogs_policy" {
    arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
}

resource "aws_iam_role" "apigateway_service_role" {
  name = "Test-APIGWY-ServiceRole"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "full_sqs_policy_attach" {
   role       = "${aws_iam_role.apigateway_service_role.name}"
   policy_arn = "${data.aws_iam_policy.full_sqs_policy.arn}"
}

resource "aws_iam_role_policy_attachment" "apigwy_cloudwatchlogs_policy_attach" {
   role       = "${aws_iam_role.apigateway_service_role.name}"
   policy_arn = "${data.aws_iam_policy.apigwy_cloudwatchlogs_policy.arn}"
}

module "authorizer-bug-api-gwy" {
    source  = "terraform-aws-modules/apigateway-v2/aws"
    version = "~> 5.0"

    name = "BugTest"

    create_certificate = false
    create_domain_name = false
    create_domain_records = false
    create_stage = false

    // once we set up domain - this should be enabled
    //disable_execute_api_endpoint = true

    routes = {

        "POST /updatetest" = {
            integration = {
                type            = "AWS_PROXY"
                subtype         = "SQS-SendMessage"
                credentials_arn = "${aws_iam_role.apigateway_service_role.arn}"

                request_parameters = {
                    "QueueUrl"    = "$request.header.queueUrl"
                    "MessageBody" = "$request.body.message" 
                }

                payload_format_version  = "1.0"
                timeout_milliseconds    = 12000
                authorization_type      = "REQUEST"
                authorizer_key          = "hackyAuth"
            }
        }

    }

    authorizers = {
        hackyAuth = {
            authorizer_type  = "REQUEST"
            identity_sources = ["$request.header.Authorization"]
            name             = "HackyAuth"
            authorizer_payload_format_version = "2.0"

            authorizer_uri = "${module.lambda_function.lambda_function_invoke_arn}"
        }
    }  

}

Steps to reproduce the behavior:

terraform init && terraform apply

No Yes init && apply ## Expected behavior I need to attach the lambda authorizer to the gwy route ## Actual behavior authorizer is created but not attached - aws console verified

antonbabenko commented 2 weeks ago

You should move these from the integration key one level up to the "POST /updatetest":

authorization_type      = "REQUEST"
authorizer_key          = "hackyAuth"

See this example: https://github.com/terraform-aws-modules/terraform-aws-apigateway-v2/blob/6af44f5a90192660e519a3579fa81a7f2c73107d/examples/complete-http/main.tf#L74-L75

WojciechTF commented 2 weeks ago

Ugh... Thank you - that worked.

One clarification, had to change the type to "CUSTOM"

terraform-aws-modules / terraform-aws-apigateway-v2