Merge pull request #1158 from cloudskiff/res/api_gtw_gateway_response

Add aws_api_gateway_gateway_response resource
2021-10-26 14:36:43 +02:00 · 2021-10-26 14:36:43 +02:00 · 289a29c92a
parent cfd2a3a099 9efa64200b
commit 289a29c92a
22 changed files with 172526 additions and 2 deletions
--- a/pkg/driftctl.go
+++ b/pkg/driftctl.go
@ -114,6 +114,7 @@ func (d DriftCTL) Run() (*analyser.Analysis, error) {
 		middlewares.NewAwsApiGatewayResourceExpander(d.resourceFactory),
 		middlewares.NewAwsApiGatewayRestApiExpander(d.resourceFactory),
 		middlewares.NewAwsApiGatewayRestApiPolicyExpander(d.resourceFactory),
+		middlewares.NewAwsConsoleApiGatewayGatewayResponse(),

 		middlewares.NewGoogleIAMBindingTransformer(d.resourceFactory),
 		middlewares.NewGoogleIAMPolicyTransformer(d.resourceFactory),
--- a/pkg/iac/terraform/state/terraform_state_reader_test.go
+++ b/pkg/iac/terraform/state/terraform_state_reader_test.go
@ -165,6 +165,7 @@ func TestTerraformStateReader_AWS_Resources(t *testing.T) {
 		{name: "Api Gateway method", dirName: "api_gateway_method", wantErr: false},
 		{name: "Api Gateway model", dirName: "api_gateway_model", wantErr: false},
 		{name: "Api Gateway method response", dirName: "api_gateway_method_response", wantErr: false},
+		{name: "Api Gateway gateway response", dirName: "api_gateway_gateway_response", wantErr: false},
 		{name: "AppAutoScaling Targets", dirName: "aws_appautoscaling_target", wantErr: false},
 		{name: "network acl", dirName: "aws_network_acl", wantErr: false},
 		{name: "network acl rule", dirName: "aws_network_acl_rule", wantErr: false},
--- a/pkg/iac/terraform/state/test/api_gateway_gateway_response/results.golden.json
+++ b/pkg/iac/terraform/state/test/api_gateway_gateway_response/results.golden.json
@ -0,0 +1,18 @@
+[
+ {
+  "Id": "aggr-vryjzimtj1-UNAUTHORIZED",
+  "Type": "aws_api_gateway_gateway_response",
+  "Attrs": {
+   "id": "aggr-vryjzimtj1-UNAUTHORIZED",
+   "response_parameters": {
+    "gatewayresponse.header.Authorization": "'Basic'"
+   },
+   "response_templates": {
+    "application/json": "{\"message\":$context.error.messageString}"
+   },
+   "response_type": "UNAUTHORIZED",
+   "rest_api_id": "vryjzimtj1",
+   "status_code": "401"
+  }
+ }
+]
--- a/pkg/iac/terraform/state/test/api_gateway_gateway_response/schema.golden.json
+++ b/pkg/iac/terraform/state/test/api_gateway_gateway_response/schema.golden.json
--- a/pkg/iac/terraform/state/test/api_gateway_gateway_response/terraform.tfstate
+++ b/pkg/iac/terraform/state/test/api_gateway_gateway_response/terraform.tfstate
@ -0,0 +1,37 @@
+{
+  "version": 4,
+  "terraform_version": "1.0.9",
+  "serial": 279,
+  "lineage": "85f5bee6-139e-8db2-ae5d-82aa82f62611",
+  "outputs": {},
+  "resources": [
+    {
+      "mode": "managed",
+      "type": "aws_api_gateway_gateway_response",
+      "name": "foo",
+      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "id": "aggr-vryjzimtj1-UNAUTHORIZED",
+            "response_parameters": {
+              "gatewayresponse.header.Authorization": "'Basic'"
+            },
+            "response_templates": {
+              "application/json": "{\"message\":$context.error.messageString}"
+            },
+            "response_type": "UNAUTHORIZED",
+            "rest_api_id": "vryjzimtj1",
+            "status_code": "401"
+          },
+          "sensitive_attributes": [],
+          "private": "bnVsbA==",
+          "dependencies": [
+            "aws_api_gateway_rest_api.foo"
+          ]
+        }
+      ]
+    }
+  ]
+}
--- a/pkg/middlewares/aws_api_gateway_rest_api_expander.go
+++ b/pkg/middlewares/aws_api_gateway_rest_api_expander.go
@ -8,6 +8,7 @@ import (
 	"github.com/cloudskiff/driftctl/pkg/resource/aws"
 	"github.com/getkin/kin-openapi/openapi2"
 	"github.com/getkin/kin-openapi/openapi3"
+	"github.com/sirupsen/logrus"
 )

 // Explodes api gateway rest api body attribute to dedicated resources as per Terraform documentation (https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api)
@ -15,6 +16,10 @@ type AwsApiGatewayRestApiExpander struct {
 	resourceFactory resource.ResourceFactory
 }

+type OpenAPIAwsExtensions struct {
+	GatewayResponses map[string]interface{} `json:"x-amazon-apigateway-gateway-responses"`
+}
+
 func NewAwsApiGatewayRestApiExpander(resourceFactory resource.ResourceFactory) AwsApiGatewayRestApiExpander {
 	return AwsApiGatewayRestApiExpander{
 		resourceFactory: resourceFactory,
@ -80,6 +85,9 @@ func (m *AwsApiGatewayRestApiExpander) handleBodyV3(apiId string, doc *openapi3.
 			}
 		}
 	}
+	if err := m.createExtensionsResources(apiId, doc.Extensions, results); err != nil {
+		return nil
+	}
 	return nil
 }

@ -95,6 +103,25 @@ func (m *AwsApiGatewayRestApiExpander) handleBodyV2(apiId string, doc *openapi2.
