github.com/minamijoyo/terraform@v0.7.8-0.20161029001309-18b3736ba44b/builtin/providers/aws/resource_aws_api_gateway_authorizer_test.go (about)

     1  package aws
     2  
     3  import (
     4  	"fmt"
     5  	"regexp"
     6  	"testing"
     7  
     8  	"github.com/aws/aws-sdk-go/aws"
     9  	"github.com/aws/aws-sdk-go/aws/awserr"
    10  	"github.com/aws/aws-sdk-go/service/apigateway"
    11  	"github.com/hashicorp/terraform/helper/resource"
    12  	"github.com/hashicorp/terraform/terraform"
    13  )
    14  
    15  func TestAccAWSAPIGatewayAuthorizer_basic(t *testing.T) {
    16  	var conf apigateway.Authorizer
    17  
    18  	expectedAuthUri := regexp.MustCompile("arn:aws:apigateway:region:lambda:path/2015-03-31/functions/" +
    19  		"arn:aws:lambda:[a-z0-9-]+:[0-9]{12}:function:tf_acc_api_gateway_authorizer/invocations")
    20  	expectedCreds := regexp.MustCompile("arn:aws:iam::[0-9]{12}:role/tf_acc_api_gateway_auth_invocation_role")
    21  
    22  	resource.Test(t, resource.TestCase{
    23  		PreCheck:     func() { testAccPreCheck(t) },
    24  		Providers:    testAccProviders,
    25  		CheckDestroy: testAccCheckAWSAPIGatewayAuthorizerDestroy,
    26  		Steps: []resource.TestStep{
    27  			resource.TestStep{
    28  				Config: testAccAWSAPIGatewayAuthorizerConfig,
    29  				Check: resource.ComposeTestCheckFunc(
    30  					testAccCheckAWSAPIGatewayAuthorizerExists("aws_api_gateway_authorizer.test", &conf),
    31  					testAccCheckAWSAPIGatewayAuthorizerAuthorizerUri(&conf, expectedAuthUri),
    32  					resource.TestMatchResourceAttr("aws_api_gateway_authorizer.test", "authorizer_uri", expectedAuthUri),
    33  					testAccCheckAWSAPIGatewayAuthorizerIdentitySource(&conf, "method.request.header.Authorization"),
    34  					resource.TestCheckResourceAttr("aws_api_gateway_authorizer.test", "identity_source", "method.request.header.Authorization"),
    35  					testAccCheckAWSAPIGatewayAuthorizerName(&conf, "tf-acc-test-authorizer"),
    36  					resource.TestCheckResourceAttr("aws_api_gateway_authorizer.test", "name", "tf-acc-test-authorizer"),
    37  					testAccCheckAWSAPIGatewayAuthorizerType(&conf, "TOKEN"),
    38  					resource.TestCheckResourceAttr("aws_api_gateway_authorizer.test", "type", "TOKEN"),
    39  					testAccCheckAWSAPIGatewayAuthorizerAuthorizerCredentials(&conf, expectedCreds),
    40  					resource.TestMatchResourceAttr("aws_api_gateway_authorizer.test", "authorizer_credentials", expectedCreds),
    41  					testAccCheckAWSAPIGatewayAuthorizerAuthorizerResultTtlInSeconds(&conf, nil),
    42  					resource.TestCheckResourceAttr("aws_api_gateway_authorizer.test", "authorizer_result_ttl_in_seconds", "0"),
    43  					testAccCheckAWSAPIGatewayAuthorizerIdentityValidationExpression(&conf, nil),
    44  					resource.TestCheckResourceAttr("aws_api_gateway_authorizer.test", "identity_validation_expression", ""),
    45  				),
    46  			},
    47  			resource.TestStep{
    48  				Config: testAccAWSAPIGatewayAuthorizerUpdatedConfig,
    49  				Check: resource.ComposeTestCheckFunc(
    50  					testAccCheckAWSAPIGatewayAuthorizerExists("aws_api_gateway_authorizer.test", &conf),
    51  					testAccCheckAWSAPIGatewayAuthorizerAuthorizerUri(&conf, expectedAuthUri),
    52  					resource.TestMatchResourceAttr("aws_api_gateway_authorizer.test", "authorizer_uri", expectedAuthUri),
    53  					testAccCheckAWSAPIGatewayAuthorizerIdentitySource(&conf, "method.request.header.Authorization"),
    54  					resource.TestCheckResourceAttr("aws_api_gateway_authorizer.test", "identity_source", "method.request.header.Authorization"),
