-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(apigateway): Changes to authorizer does not cause latest deployment to update #16554
Comments
Thanks for filing this issue @kamzil. This is indeed a bug on our Since this has a workaround, I'm marking this as a p2 and unassigning myself. We are unable to work on this immediately. |
I ran into this when trying to update the authorizer settings. A new deployment isn't created and I'm not sure how to represent the changes to the authorizer as a string so I can add to the logical id. @nija-at is there a way to hash the attributes of a construct? |
This was reported internally as well -
|
…23215) ---- Closes #16554 (formerly #22808) The Rest API deployment needs to depend on all authorizers attached to the API, so there is a new deployment if any of the authorizers change. This is similar to what is already done for `Method`s. Includes trivial change to integ test. Note - Because this will change the logical ID of existing deployments, this is technically a breaking change, so I am not sure if it requires a feature flag. ### All Submissions: * [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Construct Runtime Dependencies: * [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [X] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
When you have an authorizer that has an imported Lambda from another stack set as handler (authorizerUri), and you change that ARN, authorizer will start failing with AuthorizerConfigurationException on requests to API endpoints that have that authorizer attached.
API Gateway logs reveal that the authorizer is still trying to invoke the Lambda with the old ARN, and fails because Lambda permission has already been replaced with one that contains the new ARN.
This is most likely because CDK won't create a new REST API deployment despite of updating the authorizerUri of the CfnAuthorizer construct.
Reproduction Steps
cdk deploy
your stackauthorizerLambdaFuncArn
to some other Lambda function's ARNAuthorizerConfigurationException
What did you expect to happen?
CDK should create a new deployment so that requests will be forwarded to the correct authorizer Lambda
What actually happened?
No new deployment created but Lambda Permission is updated, which leads to permission error.
Environment
Other
Workaround:
Add the following in your code:
This will cause CDK to create a new API deployment.
This is 🐛 Bug Report
The text was updated successfully, but these errors were encountered: