terraform-aws-modules / terraform-aws-apigateway-v2

Terraform module to create AWS API Gateway v2 (HTTP/WebSocket) 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/apigateway-v2/aws
Apache License 2.0

JWT authorizer created but is not attachable, terraform gives error #91

Closed askaribragimov closed 9 months ago

askaribragimov commented 10 months ago

Description

Trying to use this code (concern is about the authorizer):

module "api_gateway" {
  source  = "terraform-aws-modules/apigateway-v2/aws"
  version = "~> 2.2.2"

  name          = local.api_gateway_name
  description   = " App - ${var.environment_name}"
  protocol_type = "HTTP"

  cors_configuration = {
    allow_headers = [
      "content-type",
      "x-amz-date",
      "authorization",
      "x-api-key",
      "x-amz-security-token",
      "x-amz-user-agent"
    ]
    allow_methods = [
      "*"
    ]
    allow_origins = [
      "*"
    ]
  }

  # Custom domain
  create_api_domain_name      = true
  domain_name                 = local.apigw_full_dns_name
  domain_name_certificate_arn = module.acm.acm_certificate_arn

  # Access logs
  default_stage_access_log_destination_arn = aws_cloudwatch_log_group.api-layer-log-group.arn
  default_stage_access_log_format          = "$context.identity.sourceIp - - [$context.requestTime] \"$context.httpMethod $context.routeKey $context.protocol\" $context.status $context.responseLength $context.requestId $context.integrationErrorMessage"

  # Routes and integrations.
  integrations = {

    "POST /apimethod" = {
      integration_type        = "AWS_PROXY"
      integration_http_method = "POST"
      payload_format_version  = "2.0"
      lambda_arn              = module.lambda_billing_use_credits.lambda_function_qualified_arn
      credentials_arn         = aws_iam_role.api_gateway_credentials_call_lambda.arn
      authorizer_key          = "user_pool"
    }

  }
  tags        = var.tags
  authorizers = {
    # see https://aws.amazon.com/ru/blogs/security/how-to-secure-api-gateway-http-endpoints-with-jwt-authorizer/.
    "user_pool" = {
      authorizer_type  = "JWT"
      identity_sources = ["$request.header.Authorization"]
      name             = "${local.env}-apigw-userpool-jwt-authorizer-int"
      audience         = [aws_cognito_user_pool_client.cognito.id]
      issuer           = "https://${aws_cognito_user_pool.users.endpoint}"
    }
  }
}

The authorizer is created, but I get the error:

 Error: updating API Gateway v2 route (xgwpui1): BadRequestException: Unable to update route. Authorizer type is invalid or null.

The same authorizer is easily attached via Console, after which Terraform sees no changes to be made.

⚠️ Note

Before you submit an issue, please perform the following first:

  1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
  2. Re-initialize the project root to pull down modules: terraform init
  3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

Reproduction Code [Required]

Steps to reproduce the behavior:

Latest versions of provider and module were used.

Expected behavior

JWT authorizer is attached as shown in your documentation example.

I remind you that in your readme you have

    "GET /some-route-with-authorizer" = {
      integration_type = "HTTP_PROXY"
      integration_uri  = "some url"
      authorizer_key   = "azure"
    }

    "$default" = {
      lambda_arn = "arn:aws:lambda:eu-west-1:052235179155:function:my-default-function"
    }
  }

  authorizers = {
    "azure" = {
      authorizer_type  = "JWT"
      identity_sources = "$request.header.Authorization"
      name             = "azure-auth"
      audience         = ["d6a38afd-45d6-4874-d1aa-3c5c558aqcc2"]
      issuer           = "https://sts.windows.net/aaee026e-8f37-410e-8869-72d9154873e4/"
    }
  }

Actual behavior

JWT authorizer is created OK but is not attached as expected

Terminal Output Screenshot(s)

Additional context

askaribragimov commented 10 months ago

UPD: solved by using this advice https://github.com/hashicorp/terraform-provider-aws/issues/17497

added

  integrations = {
    ...
    "POST /apimethod" = {
      ...
      authorization_type = "JWT" // added
      authorizer_key     = "user_pool"
    }
  }

(authorizer_type = "JWT" still has to be present but it does not do the right thing anyway!)

So it might be necessary to add to the plugin the need to specify authorization_type using authorizer_type from the "authorizers" block
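The failure mode in this thread is an authorizer that exists but is attached to no route, so the endpoint answers without a token. As an added example (not from the issue or the module), this audit cross-checks the JSON that `aws apigatewayv2 get-routes` and `aws apigatewayv2 get-authorizers` return; the two payloads below are constructed samples, and the route/authorizer names and IDs in them are placeholders.

```python
"""Flag API Gateway v2 routes that lack authorization and authorizers no route uses.

Input is the JSON shape returned by `aws apigatewayv2 get-routes` and
`aws apigatewayv2 get-authorizers`; no AWS calls are made here.
"""
import json

# Constructed sample: routes after an apply that set authorizer_key but not
# authorization_type (the misconfiguration described in this issue).
ROUTES_JSON = """{"Items": [
  {"RouteId": "xgwpui1", "RouteKey": "POST /apimethod",
   "AuthorizationType": "NONE", "Target": "integrations/abc123"},
  {"RouteId": "r2def45", "RouteKey": "GET /public-health",
   "AuthorizationType": "NONE", "Target": "integrations/def456"}
]}"""

# Constructed sample: the JWT authorizer that Terraform did create.
AUTHORIZERS_JSON = """{"Items": [
  {"AuthorizerId": "auth001", "AuthorizerType": "JWT",
   "Name": "dev-apigw-userpool-jwt-authorizer-int"}
]}"""

# Routes that are intentionally anonymous (hypothetical allowlist).
PUBLIC_ALLOWLIST = frozenset({"GET /public-health"})


def audit(routes_json, authorizers_json, allowlist=frozenset()):
    """Return (unprotected_route_keys, orphan_authorizer_names), both sorted."""
    routes = json.loads(routes_json)["Items"]
    authorizers = json.loads(authorizers_json)["Items"]

    # Authorizers that no route references: the exact symptom in this issue.
    attached = {r["AuthorizerId"] for r in routes if r.get("AuthorizerId")}
    orphans = sorted(a["Name"] for a in authorizers if a["AuthorizerId"] not in attached)

    # Routes with AuthorizationType NONE, or a JWT/CUSTOM type with no AuthorizerId.
    unprotected = sorted(
        r["RouteKey"] for r in routes
        if r["RouteKey"] not in allowlist
        and (r.get("AuthorizationType", "NONE") == "NONE"
             or (r["AuthorizationType"] in ("JWT", "CUSTOM") and not r.get("AuthorizerId")))
    )
    return unprotected, orphans


if __name__ == "__main__":
    bad_routes, orphan_auths = audit(ROUTES_JSON, AUTHORIZERS_JSON, PUBLIC_ALLOWLIST)
    print("unprotected routes:", bad_routes)      # ['POST /apimethod']
    print("unattached authorizers:", orphan_auths)  # ['dev-apigw-userpool-jwt-authorizer-int']
```

Running it against a real API (`--api-id` output piped into the two strings) after `terraform apply` catches the route the console had to fix by hand in this issue.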

github-actions[bot] commented 9 months ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove the stale label or comment, or this issue will be closed in 10 days.

github-actions[bot] commented 9 months ago

This issue was automatically closed because of stale in 10 days

github-actions[bot] commented 8 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.