_This issue was originally opened by @tikendra-chand as hashicorp/terraform#18840. It was migrated here as a result of the provider split. The original body of the issue is below._
Use case:
I need authorizer to be triggered when request contains either Cookie header or Authorization header. In aws api gateway UI, I can set identity_source empty for 'REQUEST' type and it works.
Current terraform usage:
Currently https://www.terraform.io/docs/providers/aws/r/api_gateway_authorizer.html#identity_source specifies that, by default identity_source is 'method.request.header.Authorization', which means I cannot set it empty. I have tried to set identity_source = "" or null but that doesn't work. Same is the case when I use comma separated headers, where aws api gateway expects both headers to be present in request.
Changes suggested:
Remove default value for identity_source. Set it empty if there isn't anything configured for it.
Also experiencing this issue.
I am seeing this as well.
My [not very pretty] workaround for this is to allow terraform to create the resource with its default value and then use the AWS CLI to update it. I do this in my build script which allows it to be automated with the terraform apply step. Update the first two lines with something that produces the names of your API Gateway and Authorizer and the rest of the code should work fine.
Don't forget to include AWS profile or credentials in your env.
```bash
# Names of the REST API and the authorizer; adjust to whatever your naming scheme produces.
API_NAME="API-${ACCOUNT_ID}-${DEPLOYMENT}"
AUTH_NAME="Authorizer-${ACCOUNT_ID}-${DEPLOYMENT}"
# Resolve both IDs by name.
API_ID=$(aws apigateway get-rest-apis --query 'items[?name==`'"${API_NAME}"'`].[id]' --output text)
AUTH_ID=$(aws apigateway get-authorizers --rest-api-id "${API_ID}" --query 'items[?name==`'"${AUTH_NAME}"'`].[id]' --output text)
echo "applying workaround for terraform aws provider issue #5845 (allow empty identitySource)"
echo "REST API ID: ${API_ID} AUTHORIZER ID: ${AUTH_ID}"
# Set the TTL to 0 first, then empty the identity source.
aws apigateway update-authorizer --rest-api-id "${API_ID}" --authorizer-id="${AUTH_ID}" --patch-operations op='replace',path='/authorizerResultTtlInSeconds',value='0'
aws apigateway update-authorizer --rest-api-id "${API_ID}" --authorizer-id="${AUTH_ID}" --patch-operations op='replace',path='/identitySource',value=''
```
Also, I have observed that for identitySource to be empty, authorizerResultTtlInSeconds must be 0. This is alluded to in the AWS documentation, but the terraform aws provider does not seem to have a way of handling it. In fact, I found another issue related to that issue and it includes a different workaround...
https://github.com/terraform-providers/terraform-provider-aws/issues/705
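A post-apply check for the workarounds discussed in this thread, as an added example that is not part of any comment here or of the provider: it fails the build when a REQUEST authorizer has an empty `identitySource` with caching still on, or has caching on with a cache key that contains neither credential header. The function names and verdict strings are hypothetical, and it assumes the AWS CLI's text output shows an unset field as `None`.

```shell
#!/bin/sh
# Added example (not from the thread): post-apply check for a REQUEST authorizer.
# classify_authorizer IDENTITY_SOURCE TTL -> prints a verdict, returns 0 if OK.
classify_authorizer() {
  ca_identity="$1"; ca_ttl="$2"
  # Assumption: the CLI's text output shows an unset field as "None".
  if [ "$ca_identity" = "None" ]; then ca_identity=""; fi
  case "$ca_ttl" in
    ''|*[!0-9]*) echo "invalid-ttl"; return 1 ;;
  esac
  if [ -z "$ca_identity" ]; then
    # Thread observation: an empty identitySource needs TTL 0.
    if [ "$ca_ttl" -eq 0 ]; then echo "ok-empty-uncached"; return 0; fi
    echo "empty-source-with-cache"; return 1
  fi
  if [ "$ca_ttl" -eq 0 ]; then echo "ok-uncached"; return 0; fi
  # Caching is on: the identity sources form the cache key, so a key with
  # neither credential header (e.g. only X-Forwarded-For) lets a cached
  # decision be reused for requests carrying different credentials.
  ca_lower=$(printf '%s' "$ca_identity" | tr '[:upper:]' '[:lower:]')
  case "$ca_lower" in
    *method.request.header.authorization*|*method.request.header.cookie*)
      echo "ok-cached"; return 0 ;;
  esac
  echo "cache-key-lacks-credentials"; return 1
}

# verify_live REST_API_ID AUTHORIZER_ID: same check against the deployed authorizer.
verify_live() {
  vl_identity=$(aws apigateway get-authorizer --rest-api-id "$1" \
    --authorizer-id "$2" --query 'identitySource' --output text) || return 2
  vl_ttl=$(aws apigateway get-authorizer --rest-api-id "$1" \
    --authorizer-id "$2" --query 'authorizerResultTtlInSeconds' --output text) || return 2
  classify_authorizer "$vl_identity" "$vl_ttl"
}
```

Call `verify_live "$API_ID" "$AUTH_ID"` after `terraform apply` and the CLI patch; a non-zero exit means the authorizer is not in the state the workaround intended.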
I am facing the same issue.
As a workaround, I added
identity_source = "method.request.header.X-Forwarded-For"
Header X-Forwarded-For will always be present as it is being added by API GW itself.
Another workaround is to set `identity_source = ","`. The comma parses as a list of two empty values and provisions an empty identity source. The resulting terraform state is an empty string, which terraform thinks is different, so this causes terraform to update it every time.
> Another workaround is to set `identity_source = ","`. The comma parses as a list of two empty values and provisions an empty identity source. The resulting terraform state is an empty string, which terraform thinks is different, so this causes terraform to update it every time.

It didn't work for me. This solution results in a successful apply but the authorizer is not created. @bryan-taylor's solution works for me.