feat(cloudfront-origins): allow custom originPath for apigateway.RestApi constructs

[oieduardorabelo]

Current behavior

• the apigateway.RestApi splits the restApi.url and uses the stage name as originPath / "Origin path - optional" option in the CloudFront Origin by default

Issue / Limitation

• when using multiple Behaviors in my CloudFront Distribution:
  • S3 as the default behavior
  • Regional API Gateway as additional behavior and CloudFront Origin

My API Gateway receives an extra /<api-gateway-stage>/ in its event path and doesn't trigger the correct lambda integration.

The below CDK example reproduces the behavior mentioned above:

import * as cdk from "aws-cdk-lib";

const meLambda = new cdk.aws_lambda_nodejs.NodejsFunction(
  this,
  "meLambda",
  {
    entry: "handlers/me.ts",
  }
);

const s3_bucket = new cdk.aws_s3.Bucket(this, "somebucket");

const api = new cdk.aws_apigateway.RestApi(this, "somerestapi", {
      endpointConfiguration: {
        types: [apigw.EndpointType.REGIONAL],
      },
      defaultCorsPreflightOptions: {
        allowOrigins: ["*"],
      },
});
api.root
  .addResource("me")
  .addMethod("GET", new apigw.LambdaIntegration(meLambda));

const apiOrigin = new cdk.aws_cloudfront_origins.RestApiOrigin(api);

const cdn = new cdk.aws_cloudfront.Distribution(this, "websitecdn", {
    defaultBehavior: {
      origin: new cdk.aws_cloudfront_origins.S3Origin(s3_bucket),
      allowedMethods: cdk.aws_cloudfront.AllowedMethods.ALLOW_GET_HEAD_OPTIONS,
      viewerProtocolPolicy: cdk.aws_cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
    },
    additionalBehaviors: {
      "prod/*": {  // <<<---- The "prod/" is added in the CloudFront Origin Path, NOT DESIRED IS THIS CASE
        origin: apiOrigin,
        allowedMethods: cdk.aws_cloudfront.AllowedMethods.ALLOW_ALL,
        cachePolicy: cdk.aws_cloudfront.CachePolicy.CACHING_DISABLED,
        viewerProtocolPolicy: cdk.aws_cloudfront.ViewerProtocolPolicy.HTTPS_ONLY,
      },
    },
});

The above will have the following URLs:

• https://<api-gateway-url>/<api-gateway-stage>
• https://<cloudfront-distribution-url>/some-image.png => Default Behavior, S3 Bucket
• https://<cloudfront-distribution-url>/<api-gateway-stage> => API Gateway forward request

Because the CloudFront Origin created by RestApiOrigin appends the <api-gateway-stage> in its CloudFront Origin "Origin Path - optional" option, when using https://<cloudfront-distribution-url>/<api-gateway-stage>/me the API Gateway receives /<api-gateway-stage>/<api-gateway-stage>/me instead of /<api-gateway-stage>/me

Removing the "Origin Path - optional" value, fixes the problem.

Workaround

• To fix the problem described above, I need to use a custom cdk.aws_cloudfront_origins.HttpOrigin construct

Replace the apiOrigin construct in the example above by:

const apiOrigin = new origins.HttpOrigin(
  `${api.restApiId}.execute-api.${cdk.Aws.REGION}.${cdk.Aws.URL_SUFFIX}`,
  {
    originSslProtocols: [cloudfront.OriginSslPolicy.TLS_V1_2],
    protocolPolicy: cloudfront.OriginProtocolPolicy.HTTPS_ONLY,
  }
);

Solution

• This PR allows the customization of apigateway.RestApi by extending its props from cloudfront.OriginProps
• Allowing the consumer to pass a props.originPath to the RestApiOrigin class

[gitpod-io]

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

[TheRealAmazonKendra]

Thank you for your contribution! Overall this looks good. I just have a question inline. Additionally, please add an integ test to cover this change. I'm concerned about the potential testing gap given that your change wasn't picked up by a test. Not your fault, but I like to take every opportunity to improve our test coverage.

If, for any reason, running tests isn't feasible for you, please let me know and I can assist after you write the test case.

[TheRealAmazonKendra]

What is in OriginProps that isn't in OriginOptions and vice versa? I'm concerned this might break other languages even if it's fine in TypeScript.

[oieduardorabelo]

1. OriginProps extends OriginOptions and declares the originPath.

export interface OriginOptions {
  readonly connectionTimeout?: Duration;
  readonly connectionAttempts?: number;
  readonly customHeaders?: Record<string, string>;
  readonly originShieldRegion?: string;
  readonly originShieldEnabled?: boolean;
  readonly originId?: string;
}

export interface OriginProps extends OriginOptions {
  readonly originPath?: string;
}

2. OriginProps is used in other packages. Where OriginOptions is internal? (not sure)

[comcalvi]

since the only new property is optional, this should be non-breaking

[oieduardorabelo]

@TheRealAmazonKendra is the integ test case correct? I followed the instructions at INTEGRATION_TESTS.md and based it on aws-cloudfront-origins/test/integ.rest-api-origin.ts

✅ Updated pull request passes all PRLinter validations. Dissmissing previous PRLinter review.

Pull request has been modified.

[Naumel]

🔄

@aws-cdk/aws-cloudfront-origins: To re-run failed tests run: integ-runner --update-on-failed
@aws-cdk/aws-cloudfront-origins:     at main (/codebuild/output/src297086622/src/github.com/aws/aws-cdk/packages/@aws-cdk/integ-runner/lib/cli.js:164:19)
@aws-cdk/aws-cloudfront-origins: Error: integ-runner exited with error code 1
@aws-cdk/aws-cloudfront-origins: Tests failed. Total time (15.1s) | /codebuild/output/src297086622/src/github.com/aws/aws-cdk/node_modules/jest/bin/jest.js (11.9s) | integ-runner (3.2s)

[oieduardorabelo]

@Naumel 🟢

[comcalvi]

lgtm, leaving dnm so @TheRealAmazonKendra can take a look

[comcalvi]

since the only new property is optional, this should be non-breaking

[aws-cdk-automation]

This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

[oieduardorabelo]

PR not abandoned

Pull request has been modified.

[Naumel]

PR not abandoned

👍
Someone from the team has already reviewed and labeled the PR. I'll ping to check if they're available for a follow-up.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 8cc235a
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).