Cognito User Pool Authorizer defined in OpenAPI without hardcoded values

I have an API Gateway REST API resource defined with this template:

AWSTemplateFormatVersion: '2010-09-09'
Description: "Api gateway"
Resources:
  ApiGateway:
    Type: "AWS::ApiGateway::RestApi"
    Properties:
      BodyS3Location: "./openapi-spec.yaml"

And the contents of openapi-spec.yaml (based on this example) are:

openapi: "3.0.2"
info:
  title: SampleApi
paths:
  /test:
    get:
      summary: Test
      responses:
        "200":
          description: Ok
      security:
        - UserPool: [ ]
      x-amazon-apigateway-integration:
        # ....

components:
  securitySchemes:
    UserPool:
      type: apiKey
      name: Authorization
      in: header
      x-amazon-apigateway-authtype: cognito_user_pools
      x-amazon-apigateway-authorizer:
        type: cognito_user_pools
        providerARNs:
          ### THIS VALUE ###
          - "arn:aws:cognito-idp:eu-west-1:123456789012:userpool/eu-west-1_abcd12345"

I'd like to be able to deploy this template in multiple environments/accounts, and having this hardcoded providerARN is limiting that. So my questions are:

How can values for the providerARNs field be passed in dynamically?

If that can't be done, then are there any workarounds to this so that I don't have to hardcode the providerARNs here?

Note: Already tried to use stage variables and they don't seem to work here.

Solution 1:

If you don't have an existing Cognito user pool, then you would have to define one using AWS::Cognito::UserPool in CloudFormation; then you can simply reference the ARN of this user pool using !GetAtt.

But if you have an existing Cognito user pool, then you can also import it into a stack using CloudFormation by following these steps.

Here's an example:

template.yaml

Resources:
  ApiGateway:
    Type: "AWS::ApiGateway::RestApi"
    Properties:
      # The spec is inlined with the AWS::Include transform instead of
      # BodyS3Location, so that CloudFormation evaluates the intrinsic
      # functions inside it. With BodyS3Location, API Gateway reads the file
      # straight from S3 and the Fn::GetAtt below would be left unresolved.
      # `aws cloudformation package` / `sam deploy` upload the local file.
      Body:
        Fn::Transform:
          Name: AWS::Include
          Parameters:
            Location: "./openapi-spec.yaml"

  CognitoUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      # ....

openapi-spec.yaml

openapi: "3.0.2"
# ....
components:
  securitySchemes:
    UserPool:
      type: apiKey
      name: Authorization
      in: header
      x-amazon-apigateway-authtype: cognito_user_pools
      x-amazon-apigateway-authorizer:
        type: cognito_user_pools
        providerARNs:
          # Long-form Fn::GetAtt: the included file is parsed as plain YAML,
          # where the !GetAtt short-form tag is not reliably recognised.
          - Fn::GetAtt: [CognitoUserPool, Arn]
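Building on the answer above, here is an added example (not part of the original question or answer) that also covers the second case from the question, an existing user pool in another account or environment. The pool ARN becomes a stack parameter, and the stack creates its own pool only when that parameter is left empty. The parameter name ExistingUserPoolArn, the condition name CreateUserPool, the user pool name, the mock integration and the output name are assumptions chosen for this example. The spec is included with Fn::Transform / AWS::Include so that CloudFormation resolves the intrinsic functions inside it, which it does not do for a file referenced through BodyS3Location. Both files are shown in one block, separated by comments.

```yaml
# --- template.yaml ---
AWSTemplateFormatVersion: '2010-09-09'
Description: "Api gateway with a per-environment Cognito user pool authorizer"

Parameters:
  # Assumed parameter name. Leave empty to create a user pool in this stack,
  # or pass the ARN of a pool that already exists in the target account.
  ExistingUserPoolArn:
    Type: String
    Default: ""
    # Reject anything that is not empty or a well-formed user pool ARN, so a
    # typo cannot silently point the authorizer at the wrong pool.
    AllowedPattern: "^$|^arn:aws[a-z-]*:cognito-idp:[a-z0-9-]+:[0-9]{12}:userpool/[A-Za-z0-9_-]+$"
    ConstraintDescription: "Empty, or a Cognito user pool ARN"

Conditions:
  CreateUserPool: !Equals [!Ref ExistingUserPoolArn, ""]

Resources:
  CognitoUserPool:
    Type: AWS::Cognito::UserPool
    Condition: CreateUserPool
    Properties:
      UserPoolName: !Sub "${AWS::StackName}-users"

  ApiGateway:
    Type: AWS::ApiGateway::RestApi
    Properties:
      # AWS::Include inlines the spec into the template before it is processed,
      # so the Fn::If / Fn::GetAtt / Ref below are evaluated by CloudFormation.
      # `aws cloudformation package` or `sam deploy` uploads the local file.
      Body:
        Fn::Transform:
          Name: AWS::Include
          Parameters:
            Location: ./openapi-spec.yaml

Outputs:
  # The ARN the authorizer actually trusts, whichever branch was taken.
  EffectiveUserPoolArn:
    Value: !If [CreateUserPool, !GetAtt CognitoUserPool.Arn, !Ref ExistingUserPoolArn]

# --- openapi-spec.yaml ---
openapi: "3.0.2"
info:
  title: SampleApi
paths:
  /test:
    get:
      summary: Test
      responses:
        "200":
          description: Ok
      security:
        - UserPool: [ ]
      # Mock integration, assumed here so the spec deploys on its own.
      x-amazon-apigateway-integration:
        type: mock
        requestTemplates:
          application/json: '{"statusCode": 200}'
        responses:
          default:
            statusCode: "200"
components:
  securitySchemes:
    UserPool:
      type: apiKey
      name: Authorization
      in: header
      x-amazon-apigateway-authtype: cognito_user_pools
      x-amazon-apigateway-authorizer:
        type: cognito_user_pools
        providerARNs:
          # Long-form intrinsic functions only: the included file is parsed as
          # plain YAML, where the !GetAtt / !Ref short-form tags are not
          # reliably recognised.
          - Fn::If:
              - CreateUserPool
              - Fn::GetAtt: [CognitoUserPool, Arn]
              - Ref: ExistingUserPoolArn
```

Deploy per environment with `sam deploy --parameter-overrides ExistingUserPoolArn=arn:aws:cognito-idp:...` (or `aws cloudformation deploy` with the same flag), and omit the override where the stack should own the pool. Whichever branch is taken, the authorizer accepts only tokens issued by the single pool listed in providerARNs, so check the EffectiveUserPoolArn output after the first deployment into a new account. With an empty scope list on the operation, as in the question, API Gateway validates an ID token; list OAuth scopes there instead if the operation should require an access token carrying one of those scopes.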

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
