Merge pull request #1084 from cloudskiff/res/api_gtw_authorizer

Add api_gateway_authorizer

pkg/iac/terraform/state/terraform_state_reader_test.go

@@ -152,6 +152,7 @@ func TestTerraformStateReader_AWS_Resources(t *testing.T) {
 		{name: "Api Gateway Rest Api", dirName: "api_gateway_rest_api", wantErr: false},
 		{name: "Api Gateway Account", dirName: "api_gateway_account", wantErr: false},
 		{name: "Api Gateway Api Key", dirName: "api_gateway_api_key", wantErr: false},
+		{name: "Api Gateway authorizer", dirName: "api_gateway_authorizer", wantErr: false},
 		{name: "AppAutoScaling Targets", dirName: "aws_appautoscaling_target", wantErr: false},
 		{name: "network acl", dirName: "aws_network_acl", wantErr: false},
 		{name: "network acl rule", dirName: "aws_network_acl_rule", wantErr: false},

pkg/iac/terraform/state/test/api_gateway_authorizer/results.golden.json

@@ -0,0 +1,32 @@
+[
+ {
+  "Id": "ypcpde",
+  "Type": "aws_api_gateway_authorizer",
+  "Attrs": {
+   "authorizer_credentials": "arn:aws:iam::047081014315:role/api_gateway_auth_invocation",
+   "authorizer_result_ttl_in_seconds": 300,
+   "authorizer_uri": "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:047081014315:function:api_gateway_authorizer/invocations",
+   "id": "ypcpde",
+   "identity_source": "method.request.header.Authorization",
+   "identity_validation_expression": "",
+   "name": "bar",
+   "rest_api_id": "1jitcobwol",
+   "type": "TOKEN"
+  }
+ },
+ {
+  "Id": "bwhebj",
+  "Type": "aws_api_gateway_authorizer",
+  "Attrs": {
+   "authorizer_credentials": "arn:aws:iam::047081014315:role/api_gateway_auth_invocation",
+   "authorizer_result_ttl_in_seconds": 300,
+   "authorizer_uri": "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:047081014315:function:api_gateway_authorizer/invocations",
+   "id": "bwhebj",
+   "identity_source": "method.request.header.Authorization",
+   "identity_validation_expression": "",
+   "name": "foo",
+   "rest_api_id": "1jitcobwol",
+   "type": "TOKEN"
+  }
+ }
+]

pkg/iac/terraform/state/test/api_gateway_authorizer/terraform.tfstate

@@ -0,0 +1,71 @@
+{
+  "version": 4,
+  "terraform_version": "1.0.7",
+  "serial": 48,
+  "lineage": "85f5bee6-139e-8db2-ae5d-82aa82f62611",
+  "outputs": {},
+  "resources": [
+    {
+      "mode": "managed",
+      "type": "aws_api_gateway_authorizer",
+      "name": "bar",
+      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "authorizer_credentials": "arn:aws:iam::047081014315:role/api_gateway_auth_invocation",
+            "authorizer_result_ttl_in_seconds": 300,
+            "authorizer_uri": "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:047081014315:function:api_gateway_authorizer/invocations",
+            "id": "ypcpde",
+            "identity_source": "method.request.header.Authorization",
+            "identity_validation_expression": "",
+            "name": "bar",
+            "provider_arns": null,
+            "rest_api_id": "1jitcobwol",
+            "type": "TOKEN"
+          },
+          "sensitive_attributes": [],
+          "private": "bnVsbA==",
+          "dependencies": [
+            "aws_api_gateway_rest_api.foo",
+            "aws_iam_role.invocation_role",
+            "aws_iam_role.lambda",
+            "aws_lambda_function.authorizer"
+          ]
+        }
+      ]
+    },
+    {
+      "mode": "managed",
+      "type": "aws_api_gateway_authorizer",
+      "name": "foo",
+      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "authorizer_credentials": "arn:aws:iam::047081014315:role/api_gateway_auth_invocation",
+            "authorizer_result_ttl_in_seconds": 300,
+            "authorizer_uri": "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:047081014315:function:api_gateway_authorizer/invocations",
+            "id": "bwhebj",
+            "identity_source": "method.request.header.Authorization",
+            "identity_validation_expression": "",
+            "name": "foo",
+            "provider_arns": null,
+            "rest_api_id": "1jitcobwol",
+            "type": "TOKEN"
+          },
+          "sensitive_attributes": [],
+          "private": "bnVsbA==",
+          "dependencies": [
+            "aws_api_gateway_rest_api.foo",
+            "aws_iam_role.invocation_role",
+            "aws_iam_role.lambda",
+            "aws_lambda_function.authorizer"
+          ]
+        }
+      ]
+    }
+  ]
+}