 			}
 		}
 	}
+	if err := m.createExtensionsResources(apiId, doc.Extensions, results); err != nil {
+		return nil
+	}
+	return nil
+}
+
+// Create resources based on our OpenAPIAwsExtensions struct
+func (m *AwsApiGatewayRestApiExpander) createExtensionsResources(apiId string, extensions map[string]interface{}, results *[]*resource.Resource) error {
+	ext, err := decodeExtensions(extensions)
+	if err != nil {
+		logrus.WithFields(logrus.Fields{
+			"id":   apiId,
+			"type": aws.AwsApiGatewayRestApiResourceType,
+		}).Debug("Failing to decode extensions from the OpenAPI body attribute")
+		return err
+	}
+	for gtwResponse := range ext.GatewayResponses {
+		m.createApiGatewayGatewayResponse(apiId, gtwResponse, results)
+	}
 	return nil
 }

@ -111,6 +138,16 @@ func (m *AwsApiGatewayRestApiExpander) createApiGatewayResource(apiId, path stri
 	return nil
 }

+// Create aws_api_gateway_gateway_response resource
+func (m *AwsApiGatewayRestApiExpander) createApiGatewayGatewayResponse(apiId, gtwResponse string, results *[]*resource.Resource) {
+	newResource := m.resourceFactory.CreateAbstractResource(
+		aws.AwsApiGatewayGatewayResponseResourceType,
+		strings.Join([]string{"aggr", apiId, gtwResponse}, "-"),
+		map[string]interface{}{},
+	)
+	*results = append(*results, newResource)
+}
+
 // Returns the aws_api_gateway_resource resource that matches the path attribute
 func foundMatchingResource(apiId, path string, remoteResources *[]*resource.Resource) *resource.Resource {
 	for _, res := range *remoteResources {
@ -144,3 +181,18 @@ func (m *AwsApiGatewayRestApiExpander) createApiGatewayMethodResponse(apiId, res
 	)
 	*results = append(*results, newResource)
 }
+
+// Decode openapi.Extensions into our custom OpenAPIAwsExtensions struct that follows AWS
+// OpenAPI addons.
+func decodeExtensions(extensions map[string]interface{}) (*OpenAPIAwsExtensions, error) {
+	rawExtensions, err := json.Marshal(extensions)
+	if err != nil {
+		return nil, err
+	}
+	decodedExtensions := &OpenAPIAwsExtensions{}
+	err = json.Unmarshal(rawExtensions, decodedExtensions)
+	if err != nil {
+		return nil, err
+	}
+	return decodedExtensions, nil
+}
--- a/pkg/middlewares/aws_api_gateway_rest_api_expander_test.go
+++ b/pkg/middlewares/aws_api_gateway_rest_api_expander_test.go
@ -602,6 +602,74 @@ func TestAwsApiGatewayRestApiExpander_Execute(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "create gateway responses based on OpenAPI v2 and v3",
+			mocks: func(factory *terraform.MockResourceFactory) {
+				factory.On(
+					"CreateAbstractResource",
+					aws.AwsApiGatewayGatewayResponseResourceType,
+					"aggr-v3-MISSING_AUTHENTICATION_TOKEN",
+					map[string]interface{}{},
+				).Once().Return(&resource.Resource{
+					Id:    "aggr-v3-MISSING_AUTHENTICATION_TOKEN",
+					Type:  aws.AwsApiGatewayGatewayResponseResourceType,
+					Attrs: &resource.Attributes{},
+				})
+				factory.On(
+					"CreateAbstractResource",
+					aws.AwsApiGatewayGatewayResponseResourceType,
+					"aggr-v2-MISSING_AUTHENTICATION_TOKEN",
+					map[string]interface{}{},
+				).Once().Return(&resource.Resource{
+					Id:    "aggr-v2-MISSING_AUTHENTICATION_TOKEN",
+					Type:  aws.AwsApiGatewayGatewayResponseResourceType,
+					Attrs: &resource.Attributes{},
+				})
+			},
+			resourcesFromState: []*resource.Resource{
+				{
+					Id:   "v3",
+					Type: aws.AwsApiGatewayRestApiResourceType,
+					Attrs: &resource.Attributes{
+						"body": "{\"info\":{\"title\":\"example\",\"version\":\"1.0\"},\"openapi\":\"3.0.1\",\"paths\":{\"/path1\":{\"get\":{\"x-amazon-apigateway-integration\":{\"httpMethod\":\"GET\",\"payloadFormatVersion\":\"1.0\",\"type\":\"HTTP_PROXY\",\"uri\":\"https://ip-ranges.amazonaws.com/ip-ranges.json\"}}}},\"x-amazon-apigateway-gateway-responses\":{\"MISSING_AUTHENTICATION_TOKEN\":{\"responseParameters\":{\"gatewayresponse.header.Access-Control-Allow-Origin\":\"'a.b.c'\"},\"responseTemplates\":{\"application/json\":\"{\\n     \\\"message\\\": $context.error.messageString,\\n     \\\"type\\\":  \\\"$context.error.responseType\\\",\\n     \\\"stage\\\":  \\\"$context.stage\\\",\\n     \\\"resourcePath\\\":  \\\"$context.resourcePath\\\",\\n     \\\"stageVariables.a\\\":  \\\"$stageVariables.a\\\",\\n     \\\"statusCode\\\": \\\"'403'\\\"\\n}\"},\"statusCode\":403}}}",
