fix: Add support for passing authorization_scopes on routes with JWT authorizer (#67)

jschilperoord · web-flow · commit c2b8d6bd8b11 · 2022-04-01T17:18:06.000+02:00
Co-authored-by: Jeffrey Schilperoord &lt;jschilperoord@schubergphilis.com&gt;
diff --git a/examples/complete-http/main.tf b/examples/complete-http/main.tf
@@ -81,6 +81,20 @@ module "api_gateway" {
       authorizer_key         = "cognito"
     }
 
+    "GET /some-route-with-authorizer-and-scope" = {
+      lambda_arn             = module.lambda_function.lambda_function_arn
+      payload_format_version = "2.0"
+      authorizer_key         = "cognito"
+      authorization_scopes   = "tf/something.relevant.read,tf/something.relevant.write" # Should comply with the resource server configuration part of the cognito user pool
+    }
+
+    "GET /some-route-with-authorizer-and-different-scope" = {
+      lambda_arn             = module.lambda_function.lambda_function_arn
+      payload_format_version = "2.0"
+      authorizer_key         = "cognito"
+      authorization_scopes   = "tf/something.relevant.write" # Should comply with the resource server configuration part of the cognito user pool
+    }
+
     "POST /start-step-function" = {
       integration_type    = "AWS_PROXY"
       integration_subtype = "StepFunctions-StartExecution"
diff --git a/main.tf b/main.tf
@@ -125,16 +125,16 @@ resource "aws_apigatewayv2_route" "this" {
   route_key = each.key
 
   api_key_required                    = try(each.value.api_key_required, null)
+  authorization_scopes                = try(split(",", each.value.authorization_scopes), null)
   authorization_type                  = try(each.value.authorization_type, "NONE")
   authorizer_id                       = try(aws_apigatewayv2_authorizer.this[each.value.authorizer_key].id, each.value.authorizer_id, null)
   model_selection_expression          = try(each.value.model_selection_expression, null)
   operation_name                      = try(each.value.operation_name, null)
   route_response_selection_expression = try(each.value.route_response_selection_expression, null)
   target                              = "integrations/${aws_apigatewayv2_integration.this[each.key].id}"
 
-  # Not sure what structure is allowed for these arguments...
-  #  authorization_scopes = try(each.value.authorization_scopes, null)
-  #  request_models  = try(each.value.request_models, null)
+  # Have been added to the docs. But is WEBSOCKET only(not yet supported)
+  # request_models  = try(each.value.request_models, null)
 }
 
 resource "aws_apigatewayv2_integration" "this" {
