Add HTTP datasource authorization_config fields.

.github/workflows/release.yml

@@ -0,0 +1,42 @@
+# This GitHub action can publish assets for release when a tag is created.
+# Currently its setup to run on any tag that matches the pattern "v*" (ie. v0.1.0).
+#
+# This uses an action (paultyng/ghaction-import-gpg) that assumes you set your
+# private key in the `GPG_PRIVATE_KEY` secret and passphrase in the `PASSPHRASE`
+# secret. If you would rather own your own GPG handling, please fork this action
+# or use an alternative one for key handling.
+#
+# You will need to pass the `--batch` flag to `gpg` in your signing step
+# in `goreleaser` to indicate this is being used in a non-interactive mode.
+#
+name: release
+on:
+  push:
+    tags:
+      - "v*"
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Unshallow
+        run: git fetch --prune --unshallow
+      - name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.14
+      - name: Import GPG key
+        id: import_gpg
+        uses: paultyng/[email protected]
+        env:
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+          PASSPHRASE: ${{ secrets.PASSPHRASE }}
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v2
+        with:
+          version: latest
+          args: release --rm-dist
+        env:
+          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.goreleaser.yml

@@ -1,47 +1,48 @@
-archives:
-  - files:
-      - none*
-    format: zip
-    name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}'
+# Visit https://goreleaser.com for documentation on how to customize this
+# behavior.
 before:
   hooks:
-    - go mod download
+    # this is just an example and not a requirement for provider building/publishing
+    - go mod tidy
 builds:
-  - binary: '{{ .ProjectName }}_{{ .Version }}'
+  - env:
+      # goreleaser does not work with CGO, it could also complicate
+      # usage by users in CI/CD systems like Terraform Cloud where
+      # they are unable to install libraries.
+      - CGO_ENABLED=0
+    mod_timestamp: "{{ .CommitTimestamp }}"
     flags:
       - -trimpath
+    ldflags:
+      - "-s -w -X main.version={{.Version}} -X main.commit={{.Commit}}"
+    goos:
+      - linux
+      - darwin
     goarch:
-      - '386'
       - amd64
       - arm
       - arm64
-    goos:
-      - darwin
-      - freebsd
-      - linux
-      - windows
-    ignore:
-      - goarch: '386'
-        goos: darwin
-    ldflags:
-      - -s -w -X aws/version.ProviderVersion={{.Version}}
-    mod_timestamp: '{{ .CommitTimestamp }}'
-changelog:
-  skip: true
+    binary: "{{ .ProjectName }}_v{{ .Version }}"
+archives:
+  - format: zip
+    name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
 checksum:
-  name_template: '{{ .ProjectName }}_{{ .Version }}_SHA256SUMS'
+  name_template: "{{ .ProjectName }}_{{ .Version }}_SHA256SUMS"
   algorithm: sha256
-env:
-  - CGO_ENABLED=0
-release:
-  disable: true
 signs:
   - artifacts: checksum
     args:
+      # if you are using this is a GitHub action or some other automated pipeline, you
+      # need to pass the batch flag to indicate its not interactive.
       - "--batch"
       - "--local-user"
       - "{{ .Env.GPG_FINGERPRINT }}" # set this environment variable for your signing key
       - "--output"
       - "${signature}"
       - "--detach-sign"
       - "${artifact}"
+release:
+  # If you want to manually examine the release before its live, uncomment this line:
+  # draft: true
+changelog:
+  skip: true

aws/resource_aws_appsync_datasource.go

@@ -108,6 +108,42 @@ func resourceAwsAppsyncDatasource() *schema.Resource {
 							Type:     schema.TypeString,
 							Required: true,
 						},
+						"authorization_config": {
+							Type:     schema.TypeList,
+							Optional: true,
+							MaxItems: 1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"authorization_type": {
+										Type:     schema.TypeString,
+										Required: true,
+										ValidateFunc: validation.StringInSlice([]string{
+											appsync.AuthorizationTypeAwsIam,
+										}, true),
+										StateFunc: func(v interface{}) string {
+											return strings.ToUpper(v.(string))
+										},
+									},
+									"aws_iam_config": {
+										Type:     schema.TypeList,
+										Optional: true,
+										MaxItems: 1,
+										Elem: &schema.Resource{
+											Schema: map[string]*schema.Schema{
+												"signing_region": {
+													Type:     schema.TypeString,
+													Optional: true,
+												},
+												"signing_service_name": {
+													Type:     schema.TypeString,
+													Optional: true,
+												},
+											},
+										},
+									},
+								},
+							},
+						},
 					},
 				},
 				ConflictsWith: []string{"dynamodb_config", "elasticsearch_config", "lambda_config"},
@@ -385,6 +421,36 @@ func flattenAppsyncElasticsearchDataSourceConfig(config *appsync.ElasticsearchDa
 	return []map[string]interface{}{result}
 }
 
