Merge branch 'main' into iot-actions-iotevents

package.json

@@ -18,7 +18,7 @@
   "devDependencies": {
     "@types/prettier": "2.6.0",
     "@yarnpkg/lockfile": "^1.1.0",
-    "cdk-generate-synthetic-examples": "^0.1.12",
+    "cdk-generate-synthetic-examples": "^0.1.14",
     "conventional-changelog-cli": "^2.2.2",
     "fs-extra": "^9.1.0",
     "graceful-fs": "^4.2.10",

packages/@aws-cdk/aws-apigatewayv2-authorizers/README.md

@@ -28,6 +28,7 @@
   - [IAM Authorizers](#iam-authorizers)
 - [WebSocket APIs](#websocket-apis)
   - [Lambda Authorizer](#lambda-authorizer)
+  - [IAM Authorizers](#iam-authorizer)
 
 ## Introduction
 
@@ -256,3 +257,42 @@ new apigwv2.WebSocketApi(this, 'WebSocketApi', {
   },
 });
 ```
+
+### IAM Authorizer
+
+IAM authorizers can be used to allow identity-based access to your WebSocket API.
+
+```ts
+import { WebSocketIamAuthorizer } from '@aws-cdk/aws-apigatewayv2-authorizers';
+import { WebSocketLambdaIntegration } from '@aws-cdk/aws-apigatewayv2-integrations';
+
+// This function handles your connect route
+declare const connectHandler: lambda.Function;
+
+const webSocketApi = new apigwv2.WebSocketApi(this, 'WebSocketApi');
+
+webSocketApi.addRoute('$connect', {
+  integration: new WebSocketLambdaIntegration('Integration', connectHandler),
+  authorizer: new WebSocketIamAuthorizer()
+});
+
+// Create an IAM user (identity)
+const user = new iam.User(this, 'User');
+
+const webSocketArn = Stack.of(this).formatArn({
+  service: 'execute-api',
+  resource: webSocketApi.apiId,
+});
+
+// Grant access to the IAM user
+user.attachInlinePolicy(new iam.Policy(this, 'AllowInvoke', {
+  statements: [
+    new iam.PolicyStatement({
+      actions: ['execute-api:Invoke'],
+      effect: iam.Effect.ALLOW,
+      resources: [webSocketArn],
+    }),
+  ],
+}));
+
+```

packages/@aws-cdk/aws-apigatewayv2-authorizers/lib/websocket/iam.ts

@@ -0,0 +1,19 @@
+import {
+  WebSocketAuthorizerType,
+  WebSocketRouteAuthorizerBindOptions,
+  WebSocketRouteAuthorizerConfig,
+  IWebSocketRouteAuthorizer,
+} from '@aws-cdk/aws-apigatewayv2';
+
+/**
+ * Authorize WebSocket API Routes with IAM
+ */
+export class WebSocketIamAuthorizer implements IWebSocketRouteAuthorizer {
+  public bind(
+    _options: WebSocketRouteAuthorizerBindOptions,
+  ): WebSocketRouteAuthorizerConfig {
+    return {
+      authorizationType: WebSocketAuthorizerType.IAM,
+    };
+  }
+}

packages/@aws-cdk/aws-apigatewayv2-authorizers/lib/websocket/index.ts

@@ -1 +1,2 @@
 export * from './lambda';
+export * from './iam';

packages/@aws-cdk/aws-apigatewayv2-authorizers/package.json

@@ -86,6 +86,7 @@
     "@aws-cdk/integ-runner": "0.0.0",
     "@aws-cdk/pkglint": "0.0.0",
     "@types/aws-lambda": "^8.10.101",
+    "@aws-cdk/integ-tests": "0.0.0",
     "@types/jest": "^27.5.2"
   },
   "dependencies": {

packages/@aws-cdk/aws-apigatewayv2-authorizers/test/websocket/iam.integ.snapshot/ApiGatewayV2WebSocketIamTestDefaultTestDeployAssert2B412D7B.template.json

@@ -0,0 +1 @@
+{}

packages/@aws-cdk/aws-apigatewayv2-authorizers/test/websocket/iam.integ.snapshot/IntegApiGatewayV2Iam.template.json

@@ -0,0 +1,226 @@
+{
+ "Resources": {
+  "User00B015A1": {
+   "Type": "AWS::IAM::User"
+  },
+  "UserAccessEC42ADF7": {
+   "Type": "AWS::IAM::AccessKey",
+   "Properties": {
+    "UserName": {
+     "Ref": "User00B015A1"
+    }
+   }
+  },
+  "authfunctionServiceRoleFCB72198": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "lambda.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "ManagedPolicyArns": [
+     {
+      "Fn::Join": [
+       "",
+       [
+        "arn:",
+        {
+         "Ref": "AWS::Partition"
+        },
+        ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+       ]
+      ]
+     }
+    ]
+   }
+  },
+  "authfunction96361832": {
+   "Type": "AWS::Lambda::Function",
