Resource: awsApiGatewayAuthorizer
Provides an API Gateway Authorizer.
Example Usage
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";

// The REST API the authorizer is attached to.
const awsApiGatewayRestApiDemo = new aws.apiGatewayRestApi.ApiGatewayRestApi(
  this,
  "demo",
  {
    name: "auth-demo",
  }
);

// Trust policy that lets the API Gateway service assume the invocation role.
const dataAwsIamPolicyDocumentInvocationAssumeRole =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "invocation_assume_role",
    {
      statement: [
        {
          actions: ["sts:AssumeRole"],
          effect: "Allow",
          principals: [
            {
              identifiers: ["apigateway.amazonaws.com"],
              type: "Service",
            },
          ],
        },
      ],
    }
  );

// Role that API Gateway assumes to invoke the authorizer (authorizerCredentials).
const awsIamRoleInvocationRole = new aws.iamRole.IamRole(
  this,
  "invocation_role",
  {
    assumeRolePolicy: dataAwsIamPolicyDocumentInvocationAssumeRole.json,
    name: "api_gateway_auth_invocation",
    path: "/",
  }
);

// Trust policy that lets the Lambda service assume the function's execution role.
const dataAwsIamPolicyDocumentLambdaAssumeRole =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "lambda_assume_role",
    {
      statement: [
        {
          actions: ["sts:AssumeRole"],
          effect: "Allow",
          principals: [
            {
              identifiers: ["lambda.amazonaws.com"],
              type: "Service",
            },
          ],
        },
      ],
    }
  );

const awsIamRoleLambda = new aws.iamRole.IamRole(this, "lambda", {
  assumeRolePolicy: dataAwsIamPolicyDocumentLambdaAssumeRole.json,
  name: "demo-lambda",
});

// The Lambda function that implements the authorizer logic.
const awsLambdaFunctionAuthorizer = new aws.lambdaFunction.LambdaFunction(
  this,
  "authorizer",
  {
    filename: "lambda-function.zip",
    functionName: "api_gateway_authorizer",
    handler: "exports.example",
    role: awsIamRoleLambda.arn,
    sourceCodeHash: '${filebase64sha256("lambda-function.zip")}',
  }
);

// The invocation role may invoke only this one function (least privilege).
const dataAwsIamPolicyDocumentInvocationPolicy =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "invocation_policy",
    {
      statement: [
        {
          actions: ["lambda:InvokeFunction"],
          effect: "Allow",
          resources: [awsLambdaFunctionAuthorizer.arn],
        },
      ],
    }
  );

const awsApiGatewayAuthorizerDemo =
  new aws.apiGatewayAuthorizer.ApiGatewayAuthorizer(this, "demo_7", {
    authorizerCredentials: awsIamRoleInvocationRole.arn,
    authorizerUri: awsLambdaFunctionAuthorizer.invokeArn,
    name: "demo",
    restApiId: awsApiGatewayRestApiDemo.id,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsApiGatewayAuthorizerDemo.overrideLogicalId("demo");

const awsIamRolePolicyInvocationPolicy = new aws.iamRolePolicy.IamRolePolicy(
  this,
  "invocation_policy_8",
  {
    name: "default",
    policy: dataAwsIamPolicyDocumentInvocationPolicy.json,
    role: awsIamRoleInvocationRole.id,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamRolePolicyInvocationPolicy.overrideLogicalId("invocation_policy");
Argument Reference
The following arguments are supported:
- authorizerUri - (Optional, required for type TOKEN/REQUEST) Authorizer's Uniform Resource Identifier (URI). This must be a well-formed Lambda function URI in the form of arn:aws:apigateway:{region}:lambda:path/{serviceApi}, e.g., arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:012345678912:function:myFunction/invocations
- name - (Required) Name of the authorizer.
- restApiId - (Required) ID of the associated REST API.
- identitySource - (Optional) Source of the identity in an incoming request. Defaults to method.request.header.Authorization. For the REQUEST type, this may be a comma-separated list of values, including headers, query string parameters and stage variables, e.g., "method.request.header.SomeHeaderName,method.request.querystring.SomeQueryStringName,stageVariables.SomeStageVariableName".
- type - (Optional) Type of the authorizer. Possible values are TOKEN for a Lambda function using a single authorization token submitted in a custom header, REQUEST for a Lambda function using incoming request parameters, or COGNITO_USER_POOLS for using an Amazon Cognito user pool. Defaults to TOKEN.
- authorizerCredentials - (Optional) Credentials required for the authorizer. To specify an IAM Role for API Gateway to assume, use the IAM Role ARN.
- authorizerResultTtlInSeconds - (Optional) TTL of cached authorizer results in seconds. Defaults to 300.
- identityValidationExpression - (Optional) Validation expression for the incoming identity. For the TOKEN type, this value should be a regular expression. The incoming token from the client is matched against this expression, and the request proceeds only if the token matches. If the token doesn't match, the client receives a 401 Unauthorized response without the authorizer being invoked.
- providerArns - (Optional, required for type COGNITO_USER_POOLS) List of the Amazon Cognito user pool ARNs. Each element is of this format: arn:aws:cognito-idp:{region}:{accountId}:userpool/{userPoolId}.
Attributes Reference
In addition to all arguments above, the following attributes are exported:
- arn - ARN of the API Gateway Authorizer.
- id - Authorizer identifier.
Import
AWS API Gateway Authorizer can be imported using the restApiId/authorizerId, e.g.,