resource/api_gateway_authorizer: add CustomizeDiff

aws/resource_aws_api_gateway_authorizer.go

@@ -14,10 +14,11 @@ import (
 
 func resourceAwsApiGatewayAuthorizer() *schema.Resource {
 	return &schema.Resource{
-		Create: resourceAwsApiGatewayAuthorizerCreate,
-		Read:   resourceAwsApiGatewayAuthorizerRead,
-		Update: resourceAwsApiGatewayAuthorizerUpdate,
-		Delete: resourceAwsApiGatewayAuthorizerDelete,
+		Create:        resourceAwsApiGatewayAuthorizerCreate,
+		Read:          resourceAwsApiGatewayAuthorizerRead,
+		Update:        resourceAwsApiGatewayAuthorizerUpdate,
+		Delete:        resourceAwsApiGatewayAuthorizerDelete,
+		CustomizeDiff: resourceAwsApiGatewayAuthorizerCustomizeDiff,
 
 		Schema: map[string]*schema.Schema{
 			"authorizer_uri": {
@@ -42,12 +43,12 @@ func resourceAwsApiGatewayAuthorizer() *schema.Resource {
 				Type:     schema.TypeString,
 				Optional: true,
 				Default:  "TOKEN",
-				ForceNew: true,
 				ValidateFunc: validation.StringInSlice([]string{
 					apigateway.AuthorizerTypeCognitoUserPools,
 					apigateway.AuthorizerTypeRequest,
 					apigateway.AuthorizerTypeToken,
-				}, false)},
+				}, false),
+			},
 			"authorizer_credentials": {
 				Type:     schema.TypeString,
 				Optional: true,
@@ -62,7 +63,7 @@ func resourceAwsApiGatewayAuthorizer() *schema.Resource {
 				Optional: true,
 			},
 			"provider_arns": {
-				Type:     schema.TypeList,
+				Type:     schema.TypeSet,
 				Optional: true,
 				Elem:     &schema.Schema{Type: schema.TypeString},
 			},
@@ -93,7 +94,7 @@ func resourceAwsApiGatewayAuthorizerCreate(d *schema.ResourceData, meta interfac
 		input.IdentityValidationExpression = aws.String(v.(string))
 	}
 	if v, ok := d.GetOk("provider_arns"); ok {
-		input.ProviderARNs = expandStringList(v.([]interface{}))
+		input.ProviderARNs = expandStringList(v.(*schema.Set).List())
 	}
 
 	log.Printf("[INFO] Creating API Gateway Authorizer: %s", input)
@@ -200,8 +201,8 @@ func resourceAwsApiGatewayAuthorizerUpdate(d *schema.ResourceData, meta interfac
 	}
 	if d.HasChange("provider_arns") {
 		old, new := d.GetChange("provider_arns")
-		oldValue := old.([]interface{})
-		newValue := new.([]interface{})
+		oldValue := old.(*schema.Set).List()
+		newValue := new.(*schema.Set).List()
 		operations = append(operations, diffProviderARNsOp("/providerARNs", oldValue, newValue)...)
 	}
 	input.PatchOperations = operations
@@ -268,3 +269,37 @@ func diffProviderARNsOp(prefix string, old, new []interface{}) (ops []*apigatewa
 	}
 	return
 }
+
+func resourceAwsApiGatewayAuthorizerCustomizeDiff(diff *schema.ResourceDiff, v interface{}) error {
+	args := []string{"authorizer_uri", "name", "rest_api_id", "identity_source", "type", "identity_validation_expression", "authorizer_credentials"}
+	for _, arg := range args {
+		val, ok := diff.GetOk(arg)
+		log.Printf("[DEBUG] %s: #%s#, #%v#", arg, val.(string), ok)
+	}
+
+	authType := diff.Get("type").(string)
+	// authorizer_uri is required for authorizer TOKEN/REQUEST
+	if authType == apigateway.AuthorizerTypeRequest || authType == apigateway.AuthorizerTypeToken {
+		if val, ok := diff.GetOk("authorizer_uri"); !ok || val.(string) == "" {
+			return fmt.Errorf("authorizer_uri must be set non-empty when authorizer type is %s", authType)
+		}
+	}
+	// provider_arns is required for authorizer COGNITO_USER_POOLS.
+	if authType == apigateway.AuthorizerTypeCognitoUserPools {
+		if val, ok := diff.GetOk("provider_arns"); !ok || len(val.(*schema.Set).List()) == 0 {
+			return fmt.Errorf("provider_arns must be set non-empty when authorizer type is %s", authType)
+		}
+	}
+
+	// switch type between COGNITO_USER_POOLS and TOKEN/REQUEST will create new resource.
+	if diff.HasChange("type") {
+		o, n := diff.GetChange("type")
+		if o.(string) == apigateway.AuthorizerTypeCognitoUserPools || n.(string) == apigateway.AuthorizerTypeCognitoUserPools {
+			if err := diff.ForceNew("type"); err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}

website/docs/r/api_gateway_authorizer.html.markdown

@@ -96,9 +96,9 @@ resource "aws_lambda_function" "authorizer" {
 
 The following arguments are supported:
 
-* `authorizer_uri` - (Optional) The authorizer's Uniform Resource Identifier (URI).
-	For `TOKEN` type, this must be a well-formed Lambda function URI in the form of
-	`arn:aws:apigateway:{region}:lambda:path/{service_api}`. e.g. `arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:012345678912:function:my-function/invocations`
+* `authorizer_uri` - (Optional, required for type `TOKEN`/`REQUEST`) The authorizer's Uniform Resource Identifier (URI).
+	This must be a well-formed Lambda function URI in the form of `arn:aws:apigateway:{region}:lambda:path/{service_api}`,
+	e.g. `arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:012345678912:function:my-function/invocations`
 * `name` - (Required) The name of the authorizer
 * `rest_api_id` - (Required) The ID of the associated REST API
 * `identity_source` - (Optional) The source of the identity in an incoming request.
@@ -113,4 +113,5 @@ The following arguments are supported:
 	For `TOKEN` type, this value should be a regular expression. The incoming token from the client is matched
 	against this expression, and will proceed if the token matches. If the token doesn't match,
 	the client receives a 401 Unauthorized response.
-* `provider_arns` - (Optional, required for type `COGNITO_USER_POOLS`) A list of the Amazon Cognito user pool ARNs. Each element is of this format: `arn:aws:cognito-idp:{region}:{account_id}:userpool/{user_pool_id}`.
+* `provider_arns` - (Optional, required for type `COGNITO_USER_POOLS`) A list of the Amazon Cognito user pool ARNs.
+	Each element is of this format: `arn:aws:cognito-idp:{region}:{account_id}:userpool/{user_pool_id}`.