pkg/remote/api_gateway_scanner_test.go

@@ -263,3 +263,101 @@ func TestApiGatewayApiKey(t *testing.T) {
 		})
 	}
 }
+
+func TestApiGatewayAuthorizer(t *testing.T) {
+	dummyError := errors.New("this is an error")
+	apis := []*apigateway.RestApi{
+		{Id: awssdk.String("3of73v5ob4")},
+		{Id: awssdk.String("1jitcobwol")},
+	}
+
+	tests := []struct {
+		test           string
+		mocks          func(*repository.MockApiGatewayRepository, *mocks.AlerterInterface)
+		assertExpected func(t *testing.T, got []*resource.Resource)
+		wantErr        error
+	}{
+		{
+			test: "no api gateway authorizers",
+			mocks: func(repo *repository.MockApiGatewayRepository, alerter *mocks.AlerterInterface) {
+				repo.On("ListAllRestApis").Return(apis, nil)
+				repo.On("ListAllRestApiAuthorizers", apis).Return([]*apigateway.Authorizer{}, nil)
+			},
+			assertExpected: func(t *testing.T, got []*resource.Resource) {
+				assert.Len(t, got, 0)
+			},
+		},
+		{
+			test: "multiple api gateway authorizers",
+			mocks: func(repo *repository.MockApiGatewayRepository, alerter *mocks.AlerterInterface) {
+				repo.On("ListAllRestApis").Return(apis, nil)
+				repo.On("ListAllRestApiAuthorizers", apis).Return([]*apigateway.Authorizer{
+					{Id: awssdk.String("ypcpde")},
+					{Id: awssdk.String("bwhebj")},
+				}, nil)
+			},
+			assertExpected: func(t *testing.T, got []*resource.Resource) {
+				assert.Len(t, got, 2)
+
+				assert.Equal(t, got[0].ResourceId(), "ypcpde")
+				assert.Equal(t, got[0].ResourceType(), resourceaws.AwsApiGatewayAuthorizerResourceType)
+
+				assert.Equal(t, got[1].ResourceId(), "bwhebj")
+				assert.Equal(t, got[1].ResourceType(), resourceaws.AwsApiGatewayAuthorizerResourceType)
+			},
+		},
+		{
+			test: "cannot list rest apis",
+			mocks: func(repo *repository.MockApiGatewayRepository, alerter *mocks.AlerterInterface) {
+				repo.On("ListAllRestApis").Return(nil, dummyError)
+				alerter.On("SendAlert", resourceaws.AwsApiGatewayAuthorizerResourceType, alerts.NewRemoteAccessDeniedAlert(common.RemoteAWSTerraform, remoteerr.NewResourceListingErrorWithType(dummyError, resourceaws.AwsApiGatewayAuthorizerResourceType, resourceaws.AwsApiGatewayRestApiResourceType), alerts.EnumerationPhase)).Return()
+			},
+			wantErr: remoteerr.NewResourceListingErrorWithType(dummyError, resourceaws.AwsApiGatewayAuthorizerResourceType, resourceaws.AwsApiGatewayRestApiResourceType),
+		},
+		{
+			test: "cannot list api gateway resources",
+			mocks: func(repo *repository.MockApiGatewayRepository, alerter *mocks.AlerterInterface) {
+				repo.On("ListAllRestApis").Return(apis, nil)
+				repo.On("ListAllRestApiAuthorizers", apis).Return(nil, dummyError)
+				alerter.On("SendAlert", resourceaws.AwsApiGatewayAuthorizerResourceType, alerts.NewRemoteAccessDeniedAlert(common.RemoteAWSTerraform, remoteerr.NewResourceListingErrorWithType(dummyError, resourceaws.AwsApiGatewayAuthorizerResourceType, resourceaws.AwsApiGatewayAuthorizerResourceType), alerts.EnumerationPhase)).Return()
+			},
+			wantErr: remoteerr.NewResourceListingError(dummyError, resourceaws.AwsApiGatewayAuthorizerResourceType),
+		},
+	}
+
+	providerVersion := "3.19.0"
+	schemaRepository := testresource.InitFakeSchemaRepository("aws", providerVersion)
+	resourceaws.InitResourcesMetadata(schemaRepository)
+	factory := terraform.NewTerraformResourceFactory(schemaRepository)
+
+	for _, c := range tests {
+		t.Run(c.test, func(tt *testing.T) {
+			scanOptions := ScannerOptions{}
+			remoteLibrary := common.NewRemoteLibrary()
+
+			// Initialize mocks
+			alerter := &mocks.AlerterInterface{}
+			fakeRepo := &repository.MockApiGatewayRepository{}
+			c.mocks(fakeRepo, alerter)
+
+			var repo repository.ApiGatewayRepository = fakeRepo
+
+			remoteLibrary.AddEnumerator(aws.NewApiGatewayAuthorizerEnumerator(repo, factory))
+
+			testFilter := &filter.MockFilter{}
+			testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
+
+			s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
+			got, err := s.Resources()
+			assert.Equal(tt, err, c.wantErr)
+			if err != nil {
+				return
+			}
+
+			c.assertExpected(tt, got)
+			alerter.AssertExpectations(tt)
+			fakeRepo.AssertExpectations(tt)
+			testFilter.AssertExpectations(tt)
+		})
+	}
+}

