diff --git a/packages/@aws-cdk/aws-apigateway/README.md b/packages/@aws-cdk/aws-apigateway/README.md index 511a4239a22b8..deaf8d41f3a26 100644 --- a/packages/@aws-cdk/aws-apigateway/README.md +++ b/packages/@aws-cdk/aws-apigateway/README.md @@ -945,6 +945,18 @@ to allow users revert the stage to an old deployment manually. [Deployment]: https://docs.aws.amazon.com/apigateway/api-reference/resource/deployment/ [Stage]: https://docs.aws.amazon.com/apigateway/api-reference/resource/stage/ +In order to also create a new deployment when changes are made to any authorizer attached to the API, +the `@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId` [feature flag](https://docs.aws.amazon.com/cdk/v2/guide/featureflags.html) can be enabled. This can be set +in the `cdk.json` file. + +```json +{ + "context": { + "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true + } +} +``` + ## Custom Domains To associate an API with a custom domain, use the `domainName` configuration when diff --git a/packages/@aws-cdk/aws-apigateway/lib/authorizers/cognito.ts b/packages/@aws-cdk/aws-apigateway/lib/authorizers/cognito.ts index a1d000189354c..870c976d9ba20 100644 --- a/packages/@aws-cdk/aws-apigateway/lib/authorizers/cognito.ts +++ b/packages/@aws-cdk/aws-apigateway/lib/authorizers/cognito.ts @@ -1,7 +1,8 @@ import * as cognito from '@aws-cdk/aws-cognito'; -import { Duration, Lazy, Names, Stack } from '@aws-cdk/core'; +import { Duration, FeatureFlags, Lazy, Names, Stack } from '@aws-cdk/core'; +import { APIGATEWAY_AUTHORIZER_CHANGE_DEPLOYMENT_LOGICAL_ID } from '@aws-cdk/cx-api'; import { Construct } from 'constructs'; -import { CfnAuthorizer } from '../apigateway.generated'; +import { CfnAuthorizer, CfnAuthorizerProps } from '../apigateway.generated'; import { Authorizer, IAuthorizer } from '../authorizer'; import { AuthorizationType } from '../method'; import { IRestApi } from '../restapi'; 
@@ -64,18 +65,25 @@ export class CognitoUserPoolsAuthorizer extends Authorizer implements IAuthorize private restApiId?: string; + private readonly authorizerProps: CfnAuthorizerProps; + constructor(scope: Construct, id: string, props: CognitoUserPoolsAuthorizerProps) { super(scope, id); const restApiId = this.lazyRestApiId(); - const resource = new CfnAuthorizer(this, 'Resource', { + + const authorizerProps = { name: props.authorizerName ?? Names.uniqueId(this), restApiId, type: 'COGNITO_USER_POOLS', providerArns: props.cognitoUserPools.map(userPool => userPool.userPoolArn), authorizerResultTtlInSeconds: props.resultsCacheTtl?.toSeconds(), identitySource: props.identitySource || 'method.request.header.Authorization', - }); + }; + + this.authorizerProps = authorizerProps; + + const resource = new CfnAuthorizer(this, 'Resource', authorizerProps); this.authorizerId = resource.ref; this.authorizerArn = Stack.of(this).formatArn({ @@ -96,6 +104,16 @@ export class CognitoUserPoolsAuthorizer extends Authorizer implements IAuthorize } this.restApiId = restApi.restApiId; + + const addToLogicalId = FeatureFlags.of(this).isEnabled(APIGATEWAY_AUTHORIZER_CHANGE_DEPLOYMENT_LOGICAL_ID); + + const deployment = restApi.latestDeployment; + if (deployment && addToLogicalId) { + deployment.node.addDependency(this); + deployment.addToLogicalId({ + authorizer: this.authorizerProps, + }); + } } /** diff --git a/packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts b/packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts index f67cf4b7faa79..545e5440ef34b 100644 --- a/packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts +++ b/packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts 
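Review bot: The local `authorizerProps` in the CognitoUserPoolsAuthorizer constructor is declared without a type, while the TokenAuthorizer and RequestAuthorizer constructors in lambda.ts annotate the same kind of literal. Writing `const authorizerProps: CfnAuthorizerProps = {` keeps the three constructors parallel and has the compiler check the literal where it is written rather than at the later assignment to the field. The new private `authorizerProps` field also has no doc comment; a line such as `/** Props of the underlying CfnAuthorizer, kept so _attachToApi can add them to the deployment's logical id. */` would explain why the props are stored.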
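Review bot: The block added to `_attachToApi` does nothing when `restApi.latestDeployment` is undefined, and no comment says so. In that case an authorizer change, for example a different set of `providerArns`, still produces no new deployment even with the flag enabled. I would add a comment above the `if`, such as `// Without a CDK-managed deployment there is nothing to re-hash; authorizer changes then need a manual redeploy.` Presumably `_attachToApi` also runs once per method that uses the authorizer, so `addDependency` and `addToLogicalId` are repeated with identical data; it is worth confirming that is intended. The method starts outside this hunk, and both points apply equally to the matching block in `LambdaAuthorizer._attachToApi` in lambda.ts.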
@@ -1,8 +1,9 @@ import * as iam from '@aws-cdk/aws-iam'; import * as lambda from '@aws-cdk/aws-lambda'; -import { Arn, ArnFormat, Duration, Lazy, Names, Stack } from '@aws-cdk/core'; +import { Arn, ArnFormat, Duration, FeatureFlags, Lazy, Names, Stack } from '@aws-cdk/core'; +import { APIGATEWAY_AUTHORIZER_CHANGE_DEPLOYMENT_LOGICAL_ID } from '@aws-cdk/cx-api'; import { Construct } from 'constructs'; -import { CfnAuthorizer } from '../apigateway.generated'; +import { CfnAuthorizer, CfnAuthorizerProps } from '../apigateway.generated'; import { Authorizer, IAuthorizer } from '../authorizer'; import { IRestApi } from '../restapi'; @@ -69,6 +70,8 @@ abstract class LambdaAuthorizer extends Authorizer implements IAuthorizer { protected restApiId?: string; + protected abstract readonly authorizerProps: CfnAuthorizerProps; + protected constructor(scope: Construct, id: string, props: LambdaAuthorizerProps) { super(scope, id); @@ -90,6 +93,28 @@ abstract class LambdaAuthorizer extends Authorizer implements IAuthorizer { } this.restApiId = restApi.restApiId; + + const deployment = restApi.latestDeployment; + const addToLogicalId = FeatureFlags.of(this).isEnabled(APIGATEWAY_AUTHORIZER_CHANGE_DEPLOYMENT_LOGICAL_ID); + + if (deployment && addToLogicalId) { + let functionName; + + if (this.handler instanceof lambda.Function) { + // if not imported, attempt to get the function name, which + // may be a token + functionName = (this.handler.node.defaultChild as lambda.CfnFunction).functionName; + } else { + // if imported, the function name will be a token + functionName = this.handler.functionName; + } + + deployment.node.addDependency(this); + deployment.addToLogicalId({ + authorizer: this.authorizerProps, + authorizerToken: functionName, + }); + } } /** 
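Review bot: The abstract `authorizerProps` declared on LambdaAuthorizer has no doc comment, and its contract is not obvious from the declaration. The base class reads it in `_attachToApi`, while TokenAuthorizer and RequestAuthorizer only assign it after `super()` returns. A TSDoc line on the declaration, for example `/** Props of the CfnAuthorizer created by the subclass; must be assigned in the subclass constructor because _attachToApi reads it. */`, would record that ordering requirement for anyone adding another subclass.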
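Review bot: `let functionName;` in the new `_attachToApi` block is untyped, and the first branch reads it through an unchecked cast, `(this.handler.node.defaultChild as lambda.CfnFunction).functionName`. On a `CfnFunction` that property is the optional name supplied at construction, so for a function created without an explicit name it is `undefined` and `authorizerToken` adds nothing to the hashed data. The inline comment only says the value "may be a token". I would declare `let functionName: string | undefined;` and state in the comment that the value can be absent. The `authorizerToken` key is also worth renaming, since it holds a function name rather than a token. The method starts outside this hunk.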
@@ -163,11 +188,14 @@ export class TokenAuthorizer extends LambdaAuthorizer { public readonly authorizerArn: string; + protected readonly authorizerProps: CfnAuthorizerProps; + constructor(scope: Construct, id: string, props: TokenAuthorizerProps) { super(scope, id, props); const restApiId = this.lazyRestApiId(); - const resource = new CfnAuthorizer(this, 'Resource', { + + const authorizerProps: CfnAuthorizerProps = { name: props.authorizerName ?? Names.uniqueId(this), restApiId, type: 'TOKEN', @@ -176,7 +204,11 @@ export class TokenAuthorizer extends LambdaAuthorizer { authorizerResultTtlInSeconds: props.resultsCacheTtl?.toSeconds(), identitySource: props.identitySource || 'method.request.header.Authorization', identityValidationExpression: props.validationRegex, - }); + }; + + this.authorizerProps = authorizerProps; + + const resource = new CfnAuthorizer(this, 'Resource', authorizerProps); this.authorizerId = resource.ref; this.authorizerArn = Stack.of(this).formatArn({ @@ -221,6 +253,8 @@ export class RequestAuthorizer extends LambdaAuthorizer { public readonly authorizerArn: string; + protected readonly authorizerProps: CfnAuthorizerProps; + constructor(scope: Construct, id: string, props: RequestAuthorizerProps) { super(scope, id, props); @@ -229,7 +263,8 @@ export class RequestAuthorizer extends LambdaAuthorizer { } const restApiId = this.lazyRestApiId(); - const resource = new CfnAuthorizer(this, 'Resource', { + + const authorizerProps: CfnAuthorizerProps = { name: props.authorizerName ?? Names.uniqueId(this), restApiId, type: 'REQUEST', 
@@ -237,7 +272,11 @@ export class RequestAuthorizer extends LambdaAuthorizer { authorizerCredentials: props.assumeRole?.roleArn, authorizerResultTtlInSeconds: props.resultsCacheTtl?.toSeconds(), identitySource: props.identitySources.map(is => is.toString()).join(','), - }); + }; + + this.authorizerProps = authorizerProps; + + const resource = new CfnAuthorizer(this, 'Resource', authorizerProps); this.authorizerId = resource.ref; this.authorizerArn = Stack.of(this).formatArn({ diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/cognito.test.ts b/packages/@aws-cdk/aws-apigateway/test/authorizers/cognito.test.ts index 906f772a8505b..214384359016b 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/cognito.test.ts +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/cognito.test.ts 
@@ -63,4 +63,58 @@ describe('Cognito Authorizer', () => { expect(authorizer.authorizerArn.endsWith(`/authorizers/${authorizer.authorizerId}`)).toBeTruthy(); }); + + test('rest api depends on the authorizer when @aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId is enabled', () => { + const stack = new Stack(); + stack.node.setContext('@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId', true); + const userPool1 = new cognito.UserPool(stack, 'UserPool'); + + const authorizer = new CognitoUserPoolsAuthorizer(stack, 'Authorizer', { + cognitoUserPools: [userPool1], + }); + + const restApi = new RestApi(stack, 'Api'); + + restApi.root.addMethod('ANY', undefined, { + authorizer, + authorizationType: AuthorizationType.COGNITO, + }); + + const template = Template.fromStack(stack); + + const authorizerId = Object.keys(template.findResources('AWS::ApiGateway::Authorizer'))[0]; + const deployment = Object.values(template.findResources('AWS::ApiGateway::Deployment'))[0]; + + expect(deployment.DependsOn).toEqual(expect.arrayContaining([authorizerId])); + }); + + test('a new deployment is created when a cognito user pool is re-created and @aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId is enabled', () => { + const createApiTemplate = (userPoolId: string) => { + const stack = new Stack(); + stack.node.setContext('@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId', true); + + const userPool = new cognito.UserPool(stack, userPoolId); + + const auth = new CognitoUserPoolsAuthorizer(stack, 'myauthorizer', { + resultsCacheTtl: Duration.seconds(0), + cognitoUserPools: [userPool], + }); + + const restApi = new RestApi(stack, 'myrestapi'); + restApi.root.addMethod('ANY', undefined, { + authorizer: auth, + authorizationType: AuthorizationType.COGNITO, + }); + + return Template.fromStack(stack); + }; + + const oldTemplate = createApiTemplate('foo'); + const newTemplate = createApiTemplate('bar'); + + const oldDeploymentId = 
Object.keys(oldTemplate.findResources('AWS::ApiGateway::Deployment'))[0]; + const newDeploymentId = Object.keys(newTemplate.findResources('AWS::ApiGateway::Deployment'))[0]; + + expect(oldDeploymentId).not.toEqual(newDeploymentId); + }); }); diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/CognitoUserPoolsAuthorizerInteg.assets.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/CognitoUserPoolsAuthorizerInteg.assets.json index ddef77182f50d..0a772224ed903 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/CognitoUserPoolsAuthorizerInteg.assets.json +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/CognitoUserPoolsAuthorizerInteg.assets.json @@ -1,7 +1,7 @@ { - "version": "20.0.0", + "version": "22.0.0", "files": { - "551baa1ebfdea9d8d905ffd1e2e8ac09982d0a49e669c97ad0d8f8c092cb96df": { + "81ccfaff55790eb0a0ba90c4ede5ca2168072939afb21004c5dcb5ca74295b40": { "source": { "path": "CognitoUserPoolsAuthorizerInteg.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "551baa1ebfdea9d8d905ffd1e2e8ac09982d0a49e669c97ad0d8f8c092cb96df.json", + "objectKey": "81ccfaff55790eb0a0ba90c4ede5ca2168072939afb21004c5dcb5ca74295b40.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/CognitoUserPoolsAuthorizerInteg.template.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/CognitoUserPoolsAuthorizerInteg.template.json index 377d0b8acb1d3..51688cc80a529 100644 
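Review bot: Both added tests set `@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId` to true, so nothing here pins the behaviour when the flag is absent. Because the flag exists to keep existing deployments' logical ids stable, a companion test should assert that the deployment id does not change with the authorizer when the flag is off. The expected equality in the sketch below is inferred from the flag check in `_attachToApi` and should be confirmed by running it. The second test also varies only the user pool's construct id; a case that changes `identitySource` or `resultsCacheTtl` would cover the authorizer's own properties.

```typescript
test('deployment logical id ignores the authorizer when the feature flag is not set', () => {
  const createApiTemplate = (userPoolId: string) => {
    const stack = new Stack();
    // … unchanged: user pool, authorizer, rest api and method as in the flag-enabled test, minus setContext …
    return Template.fromStack(stack);
  };

  const oldDeploymentId = Object.keys(createApiTemplate('foo').findResources('AWS::ApiGateway::Deployment'))[0];
  const newDeploymentId = Object.keys(createApiTemplate('bar').findResources('AWS::ApiGateway::Deployment'))[0];

  expect(oldDeploymentId).toEqual(newDeploymentId);
});
```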
--- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/CognitoUserPoolsAuthorizerInteg.template.json +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/CognitoUserPoolsAuthorizerInteg.template.json @@ -105,7 +105,7 @@ "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain" }, - "myrestapiDeployment419B1464b903292b53d7532ca4296973bcb95b1a": { + "myrestapiDeployment419B1464d5146a3a0aa3a9f79024a52930571dc6": { "Type": "AWS::ApiGateway::Deployment", "Properties": { "RestApiId": { @@ -114,6 +114,7 @@ "Description": "Automatically created by the RestApi construct" }, "DependsOn": [ + "myauthorizer23CB99DD", "myrestapiANY94B0497F" ] }, @@ -124,7 +125,7 @@ "Ref": "myrestapi551C8392" }, "DeploymentId": { - "Ref": "myrestapiDeployment419B1464b903292b53d7532ca4296973bcb95b1a" + "Ref": "myrestapiDeployment419B1464d5146a3a0aa3a9f79024a52930571dc6" }, "StageName": "prod" }, diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/cdk.out b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/cdk.out index 588d7b269d34f..145739f539580 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/cdk.out +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"20.0.0"} \ No newline at end of file +{"version":"22.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/cognitoauthorizerDefaultTestDeployAssert4551574C.assets.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/cognitoauthorizerDefaultTestDeployAssert4551574C.assets.json index c2d38a0a1c79b..da60b8f9da60e 100644 
--- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/cognitoauthorizerDefaultTestDeployAssert4551574C.assets.json +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/cognitoauthorizerDefaultTestDeployAssert4551574C.assets.json @@ -1,5 +1,5 @@ { - "version": "20.0.0", + "version": "22.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/integ.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/integ.json index 1e72b0d39b727..3be28d00ffde7 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/integ.json +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/integ.json @@ -1,11 +1,12 @@ { - "version": "20.0.0", + "version": "22.0.0", "testCases": { "cognito-authorizer/DefaultTest": { "stacks": [ "CognitoUserPoolsAuthorizerInteg" ], - "assertionStack": "cognito-authorizer/DefaultTest/DeployAssert" + "assertionStack": "cognito-authorizer/DefaultTest/DeployAssert", + "assertionStackName": "cognitoauthorizerDefaultTestDeployAssert4551574C" } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/manifest.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/manifest.json index 1de3c09fa1d8d..0761ffc156133 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/manifest.json 
@@ -1,12 +1,6 @@ { - "version": "20.0.0", + "version": "22.0.0", "artifacts": { - "Tree": { - "type": "cdk:tree", - "properties": { - "file": "tree.json" - } - }, "CognitoUserPoolsAuthorizerInteg.assets": { "type": "cdk:asset-manifest", "properties": { @@ -23,7 +17,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/551baa1ebfdea9d8d905ffd1e2e8ac09982d0a49e669c97ad0d8f8c092cb96df.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/81ccfaff55790eb0a0ba90c4ede5ca2168072939afb21004c5dcb5ca74295b40.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -72,7 +66,7 @@ "/CognitoUserPoolsAuthorizerInteg/myrestapi/Deployment/Resource": [ { "type": "aws:cdk:logicalId", - "data": "myrestapiDeployment419B1464b903292b53d7532ca4296973bcb95b1a" + "data": "myrestapiDeployment419B1464d5146a3a0aa3a9f79024a52930571dc6" } ], "/CognitoUserPoolsAuthorizerInteg/myrestapi/DeploymentStage.prod/Resource": [ @@ -104,6 +98,15 @@ "type": "aws:cdk:logicalId", "data": "CheckBootstrapVersion" } + ], + "myrestapiDeployment419B1464b903292b53d7532ca4296973bcb95b1a": [ + { + "type": "aws:cdk:logicalId", + "data": "myrestapiDeployment419B1464b903292b53d7532ca4296973bcb95b1a", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" + ] + } ] }, "displayName": "CognitoUserPoolsAuthorizerInteg" @@ -154,6 +157,12 @@ ] }, "displayName": "cognito-authorizer/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } } } } \ No newline at end of file 
diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/tree.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/tree.json index 06688fd7cbcc8..c7963b5f43382 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.cognito-authorizer.js.snapshot/tree.json @@ -4,14 +4,6 @@ "id": "App", "path": "", "children": { - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" - } - }, "CognitoUserPoolsAuthorizerInteg": { "id": "CognitoUserPoolsAuthorizerInteg", "path": "CognitoUserPoolsAuthorizerInteg", @@ -122,6 +114,14 @@ "id": "CloudWatchRole", "path": "CognitoUserPoolsAuthorizerInteg/myrestapi/CloudWatchRole", "children": { + "ImportCloudWatchRole": { + "id": "ImportCloudWatchRole", + "path": "CognitoUserPoolsAuthorizerInteg/myrestapi/CloudWatchRole/ImportCloudWatchRole", + "constructInfo": { + "fqn": "@aws-cdk/core.Resource", + "version": "0.0.0" + } + }, "Resource": { "id": "Resource", "path": "CognitoUserPoolsAuthorizerInteg/myrestapi/CloudWatchRole/Resource", @@ -227,7 +227,7 @@ "Ref": "myrestapi551C8392" }, "deploymentId": { - "Ref": "myrestapiDeployment419B1464b903292b53d7532ca4296973bcb95b1a" + "Ref": "myrestapiDeployment419B1464d5146a3a0aa3a9f79024a52930571dc6" }, "stageName": "prod" } @@ -247,8 +247,8 @@ "id": "Endpoint", "path": "CognitoUserPoolsAuthorizerInteg/myrestapi/Endpoint", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" + "fqn": "@aws-cdk/core.CfnOutput", + "version": "0.0.0" } }, "Default": { 
@@ -320,11 +320,27 @@ "fqn": "@aws-cdk/aws-apigateway.RestApi", "version": "0.0.0" } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "CognitoUserPoolsAuthorizerInteg/BootstrapVersion", + "constructInfo": { + "fqn": "@aws-cdk/core.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "CognitoUserPoolsAuthorizerInteg/CheckBootstrapVersion", + "constructInfo": { + "fqn": "@aws-cdk/core.CfnRule", + "version": "0.0.0" + } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" + "fqn": "@aws-cdk/core.Stack", + "version": "0.0.0" } }, "cognito-authorizer": { @@ -340,15 +356,33 @@ "path": "cognito-authorizer/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.85" + "version": "10.1.168" } }, "DeployAssert": { "id": "DeployAssert", "path": "cognito-authorizer/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "cognito-authorizer/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "@aws-cdk/core.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "cognito-authorizer/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "@aws-cdk/core.CfnRule", + "version": "0.0.0" + } + } + }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" + "fqn": "@aws-cdk/core.Stack", + "version": "0.0.0" } } }, @@ -362,11 +396,19 @@ "fqn": "@aws-cdk/integ-tests.IntegTest", "version": "0.0.0" } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.168" + } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" + "fqn": "@aws-cdk/core.App", + "version": "0.0.0" } } } \ No newline at end of file 
diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/RequestAuthorizerInteg.assets.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/RequestAuthorizerInteg.assets.json index a5d63e72ed201..2eb109263812d 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/RequestAuthorizerInteg.assets.json +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/RequestAuthorizerInteg.assets.json @@ -1,5 +1,5 @@ { - "version": "20.0.0", + "version": "29.0.0", "files": { "3dc8c5549b88fef617feef923524902b3650973ae1159c9489ee8405344dd5a0": { "source": { @@ -14,7 +14,7 @@ } } }, - "5ba1108f5d1f7ce23d5bad675df22e0d3beb4f42fc970713488ea99585299b43": { + "a605b6be7a978439cf7b93d6214f4ce6d30a9163415575fa17ba0a5857238906": { "source": { "path": "RequestAuthorizerInteg.template.json", "packaging": "file" @@ -22,7 +22,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "5ba1108f5d1f7ce23d5bad675df22e0d3beb4f42fc970713488ea99585299b43.json", + "objectKey": "a605b6be7a978439cf7b93d6214f4ce6d30a9163415575fa17ba0a5857238906.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/RequestAuthorizerInteg.template.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/RequestAuthorizerInteg.template.json index 5d3dd9f410c25..034601d9d70fd 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/RequestAuthorizerInteg.template.json 
+++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/RequestAuthorizerInteg.template.json @@ -93,6 +93,46 @@ } } }, + "MyAuthorizerFunctionRequestAuthorizerIntegMySecondAuthorizerCCC4ECEDPermissions055F817A": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Fn::GetAtt": [ + "MyAuthorizerFunction70F1223E", + "Arn" + ] + }, + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":execute-api:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":", + { + "Ref": "MyRestApi2D1F47A9" + }, + "/authorizers/", + { + "Ref": "MySecondAuthorizer25A69B96" + } + ] + ] + } + } + }, "MyRestApi2D1F47A9": { "Type": "AWS::ApiGateway::RestApi", "Properties": { @@ -148,7 +188,7 @@ "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain" }, - "MyRestApiDeploymentB555B582dcff966d69deeda8d47e3bf409ce29cb": { + "MyRestApiDeploymentB555B582d83364d66d67f510f848797cd89349d5": { "Type": "AWS::ApiGateway::Deployment", "Properties": { "RestApiId": { @@ -157,7 +197,11 @@ "Description": "Automatically created by the RestApi construct" }, "DependsOn": [ - "MyRestApiANY05143F93" + "MyAuthorizer6575980E", + "MyRestApiANY05143F93", + "MyRestApiauthANY12A3CAB7", + "MyRestApiauth918A22B9", + "MySecondAuthorizer25A69B96" ] }, "MyRestApiDeploymentStageprodC33B8E5F": { @@ -167,7 +211,7 @@ "Ref": "MyRestApi2D1F47A9" }, "DeploymentId": { - "Ref": "MyRestApiDeploymentB555B582dcff966d69deeda8d47e3bf409ce29cb" + "Ref": "MyRestApiDeploymentB555B582d83364d66d67f510f848797cd89349d5" }, "StageName": "prod" }, 
@@ -211,6 +255,54 @@ ] } }, + "MyRestApiauth918A22B9": { + "Type": "AWS::ApiGateway::Resource", + "Properties": { + "ParentId": { + "Fn::GetAtt": [ + "MyRestApi2D1F47A9", + "RootResourceId" + ] + }, + "PathPart": "auth", + "RestApiId": { + "Ref": "MyRestApi2D1F47A9" + } + } + }, + "MyRestApiauthANY12A3CAB7": { + "Type": "AWS::ApiGateway::Method", + "Properties": { + "HttpMethod": "ANY", + "ResourceId": { + "Ref": "MyRestApiauth918A22B9" + }, + "RestApiId": { + "Ref": "MyRestApi2D1F47A9" + }, + "AuthorizationType": "CUSTOM", + "AuthorizerId": { + "Ref": "MySecondAuthorizer25A69B96" + }, + "Integration": { + "IntegrationResponses": [ + { + "StatusCode": "200" + } + ], + "PassthroughBehavior": "NEVER", + "RequestTemplates": { + "application/json": "{ \"statusCode\": 200 }" + }, + "Type": "MOCK" + }, + "MethodResponses": [ + { + "StatusCode": "200" + } + ] + } + }, "MyAuthorizer6575980E": { "Type": "AWS::ApiGateway::Authorizer", "Properties": { @@ -270,6 +362,66 @@ }, "IdentitySource": "method.request.header.Authorization,method.request.querystring.allow" } + }, + "MySecondAuthorizer25A69B96": { + "Type": "AWS::ApiGateway::Authorizer", + "Properties": { + "Name": "RequestAuthorizerIntegMySecondAuthorizerCCC4ECED", + "RestApiId": { + "Ref": "MyRestApi2D1F47A9" + }, + "Type": "REQUEST", + "AuthorizerUri": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + ":", + { + "Fn::GetAtt": [ + "MyAuthorizerFunction70F1223E", + "Arn" + ] + } + ] + } + ] + }, + ":apigateway:", + { + "Fn::Select": [ + 3, + { + "Fn::Split": [ + ":", + { + "Fn::GetAtt": [ + "MyAuthorizerFunction70F1223E", + "Arn" + ] + } + ] + } + ] + }, + ":lambda:path/2015-03-31/functions/", + { + "Fn::GetAtt": [ + "MyAuthorizerFunction70F1223E", + "Arn" + ] + }, + "/invocations" + ] + ] + }, + "IdentitySource": "method.request.header.Authorization,method.request.querystring.allow" + } } }, "Outputs": { 
diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/cdk.out b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/cdk.out index 588d7b269d34f..d8b441d447f8a 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/cdk.out +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"20.0.0"} \ No newline at end of file +{"version":"29.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/integ.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/integ.json index 672507dc37b1c..0898fdc8ceefa 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/integ.json +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "20.0.0", + "version": "29.0.0", "testCases": { "integ.request-authorizer.lit": { "stacks": [ diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/manifest.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/manifest.json index 6bc875ca85fff..9b3020372b883 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/manifest.json @@ -1,12 +1,6 @@ { - "version": "20.0.0", + "version": "29.0.0", "artifacts": { - "Tree": { - "type": "cdk:tree", - "properties": { - "file": "tree.json" - } - }, "RequestAuthorizerInteg.assets": { "type": "cdk:asset-manifest", "properties": { 
@@ -23,7 +17,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/5ba1108f5d1f7ce23d5bad675df22e0d3beb4f42fc970713488ea99585299b43.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/a605b6be7a978439cf7b93d6214f4ce6d30a9163415575fa17ba0a5857238906.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -57,6 +51,12 @@ "data": "MyAuthorizerFunctionRequestAuthorizerIntegMyAuthorizer5D9D41C5PermissionsCB8B246E" } ], + "/RequestAuthorizerInteg/MyAuthorizerFunction/RequestAuthorizerIntegMySecondAuthorizerCCC4ECED:Permissions": [ + { + "type": "aws:cdk:logicalId", + "data": "MyAuthorizerFunctionRequestAuthorizerIntegMySecondAuthorizerCCC4ECEDPermissions055F817A" + } + ], "/RequestAuthorizerInteg/MyRestApi/Resource": [ { "type": "aws:cdk:logicalId", @@ -78,7 +78,7 @@ "/RequestAuthorizerInteg/MyRestApi/Deployment/Resource": [ { "type": "aws:cdk:logicalId", - "data": "MyRestApiDeploymentB555B582dcff966d69deeda8d47e3bf409ce29cb" + "data": "MyRestApiDeploymentB555B582d83364d66d67f510f848797cd89349d5" } ], "/RequestAuthorizerInteg/MyRestApi/DeploymentStage.prod/Resource": [ 
@@ -99,12 +99,30 @@ "data": "MyRestApiANY05143F93" } ], + "/RequestAuthorizerInteg/MyRestApi/Default/auth/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "MyRestApiauth918A22B9" + } + ], + "/RequestAuthorizerInteg/MyRestApi/Default/auth/ANY/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "MyRestApiauthANY12A3CAB7" + } + ], "/RequestAuthorizerInteg/MyAuthorizer/Resource": [ { "type": "aws:cdk:logicalId", "data": "MyAuthorizer6575980E" } ], + "/RequestAuthorizerInteg/MySecondAuthorizer/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "MySecondAuthorizer25A69B96" + } + ], "/RequestAuthorizerInteg/BootstrapVersion": [ { "type": "aws:cdk:logicalId", @@ -116,9 +134,24 @@ "type": "aws:cdk:logicalId", "data": "CheckBootstrapVersion" } + ], + "MyRestApiDeploymentB555B5824e51b8fe7583a45923d0b84d7acf920f": [ + { + "type": "aws:cdk:logicalId", + "data": "MyRestApiDeploymentB555B5824e51b8fe7583a45923d0b84d7acf920f", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" + ] + } ] }, "displayName": "RequestAuthorizerInteg" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/tree.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/tree.json index 0efd3e0dc3177..e9bba1a26a1f6 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/tree.json @@ -4,14 +4,6 @@ "id": "App", "path": "", "children": { - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" - } - }, "RequestAuthorizerInteg": { "id": "RequestAuthorizerInteg", "path": "RequestAuthorizerInteg", 
@@ -24,6 +16,14 @@ "id": "ServiceRole", "path": "RequestAuthorizerInteg/MyAuthorizerFunction/ServiceRole", "children": { + "ImportServiceRole": { + "id": "ImportServiceRole", + "path": "RequestAuthorizerInteg/MyAuthorizerFunction/ServiceRole/ImportServiceRole", + "constructInfo": { + "fqn": "@aws-cdk/core.Resource", + "version": "0.0.0" + } + }, "Resource": { "id": "Resource", "path": "RequestAuthorizerInteg/MyAuthorizerFunction/ServiceRole/Resource", @@ -77,8 +77,8 @@ "id": "Stage", "path": "RequestAuthorizerInteg/MyAuthorizerFunction/Code/Stage", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" + "fqn": "@aws-cdk/core.AssetStaging", + "version": "0.0.0" } }, "AssetBucket": { @@ -169,6 +169,54 @@ "fqn": "@aws-cdk/aws-lambda.CfnPermission", "version": "0.0.0" } + }, + "RequestAuthorizerIntegMySecondAuthorizerCCC4ECED:Permissions": { + "id": "RequestAuthorizerIntegMySecondAuthorizerCCC4ECED:Permissions", + "path": "RequestAuthorizerInteg/MyAuthorizerFunction/RequestAuthorizerIntegMySecondAuthorizerCCC4ECED:Permissions", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::Permission", + "aws:cdk:cloudformation:props": { + "action": "lambda:InvokeFunction", + "functionName": { + "Fn::GetAtt": [ + "MyAuthorizerFunction70F1223E", + "Arn" + ] + }, + "principal": "apigateway.amazonaws.com", + "sourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":execute-api:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":", + { + "Ref": "MyRestApi2D1F47A9" + }, + "/authorizers/", + { + "Ref": "MySecondAuthorizer25A69B96" + } + ] + ] + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-lambda.CfnPermission", + "version": "0.0.0" + } } }, "constructInfo": { 
@@ -198,6 +246,14 @@ "id": "CloudWatchRole", "path": "RequestAuthorizerInteg/MyRestApi/CloudWatchRole", "children": { + "ImportCloudWatchRole": { + "id": "ImportCloudWatchRole", + "path": "RequestAuthorizerInteg/MyRestApi/CloudWatchRole/ImportCloudWatchRole", + "constructInfo": { + "fqn": "@aws-cdk/core.Resource", + "version": "0.0.0" + } + }, "Resource": { "id": "Resource", "path": "RequestAuthorizerInteg/MyRestApi/CloudWatchRole/Resource", @@ -303,7 +359,7 @@ "Ref": "MyRestApi2D1F47A9" }, "deploymentId": { - "Ref": "MyRestApiDeploymentB555B582dcff966d69deeda8d47e3bf409ce29cb" + "Ref": "MyRestApiDeploymentB555B582d83364d66d67f510f848797cd89349d5" }, "stageName": "prod" } @@ -323,8 +379,8 @@ "id": "Endpoint", "path": "RequestAuthorizerInteg/MyRestApi/Endpoint", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" + "fqn": "@aws-cdk/core.CfnOutput", + "version": "0.0.0" } }, "Default": { 
@@ -384,6 +440,90 @@ "fqn": "@aws-cdk/aws-apigateway.Method", "version": "0.0.0" } + }, + "auth": { + "id": "auth", + "path": "RequestAuthorizerInteg/MyRestApi/Default/auth", + "children": { + "Resource": { + "id": "Resource", + "path": "RequestAuthorizerInteg/MyRestApi/Default/auth/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::ApiGateway::Resource", + "aws:cdk:cloudformation:props": { + "parentId": { + "Fn::GetAtt": [ + "MyRestApi2D1F47A9", + "RootResourceId" + ] + }, + "pathPart": "auth", + "restApiId": { + "Ref": "MyRestApi2D1F47A9" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-apigateway.CfnResource", + "version": "0.0.0" + } + }, + "ANY": { + "id": "ANY", + "path": "RequestAuthorizerInteg/MyRestApi/Default/auth/ANY", + "children": { + "Resource": { + "id": "Resource", + "path": "RequestAuthorizerInteg/MyRestApi/Default/auth/ANY/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::ApiGateway::Method", + "aws:cdk:cloudformation:props": { + "httpMethod": "ANY", + "resourceId": { + "Ref": "MyRestApiauth918A22B9" + }, + "restApiId": { + "Ref": "MyRestApi2D1F47A9" + }, + "authorizationType": "CUSTOM", + "authorizerId": { + "Ref": "MySecondAuthorizer25A69B96" + }, + "integration": { + "type": "MOCK", + "requestTemplates": { + "application/json": "{ \"statusCode\": 200 }" + }, + "passthroughBehavior": "NEVER", + "integrationResponses": [ + { + "statusCode": "200" + } + ] + }, + "methodResponses": [ + { + "statusCode": "200" + } + ] + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-apigateway.CfnMethod", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-apigateway.Method", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-apigateway.Resource", + "version": "0.0.0" + } } }, "constructInfo": { 
@@ -474,17 +614,119 @@ "fqn": "@aws-cdk/aws-apigateway.RequestAuthorizer", "version": "0.0.0" } + }, + "MySecondAuthorizer": { + "id": "MySecondAuthorizer", + "path": "RequestAuthorizerInteg/MySecondAuthorizer", + "children": { + "Resource": { + "id": "Resource", + "path": "RequestAuthorizerInteg/MySecondAuthorizer/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::ApiGateway::Authorizer", + "aws:cdk:cloudformation:props": { + "name": "RequestAuthorizerIntegMySecondAuthorizerCCC4ECED", + "restApiId": { + "Ref": "MyRestApi2D1F47A9" + }, + "type": "REQUEST", + "authorizerUri": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + ":", + { + "Fn::GetAtt": [ + "MyAuthorizerFunction70F1223E", + "Arn" + ] + } + ] + } + ] + }, + ":apigateway:", + { + "Fn::Select": [ + 3, + { + "Fn::Split": [ + ":", + { + "Fn::GetAtt": [ + "MyAuthorizerFunction70F1223E", + "Arn" + ] + } + ] + } + ] + }, + ":lambda:path/2015-03-31/functions/", + { + "Fn::GetAtt": [ + "MyAuthorizerFunction70F1223E", + "Arn" + ] + }, + "/invocations" + ] + ] + }, + "identitySource": "method.request.header.Authorization,method.request.querystring.allow" + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-apigateway.CfnAuthorizer", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-apigateway.RequestAuthorizer", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "RequestAuthorizerInteg/BootstrapVersion", + "constructInfo": { + "fqn": "@aws-cdk/core.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "RequestAuthorizerInteg/CheckBootstrapVersion", + "constructInfo": { + "fqn": "@aws-cdk/core.CfnRule", + "version": "0.0.0" + } } }, + "constructInfo": { + "fqn": "@aws-cdk/core.Stack", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.85" + 
"version": "10.1.189" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" + "fqn": "@aws-cdk/core.App", + "version": "0.0.0" } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.ts b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.ts index 60ec86b2430a3..169355dad134f 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.ts +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.ts @@ -26,6 +26,11 @@ const authorizer = new RequestAuthorizer(stack, 'MyAuthorizer', { identitySources: [IdentitySource.header('Authorization'), IdentitySource.queryString('allow')], }); +const secondAuthorizer = new RequestAuthorizer(stack, 'MySecondAuthorizer', { + handler: authorizerFn, + identitySources: [IdentitySource.header('Authorization'), IdentitySource.queryString('allow')], +}); + restapi.root.addMethod('ANY', new MockIntegration({ integrationResponses: [ { statusCode: '200' }, @@ -40,3 +45,18 @@ restapi.root.addMethod('ANY', new MockIntegration({ ], authorizer, }); + +restapi.root.resourceForPath('auth').addMethod('ANY', new MockIntegration({ + integrationResponses: [ + { statusCode: '200' }, + ], + passthroughBehavior: PassthroughBehavior.NEVER, + requestTemplates: { + 'application/json': '{ "statusCode": 200 }', + }, +}), { + methodResponses: [ + { statusCode: '200' }, + ], + authorizer: secondAuthorizer, +}); diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/TokenAuthorizerIAMRoleInteg.assets.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/TokenAuthorizerIAMRoleInteg.assets.json index ce783b73b0f18..c72486df32a45 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/TokenAuthorizerIAMRoleInteg.assets.json 
+++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/TokenAuthorizerIAMRoleInteg.assets.json @@ -1,5 +1,5 @@ { - "version": "20.0.0", + "version": "22.0.0", "files": { "fec8e8354e12687c5a4b843b4e269741f53dec634946869b276f7fd1017845c3": { "source": { @@ -14,7 +14,7 @@ } } }, - "ca126ba9a02884a8dc3612e63dc5ab11b76fc4f7b3e1901d9081bac728c3a32a": { + "5fdd271d3e3ca8dcde2fe1c2529c3b6fc2527c7812e6edcf239bf1ad6043152b": { "source": { "path": "TokenAuthorizerIAMRoleInteg.template.json", "packaging": "file" @@ -22,7 +22,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "ca126ba9a02884a8dc3612e63dc5ab11b76fc4f7b3e1901d9081bac728c3a32a.json", + "objectKey": "5fdd271d3e3ca8dcde2fe1c2529c3b6fc2527c7812e6edcf239bf1ad6043152b.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/TokenAuthorizerIAMRoleInteg.template.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/TokenAuthorizerIAMRoleInteg.template.json index 504a0d98e04e0..6c0415656d799 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/TokenAuthorizerIAMRoleInteg.template.json +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/TokenAuthorizerIAMRoleInteg.template.json @@ -233,7 +233,7 @@ "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain" }, - "MyRestApiDeploymentB555B582dcff966d69deeda8d47e3bf409ce29cb": { + "MyRestApiDeploymentB555B582694e8eb3fdb7b5f988ba347d35601979": { "Type": "AWS::ApiGateway::Deployment", "Properties": { "RestApiId": { 
@@ -242,6 +242,8 @@ "Description": "Automatically created by the RestApi construct" }, "DependsOn": [ + "MyAuthorizerauthorizerInvokePolicy0F88B8E1", + "MyAuthorizer6575980E", "MyRestApiANY05143F93" ] }, @@ -252,7 +254,7 @@ "Ref": "MyRestApi2D1F47A9" }, "DeploymentId": { - "Ref": "MyRestApiDeploymentB555B582dcff966d69deeda8d47e3bf409ce29cb" + "Ref": "MyRestApiDeploymentB555B582694e8eb3fdb7b5f988ba347d35601979" }, "StageName": "prod" }, diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/cdk.out b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/cdk.out index 588d7b269d34f..145739f539580 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/cdk.out +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"20.0.0"} \ No newline at end of file +{"version":"22.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/iamtokenauthorizerDefaultTestDeployAssert87D47FBB.assets.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/iamtokenauthorizerDefaultTestDeployAssert87D47FBB.assets.json index af6ca95e1f7b1..5be62c8213017 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/iamtokenauthorizerDefaultTestDeployAssert87D47FBB.assets.json +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/iamtokenauthorizerDefaultTestDeployAssert87D47FBB.assets.json @@ -1,5 +1,5 @@ { - "version": "20.0.0", + "version": "22.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { 
diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/integ.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/integ.json index e65f7fb12db53..be0cefd589916 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/integ.json +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/integ.json @@ -1,11 +1,12 @@ { - "version": "20.0.0", + "version": "22.0.0", "testCases": { "iam-token-authorizer/DefaultTest": { "stacks": [ "TokenAuthorizerIAMRoleInteg" ], - "assertionStack": "iam-token-authorizer/DefaultTest/DeployAssert" + "assertionStack": "iam-token-authorizer/DefaultTest/DeployAssert", + "assertionStackName": "iamtokenauthorizerDefaultTestDeployAssert87D47FBB" } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/manifest.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/manifest.json index 2f3929acac683..4ccd364f7a5d0 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/manifest.json @@ -1,12 +1,6 @@ { - "version": "20.0.0", + "version": "22.0.0", "artifacts": { - "Tree": { - "type": "cdk:tree", - "properties": { - "file": "tree.json" - } - }, "TokenAuthorizerIAMRoleInteg.assets": { "type": "cdk:asset-manifest", "properties": { 
@@ -23,7 +17,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/ca126ba9a02884a8dc3612e63dc5ab11b76fc4f7b3e1901d9081bac728c3a32a.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/5fdd271d3e3ca8dcde2fe1c2529c3b6fc2527c7812e6edcf239bf1ad6043152b.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -90,7 +84,7 @@ "/TokenAuthorizerIAMRoleInteg/MyRestApi/Deployment/Resource": [ { "type": "aws:cdk:logicalId", - "data": "MyRestApiDeploymentB555B582dcff966d69deeda8d47e3bf409ce29cb" + "data": "MyRestApiDeploymentB555B582694e8eb3fdb7b5f988ba347d35601979" } ], "/TokenAuthorizerIAMRoleInteg/MyRestApi/DeploymentStage.prod/Resource": [ @@ -122,6 +116,15 @@ "type": "aws:cdk:logicalId", "data": "CheckBootstrapVersion" } + ], + "MyRestApiDeploymentB555B582dcff966d69deeda8d47e3bf409ce29cb": [ + { + "type": "aws:cdk:logicalId", + "data": "MyRestApiDeploymentB555B582dcff966d69deeda8d47e3bf409ce29cb", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" + ] + } ] }, "displayName": "TokenAuthorizerIAMRoleInteg" @@ -172,6 +175,12 @@ ] }, "displayName": "iam-token-authorizer/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/tree.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/tree.json index f3b5869471ce3..6d0f5f9394ca3 100644 
--- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/tree.json @@ -4,14 +4,6 @@ "id": "App", "path": "", "children": { - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" - } - }, "TokenAuthorizerIAMRoleInteg": { "id": "TokenAuthorizerIAMRoleInteg", "path": "TokenAuthorizerIAMRoleInteg", @@ -24,6 +16,14 @@ "id": "ServiceRole", "path": "TokenAuthorizerIAMRoleInteg/MyAuthorizerFunction/ServiceRole", "children": { + "ImportServiceRole": { + "id": "ImportServiceRole", + "path": "TokenAuthorizerIAMRoleInteg/MyAuthorizerFunction/ServiceRole/ImportServiceRole", + "constructInfo": { + "fqn": "@aws-cdk/core.Resource", + "version": "0.0.0" + } + }, "Resource": { "id": "Resource", "path": "TokenAuthorizerIAMRoleInteg/MyAuthorizerFunction/ServiceRole/Resource", @@ -77,8 +77,8 @@ "id": "Stage", "path": "TokenAuthorizerIAMRoleInteg/MyAuthorizerFunction/Code/Stage", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" + "fqn": "@aws-cdk/core.AssetStaging", + "version": "0.0.0" } }, "AssetBucket": { @@ -132,6 +132,14 @@ "id": "authorizerRole", "path": "TokenAuthorizerIAMRoleInteg/authorizerRole", "children": { + "ImportauthorizerRole": { + "id": "ImportauthorizerRole", + "path": "TokenAuthorizerIAMRoleInteg/authorizerRole/ImportauthorizerRole", + "constructInfo": { + "fqn": "@aws-cdk/core.Resource", + "version": "0.0.0" + } + }, "Resource": { "id": "Resource", "path": "TokenAuthorizerIAMRoleInteg/authorizerRole/Resource", 
@@ -329,6 +337,14 @@ "id": "CloudWatchRole", "path": "TokenAuthorizerIAMRoleInteg/MyRestApi/CloudWatchRole", "children": { + "ImportCloudWatchRole": { + "id": "ImportCloudWatchRole", + "path": "TokenAuthorizerIAMRoleInteg/MyRestApi/CloudWatchRole/ImportCloudWatchRole", + "constructInfo": { + "fqn": "@aws-cdk/core.Resource", + "version": "0.0.0" + } + }, "Resource": { "id": "Resource", "path": "TokenAuthorizerIAMRoleInteg/MyRestApi/CloudWatchRole/Resource", @@ -434,7 +450,7 @@ "Ref": "MyRestApi2D1F47A9" }, "deploymentId": { - "Ref": "MyRestApiDeploymentB555B582dcff966d69deeda8d47e3bf409ce29cb" + "Ref": "MyRestApiDeploymentB555B582694e8eb3fdb7b5f988ba347d35601979" }, "stageName": "prod" } @@ -454,8 +470,8 @@ "id": "Endpoint", "path": "TokenAuthorizerIAMRoleInteg/MyRestApi/Endpoint", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" + "fqn": "@aws-cdk/core.CfnOutput", + "version": "0.0.0" } }, "Default": { @@ -527,11 +543,27 @@ "fqn": "@aws-cdk/aws-apigateway.RestApi", "version": "0.0.0" } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "TokenAuthorizerIAMRoleInteg/BootstrapVersion", + "constructInfo": { + "fqn": "@aws-cdk/core.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "TokenAuthorizerIAMRoleInteg/CheckBootstrapVersion", + "constructInfo": { + "fqn": "@aws-cdk/core.CfnRule", + "version": "0.0.0" + } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" + "fqn": "@aws-cdk/core.Stack", + "version": "0.0.0" } }, "iam-token-authorizer": { 
@@ -547,15 +579,33 @@ "path": "iam-token-authorizer/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.85" + "version": "10.1.168" } }, "DeployAssert": { "id": "DeployAssert", "path": "iam-token-authorizer/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "iam-token-authorizer/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "@aws-cdk/core.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "iam-token-authorizer/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "@aws-cdk/core.CfnRule", + "version": "0.0.0" + } + } + }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" + "fqn": "@aws-cdk/core.Stack", + "version": "0.0.0" } } }, @@ -569,11 +619,19 @@ "fqn": "@aws-cdk/integ-tests.IntegTest", "version": "0.0.0" } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.168" + } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" + "fqn": "@aws-cdk/core.App", + "version": "0.0.0" } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/TokenAuthorizerInteg.assets.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/TokenAuthorizerInteg.assets.json index 02ff71cc0d01f..144db7309dc98 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/TokenAuthorizerInteg.assets.json +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/TokenAuthorizerInteg.assets.json @@ -1,5 +1,5 @@ { - "version": "21.0.0", + "version": "22.0.0", "files": { "fec8e8354e12687c5a4b843b4e269741f53dec634946869b276f7fd1017845c3": { "source": { 
@@ -14,7 +14,7 @@ } } }, - "d48b90b340d35b9bc726b78e652d17148e2449f6f756e4377428635071f68d09": { + "3ef3f0473a2312add1b6eeec16180f638b07d97828baa8745a05728ef3a87074": { "source": { "path": "TokenAuthorizerInteg.template.json", "packaging": "file" @@ -22,7 +22,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "d48b90b340d35b9bc726b78e652d17148e2449f6f756e4377428635071f68d09.json", + "objectKey": "3ef3f0473a2312add1b6eeec16180f638b07d97828baa8745a05728ef3a87074.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/TokenAuthorizerInteg.template.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/TokenAuthorizerInteg.template.json index 3d2e9d31fafd1..a226c574ab92c 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/TokenAuthorizerInteg.template.json +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/TokenAuthorizerInteg.template.json @@ -208,7 +208,7 @@ "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain" }, - "MyRestApiDeploymentB555B582464879c8d1f9fcce2500f142532cdaec": { + "MyRestApiDeploymentB555B5822d29e7cc325d84a3264c658c75a9d43a": { "Type": "AWS::ApiGateway::Deployment", "Properties": { "RestApiId": { @@ -217,6 +217,7 @@ "Description": "Automatically created by the RestApi construct" }, "DependsOn": [ + "MyAuthorizer6575980E", "MyRestApiANY05143F93", "MyRestApiOPTIONS43BD7BF4" ] @@ -228,7 +229,7 @@ "Ref": "MyRestApi2D1F47A9" }, "DeploymentId": { - "Ref": "MyRestApiDeploymentB555B582464879c8d1f9fcce2500f142532cdaec" + "Ref": "MyRestApiDeploymentB555B5822d29e7cc325d84a3264c658c75a9d43a" }, "StageName": "prod" }, 
diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/apigwtokenauthDefaultTestDeployAssert2CF60E05.assets.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/apigwtokenauthDefaultTestDeployAssert2CF60E05.assets.json index 5ff8adbfac7a7..db76c4d9514d0 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/apigwtokenauthDefaultTestDeployAssert2CF60E05.assets.json +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/apigwtokenauthDefaultTestDeployAssert2CF60E05.assets.json @@ -1,20 +1,20 @@ { - "version": "21.0.0", + "version": "22.0.0", "files": { - "456da4984f762c1c25e94bd5f2df6758d2b0884d0dae8ca59bb8f4e3de7c2136": { + "382ba2a8fd0a13f6782aec5543e465f988f5c100f35ed20f90cd96b8ee53f674": { "source": { - "path": "asset.456da4984f762c1c25e94bd5f2df6758d2b0884d0dae8ca59bb8f4e3de7c2136.bundle", + "path": "asset.382ba2a8fd0a13f6782aec5543e465f988f5c100f35ed20f90cd96b8ee53f674.bundle", "packaging": "zip" }, "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "456da4984f762c1c25e94bd5f2df6758d2b0884d0dae8ca59bb8f4e3de7c2136.zip", + "objectKey": "382ba2a8fd0a13f6782aec5543e465f988f5c100f35ed20f90cd96b8ee53f674.zip", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } }, - "663a8c1a16f9e427d0ecfe2215cb471b582dfce87e95f6bbf85d32c371692ece": { + "52fafe59d21141477256755bcebd4385222337a65ba87eac0399ec8dc24a2702": { "source": { "path": "apigwtokenauthDefaultTestDeployAssert2CF60E05.template.json", "packaging": "file" 
@@ -22,7 +22,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "663a8c1a16f9e427d0ecfe2215cb471b582dfce87e95f6bbf85d32c371692ece.json", + "objectKey": "52fafe59d21141477256755bcebd4385222337a65ba87eac0399ec8dc24a2702.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/apigwtokenauthDefaultTestDeployAssert2CF60E05.template.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/apigwtokenauthDefaultTestDeployAssert2CF60E05.template.json index e1e122baa02da..1883011cbabbf 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/apigwtokenauthDefaultTestDeployAssert2CF60E05.template.json +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/apigwtokenauthDefaultTestDeployAssert2CF60E05.template.json @@ -19,7 +19,7 @@ "Payload": "{\"method\":\"GET\",\"authorization\":\"allow\"}" }, "flattenResponse": "false", - "salt": "1665080757293" + "salt": "1670026030165" }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" @@ -199,7 +199,7 @@ "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" }, - "S3Key": "456da4984f762c1c25e94bd5f2df6758d2b0884d0dae8ca59bb8f4e3de7c2136.zip" + "S3Key": "382ba2a8fd0a13f6782aec5543e465f988f5c100f35ed20f90cd96b8ee53f674.zip" }, "Timeout": 120, "Handler": "index.handler", @@ -230,7 +230,7 @@ "Payload": "{\"method\":\"GET\",\"authorization\":\"deny\"}" }, "flattenResponse": "false", - "salt": "1665080757294" + "salt": "1670026030166" }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" 
@@ -269,7 +269,7 @@ "Payload": "{\"method\":\"OPTIONS\"}" }, "flattenResponse": "false", - "salt": "1665080757295" + "salt": "1670026030167" }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/asset.456da4984f762c1c25e94bd5f2df6758d2b0884d0dae8ca59bb8f4e3de7c2136.bundle/index.js b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/asset.382ba2a8fd0a13f6782aec5543e465f988f5c100f35ed20f90cd96b8ee53f674.bundle/index.js similarity index 82% rename from packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/asset.456da4984f762c1c25e94bd5f2df6758d2b0884d0dae8ca59bb8f4e3de7c2136.bundle/index.js rename to packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/asset.382ba2a8fd0a13f6782aec5543e465f988f5c100f35ed20f90cd96b8ee53f674.bundle/index.js index afcb0cbcfe30a..ffbf23bc9533f 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/asset.456da4984f762c1c25e94bd5f2df6758d2b0884d0dae8ca59bb8f4e3de7c2136.bundle/index.js +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/asset.382ba2a8fd0a13f6782aec5543e465f988f5c100f35ed20f90cd96b8ee53f674.bundle/index.js @@ -1,3 +1,4 @@ +"use strict"; var __create = Object.create; var __defProp = Object.defineProperty; var __getOwnPropDesc = Object.getOwnPropertyDescriptor; @@ -25,7 +26,9 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru // lib/assertions/providers/lambda-handler/index.ts var lambda_handler_exports = {}; __export(lambda_handler_exports, { - handler: () => handler + handler: () => handler, + isComplete: () => isComplete, + onTimeout: () => onTimeout }); module.exports = __toCommonJS(lambda_handler_exports); 
@@ -385,6 +388,7 @@ var StringLikeRegexpMatch = class extends Matcher { // lib/assertions/providers/lambda-handler/base.ts var https = __toESM(require("https")); var url = __toESM(require("url")); +var AWS = __toESM(require("aws-sdk")); var CustomResourceHandler = class { constructor(event, context) { this.event = event; @@ -403,8 +407,18 @@ var CustomResourceHandler = class { } async handle() { try { - const response = await this.processEvent(this.event.ResourceProperties); - return response; + if ("stateMachineArn" in this.event.ResourceProperties) { + const req = { + stateMachineArn: this.event.ResourceProperties.stateMachineArn, + name: this.event.RequestId, + input: JSON.stringify(this.event) + }; + await this.startExecution(req); + return; + } else { + const response = await this.processEvent(this.event.ResourceProperties); + return response; + } } catch (e) { console.log(e); throw e; @@ -412,6 +426,25 @@ var CustomResourceHandler = class { clearTimeout(this.timeout); } } + async handleIsComplete() { + try { + const result = await this.processEvent(this.event.ResourceProperties); + return result; + } catch (e) { + console.log(e); + return; + } finally { + clearTimeout(this.timeout); + } + } + async startExecution(req) { + try { + const sfn = new AWS.StepFunctions(); + await sfn.startExecution(req).promise(); + } finally { + clearTimeout(this.timeout); + } + } respond(response) { if (this.timedOut) { return; @@ -443,6 +476,8 @@ var CustomResourceHandler = class { request2.end(); } catch (e) { reject(e); + } finally { + clearTimeout(this.timeout); } }); } 
@@ -564,12 +599,12 @@ function flatten(object) { } var AwsApiCallHandler = class extends CustomResourceHandler { async processEvent(request2) { - const AWS = require("aws-sdk"); - console.log(`AWS SDK VERSION: ${AWS.VERSION}`); - if (!Object.prototype.hasOwnProperty.call(AWS, request2.service)) { - throw Error(`Service ${request2.service} does not exist in AWS SDK version ${AWS.VERSION}.`); + const AWS2 = require("aws-sdk"); + console.log(`AWS SDK VERSION: ${AWS2.VERSION}`); + if (!Object.prototype.hasOwnProperty.call(AWS2, request2.service)) { + throw Error(`Service ${request2.service} does not exist in AWS SDK version ${AWS2.VERSION}.`); } - const service = new AWS[request2.service](); + const service = new AWS2[request2.service](); const response = await service[request2.api](request2.parameters && decode(request2.parameters)).promise(); console.log(`SDK response received ${JSON.stringify(response)}`); delete response.ResponseMetadata; @@ -579,11 +614,26 @@ var AwsApiCallHandler = class extends CustomResourceHandler { const flatData = { ...flatten(respond) }; - const resp = request2.flattenResponse === "true" ? flatData : respond; + let resp = respond; + if (request2.outputPaths) { + resp = filterKeys(flatData, request2.outputPaths); + } else if (request2.flattenResponse === "true") { + resp = flatData; + } console.log(`Returning result ${JSON.stringify(resp)}`); return resp; } }; +function filterKeys(object, searchStrings) { + return Object.entries(object).reduce((filteredObject, [key, value]) => { + for (const searchString of searchStrings) { + if (key.startsWith(`apiCallResponse.${searchString}`)) { + filteredObject[key] = value; + } + } + return filteredObject; + }, {}); +} function isJsonString(value) { try { return JSON.parse(value); 
@@ -609,9 +659,13 @@ async function handler(event, context) { return; } const result = await provider.handle(); - const actualPath = event.ResourceProperties.actualPath; - const actual = actualPath ? result[`apiCallResponse.${actualPath}`] : result.apiCallResponse; - if ("expected" in event.ResourceProperties) { + if ("stateMachineArn" in event.ResourceProperties) { + console.info('Found "stateMachineArn", waiter statemachine started'); + return; + } else if ("expected" in event.ResourceProperties) { + console.info('Found "expected", testing assertions'); + const actualPath = event.ResourceProperties.actualPath; + const actual = actualPath ? result[`apiCallResponse.${actualPath}`] : result.apiCallResponse; const assertion = new AssertionHandler({ ...event, ResourceProperties: { 
@@ -653,6 +707,62 @@ async function handler(event, context) { } return; } +async function onTimeout(timeoutEvent) { + const isCompleteRequest = JSON.parse(JSON.parse(timeoutEvent.Cause).errorMessage); + const provider = createResourceHandler(isCompleteRequest, standardContext); + await provider.respond({ + status: "FAILED", + reason: "Operation timed out: " + JSON.stringify(isCompleteRequest) + }); +} +async function isComplete(event, context) { + console.log(`Event: ${JSON.stringify({ ...event, ResponseURL: "..." })}`); + const provider = createResourceHandler(event, context); + try { + const result = await provider.handleIsComplete(); + const actualPath = event.ResourceProperties.actualPath; + if (result) { + const actual = actualPath ? result[`apiCallResponse.${actualPath}`] : result.apiCallResponse; + if ("expected" in event.ResourceProperties) { + const assertion = new AssertionHandler({ + ...event, + ResourceProperties: { + ServiceToken: event.ServiceToken, + actual, + expected: event.ResourceProperties.expected + } + }, context); + const assertionResult = await assertion.handleIsComplete(); + if (!(assertionResult == null ? void 0 : assertionResult.failed)) { + await provider.respond({ + status: "SUCCESS", + reason: "OK", + data: { + ...assertionResult, + ...result + } + }); + return; + } else { + console.log(`Assertion Failed: ${JSON.stringify(assertionResult)}`); + throw new Error(JSON.stringify(event)); + } + } + await provider.respond({ + status: "SUCCESS", + reason: "OK", + data: result + }); + } else { + console.log("No result"); + throw new Error(JSON.stringify(event)); + } + return; + } catch (e) { + console.log(e); + throw new Error(JSON.stringify(event)); + } +} function createResourceHandler(event, context) { if (event.ResourceType.startsWith(SDK_RESOURCE_TYPE_PREFIX)) { return new AwsApiCallHandler(event, context); 
@@ -662,7 +772,12 @@ function createResourceHandler(event, context) { throw new Error(`Unsupported resource type "${event.ResourceType}`); } } +var standardContext = { + getRemainingTimeInMillis: () => 9e4 +}; // Annotate the CommonJS export names for ESM import in node: 0 && (module.exports = { - handler + handler, + isComplete, + onTimeout }); diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/cdk.out b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/cdk.out index 8ecc185e9dbee..145739f539580 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/cdk.out +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"21.0.0"} \ No newline at end of file +{"version":"22.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/integ.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/integ.json index e967d654f2819..080bde5b55794 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/integ.json +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "21.0.0", + "version": "22.0.0", "testCases": { "apigw-token-auth/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/manifest.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/manifest.json index d2bf3e547ad21..975ac0a9e56f4 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/manifest.json 
@@ -1,12 +1,6 @@ { - "version": "21.0.0", + "version": "22.0.0", "artifacts": { - "Tree": { - "type": "cdk:tree", - "properties": { - "file": "tree.json" - } - }, "TokenAuthorizerInteg.assets": { "type": "cdk:asset-manifest", "properties": { @@ -23,7 +17,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/d48b90b340d35b9bc726b78e652d17148e2449f6f756e4377428635071f68d09.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/3ef3f0473a2312add1b6eeec16180f638b07d97828baa8745a05728ef3a87074.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -84,7 +78,7 @@ "/TokenAuthorizerInteg/MyRestApi/Deployment/Resource": [ { "type": "aws:cdk:logicalId", - "data": "MyRestApiDeploymentB555B582464879c8d1f9fcce2500f142532cdaec" + "data": "MyRestApiDeploymentB555B5822d29e7cc325d84a3264c658c75a9d43a" } ], "/TokenAuthorizerInteg/MyRestApi/DeploymentStage.prod/Resource": [ @@ -140,6 +134,15 @@ "type": "aws:cdk:logicalId", "data": "CheckBootstrapVersion" } + ], + "MyRestApiDeploymentB555B582464879c8d1f9fcce2500f142532cdaec": [ + { + "type": "aws:cdk:logicalId", + "data": "MyRestApiDeploymentB555B582464879c8d1f9fcce2500f142532cdaec", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" + ] + } ] }, "displayName": "TokenAuthorizerInteg" 
@@ -160,7 +163,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/663a8c1a16f9e427d0ecfe2215cb471b582dfce87e95f6bbf85d32c371692ece.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/52fafe59d21141477256755bcebd4385222337a65ba87eac0399ec8dc24a2702.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -257,6 +260,12 @@ ] }, "displayName": "apigw-token-auth/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/tree.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/tree.json index 2dc4bcb660eab..74b779ad07db7 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/tree.json @@ -4,14 +4,6 @@ "id": "App", "path": "", "children": { - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.108" - } - }, "TokenAuthorizerInteg": { "id": "TokenAuthorizerInteg", "path": "TokenAuthorizerInteg", 
@@ -24,6 +16,14 @@ "id": "ServiceRole", "path": "TokenAuthorizerInteg/MyAuthorizerFunction/ServiceRole", "children": { + "ImportServiceRole": { + "id": "ImportServiceRole", + "path": "TokenAuthorizerInteg/MyAuthorizerFunction/ServiceRole/ImportServiceRole", + "constructInfo": { + "fqn": "@aws-cdk/core.Resource", + "version": "0.0.0" + } + }, "Resource": { "id": "Resource", "path": "TokenAuthorizerInteg/MyAuthorizerFunction/ServiceRole/Resource", @@ -276,6 +276,14 @@ "id": "CloudWatchRole", "path": "TokenAuthorizerInteg/MyRestApi/CloudWatchRole", "children": { + "ImportCloudWatchRole": { + "id": "ImportCloudWatchRole", + "path": "TokenAuthorizerInteg/MyRestApi/CloudWatchRole/ImportCloudWatchRole", + "constructInfo": { + "fqn": "@aws-cdk/core.Resource", + "version": "0.0.0" + } + }, "Resource": { "id": "Resource", "path": "TokenAuthorizerInteg/MyRestApi/CloudWatchRole/Resource", @@ -381,7 +389,7 @@ "Ref": "MyRestApi2D1F47A9" }, "deploymentId": { - "Ref": "MyRestApiDeploymentB555B582464879c8d1f9fcce2500f142532cdaec" + "Ref": "MyRestApiDeploymentB555B5822d29e7cc325d84a3264c658c75a9d43a" }, "stageName": "prod" } @@ -543,6 +551,14 @@ "id": "ServiceRole", "path": "TokenAuthorizerInteg/InvokeFunction/ServiceRole", "children": { + "ImportServiceRole": { + "id": "ImportServiceRole", + "path": "TokenAuthorizerInteg/InvokeFunction/ServiceRole/ImportServiceRole", + "constructInfo": { + "fqn": "@aws-cdk/core.Resource", + "version": "0.0.0" + } + }, "Resource": { "id": "Resource", "path": "TokenAuthorizerInteg/InvokeFunction/ServiceRole/Resource", 
@@ -658,7 +674,23 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.108" + "version": "10.1.168" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "TokenAuthorizerInteg/BootstrapVersion", + "constructInfo": { + "fqn": "@aws-cdk/core.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "TokenAuthorizerInteg/CheckBootstrapVersion", + "constructInfo": { + "fqn": "@aws-cdk/core.CfnRule", + "version": "0.0.0" } } }, @@ -680,7 +712,7 @@ "path": "apigw-token-auth/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.108" + "version": "10.1.168" } }, "DeployAssert": { @@ -700,7 +732,7 @@ "path": "apigw-token-auth/DefaultTest/DeployAssert/LambdaInvoke3deec958b1e945795e38da5fc2f86753/SdkProvider/AssertionsProvider", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.108" + "version": "10.1.168" } } }, @@ -780,7 +812,7 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.108" + "version": "10.1.168" } }, "LambdaInvoke8e1b9f979f2329abf1ed6574d33d391a": { @@ -796,7 +828,7 @@ "path": "apigw-token-auth/DefaultTest/DeployAssert/LambdaInvoke8e1b9f979f2329abf1ed6574d33d391a/SdkProvider/AssertionsProvider", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.108" + "version": "10.1.168" } } }, @@ -858,7 +890,7 @@ "path": "apigw-token-auth/DefaultTest/DeployAssert/LambdaInvoke0532e3d95b2a56b147278c621e5800c4/SdkProvider/AssertionsProvider", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.108" + "version": "10.1.168" } } }, 
@@ -906,6 +938,22 @@ "fqn": "@aws-cdk/integ-tests.LambdaInvokeFunction", "version": "0.0.0" } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "apigw-token-auth/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "@aws-cdk/core.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "apigw-token-auth/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "@aws-cdk/core.CfnRule", + "version": "0.0.0" + } } }, "constructInfo": { @@ -924,6 +972,14 @@ "fqn": "@aws-cdk/integ-tests.IntegTest", "version": "0.0.0" } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.168" + } } }, "constructInfo": { diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/lambda.test.ts b/packages/@aws-cdk/aws-apigateway/test/authorizers/lambda.test.ts index 54bc61807c662..cef396426d377 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/lambda.test.ts +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/lambda.test.ts 
@@ -524,4 +524,129 @@ describe('lambda authorizer', () => { expect(() => stack.resolve(auth.authorizerArn)).toThrow(/must be attached to a RestApi/); }); + + test('rest api depends on the token authorizer when @aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId is enabled', () => { + const stack = new Stack(); + stack.node.setContext('@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId', true); + + const func = new lambda.Function(stack, 'myfunction', { + handler: 'handler', + code: lambda.Code.fromInline('foo'), + runtime: lambda.Runtime.NODEJS_18_X, + }); + + const auth = new TokenAuthorizer(stack, 'myauthorizer', { + handler: func, + }); + + const restApi = new RestApi(stack, 'myrestapi'); + restApi.root.addMethod('ANY', undefined, { + authorizer: auth, + authorizationType: AuthorizationType.CUSTOM, + }); + + const template = Template.fromStack(stack); + + const authorizerId = Object.keys(template.findResources('AWS::ApiGateway::Authorizer'))[0]; + const deployment = Object.values(template.findResources('AWS::ApiGateway::Deployment'))[0]; + + expect(deployment.DependsOn).toEqual(expect.arrayContaining([authorizerId])); + }); + + test('rest api depends on the request authorizer when @aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId is enabled', () => { + const stack = new Stack(); + stack.node.setContext('@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId', true); + + const func = new lambda.Function(stack, 'myfunction', { + handler: 'handler', + code: lambda.Code.fromInline('foo'), + runtime: lambda.Runtime.NODEJS_14_X, + }); + + const auth = new RequestAuthorizer(stack, 'myauthorizer', { + handler: func, + resultsCacheTtl: Duration.seconds(0), + identitySources: [], + }); + + const restApi = new RestApi(stack, 'myrestapi'); + restApi.root.addMethod('ANY', undefined, { + authorizer: auth, + authorizationType: AuthorizationType.CUSTOM, + }); + + const template = Template.fromStack(stack); + + const authorizerId = 
Object.keys(template.findResources('AWS::ApiGateway::Authorizer'))[0]; + const deployment = Object.values(template.findResources('AWS::ApiGateway::Deployment'))[0]; + + expect(deployment.DependsOn).toEqual(expect.arrayContaining([authorizerId])); + }); + + test('a new deployment is created when a lambda function changes name and @aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId is enabled', () => { + const createApiTemplate = (lambdaFunctionName: string) => { + const stack = new Stack(); + stack.node.setContext('@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId', true); + + const func = new lambda.Function(stack, 'myfunction', { + handler: 'handler', + functionName: lambdaFunctionName, + code: lambda.Code.fromInline('foo'), + runtime: lambda.Runtime.NODEJS_18_X, + }); + + const auth = new RequestAuthorizer(stack, 'myauthorizer', { + handler: func, + resultsCacheTtl: Duration.seconds(0), + identitySources: [], + }); + + const restApi = new RestApi(stack, 'myrestapi'); + restApi.root.addMethod('ANY', undefined, { + authorizer: auth, + authorizationType: AuthorizationType.CUSTOM, + }); + + return Template.fromStack(stack); + }; + + const oldTemplate = createApiTemplate('foo'); + const newTemplate = createApiTemplate('bar'); + + const oldDeploymentId = Object.keys(oldTemplate.findResources('AWS::ApiGateway::Deployment'))[0]; + const newDeploymentId = Object.keys(newTemplate.findResources('AWS::ApiGateway::Deployment'))[0]; + + expect(oldDeploymentId).not.toEqual(newDeploymentId); + }); + + test('a new deployment is created when an imported lambda function changes name and @aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId is enabled', () => { + const createApiTemplate = (lambdaFunctionName: string) => { + const stack = new Stack(); + stack.node.setContext('@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId', true); + + const func = lambda.Function.fromFunctionName(stack, 'myfunction', lambdaFunctionName); + + const auth = new 
RequestAuthorizer(stack, 'myauthorizer', { + handler: func, + resultsCacheTtl: Duration.seconds(0), + identitySources: [], + }); + + const restApi = new RestApi(stack, 'myrestapi'); + restApi.root.addMethod('ANY', undefined, { + authorizer: auth, + authorizationType: AuthorizationType.CUSTOM, + }); + + return Template.fromStack(stack); + }; + + const oldTemplate = createApiTemplate('foo'); + const newTemplate = createApiTemplate('bar'); + + const oldDeploymentId = Object.keys(oldTemplate.findResources('AWS::ApiGateway::Deployment'))[0]; + const newDeploymentId = Object.keys(newTemplate.findResources('AWS::ApiGateway::Deployment'))[0]; + + expect(oldDeploymentId).not.toEqual(newDeploymentId); + }); }); diff --git a/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md b/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md index f8111a0022ce9..a74f43eb4b276 100644 --- a/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md +++ b/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md 
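Review bot: All four added tests set `@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId` to true, so nothing here pins the behaviour when the flag is unset, which is the state existing apps are in. A companion case that reuses `createApiTemplate` without the `setContext` call and ends in `expect(oldDeploymentId).toEqual(newDeploymentId);` would guard against the deployment logical ID changing for stacks that have not opted in. That expected value is inferred from the flag's description and should be confirmed against the current hash inputs. The second test also uses `lambda.Runtime.NODEJS_14_X` where the other three use `NODEJS_18_X`; aligning them keeps the fixtures uniform. The enclosing `describe('lambda authorizer', ...)` block starts outside the hunk.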
@@ -43,6 +43,7 @@ Flags come in three types: | [@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy](#aws-cdkaws-s3serveraccesslogsusebucketpolicy) | Use S3 Bucket Policy instead of ACLs for Server Access Logging | 2.59.0 | (fix) | | [@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName](#aws-cdkaws-iamimportedrolestacksafedefaultpolicyname) | Enable this feature to by default create default policy names for imported roles that depend on the stack the role is in. | 2.60.0 | (fix) | | [@aws-cdk/customresources:installLatestAwsSdkDefault](#aws-cdkcustomresourcesinstalllatestawssdkdefault) | Whether to install the latest SDK by default in AwsCustomResource | 2.60.0 | (default) | +| [@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId](#aws-cdkaws-apigatewayauthorizerchangedeploymentlogicalid) | Include authorizer configuration in the calculation of the API deployment logical ID. | V2NEXT | (fix) | | [@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup](#aws-cdkaws-codedeployremovealarmsfromdeploymentgroup) | Remove CloudWatch alarms from deployment group | V2NEXT | (fix) | | [@aws-cdk/aws-rds:databaseProxyUniqueResourceName](#aws-cdkaws-rdsdatabaseproxyuniqueresourcename) | Use unique resource name for Database Proxy | V2NEXT | (fix) | @@ -80,7 +81,8 @@ The following json shows the current recommended set of flags, as `cdk init` wou "@aws-cdk/aws-route53-patters:useCertificate": true, "@aws-cdk/customresources:installLatestAwsSdkDefault": false, "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true, - "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true + "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true, + "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true } } ``` 
@@ -782,6 +784,22 @@ flag on a resource-by-resource basis to enable it if necessary. **Compatibility with old behavior:** Set installLatestAwsSdk: true on all resources that need it. +### @aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId + +*Include authorizer configuration in the calculation of the API deployment logical ID.* (fix) + +The logical ID of the AWS::ApiGateway::Deployment resource is calculated by hashing +the API configuration, including methods, and resources, etc. Enable this feature flag +to also include the configuration of any authorizer attached to the API in the +calculation, so any changes made to an authorizer will create a new deployment. + + +| Since | Default | Recommended | +| ----- | ----- | ----- | +| (not in v1) | | | +| V2NEXT | `false` | `true` | + + ### @aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup *Remove CloudWatch alarms from deployment group* (fix) diff --git a/packages/@aws-cdk/cx-api/lib/features.ts b/packages/@aws-cdk/cx-api/lib/features.ts index 469bcdcd2d93d..bd4c9a44f3610 100644 --- a/packages/@aws-cdk/cx-api/lib/features.ts +++ b/packages/@aws-cdk/cx-api/lib/features.ts @@ -80,6 +80,7 @@ export const ROUTE53_PATTERNS_USE_CERTIFICATE = '@aws-cdk/aws-route53-patters:us export const AWS_CUSTOM_RESOURCE_LATEST_SDK_DEFAULT = '@aws-cdk/customresources:installLatestAwsSdkDefault'; export const DATABASE_PROXY_UNIQUE_RESOURCE_NAME = '@aws-cdk/aws-rds:databaseProxyUniqueResourceName'; export const CODEDEPLOY_REMOVE_ALARMS_FROM_DEPLOYMENT_GROUP = '@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup'; +export const APIGATEWAY_AUTHORIZER_CHANGE_DEPLOYMENT_LOGICAL_ID = '@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId'; export const FLAGS: Record = { ////////////////////////////////////////////////////////////////////// 
@@ -659,6 +660,19 @@ export const FLAGS: Record = { introducedIn: { v2: 'V2NEXT' }, recommendedValue: true, }, + + [APIGATEWAY_AUTHORIZER_CHANGE_DEPLOYMENT_LOGICAL_ID]: { + type: FlagType.BugFix, + summary: 'Include authorizer configuration in the calculation of the API deployment logical ID.', + detailsMd: ` + The logical ID of the AWS::ApiGateway::Deployment resource is calculated by hashing + the API configuration, including methods, and resources, etc. Enable this feature flag + to also include the configuration of any authorizer attached to the API in the + calculation, so any changes made to an authorizer will create a new deployment. + `, + introducedIn: { v2: 'V2NEXT' }, + recommendedValue: true, + }, }; const CURRENT_MV = 'v2';
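Review bot: The `detailsMd` text for `APIGATEWAY_AUTHORIZER_CHANGE_DEPLOYMENT_LOGICAL_ID` does not say that turning the flag on in an existing app changes the deployment's logical ID. The regenerated manifest.json snapshot in this commit marks the old `MyRestApiDeploymentB555B582464879c8d1f9fcce2500f142532cdaec` entry with `!!DESTRUCTIVE_CHANGES: WILL_DESTROY`. I would add a sentence such as `Enabling this flag on an existing stack changes the logical ID, so the next deploy replaces the AWS::ApiGateway::Deployment resource.` It would also help to state what leaving it off means, since the FEATURE_FLAGS.md table lists the default as `false`: presumably authorizer edits are not picked up by a new deployment until something else changes the hash. The phrase `including methods, and resources, etc.` reads better as `including methods and resources`; the same wording appears in the FEATURE_FLAGS.md hunk, and the `FLAGS` object literal begins outside this hunk.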