Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(apigatewayv2-integrations): in case of multiple routes, only one execute permission is created #18716

Merged
merged 2 commits into from
Mar 8, 2022

Conversation

otaviomacedo
Copy link
Contributor

@otaviomacedo otaviomacedo commented Jan 28, 2022

When multiple routes are defined for a single lambda integration, only one of
the routes gets permission to execute the function. This is because the
permissions are added when the integration is bound to the route, which happens
only once per integration.

Split the _bindToRoute workflow into two parts:

  1. The actual bind, followed by the creation of an HttpIntegration. We keep
    doing this only once per integration.
  2. A post-bind step, that happens for every route.

In the case of HttpLambdaIntegration, adding the permission has been moved to
the post bind step. All other integrations remain the same.

Fixes #18201.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added the @aws-cdk/aws-apigatewayv2-integrations Related to AWS APIGatewayv2 Integrations label Jan 28, 2022
@otaviomacedo otaviomacedo requested a review from a team January 28, 2022 14:35
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Jan 28, 2022
@jhogstrom
Copy link

Will this work for WebSocketApi and WebSocketRouteOptions/aws_apigatewayv2_integrations.WebSocketLambdaIntegration as well? I am not familiar enough with the code to determine that... I just spent several hours trying to figure out why my $disconnect and $default routes were inaccessible (having defined them with the same integration pointing to the same lambda function), so just trying to help out :)

@otaviomacedo
Copy link
Contributor Author

Will this work for WebSocketApi and WebSocketRouteOptions/aws_apigatewayv2_integrations.WebSocketLambdaIntegration as well? I am not familiar enough with the code to determine that... I just spent several hours trying to figure out why my $disconnect and $default routes were inaccessible (having defined them with the same integration pointing to the same lambda function), so just trying to help out :)

No, this is specific to HttpApi. But that's a good reminder to look at the situation with WebSocketApi.

Copy link
Contributor

@kaizencc kaizencc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. I think it is a good call out that we should check and at least test for similar behavior in websocket integrations as well

@mergify
Copy link
Contributor

mergify bot commented Mar 8, 2022

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@gitpod-io
Copy link

gitpod-io bot commented Mar 8, 2022

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
  • Commit ID: 06c35e5
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 1e352ca into master Mar 8, 2022
@mergify mergify bot deleted the otaviom/multiple-permissions branch March 8, 2022 15:58
@mergify
Copy link
Contributor

mergify bot commented Mar 8, 2022

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

TheRealAmazonKendra pushed a commit to TheRealAmazonKendra/aws-cdk that referenced this pull request Mar 11, 2022
…execute permission is created (aws#18716)

When multiple routes are defined for a single lambda integration, only one of
the routes gets permission to execute the function. This is because the
permissions are added when the integration is bound to the route, which happens
only once per integration.

Split the `_bindToRoute` workflow into two parts:

1. The actual bind, followed by the creation of an `HttpIntegration`. We keep
doing this only once per integration.
2. A post-bind step, that happens for every route. 

In the case of `HttpLambdaIntegration`, adding the permission has been moved to
the post bind step. All other integrations remain the same.

Fixes aws#18201.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
@aws-cdk/aws-apigatewayv2-integrations Related to AWS APIGatewayv2 Integrations contribution/core This is a PR that came from AWS.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

(apigatewayv2): IAM Permissions not being created for Api Gateway to access http lambda integration
4 participants