
Custom API Gateway authorizer using Terraform


I am trying to deploy an API Gateway REST API that uses a custom authorizer with Terraform.

The custom authorizer uses an existing Lambda function.

resource "aws_api_gateway_authorizer" "accountprofileauth" {
  name                   = "auth"
  rest_api_id            = "${aws_api_gateway_rest_api.accountprofileapi.id}"
  authorizer_uri         = "arn:aws:lambda:us-east-2:XXXX:function:dev-authorizer"
  identity_source        = "method.request.header.Authorization"
  type                   = "REQUEST"
}

When I run terraform apply, I get the following error:

* aws_api_gateway_authorizer.accountprofileauth: Error creating API Gateway Authorizer: BadRequestException: Invalid Authorizer URI: arn:aws:lambda:us-east-2:XXXX:function:dev-authorizer. Authorizer URI should be a valid API Gateway ARN that represents a Lambda function invocation.
    status code: 400, request id: XXXX

The Lambda function exists and it works fine. The same ARN works fine when deploying with Serverless.

Do you know the format, or an example of a valid ARN?

Thanks.

2 Answers

  • 0

    I found the actual format:

    arn:aws:apigateway:us-east-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-2:XXXX:function:dev-authorizer/invocations

    Looks like the date is a bit hard-coded. I'm confused :)

  • 0

    You can refer to the AWS documentation Amazon Resource Names (ARNs) and AWS Service Namespaces.

    For Lambda:

    AWS Lambda (Lambda)

    Syntax:
    
    arn:aws:lambda:region:account-id:function:function-name
    arn:aws:lambda:region:account-id:function:function-name:alias-name
    arn:aws:lambda:region:account-id:function:function-name:version
    arn:aws:lambda:region:account-id:event-source-mappings:event-source-mapping-id
    

    Examples:

    arn:aws:lambda:us-east-1:123456789012:function:ProcessKinesisRecords
    arn:aws:lambda:us-east-1:123456789012:function:ProcessKinesisRecords:your alias
    arn:aws:lambda:us-east-1:123456789012:function:ProcessKinesisRecords:1.0
    arn:aws:lambda:us-east-1:123456789012:event-source-mappings:kinesis-stream-arn
    

    If you also create the Lambda function in Terraform (not in your case, but I recommend managing all AWS resources in Terraform once you have started using it):

    resource "aws_lambda_function" "authorizer" {
      filename         = "lambda-function.zip"
      source_code_hash = "${base64sha256(file("lambda-function.zip"))}"
      function_name    = "api_gateway_authorizer"
      role             = "${aws_iam_role.lambda.arn}"
      handler          = "exports.example"
    }
    

    You can then easily reference the Lambda invoke ARN as authorizer_uri:

    resource "aws_api_gateway_authorizer" "demo" {
      name                   = "demo"
      rest_api_id            = "${aws_api_gateway_rest_api.demo.id}"
      authorizer_uri         = "${aws_lambda_function.authorizer.invoke_arn}"
      authorizer_credentials = "${aws_iam_role.invocation_role.arn}"
    }
    
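As an added example (not code from either answer, nor from Terraform itself), the following Python helper builds the invocation URI that API Gateway expects from a plain Lambda function ARN. It reproduces what Terraform's `aws_lambda_function.<name>.invoke_arn` attribute computes and the format the first answer found, and it also checks whether a string is already in that form, which is exactly why the bare Lambda ARN in the question was rejected. The function-ARN pattern follows the syntax quoted from the AWS docs above; the sample ARNs are constructed and use the placeholder account `123456789012` from that excerpt.

```python
import re

# Matches the Lambda *function* ARN forms from the AWS docs quoted above:
#   arn:aws:lambda:region:account-id:function:function-name
#   arn:aws:lambda:region:account-id:function:function-name:alias-or-version
# Event-source-mapping ARNs deliberately do not match: they cannot be invoked.
LAMBDA_FUNCTION_ARN = re.compile(
    r"^arn:(?P<partition>aws[a-zA-Z-]*):lambda:"
    r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d):"
    r"(?P<account>\d{12}):function:"
    r"(?P<name>[A-Za-z0-9_-]{1,64})"
    r"(?::(?P<qualifier>[A-Za-z0-9_$-]+))?$"
)

# The Lambda Invoke API version; API Gateway embeds it in every invocation
# URI, which is why the "date" in the first answer looks hard-coded.
LAMBDA_INVOKE_API_VERSION = "2015-03-31"
FUNCTIONS_PREFIX = f"{LAMBDA_INVOKE_API_VERSION}/functions/"


def lambda_invoke_arn(function_arn: str) -> str:
    """Build the API Gateway authorizer_uri for a Lambda function ARN.

    Equivalent to Terraform's aws_lambda_function.<name>.invoke_arn.
    Raises ValueError if the input is not a Lambda function ARN, so a
    typo or an event-source-mapping ARN fails at plan time, not at apply.
    """
    m = LAMBDA_FUNCTION_ARN.match(function_arn)
    if not m:
        raise ValueError(f"not a Lambda function ARN: {function_arn}")
    return (
        f"arn:{m['partition']}:apigateway:{m['region']}:lambda:path/"
        f"{FUNCTIONS_PREFIX}{function_arn}/invocations"
    )


def is_valid_authorizer_uri(uri: str) -> bool:
    """Return True if `uri` has the invocation-URI shape API Gateway requires.

    A bare Lambda ARN (as in the question) returns False: it lacks the
    arn:aws:apigateway:<region>:lambda:path/<version>/functions/ wrapper
    and the trailing /invocations segment.
    """
    prefix, sep, rest = uri.partition(":lambda:path/")
    if not sep:
        return False
    if not re.fullmatch(r"arn:aws[a-zA-Z-]*:apigateway:[a-z0-9-]+", prefix):
        return False
    if not rest.startswith(FUNCTIONS_PREFIX) or not rest.endswith("/invocations"):
        return False
    inner = rest[len(FUNCTIONS_PREFIX):-len("/invocations")]
    return LAMBDA_FUNCTION_ARN.match(inner) is not None


if __name__ == "__main__":
    # Constructed sample: the question's ARN with a placeholder account ID.
    bare = "arn:aws:lambda:us-east-2:123456789012:function:dev-authorizer"
    print("bare ARN accepted as authorizer_uri:", is_valid_authorizer_uri(bare))
    wrapped = lambda_invoke_arn(bare)
    print("invoke ARN:", wrapped)
    print("wrapped ARN accepted as authorizer_uri:", is_valid_authorizer_uri(wrapped))
```

Whether you let Terraform compute `invoke_arn` or build the URI yourself, the region in the `apigateway:` segment must match the region of the function ARN, and the IAM role you pass as `authorizer_credentials` only needs `lambda:InvokeFunction` on that one function ARN, not on `*`.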