pkg/remote/aws/api_gateway_authorizer_enumerator.go

@@ -0,0 +1,51 @@
+package aws
+
+import (
+	"github.com/cloudskiff/driftctl/pkg/remote/aws/repository"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+	"github.com/cloudskiff/driftctl/pkg/resource"
+	"github.com/cloudskiff/driftctl/pkg/resource/aws"
+)
+
+type ApiGatewayAuthorizerEnumerator struct {
+	repository repository.ApiGatewayRepository
+	factory    resource.ResourceFactory
+}
+
+func NewApiGatewayAuthorizerEnumerator(repo repository.ApiGatewayRepository, factory resource.ResourceFactory) *ApiGatewayAuthorizerEnumerator {
+	return &ApiGatewayAuthorizerEnumerator{
+		repository: repo,
+		factory:    factory,
+	}
+}
+
+func (e *ApiGatewayAuthorizerEnumerator) SupportedType() resource.ResourceType {
+	return aws.AwsApiGatewayAuthorizerResourceType
+}
+
+func (e *ApiGatewayAuthorizerEnumerator) Enumerate() ([]*resource.Resource, error) {
+	apis, err := e.repository.ListAllRestApis()
+	if err != nil {
+		return nil, remoteerror.NewResourceListingErrorWithType(err, string(e.SupportedType()), aws.AwsApiGatewayRestApiResourceType)
+	}
+
+	authorizers, err := e.repository.ListAllRestApiAuthorizers(apis)
+	if err != nil {
+		return nil, remoteerror.NewResourceListingError(err, string(e.SupportedType()))
+	}
+
+	results := make([]*resource.Resource, len(authorizers))
+
+	for _, authorizer := range authorizers {
+		results = append(
+			results,
+			e.factory.CreateAbstractResource(
+				string(e.SupportedType()),
+				*authorizer.Id,
+				map[string]interface{}{},
+			),
+		)
+	}
+
+	return results, err
+}

