Resource: awsApiGatewayAuthorizer

Provides an API Gateway Authorizer.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsApiGatewayRestApiDemo = new aws.apiGatewayRestApi.ApiGatewayRestApi(
  this,
  "demo",
  {
    name: "auth-demo",
  }
);
// Trust policy letting API Gateway assume the invocation role (the role passed as authorizerCredentials).
const dataAwsIamPolicyDocumentInvocationAssumeRole =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "invocation_assume_role",
    {
      statement: [
        {
          actions: ["sts:AssumeRole"],
          effect: "Allow",
          principals: [
            {
              identifiers: ["apigateway.amazonaws.com"],
              type: "Service",
            },
          ],
        },
      ],
    }
  );
const awsIamRoleInvocationRole = new aws.iamRole.IamRole(
  this,
  "invocation_role",
  {
    assumeRolePolicy: dataAwsIamPolicyDocumentInvocationAssumeRole.json,
    name: "api_gateway_auth_invocation",
    path: "/",
  }
);
// Trust policy for the authorizer Lambda's own execution role.
const dataAwsIamPolicyDocumentLambdaAssumeRole =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "lambda_assume_role",
    {
      statement: [
        {
          actions: ["sts:AssumeRole"],
          effect: "Allow",
          principals: [
            {
              identifiers: ["lambda.amazonaws.com"],
              type: "Service",
            },
          ],
        },
      ],
    }
  );
const awsIamRoleLambda = new aws.iamRole.IamRole(this, "lambda", {
  assumeRolePolicy: dataAwsIamPolicyDocumentLambdaAssumeRole.json,
  name: "demo-lambda",
});
const awsLambdaFunctionAuthorizer = new aws.lambdaFunction.LambdaFunction(
  this,
  "authorizer",
  {
    filename: "lambda-function.zip",
    functionName: "api_gateway_authorizer",
    handler: "exports.example",
    role: awsIamRoleLambda.arn,
    sourceCodeHash: '${filebase64sha256("lambda-function.zip")}',
  }
);
const dataAwsIamPolicyDocumentInvocationPolicy =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "invocation_policy",
    {
      statement: [
        {
          actions: ["lambda:InvokeFunction"],
          effect: "Allow",
          resources: [awsLambdaFunctionAuthorizer.arn],
        },
      ],
    }
  );
const awsApiGatewayAuthorizerDemo =
  new aws.apiGatewayAuthorizer.ApiGatewayAuthorizer(this, "demo_7", {
    authorizerCredentials: awsIamRoleInvocationRole.arn,
    authorizerUri: awsLambdaFunctionAuthorizer.invokeArn,
    name: "demo",
    restApiId: awsApiGatewayRestApiDemo.id,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsApiGatewayAuthorizerDemo.overrideLogicalId("demo");
const awsIamRolePolicyInvocationPolicy = new aws.iamRolePolicy.IamRolePolicy(
  this,
  "invocation_policy_8",
  {
    name: "default",
    policy: dataAwsIamPolicyDocumentInvocationPolicy.json,
    role: awsIamRoleInvocationRole.id,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamRolePolicyInvocationPolicy.overrideLogicalId("invocation_policy");

Argument Reference

The following arguments are supported:

  • authorizerUri - (Optional, required for type TOKEN/REQUEST) Authorizer's Uniform Resource Identifier (URI). This must be a well-formed Lambda function URI in the form of arn:aws:apigateway:{region}:lambda:path/{serviceApi}, e.g., arn:aws:apigateway:us-west-2:lambda:path/20150331/functions/arn:aws:lambda:us-west-2:012345678912:function:myFunction/invocations
  • name - (Required) Name of the authorizer
  • restApiId - (Required) ID of the associated REST API
  • identitySource - (Optional) Source of the identity in an incoming request. Defaults to method.request.header.Authorization. For the REQUEST type, this may be a comma-separated list of values, including headers, query string parameters and stage variables, e.g., "method.request.header.SomeHeaderName,method.request.querystring.SomeQueryStringName,stageVariables.SomeStageVariableName"
  • type - (Optional) Type of the authorizer. Possible values are TOKEN for a Lambda function using a single authorization token submitted in a custom header, REQUEST for a Lambda function using incoming request parameters, or COGNITO_USER_POOLS for using an Amazon Cognito user pool. Defaults to TOKEN.
  • authorizerCredentials - (Optional) Credentials required for the authorizer. To specify an IAM Role for API Gateway to assume, use the IAM Role ARN.
  • authorizerResultTtlInSeconds - (Optional) TTL of cached authorizer results in seconds. Defaults to 300.
  • identityValidationExpression - (Optional) Validation expression for the incoming identity. For token type, this value should be a regular expression. The incoming token from the client is matched against this expression, and will proceed if the token matches. If the token doesn't match, the client receives a 401 Unauthorized response.
  • providerArns - (Optional, required for type COGNITO_USER_POOLS) List of the Amazon Cognito user pool ARNs. Each element is of this format: arn:aws:cognito-idp:{region}:{accountId}:userpool/{userPoolId}.
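The resource above only wires API Gateway to a Lambda; the Lambda itself must return the execute-api policy that the TOKEN/REQUEST types, identityValidationExpression and authorizerResultTtlInSeconds arguments refer to. This is an added example of such a TOKEN-type handler, not code from the provider docs; the token table is a constructed stand-in for real credential verification (e.g. checking a JWT signature against the issuer's keys).

```javascript
"use strict";
// Added example: minimal TOKEN-type Lambda authorizer. API Gateway invokes it
// with { type: "TOKEN", authorizationToken, methodArn } and expects back an IAM
// policy for execute-api:Invoke plus a principalId. Everything here that is
// not part of that contract (the token table, the role names) is constructed.
const KNOWN_TOKENS = new Map([ // constructed sample data; use a Map so lookups
  ["tok-reader-1", { principalId: "reader", allow: ["GET/*"] }], // of "constructor" etc.
  ["tok-admin-1", { principalId: "admin", allow: ["*/*"] }],     // cannot hit Object.prototype
]);

// methodArn looks like arn:aws:execute-api:REGION:ACCOUNT:API-ID/STAGE/VERB/PATH.
// Everything before VERB is the stage prefix the returned policy is scoped to.
function stagePrefix(methodArn) {
  const parts = String(methodArn || "").split("/");
  if (parts.length < 4 || !parts[0].startsWith("arn:aws:execute-api:")) {
    throw new Error("Unauthorized"); // malformed event: API Gateway returns 401
  }
  return `${parts[0]}/${parts[1]}`;
}

function buildAuthResponse(event) {
  // identityValidationExpression can pre-filter this shape before the Lambda
  // is even invoked; the handler still re-checks it.
  const m = /^Bearer\s+(\S+)$/.exec(event.authorizationToken || "");
  if (event.type !== "TOKEN" || !m) throw new Error("Unauthorized"); // 401
  const entry = KNOWN_TOKENS.get(m[1]);
  const prefix = stagePrefix(event.methodArn);
  // The Allow/Deny policy is cached for authorizerResultTtlInSeconds, keyed on
  // the token, so scope Resource to everything this caller may invoke in the
  // stage; scoping only to event.methodArn would make cached results 403 other
  // methods. Unknown tokens get an explicit Deny (403), never a missing policy.
  const statement = entry
    ? { Action: "execute-api:Invoke", Effect: "Allow",
        Resource: entry.allow.map((p) => `${prefix}/${p}`) }
    : { Action: "execute-api:Invoke", Effect: "Deny", Resource: [`${prefix}/*/*`] };
  return {
    principalId: entry ? entry.principalId : "anonymous",
    policyDocument: { Version: "2012-10-17", Statement: [statement] },
    context: { role: entry ? entry.principalId : "none" }, // visible as $context.authorizer.role
  };
}

const handler = async (event) => buildAuthResponse(event);
if (typeof module !== "undefined") module.exports = { handler, buildAuthResponse };
```

Package this as lambda-function.zip and the authorizerUri in the example usage points at it; a revoked token stays valid for up to authorizerResultTtlInSeconds, so keep the TTL short or set it to 0 where revocation latency matters.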

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • arn - ARN of the API Gateway Authorizer
  • id - Authorizer identifier.

Import

AWS API Gateway Authorizer can be imported using the restApiId/authorizerId, e.g.,

$ terraform import aws_api_gateway_authorizer.authorizer 12345abcde/example