Authorizers don't work with explicit ServerlessRestApi API resource

[keetonian]

Description:

Authorizers (at least default auth) does not work as expected when ServerlessRestApi is used as the name for a Serverless::Api.

This requires a deeper dive into how using the name ServerlessRestApi can affect SAM features. This is the name SAM uses for the implicit API, but this should behave the same as any other name if a customer doesn't use the implicit API.

You can avoid this bug in the meantime by not using the ServerlessRestApi name.

Steps to reproduce the issue:

1. Check out https://github.com/awslabs/serverless-application-model/blob/master/examples/2016-10-31/api_lambda_token_auth/template.yaml
2. Run bin/sam-translate.py on the file after changing MyApi to ServerlessRestApi
3. View transformed file

Observed result:
No auth is configured on paths

Expected result:
Auth should be configured on all of the paths.

[hawflau]

When parsing the template, SAM inserts an implicit API regardless it is needed or not, and removes if it is determined not needed afterwards. If an explicit API with logical ID "ServerlessRestApi" is defined and has API event sources referenced to it, SAM adds the corresponding path to the implicit API. When it checks whether the implicit API should be removed, because of the paths added, it determines the implicit API should not be removed. As a result, the explicit API with the same logical ID is dropped.

So, it's not only Authorizers not working with explicit API with logical ID "ServerlessRestApi", but also any properties defined under this explicit API resource. Note: HttpApi might have the same issue, not confirmed yet.

Potential fixes:

• Option 1: distinguish whether an API event source is referencing an explicit API with logical ID "ServerlessRestApi", then exclude it from being inserted into the implicit API
• Option 2: leave "ServerlessRestApi" as a reserved logicalID, add code to throw error if it is used, and make it clear in docs that it should not be used

Relevant code:

serverless-application-model/samtranslator/plugins/api/implicit_api_plugin.py

Lines 49 to 92 in aaa1d15

	def on_before_transform_template(self, template_dict):
	"""
	Hook method that gets called before the SAM template is processed.
	The template has pass the validation and is guaranteed to contain a non-empty "Resources" section.
	:param dict template_dict: Dictionary of the SAM template
	:return: Nothing
	"""
	template = SamTemplate(template_dict)
	# Temporarily add Serverless::Api resource corresponding to Implicit API to the template.
	# This will allow the processing code to work the same way for both Implicit & Explicit APIs
	# If there are no implicit APIs, we will remove from the template later.
	# If the customer has explicitly defined a resource with the id of "ServerlessRestApi",
	# capture it. If the template ends up not defining any implicit api's, instead of just
	# removing the "ServerlessRestApi" resource, we just restore what the author defined.
	self.existing_implicit_api_resource = copy.deepcopy(template.get(self.implicit_api_logical_id))
	template.set(self.implicit_api_logical_id, self._generate_implicit_api_resource())
	errors = []
	for logicalId, resource in template.iterate(
	{SamResourceType.Function.value, SamResourceType.StateMachine.value}
	):
	api_events = self._get_api_events(resource)
	condition = resource.condition
	if len(api_events) == 0:
	continue
	try:
	self._process_api_events(resource, api_events, template, condition)
	except InvalidEventException as ex:
	errors.append(InvalidResourceException(logicalId, ex.message))
	self._maybe_add_condition_to_implicit_api(template_dict)
	self._maybe_add_conditions_to_implicit_api_paths(template)
	self._maybe_remove_implicit_api(template)
	if len(errors) > 0:
	raise InvalidDocumentException(errors)

[aaythapa]

Fixing this issue in SAM transform would break backwards compatibility. Issue was addressed in SAM CLI through this PR which will send warnings when a reserved logical id is used.