pkg/remote/aws/init.go

@@ -185,6 +185,7 @@ func Init(version string, alerter *alerter.Alerter,
 	remoteLibrary.AddEnumerator(NewApiGatewayRestApiEnumerator(apigatewayRepository, factory))
 	remoteLibrary.AddEnumerator(NewApiGatewayAccountEnumerator(apigatewayRepository, factory))
 	remoteLibrary.AddEnumerator(NewApiGatewayApiKeyEnumerator(apigatewayRepository, factory))
+	remoteLibrary.AddEnumerator(NewApiGatewayAuthorizerEnumerator(apigatewayRepository, factory))
 
 	remoteLibrary.AddEnumerator(NewAppAutoscalingTargetEnumerator(appAutoScalingRepository, factory))
 	remoteLibrary.AddDetailsFetcher(aws.AwsAppAutoscalingTargetResourceType, common.NewGenericDetailsFetcher(aws.AwsAppAutoscalingTargetResourceType, provider, deserializer))

pkg/remote/aws/repository/api_gateway_repository.go

@@ -1,6 +1,8 @@
 package repository
 
 import (
+	"fmt"
+
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/apigateway"
 	"github.com/aws/aws-sdk-go/service/apigateway/apigatewayiface"
@@ -11,6 +13,7 @@ type ApiGatewayRepository interface {
 	ListAllRestApis() ([]*apigateway.RestApi, error)
 	GetAccount() (*apigateway.Account, error)
 	ListAllApiKeys() ([]*apigateway.ApiKey, error)
+	ListAllRestApiAuthorizers([]*apigateway.RestApi) ([]*apigateway.Authorizer, error)
 }
 
 type apigatewayRepository struct {
@@ -80,3 +83,27 @@ func (r *apigatewayRepository) ListAllApiKeys() ([]*apigateway.ApiKey, error) {
 	r.cache.Put("apigatewayListAllApiKeys", apiKeys)
 	return apiKeys, nil
 }
+
+func (r *apigatewayRepository) ListAllRestApiAuthorizers(apis []*apigateway.RestApi) ([]*apigateway.Authorizer, error) {
+	var authorizers []*apigateway.Authorizer
+	for _, api := range apis {
+		a := *api
+		cacheKey := fmt.Sprintf("apigatewayListAllRestApiAuthorizers_api_%s", *a.Id)
+		if v := r.cache.Get(cacheKey); v != nil {
+			authorizers = append(authorizers, v.([]*apigateway.Authorizer)...)
+			continue
+		}
+
+		input := &apigateway.GetAuthorizersInput{
+			RestApiId: a.Id,
+		}
+		resources, err := r.client.GetAuthorizers(input)
+		if err != nil {
+			return nil, err
+		}
+
+		r.cache.Put(cacheKey, resources.Items)
+		authorizers = append(authorizers, resources.Items...)
+	}
+	return authorizers, nil
+}