+					},
+				},
+				{
+					Id:   "v2",
+					Type: aws.AwsApiGatewayRestApiResourceType,
+					Attrs: &resource.Attributes{
+						"body": "{\"info\":{\"title\":\"test\",\"version\":\"2017-04-20T04:08:08Z\"},\"paths\":{\"/test\":{\"get\":{\"responses\":{\"200\":{\"description\":\"OK\"}},\"x-amazon-apigateway-integration\":{\"httpMethod\":\"GET\",\"responses\":{\"default\":{\"statusCode\":200}},\"type\":\"HTTP\",\"uri\":\"https://aws.amazon.com/\"}}}},\"schemes\":[\"https\"],\"swagger\":\"2.0\",\"x-amazon-apigateway-gateway-responses\":{\"MISSING_AUTHENTICATION_TOKEN\":{\"responseParameters\":{\"gatewayresponse.header.Access-Control-Allow-Origin\":\"'a.b.c'\"},\"responseTemplates\":{\"application/json\":\"{\\n     \\\"message\\\": $context.error.messageString,\\n     \\\"type\\\":  \\\"$context.error.responseType\\\",\\n     \\\"stage\\\":  \\\"$context.stage\\\",\\n     \\\"resourcePath\\\":  \\\"$context.resourcePath\\\",\\n     \\\"stageVariables.a\\\":  \\\"$stageVariables.a\\\",\\n     \\\"statusCode\\\": \\\"'403'\\\"\\n}\"},\"statusCode\":403}}}",
+					},
+				},
+			},
+			remoteResources: []*resource.Resource{},
+			expected: []*resource.Resource{
+				{
+					Id:   "v3",
+					Type: aws.AwsApiGatewayRestApiResourceType,
+					Attrs: &resource.Attributes{
+						"body": "{\"info\":{\"title\":\"example\",\"version\":\"1.0\"},\"openapi\":\"3.0.1\",\"paths\":{\"/path1\":{\"get\":{\"x-amazon-apigateway-integration\":{\"httpMethod\":\"GET\",\"payloadFormatVersion\":\"1.0\",\"type\":\"HTTP_PROXY\",\"uri\":\"https://ip-ranges.amazonaws.com/ip-ranges.json\"}}}},\"x-amazon-apigateway-gateway-responses\":{\"MISSING_AUTHENTICATION_TOKEN\":{\"responseParameters\":{\"gatewayresponse.header.Access-Control-Allow-Origin\":\"'a.b.c'\"},\"responseTemplates\":{\"application/json\":\"{\\n     \\\"message\\\": $context.error.messageString,\\n     \\\"type\\\":  \\\"$context.error.responseType\\\",\\n     \\\"stage\\\":  \\\"$context.stage\\\",\\n     \\\"resourcePath\\\":  \\\"$context.resourcePath\\\",\\n     \\\"stageVariables.a\\\":  \\\"$stageVariables.a\\\",\\n     \\\"statusCode\\\": \\\"'403'\\\"\\n}\"},\"statusCode\":403}}}",
+					},
+				},
+				{
+					Id:    "aggr-v3-MISSING_AUTHENTICATION_TOKEN",
+					Type:  aws.AwsApiGatewayGatewayResponseResourceType,
+					Attrs: &resource.Attributes{},
+				},
+				{
+					Id:   "v2",
+					Type: aws.AwsApiGatewayRestApiResourceType,
+					Attrs: &resource.Attributes{
+						"body": "{\"info\":{\"title\":\"test\",\"version\":\"2017-04-20T04:08:08Z\"},\"paths\":{\"/test\":{\"get\":{\"responses\":{\"200\":{\"description\":\"OK\"}},\"x-amazon-apigateway-integration\":{\"httpMethod\":\"GET\",\"responses\":{\"default\":{\"statusCode\":200}},\"type\":\"HTTP\",\"uri\":\"https://aws.amazon.com/\"}}}},\"schemes\":[\"https\"],\"swagger\":\"2.0\",\"x-amazon-apigateway-gateway-responses\":{\"MISSING_AUTHENTICATION_TOKEN\":{\"responseParameters\":{\"gatewayresponse.header.Access-Control-Allow-Origin\":\"'a.b.c'\"},\"responseTemplates\":{\"application/json\":\"{\\n     \\\"message\\\": $context.error.messageString,\\n     \\\"type\\\":  \\\"$context.error.responseType\\\",\\n     \\\"stage\\\":  \\\"$context.stage\\\",\\n     \\\"resourcePath\\\":  \\\"$context.resourcePath\\\",\\n     \\\"stageVariables.a\\\":  \\\"$stageVariables.a\\\",\\n     \\\"statusCode\\\": \\\"'403'\\\"\\n}\"},\"statusCode\":403}}}",
+					},
+				},
+				{
+					Id:    "aggr-v2-MISSING_AUTHENTICATION_TOKEN",
+					Type:  aws.AwsApiGatewayGatewayResponseResourceType,
+					Attrs: &resource.Attributes{},
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
--- a/pkg/middlewares/aws_console_api_gateway_gateway_response.go
+++ b/pkg/middlewares/aws_console_api_gateway_gateway_response.go
@ -0,0 +1,53 @@
+package middlewares
+
+import (
+	"github.com/cloudskiff/driftctl/pkg/resource"
+	"github.com/cloudskiff/driftctl/pkg/resource/aws"
+	"github.com/sirupsen/logrus"
+)
+
+// Each API Gateway rest API has by design all the gateway responses available to edit in the console
+// which result in useless noises (e.g. lots of unmanaged resources) by driftctl.
+// This middleware ignores all console responses if not managed by IAC.
