hashicorp · bflad · Jun 4, 2018 · Apr 27, 2018 · May 14, 2018 · Jun 4, 2018
diff --git a/aws/resource_aws_api_gateway_method.go b/aws/resource_aws_api_gateway_method.go
@@ -51,6 +51,12 @@ func resourceAwsApiGatewayMethod() *schema.Resource {
 				Optional: true,
 			},
 
+			"authorization_scopes": &schema.Schema{
+				Type:     schema.TypeList,
+				Optional: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
+
 			"api_key_required": &schema.Schema{
 				Type:     schema.TypeBool,
 				Optional: true,
@@ -126,6 +132,10 @@ func resourceAwsApiGatewayMethodCreate(d *schema.ResourceData, meta interface{})
 		input.AuthorizerId = aws.String(v.(string))
 	}
 
+	if v, ok := d.GetOk("authorization_scopes"); ok {
+		input.AuthorizationScopes = expandStringList(v.([]interface{}))
+	}
+
 	if v, ok := d.GetOk("request_validator_id"); ok {
 		input.RequestValidatorId = aws.String(v.(string))
 	}
@@ -165,6 +175,7 @@ func resourceAwsApiGatewayMethodRead(d *schema.ResourceData, meta interface{}) e
 	d.Set("api_key_required", out.ApiKeyRequired)
 	d.Set("authorization", out.AuthorizationType)
 	d.Set("authorizer_id", out.AuthorizerId)
+	d.Set("authorization_scopes", out.AuthorizationScopes)
 	d.Set("request_models", aws.StringValueMap(out.RequestModels))
 	d.Set("request_validator_id", out.RequestValidatorId)
 
@@ -229,6 +240,35 @@ func resourceAwsApiGatewayMethodUpdate(d *schema.ResourceData, meta interface{})
 		})
 	}
 
+	if d.HasChange("authorization_scopes") {
+		o, n := d.GetChange("authorization_scopes")
+		path := "/authorizationScopes"
+
+		old := o.([]interface{})
+		new := n.([]interface{})
+
+		// Remove every authorization scope. Simpler to remove and add new ones,
+		// since there are no replacings.
+		for _, v := range old {
+			operations = append(operations, &apigateway.PatchOperation{
+				Op:    aws.String("remove"),
+				Path:  aws.String(path),
+				Value: aws.String(v.(string)),
+			})
+		}
+
+		// Handle additions
+		if len(new) > 0 {
+			for _, v := range new {
+				operations = append(operations, &apigateway.PatchOperation{
+					Op:    aws.String("add"),
+					Path:  aws.String(path),
+					Value: aws.String(v.(string)),
+				})
+			}
+		}
+	}
+
 	if d.HasChange("api_key_required") {
 		operations = append(operations, &apigateway.PatchOperation{
 			Op:    aws.String("replace"),

diff --git a/aws/resource_aws_api_gateway_method_test.go b/aws/resource_aws_api_gateway_method_test.go
@@ -87,6 +87,46 @@ func TestAccAWSAPIGatewayMethod_customauthorizer(t *testing.T) {
 	})
 }
 
+func TestAccAWSAPIGatewayMethod_cognitoauthorizer(t *testing.T) {
+	var conf apigateway.Method
+	rInt := acctest.RandInt()
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSAPIGatewayMethodDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSAPIGatewayMethodConfigWithCognitoAuthorizer(rInt),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSAPIGatewayMethodExists("aws_api_gateway_method.test", &conf),
+					testAccCheckAWSAPIGatewayMethodAttributes(&conf),
+					resource.TestCheckResourceAttr(
+						"aws_api_gateway_method.test", "http_method", "GET"),
+					resource.TestCheckResourceAttr(
+						"aws_api_gateway_method.test", "authorization", "COGNITO_USER_POOLS"),
+					resource.TestMatchResourceAttr(
+						"aws_api_gateway_method.test", "authorizer_id", regexp.MustCompile("^[a-z0-9]{6}$")),
+					resource.TestCheckResourceAttr(
+						"aws_api_gateway_method.test", "request_models.application/json", "Error"),
+				),
+			},
+
+			{
+				Config: testAccAWSAPIGatewayMethodConfigUpdate(rInt),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSAPIGatewayMethodExists("aws_api_gateway_method.test", &conf),
+					testAccCheckAWSAPIGatewayMethodAttributesUpdate(&conf),
+					resource.TestCheckResourceAttr(
+						"aws_api_gateway_method.test", "authorization", "NONE"),
+					resource.TestCheckResourceAttr(
+						"aws_api_gateway_method.test", "authorizer_id", ""),
+				),
+			},
+		},
+	})
+}
+
 func TestAccAWSAPIGatewayMethod_customrequestvalidator(t *testing.T) {
 	var conf apigateway.Method
 	rInt := acctest.RandInt()
@@ -130,7 +170,7 @@ func testAccCheckAWSAPIGatewayMethodAttributes(conf *apigateway.Method) resource
 		if *conf.HttpMethod != "GET" {
 			return fmt.Errorf("Wrong HttpMethod: %q", *conf.HttpMethod)
 		}
-		if *conf.AuthorizationType != "NONE" && *conf.AuthorizationType != "CUSTOM" {
+		if *conf.AuthorizationType != "NONE" && *conf.AuthorizationType != "CUSTOM" && *conf.AuthorizationType != "COGNITO_USER_POOLS" {
 			return fmt.Errorf("Wrong Authorization: %q", *conf.AuthorizationType)
 		}
 