+   "Properties": {
+    "Code": {
+     "ZipFile": "exports.handler = () => {return true}"
+    },
+    "Role": {
+     "Fn::GetAtt": [
+      "authfunctionServiceRoleFCB72198",
+      "Arn"
+     ]
+    },
+    "Handler": "index.handler",
+    "Runtime": "nodejs14.x"
+   },
+   "DependsOn": [
+    "authfunctionServiceRoleFCB72198"
+   ]
+  },
+  "WebSocketApi34BCF99B": {
+   "Type": "AWS::ApiGatewayV2::Api",
+   "Properties": {
+    "Name": "WebSocketApi",
+    "ProtocolType": "WEBSOCKET",
+    "RouteSelectionExpression": "$request.body.action"
+   }
+  },
+  "WebSocketApiconnectRouteWebSocketLambdaIntegrationPermission76CD86C6": {
+   "Type": "AWS::Lambda::Permission",
+   "Properties": {
+    "Action": "lambda:InvokeFunction",
+    "FunctionName": {
+     "Fn::GetAtt": [
+      "authfunction96361832",
+      "Arn"
+     ]
+    },
+    "Principal": "apigateway.amazonaws.com",
+    "SourceArn": {
+     "Fn::Join": [
+      "",
+      [
+       "arn:",
+       {
+        "Ref": "AWS::Partition"
+       },
+       ":execute-api:",
+       {
+        "Ref": "AWS::Region"
+       },
+       ":",
+       {
+        "Ref": "AWS::AccountId"
+       },
+       ":",
+       {
+        "Ref": "WebSocketApi34BCF99B"
+       },
+       "/*/*$connect"
+      ]
+     ]
+    }
+   }
+  },
+  "WebSocketApiconnectRouteWebSocketLambdaIntegration3D2B13DD": {
+   "Type": "AWS::ApiGatewayV2::Integration",
+   "Properties": {
+    "ApiId": {
+     "Ref": "WebSocketApi34BCF99B"
+    },
+    "IntegrationType": "AWS_PROXY",
+    "IntegrationUri": {
+     "Fn::Join": [
+      "",
+      [
+       "arn:",
+       {
+        "Ref": "AWS::Partition"
+       },
+       ":apigateway:",
+       {
+        "Ref": "AWS::Region"
+       },
+       ":lambda:path/2015-03-31/functions/",
+       {
+        "Fn::GetAtt": [
+         "authfunction96361832",
+         "Arn"
+        ]
+       },
+       "/invocations"
+      ]
+     ]
+    }
+   }
+  },
+  "WebSocketApiconnectRoute846149DD": {
+   "Type": "AWS::ApiGatewayV2::Route",
+   "Properties": {
+    "ApiId": {
+     "Ref": "WebSocketApi34BCF99B"
+    },
+    "RouteKey": "$connect",
+    "AuthorizationType": "AWS_IAM",
+    "Target": {
+     "Fn::Join": [
+      "",
+      [
+       "integrations/",
+       {
+        "Ref": "WebSocketApiconnectRouteWebSocketLambdaIntegration3D2B13DD"
+       }
+      ]
+     ]
+    }
+   }
+  },
+  "AllowInvoke767865EA": {
+   "Type": "AWS::IAM::Policy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": "execute-api:Invoke",
+       "Effect": "Allow",
+       "Resource": {
+        "Fn::Join": [
+         "",
+         [
+          "arn:",
+          {
+           "Ref": "AWS::Partition"
+          },
+          ":execute-api:",
+          {
+           "Ref": "AWS::Region"
+          },
+          ":",
+          {
+           "Ref": "AWS::AccountId"
+          },
+          ":",
+          {
+           "Ref": "WebSocketApi34BCF99B"
+          }
+         ]
+        ]
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PolicyName": "AllowInvoke767865EA",
+    "Users": [
+     {
+      "Ref": "User00B015A1"
+     }
+    ]
+   }
+  }
+ },
+ "Outputs": {
+  "TESTACCESSKEYID": {
+   "Value": {
+    "Ref": "UserAccessEC42ADF7"
+   }
+  },
+  "TESTSECRETACCESSKEY": {
+   "Value": {
+    "Fn::GetAtt": [
+     "UserAccessEC42ADF7",
+     "SecretAccessKey"
+    ]
+   }
+  },
+  "TESTREGION": {
+   "Value": {
+    "Ref": "AWS::Region"
+   }
+  }
+ }
+}

packages/@aws-cdk/aws-apigatewayv2-authorizers/test/websocket/iam.integ.snapshot/integ.json

@@ -0,0 +1,11 @@
+{
+  "version": "20.0.0",
+  "testCases": {
+    "ApiGatewayV2WebSocketIamTest/DefaultTest": {
+      "stacks": [
+        "IntegApiGatewayV2Iam"
+      ],
+      "assertionStack": "ApiGatewayV2WebSocketIamTestDefaultTestDeployAssert2B412D7B"
+    }
+  }
+}