pkg/remote/aws/repository/api_gateway_repository_test.go

@@ -209,3 +209,77 @@ func Test_apigatewayRepository_ListAllApiKeys(t *testing.T) {
 		})
 	}
 }
+
+func Test_apigatewayRepository_ListAllRestApiAuthorizers(t *testing.T) {
+	apis := []*apigateway.RestApi{
+		{Id: aws.String("restapi1")},
+		{Id: aws.String("restapi2")},
+	}
+
+	apiAuthorizers := []*apigateway.Authorizer{
+		{Id: aws.String("resource1")},
+		{Id: aws.String("resource2")},
+		{Id: aws.String("resource3")},
+		{Id: aws.String("resource4")},
+	}
+
+	tests := []struct {
+		name    string
+		mocks   func(client *awstest.MockFakeApiGateway, store *cache.MockCache)
+		want    []*apigateway.Authorizer
+		wantErr error
+	}{
+		{
+			name: "list multiple rest api authorizers",
+			mocks: func(client *awstest.MockFakeApiGateway, store *cache.MockCache) {
+				client.On("GetAuthorizers",
+					&apigateway.GetAuthorizersInput{
+						RestApiId: aws.String("restapi1"),
+					}).Return(&apigateway.GetAuthorizersOutput{Items: apiAuthorizers[:2]}, nil).Once()
+
+				client.On("GetAuthorizers",
+					&apigateway.GetAuthorizersInput{
+						RestApiId: aws.String("restapi2"),
+					}).Return(&apigateway.GetAuthorizersOutput{Items: apiAuthorizers[2:]}, nil).Once()
+
+				store.On("Get", "apigatewayListAllRestApiAuthorizers_api_restapi1").Return(nil).Times(1)
+				store.On("Put", "apigatewayListAllRestApiAuthorizers_api_restapi1", apiAuthorizers[:2]).Return(false).Times(1)
+				store.On("Get", "apigatewayListAllRestApiAuthorizers_api_restapi2").Return(nil).Times(1)
+				store.On("Put", "apigatewayListAllRestApiAuthorizers_api_restapi2", apiAuthorizers[2:]).Return(false).Times(1)
+			},
+			want: apiAuthorizers,
+		},
+		{
+			name: "should hit cache",
+			mocks: func(client *awstest.MockFakeApiGateway, store *cache.MockCache) {
+				store.On("Get", "apigatewayListAllRestApiAuthorizers_api_restapi1").Return(apiAuthorizers[:2]).Times(1)
+				store.On("Get", "apigatewayListAllRestApiAuthorizers_api_restapi2").Return(apiAuthorizers[2:]).Times(1)
+			},
+			want: apiAuthorizers,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			store := &cache.MockCache{}
+			client := &awstest.MockFakeApiGateway{}
+			tt.mocks(client, store)
+			r := &apigatewayRepository{
+				client: client,
+				cache:  store,
+			}
+			got, err := r.ListAllRestApiAuthorizers(apis)
+			assert.Equal(t, tt.wantErr, err)
+
+			changelog, err := diff.Diff(got, tt.want)
+			assert.Nil(t, err)
+			if len(changelog) > 0 {
+				for _, change := range changelog {
+					t.Errorf("%s: %s -> %s", strings.Join(change.Path, "."), change.From, change.To)
+				}
+				t.Fail()
+			}
+			store.AssertExpectations(t)
+			client.AssertExpectations(t)
+		})
+	}
+}

pkg/remote/aws/repository/mock_ApiGatewayRepository.go

@@ -58,6 +58,29 @@ func (_m *MockApiGatewayRepository) ListAllApiKeys() ([]*apigateway.ApiKey, erro
 	return r0, r1
 }
 
+// ListAllRestApiAuthorizers provides a mock function with given fields: _a0
+func (_m *MockApiGatewayRepository) ListAllRestApiAuthorizers(_a0 []*apigateway.RestApi) ([]*apigateway.Authorizer, error) {
+	ret := _m.Called(_a0)
+
+	var r0 []*apigateway.Authorizer
+	if rf, ok := ret.Get(0).(func([]*apigateway.RestApi) []*apigateway.Authorizer); ok {
+		r0 = rf(_a0)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*apigateway.Authorizer)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func([]*apigateway.RestApi) error); ok {
+		r1 = rf(_a0)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
 // ListAllRestApis provides a mock function with given fields:
 func (_m *MockApiGatewayRepository) ListAllRestApis() ([]*apigateway.RestApi, error) {
 	ret := _m.Called()

pkg/resource/aws/aws_api_gateway_authorizer.go

@@ -0,0 +1,3 @@
+package aws
+
+const AwsApiGatewayAuthorizerResourceType = "aws_api_gateway_authorizer"

pkg/resource/aws/aws_api_gateway_authorizer_test.go

@@ -0,0 +1,30 @@
+package aws_test
+
+import (
+	"testing"
+
+	"github.com/cloudskiff/driftctl/test"
+	"github.com/cloudskiff/driftctl/test/acceptance"
+)
+
+func TestAcc_Aws_ApiGatewayAuthorizer(t *testing.T) {
+	acceptance.Run(t, acceptance.AccTestCase{
+		TerraformVersion: "0.15.5",
+		Paths:            []string{"./testdata/acc/aws_api_gateway_authorizer"},
+		Args:             []string{"scan", "--filter", "Type=='aws_api_gateway_authorizer'"},
+		Checks: []acceptance.AccCheck{
+			{
+				Env: map[string]string{
+					"AWS_REGION": "us-east-1",
+				},
+				Check: func(result *test.ScanResult, stdout string, err error) {
+					if err != nil {
+						t.Fatal(err)
+					}
+					result.AssertInfrastructureIsInSync()
+					result.AssertManagedCount(2)
+				},
+			},
+		},
+	})
+}