@@ -337,6 +377,90 @@ resource "aws_api_gateway_method" "test" {
 }`, rInt, rInt, rInt, rInt, rInt)
 }
 
+func testAccAWSAPIGatewayMethodConfigWithCognitoAuthorizer(rInt int) string {
+	return fmt.Sprintf(`
+resource "aws_api_gateway_rest_api" "test" {
+  name = "tf-acc-test-cognito-auth-%d"
+}
+
+resource "aws_iam_role" "invocation_role" {
+  name = "tf_acc_api_gateway_auth_invocation_role-%d"
+  path = "/"
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "apigateway.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role" "iam_for_lambda" {
+  name = "tf_acc_iam_for_lambda_api_gateway_authorizer-%d"
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_cognito_user_pool" "test" {
+  name = "tf-acc-test-cognito-pool"
+}
+
+
+resource "aws_api_gateway_authorizer" "test" {
+  name = "tf-acc-test-cognito-authorizer"
+  rest_api_id = "${aws_api_gateway_rest_api.test.id}"
+  authorizer_uri = "${aws_cognito_user_pool.test.arn}"
+	identity_source = "method.request.header.Authorization"
+	provider_arns = ["${aws_cognito_user_pool.test.arn}"]
+	type = "COGNITO_USER_POOLS"
+}
+
+resource "aws_api_gateway_resource" "test" {
+  rest_api_id = "${aws_api_gateway_rest_api.test.id}"
+  parent_id = "${aws_api_gateway_rest_api.test.root_resource_id}"
+  path_part = "test"
+}
+
+resource "aws_api_gateway_method" "test" {
+  rest_api_id = "${aws_api_gateway_rest_api.test.id}"
+  resource_id = "${aws_api_gateway_resource.test.id}"
+  http_method = "GET"
+  authorization = "COGNITO_USER_POOLS"
+	authorizer_id = "${aws_api_gateway_authorizer.test.id}"
+	authorization_scopes = ["test.read", "test.write"]
+
+  request_models = {
+    "application/json" = "Error"
+  }
+
+  request_parameters = {
+    "method.request.header.Content-Type" = false
+	  "method.request.querystring.page" = true
+  }
+}`, rInt, rInt, rInt)
+}
+
 func testAccAWSAPIGatewayMethodConfig(rInt int) string {
 	return fmt.Sprintf(`
 resource "aws_api_gateway_rest_api" "test" {

diff --git a/website/docs/r/api_gateway_method.html.markdown b/website/docs/r/api_gateway_method.html.markdown
@@ -77,14 +77,15 @@ The following arguments are supported:
 * `rest_api_id` - (Required) The ID of the associated REST API
 * `resource_id` - (Required) The API resource ID
 * `http_method` - (Required) The HTTP Method (`GET`, `POST`, `PUT`, `DELETE`, `HEAD`, `OPTIONS`, `ANY`)
-* `authorization` - (Required) The type of authorization used for the method (`NONE`, `CUSTOM`, `AWS_IAM`)
-* `authorizer_id` - (Optional) The authorizer id to be used when the authorization is `CUSTOM`
+* `authorization` - (Required) The type of authorization used for the method (`NONE`, `CUSTOM`, `AWS_IAM`, `COGNITO_USER_POOLS`)
+* `authorizer_id` - (Optional) The authorizer id to be used when the authorization is `CUSTOM` or `COGNITO_USER_POOLS`
 * `api_key_required` - (Optional) Specify if the method requires an API key
 * `request_models` - (Optional) A map of the API models used for the request's content type
   where key is the content type (e.g. `application/json`)
   and value is either `Error`, `Empty` (built-in models) or `aws_api_gateway_model`'s `name`.
 * `request_validator_id` - (Optional) The ID of a `aws_api_gateway_request_validator`
 * `request_parameters` - (Optional) A map of request query string parameters and headers that should be passed to the integration.
+* `authorization_scopes` - (Optional) The authorization scopes used when the authorization is `COGNITO_USER_POOLS`
   For example:
 ```hcl
 request_parameters = {