    55  					testAccCheckAWSAPIGatewayAuthorizerName(&conf, "tf-acc-test-authorizer_modified"),
    56  					resource.TestCheckResourceAttr("aws_api_gateway_authorizer.test", "name", "tf-acc-test-authorizer_modified"),
    57  					testAccCheckAWSAPIGatewayAuthorizerType(&conf, "TOKEN"),
    58  					resource.TestCheckResourceAttr("aws_api_gateway_authorizer.test", "type", "TOKEN"),
    59  					testAccCheckAWSAPIGatewayAuthorizerAuthorizerCredentials(&conf, expectedCreds),
    60  					resource.TestMatchResourceAttr("aws_api_gateway_authorizer.test", "authorizer_credentials", expectedCreds),
    61  					testAccCheckAWSAPIGatewayAuthorizerAuthorizerResultTtlInSeconds(&conf, aws.Int64(360)),
    62  					resource.TestCheckResourceAttr("aws_api_gateway_authorizer.test", "authorizer_result_ttl_in_seconds", "360"),
    63  					testAccCheckAWSAPIGatewayAuthorizerIdentityValidationExpression(&conf, aws.String(".*")),
    64  					resource.TestCheckResourceAttr("aws_api_gateway_authorizer.test", "identity_validation_expression", ".*"),
    65  				),
    66  			},
    67  		},
    68  	})
    69  }
    70  
    71  func testAccCheckAWSAPIGatewayAuthorizerAuthorizerUri(conf *apigateway.Authorizer, expectedUri *regexp.Regexp) resource.TestCheckFunc {
    72  	return func(s *terraform.State) error {
    73  		if conf.AuthorizerUri == nil {
    74  			return fmt.Errorf("Empty AuthorizerUri, expected: %q", expectedUri)
    75  		}
    76  
    77  		if !expectedUri.MatchString(*conf.AuthorizerUri) {
    78  			return fmt.Errorf("AuthorizerUri didn't match. Expected: %q, Given: %q", expectedUri, *conf.AuthorizerUri)
    79  		}
    80  		return nil
    81  	}
    82  }
    83  
    84  func testAccCheckAWSAPIGatewayAuthorizerIdentitySource(conf *apigateway.Authorizer, expectedSource string) resource.TestCheckFunc {
    85  	return func(s *terraform.State) error {
    86  		if conf.IdentitySource == nil {
    87  			return fmt.Errorf("Empty IdentitySource, expected: %q", expectedSource)
    88  		}
    89  		if *conf.IdentitySource != expectedSource {
    90  			return fmt.Errorf("IdentitySource didn't match. Expected: %q, Given: %q", expectedSource, *conf.IdentitySource)
    91  		}
    92  		return nil
    93  	}
    94  }
    95  
    96  func testAccCheckAWSAPIGatewayAuthorizerName(conf *apigateway.Authorizer, expectedName string) resource.TestCheckFunc {
    97  	return func(s *terraform.State) error {
    98  		if conf.Name == nil {
    99  			return fmt.Errorf("Empty Name, expected: %q", expectedName)
   100  		}
   101  		if *conf.Name != expectedName {
   102  			return fmt.Errorf("Name didn't match. Expected: %q, Given: %q", expectedName, *conf.Name)
   103  		}
   104  		return nil
   105  	}
   106  }
   107  
   108  func testAccCheckAWSAPIGatewayAuthorizerType(conf *apigateway.Authorizer, expectedType string) resource.TestCheckFunc {
   109  	return func(s *terraform.State) error {
   110  		if conf.Type == nil {
   111  			return fmt.Errorf("Empty Type, expected: %q", expectedType)
   112  		}
   113  		if *conf.Type != expectedType {
   114  			return fmt.Errorf("Type didn't match. Expected: %q, Given: %q", expectedType, *conf.Type)
   115  		}
   116  		return nil
   117  	}
   118  }
   119  
   120  func testAccCheckAWSAPIGatewayAuthorizerAuthorizerCredentials(conf *apigateway.Authorizer, expectedCreds *regexp.Regexp) resource.TestCheckFunc {
   121  	return func(s *terraform.State) error {
   122  		if conf.AuthorizerCredentials == nil {
   123  			return fmt.Errorf("Empty AuthorizerCredentials, expected: %q", expectedCreds)
   124  		}
   125  		if !expectedCreds.MatchString(*conf.AuthorizerCredentials) {
   126  			return fmt.Errorf("AuthorizerCredentials didn't match. Expected: %q, Given: %q",
   127  				expectedCreds, *conf.AuthorizerCredentials)
   128  		}
   129  		return nil
   130  	}
   131  }
   132  
   133  func testAccCheckAWSAPIGatewayAuthorizerAuthorizerResultTtlInSeconds(conf *apigateway.Authorizer, expectedTtl *int64) resource.TestCheckFunc {
   134  	return func(s *terraform.State) error {
   135  		if expectedTtl == conf.AuthorizerResultTtlInSeconds {
   136  			return nil
   137  		}
   138  		if expectedTtl == nil && conf.AuthorizerResultTtlInSeconds != nil {
   139  			return fmt.Errorf("Expected empty AuthorizerResultTtlInSeconds, given: %d", *conf.AuthorizerResultTtlInSeconds)
   140  		}
   141  		if conf.AuthorizerResultTtlInSeconds == nil {
   142  			return fmt.Errorf("Empty AuthorizerResultTtlInSeconds, expected: %d", expectedTtl)
   143  		}
   144  		if *conf.AuthorizerResultTtlInSeconds != *expectedTtl {
   145  			return fmt.Errorf("AuthorizerResultTtlInSeconds didn't match. Expected: %d, Given: %d",
   146  				*expectedTtl, *conf.AuthorizerResultTtlInSeconds)
   147  		}
   148  		return nil
   149  	}
   150  }
   151  
   152  func testAccCheckAWSAPIGatewayAuthorizerIdentityValidationExpression(conf *apigateway.Authorizer, expectedExpression *string) resource.TestCheckFunc {
   153  	return func(s *terraform.State) error {
   154  		if expectedExpression == conf.IdentityValidationExpression {
   155  			return nil
   156  		}
   157  		if expectedExpression == nil && conf.IdentityValidationExpression != nil {
   158  			return fmt.Errorf("Expected empty IdentityValidationExpression, given: %q", *conf.IdentityValidationExpression)
   159  		}
   160  		if conf.IdentityValidationExpression == nil {
   161  			return fmt.Errorf("Empty IdentityValidationExpression, expected: %q", *expectedExpression)
   162  		}
   163  		if *conf.IdentityValidationExpression != *expectedExpression {
   164  			return fmt.Errorf("IdentityValidationExpression didn't match. Expected: %q, Given: %q",
   165  				*expectedExpression, *conf.IdentityValidationExpression)
   166  		}
   167  		return nil
   168  	}
   169  }
   170  
   171  func testAccCheckAWSAPIGatewayAuthorizerExists(n string, res *apigateway.Authorizer) resource.TestCheckFunc {
   172  	return func(s *terraform.State) error {
   173  		rs, ok := s.RootModule().Resources[n]
   174  		if !ok {
   175  			return fmt.Errorf("Not found: %s", n)
   176  		}
   177  
   178  		if rs.Primary.ID == "" {
   179  			return fmt.Errorf("No API Gateway Authorizer ID is set")
   180  		}
   181  
   182  		conn := testAccProvider.Meta().(*AWSClient).apigateway
   183  
   184  		req := &apigateway.GetAuthorizerInput{
   185  			AuthorizerId: aws.String(rs.Primary.ID),
   186  			RestApiId:    aws.String(rs.Primary.Attributes["rest_api_id"]),
   187  		}
   188  		describe, err := conn.GetAuthorizer(req)
   189  		if err != nil {
   190  			return err
   191  		}
   192  
   193  		*res = *describe
   194  
   195  		return nil
   196  	}
   197  }
   198  
   199  func testAccCheckAWSAPIGatewayAuthorizerDestroy(s *terraform.State) error {
   200  	conn := testAccProvider.Meta().(*AWSClient).apigateway
   201  
   202  	for _, rs := range s.RootModule().Resources {
   203  		if rs.Type != "aws_api_gateway_authorizer" {
   204  			continue
   205  		}
   206  
   207  		req := &apigateway.GetAuthorizerInput{
   208  			AuthorizerId: aws.String(rs.Primary.ID),
   209  			RestApiId:    aws.String(rs.Primary.Attributes["rest_api_id"]),
   210  		}
   211  		_, err := conn.GetAuthorizer(req)
   212  
   213  		if err == nil {
   214  			return fmt.Errorf("API Gateway Authorizer still exists")
   215  		}
   216  
   217  		aws2err, ok := err.(awserr.Error)
   218  		if !ok {
   219  			return err
   220  		}
   221  		if aws2err.Code() != "NotFoundException" {
   222  			return err
   223  		}
   224  
   225  		return nil
   226  	}
   227  
   228  	return nil
   229  }
   230  
   231  const testAccAWSAPIGatewayAuthorizerConfig_base = `
   232  resource "aws_api_gateway_rest_api" "test" {
   233    name = "tf-auth-test"
   234  }
   235  
   236  resource "aws_iam_role" "invocation_role" {
   237    name = "tf_acc_api_gateway_auth_invocation_role"
   238    path = "/"
   239    assume_role_policy = <<EOF
   240  {
   241    "Version": "2012-10-17",
   242    "Statement": [
   243      {
   244        "Action": "sts:AssumeRole",
   245        "Principal": {
   246          "Service": "apigateway.amazonaws.com"
   247        },
   248        "Effect": "Allow",
   249        "Sid": ""
   250      }
   251    ]
   252  }
   253  EOF
   254  }
   255  
   256  resource "aws_iam_role_policy" "invocation_policy" {
   257    name = "default"
   258    role = "${aws_iam_role.invocation_role.id}"
   259    policy = <<EOF
   260  {
   261    "Version": "2012-10-17",
   262    "Statement": [
   263      {
   264        "Action": "lambda:InvokeFunction",
   265        "Effect": "Allow",
   266        "Resource": "${aws_lambda_function.authorizer.arn}"
   267      }
   268    ]
   269  }
   270  EOF
   271  }
   272  
   273  resource "aws_iam_role" "iam_for_lambda" {
   274    name = "tf_acc_iam_for_lambda_api_gateway_authorizer"
   275    assume_role_policy = <<EOF
   276  {
   277    "Version": "2012-10-17",
   278    "Statement": [
   279      {
   280        "Action": "sts:AssumeRole",
   281        "Principal": {
   282          "Service": "lambda.amazonaws.com"
   283        },
   284        "Effect": "Allow",
   285        "Sid": ""
   286      }
   287    ]
   288  }
   289  EOF
   290  }
   291  
   292  resource "aws_lambda_function" "authorizer" {
   293    filename = "test-fixtures/lambdatest.zip"
   294    source_code_hash = "${base64sha256(file("test-fixtures/lambdatest.zip"))}"
   295    function_name = "tf_acc_api_gateway_authorizer"
   296    role = "${aws_iam_role.iam_for_lambda.arn}"
   297    handler = "exports.example"
   298  }
   299  `
   300  
   301  const testAccAWSAPIGatewayAuthorizerConfig = testAccAWSAPIGatewayAuthorizerConfig_base + `
   302  resource "aws_api_gateway_authorizer" "test" {
   303    name = "tf-acc-test-authorizer"
   304    rest_api_id = "${aws_api_gateway_rest_api.test.id}"
   305    authorizer_uri = "arn:aws:apigateway:region:lambda:path/2015-03-31/functions/${aws_lambda_function.authorizer.arn}/invocations"
   306    authorizer_credentials = "${aws_iam_role.invocation_role.arn}"
   307  }
   308  `
   309  
   310  const testAccAWSAPIGatewayAuthorizerUpdatedConfig = testAccAWSAPIGatewayAuthorizerConfig_base + `
   311  resource "aws_api_gateway_authorizer" "test" {
   312    name = "tf-acc-test-authorizer_modified"
   313    rest_api_id = "${aws_api_gateway_rest_api.test.id}"
   314    authorizer_uri = "arn:aws:apigateway:region:lambda:path/2015-03-31/functions/${aws_lambda_function.authorizer.arn}/invocations"
   315    authorizer_credentials = "${aws_iam_role.invocation_role.arn}"
   316    authorizer_result_ttl_in_seconds = 360
   317    identity_validation_expression = ".*"
   318  }
   319  `