pkg/resource/aws/testdata/acc/aws_api_gateway_authorizer/.terraform.lock.hcl

@@ -0,0 +1,20 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "3.19.0"
+  constraints = "3.19.0"
+  hashes = [
+    "h1:xur9tF49NgsovNnmwmBR8RdpN8Fcg1TD4CKQPJD6n1A=",
+    "zh:185a5259153eb9ee4699d4be43b3d509386b473683392034319beee97d470c3b",
+    "zh:2d9a0a01f93e8d16539d835c02b8b6e1927b7685f4076e96cb07f7dd6944bc6c",
+    "zh:703f6da36b1b5f3497baa38fccaa7765fb8a2b6440344e4c97172516b49437dd",
+    "zh:770855565462abadbbddd98cb357d2f1a8f30f68a358cb37cbd5c072cb15b377",
+    "zh:8008db43149fe4345301f81e15e6d9ddb47aa5e7a31648f9b290af96ad86e92a",
+    "zh:8cdd27d375da6dcb7687f1fed126b7c04efce1671066802ee876dbbc9c66ec79",
+    "zh:be22ae185005690d1a017c1b909e0d80ab567e239b4f06ecacdba85080667c1c",
+    "zh:d2d02e72dbd80f607636cd6237a6c862897caabc635c7b50c0cb243d11246723",
+    "zh:d8f125b66a1eda2555c0f9bbdf12036a5f8d073499a22ca9e4812b68067fea31",
+    "zh:f5a98024c64d5d2973ff15b093725a074c0cb4afde07ef32c542e69f17ac90bc",
+  ]
+}

pkg/resource/aws/testdata/acc/aws_api_gateway_authorizer/terraform.tf

@@ -0,0 +1,95 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+terraform {
+  required_providers {
+    aws = "3.19.0"
+  }
+}
+
+resource "aws_api_gateway_rest_api" "foo" {
+    name        = "foo"
+    description = "This is foo API"
+}
+
+resource "aws_api_gateway_authorizer" "foo" {
+    name                   = "foo"
+    rest_api_id            = aws_api_gateway_rest_api.foo.id
+    authorizer_uri         = aws_lambda_function.authorizer.invoke_arn
+    authorizer_credentials = aws_iam_role.invocation_role.arn
+}
+
+resource "aws_api_gateway_authorizer" "bar" {
+    name                   = "bar"
+    rest_api_id            = aws_api_gateway_rest_api.foo.id
+    authorizer_uri         = aws_lambda_function.authorizer.invoke_arn
+    authorizer_credentials = aws_iam_role.invocation_role.arn
+}
+
+resource "aws_iam_role" "invocation_role" {
+    name = "api_gateway_auth_invocation"
+    path = "/"
+
+    assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "apigateway.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "invocation_policy" {
+    name = "default"
+    role = aws_iam_role.invocation_role.id
+
+    policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "lambda:InvokeFunction",
+      "Effect": "Allow",
+      "Resource": "${aws_lambda_function.authorizer.arn}"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role" "lambda" {
+    name = "demo-lambda"
+
+    assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_lambda_function" "authorizer" {
+    filename      = "lambda.zip"
+    function_name = "api_gateway_authorizer"
+    role          = aws_iam_role.lambda.arn
+    handler       = "lambda.handler"
+    runtime       = "nodejs12.x"
+}

pkg/resource/resource_types.go

@@ -63,6 +63,7 @@ var supportedTypes = map[string]struct{}{
 	"aws_api_gateway_rest_api":              {},
 	"aws_api_gateway_account":               {},
 	"aws_api_gateway_api_key":               {},
+	"aws_api_gateway_authorizer":            {},
 	"aws_appautoscaling_target":             {},
 	"aws_rds_cluster_instance":              {},