fix: Add support for passing authorization_scopes on routes with JWT …

…authorizer (#67) Co-authored-by: Jeffrey Schilperoord <[email protected]>
terraform-aws-modules · Apr 1, 2022 · c2b8d6b · c2b8d6b
1 parent bafb534
commit c2b8d6b
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 3 deletions.
diff --git a/examples/complete-http/main.tf b/examples/complete-http/main.tf
@@ -81,6 +81,20 @@ module "api_gateway" {
       authorizer_key         = "cognito"
     }
 
+    "GET /some-route-with-authorizer-and-scope" = {
+      lambda_arn             = module.lambda_function.lambda_function_arn
+      payload_format_version = "2.0"
+      authorizer_key         = "cognito"
+      authorization_scopes   = "tf/something.relevant.read,tf/something.relevant.write" # Should comply with the resource server configuration part of the cognito user pool
+    }
+
+    "GET /some-route-with-authorizer-and-different-scope" = {
+      lambda_arn             = module.lambda_function.lambda_function_arn
+      payload_format_version = "2.0"
+      authorizer_key         = "cognito"
+      authorization_scopes   = "tf/something.relevant.write" # Should comply with the resource server configuration part of the cognito user pool
+    }
+
     "POST /start-step-function" = {
       integration_type    = "AWS_PROXY"
       integration_subtype = "StepFunctions-StartExecution"

diff --git a/main.tf b/main.tf
@@ -125,16 +125,16 @@ resource "aws_apigatewayv2_route" "this" {
   route_key = each.key
 
   api_key_required                    = try(each.value.api_key_required, null)
+  authorization_scopes                = try(split(",", each.value.authorization_scopes), null)
   authorization_type                  = try(each.value.authorization_type, "NONE")
   authorizer_id                       = try(aws_apigatewayv2_authorizer.this[each.value.authorizer_key].id, each.value.authorizer_id, null)
   model_selection_expression          = try(each.value.model_selection_expression, null)
   operation_name                      = try(each.value.operation_name, null)
   route_response_selection_expression = try(each.value.route_response_selection_expression, null)
   target                              = "integrations/${aws_apigatewayv2_integration.this[each.key].id}"
 
-  # Not sure what structure is allowed for these arguments...
-  #  authorization_scopes = try(each.value.authorization_scopes, null)
-  #  request_models  = try(each.value.request_models, null)
+  # Have been added to the docs. But is WEBSOCKET only(not yet supported)
+  # request_models  = try(each.value.request_models, null)
 }
 
 resource "aws_apigatewayv2_integration" "this" {