+type AwsConsoleApiGatewayGatewayResponse struct{}
+
+func NewAwsConsoleApiGatewayGatewayResponse() AwsConsoleApiGatewayGatewayResponse {
+	return AwsConsoleApiGatewayGatewayResponse{}
+}
+
+func (m AwsConsoleApiGatewayGatewayResponse) Execute(remoteResources, resourcesFromState *[]*resource.Resource) error {
+	newRemoteResources := make([]*resource.Resource, 0)
+
+	for _, remoteResource := range *remoteResources {
+		// Ignore all resources other than gateway responses
+		if remoteResource.ResourceType() != aws.AwsApiGatewayGatewayResponseResourceType {
+			newRemoteResources = append(newRemoteResources, remoteResource)
+			continue
+		}
+
+		// Check if gateway response is managed by IaC
+		existInState := false
+		for _, stateResource := range *resourcesFromState {
+			if remoteResource.Equal(stateResource) {
+				existInState = true
+				break
+			}
+		}
+
+		// Include resource if it's managed by IaC
+		if existInState {
+			newRemoteResources = append(newRemoteResources, remoteResource)
+			continue
+		}
+
+		// Else, resource is not added to newRemoteResources slice so it will be ignored
+		logrus.WithFields(logrus.Fields{
+			"id":   remoteResource.ResourceId(),
+			"type": remoteResource.ResourceType(),
+		}).Debug("Ignoring default api gateway response as it is not managed by IaC")
+	}
+
+	*remoteResources = newRemoteResources
+
+	return nil
+}
--- a/pkg/middlewares/aws_console_api_gateway_gateway_response_test.go
+++ b/pkg/middlewares/aws_console_api_gateway_gateway_response_test.go
@ -0,0 +1,97 @@
+package middlewares
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/aws/awsutil"
+	"github.com/cloudskiff/driftctl/pkg/resource"
+	"github.com/cloudskiff/driftctl/pkg/resource/aws"
+	"github.com/r3labs/diff/v2"
+)
+
+func TestAwsConsoleApiGatewayGatewayResponse_Execute(t *testing.T) {
+	tests := []struct {
+		name               string
+		remoteResources    []*resource.Resource
+		resourcesFromState []*resource.Resource
+		expected           []*resource.Resource
+	}{
+		{
+			name: "console rest api gateway response is not ignored when managed by IaC",
+			remoteResources: []*resource.Resource{
+				{
+					Id:   "rest-api",
+					Type: aws.AwsApiGatewayRestApiResourceType,
+				},
+				{
+					Id:   "gtw-response",
+					Type: aws.AwsApiGatewayGatewayResponseResourceType,
+				},
+			},
+			resourcesFromState: []*resource.Resource{
+				{
+					Id:   "rest-api",
+					Type: aws.AwsApiGatewayRestApiResourceType,
+				},
+				{
+					Id:   "gtw-response",
+					Type: aws.AwsApiGatewayGatewayResponseResourceType,
+				},
+			},
+			expected: []*resource.Resource{
+				{
+					Id:   "rest-api",
+					Type: aws.AwsApiGatewayRestApiResourceType,
+				},
+				{
+					Id:   "gtw-response",
+					Type: aws.AwsApiGatewayGatewayResponseResourceType,
+				},
+			},
+		},
+		{
+			name: "console rest api gateway response is ignored when not managed by IaC",
+			remoteResources: []*resource.Resource{
+				{
+					Id:   "rest-api",
+					Type: aws.AwsApiGatewayRestApiResourceType,
+				},
+				{
+					Id:   "gtw-response",
+					Type: aws.AwsApiGatewayGatewayResponseResourceType,
+				},
+			},
+			resourcesFromState: []*resource.Resource{
+				{
+					Id:   "rest-api",
+					Type: aws.AwsApiGatewayRestApiResourceType,
+				},
+			},
+			expected: []*resource.Resource{
+				{
+					Id:   "rest-api",
+					Type: aws.AwsApiGatewayRestApiResourceType,
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			m := NewAwsConsoleApiGatewayGatewayResponse()
+			err := m.Execute(&tt.remoteResources, &tt.resourcesFromState)
+			if err != nil {
+				t.Fatal(err)
+			}
+			changelog, err := diff.Diff(tt.expected, tt.remoteResources)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if len(changelog) > 0 {
+				for _, change := range changelog {
+					t.Errorf("%s got = %v, want %v", strings.Join(change.Path, "."), awsutil.Prettify(change.From), awsutil.Prettify(change.To))
+				}
+			}
+		})
+	}
+}
--- a/pkg/remote/api_gateway_scanner_test.go
+++ b/pkg/remote/api_gateway_scanner_test.go
@ -1320,3 +1320,100 @@ func TestApiGatewayMethodResponse(t *testing.T) {
 		})
 	}
 }
+
+func TestApiGatewayGatewayResponse(t *testing.T) {
+	dummyError := errors.New("this is an error")
+	apis := []*apigateway.RestApi{
+		{Id: awssdk.String("vryjzimtj1")},
+	}
+
+	tests := []struct {
+		test           string
+		mocks          func(*repository.MockApiGatewayRepository, *mocks.AlerterInterface)
+		assertExpected func(t *testing.T, got []*resource.Resource)
+		wantErr        error
+	}{
+		{
+			test: "no api gateway gateway responses",
+			mocks: func(repo *repository.MockApiGatewayRepository, alerter *mocks.AlerterInterface) {
+				repo.On("ListAllRestApis").Return(apis, nil)
+				repo.On("ListAllRestApiGatewayResponses", *apis[0].Id).Return([]*apigateway.UpdateGatewayResponseOutput{}, nil)
