[Bug]: aws_apigatewayv2_route APIGW Websocket Authorizer should not attach to another route than connect #40833

Open
Klopklopi opened this issue Jan 8, 2025 · 1 comment
Labels
bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. service/apigatewayv2 Issues and PRs that pertain to the apigatewayv2 service. service/iam Issues and PRs that pertain to the iam service. service/lambda Issues and PRs that pertain to the lambda service.

Klopklopi commented Jan 8, 2025

Terraform Core Version

1.10.1

AWS Provider Version

5.82.2

Affected Resource(s)

aws_apigatewayv2_route

Expected Behavior

The resource should trigger a warning/error, because in the console you can only attach an authorizer on the connect route.

Actual Behavior

When running terraform plan with an authorizer on a route other than connect, Terraform tries to create an authorizer on this route. The bug does not make the apply crash, but this should raise a warning or an error.

Relevant Error/Panic Output Snippet

# aws_apigatewayv2_route.chat_websocket will be updated in-place
  ~ resource "aws_apigatewayv2_route" "chat_websocket" {
      + authorizer_id                       = "266m9t"
        id                                  = "c625cx1"
        # (10 unchanged attributes hidden)
    }

Terraform Configuration Files

# API Gateway v2 (WebSocket)
resource "aws_apigatewayv2_api" "websocket_api" {
  name                       = "websocket-api"
  protocol_type              = "WEBSOCKET"
  route_selection_expression = "$request.body.action"
}

# Lambda Authorizer Function
resource "aws_lambda_function" "authorizer" {
  filename      = "authorizer.zip" # You will need to create this file
  function_name = "websocket-authorizer"
  role          = aws_iam_role.lambda_authorizer_role.arn
  handler       = "index.handler"
  runtime       = "nodejs18.x"
}

# API Gateway Authorizer
resource "aws_apigatewayv2_authorizer" "websocket_authorizer" {
  api_id           = aws_apigatewayv2_api.websocket_api.id
  authorizer_type  = "REQUEST"
  authorizer_uri   = aws_lambda_function.authorizer.invoke_arn
  identity_sources = ["route.request.header.Authorization"]
  name             = "websocket-authorizer"
}

resource "aws_apigatewayv2_integration" "connect" {
  api_id             = aws_apigatewayv2_api.websocket_api.id
  integration_type   = "AWS_PROXY"
  integration_uri    = aws_lambda_function.authorizer.invoke_arn
  integration_method = "POST"
}

# Connect Route
resource "aws_apigatewayv2_route" "connect" {
  api_id             = aws_apigatewayv2_api.websocket_api.id
  route_key          = "$connect"
  authorization_type = "CUSTOM"
  authorizer_id      = aws_apigatewayv2_authorizer.websocket_authorizer.id
  target             = "integrations/${aws_apigatewayv2_integration.connect.id}"
}

resource "aws_apigatewayv2_integration" "default" {
  api_id             = aws_apigatewayv2_api.websocket_api.id
  integration_type   = "AWS_PROXY"
  integration_uri    = aws_lambda_function.authorizer.invoke_arn
  integration_method = "POST"
}

# Default Route
resource "aws_apigatewayv2_route" "default" {
  api_id             = aws_apigatewayv2_api.websocket_api.id
  route_key          = "$default"
  authorization_type = "CUSTOM"
  authorizer_id      = aws_apigatewayv2_authorizer.websocket_authorizer.id
  target             = "integrations/${aws_apigatewayv2_integration.default.id}"
}

resource "aws_iam_role" "lambda_authorizer_role" {
  name = "websocket-authorizer-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          Service = "lambda.amazonaws.com"
        }
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "lambda_basic" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
  role       = aws_iam_role.lambda_authorizer_role.name
}

Steps to Reproduce

  1. Run terraform plan.
  2. See that there is no error on the connect route and that Terraform is trying to attach an authorizer to the route.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

Yes
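As an added example (not code from the issue or from the AWS provider), here is the check the report asks for, written as a stand-alone Go validator: it flags a WebSocket route other than $connect that carries an authorizer, so a plan that silently adds authorizer_id to $default fails loudly instead of applying cleanly, and it leaves HTTP API routes alone, since those accept route-level authorizers. The Route type and the function names are hypothetical; the sample routes are constructed to mirror the configuration above.

```go
package main

import "fmt"

// Route holds the aws_apigatewayv2_route fields the check needs. This is a
// hypothetical type for the example, not the provider's schema.
type Route struct {
	Name              string // Terraform resource name, e.g. "default"
	ProtocolType      string // protocol_type of the parent aws_apigatewayv2_api
	RouteKey          string // route_key, e.g. "$connect" or "$default"
	AuthorizationType string // authorization_type: "NONE", "AWS_IAM", "CUSTOM"
	AuthorizerID      string // authorizer_id, empty when not set
}

// ValidateRouteAuthorizer applies the rule from the issue: on a WEBSOCKET API an
// authorizer (authorizer_id or authorization_type = "CUSTOM") belongs only on $connect.
func ValidateRouteAuthorizer(r Route) error {
	if r.ProtocolType != "WEBSOCKET" || r.RouteKey == "$connect" {
		return nil // HTTP APIs, and the $connect route itself, are fine
	}
	if r.AuthorizerID != "" || r.AuthorizationType == "CUSTOM" {
		return fmt.Errorf("aws_apigatewayv2_route.%s: route_key %q cannot carry an authorizer; only $connect can",
			r.Name, r.RouteKey)
	}
	return nil
}

// LintRoutes runs the check over every route and returns every finding, so a
// configuration with several mis-attached authorizers reports each of them.
func LintRoutes(routes []Route) []error {
	var errs []error
	for _, r := range routes {
		if err := ValidateRouteAuthorizer(r); err != nil {
			errs = append(errs, err)
		}
	}
	return errs
}

func main() {
	// Constructed input mirroring the $connect and $default routes in the issue.
	routes := []Route{
		{Name: "connect", ProtocolType: "WEBSOCKET", RouteKey: "$connect", AuthorizationType: "CUSTOM", AuthorizerID: "266m9t"},
		{Name: "default", ProtocolType: "WEBSOCKET", RouteKey: "$default", AuthorizationType: "CUSTOM", AuthorizerID: "266m9t"},
	}
	for _, err := range LintRoutes(routes) {
		fmt.Println("warning:", err) // reports only the $default route
	}
}
```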


github-actions bot commented Jan 8, 2025

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.
