aws.apigatewayv2-authorizer resource

Description

Authorizer manages an API Gateway v2 authorizer. The authorizer belongs to one API for life, so changing api-id replaces it; the name, type, identity sources, URI, credentials, payload format, TTL, simple-response flag, and JWT configuration update in place with one UpdateAuthorizer patch. Identity sources and JWT audiences are set-like: empty strings, duplicate entries, and order are ignored before calls reach AWS. Create first reads the parent API so an HTTP REQUEST authorizer with identity sources gets API Gateway's 300-second cache TTL default when the input omits it.

Source: internal/service/apigatewayv2/authorizer_rsrc.go:44

Example usage:

imports: {
  aws: 'github.com/cloudboss/unobin-library-aws'
}

resources: {
  example: aws.apigatewayv2-authorizer {
    # Set input fields here.
  }
}
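
The description's set-like handling of identity sources and its 300-second TTL default, written out in Go as an added example; this is not the library's code from authorizer_rsrc.go. The Input struct, the function names and the apiProtocol parameter are hypothetical, and treating a list that holds only empty strings as having no identity sources is an assumption.

```go
package main

import (
	"fmt"
	"sort"
)

// Input is a hypothetical struct mirroring a subset of the documented inputs.
type Input struct {
	Type            string   // authorizer-type
	IdentitySources []string // identity-sources
	TTL             *int     // authorizer-result-ttl-in-seconds; nil when omitted
}

// NormalizeSet drops empty strings and duplicates, then sorts, so lists that
// differ only in those respects produce the same result.
func NormalizeSet(in []string) []string {
	seen, out := map[string]bool{}, []string{}
	for _, s := range in {
		if s != "" && !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	sort.Strings(out)
	return out
}

// EffectiveTTL returns the cache TTL and whether the description determines it.
// Assumption: a list holding only empty strings counts as no identity sources.
func EffectiveTTL(in Input, apiProtocol string) (int, bool) {
	if in.TTL != nil {
		return *in.TTL, true // an explicit input always wins
	}
	if apiProtocol == "HTTP" && in.Type == "REQUEST" && len(NormalizeSet(in.IdentitySources)) > 0 {
		return 300, true // the default the description names
	}
	return 0, false // the description states no default for this case
}

func main() {
	// Constructed sample input with a duplicate and an empty entry.
	src := []string{"$request.header.Authorization", "", "$request.header.Authorization"}
	ttl, known := EffectiveTTL(Input{Type: "REQUEST", IdentitySources: src}, "HTTP")
	fmt.Println(NormalizeSet(src), ttl, known)
}
```

When the TTL resolves to 300, a cached authorizer result is reused for up to five minutes, so set authorizer-result-ttl-in-seconds explicitly where that window matters.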

Inputs

api-id

string

required

authorizer-type

string

required

identity-sources

list(string)

name

string

required

authorizer-credentials-arn

optional(string)

authorizer-payload-format-version

optional(string)

authorizer-result-ttl-in-seconds

optional(integer)

authorizer-uri

optional(string)

enable-simple-responses

optional(boolean)

jwt-configuration

optional(object)
optional(
  object({
    audience: optional(list(string))
    issuer: optional(string)
  })
)

Input Constraints

Authorizer type rules

authorizer-type must be JWT or REQUEST.

Rule logic
Require
input.authorizer-type == 'JWT'
|| input.authorizer-type == 'REQUEST'

Name rules

name must not be empty.

Rule logic
Require
input.name != null
&& @core.length(input.name) >= 1

Authorizer payload format version rules

authorizer-payload-format-version must be 1.0 or 2.0.

Rule logic
When
input.authorizer-payload-format-version != null
Require
input.authorizer-payload-format-version == '1.0'
|| input.authorizer-payload-format-version == '2.0'

Authorizer result ttl in seconds rules

authorizer-result-ttl-in-seconds must be between 0 and 3600.

Rule logic
When
input.authorizer-result-ttl-in-seconds != null
Require
(input.authorizer-result-ttl-in-seconds == null || input.authorizer-result-ttl-in-seconds >= 0)
&& (input.authorizer-result-ttl-in-seconds == null || input.authorizer-result-ttl-in-seconds <= 3600)

Authorizer uri rules

authorizer-uri must not be empty.

Rule logic
When
input.authorizer-uri != null
Require
input.authorizer-uri != null
&& @core.length(input.authorizer-uri) >= 1

Outputs

api-id

string

authorizer-id

string

authorizer-result-ttl-in-seconds

integer