+			},
+			assertExpected: func(t *testing.T, got []*resource.Resource) {
+				assert.Len(t, got, 0)
+			},
+		},
+		{
+			test: "multiple api gateway gateway responses",
+			mocks: func(repo *repository.MockApiGatewayRepository, alerter *mocks.AlerterInterface) {
+				repo.On("ListAllRestApis").Return(apis, nil)
+				repo.On("ListAllRestApiGatewayResponses", *apis[0].Id).Return([]*apigateway.UpdateGatewayResponseOutput{
+					{ResponseType: awssdk.String("UNAUTHORIZED")},
+					{ResponseType: awssdk.String("ACCESS_DENIED")},
+				}, nil)
+			},
+			assertExpected: func(t *testing.T, got []*resource.Resource) {
+				assert.Len(t, got, 2)
+
+				assert.Equal(t, got[0].ResourceId(), "aggr-vryjzimtj1-UNAUTHORIZED")
+				assert.Equal(t, got[0].ResourceType(), resourceaws.AwsApiGatewayGatewayResponseResourceType)
+
+				assert.Equal(t, got[1].ResourceId(), "aggr-vryjzimtj1-ACCESS_DENIED")
+				assert.Equal(t, got[1].ResourceType(), resourceaws.AwsApiGatewayGatewayResponseResourceType)
+			},
+		},
+		{
+			test: "cannot list rest apis",
+			mocks: func(repo *repository.MockApiGatewayRepository, alerter *mocks.AlerterInterface) {
+				repo.On("ListAllRestApis").Return(nil, dummyError)
+				alerter.On("SendAlert", resourceaws.AwsApiGatewayGatewayResponseResourceType, alerts.NewRemoteAccessDeniedAlert(common.RemoteAWSTerraform, remoteerr.NewResourceListingErrorWithType(dummyError, resourceaws.AwsApiGatewayGatewayResponseResourceType, resourceaws.AwsApiGatewayRestApiResourceType), alerts.EnumerationPhase)).Return()
+			},
+			wantErr: remoteerr.NewResourceListingErrorWithType(dummyError, resourceaws.AwsApiGatewayGatewayResponseResourceType, resourceaws.AwsApiGatewayRestApiResourceType),
+		},
+		{
+			test: "cannot list api gateway gateway responses",
+			mocks: func(repo *repository.MockApiGatewayRepository, alerter *mocks.AlerterInterface) {
+				repo.On("ListAllRestApis").Return(apis, nil)
+				repo.On("ListAllRestApiGatewayResponses", *apis[0].Id).Return(nil, dummyError)
+				alerter.On("SendAlert", resourceaws.AwsApiGatewayGatewayResponseResourceType, alerts.NewRemoteAccessDeniedAlert(common.RemoteAWSTerraform, remoteerr.NewResourceListingErrorWithType(dummyError, resourceaws.AwsApiGatewayGatewayResponseResourceType, resourceaws.AwsApiGatewayGatewayResponseResourceType), alerts.EnumerationPhase)).Return()
+			},
+			wantErr: remoteerr.NewResourceListingError(dummyError, resourceaws.AwsApiGatewayGatewayResponseResourceType),
+		},
+	}
+
+	providerVersion := "3.19.0"
+	schemaRepository := testresource.InitFakeSchemaRepository("aws", providerVersion)
+	resourceaws.InitResourcesMetadata(schemaRepository)
+	factory := terraform.NewTerraformResourceFactory(schemaRepository)
+
+	for _, c := range tests {
+		t.Run(c.test, func(tt *testing.T) {
+			scanOptions := ScannerOptions{}
+			remoteLibrary := common.NewRemoteLibrary()
+
+			// Initialize mocks
+			alerter := &mocks.AlerterInterface{}
+			fakeRepo := &repository.MockApiGatewayRepository{}
+			c.mocks(fakeRepo, alerter)
+
+			var repo repository.ApiGatewayRepository = fakeRepo
+
+			remoteLibrary.AddEnumerator(aws.NewApiGatewayGatewayResponseEnumerator(repo, factory))
+
+			testFilter := &filter.MockFilter{}
+			testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
+
+			s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
+			got, err := s.Resources()
+			assert.Equal(tt, err, c.wantErr)
+			if err != nil {
+				return
+			}
+
+			c.assertExpected(tt, got)
+			alerter.AssertExpectations(tt)
+			fakeRepo.AssertExpectations(tt)
+			testFilter.AssertExpectations(tt)
+		})
+	}
+}
--- a/pkg/remote/aws/api_gateway_gateway_response_enumerator.go
+++ b/pkg/remote/aws/api_gateway_gateway_response_enumerator.go
@ -0,0 +1,57 @@
+package aws
+
+import (
+	"strings"
+
+	"github.com/cloudskiff/driftctl/pkg/remote/aws/repository"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+	"github.com/cloudskiff/driftctl/pkg/resource"
+	"github.com/cloudskiff/driftctl/pkg/resource/aws"
+)
+
+type ApiGatewayGatewayResponseEnumerator struct {
+	repository repository.ApiGatewayRepository
+	factory    resource.ResourceFactory
+}
+
+func NewApiGatewayGatewayResponseEnumerator(repo repository.ApiGatewayRepository, factory resource.ResourceFactory) *ApiGatewayGatewayResponseEnumerator {
+	return &ApiGatewayGatewayResponseEnumerator{
+		repository: repo,
+		factory:    factory,
+	}
+}
+
+func (e *ApiGatewayGatewayResponseEnumerator) SupportedType() resource.ResourceType {
+	return aws.AwsApiGatewayGatewayResponseResourceType
+}
+
+func (e *ApiGatewayGatewayResponseEnumerator) Enumerate() ([]*resource.Resource, error) {
+	apis, err := e.repository.ListAllRestApis()
+	if err != nil {
