Home > Software engineering >  How to enable API Gateway endpoint Authorization flag to use AWS Cognito user pool - using Terraform
How to enable API Gateway endpoint Authorization flag to use AWS Cognito user pool - using Terraform

Time:11-28

I am trying to enable the Authorization Flag and Enable OAuth scope directly from API JSON definition deployed through Terraform. Although I am able to attach Cognito to the API Gateway as the Authorizer but not able to enable the endpoints with it using terraform (Please see the attached screenshot).

#Screenshot

enter image description here

Here's the attached code for API Gateway:

#Create API Gateway
resource "aws_api_gateway_rest_api" "manidemoapi" {
  name = "manidemoapi"
  body = <<EOF
    {
  "openapi": "3.0.1",
  "info": {
    "title": "Example Pet Store",
    "description": "A Pet Store API.",
    "version": "1.0"
  },
  "paths": {
    "/pets": {
      "get": {
        "operationId": "GET HTTP",
        "parameters": [
          {
            "name": "type",
            "in": "query",
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "page",
            "in": "query",
            "schema": {
              "type": "string"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "200 response",
            "headers": {
              "Access-Control-Allow-Origin": {
                "schema": {
                  "type": "string"
                }
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/Pets"
                }
              }
            }
          }
        },
        "x-amazon-apigateway-integration": {
          "type": "HTTP_PROXY",
          "httpMethod": "GET",
          "uri": "http://petstore.execute-api.us-west-1.amazonaws.com/petstore/pets",
          "payloadFormatVersion": 1.0
        }
      },
      "post": {
        "operationId": "Create Pet",
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/NewPet"
              }
            }
          },
          "required": true
        },
        "responses": {
          "200": {
            "description": "200 response",
            "headers": {
              "Access-Control-Allow-Origin": {
                "schema": {
                  "type": "string"
                }
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/NewPetResponse"
                }
              }
            }
          }
        },
        "x-amazon-apigateway-integration": {
          "type": "HTTP_PROXY",
          "httpMethod": "POST",
          "uri": "http://petstore.execute-api.us-west-1.amazonaws.com/petstore/pets",
          "payloadFormatVersion": 1.0
        }
      }
    },
    "/pets/{petId}": {
      "get": {
        "operationId": "Get Pet",
        "parameters": [
          {
            "name": "petId",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "200 response",
            "headers": {
              "Access-Control-Allow-Origin": {
                "schema": {
                  "type": "string"
                }
              }
            },
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/Pet"
                }
              }
            }
          }
        },        
        "x-amazon-apigateway-integration": {
          "type": "HTTP_PROXY",
          "httpMethod": "GET",
          "uri": "http://petstore.execute-api.us-west-1.amazonaws.com/petstore/pets/{petId}",
          "payloadFormatVersion": 1.0
        }
      }
    }
  },
  "x-amazon-apigateway-cors": {
    "allowOrigins": [
      "*"
    ],
    "security" : [ {
          "manicognito-authorizer" : [ "get_details" ]
        } ],
    "allowMethods": [
      "GET",
      "OPTIONS",
      "POST"
    ],
    "allowHeaders": [
      "x-amzm-header",
      "x-apigateway-header",
      "x-api-key",
      "authorization",
      "x-amz-date",
      "content-type"
    ]
  },
  "components": {
    "securitySchemes" : {
      "manicognito-authorizer" : {
        "type" : "apiKey",
        "name" : "Authorization",
        "in" : "header",
        "x-amazon-apigateway-authtype" : "cognito_user_pools"
      }
    },
    "schemas": {
      "Pets": {
        "type": "array",
        "items": {
          "$ref": "#/components/schemas/Pet"
        }
      },
      "Empty": {
        "type": "object"
      },
      "NewPetResponse": {
        "type": "object",
        "properties": {
          "pet": {
            "$ref": "#/components/schemas/Pet"
          },
          "message": {
            "type": "string"
          }
        }
      },
      "Pet": {
        "type": "object",
        "properties": {
          "id": {
            "type": "string"
          },
          "type": {
            "type": "string"
          },
          "price": {
            "type": "number"
          }
        }
      },
      "NewPet": {
        "type": "object",
        "properties": {
          "type": {
            "$ref": "#/components/schemas/PetType"
          },
          "price": {
            "type": "number"
          }
        }
      },
      "PetType": {
        "type": "string",
        "enum": [
          "dog",
          "cat",
          "fish",
          "bird",
          "gecko"
        ]
      }
    }
  }
}
  EOF
  endpoint_configuration {
    types = ["REGIONAL"]
  }
}

#Deploy API Gateway
resource "aws_api_gateway_deployment" "manidemoapi" {
  rest_api_id = aws_api_gateway_rest_api.manidemoapi.id

  triggers = {
    redeployment = sha1(jsonencode(aws_api_gateway_rest_api.manidemoapi.body))
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_api_gateway_stage" "manidemoapi" {
  deployment_id = aws_api_gateway_deployment.manidemoapi.id
  rest_api_id   = aws_api_gateway_rest_api.manidemoapi.id
  stage_name    = "manidemoapi-dev"
}

resource "aws_api_gateway_authorizer" "manidemoapi" {
  name                   = "manicognito-authorizer"
  type                   = "COGNITO_USER_POOLS"
  rest_api_id            = aws_api_gateway_rest_api.manidemoapi.id
  provider_arns          = [aws_cognito_user_pool.pool.arn]
}

CodePudding user response:

The root problem is that authorization is "method-scoped", i.e. you have to specify the authorizer for each API method. You should add a terraform resource "aws_api_gateway_method" as the following:

resource "aws_api_gateway_method" "default" {
  http_method   = <http-method>
  authorization = "COGNITO_USER_POOLS"
  authorizer_id = <your-authorizer-id>
  resource_id   = <resource-id>
  rest_api_id   = <rest-api-id>
}

However, since you are using OpenAPI Specification approach rather than Terraform resource approach to define Terraform, you may need to consider to transform your template to the latter approach.

  • Related