[@aws-cdk/aws-apigatewayv2] support authorizers for HTTP API #10534

Closed
2 tasks
Hugodby opened this issue Sep 25, 2020 · 38 comments
Labels
@aws-cdk/aws-apigatewayv2 Related to Amazon API Gateway v2 effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. in-progress This issue is being actively worked on. p1

Comments

@Hugodby

Hugodby commented Sep 25, 2020

I want to be able to add an authorizer when calling the addRoutes method. Similar to what is done in the apigateway construct: https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-apigateway.MethodOptions.html

Use Case

There is no straightforward way to add an authorizer on HTTP API routes. This is an important security feature. Workarounds are already available in blog posts: https://dev.to/martzcodes/token-authorizers-with-apigatewayv2-tricks-apigwv1-doesn-t-want-you-to-know-41jn

Proposed Solution

One solution would be to add an authorizer property on the addRoutes method:

const api = new HttpApi(this, 'Api', { .. });
const authorizer = new CfnAuthorizer(this, 'ApiAuthorizer', { ... });

api.addRoutes({
  path: '/route',
  methods: [ HttpMethod.GET ],
  integration: new LambdaProxyIntegration({ handler: Example }),
  authorizer: authorizer,
});
  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

@Hugodby Hugodby added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Sep 25, 2020
@github-actions github-actions bot added the @aws-cdk/aws-apigatewayv2 Related to Amazon API Gateway v2 label Sep 25, 2020
@nija-at
Contributor

nija-at commented Sep 30, 2020

At the moment, we have no support for authorizers in APIGatewayV2. Marking this as a feature request for authorizers.

@nija-at nija-at changed the title [@aws-cdk/aws-apigatewayv2] addRoutes should support an authorizer [@aws-cdk/aws-apigatewayv2] support authorizers for HTTP API Sep 30, 2020
@nija-at nija-at added effort/medium Medium work item – several days of effort p1 and removed needs-triage This issue or PR still needs to be triaged. labels Sep 30, 2020
@lielran

lielran commented Oct 12, 2020

@nija-at what about Cognito authorizer?
I'm adding it to http API like this:

  private addAuthorizer(
        stack: Construct,
        httpApi: HttpApi,
        userPool: IUserPool,
        userPoolClientId: string,
    ): CfnAuthorizer {
        return new CfnAuthorizer(stack, 'CognitoAuthorizer', {
            name: 'CognitoAuthorizer',
            identitySource: ['$request.header.Authorization'],
            apiId: httpApi.httpApiId,
            authorizerType: 'JWT',
            jwtConfiguration: {
                audience: [userPoolClientId],
                issuer: `https://cognito-idp.${this.region}.amazonaws.com/${userPool.userPoolId}`,
            },
        });
    }

@iRoachie
Contributor

iRoachie commented Oct 20, 2020

Working on this. Got something working, but you can't use L1 constructs as props, so I have to implement the Authorizer construct first.

@mbergkvist

> At the moment, we have no support for authorizers in APIGatewayV2. Marking this as a feature request for authorizers.

Will this include IAM authorizer?

@lielran

lielran commented Oct 28, 2020

> Will this include IAM authorizer?

@mbergkvist
you can change that to:
authorizerType: 'AWS_IAM',

@mbergkvist

@lielran
With

new apiGw.CfnAuthorizer(this, 'IAM Authorizer', {
      apiId: httpApi.httpApiId,
      authorizerType: 'AWS_IAM',
      identitySource: ['$request.header.Authorization'],
      name: 'IAM Authorizer'
    })

I get Invalid request input. CreateAuthorizer input is missing authorizer type. when deploying.

@rtrive

rtrive commented Nov 29, 2020

any updates on adding authorizer to http api route?

@haandol

haandol commented Feb 4, 2021

below code works for me. (on cdk 1.83+)

interface RouteProps {
  api: apigwv2.IHttpApi
  authorizerType?: 'JWT' | 'AWS_IAM'
  authorizerId?: string
  routeId: string
  path: string
  method: apigwv2.HttpMethod
  handler: lambda.IFunction
}
protected addRoute(props: RouteProps) {
    if (props.authorizerType === 'JWT' && props.authorizerId === undefined) {
      throw Error('JWT authorizer requires authorizerId')
    } else if (props.authorizerType === 'AWS_IAM' && props.authorizerId !== undefined) {
      throw Error('IAM authorizer can not be configured with authorizerId')
    }

    const integration = new integrations.LambdaProxyIntegration({ handler: props.handler })
    const route = new apigwv2.HttpRoute(this, `${props.routeId}Route`, {
      httpApi: props.api,
      routeKey: apigwv2.HttpRouteKey.with(props.path, props.method),
      integration,
    })
    const routeCfn = route.node.defaultChild as apigwv2.CfnRoute
    routeCfn.authorizationType = props.authorizerType
    routeCfn.authorizerId = props.authorizerId
}

@iRoachie
Contributor

iRoachie commented Feb 4, 2021

Sorry for the long pause guys! Will try to wrap up the PR this weekend.

@eikeon

eikeon commented Feb 5, 2021

>       throw Error('IAM authorizer can not be configured with authorizerId')

@haandol Does this mean this workaround doesn't work for the IAM authorizer case or that it just needs to be left undefined? (To attach an IAM authorizer with your addRoute above -- Guess I'm about to find out as I dig in)

@eikeon

eikeon commented Feb 5, 2021

> @lielran
> With
>
>     new apiGw.CfnAuthorizer(this, 'IAM Authorizer', {
>       apiId: httpApi.httpApiId,
>       authorizerType: 'AWS_IAM',
>       identitySource: ['$request.header.Authorization'],
>       name: 'IAM Authorizer'
>     })
>
> I get Invalid request input. CreateAuthorizer input is missing authorizer type. when deploying.

Same. It looks like authorizerType: 'AWS_IAM' is set directly on the CfnRoute and doesn't involve a CfnAuthorizer (which doesn't list AWS_IAM as an option). @iRoachie, does the PR you're working on also deal with AWS_IAM case? Or just the two listed here: iRoachie@6db0e2d#diff-477ed79e2eac3fe55ede0a738ca3941bdc4cf84f6c60b5d28d15a028a452de56R11

@haandol

haandol commented Feb 6, 2021

import * as cdk from '@aws-cdk/core'
import * as lambda from '@aws-cdk/aws-lambda'
import * as apigwv2 from '@aws-cdk/aws-apigatewayv2'
import * as integrations from '@aws-cdk/aws-apigatewayv2-integrations'

interface RouteProps {
  api: apigwv2.IHttpApi
  authorizerType?: 'JWT' | 'AWS_IAM'
  authorizerId?: string
  routeId: string
  path: string
  method: apigwv2.HttpMethod
  handler: lambda.IFunction
}

export abstract class BaseApiStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props)
  }

  protected addRoute(props: RouteProps) {
    if (props.authorizerType === 'JWT' && props.authorizerId === undefined) {
      throw Error('JWT authorizer requires authorizerId')
    } else if (props.authorizerType === 'AWS_IAM' && props.authorizerId !== undefined) {
      throw Error('IAM authorizer can not be configured with authorizerId')
    }

    const integration = new integrations.LambdaProxyIntegration({ handler: props.handler })
    const route = new apigwv2.HttpRoute(this, `${props.routeId}Route`, {
      httpApi: props.api,
      routeKey: apigwv2.HttpRouteKey.with(props.path, props.method),
      integration,
    })
    const routeCfn = route.node.defaultChild as apigwv2.CfnRoute
    routeCfn.authorizationType = props.authorizerType
    routeCfn.authorizerId = props.authorizerId
  }
}
export class AdminStack extends BaseApiStack {
...

    this.addRoute({
      api: props.api,
      authorizerType: 'JWT',
      authorizerId: props.authorizerId,
      routeId: 'AdminPresignUrlClothes',
      path: '/admin/clothes/upload',
      method: apigwv2.HttpMethod.GET,
      handler: adminClothes.presignUrlClothesFunction,
    })
    this.addRoute({
      api: props.api,
      authorizerType: 'AWS_IAM',
      routeId: 'AdminUpdatelothes',
      path: '/admin/clothes',
      method: apigwv2.HttpMethod.PUT,
      handler: adminClothes.updateClothesFunction,
    })
}

here is my whole base-stack.ts.
@eikeon you can not create AWS_IAM authorizer for HTTP API because it is built-in. you can check it out on your API Gateway Console.
and in the same manner, you can not set authorizer_id to AWS_IAM typed route.

@iRoachie
Contributor

iRoachie commented Feb 6, 2021

@eikeon The PR I'm working on is for JWT authorizers, but the framework should be set to add in IAM after.

As @haandol said, AWS_IAM is not an authorizer type, but simply is the REQUEST (lambda) type that returns a policy document

@eikeon

eikeon commented Feb 9, 2021

@iRoachie and @haandol Thank you! I was just arriving there after trying to apply the work around and reading the docs; definitely getting a bit confused with the two different authorizerType's (one on the authorizer and one on the route) :| Was hoping to have some shiny L2 support to utilize but looks like I'm mostly there re: the bits to add.

mergify bot pushed a commit that referenced this issue Feb 10, 2021
…10972)

Part 1 of the work needed to make #10534 happen.

- Also not sure if a partial L2 is possible as I didn't implement all the properties.
- Also not sure if I should rename it to just `Authorizer` (wasn't sure if it clashed with v1 authorizers)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@iRoachie
Contributor

Hey all, we just merged #10972 which introduces support for JWT authorizers, and a convenience cognito user pool authorizer. Just the REQUEST authorizer needed to completely close this ticket

@ADringer

ADringer commented Feb 16, 2021

Would this allow us to add the authorizer to the $default route? Currently we have an api with just $default route defined, and using the console manually add the JWT authorizer. Would be good to be able to do this via the cdk, but can't see a way of setting it on default integration?

@iRoachie
Contributor

iRoachie commented Feb 16, 2021

Yes @ADringer, you can actually add it to the API itself and it will apply to all routes https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-apigatewayv2/lib/http/api.ts#L210-L218

Edit: This isn't possible yet

@inception-cto

inception-cto commented Feb 16, 2021

Hi @iRoachie ,

Note: Using aws-cdk 1.89.0

I am trying to implement the "REQUEST" authorizer type and I cannot get it to work properly.

export class CustomHttpApi extends apigatewayv2.HttpApi {
  public readonly authorizer: apigatewayv2.CfnAuthorizer;

  constructor(scope: cdk.Construct, id: string, props?: CustomHttpApiProps) {

    const region = props?.region || "us-east-1";
    const lambdaAuthorizerUri = `arn:aws:apigateway:${region}:lambda:path/2015-03-31/functions/${props?.lambdaAuthorizerArn}/invocations`;

    // ========================================================================
    // Resources: HTTP API
    // ========================================================================
    // Initialization
    super(scope, id, {
      description: props?.description,
      apiName: props?.apiName
    });

    // ========================================================================
    // Resources: HTTP Authorizer
    // ========================================================================
    this.authorizer = new apigatewayv2.CfnAuthorizer(
      this,
      "lambda-header-authorizer",
      {
        apiId: this.httpApiId,
        authorizerPayloadFormatVersion: "2.0",
        authorizerResultTtlInSeconds: cdk.Duration.seconds(120).toSeconds(),
        authorizerType: "REQUEST",
        enableSimpleResponses: true,
        authorizerUri: lambdaAuthorizerUri,
        identitySource: ["$request.header.Authorization"],
        name: "token-authorizer",
      }
    );
  }


  public addLambdaRoute(props: {
    lambdaFn: lambda.Function;
    method: HttpMethod;
    path: string;
    protected: boolean;
  }) {
    //  Step 1: Add the Lambda Handler Proxy Integration
    const integration = new LambdaProxyIntegration({
      handler: props.lambdaFn,
      payloadFormatVersion: PayloadFormatVersion.VERSION_2_0,
    });

    // Step 2: Add the Route
    const route = new apigatewayv2.HttpRoute(
      this,
      `route-lambda-${props.lambdaFn.node.id}`,
      {
        httpApi: this,
        integration: integration,
        routeKey: apigatewayv2.HttpRouteKey.with(props.path, props.method),
      }
    );

    if (props.protected) {
      route.node.children.map((child) => {
        const routeCfn = route.node.defaultChild as apigatewayv2.CfnRoute;
        routeCfn.authorizationType = this.authorizer.authorizerType;
        routeCfn.authorizerId = this.authorizer.ref;
      });
    }
  }
}

The Authorizer is deployed properly but it is not attached to any of the APIs. Am I missing anything?

Any help is greatly appreciated.

@eikeon

eikeon commented Feb 25, 2021

> Hey all, we just merged #10972 which introduces support for JWT authorizers, and a convenience cognito user pool authorizer. Just the REQUEST authorizer needed to completely close this ticket

Anything in the works for the REQUEST authorizer bit to look at? About to revisit adding such AUTH to an API; could align with whatever might be in the works etc.

/me starts by looking at previous merge request as it was mentioned "but the framework should be set to add in IAM after."

@iRoachie
Contributor

@eikeon I made the PR, it's waiting for review #13181

@eikeon

eikeon commented Feb 25, 2021

Thank you; that helps re: - Lambda Authorizers

I'm trying to use the built in AWS_IAM authorizationType -- which as you mentioned before isn't an authorizer and so perhaps is out of scope for this ticket?

It seems like this higher level construct could support it and have it translate to setting the right bits for the built in case.

It's looking like the following is all I need to add to the route re: AWS_IAM case:

        routes.forEach((r) => {
            const routeCfn = r.node.defaultChild as api.CfnRoute;
            routeCfn.authorizationType = "AWS_IAM";
        });

... basically this bit: https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-access-control-iam.html

And then separately add the IAM policies: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html

@iRoachie
Contributor

@eikeon Oh okay I see what you mean now. Apologies if I was confused earlier. It should be relatively easy to add in another PR.

@eikeon

eikeon commented Feb 25, 2021

> @eikeon Oh okay I see what you mean now. Apologies if I was confused earlier. It should be relatively easy to add in another PR.

No worries; thank you for all the PRs! 🎉

@eikeon

eikeon commented Mar 29, 2021

Now to figure out if there's a way to set routeCfn.authorizationType = "AWS_IAM"; but for the HttpApi's default integration

@jeznag

jeznag commented May 11, 2021

I'm finding that HttpJwtAuthorizer isn't working as the defaultAuthorizer for an HTTP API.

Example:

        const authorizer = new HttpJwtAuthorizer({
            jwtAudience: ['https://okra.au.auth0.com/api/v2/'],
            jwtIssuer: 'https://okra.au.auth0.com',
            authorizerName: 'apolloAuthorizer'
        })

        const publicApi = new HttpApi(this, 'apollo-proxy-api-public', {
            defaultDomainMapping: {
                domainName: apiDomainName,
            },
            defaultIntegration: new HttpAlbIntegration({
                listener: this.props.apolloListener,
                vpcLink: this.vpcLink
            }),
            defaultAuthorizer: authorizer,
            defaultAuthorizationScopes: ['okra:internal'],
        })

        publicApi.addRoutes({
            integration: new HttpAlbIntegration({
                listener: this.props.apolloListener,
                vpcLink: this.vpcLink
            }),
            path: '/',
            authorizer,
        });

With this config, if I open the root URL (/) in my browser, I get a 401 error. But if I try any other URL, there is no authorization. Also when I deployed without the addRoutes config, there was no authorizer visible in the console but after I did addRoutes, it appears.

mergify bot pushed a commit that referenced this issue May 17, 2021
Second part of #10534

Had to make small changes to `authorizerType` that route expects, since Route and Authorizer enums are not the same. See #10534 (comment). 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
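
A recurring point in this thread is that `AuthorizerType` on the authorizer (JWT, REQUEST) and `AuthorizationType` on the route (NONE, JWT, AWS_IAM, CUSTOM) are different enums, and that a deployed authorizer does nothing until a route references it. The following is an added example, not code from the CDK project or from any commenter: it audits a synthesized CloudFormation template for those wiring mistakes. The function names, rule names and sample template are constructed for illustration.

```typescript
// Added example: audit a synthesized CloudFormation template (plain JSON) for
// HTTP API route/authorizer wiring mistakes. All names below are illustrative.
interface CfnResource { Type: string; Properties?: Record<string, unknown> }
interface Template { Resources: Record<string, CfnResource> }
interface Finding { resource: string; rule: string; detail: string }

const ROUTE = 'AWS::ApiGatewayV2::Route';
const AUTHORIZER = 'AWS::ApiGatewayV2::Authorizer';
// Route AuthorizationType values for HTTP APIs.
const ROUTE_AUTH_TYPES = ['NONE', 'JWT', 'AWS_IAM', 'CUSTOM'];
// Authorizer AuthorizerType values for HTTP APIs.
const AUTHORIZER_TYPES = ['JWT', 'REQUEST'];
// Route-side value that each authorizer type has to be paired with.
const ROUTE_TYPE_FOR: Record<string, string> = { JWT: 'JWT', REQUEST: 'CUSTOM' };

const hasOwn = (obj: object, key: string): boolean =>
  Object.prototype.hasOwnProperty.call(obj, key);

// In a synthesized template AuthorizerId is normally { "Ref": "<logical id>" }.
function refTarget(value: unknown): string | undefined {
  if (typeof value === 'string') return value;
  if (typeof value === 'object' && value !== null) {
    const ref = (value as { Ref?: unknown }).Ref;
    if (typeof ref === 'string') return ref;
  }
  return undefined;
}

function auditHttpApiAuth(template: Template): Finding[] {
  const findings: Finding[] = [];
  const authorizerTypes: Record<string, string> = {}; // logical id -> AuthorizerType
  const referenced: string[] = []; // authorizer ids that some route points at
  const report = (resource: string, rule: string, detail: string): void => {
    findings.push({ resource, rule, detail });
  };
  const ids = Object.keys(template.Resources);

  // Pass 1: authorizers. AWS_IAM is set on the route; it is not an authorizer type.
  for (const id of ids) {
    const res = template.Resources[id];
    if (!res || res.Type !== AUTHORIZER) continue;
    const props: Record<string, unknown> = res.Properties ?? {};
    const type = String(props['AuthorizerType'] ?? '');
    authorizerTypes[id] = type;
    if (AUTHORIZER_TYPES.indexOf(type) < 0) {
      report(id, 'bad-authorizer-type', `AuthorizerType "${type}" is not JWT or REQUEST`);
    }
  }

  // Pass 2: routes. A missing AuthorizationType means the route is open.
  for (const id of ids) {
    const res = template.Resources[id];
    if (!res || res.Type !== ROUTE) continue;
    const props: Record<string, unknown> = res.Properties ?? {};
    const key = String(props['RouteKey'] ?? '');
    const authType = String(props['AuthorizationType'] ?? 'NONE');
    const authorizerId = refTarget(props['AuthorizerId']);
    if (authorizerId !== undefined) referenced.push(authorizerId);
    if (ROUTE_AUTH_TYPES.indexOf(authType) < 0) {
      report(id, 'bad-route-auth-type', `${key}: "${authType}" is not a route AuthorizationType`);
    } else if (authType === 'NONE') {
      report(id, 'open-route', `${key}: no authorization configured`);
    } else if (authType === 'AWS_IAM') {
      if (authorizerId !== undefined) {
        report(id, 'iam-with-authorizer-id', `${key}: AWS_IAM takes no AuthorizerId`);
      }
    } else if (authorizerId === undefined) {
      report(id, 'missing-authorizer-id', `${key}: ${authType} needs an AuthorizerId`);
    } else if (hasOwn(authorizerTypes, authorizerId)) {
      const aType = String(authorizerTypes[authorizerId]);
      const expected = hasOwn(ROUTE_TYPE_FOR, aType) ? ROUTE_TYPE_FOR[aType] : undefined;
      if (expected !== undefined && expected !== authType) {
        report(id, 'type-mismatch', `${key}: ${authType} route points at a ${aType} authorizer`);
      }
    }
  }

  // Pass 3: authorizers that exist but are attached to nothing.
  for (const id of Object.keys(authorizerTypes)) {
    if (referenced.indexOf(id) < 0) report(id, 'unattached-authorizer', 'no route references it');
  }
  return findings;
}

// Constructed sample shaped like synthesized output (Properties trimmed).
const sampleTemplate: Template = { Resources: {
  JwtAuth: { Type: AUTHORIZER, Properties: { AuthorizerType: 'JWT' } },
  LambdaAuth: { Type: AUTHORIZER, Properties: { AuthorizerType: 'REQUEST' } },
  IamAuth: { Type: AUTHORIZER, Properties: { AuthorizerType: 'AWS_IAM' } },
  UploadRoute: { Type: ROUTE, Properties: { RouteKey: 'GET /admin/clothes/upload', AuthorizationType: 'JWT', AuthorizerId: { Ref: 'JwtAuth' } } },
  UpdateRoute: { Type: ROUTE, Properties: { RouteKey: 'PUT /admin/clothes', AuthorizationType: 'AWS_IAM' } },
  OrdersRoute: { Type: ROUTE, Properties: { RouteKey: 'GET /orders', AuthorizationType: 'REQUEST', AuthorizerId: { Ref: 'LambdaAuth' } } },
  ReportsRoute: { Type: ROUTE, Properties: { RouteKey: 'GET /reports', AuthorizationType: 'JWT' } },
  DefaultRoute: { Type: ROUTE, Properties: { RouteKey: '$default' } },
} };

const summarize = (findings: Finding[]): string[] => findings.map((f) => `${f.resource}:${f.rule}`);
console.log(summarize(auditHttpApiAuth(sampleTemplate)).join('\n'));
```

Run over `cdk synth` output in CI, `open-route` findings on intentionally public routes can be allow-listed while the other rules fail the build.
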
BenChaimberg added a commit that referenced this issue May 18, 2021
@iRoachie
Contributor

@eikeon I just opened #14853 for iam authorizers. Would love your feedback

@eikeon

eikeon commented May 24, 2021

@iRoachie Looks good and +1 for the CDK doc linking to the relevant documentation re: some examples.

Looks like I'll be able to retire my workaround soon. Thank you!

PS: One thing I've run across -- how to apply an HttpIamAuthorizer to the default route?

@jaredtbates

I'm running into an issue too where I'm unable to set the defaultAuthorizer to an HttpLambdaAuthorizer. Any thoughts?

@iRoachie
Contributor

@computerwizjared @jeznag I found the issue with the default authorizer. Here's the PR #14904

Thanks for reporting

mergify bot pushed a commit that referenced this issue Jun 3, 2021
…authorizer (#14904)

The default authorizer worked by passing the authorizer config to routes in the api by the addRoutes method.

We completely forgot about the use case of the default integration, so currently using default integration + default authorizer does not create an authorizer.

This PR fixes the bug and allows using default authorizer + default integration as expected.

Reported by #10534 (comment)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@iRoachie
Contributor

iRoachie commented Jun 3, 2021

@computerwizjared @jeznag the fix just landed in master. Should be available in the next release.

@eikeon

eikeon commented Jun 9, 2021

> Now to figure out if there's a way to set routeCfn.authorizationType = "AWS_IAM"; but for the HttpApi's default integration

As far as I can tell there's no way to set this for the default route case yet? (and am unsure if CloudFormation underneath supports it)

@iRoachie
Contributor

iRoachie commented Jun 9, 2021

@eikeon waiting on review for #14853

The default case is handled - https://github.com/aws/aws-cdk/pull/14853/files#diff-bd5f262e88889ac7224d414c05765806bf9a20d2c12d45f6db521f2d4c05f8ebR29-R46

@nija-at
Contributor

nija-at commented Sep 2, 2021

Closing this overall issue since we have a few authorizers built.

@iRoachie - let's open separate issues per authorizer going forward.

@nija-at nija-at closed this as completed Sep 2, 2021
mergify bot pushed a commit that referenced this issue Dec 17, 2021
Fixes #15123

See also: [@nija-at's comments on `grantInvoke`](#14853 (comment)), #10534

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*