+		return nil, remoteerror.NewResourceListingErrorWithType(err, string(e.SupportedType()), aws.AwsApiGatewayRestApiResourceType)
+	}
+
+	results := make([]*resource.Resource, 0)
+
+	for _, api := range apis {
+		a := api
+		gtwResponses, err := e.repository.ListAllRestApiGatewayResponses(*a.Id)
+		if err != nil {
+			return nil, remoteerror.NewResourceListingError(err, string(e.SupportedType()))
+		}
+
+		for _, gtwResponse := range gtwResponses {
+			g := gtwResponse
+			results = append(
+				results,
+				e.factory.CreateAbstractResource(
+					string(e.SupportedType()),
+					strings.Join([]string{"aggr", *a.Id, *g.ResponseType}, "-"),
+					map[string]interface{}{},
+				),
+			)
+		}
+
+	}
+	return results, err
+}
--- a/pkg/remote/aws/init.go
+++ b/pkg/remote/aws/init.go
@ -196,6 +196,7 @@ func Init(version string, alerter *alerter.Alerter,
 	remoteLibrary.AddEnumerator(NewApiGatewayMethodEnumerator(apigatewayRepository, factory))
 	remoteLibrary.AddEnumerator(NewApiGatewayModelEnumerator(apigatewayRepository, factory))
 	remoteLibrary.AddEnumerator(NewApiGatewayMethodResponseEnumerator(apigatewayRepository, factory))
+	remoteLibrary.AddEnumerator(NewApiGatewayGatewayResponseEnumerator(apigatewayRepository, factory))

 	remoteLibrary.AddEnumerator(NewAppAutoscalingTargetEnumerator(appAutoScalingRepository, factory))
 	remoteLibrary.AddDetailsFetcher(aws.AwsAppAutoscalingTargetResourceType, common.NewGenericDetailsFetcher(aws.AwsAppAutoscalingTargetResourceType, provider, deserializer))
--- a/pkg/remote/aws/repository/api_gateway_repository.go
+++ b/pkg/remote/aws/repository/api_gateway_repository.go
@ -22,6 +22,7 @@ type ApiGatewayRepository interface {
 	ListAllRestApiRequestValidators(string) ([]*apigateway.UpdateRequestValidatorOutput, error)
 	ListAllDomainNameBasePathMappings(string) ([]*apigateway.BasePathMapping, error)
 	ListAllRestApiModels(string) ([]*apigateway.Model, error)
+	ListAllRestApiGatewayResponses(string) ([]*apigateway.UpdateGatewayResponseOutput, error)
 }

 type apigatewayRepository struct {
@ -262,3 +263,21 @@ func (r *apigatewayRepository) ListAllRestApiModels(apiId string) ([]*apigateway
 	r.cache.Put(cacheKey, resources)
 	return resources, nil
 }
+
+func (r *apigatewayRepository) ListAllRestApiGatewayResponses(apiId string) ([]*apigateway.UpdateGatewayResponseOutput, error) {
+	cacheKey := fmt.Sprintf("apigatewayListAllRestApiGatewayResponses_api_%s", apiId)
+	if v := r.cache.Get(cacheKey); v != nil {
+		return v.([]*apigateway.UpdateGatewayResponseOutput), nil
+	}
+
+	input := &apigateway.GetGatewayResponsesInput{
+		RestApiId: &apiId,
+	}
+	resources, err := r.client.GetGatewayResponses(input)
+	if err != nil {
+		return nil, err
+	}
+
+	r.cache.Put(cacheKey, resources.Items)
+	return resources.Items, nil
+}
--- a/pkg/remote/aws/repository/api_gateway_repository_test.go
+++ b/pkg/remote/aws/repository/api_gateway_repository_test.go
@ -807,3 +807,82 @@ func Test_apigatewayRepository_ListAllRestApiModels(t *testing.T) {
 		})
 	}
 }
+
+func Test_apigatewayRepository_ListAllRestApiGatewayResponses(t *testing.T) {
+	api := &apigateway.RestApi{
+		Id: aws.String("restapi1"),
+	}
+
+	gtwResponses := []*apigateway.UpdateGatewayResponseOutput{
+		{ResponseType: aws.String("ACCESS_DENIED")},
+		{ResponseType: aws.String("DEFAULT_4XX")},
+		{ResponseType: aws.String("DEFAULT_5XX")},
+		{ResponseType: aws.String("UNAUTHORIZED")},
+	}
+
+	remoteError := errors.New("remote error")
+
+	tests := []struct {
+		name    string
+		mocks   func(client *awstest.MockFakeApiGateway, store *cache.MockCache)
+		want    []*apigateway.UpdateGatewayResponseOutput
+		wantErr error
+	}{
+		{
+			name: "list multiple rest api gateway responses",
+			mocks: func(client *awstest.MockFakeApiGateway, store *cache.MockCache) {
+				client.On("GetGatewayResponses",
+					&apigateway.GetGatewayResponsesInput{
+						RestApiId: aws.String("restapi1"),
+					}).Return(&apigateway.GetGatewayResponsesOutput{Items: gtwResponses}, nil).Once()
+
+				store.On("Get", "apigatewayListAllRestApiGatewayResponses_api_restapi1").Return(nil).Times(1)
+				store.On("Put", "apigatewayListAllRestApiGatewayResponses_api_restapi1", gtwResponses).Return(false).Times(1)
+			},
+			want: gtwResponses,
+		},
+		{
+			name: "should hit cache",
+			mocks: func(client *awstest.MockFakeApiGateway, store *cache.MockCache) {
+				store.On("Get", "apigatewayListAllRestApiGatewayResponses_api_restapi1").Return(gtwResponses).Times(1)
+			},
+			want: gtwResponses,
+		},
+		{
+			name: "should return remote error",
+			mocks: func(client *awstest.MockFakeApiGateway, store *cache.MockCache) {
+				client.On("GetGatewayResponses",
+					&apigateway.GetGatewayResponsesInput{
+						RestApiId: aws.String("restapi1"),
+					}).Return(nil, remoteError).Once()
+
