Missing Authentication Token on Unauthenticated Method

问题

I have the following Terraform for setting up a CORS method for my API on API Gateway:

resource "aws_api_gateway_method" "default" {
  rest_api_id   = "${var.rest_api_id}"
  resource_id   = "${var.resource_id}"
  http_method   = "OPTIONS"
  authorization = "NONE"
}

resource "aws_api_gateway_method_response" "default" {
  rest_api_id = "${var.rest_api_id}"
  resource_id = "${var.resource_id}"
  http_method = "${aws_api_gateway_method.default.http_method}"
  status_code = "200"

  response_parameters = {
    "method.response.header.Access-Control-Allow-Headers" = true,
    "method.response.header.Access-Control-Allow-Methods" = true,
    "method.response.header.Access-Control-Allow-Origin"  = true,
  }
}

resource "aws_api_gateway_integration" "default" {
  rest_api_id          = "${var.rest_api_id}"
  resource_id          = "${var.resource_id}"
  http_method          = "${aws_api_gateway_method.default.http_method}"
  type                 = "MOCK"
  passthrough_behavior = "WHEN_NO_MATCH"

  request_templates {
    "application/json" = "{ \"statusCode\": 200 }"
  }
}

resource "aws_api_gateway_integration_response" "default" {
  rest_api_id = "${var.rest_api_id}"
  resource_id = "${var.resource_id}"
  http_method = "${aws_api_gateway_method.default.http_method}"
  status_code = "${aws_api_gateway_method_response.default.status_code}"

  response_parameters = {
    "method.response.header.Access-Control-Allow-Headers" = "'${join(",", var.allow_headers)}'",
    "method.response.header.Access-Control-Allow-Methods" = "'${join(",", var.allow_methods)}'",
    "method.response.header.Access-Control-Allow-Origin"  = "'${var.allow_origin}'",
  }
}

My variables are defined as:

variable "allow_headers" {
  type = "list"
  default = ["Content-Type", "X-Amz-Date", "Authorization", "X-Api-Key", "X-Amz-Security-Token", "X-Requested-With"]
}

variable "allow_methods" {
  type = "list"
  default = ["*"]
}

variable "allow_origin" {
  default = "*"
}

variable "resource_id" {
  description = "The API Gateway Resource id."
}

variable "rest_api_id" {
  description = "The API Gateway REST API id."
}

When I use the API Gateway web console to test the endpoint, it works as expected:

However, when I try curl the endpoint, I get a 403:

$ curl -is -X OPTIONS https://api.naftuli.wtf/echo.json
HTTP/1.1 403 Forbidden
Content-Type: application/json
Content-Length: 42
Connection: keep-alive
Date: Fri, 23 Feb 2018 20:45:09 GMT
x-amzn-RequestId: 70089d6b-18da-11e8-9042-c3baac8eebde
x-amzn-ErrorType: MissingAuthenticationTokenException
X-Cache: Error from cloudfront
Via: 1.1 5a582ba7fbecfc5948507c13d8d2078a.cloudfront.net (CloudFront)
X-Amz-Cf-Id: VB2j87V6_wfSqXkyIPeqz8vjdDF5vBIi0DsJmIAn8kgyIjSAfkcf7A==

{"message":"Missing Authentication Token"}

The method is clearly configured with authorization = "NONE" and I can trigger it from the API Gateway console without issue.

How can I allow access to this method? I feel like I've done all that I can.

回答1:

TL;DR After every new resource/method added/changed, you must create a new deployment.

---

Terraform creates the deployment once and never updates it because none of its data changes. I have found a workaround to this:

resource "aws_api_gateway_stage" "default" {
  stage_name = "production"
  rest_api_id = "${aws_api_gateway_rest_api.default.id}"
  deployment_id = "${aws_api_gateway_deployment.default.id}"

  lifecycle {
    # a new deployment needs to be created on every resource change so we do it outside of terraform
    ignore_changes = ["deployment_id"]
  }
}

I tell the stage to ignore the deployment_id property so that Terraform won't show changes where there aren't any.

In order to create a new deployment, I simply added this command to my Makefile deploy target:

deploy:
    terraform apply -auto-approve
    aws apigateway create-deployment \
        --rest-api-id $(terraform output -json | jq -r .rest_api_id.value) \
        --stage-name $(terraform output -json | jq -r .stage_name.value)

This creates a new deployment of my REST API for the given stage.

I am sure there are better ways of maybe doing this entirely in Terraform, but they elude me at the moment.

回答2:

Here's a better way to do it

resource "aws_api_gateway_deployment" "petshop" {
  provider    = "aws.default"
  stage_description = "${md5(file("apigateway.tf"))}"
  rest_api_id = "${aws_api_gateway_rest_api.petshop.id}"
  stage_name  = "prod"
}

This saves you redeploying on every minor change and will only be triggered by changes in the apigateway.tf file

来源：https://stackoverflow.com/questions/48955987/missing-authentication-token-on-unauthenticated-method