API Gateway: CDK fails to attach a cognito user pool authorizer to the construct #29535

Closed
sdpoueme opened this issue Mar 19, 2024 · 6 comments
Labels: @aws-cdk/aws-cognito (Related to Amazon Cognito), bug (This issue is a bug.), effort/medium (Medium work item – several days of effort), p2


sdpoueme commented Mar 19, 2024

Describe the bug

After defining a Cognito HalAuthorizer in openapi yaml (security Schema and endpoint) and attempting to correlate that with a CognitoUserPoolAuthorizer created in an API Gateway construct, the following error results:

```
RuntimeError: Error: Resolution error: Resolution error: Resolution error: Authorizer (xxxxxxStack/xxxApiDevConstruct/HalAuthorizer) must be attached to a RestApi.
Object creation stack:
```

Expected Behavior

The Authorizer should be attached to the REST API and the CDK deployment should succeed.

Current Behavior

CDK fails to attach the Cognito Authorizer and the Rest API creation is inconsistent.

Reproduction Steps

  1. Create a Cognito Authorizer in CDK and attach it to the API Gateway:

```python
authorizer = apigateway.CognitoUserPoolsAuthorizer(self, "myAuthorizer", cognito_user_pools=[user_pool])
```

See #7377, which is related to the same issue but mentions a case where separate stacks are used.

Possible Solution

The bug seems to be in the CognitoUserPoolsAuthorizer object and related to the following lines:

```python
api_gateway_to_lambda = OpenApiGatewayToLambda(
    self,
    id="OpenApiGatewayToLambda",
    api_integrations=[api_integration],
    api_definition_asset=api_definition_asset,
    api_gateway_props=rest_api_base_props,
)
```

Additional Information/Context

No response

CDK CLI Version

2.130.0 (build bd6e5ee)

Framework Version

Python 3.11.2

Node.js Version

N/A

OS

MacOS

Language

Python 3.11.2

Language Version

Python 3.11.2

Other information

No response

pahud commented Mar 20, 2024

Hi

I won't be able to reproduce this from the provided reproduction steps. Are you able to provide more details about your code with the least required properties so I can reproduce this in my environment?

ruvimrd commented Mar 22, 2024

Some simple replication code:

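```typescript
import { AuthorizationType, CognitoUserPoolsAuthorizer, LambdaRestApi } from "aws-cdk-lib/aws-apigateway";
import { UserPool } from "aws-cdk-lib/aws-cognito";

// Inside a Stack constructor; <userPoolArn> is a placeholder for the user pool ARN.
const userPool = UserPool.fromUserPoolArn(this, "userPool", <userPoolArn>);
const authorizer = new CognitoUserPoolsAuthorizer(this, "testAuthorizer", {
  cognitoUserPools: [userPool],
});

// REST API with the Cognito authorizer set as the default for its methods.
const api = new LambdaRestApi(this, "testRestAPI", {
  handler: this.function,
  proxy: false,
  defaultMethodOptions: {
    authorizer: authorizer,
    authorizationType: AuthorizationType.COGNITO
  }
});
```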

This should give the same error as above.

It seems like this is running into a similar issue as #7377 because adding authorizer._attachToApi(api) fixes it.

pahud commented Jun 3, 2024

Closing in favor of #7377

Feel free to reopen if there's any concern.

@pahud pahud closed this as completed Jun 3, 2024

@rmjwilbur

@pahud - I've run into the same issue where I've added a RestApi and a CognitoUserPoolsAuthorizer in the same stack, but haven't used the authorizer yet, and don't intend to in this stack.

I get the Authorizer must be attached to a RestApi error and adding authorizer._attachToApi(restApi) resolves it.

It would be nice to have the option of including restApiId as a prop when creating the authorizer, i.e.:

```typescript
const authorizer = new CognitoUserPoolsAuthorizer(scope, id, { cognitoUserPools: [userPool], restApiId });
```
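
Once the `_attachToApi` workaround mentioned in this thread lets synthesis succeed, the authorizer exists on the API but nothing guarantees that any method uses it. The following added example (not code from this thread or from the CDK project) audits a synthesized CloudFormation template for methods without a Cognito authorizer and for authorizers no method references; the sample template, its logical IDs and the `audit_authorizers` helper are constructed for illustration.

```python
"""Audit a synthesized CloudFormation template for Cognito authorizer coverage."""

# Constructed sample (not from the issue): HalAuthorizer is attached to the
# API but no method uses it, and GET is deployed with no authorization.
SAMPLE_TEMPLATE = {"Resources": {
    "Api": {"Type": "AWS::ApiGateway::RestApi", "Properties": {"Name": "demo"}},
    "HalAuthorizer": {"Type": "AWS::ApiGateway::Authorizer", "Properties": {
        "Type": "COGNITO_USER_POOLS", "RestApiId": {"Ref": "Api"}}},
    "UsedAuthorizer": {"Type": "AWS::ApiGateway::Authorizer", "Properties": {
        "Type": "COGNITO_USER_POOLS", "RestApiId": {"Ref": "Api"}}},
    "GetItems": {"Type": "AWS::ApiGateway::Method", "Properties": {
        "HttpMethod": "GET", "AuthorizationType": "NONE"}},
    "PostItems": {"Type": "AWS::ApiGateway::Method", "Properties": {
        "HttpMethod": "POST", "AuthorizationType": "COGNITO_USER_POOLS",
        "AuthorizerId": {"Ref": "UsedAuthorizer"}}},
    "OptionsItems": {"Type": "AWS::ApiGateway::Method", "Properties": {
        "HttpMethod": "OPTIONS", "AuthorizationType": "NONE"}},
}}


def audit_authorizers(template, ignore_methods=("OPTIONS",)):
    """Return methods lacking a Cognito authorizer and authorizers no method uses.

    ignore_methods is an assumption of this example: CORS preflight (OPTIONS)
    is normally left unauthenticated.
    """
    resources = template.get("Resources", {})
    authorizers = {
        lid for lid, res in resources.items()
        if res.get("Type") == "AWS::ApiGateway::Authorizer"
        and res.get("Properties", {}).get("Type") == "COGNITO_USER_POOLS"
    }
    used, unprotected = set(), []
    for lid, res in resources.items():
        if res.get("Type") != "AWS::ApiGateway::Method":
            continue
        props = res.get("Properties", {})
        ref = props.get("AuthorizerId")
        if props.get("AuthorizationType") == "COGNITO_USER_POOLS" and ref:
            # Same-stack authorizers appear as {"Ref": logicalId}.
            if isinstance(ref, dict) and ref.get("Ref") in authorizers:
                used.add(ref["Ref"])
        elif props.get("HttpMethod") not in ignore_methods:
            unprotected.append(lid)
    return {"unprotected_methods": sorted(unprotected),
            "unused_authorizers": sorted(authorizers - used)}


if __name__ == "__main__":
    print(audit_authorizers(SAMPLE_TEMPLATE))
```

To check a real stack, load the JSON template that `cdk synth` writes under `cdk.out/` and pass the parsed dictionary to the function.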