+				store.On("Get", "apigatewayListAllRestApiGatewayResponses_api_restapi1").Return(nil).Times(1)
+			},
+			wantErr: remoteError,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			store := &cache.MockCache{}
+			client := &awstest.MockFakeApiGateway{}
+			tt.mocks(client, store)
+			r := &apigatewayRepository{
+				client: client,
+				cache:  store,
+			}
+			got, err := r.ListAllRestApiGatewayResponses(*api.Id)
+			assert.Equal(t, tt.wantErr, err)
+
+			changelog, err := diff.Diff(got, tt.want)
+			assert.Nil(t, err)
+			if len(changelog) > 0 {
+				for _, change := range changelog {
+					t.Errorf("%s: %s -> %s", strings.Join(change.Path, "."), change.From, change.To)
+				}
+				t.Fail()
+			}
+			store.AssertExpectations(t)
+			client.AssertExpectations(t)
+		})
+	}
+}
--- a/pkg/remote/aws/repository/mock_ApiGatewayRepository.go
+++ b/pkg/remote/aws/repository/mock_ApiGatewayRepository.go
@ -150,6 +150,29 @@ func (_m *MockApiGatewayRepository) ListAllRestApiModels(_a0 string) ([]*apigate
 	return r0, r1
 }

+// ListAllRestApiGatewayResponses provides a mock function with given fields: _a0
+func (_m *MockApiGatewayRepository) ListAllRestApiGatewayResponses(_a0 string) ([]*apigateway.UpdateGatewayResponseOutput, error) {
+	ret := _m.Called(_a0)
+
+	var r0 []*apigateway.UpdateGatewayResponseOutput
+	if rf, ok := ret.Get(0).(func(string) []*apigateway.UpdateGatewayResponseOutput); ok {
+		r0 = rf(_a0)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*apigateway.UpdateGatewayResponseOutput)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(string) error); ok {
+		r1 = rf(_a0)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
 // ListAllRestApiRequestValidators provides a mock function with given fields: _a0
 func (_m *MockApiGatewayRepository) ListAllRestApiRequestValidators(_a0 string) ([]*apigateway.UpdateRequestValidatorOutput, error) {
 	ret := _m.Called(_a0)
--- a/pkg/resource/aws/aws_api_gateway_gateway_response.go
+++ b/pkg/resource/aws/aws_api_gateway_gateway_response.go
@ -0,0 +1,3 @@
+package aws
+
+const AwsApiGatewayGatewayResponseResourceType = "aws_api_gateway_gateway_response"
--- a/pkg/resource/aws/aws_api_gateway_gateway_response_test.go
+++ b/pkg/resource/aws/aws_api_gateway_gateway_response_test.go
@ -0,0 +1,30 @@
+package aws_test
+
+import (
+	"testing"
+
+	"github.com/cloudskiff/driftctl/test"
+	"github.com/cloudskiff/driftctl/test/acceptance"
+)
+
+func TestAcc_Aws_ApiGatewayGatewayResponse(t *testing.T) {
+	acceptance.Run(t, acceptance.AccTestCase{
+		TerraformVersion: "0.15.5",
+		Paths:            []string{"./testdata/acc/aws_api_gateway_gateway_response"},
+		Args:             []string{"scan"},
+		Checks: []acceptance.AccCheck{
+			{
+				Env: map[string]string{
+					"AWS_REGION": "us-east-1",
+				},
+				Check: func(result *test.ScanResult, stdout string, err error) {
+					if err != nil {
+						t.Fatal(err)
+					}
+					result.AssertInfrastructureIsInSync()
+					result.AssertManagedCount(3)
+				},
+			},
+		},
+	})
+}
--- a/pkg/resource/aws/metadata_test.go
+++ b/pkg/resource/aws/metadata_test.go
@ -18,6 +18,7 @@ func TestAWS_Metadata_Flags(t *testing.T) {
 		AwsApiGatewayBasePathMappingResourceType:      {},
 		AwsApiGatewayDeploymentResourceType:           {},
 		AwsApiGatewayDomainNameResourceType:           {},
+		AwsApiGatewayGatewayResponseResourceType:      {},
 		AwsApiGatewayMethodResourceType:               {},
 		AwsApiGatewayMethodResponseResourceType:       {},
 		AwsApiGatewayModelResourceType:                {},
--- a/pkg/resource/aws/testdata/acc/aws_api_gateway_gateway_response/.driftignore
+++ b/pkg/resource/aws/testdata/acc/aws_api_gateway_gateway_response/.driftignore
@ -0,0 +1,2 @@
+*
+!aws_api_gateway_gateway_response
--- a/pkg/resource/aws/testdata/acc/aws_api_gateway_gateway_response/.terraform.lock.hcl
+++ b/pkg/resource/aws/testdata/acc/aws_api_gateway_gateway_response/.terraform.lock.hcl
@ -0,0 +1,20 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "3.19.0"
+  constraints = "3.19.0"
+  hashes = [
+    "h1:xur9tF49NgsovNnmwmBR8RdpN8Fcg1TD4CKQPJD6n1A=",
+    "zh:185a5259153eb9ee4699d4be43b3d509386b473683392034319beee97d470c3b",
+    "zh:2d9a0a01f93e8d16539d835c02b8b6e1927b7685f4076e96cb07f7dd6944bc6c",
+    "zh:703f6da36b1b5f3497baa38fccaa7765fb8a2b6440344e4c97172516b49437dd",
+    "zh:770855565462abadbbddd98cb357d2f1a8f30f68a358cb37cbd5c072cb15b377",
+    "zh:8008db43149fe4345301f81e15e6d9ddb47aa5e7a31648f9b290af96ad86e92a",
+    "zh:8cdd27d375da6dcb7687f1fed126b7c04efce1671066802ee876dbbc9c66ec79",
+    "zh:be22ae185005690d1a017c1b909e0d80ab567e239b4f06ecacdba85080667c1c",
+    "zh:d2d02e72dbd80f607636cd6237a6c862897caabc635c7b50c0cb243d11246723",
+    "zh:d8f125b66a1eda2555c0f9bbdf12036a5f8d073499a22ca9e4812b68067fea31",
