feat(apigatewayv2): http api - IAM authorizer support #17519
Conversation
|
|
github-actions
bot
added
the
@aws-cdk/aws-apigatewayv2
|
Hi @ChenKuanSun can you take a look? |
|
Looking at the docs it is unclear to me how to just turn on IAM for the whole API. Also I don't understand why it's not an "authorizer", as in the Rest API gateway. Personally I think that the use case of bringing your own policy/role is more often the case then the "grantInvoke", but that's a gut feeling. Currently I'm solving this problem with: |
nija-at
changed the title
mergify
bot
dismissed
nija-at’s stale review
Pull request has been modified.
@bracki Good point. Since my initial PR, Nija has suggested adding |
| @@ -61,9 +85,14 @@ export class HttpRouteKey { | |||
| if (path !== '/' && (!path.startsWith('/') || path.endsWith('/'))) { | |||
| throw new Error('A route path must always start with a "/" and not end with a "/"'); | |||
| } | |||
| return new HttpRouteKey(`${method ?? HttpMethod.ANY} ${path}`, path); | |||
| const keyMethod = method ?? HttpMethod.ANY; | |||
| return new HttpRouteKey(keyMethod, `${keyMethod} ${path}`, path); | |||
There was a problem hiding this comment.
[minor] Now that key can be derived from the other two attributes, I would remove it from the constructor to make it cleaner and avoid mistakes.
There was a problem hiding this comment.
I've now simplified this section so that it's cleaner and easier to avoid mistakes. As far as I can see, HTTP API has only the $default and METHOD /path/here formats for key, so this should work. https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-develop-routes.html
Let me know whether this change works for you.
mergify
bot
dismissed
otaviomacedo’s stale review
Pull request has been modified.
|
@otaviomacedo I got a notification for the following message but I can't find it anywhere to reply to it. I'll respond here in the comments:
Right now I've allowed grantInvoke to configure IAM via authorizer by implementing the authorizer in the main package. But yes, I can see that this makes the IAM authorizer the odd one out. It seems to me that if the IAM authorizer must be in the other package, the circular dependency arises from adding the authorizer automatically when the user calls grantInvoke. If we resolve this conflict by removing the route's responsibility to configure IAM authorization, we can relocate the IAM authorizer and there will be no circular dependency problem. All things being equal, I'd prefer to remove the route's responsibility to configure IAM from grantInvoke as it could simplify the Lazy props. What do you think? |
I agree. So, two questions:
|
@otaviomacedo We'd require that the user specify the authorizer they want in the construct's props as they do now.
It would look the same as it does now in the README, however, it differs in one case: When the user omits the IAM authorizer and calls |
|
Yes, the only downside is that, if someone provides a different authorizer, |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Fixes aws#15123 See also: [@nija-at's comments on `grantInvoke`](aws#14853 (comment)), aws#10534 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Fixes #15123
See also: @nija-at's comments on
grantInvoke, #10534By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license