Terraform-provider-aws: Custom Authorizer for API Gateway does not insert '0' when specified in script

Created on 13 Jun 2017  ·  10 Comments  ·  Source: hashicorp/terraform-provider-aws

_This issue was originally opened by @Bschuster3434 as hashicorp/terraform#13808. It was migrated here as part of the provider split. The original body of the issue is below._


Hi there,

Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html.

Terraform Version

0.8.6

Affected Resource(s)

- aws_api_gateway_authorizer
- authorizer_result_ttl_in_seconds

Terraform Configuration Files

```hcl
############################
## Custom Authorizer
##
######

resource "aws_api_gateway_authorizer" "custom_authorizer" {
  name                   = "CustomAuth"
  rest_api_id = "${aws_api_gateway_rest_api.aetn_inod_api.id}"
  authorizer_uri         = "arn:aws:apigateway:region:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:${var.account_id}:function:${var.lambda_prefix}_custom_authorizer/invocations"
  authorizer_credentials = "${aws_iam_role.ppas_inod_role.arn}"
  identity_source = "method.request.header.Authorization"
  authorizer_result_ttl_in_seconds = "0"
}
```

Debug Output

```
[12:07:48] :     [Step 1/1] The Terraform execution plan has been generated and is shown below.
[12:07:48] :     [Step 1/1] Resources are shown in alphabetical order for quick scanning. Green resources
[12:07:48] :     [Step 1/1] will be created (or destroyed and then created if an existing resource
[12:07:48] :     [Step 1/1] exists), yellow resources are being changed in-place, and red resources
[12:07:48] :     [Step 1/1] will be destroyed. Cyan entries are data sources to be read.
[12:07:48] :     [Step 1/1]
[12:07:48] :     [Step 1/1] Note: You didn't specify an "-out" parameter to save this plan, so when
[12:07:48] :     [Step 1/1] "apply" is called, Terraform can't guarantee this is what will execute.
[12:07:48] :     [Step 1/1]
[12:07:48] :     [Step 1/1] ~ aws_api_gateway_authorizer.custom_authorizer
[12:07:48] :     [Step 1/1]     authorizer_result_ttl_in_seconds: "300" => "0"
[12:07:48] :     [Step 1/1]     authorizer_uri:                   "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:826422229211:function:aetn_inod_dev_custom_authorizer/invocations" => "arn:aws:apigateway:region:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:826422229211:function:aetn_inod_dev_custom_authorizer/invocations"
[12:07:48] :     [Step 1/1]
[12:07:48] :     [Step 1/1] ~ module.ppas_inod_admin_group.aws_iam_policy_attachment.policy-attach
[12:07:48] :     [Step 1/1]     groups.#:         "0" => "1"
[12:07:48] :     [Step 1/1]     groups.746781719: "" => "ppas_inod_admin"
[12:07:48] :     [Step 1/1]
[12:07:48] :     [Step 1/1] ~ module.ppas_inod_dev_group.aws_iam_policy_attachment.policy-attach
[12:07:48] :     [Step 1/1]     groups.#:         "0" => "1"
[12:07:48] :     [Step 1/1]     groups.350925485: "" => "ppas_inod_developer"
[12:07:48] :     [Step 1/1]
[12:07:48] :     [Step 1/1]
[12:07:48] :     [Step 1/1] Plan: 0 to add, 3 to change, 0 to destroy.
[12:07:52] :     [Step 1/1] There are warnings and/or errors related to your configuration. Please
[12:07:52] :     [Step 1/1] fix these before continuing.
[12:07:52] :     [Step 1/1]
[12:07:52] :     [Step 1/1] Warnings:
[12:07:52] :     [Step 1/1]
[12:07:52] :     [Step 1/1]   * template_file.user_data: using template_file as a resource is deprecated; consider using the data source instead
[12:07:52] :     [Step 1/1]
[12:07:52] :     [Step 1/1] No errors found. Continuing with 1 warning(s).
```

Expected Behavior

Terraform deploys the script into the environment. When you go to the aws_console -> api_gateway -> Custom Authorizer, the TTL should be set to 0.

Actual Behavior

When you navigate to aws_console -> api_gateway -> Custom Authorizer, the value is showing as blank.

Steps to Reproduce

  1. terraform apply
    //No unusual errors are produced during the apply process

All 10 comments

Hi guys

Any updates on this?

I just ran into this, here is a workaround:

```hcl
resource "aws_api_gateway_authorizer" "authorizer" {
  name                   = "authorizer"
  rest_api_id            = "${aws_api_gateway_rest_api.api.id}"
  authorizer_uri         = "arn:aws:apigateway:${var.region}:lambda:path/2015-03-31/functions/${var.lambda_arn}/invocations"

  # Setting authorizer_result_ttl_in_seconds=0 does not work (aws apigateway get-authorizers --rest-api-id xxx shows no authorizerResultTtlInSeconds value)
  authorizer_result_ttl_in_seconds = "0"

  lifecycle {
    # this is necessary to avoid identity_source value reset to "method.request.header.Authorization", which is the default value
    ignore_changes = ["identity_source"]
  }

  type = "REQUEST"
}

resource "null_resource" "authorizer_result_ttl_in_seconds_workaround" {
  depends_on = [
    "aws_api_gateway_authorizer.authorizer"
  ]

  triggers = {
    authorizer_id = "${aws_api_gateway_authorizer.authorizer.id}"
  }

  # authorizerResultTtlInSeconds=0 must come before identitySource=""
  provisioner "local-exec" {
    command = "aws apigateway update-authorizer --rest-api-id ${aws_api_gateway_rest_api.api.id} --authorizer-id ${aws_api_gateway_authorizer.authorizer.id} --patch-operations op='replace',path='/authorizerResultTtlInSeconds',value=0"
  }

  # also, identitySource MUST be empty, otherwise API gateway returns 401 even when TTL=0, without even calling the custom authorizer
  # this bug must be AWS related
  provisioner "local-exec" {
    command = "aws apigateway update-authorizer --rest-api-id ${aws_api_gateway_rest_api.api.id} --authorizer-id ${aws_api_gateway_authorizer.authorizer.id} --patch-operations op='replace',path='/identitySource',value="
  }
}
```

It appears that also the UI in the AWS console is buggy with this parameter. It makes this really nasty to clear manually!

Any update on this? Seems like a pretty relevant one seeing people are complaining on AWS forums as well about authorizer caching not working as expected.

https://forums.aws.amazon.com/thread.jspa?threadID=225934&tstart=0

The documentation also mentions it defaults to 300 but actually the default (probably due to this bug) ends up being no TTL.

This feels like a bug in Terraform. @yorrick's solutions worked for me.

It shoves "undefined" in for me when looking in the console, which, even though caching is unchecked/disabled, causes it to cache for some reason. Seems like multiple issues, but it really should be putting a 0 in there if possible.

If I change it in the console (check the box, set to 0, which will uncheck the box after applying...) and don't ever rip it out, terraform doesn't seem to touch it further and it works as expected.

The fix for this (defaulting the attribute to 300, which allows explicitly setting 0) has been merged and will release with version 2.35.0 of the Terraform AWS Provider, next Thursday. Thanks to @f3lang and @geriBatai for their fix efforts. 👍

This has been released in version 2.35.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
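The thread's key observation is that `aws apigateway get-authorizers` returned no `authorizerResultTtlInSeconds` field although the configuration declared `0`, and commenters report authorization results still being cached in that state. As an added example (not code from the issue or from the provider), the check below compares declared TTLs with a `get-authorizers` response and separates a missing field from an explicit `0` and from plain drift; the sample response, the authorizer ids and the `audit_authorizer_ttl` name are constructed for illustration.

```python
import json

# Constructed sample shaped like `aws apigateway get-authorizers --rest-api-id <id>` output.
SAMPLE_RESPONSE = json.loads("""
{"items": [
  {"id": "aaa111", "name": "authorizer", "type": "REQUEST",
   "identitySource": "method.request.header.Authorization"},
  {"id": "bbb222", "name": "CustomAuth", "type": "TOKEN",
   "identitySource": "method.request.header.Authorization",
   "authorizerResultTtlInSeconds": 300},
  {"id": "ccc333", "name": "nocache", "type": "REQUEST",
   "identitySource": "", "authorizerResultTtlInSeconds": 0}
]}
""")


def audit_authorizer_ttl(response, declared):
    """Return (name, kind, detail) findings for authorizers whose deployed TTL
    does not match the declared authorizer_result_ttl_in_seconds.

    declared maps authorizer name -> TTL; Terraform-style strings ("0") are accepted.
    """
    findings = []
    for item in response.get("items", []):
        name = item.get("name")
        if name not in declared:
            continue
        want = int(declared[name])
        # .get() returns None only when the key is absent, so an explicit 0
        # is never confused with "field missing" (the state seen in this issue).
        actual = item.get("authorizerResultTtlInSeconds")
        if actual is None:
            findings.append((name, "unset", f"declared {want}, API returned no TTL field"))
        elif actual != want:
            findings.append((name, "drift", f"declared {want}, API reports {actual}"))
    return findings


if __name__ == "__main__":
    declared = {"authorizer": "0", "CustomAuth": "0", "nocache": "0"}
    for name, kind, detail in audit_authorizer_ttl(SAMPLE_RESPONSE, declared):
        print(f"{kind.upper():5} {name}: {detail}")
```

Feeding it the real CLI output after each `terraform apply` turns the silent "declared 0, deployed blank" state into a failing check.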
