(apigateway): Changes to authorizer does not cause latest deployment to update #16554

Closed
kamzil opened this issue Sep 20, 2021 · 4 comments · Fixed by #23215
Labels
@aws-cdk/aws-apigateway Related to Amazon API Gateway bug This issue is a bug. effort/small Small work item – less than a day of effort p2

kamzil commented Sep 20, 2021

When you have an authorizer that has an imported Lambda from another stack set as handler (authorizerUri), and you change that ARN, the authorizer will start failing with AuthorizerConfigurationException on requests to API endpoints that have that authorizer attached.

API Gateway logs reveal that the authorizer is still trying to invoke the Lambda with the old ARN, and fails because the Lambda permission has already been replaced with one that contains the new ARN.

This is most likely because CDK won't create a new REST API deployment despite updating the authorizerUri of the CfnAuthorizer construct.

Reproduction Steps

  1. Add a new Lambda, REST API, authorizer and method to your stack. Authorizer Lambda should already exist in another stack:
    // Imports (CDK v1 module paths, matching the 1.123.0 environment listed below)
    import * as lambda from '@aws-cdk/aws-lambda'
    import { AuthorizationType, LambdaIntegration, RestApi, TokenAuthorizer } from '@aws-cdk/aws-apigateway'

    // Inside your Stack's constructor:
    // Lambda that should be served via your API
    const yourLambda = new lambda.Function(...)

    // Authorizer that uses a Lambda from another stack
    const authorizerLambdaFuncArn = 'authorizer-lambda-arn-goes-here'
    const someAuthorizer = new TokenAuthorizer(this, 'SomeAuthorizer', {
      authorizerName: 'someAuthorizer',
      handler: lambda.Function.fromFunctionArn(this, 'SomeAuthorizerFunction', authorizerLambdaFuncArn),
    })

    // REST API
    const restApi = new RestApi(this, 'SomeApi', {
      restApiName: 'some-api',
    })

    // API method configured with your Lambda and the authorizer
    restApi.root.addMethod('GET', new LambdaIntegration(yourLambda), {
      authorizationType: AuthorizationType.CUSTOM,
      authorizer: someAuthorizer,
    })
  2. cdk deploy your stack
  3. Requests to your API endpoint should successfully pass to the authorizer
  4. Change authorizerLambdaFuncArn to some other Lambda function's ARN
  5. Repeat step 2
  6. Requests to your API endpoint should now return AuthorizerConfigurationException

What did you expect to happen?

CDK should create a new deployment so that requests will be forwarded to the correct authorizer Lambda

What actually happened?

No new deployment is created, but the Lambda permission is updated, which leads to a permission error.

Environment

  • CDK CLI Version : 1.123.0
  • Framework Version: 1.123.0
  • Node.js Version: v14.17.5
  • OS : MacOS 10.15.7
  • Language (Version): TypeScript 4.3.5

Other

Workaround:

Add the following in your code:

    if (restApi.latestDeployment) {
      restApi.latestDeployment.addToLogicalId({
        someAuthorizerFunctionArn: authorizerLambdaFuncArn,
      })
    }

This will cause CDK to create a new API deployment.


This is 🐛 Bug Report
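
A pre-deploy check for the condition reported above, as an added example that is not part of the original post or of aws-cdk: it compares the currently deployed CloudFormation template with the newly synthesized one and lists authorizers whose properties changed while the REST API's `AWS::ApiGateway::Deployment` logical ID stayed the same. The function names, resource IDs and sample templates are constructed for illustration.

```typescript
// Added example, not aws-cdk code. Templates are plain CloudFormation JSON.
type Resource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources: Record<string, Resource> };

// Stable serialization so key order alone never counts as a change.
function canonical(v: unknown): string {
  if (Array.isArray(v)) return "[" + v.map(canonical).join(",") + "]";
  if (v !== null && typeof v === "object") {
    const o = v as Record<string, unknown>;
    const parts = Object.keys(o).sort().map((k) => JSON.stringify(k) + ":" + canonical(o[k]));
    return "{" + parts.join(",") + "}";
  }
  return JSON.stringify(v) ?? "null";
}

// Logical IDs of Deployment resources that belong to the given REST API.
function deploymentIds(t: Template, apiKey: string): string[] {
  return Object.keys(t.Resources).filter((id) => {
    const r = t.Resources[id];
    return r.Type === "AWS::ApiGateway::Deployment" && canonical(r.Properties?.RestApiId) === apiKey;
  });
}

// Authorizers whose properties changed between two synthesized templates
// while their REST API kept the same Deployment logical ID(s).
function staleAuthorizers(before: Template, after: Template): string[] {
  return Object.keys(after.Resources).filter((id) => {
    const now = after.Resources[id];
    const old = before.Resources[id];
    if (now.Type !== "AWS::ApiGateway::Authorizer" || !old) return false;
    if (canonical(old.Properties) === canonical(now.Properties)) return false;
    const api = canonical(now.Properties?.RestApiId);
    const known = deploymentIds(before, api);
    return deploymentIds(after, api).every((d) => known.indexOf(d) !== -1);
  });
}

// Constructed sample: one REST API, one TOKEN authorizer, one deployment.
function sample(authorizerUri: string, deploymentId: string): Template {
  return { Resources: {
    SomeApi: { Type: "AWS::ApiGateway::RestApi", Properties: { Name: "some-api" } },
    SomeAuthorizer: { Type: "AWS::ApiGateway::Authorizer", Properties: {
      RestApiId: { Ref: "SomeApi" }, Type: "TOKEN", AuthorizerUri: authorizerUri } },
    [deploymentId]: { Type: "AWS::ApiGateway::Deployment",
      Properties: { RestApiId: { Ref: "SomeApi" } } },
  } };
}

console.log(staleAuthorizers(sample("old-uri", "DeploymentAAAA"), sample("new-uri", "DeploymentAAAA")));
```

The check only sees differences that are visible in the template text; a value that changes behind an unchanged `Ref` produces no diff here.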

peterwoodworth changed the title from "(@aws-cdk/apigateway): Changing LambdaAuthorizer/TokenAuthorizer function ARN will cause AuthorizerConfigurationException" to "(apigateway): Changing LambdaAuthorizer/TokenAuthorizer function ARN will cause AuthorizerConfigurationException" on Sep 20, 2021

nija-at changed the title from "(apigateway): Changing LambdaAuthorizer/TokenAuthorizer function ARN will cause AuthorizerConfigurationException" to "(apigateway): Changes to authorizer does not cause latest deployment to update" on Sep 23, 2021

nija-at (Contributor) commented Sep 23, 2021

Thanks for filing this issue @kamzil. This is indeed a bug on our apigateway module.

Since this has a workaround, I'm marking this as a p2 and unassigning myself. We are unable to work on this immediately.


jonathan-kosgei commented Nov 12, 2021

I ran into this when trying to update the authorizer settings. A new deployment isn't created and I'm not sure how to represent the changes to the authorizer as a string so I can add to the logical id.

@nija-at is there a way to hash the attributes of a construct?

peterwoodworth (Contributor) commented

This was reported internally as well -

The cause is that the deploy? property is only able to pick up the changes to the AWS::ApiGateway::Method resource when there is a change in the template definition of the resource. That is if the LogicalID of the AWS::Lambda::Alias changes thus changing the Uri property of the 'AWS::ApiGateway::Method' resource in the template definition. - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apitgateway-method-integration.html#cfn-apigateway-method-integration-uri
It is not able to pick up the changes if the LogicalID of the AWS::Lambda::Alias does not change, but still the value of the Uri property of the AWS::ApiGateway::Method resource changes. This can happen when AWS::Lambda::Alias resource undergoes replacement update due to a change only in the property Name.
The issue is being caused as the deploy? property only checks the hash of the template definition of the AWS::ApiGateway resources (serialized CloudFormation JSON of CfnRestApi) but not the actual values of the properties of the resources. This is as seen here -

private calculateLogicalId() {

@mergify mergify bot closed this as completed in #23215 Feb 15, 2023
mergify bot pushed a commit that referenced this issue Feb 15, 2023
…23215)

----

Closes #16554 (formerly #22808)

The Rest API deployment needs to depend on all authorizers attached to the API, so there is a new deployment if any of the authorizers change. This is similar to what is already done for `Method`s. Includes trivial change to integ test.

Note - Because this will change the logical ID of existing deployments, this is technically a breaking change, so I am not sure if it requires a feature flag.

### All Submissions:

* [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Construct Runtime Dependencies:

* [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [X] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*