Add 'ApiKeyRequiredToCorsPreflight'

[chillbirdo]

Describe your idea/feature/enhancement

The flag AddDefaultAuthorizerToCorsPreflight skips Authorizers for preflight methods, however, it does not skip the requirement of an API-Key (as far as the UsagePlan is linked to a key). Browsers do never add the X-API-Key Header to the preflight request.

At the moment I have no idea how to omit ApiKey requirement for the preflight requests other than switching them off in the console after each deploy. Pls give me a hint if it can be stated in the template somehow. Thanks.

Proposal

Either generally disable ApiKey Requirement for Preflight requests, or add a flag similar to AddDefaultAuthorizerToCorsPreflight, named something like ApiKeyRequiredToCorsPreflight.

Things to consider:

1. Will this require any updates to the SAM Spec
   Yes

Additional Details

[CoshUS]

SAM issue. Transferring to SAM repo.

[ConnorRobertson]

#1786 Issue was fixed here. You can add the property AddApiKeyRequiredToCorsPreflight to the Auth: section of the Api.