+func expandAppsyncAwsIamConfig(l []interface{}) *appsync.AwsIamConfig {
+	if len(l) == 0 {
+		return nil
+	}
+
+	configured := l[0].(map[string]interface{})
+
+	result := &appsync.AwsIamConfig{
+		SigningRegion:      aws.String(configured["signing_region"].(string)),
+		SigningServiceName: aws.String(configured["signing_service_name"].(string)),
+	}
+
+	return result
+}
+
+func expandAppsyncHTTPAuthorizationConfig(l []interface{}) *appsync.AuthorizationConfig {
+	if len(l) == 0 {
+		return nil
+	}
+
+	configured := l[0].(map[string]interface{})
+
+	result := &appsync.AuthorizationConfig{
+		AuthorizationType: aws.String(configured["authorization_type"].(string)),
+		AwsIamConfig:      expandAppsyncAwsIamConfig(configured["aws_iam_config"].([]interface{})),
+	}
+
+	return result
+}
+
 func expandAppsyncHTTPDataSourceConfig(l []interface{}) *appsync.HttpDataSourceConfig {
 	if len(l) == 0 || l[0] == nil {
 		return nil
@@ -393,19 +459,47 @@ func expandAppsyncHTTPDataSourceConfig(l []interface{}) *appsync.HttpDataSourceC
 	configured := l[0].(map[string]interface{})
 
 	result := &appsync.HttpDataSourceConfig{
-		Endpoint: aws.String(configured["endpoint"].(string)),
+		Endpoint:            aws.String(configured["endpoint"].(string)),
+		AuthorizationConfig: expandAppsyncHTTPAuthorizationConfig(configured["authorization_config"].([]interface{})),
 	}
 
 	return result
 }
 
+func flattenAppsyncAwsIamConfig(config *appsync.AwsIamConfig) []map[string]interface{} {
+	if config == nil {
+		return nil
+	}
+
+	result := map[string]interface{}{
+		"signing_region":       aws.StringValue(config.SigningRegion),
+		"signing_service_name": aws.StringValue(config.SigningServiceName),
+	}
+
+	return []map[string]interface{}{result}
+}
+
+func flattenAppsyncHTTPAuthorizationConfig(config *appsync.AuthorizationConfig) []map[string]interface{} {
+	if config == nil {
+		return nil
+	}
+
+	result := map[string]interface{}{
+		"authorization_type": aws.StringValue(config.AuthorizationType),
+		"aws_iam_config":     flattenAppsyncAwsIamConfig(config.AwsIamConfig),
+	}
+
+	return []map[string]interface{}{result}
+}
+
 func flattenAppsyncHTTPDataSourceConfig(config *appsync.HttpDataSourceConfig) []map[string]interface{} {
 	if config == nil {
 		return nil
 	}
 
 	result := map[string]interface{}{
-		"endpoint": aws.StringValue(config.Endpoint),
+		"endpoint":             aws.StringValue(config.Endpoint),
+		"authorization_config": flattenAppsyncHTTPAuthorizationConfig(config.AuthorizationConfig),
 	}
 
 	return []map[string]interface{}{result}

aws/resource_aws_appsync_datasource_test.go

@@ -178,6 +178,37 @@ func TestAccAwsAppsyncDatasource_ElasticsearchConfig_Region(t *testing.T) {
 	})
 }
 
+func TestAccAwsAppsyncDatasource_HTTPConfig_AuthorizationConfig(t *testing.T) {
+	rName := fmt.Sprintf("tfacctest%d", acctest.RandInt())
+	resourceName := "aws_appsync_datasource.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t); testAccPartitionHasServicePreCheck(appsync.EndpointsID, t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAwsAppsyncDatasourceDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAppsyncDatasourceConfig_HTTPConfig_AuthorizationConfig(rName, testAccGetRegion(), "s3"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAwsAppsyncDatasourceExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "http_config.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "http_config.0.authorization_config.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "http_config.0.authorization_config.0.authorization_type", "AWS_IAM"),
+					resource.TestCheckResourceAttr(resourceName, "http_config.0.authorization_config.0.aws_iam_config.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "http_config.0.authorization_config.0.aws_iam_config.0.signing_region", testAccGetRegion()),
+					resource.TestCheckResourceAttr(resourceName, "http_config.0.authorization_config.0.aws_iam_config.0.signing_service_name", "s3"),
+					resource.TestCheckResourceAttr(resourceName, "type", "HTTP"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func TestAccAwsAppsyncDatasource_HTTPConfig_Endpoint(t *testing.T) {
 	rName := fmt.Sprintf("tfacctest%d", acctest.RandInt())
 	resourceName := "aws_appsync_datasource.test"
@@ -705,6 +736,52 @@ resource "aws_appsync_datasource" "test" {
 `, rName, rName, region)
 }
 
