[WIP] Add policy attribute to aws_api_gateway_rest_api #4211
Thanks for this contribution, @robwittman! Please see my initial comments below. The testing behavior is interesting, I'd see if it's related to the wrapping `fmt.Sprintf()` -- we are able to test this successfully in `TestAccAWSIAMUserPolicy_basic` for example.
@@ -72,9 +79,15 @@ func resourceAwsApiGatewayRestApiCreate(d *schema.ResourceData, meta interface{} | |||
description = aws.String(d.Get("description").(string)) | |||
} | |||
|
|||
var policy *string |
This can be simplified with (after `params` declaration):
```go
if v, ok := d.GetOk("policy"); ok && v.(string) != "" {
	params.Policy = aws.String(v.(string))
}
```
@@ -127,6 +127,24 @@ func TestAccAWSAPIGatewayRestApi_basic(t *testing.T) { | |||
}) | |||
} | |||
|
|||
func TestAccAWSAPIGatewayRestApi_policy(t *testing.T) { | |||
expectedPolicyText := fmt.Sprintf(`{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"*"},"Action":"execute-api:Invoke","Resource":"*"}]}`) |
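Review bot: In `TestAccAWSAPIGatewayRestApi_policy`, `expectedPolicyText` is built with `fmt.Sprintf` and no arguments, so the call only adds a format-string pass over the policy text: a literal `%` added to this fixture later would be rendered as a formatting error marker instead of the intended character. Assign the raw string literal to `expectedPolicyText` directly.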
Does this work without the wrapping `fmt.Sprintf()`?
Check: resource.ComposeTestCheckFunc( | ||
resource.TestCheckResourceAttr("aws_api_gateway_rest_api.test", "policy", expectedPolicyText), | ||
), | ||
}, |
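Review bot: `resource.TestCheckResourceAttr("aws_api_gateway_rest_api.test", "policy", expectedPolicyText)` asserts byte-for-byte equality with the compact JSON string, so this step fails on any difference in escaping, whitespace or key order even when the two policies are the same document. Consider a check function that parses both sides as JSON and compares the decoded values, and keep an exact-match assertion only if the stored representation itself is what the test is meant to pin down.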
We should add test steps that attempt to:
- update the policy
- remove the policy
Test steps for update and removal have been added
Thanks @bflad. I removed the `Sprintf()` and was still getting the encoding issues. I pulled in `net/url` and used `QueryUnescape` when reading the resource, similar to `resource_aws_iam_user_policy`, and still no luck.
If I log the unescaped policy during `resourceAwsApiGatewayRestApiRead()`, I get
```
2018/04/17 09:08:28 [DEBUG] Decoded Policy: {\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"execute-api:Invoke\",\"Resource\":\"*\"}]}
```
which I believe is to be expected. However, the tests still fail, and `terraform plan` keeps trying to update the API Gateway on AWS.
I also added test steps for explicitly testing update / removal, but don't think they're running since the 1st step is failing.
This is likely happening because the API Gateway service uses JSON for its own API, which requires the extra escaping in its own response. It might make sense, odd as it is, to double unescape the policy that comes back from API Gateway and comment in the code why this is happening.
Here's what I'm using to try and double decode, but the tests are still failing for the same reason.
If I debug the Logging the outputs of
Hi @robwittman! Thanks for really diving into this. I found a working configuration:
```go
// The API returns policy as an escaped JSON string
// {\\\"Version\\\":\\\"2012-10-17\\\",...}
policy, err := strconv.Unquote(`"` + aws.StringValue(api.Policy) + `"`)
if err != nil {
	return fmt.Errorf("error unescaping policy: %s", err)
}
d.Set("policy", policy)
```
This passes all acceptance testing 👍 Merging with your commits plus this one on top.
Thanks @bflad, appreciate the help. Looking forward to release!
This has been released in version 1.16.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
Not this is the place to leave this, but using this policy: I get this error: "error unescaping policy: invalid syntax"
Same issue, was there a reason it was done differently than the other IAM policies?
```hcl
resource "aws_api_gateway_rest_api" "api" {
  name        = "${var.api_gateway_name}"
  description = "${var.api_gateway_description}"
  policy      = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "xxx.xxx.xxx.xxx/xx"
        }
      }
    }
  ]
}
EOF
}
```
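Added example, not code from this PR or from the provider: the `strconv.Unquote` decoding quoted earlier in the thread next to decoding the same text as a JSON string literal, run on constructed inputs. The `\/` escape in the CIDR sample is an assumption about how a response might escape slashes (the page does not show the failing response), and the key-order-insensitive comparison goes beyond what the thread shows.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strconv"
)

// decodeWithUnquote mirrors the approach quoted in the thread: wrap the escaped
// policy in double quotes and parse it as a Go string literal.
func decodeWithUnquote(escaped string) (string, error) {
	return strconv.Unquote(`"` + escaped + `"`)
}

// decodeWithJSON parses the same text as a JSON string literal, so every JSON
// escape (including \/ and \uXXXX) is accepted.
func decodeWithJSON(escaped string) (string, error) {
	var s string
	err := json.Unmarshal([]byte(`"`+escaped+`"`), &s)
	return s, err
}

// equivalentPolicy reports whether two policy documents are the same JSON
// value, ignoring whitespace and object key order.
func equivalentPolicy(a, b string) (bool, error) {
	var x, y interface{}
	if err := json.Unmarshal([]byte(a), &x); err != nil {
		return false, err
	}
	if err := json.Unmarshal([]byte(b), &y); err != nil {
		return false, err
	}
	xb, _ := json.Marshal(x) // Marshal writes map keys in sorted order
	yb, _ := json.Marshal(y)
	return bytes.Equal(xb, yb), nil
}

// Constructed samples: the escaped shape shown in the thread, and a variant
// with a JSON-escaped slash in a CIDR (assumed, not captured from the API).
const escapedBasic = `{\"Version\":\"2012-10-17\",\"Statement\":[]}`
const escapedCIDR = `{\"Condition\":{\"IpAddress\":{\"aws:SourceIp\":\"203.0.113.0\/24\"}}}`

func main() {
	for _, in := range []string{escapedBasic, escapedCIDR} {
		_, uerr := decodeWithUnquote(in)
		out, jerr := decodeWithJSON(in)
		fmt.Printf("unquote err=%v | json err=%v | %s\n", uerr, jerr, out)
	}
}
```

`\/` is a legal JSON escape but not a Go string escape, which is why the two decoders disagree on the second sample.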
Hey @bflad,
Please open a new issue filling in the template (if one has not already been opened) so we have all the relevant details to troubleshoot, specifically the debug logging.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
Fixes #4171.
Adds a `policy` attribute to the `aws_api_gateway_rest_api` resource.
The `policy` attribute is currently being applied, however on every subsequent `terraform plan`, it's requesting to update the attribute in place. I assume this is due to how I am setting the policy in `resourceAwsApiGatewayRestApiRead` causing one version to be escaped, and one not.
Is there a standard for escaping -> unescaping JSON policies correctly? Sorry if it's obvious, I'm new to Go :)
Failing Test:
`terraform plan` ran after apply.