+    "zh:f5a98024c64d5d2973ff15b093725a074c0cb4afde07ef32c542e69f17ac90bc",
+  ]
+}
--- a/pkg/resource/aws/testdata/acc/aws_api_gateway_gateway_response/terraform.tf
+++ b/pkg/resource/aws/testdata/acc/aws_api_gateway_gateway_response/terraform.tf
@ -0,0 +1,106 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+terraform {
+  required_providers {
+    aws = "3.19.0"
+  }
+}
+
+resource "aws_api_gateway_rest_api" "foo" {
+    name        = "foo"
+    description = "This is foo API"
+}
+
+resource "aws_api_gateway_gateway_response" "foo" {
+    rest_api_id   = aws_api_gateway_rest_api.foo.id
+    status_code   = "401"
+    response_type = "UNAUTHORIZED"
+    response_templates = {
+        "application/json" = "{\"message\":$context.error.messageString}"
+    }
+    response_parameters = {
+        "gatewayresponse.header.Authorization" = "'Basic'"
+    }
+}
+
+resource "aws_api_gateway_rest_api" "bar" {
+    name        = "bar"
+    description = "This is bar API"
+    body = jsonencode({
+        openapi = "3.0.1"
+        info = {
+            title   = "example"
+            version = "1.0"
+        }
+        paths = {
+            "/path1" = {
+                get = {
+                    x-amazon-apigateway-integration = {
+                        httpMethod           = "GET"
+                        payloadFormatVersion = "1.0"
+                        type                 = "HTTP_PROXY"
+                        uri                  = "https://ip-ranges.amazonaws.com/ip-ranges.json"
+                    }
+                }
+            }
+        }
+        "x-amazon-apigateway-gateway-responses": {
+            "MISSING_AUTHENTICATION_TOKEN": {
+                "statusCode": 403,
+                "responseParameters": {
+                    "gatewayresponse.header.Access-Control-Allow-Origin": "'a.b.c'",
+                },
+                "responseTemplates": {
+                    "application/json": "{\n     \"message\": $context.error.messageString,\n     \"type\":  \"$context.error.responseType\",\n     \"stage\":  \"$context.stage\",\n     \"resourcePath\":  \"$context.resourcePath\",\n     \"stageVariables.a\":  \"$stageVariables.a\",\n     \"statusCode\": \"'403'\"\n}"
+                }
+            }
+        }
+    })
+}
+
+resource "aws_api_gateway_rest_api" "baz" {
+    name        = "baz"
+    description = "This is baz API"
+    body = jsonencode({
+        swagger = "2.0"
+        info = {
+            title   = "test"
+            version = "2017-04-20T04:08:08Z"
+        }
+        schemes = ["https"]
+        paths = {
+            "/test" = {
+                get = {
+                    responses = {
+                        "200" = {
+                            description = "OK"
+                        }
+                    }
+                    x-amazon-apigateway-integration = {
+                        httpMethod = "GET"
+                        type       = "HTTP"
+                        responses = {
+                            default = {
+                                statusCode = 200
+                            }
+                        }
+                        uri = "https://aws.amazon.com/"
+                    }
+                }
+            }
+        }
+        "x-amazon-apigateway-gateway-responses": {
+            "MISSING_AUTHENTICATION_TOKEN": {
+                "statusCode": 403,
+                "responseParameters": {
+                    "gatewayresponse.header.Access-Control-Allow-Origin": "'a.b.c'",
+                },
+                "responseTemplates": {
+                    "application/json": "{\n     \"message\": $context.error.messageString,\n     \"type\":  \"$context.error.responseType\",\n     \"stage\":  \"$context.stage\",\n     \"resourcePath\":  \"$context.resourcePath\",\n     \"stageVariables.a\":  \"$stageVariables.a\",\n     \"statusCode\": \"'403'\"\n}"
+                }
+            }
+        }
+    })
+}
--- a/pkg/resource/resource_types.go
+++ b/pkg/resource/resource_types.go
@ -104,6 +104,7 @@ var supportedTypes = map[string]ResourceTypeMeta{
 	"aws_api_gateway_rest_api": {children: []ResourceType{
 		"aws_api_gateway_resource",
 		"aws_api_gateway_rest_api_policy",
+		"aws_api_gateway_gateway_response",
 	}},
 	"aws_api_gateway_account":    {},
 	"aws_api_gateway_api_key":    {},
@ -124,8 +125,9 @@ var supportedTypes = map[string]ResourceTypeMeta{
 	"aws_api_gateway_method": {children: []ResourceType{
 		"aws_api_gateway_method_response",
 	}},
-	"aws_api_gateway_method_response": {},
-	"aws_appautoscaling_target":       {},
+	"aws_api_gateway_method_response":  {},
+	"aws_api_gateway_gateway_response": {},
+	"aws_appautoscaling_target":        {},
 	"aws_rds_cluster_instance": {children: []ResourceType{
 		"aws_db_instance",
 	}},