+func testAccAppsyncDatasourceConfig_HTTPConfig_AuthorizationConfig(rName, region string, serviceName string) string {
+	return fmt.Sprintf(`
+resource "aws_iam_role" "test" {
+	name = %q
+
+	assume_role_policy = <<EOF
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Action": "sts:AssumeRole",
+			"Principal": {
+				"Service": "appsync.amazonaws.com"
+			},
+			"Effect": "Allow"
+		}
+	]
+}
+EOF
+}
+
+resource "aws_appsync_graphql_api" "test" {
+	authentication_type = "API_KEY"
+	name                = %q
+}
+
+resource "aws_appsync_datasource" "test" {
+	api_id = "${aws_appsync_graphql_api.test.id}"
+	name   = %q
+	type   = "HTTP"
+	service_role_arn = "${aws_iam_role.test.arn}"
+
+	http_config {
+		endpoint = "http://example.com"
+		authorization_config {
+			authorization_type = "AWS_IAM"
+			aws_iam_config {
+				signing_region = %q
+				signing_service_name = %q
+			}
+		}
+	}
+}
+`, rName, rName, rName, region, serviceName)
+}
+
 func testAccAppsyncDatasourceConfig_HTTPConfig_Endpoint(rName, endpoint string) string {
 	return fmt.Sprintf(`
 resource "aws_appsync_graphql_api" "test" {

tools/go.mod

@@ -7,6 +7,7 @@ require (
 	github.com/client9/misspell v0.3.4
 	github.com/golangci/golangci-lint v1.32.2
 	github.com/katbyte/terrafmt v0.2.1-0.20200913185704-5ff4421407b4
+	github.com/pavius/impi v0.0.3 // indirect
 	github.com/terraform-linters/tflint v0.20.3
 )
 

tools/go.sum

@@ -638,6 +638,8 @@ github.com/onsi/gomega v1.10.2 h1:aY/nuoWlKJud2J6U0E3NWsjlg+0GtwXxgEqthRdzlcs=
 github.com/onsi/gomega v1.10.2/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/packer-community/winrmcp v0.0.0-20180921211025-c76d91c1e7db/go.mod h1:f6Izs6JvFTdnRbziASagjZ2vmf55NSIkC/weStxCHqk=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
+github.com/pavius/impi v0.0.3 h1:DND6MzU+BLABhOZXbELR3FU8b+zDgcq4dOCNLhiTYuI=
+github.com/pavius/impi v0.0.3/go.mod h1:x/hU0bfdWIhuOT1SKwiJg++yvkk6EuOtJk8WtDZqgr8=
 github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pelletier/go-toml v1.2.0 h1:T5zMGML61Wp+FlcbWjRDT7yAxhJNAiPPLOFECq181zc=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=

website/docs/r/appsync_datasource.html.markdown

@@ -117,13 +117,28 @@ The following arguments are supported:
 The following arguments are supported:
 
 * `endpoint` - (Required) HTTP URL.
+* `authorization_config` - (Optional) HTTP Authorization settings. See [below](#authorization_config)
 
 ### lambda_config
 
 The following arguments are supported:
 
 * `function_arn` - (Required) The ARN for the Lambda function.
 
+### authorization_config
+
+The following arguments are supported:
+
+* `authorization_type` - (Required) The type of the authorization. Valid values: `AWS_IAM`
+* `aws_iam_config` - (Optional) AWS IAM settings. See [below](#aws_iam_config)
+
+### aws_iam_config
+
+The following arguments are supported:
+
+* `signing_region` - (Optional) The signing region for AWS IAM authorization.
+* `signing_service_name` - (Optional) The signing service name for AWS IAM authorization.
+
 ## Attributes Reference
 
 In addition to all arguments above, the following attributes are exported: