diff --git a/packages/@aws-cdk/aws-apigatewayv2-alpha/lib/http/api.ts b/packages/@aws-cdk/aws-apigatewayv2-alpha/lib/http/api.ts
index 8f052e80c993a..b6d2f6cef2dc8 100644
--- a/packages/@aws-cdk/aws-apigatewayv2-alpha/lib/http/api.ts
+++ b/packages/@aws-cdk/aws-apigatewayv2-alpha/lib/http/api.ts
@@ -17,11 +17,29 @@ import { DomainMappingOptions } from '../common/stage';
 export interface IHttpApi extends IApi {
 /**
 * The identifier of this API Gateway HTTP API.
+ *
 * @attribute
 * @deprecated - use apiId instead
 */
 readonly httpApiId: string;
 
+ /**
+ * Default Authorizer applied to all routes in the gateway.
+ *
+ * @attribute
+ * @default - no default authorizer
+ */
+ readonly defaultAuthorizer?: IHttpRouteAuthorizer;
+
+ /**
+ * Default OIDC scopes attached to all routes in the gateway, unless explicitly configured on the route.
+ * The scopes are used with a COGNITO_USER_POOLS authorizer to authorize the method invocation.
+ *
+ * @attribute
+ * @default - no default authorization scopes
+ */
+ readonly defaultAuthorizationScopes?: string[];
+
 /**
 * Metric for the number of client-side errors captured in a given period.
 *
@@ -125,14 +143,15 @@ export interface HttpApiProps {
 readonly disableExecuteApiEndpoint?: boolean;
 
 /**
- * Default Authorizer to applied to all routes in the gateway
+ * Default Authorizer applied to all routes in the gateway.
 *
- * @default - No authorizer
+ * @default - no default authorizer
 */
 readonly defaultAuthorizer?: IHttpRouteAuthorizer;
 
 /**
 * Default OIDC scopes attached to all routes in the gateway, unless explicitly configured on the route.
+ * The scopes are used with a COGNITO_USER_POOLS authorizer to authorize the method invocation.
 *
 * @default - no default authorization scopes
 */
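Review bot: The doc comment added on `IHttpApi.defaultAuthorizer` says the authorizer is "applied to all routes in the gateway", but the route.ts change in this commit only falls back to it when the route has no authorizer of its own (`props.authorizer ?? this.httpApi.defaultAuthorizer`), so a route can replace it. Readers will take that sentence as a statement about which routes are protected, so I would word it as `Default Authorizer applied to routes that do not configure their own authorizer.`; the same sentence is in the `HttpApiProps` hunk at -125,14. The added scopes sentence names a COGNITO_USER_POOLS authorizer, while the tests added in this commit attach scopes to a route whose `AuthorizationType` is `'JWT'`; that wording looks carried over from elsewhere and should probably name the JWT authorizer instead. Both interfaces continue outside these hunks.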
@@ -340,8 +359,8 @@ export class HttpApi extends HttpApiBase {
 
 private readonly _apiEndpoint: string;
 
- private readonly defaultAuthorizer?: IHttpRouteAuthorizer;
- private readonly defaultAuthorizationScopes?: string[];
+ public readonly defaultAuthorizer?: IHttpRouteAuthorizer;
+ public readonly defaultAuthorizationScopes?: string[];
 
 constructor(scope: Construct, id: string, props?: HttpApiProps) {
 super(scope, id);
diff --git a/packages/@aws-cdk/aws-apigatewayv2-alpha/lib/http/route.ts b/packages/@aws-cdk/aws-apigatewayv2-alpha/lib/http/route.ts
index b7aab0663a2a3..e508ad99a8a0b 100644
--- a/packages/@aws-cdk/aws-apigatewayv2-alpha/lib/http/route.ts
+++ b/packages/@aws-cdk/aws-apigatewayv2-alpha/lib/http/route.ts
@@ -193,7 +193,8 @@ export class HttpRoute extends Resource implements IHttpRoute {
 scope: this,
 });
 
- this.authBindResult = props.authorizer?.bind({
+ const authorizer = props.authorizer ?? this.httpApi.defaultAuthorizer;
+ this.authBindResult = authorizer?.bind({
 route: this,
 scope: this.httpApi instanceof Construct ? this.httpApi : this, // scope under the API if it's not imported
 });
@@ -204,10 +205,10 @@ export class HttpRoute extends Resource implements IHttpRoute {
 
 let authorizationScopes = this.authBindResult?.authorizationScopes;
 
- if (this.authBindResult && props.authorizationScopes) {
+ if (this.authBindResult && (props.authorizationScopes || this.httpApi.defaultAuthorizationScopes)) {
 authorizationScopes = Array.from(new Set([
 ...authorizationScopes ?? [],
- ...props.authorizationScopes,
+ ...props.authorizationScopes ?? this.httpApi.defaultAuthorizationScopes ?? [],
 ]));
 }
 
diff --git a/packages/@aws-cdk/aws-apigatewayv2-alpha/test/http/route.test.ts b/packages/@aws-cdk/aws-apigatewayv2-alpha/test/http/route.test.ts
index ab350186a0afa..d1f3da2d22eff 100644
--- a/packages/@aws-cdk/aws-apigatewayv2-alpha/test/http/route.test.ts
+++ b/packages/@aws-cdk/aws-apigatewayv2-alpha/test/http/route.test.ts
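Review bot: The new fallback in the -193,7 hunk reads `this.httpApi.defaultAuthorizer` from an `IHttpApi` on which the member is optional, and the context line below it shows that `httpApi` may be an imported API; nothing in this diff populates the member for imports, so such a route would presumably still be emitted with no authorizer and no signal at synth time. That is worth stating where the fallback happens, e.g. `// Fall back to the API-level default; undefined for APIs that do not expose one (e.g. imported), in which case the route gets no authorizer.` The change also alters what a directly constructed `HttpRoute` gets on an API that has a default authorizer, so the comment or README should say that an explicit route-level authorizer takes precedence and is the way to opt out. The constructor starts and ends outside this hunk.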
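Review bot: In the -204,10 hunk the guard tests `props.authorizationScopes || this.httpApi.defaultAuthorizationScopes` while the spread picks with `??`, so the precedence rule is written twice with two different operators; they agree today only because an array, even an empty one, is truthy. Resolving it once keeps the two in step: `const configuredScopes = props.authorizationScopes ?? this.httpApi.defaultAuthorizationScopes;`, then `if (this.authBindResult && configuredScopes) {` and `...configuredScopes,`. A short comment should also record that route-level scopes replace the API defaults rather than being merged with them, and that an explicit empty array on the route therefore drops the defaults, since that decides which token scopes a route ends up requiring. The enclosing constructor continues outside the hunk.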
@@ -329,6 +329,96 @@ describe('HttpRoute', () => {
 });
 });
 
+ test('can create route without an authorizer when api has defaultAuthorizer', () => {
+ const stack = new Stack();
+
+ const authorizer = new DummyAuthorizer();
+ const httpApi = new HttpApi(stack, 'HttpApi', {
+ defaultAuthorizer: authorizer,
+ defaultAuthorizationScopes: ['read:books'],
+ });
+
+ const route = new HttpRoute(stack, 'HttpRoute', {
+ httpApi,
+ integration: new DummyIntegration(),
+ routeKey: HttpRouteKey.with('/books', HttpMethod.GET),
+ });
+
+ Template.fromStack(stack).hasResourceProperties('AWS::ApiGatewayV2::Integration', {
+ ApiId: stack.resolve(httpApi.apiId),
+ IntegrationType: 'HTTP_PROXY',
+ PayloadFormatVersion: '2.0',
+ IntegrationUri: 'some-uri',
+ });
+
+ Template.fromStack(stack).resourceCountIs('AWS::ApiGatewayV2::Authorizer', 1);
+ Template.fromStack(stack).hasResourceProperties('AWS::ApiGatewayV2::Route', {
+ AuthorizerId: stack.resolve(authorizer.bind({ scope: stack, route: route }).authorizerId),
+ AuthorizationType: 'JWT',
+ AuthorizationScopes: ['read:books'],
+ });
+ });
+
+ test('authorizationScopes can be applied to route without authorizer when api has defaultAuthorizer', () => {
+ const stack = new Stack();
+
+ const authorizer = new DummyAuthorizer();
+ const httpApi = new HttpApi(stack, 'HttpApi', {
+ defaultAuthorizer: authorizer,
+ });
+
+ const route = new HttpRoute(stack, 'HttpRoute', {
+ httpApi,
+ integration: new DummyIntegration(),
+ routeKey: HttpRouteKey.with('/books', HttpMethod.GET),
+ authorizationScopes: ['read:books'],
+ });
+
+ Template.fromStack(stack).hasResourceProperties('AWS::ApiGatewayV2::Integration', {
+ ApiId: stack.resolve(httpApi.apiId),
+ IntegrationType: 'HTTP_PROXY',
+ PayloadFormatVersion: '2.0',
+ IntegrationUri: 'some-uri',
+ });
+
+ Template.fromStack(stack).resourceCountIs('AWS::ApiGatewayV2::Authorizer', 1);
+ Template.fromStack(stack).hasResourceProperties('AWS::ApiGatewayV2::Route', {
+ AuthorizerId: stack.resolve(authorizer.bind({ scope: stack, route: route }).authorizerId),
+ AuthorizationType: 'JWT',
+ AuthorizationScopes: ['read:books'],
+ });
+ });
+
+ test('defaultAuthorizationScopes can be applied to route', () => {
+ const stack = new Stack();
+
+ const authorizer = new DummyAuthorizer();
+ const httpApi = new HttpApi(stack, 'HttpApi', {
+ defaultAuthorizationScopes: ['read:books'],
+ });
+
+ const route = new HttpRoute(stack, 'HttpRoute', {
+ httpApi,
+ integration: new DummyIntegration(),
+ routeKey: HttpRouteKey.with('/books', HttpMethod.GET),
+ authorizer,
+ });
+
+ Template.fromStack(stack).hasResourceProperties('AWS::ApiGatewayV2::Integration', {
+ ApiId: stack.resolve(httpApi.apiId),
+ IntegrationType: 'HTTP_PROXY',
+ PayloadFormatVersion: '2.0',
+ IntegrationUri: 'some-uri',
+ });
+
+ Template.fromStack(stack).resourceCountIs('AWS::ApiGatewayV2::Authorizer', 1);
+ Template.fromStack(stack).hasResourceProperties('AWS::ApiGatewayV2::Route', {
+ AuthorizerId: stack.resolve(authorizer.bind({ scope: stack, route: route }).authorizerId),
+ AuthorizationType: 'JWT',
+ AuthorizationScopes: ['read:books'],
+ });
+ });
+
 test('can attach additional scopes to a route with an authorizer attached', () => {
 const stack = new Stack();
 const httpApi = new HttpApi(stack, 'HttpApi');
diff --git a/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.lambda.js.snapshot/AuthorizerInteg.assets.json b/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.lambda.js.snapshot/AuthorizerInteg.assets.json
index b1fa6727810e1..08bff1e7a6f72 100644
--- a/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.lambda.js.snapshot/AuthorizerInteg.assets.json
+++ b/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.lambda.js.snapshot/AuthorizerInteg.assets.json
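Review bot: The three added tests each set scopes at only one level, so none of them pins what happens when the API has `defaultAuthorizationScopes` and the route also passes its own `authorizationScopes`, which is the case where the `??` in route.ts replaces the defaults rather than merging them. A fourth test with, say, an API default of `['read:books']` and a route value of `['write:books']` (values constructed for illustration), asserting that only the route's scopes reach `AuthorizationScopes`, would lock that precedence in, assuming `DummyAuthorizer` contributes no scopes of its own; a companion case where the route passes an authorizer different from the API default would do the same for the authorizer fallback. Separately, the `AuthorizerId` expectations call `authorizer.bind(...)` a second time inside the assertion, and `route: route` there can be written `route`. The `describe` block starts and ends outside this hunk.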
@@ -27,7 +27,7 @@ } } }, - "d494d0e4b4be2192ea2cc4c56ea29fa7d0f23e45c006cb05eedae57d8a42cf78": { + "1392f7df97b60ac420a8ba97f1d6ac2f6e984a168d85bb763108846d396c6553": { "source": { "path": "AuthorizerInteg.template.json", "packaging": "file" @@ -35,7 +35,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "d494d0e4b4be2192ea2cc4c56ea29fa7d0f23e45c006cb05eedae57d8a42cf78.json", + "objectKey": "1392f7df97b60ac420a8ba97f1d6ac2f6e984a168d85bb763108846d396c6553.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.lambda.js.snapshot/AuthorizerInteg.template.json b/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.lambda.js.snapshot/AuthorizerInteg.template.json index 57ae669b6f247..002fb57113411 100644 --- a/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.lambda.js.snapshot/AuthorizerInteg.template.json +++ b/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.lambda.js.snapshot/AuthorizerInteg.template.json 
@@ -1,5 +1,58 @@ { "Resources": { + "authfunctionServiceRoleFCB72198": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "authfunction96361832": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "S3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "S3Key": "d7d3785243d748927f2a8d6edcecf909f96191df27a815e305aaeba98bcd2c64.zip" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "authfunctionServiceRoleFCB72198", + "Arn" + ] + }, + "Runtime": "nodejs18.x" + }, + "DependsOn": [ + "authfunctionServiceRoleFCB72198" + ] + }, "MyHttpApi8AEAAC21": { "Type": "AWS::ApiGatewayV2::Api", "Properties": { 
@@ -173,58 +226,101 @@ } } }, - "authfunctionServiceRoleFCB72198": { - "Type": "AWS::IAM::Role", + "MyHttpApiWithDefaultAuthorizerE08800A1": { + "Type": "AWS::ApiGatewayV2::Api", "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ], - "Version": "2012-10-17" + "Name": "MyHttpApiWithDefaultAuthorizer", + "ProtocolType": "HTTP" + } + }, + "MyHttpApiWithDefaultAuthorizerDefaultStage7A9EE9B6": { + "Type": "AWS::ApiGatewayV2::Stage", + "Properties": { + "ApiId": { + "Ref": "MyHttpApiWithDefaultAuthorizerE08800A1" }, - "ManagedPolicyArns": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ] - ] - } - ] + "AutoDeploy": true, + "StageName": "$default" } }, - "authfunction96361832": { - "Type": "AWS::Lambda::Function", + "MyHttpApiWithDefaultAuthorizerLambdaDefaultAuthorizer9D407E65": { + "Type": "AWS::ApiGatewayV2::Authorizer", "Properties": { - "Code": { - "S3Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, - "S3Key": "d7d3785243d748927f2a8d6edcecf909f96191df27a815e305aaeba98bcd2c64.zip" + "ApiId": { + "Ref": "MyHttpApiWithDefaultAuthorizerE08800A1" }, - "Handler": "index.handler", - "Role": { + "AuthorizerPayloadFormatVersion": "2.0", + "AuthorizerResultTtlInSeconds": 300, + "AuthorizerType": "REQUEST", + "AuthorizerUri": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":apigateway:", + { + "Ref": "AWS::Region" + }, + ":lambda:path/2015-03-31/functions/", + { + "Fn::GetAtt": [ + "authfunction96361832", + "Arn" + ] + }, + "/invocations" + ] + ] + }, + "EnableSimpleResponses": true, + "IdentitySource": [ + "$request.header.X-API-Key" + ], + "Name": "my-simple-authorizer" + } + }, + 
"MyHttpApiWithDefaultAuthorizerAuthorizerIntegMyHttpApiWithDefaultAuthorizerLambdaDefaultAuthorizer1BC6EA35Permission700DB59D": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { "Fn::GetAtt": [ - "authfunctionServiceRoleFCB72198", + "authfunction96361832", "Arn" ] }, - "Runtime": "nodejs18.x" - }, - "DependsOn": [ - "authfunctionServiceRoleFCB72198" - ] + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":execute-api:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":", + { + "Ref": "MyHttpApiWithDefaultAuthorizerE08800A1" + }, + "/authorizers/", + { + "Ref": "MyHttpApiWithDefaultAuthorizerLambdaDefaultAuthorizer9D407E65" + } + ] + ] + } + } }, "lambdaServiceRole494E4CA6": { "Type": "AWS::IAM::Role", 
@@ -278,6 +374,83 @@ "DependsOn": [ "lambdaServiceRole494E4CA6" ] + }, + "RouteRootIntegration1CF58575": { + "Type": "AWS::ApiGatewayV2::Integration", + "Properties": { + "ApiId": { + "Ref": "MyHttpApiWithDefaultAuthorizerE08800A1" + }, + "IntegrationType": "AWS_PROXY", + "IntegrationUri": { + "Fn::GetAtt": [ + "lambda8B5974B5", + "Arn" + ] + }, + "PayloadFormatVersion": "2.0" + } + }, + "RouteRootIntegrationPermissionC2C15701": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Fn::GetAtt": [ + "lambda8B5974B5", + "Arn" + ] + }, + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":execute-api:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":", + { + "Ref": "MyHttpApiWithDefaultAuthorizerE08800A1" + }, + "/*/*/v1/mything/{proxy+}" + ] + ] + } + } + }, + "RouteA67450D2": { + "Type": "AWS::ApiGatewayV2::Route", + "Properties": { + "ApiId": { + "Ref": "MyHttpApiWithDefaultAuthorizerE08800A1" + }, + "AuthorizationType": "CUSTOM", + "AuthorizerId": { + "Ref": "MyHttpApiWithDefaultAuthorizerLambdaDefaultAuthorizer9D407E65" + }, + "RouteKey": "ANY /v1/mything/{proxy+}", + "Target": { + "Fn::Join": [ + "", + [ + "integrations/", + { + "Ref": "RouteRootIntegration1CF58575" + } + ] + ] + } + } } }, "Outputs": { @@ -302,6 +475,28 @@ ] ] } + }, + "URLWithDefaultAuthorizer": { + "Value": { + "Fn::Join": [ + "", + [ + "https://", + { + "Ref": "MyHttpApiWithDefaultAuthorizerE08800A1" + }, + ".execute-api.", + { + "Ref": "AWS::Region" + }, + ".", + { + "Ref": "AWS::URLSuffix" + }, + "/" + ] + ] + } } }, "Parameters": { diff --git a/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.lambda.js.snapshot/manifest.json b/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.lambda.js.snapshot/manifest.json index d32c16945289f..9636d2c7f226b 100644 
--- a/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.lambda.js.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.lambda.js.snapshot/manifest.json @@ -14,10 +14,11 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "AuthorizerInteg.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/d494d0e4b4be2192ea2cc4c56ea29fa7d0f23e45c006cb05eedae57d8a42cf78.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/1392f7df97b60ac420a8ba97f1d6ac2f6e984a168d85bb763108846d396c6553.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -33,6 +34,18 @@ "AuthorizerInteg.assets" ], "metadata": { + "/AuthorizerInteg/auth-function/ServiceRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "authfunctionServiceRoleFCB72198" + } + ], + "/AuthorizerInteg/auth-function/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "authfunction96361832" + } + ], "/AuthorizerInteg/MyHttpApi/Resource": [ { "type": "aws:cdk:logicalId", 
@@ -75,16 +88,28 @@ "data": "MyHttpApiAuthorizerIntegMyHttpApiLambdaAuthorizerB89228D7Permission82260331" } ], - "/AuthorizerInteg/auth-function/ServiceRole/Resource": [ + "/AuthorizerInteg/MyHttpApiWithDefaultAuthorizer/Resource": [ { "type": "aws:cdk:logicalId", - "data": "authfunctionServiceRoleFCB72198" + "data": "MyHttpApiWithDefaultAuthorizerE08800A1" } ], - "/AuthorizerInteg/auth-function/Resource": [ + "/AuthorizerInteg/MyHttpApiWithDefaultAuthorizer/DefaultStage/Resource": [ { "type": "aws:cdk:logicalId", - "data": "authfunction96361832" + "data": "MyHttpApiWithDefaultAuthorizerDefaultStage7A9EE9B6" + } + ], + "/AuthorizerInteg/MyHttpApiWithDefaultAuthorizer/LambdaDefaultAuthorizer/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "MyHttpApiWithDefaultAuthorizerLambdaDefaultAuthorizer9D407E65" + } + ], + "/AuthorizerInteg/MyHttpApiWithDefaultAuthorizer/AuthorizerIntegMyHttpApiWithDefaultAuthorizerLambdaDefaultAuthorizer1BC6EA35-Permission": [ + { + "type": "aws:cdk:logicalId", + "data": "MyHttpApiWithDefaultAuthorizerAuthorizerIntegMyHttpApiWithDefaultAuthorizerLambdaDefaultAuthorizer1BC6EA35Permission700DB59D" } ], "/AuthorizerInteg/lambda/ServiceRole/Resource": [ @@ -99,12 +124,36 @@ "data": "lambda8B5974B5" } ], + "/AuthorizerInteg/Route/RootIntegration/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "RouteRootIntegration1CF58575" + } + ], + "/AuthorizerInteg/Route/RootIntegration-Permission": [ + { + "type": "aws:cdk:logicalId", + "data": "RouteRootIntegrationPermissionC2C15701" + } + ], + "/AuthorizerInteg/Route/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "RouteA67450D2" + } + ], "/AuthorizerInteg/URL": [ { "type": "aws:cdk:logicalId", "data": "URL" } ], + "/AuthorizerInteg/URLWithDefaultAuthorizer": [ + { + "type": "aws:cdk:logicalId", + "data": "URLWithDefaultAuthorizer" + } + ], "/AuthorizerInteg/BootstrapVersion": [ { "type": "aws:cdk:logicalId", 
diff --git a/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.lambda.js.snapshot/tree.json b/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.lambda.js.snapshot/tree.json index f1f64644ef4af..996df67fee0c0 100644 --- a/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.lambda.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.lambda.js.snapshot/tree.json 
@@ -8,6 +8,126 @@ "id": "AuthorizerInteg", "path": "AuthorizerInteg", "children": { + "auth-function": { + "id": "auth-function", + "path": "AuthorizerInteg/auth-function", + "children": { + "ServiceRole": { + "id": "ServiceRole", + "path": "AuthorizerInteg/auth-function/ServiceRole", + "children": { + "ImportServiceRole": { + "id": "ImportServiceRole", + "path": "AuthorizerInteg/auth-function/ServiceRole/ImportServiceRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "AuthorizerInteg/auth-function/ServiceRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "managedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "Code": { + "id": "Code", + "path": "AuthorizerInteg/auth-function/Code", + "children": { + "Stage": { + "id": "Stage", + "path": "AuthorizerInteg/auth-function/Code/Stage", + "constructInfo": { + "fqn": "aws-cdk-lib.AssetStaging", + "version": "0.0.0" + } + }, + "AssetBucket": { + "id": "AssetBucket", + "path": "AuthorizerInteg/auth-function/Code/AssetBucket", + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3.BucketBase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_s3_assets.Asset", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "AuthorizerInteg/auth-function/Resource", + "attributes": { + "aws:cdk:cloudformation:type": 
"AWS::Lambda::Function", + "aws:cdk:cloudformation:props": { + "code": { + "s3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "s3Key": "d7d3785243d748927f2a8d6edcecf909f96191df27a815e305aaeba98bcd2c64.zip" + }, + "handler": "index.handler", + "role": { + "Fn::GetAtt": [ + "authfunctionServiceRoleFCB72198", + "Arn" + ] + }, + "runtime": "nodejs18.x" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnFunction", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.Function", + "version": "0.0.0" + } + }, "MyHttpApi": { "id": "MyHttpApi", "path": "AuthorizerInteg/MyHttpApi", @@ -51,7 +171,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-apigatewayv2-alpha.HttpStage", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -89,7 +209,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-apigatewayv2-alpha.HttpIntegration", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -172,7 +292,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-apigatewayv2-alpha.HttpRoute", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -229,7 +349,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-apigatewayv2-alpha.HttpAuthorizer", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, 
@@ -283,127 +403,165 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-apigatewayv2-alpha.HttpApi", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, - "auth-function": { - "id": "auth-function", - "path": "AuthorizerInteg/auth-function", + "MyHttpApiWithDefaultAuthorizer": { + "id": "MyHttpApiWithDefaultAuthorizer", + "path": "AuthorizerInteg/MyHttpApiWithDefaultAuthorizer", "children": { - "ServiceRole": { - "id": "ServiceRole", - "path": "AuthorizerInteg/auth-function/ServiceRole", + "Resource": { + "id": "Resource", + "path": "AuthorizerInteg/MyHttpApiWithDefaultAuthorizer/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::ApiGatewayV2::Api", + "aws:cdk:cloudformation:props": { + "name": "MyHttpApiWithDefaultAuthorizer", + "protocolType": "HTTP" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_apigatewayv2.CfnApi", + "version": "0.0.0" + } + }, + "DefaultStage": { + "id": "DefaultStage", + "path": "AuthorizerInteg/MyHttpApiWithDefaultAuthorizer/DefaultStage", "children": { - "ImportServiceRole": { - "id": "ImportServiceRole", - "path": "AuthorizerInteg/auth-function/ServiceRole/ImportServiceRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, "Resource": { "id": "Resource", - "path": "AuthorizerInteg/auth-function/ServiceRole/Resource", + "path": "AuthorizerInteg/MyHttpApiWithDefaultAuthorizer/DefaultStage/Resource", "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:type": "AWS::ApiGatewayV2::Stage", "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ], - "Version": "2012-10-17" + "apiId": { + "Ref": "MyHttpApiWithDefaultAuthorizerE08800A1" }, - "managedPolicyArns": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - 
] - ] - } - ] + "autoDeploy": true, + "stageName": "$default" } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "fqn": "aws-cdk-lib.aws_apigatewayv2.CfnStage", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, - "Code": { - "id": "Code", - "path": "AuthorizerInteg/auth-function/Code", + "LambdaDefaultAuthorizer": { + "id": "LambdaDefaultAuthorizer", + "path": "AuthorizerInteg/MyHttpApiWithDefaultAuthorizer/LambdaDefaultAuthorizer", "children": { - "Stage": { - "id": "Stage", - "path": "AuthorizerInteg/auth-function/Code/Stage", - "constructInfo": { - "fqn": "aws-cdk-lib.AssetStaging", - "version": "0.0.0" - } - }, - "AssetBucket": { - "id": "AssetBucket", - "path": "AuthorizerInteg/auth-function/Code/AssetBucket", + "Resource": { + "id": "Resource", + "path": "AuthorizerInteg/MyHttpApiWithDefaultAuthorizer/LambdaDefaultAuthorizer/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::ApiGatewayV2::Authorizer", + "aws:cdk:cloudformation:props": { + "apiId": { + "Ref": "MyHttpApiWithDefaultAuthorizerE08800A1" + }, + "authorizerPayloadFormatVersion": "2.0", + "authorizerResultTtlInSeconds": 300, + "authorizerType": "REQUEST", + "authorizerUri": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":apigateway:", + { + "Ref": "AWS::Region" + }, + ":lambda:path/2015-03-31/functions/", + { + "Fn::GetAtt": [ + "authfunction96361832", + "Arn" + ] + }, + "/invocations" + ] + ] + }, + "enableSimpleResponses": true, + "identitySource": [ + "$request.header.X-API-Key" + ], + "name": "my-simple-authorizer" + } + }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketBase", + "fqn": "aws-cdk-lib.aws_apigatewayv2.CfnAuthorizer", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3_assets.Asset", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, - "Resource": { - "id": "Resource", - "path": 
"AuthorizerInteg/auth-function/Resource", + "AuthorizerIntegMyHttpApiWithDefaultAuthorizerLambdaDefaultAuthorizer1BC6EA35-Permission": { + "id": "AuthorizerIntegMyHttpApiWithDefaultAuthorizerLambdaDefaultAuthorizer1BC6EA35-Permission", + "path": "AuthorizerInteg/MyHttpApiWithDefaultAuthorizer/AuthorizerIntegMyHttpApiWithDefaultAuthorizerLambdaDefaultAuthorizer1BC6EA35-Permission", "attributes": { - "aws:cdk:cloudformation:type": "AWS::Lambda::Function", + "aws:cdk:cloudformation:type": "AWS::Lambda::Permission", "aws:cdk:cloudformation:props": { - "code": { - "s3Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, - "s3Key": "d7d3785243d748927f2a8d6edcecf909f96191df27a815e305aaeba98bcd2c64.zip" - }, - "handler": "index.handler", - "role": { + "action": "lambda:InvokeFunction", + "functionName": { "Fn::GetAtt": [ - "authfunctionServiceRoleFCB72198", + "authfunction96361832", "Arn" ] }, - "runtime": "nodejs18.x" + "principal": "apigateway.amazonaws.com", + "sourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":execute-api:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":", + { + "Ref": "MyHttpApiWithDefaultAuthorizerE08800A1" + }, + "/authorizers/", + { + "Ref": "MyHttpApiWithDefaultAuthorizerLambdaDefaultAuthorizer9D407E65" + } + ] + ] + } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_lambda.CfnFunction", + "fqn": "aws-cdk-lib.aws_lambda.CfnPermission", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_lambda.Function", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, 
@@ -527,6 +685,127 @@ "version": "0.0.0" } }, + "Route": { + "id": "Route", + "path": "AuthorizerInteg/Route", + "children": { + "RootIntegration": { + "id": "RootIntegration", + "path": "AuthorizerInteg/Route/RootIntegration", + "children": { + "Resource": { + "id": "Resource", + "path": "AuthorizerInteg/Route/RootIntegration/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::ApiGatewayV2::Integration", + "aws:cdk:cloudformation:props": { + "apiId": { + "Ref": "MyHttpApiWithDefaultAuthorizerE08800A1" + }, + "integrationType": "AWS_PROXY", + "integrationUri": { + "Fn::GetAtt": [ + "lambda8B5974B5", + "Arn" + ] + }, + "payloadFormatVersion": "2.0" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_apigatewayv2.CfnIntegration", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "RootIntegration-Permission": { + "id": "RootIntegration-Permission", + "path": "AuthorizerInteg/Route/RootIntegration-Permission", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::Permission", + "aws:cdk:cloudformation:props": { + "action": "lambda:InvokeFunction", + "functionName": { + "Fn::GetAtt": [ + "lambda8B5974B5", + "Arn" + ] + }, + "principal": "apigateway.amazonaws.com", + "sourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":execute-api:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":", + { + "Ref": "MyHttpApiWithDefaultAuthorizerE08800A1" + }, + "/*/*/v1/mything/{proxy+}" + ] + ] + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnPermission", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "AuthorizerInteg/Route/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::ApiGatewayV2::Route", + "aws:cdk:cloudformation:props": { + "apiId": { + "Ref": "MyHttpApiWithDefaultAuthorizerE08800A1" + }, + "authorizationType": "CUSTOM", + "authorizerId": { + 
"Ref": "MyHttpApiWithDefaultAuthorizerLambdaDefaultAuthorizer9D407E65" + }, + "routeKey": "ANY /v1/mything/{proxy+}", + "target": { + "Fn::Join": [ + "", + [ + "integrations/", + { + "Ref": "RouteRootIntegration1CF58575" + } + ] + ] + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_apigatewayv2.CfnRoute", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, "URL": { "id": "URL", "path": "AuthorizerInteg/URL", @@ -535,6 +814,14 @@ "version": "0.0.0" } }, + "URLWithDefaultAuthorizer": { + "id": "URLWithDefaultAuthorizer", + "path": "AuthorizerInteg/URLWithDefaultAuthorizer", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnOutput", + "version": "0.0.0" + } + }, "BootstrapVersion": { "id": "BootstrapVersion", "path": "AuthorizerInteg/BootstrapVersion",
diff --git a/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.lambda.ts b/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.lambda.ts
index 0cf9f20f4a71a..3b6da9a8ee8e4 100644
--- a/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.lambda.ts
+++ b/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.lambda.ts
@@ -1,5 +1,5 @@
 import * as path from 'path';
-import { HttpApi, HttpMethod } from '@aws-cdk/aws-apigatewayv2-alpha';
+import { HttpApi, HttpMethod, HttpRoute, HttpRouteKey } from '@aws-cdk/aws-apigatewayv2-alpha';
 import { HttpLambdaIntegration } from '@aws-cdk/aws-apigatewayv2-integrations-alpha';
 import * as lambda from 'aws-cdk-lib/aws-lambda';
 import { App, Stack, CfnOutput } from 'aws-cdk-lib';
@@ -15,8 +15,6 @@ import { HttpLambdaAuthorizer, HttpLambdaResponseType } from '../../lib';
 const app = new App();
 const stack = new Stack(app, 'AuthorizerInteg');
 
-const httpApi = new HttpApi(stack, 'MyHttpApi');
-
 const authHandler = new lambda.Function(stack, 'auth-function', {
 runtime: lambda.Runtime.NODEJS_18_X,
 handler: 'index.handler',
@@ -29,6 +27,17 @@ const authorizer = new HttpLambdaAuthorizer('LambdaAuthorizer', authHandler, {
 responseTypes: [HttpLambdaResponseType.SIMPLE],
 });
 
+const defaultAuthorizer = new HttpLambdaAuthorizer('LambdaDefaultAuthorizer', authHandler, {
+ authorizerName: 'my-simple-authorizer',
+ identitySource: ['$request.header.X-API-Key'],
+ responseTypes: [HttpLambdaResponseType.SIMPLE],
+});
+
+const httpApi = new HttpApi(stack, 'MyHttpApi');
+const httpApiWithDefaultAuthorizer = new HttpApi(stack, 'MyHttpApiWithDefaultAuthorizer', {
+ defaultAuthorizer,
+});
+
 const handler = new lambda.Function(stack, 'lambda', {
 runtime: lambda.Runtime.NODEJS_18_X,
 handler: 'index.handler',
@@ -42,6 +51,15 @@ httpApi.addRoutes({
 authorizer,
 });
 
+new HttpRoute(stack, 'Route', {
+ httpApi: httpApiWithDefaultAuthorizer,
+ routeKey: HttpRouteKey.with('/v1/mything/{proxy+}', HttpMethod.ANY),
+ integration: new HttpLambdaIntegration('RootIntegration', handler),
+});
+
 new CfnOutput(stack, 'URL', {
 value: httpApi.url!,
 });
+new CfnOutput(stack, 'URLWithDefaultAuthorizer', {
+ value: httpApiWithDefaultAuthorizer.url!,
+});
\ No newline at end of file
diff --git a/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.user-pool.js.snapshot/AuthorizerInteg.assets.json b/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.user-pool.js.snapshot/AuthorizerInteg.assets.json
index 2f81bb685edcc..523c011b3c99d 100644
--- a/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.user-pool.js.snapshot/AuthorizerInteg.assets.json
+++ b/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.user-pool.js.snapshot/AuthorizerInteg.assets.json
@@ -14,7 +14,7 @@ } } }, - "0847c0b726780e7b084297b7c2323b91c608e241e019e9d3e0bf62fcfd673c8d": { + "8e1b12f5d12c6de951105961b92d6c971a32d4cbbc394e1542bcbedf77450978": { "source": { "path": "AuthorizerInteg.template.json", "packaging": "file"
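Review bot: The new `HttpRoute` in the -42,6 hunk is the only thing in this integ stack that exercises the default-authorizer fallback, and it does so by omitting `authorizer`, which a later edit could easily "fix" without noticing the intent. A one-line comment above it, such as `// no authorizer here on purpose: the route should pick up the API's defaultAuthorizer`, would make that explicit. The hunk also leaves the file without a trailing newline (`\ No newline at end of file`).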
@@ -22,7 +22,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "0847c0b726780e7b084297b7c2323b91c608e241e019e9d3e0bf62fcfd673c8d.json", + "objectKey": "8e1b12f5d12c6de951105961b92d6c971a32d4cbbc394e1542bcbedf77450978.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.user-pool.js.snapshot/AuthorizerInteg.template.json b/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.user-pool.js.snapshot/AuthorizerInteg.template.json index 10025f453c775..e3d22ec70cf41 100644 --- a/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.user-pool.js.snapshot/AuthorizerInteg.template.json +++ b/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.user-pool.js.snapshot/AuthorizerInteg.template.json 
@@ -1,5 +1,119 @@ { "Resources": { + "userpool0AC4AA96": { + "Type": "AWS::Cognito::UserPool", + "Properties": { + "AccountRecoverySetting": { + "RecoveryMechanisms": [ + { + "Name": "verified_phone_number", + "Priority": 1 + }, + { + "Name": "verified_email", + "Priority": 2 + } + ] + }, + "AdminCreateUserConfig": { + "AllowAdminCreateUserOnly": true + }, + "EmailVerificationMessage": "The verification code to your new account is {####}", + "EmailVerificationSubject": "Verify your new account", + "SmsVerificationMessage": "The verification code to your new account is {####}", + "VerificationMessageTemplate": { + "DefaultEmailOption": "CONFIRM_WITH_CODE", + "EmailMessage": "The verification code to your new account is {####}", + "EmailSubject": "Verify your new account", + "SmsMessage": "The verification code to your new account is {####}" + } + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "userpoolUserPoolAuthorizerClient6A7486E8": { + "Type": "AWS::Cognito::UserPoolClient", + "Properties": { + "AllowedOAuthFlows": [ + "implicit", + "code" + ], + "AllowedOAuthFlowsUserPoolClient": true, + "AllowedOAuthScopes": [ + "profile", + "phone", + "email", + "openid", + "aws.cognito.signin.user.admin" + ], + "CallbackURLs": [ + "https://example.com" + ], + "SupportedIdentityProviders": [ + "COGNITO" + ], + "UserPoolId": { + "Ref": "userpool0AC4AA96" + } + } + }, + "userpoolForDefaultAuthorizerDFBE8E74": { + "Type": "AWS::Cognito::UserPool", + "Properties": { + "AccountRecoverySetting": { + "RecoveryMechanisms": [ + { + "Name": "verified_phone_number", + "Priority": 1 + }, + { + "Name": "verified_email", + "Priority": 2 + } + ] + }, + "AdminCreateUserConfig": { + "AllowAdminCreateUserOnly": true + }, + "EmailVerificationMessage": "The verification code to your new account is {####}", + "EmailVerificationSubject": "Verify your new account", + "SmsVerificationMessage": "The verification code to your new account is {####}", + 
"VerificationMessageTemplate": { + "DefaultEmailOption": "CONFIRM_WITH_CODE", + "EmailMessage": "The verification code to your new account is {####}", + "EmailSubject": "Verify your new account", + "SmsMessage": "The verification code to your new account is {####}" + } + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "userpoolForDefaultAuthorizerUserPoolAuthorizerClient3AA110E7": { + "Type": "AWS::Cognito::UserPoolClient", + "Properties": { + "AllowedOAuthFlows": [ + "implicit", + "code" + ], + "AllowedOAuthFlowsUserPoolClient": true, + "AllowedOAuthScopes": [ + "profile", + "phone", + "email", + "openid", + "aws.cognito.signin.user.admin" + ], + "CallbackURLs": [ + "https://example.com" + ], + "SupportedIdentityProviders": [ + "COGNITO" + ], + "UserPoolId": { + "Ref": "userpoolForDefaultAuthorizerDFBE8E74" + } + } + }, "MyHttpApi8AEAAC21": { "Type": "AWS::ApiGatewayV2::Api", "Properties": { 
@@ -129,61 +243,56 @@ "Name": "UserPoolAuthorizer" } }, - "userpool0AC4AA96": { - "Type": "AWS::Cognito::UserPool", + "MyHttpApiWithDefaultAuthorizerE08800A1": { + "Type": "AWS::ApiGatewayV2::Api", "Properties": { - "AccountRecoverySetting": { - "RecoveryMechanisms": [ - { - "Name": "verified_phone_number", - "Priority": 1 - }, - { - "Name": "verified_email", - "Priority": 2 - } - ] - }, - "AdminCreateUserConfig": { - "AllowAdminCreateUserOnly": true + "Name": "MyHttpApiWithDefaultAuthorizer", + "ProtocolType": "HTTP" + } + }, + "MyHttpApiWithDefaultAuthorizerDefaultStage7A9EE9B6": { + "Type": "AWS::ApiGatewayV2::Stage", + "Properties": { + "ApiId": { + "Ref": "MyHttpApiWithDefaultAuthorizerE08800A1" }, - "EmailVerificationMessage": "The verification code to your new account is {####}", - "EmailVerificationSubject": "Verify your new account", - "SmsVerificationMessage": "The verification code to your new account is {####}", - "VerificationMessageTemplate": { - "DefaultEmailOption": "CONFIRM_WITH_CODE", - "EmailMessage": "The verification code to your new account is {####}", - "EmailSubject": "Verify your new account", - "SmsMessage": "The verification code to your new account is {####}" - } - }, - "UpdateReplacePolicy": "Retain", - "DeletionPolicy": "Retain" + "AutoDeploy": true, + "StageName": "$default" + } }, - "userpoolUserPoolAuthorizerClient6A7486E8": { - "Type": "AWS::Cognito::UserPoolClient", + "MyHttpApiWithDefaultAuthorizerUserPoolDefaultAuthorizerF10D4FFF": { + "Type": "AWS::ApiGatewayV2::Authorizer", "Properties": { - "AllowedOAuthFlows": [ - "implicit", - "code" - ], - "AllowedOAuthFlowsUserPoolClient": true, - "AllowedOAuthScopes": [ - "profile", - "phone", - "email", - "openid", - "aws.cognito.signin.user.admin" - ], - "CallbackURLs": [ - "https://example.com" - ], - "SupportedIdentityProviders": [ - "COGNITO" + "ApiId": { + "Ref": "MyHttpApiWithDefaultAuthorizerE08800A1" + }, + "AuthorizerType": "JWT", + "IdentitySource": [ + 
"$request.header.Authorization" ], - "UserPoolId": { - "Ref": "userpool0AC4AA96" - } + "JwtConfiguration": { + "Audience": [ + { + "Ref": "userpoolForDefaultAuthorizerUserPoolAuthorizerClient3AA110E7" + } + ], + "Issuer": { + "Fn::Join": [ + "", + [ + "https://cognito-idp.", + { + "Ref": "AWS::Region" + }, + ".amazonaws.com/", + { + "Ref": "userpoolForDefaultAuthorizerDFBE8E74" + } + ] + ] + } + }, + "Name": "UserPoolDefaultAuthorizer" } }, "lambdaServiceRole494E4CA6": { @@ -238,6 +347,87 @@ "DependsOn": [ "lambdaServiceRole494E4CA6" ] + }, + "RouteRootIntegration1CF58575": { + "Type": "AWS::ApiGatewayV2::Integration", + "Properties": { + "ApiId": { + "Ref": "MyHttpApiWithDefaultAuthorizerE08800A1" + }, + "IntegrationType": "AWS_PROXY", + "IntegrationUri": { + "Fn::GetAtt": [ + "lambda8B5974B5", + "Arn" + ] + }, + "PayloadFormatVersion": "2.0" + } + }, + "RouteRootIntegrationPermissionC2C15701": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Fn::GetAtt": [ + "lambda8B5974B5", + "Arn" + ] + }, + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":execute-api:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":", + { + "Ref": "MyHttpApiWithDefaultAuthorizerE08800A1" + }, + "/*/*/v1/mything/{proxy+}" + ] + ] + } + } + }, + "RouteA67450D2": { + "Type": "AWS::ApiGatewayV2::Route", + "Properties": { + "ApiId": { + "Ref": "MyHttpApiWithDefaultAuthorizerE08800A1" + }, + "AuthorizationScopes": [ + "scope1", + "scope2" + ], + "AuthorizationType": "JWT", + "AuthorizerId": { + "Ref": "MyHttpApiWithDefaultAuthorizerUserPoolDefaultAuthorizerF10D4FFF" + }, + "RouteKey": "ANY /v1/mything/{proxy+}", + "Target": { + "Fn::Join": [ + "", + [ + "integrations/", + { + "Ref": "RouteRootIntegration1CF58575" + } + ] + ] + } + } } }, "Parameters": { 
diff --git a/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.user-pool.js.snapshot/manifest.json b/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.user-pool.js.snapshot/manifest.json index e49fb7a2dec7c..85761c96e101e 100644 --- a/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.user-pool.js.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.user-pool.js.snapshot/manifest.json @@ -14,10 +14,11 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "AuthorizerInteg.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/0847c0b726780e7b084297b7c2323b91c608e241e019e9d3e0bf62fcfd673c8d.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/8e1b12f5d12c6de951105961b92d6c971a32d4cbbc394e1542bcbedf77450978.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ 
@@ -33,6 +34,30 @@ "AuthorizerInteg.assets" ], "metadata": { + "/AuthorizerInteg/userpool/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "userpool0AC4AA96" + } + ], + "/AuthorizerInteg/userpool/UserPoolAuthorizerClient/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "userpoolUserPoolAuthorizerClient6A7486E8" + } + ], + "/AuthorizerInteg/userpoolForDefaultAuthorizer/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "userpoolForDefaultAuthorizerDFBE8E74" + } + ], + "/AuthorizerInteg/userpoolForDefaultAuthorizer/UserPoolAuthorizerClient/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "userpoolForDefaultAuthorizerUserPoolAuthorizerClient3AA110E7" + } + ], "/AuthorizerInteg/MyHttpApi/Resource": [ { "type": "aws:cdk:logicalId", @@ -69,16 +94,22 @@ "data": "MyHttpApiUserPoolAuthorizer8754262B" } ], - "/AuthorizerInteg/userpool/Resource": [ + "/AuthorizerInteg/MyHttpApiWithDefaultAuthorizer/Resource": [ { "type": "aws:cdk:logicalId", - "data": "userpool0AC4AA96" + "data": "MyHttpApiWithDefaultAuthorizerE08800A1" } ], - "/AuthorizerInteg/userpool/UserPoolAuthorizerClient/Resource": [ + "/AuthorizerInteg/MyHttpApiWithDefaultAuthorizer/DefaultStage/Resource": [ { "type": "aws:cdk:logicalId", - "data": "userpoolUserPoolAuthorizerClient6A7486E8" + "data": "MyHttpApiWithDefaultAuthorizerDefaultStage7A9EE9B6" + } + ], + "/AuthorizerInteg/MyHttpApiWithDefaultAuthorizer/UserPoolDefaultAuthorizer/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "MyHttpApiWithDefaultAuthorizerUserPoolDefaultAuthorizerF10D4FFF" } ], "/AuthorizerInteg/lambda/ServiceRole/Resource": [ 
@@ -93,6 +124,24 @@ "data": "lambda8B5974B5" } ], + "/AuthorizerInteg/Route/RootIntegration/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "RouteRootIntegration1CF58575" + } + ], + "/AuthorizerInteg/Route/RootIntegration-Permission": [ + { + "type": "aws:cdk:logicalId", + "data": "RouteRootIntegrationPermissionC2C15701" + } + ], + "/AuthorizerInteg/Route/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "RouteA67450D2" + } + ], "/AuthorizerInteg/BootstrapVersion": [ { "type": "aws:cdk:logicalId", diff --git a/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.user-pool.js.snapshot/tree.json b/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.user-pool.js.snapshot/tree.json index dbcc561a94515..7dd213178bc9c 100644 --- a/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.user-pool.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.user-pool.js.snapshot/tree.json 
@@ -8,6 +8,188 @@ "id": "AuthorizerInteg", "path": "AuthorizerInteg", "children": { + "userpool": { + "id": "userpool", + "path": "AuthorizerInteg/userpool", + "children": { + "Resource": { + "id": "Resource", + "path": "AuthorizerInteg/userpool/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Cognito::UserPool", + "aws:cdk:cloudformation:props": { + "accountRecoverySetting": { + "recoveryMechanisms": [ + { + "name": "verified_phone_number", + "priority": 1 + }, + { + "name": "verified_email", + "priority": 2 + } + ] + }, + "adminCreateUserConfig": { + "allowAdminCreateUserOnly": true + }, + "emailVerificationMessage": "The verification code to your new account is {####}", + "emailVerificationSubject": "Verify your new account", + "smsVerificationMessage": "The verification code to your new account is {####}", + "verificationMessageTemplate": { + "defaultEmailOption": "CONFIRM_WITH_CODE", + "emailMessage": "The verification code to your new account is {####}", + "emailSubject": "Verify your new account", + "smsMessage": "The verification code to your new account is {####}" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.2.70" + } + }, + "UserPoolAuthorizerClient": { + "id": "UserPoolAuthorizerClient", + "path": "AuthorizerInteg/userpool/UserPoolAuthorizerClient", + "children": { + "Resource": { + "id": "Resource", + "path": "AuthorizerInteg/userpool/UserPoolAuthorizerClient/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Cognito::UserPoolClient", + "aws:cdk:cloudformation:props": { + "allowedOAuthFlows": [ + "implicit", + "code" + ], + "allowedOAuthFlowsUserPoolClient": true, + "allowedOAuthScopes": [ + "profile", + "phone", + "email", + "openid", + "aws.cognito.signin.user.admin" + ], + "callbackUrLs": [ + "https://example.com" + ], + "supportedIdentityProviders": [ + "COGNITO" + ], + "userPoolId": { + "Ref": "userpool0AC4AA96" + } + } + }, + "constructInfo": { + "fqn": 
"constructs.Construct", + "version": "10.2.70" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.2.70" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.2.70" + } + }, + "userpoolForDefaultAuthorizer": { + "id": "userpoolForDefaultAuthorizer", + "path": "AuthorizerInteg/userpoolForDefaultAuthorizer", + "children": { + "Resource": { + "id": "Resource", + "path": "AuthorizerInteg/userpoolForDefaultAuthorizer/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Cognito::UserPool", + "aws:cdk:cloudformation:props": { + "accountRecoverySetting": { + "recoveryMechanisms": [ + { + "name": "verified_phone_number", + "priority": 1 + }, + { + "name": "verified_email", + "priority": 2 + } + ] + }, + "adminCreateUserConfig": { + "allowAdminCreateUserOnly": true + }, + "emailVerificationMessage": "The verification code to your new account is {####}", + "emailVerificationSubject": "Verify your new account", + "smsVerificationMessage": "The verification code to your new account is {####}", + "verificationMessageTemplate": { + "defaultEmailOption": "CONFIRM_WITH_CODE", + "emailMessage": "The verification code to your new account is {####}", + "emailSubject": "Verify your new account", + "smsMessage": "The verification code to your new account is {####}" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.2.70" + } + }, + "UserPoolAuthorizerClient": { + "id": "UserPoolAuthorizerClient", + "path": "AuthorizerInteg/userpoolForDefaultAuthorizer/UserPoolAuthorizerClient", + "children": { + "Resource": { + "id": "Resource", + "path": "AuthorizerInteg/userpoolForDefaultAuthorizer/UserPoolAuthorizerClient/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Cognito::UserPoolClient", + "aws:cdk:cloudformation:props": { + "allowedOAuthFlows": [ + "implicit", + "code" + ], + "allowedOAuthFlowsUserPoolClient": true, + "allowedOAuthScopes": [ + "profile", + "phone", 
+ "email", + "openid", + "aws.cognito.signin.user.admin" + ], + "callbackUrLs": [ + "https://example.com" + ], + "supportedIdentityProviders": [ + "COGNITO" + ], + "userPoolId": { + "Ref": "userpoolForDefaultAuthorizerDFBE8E74" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.2.70" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.2.70" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.2.70" + } + }, "MyHttpApi": { "id": "MyHttpApi", "path": "AuthorizerInteg/MyHttpApi", @@ -23,8 +205,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_apigatewayv2.CfnApi", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" } }, "DefaultStage": { @@ -45,14 +227,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_apigatewayv2.CfnStage", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-apigatewayv2-alpha.HttpStage", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" } }, "GET--": { @@ -83,14 +265,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_apigatewayv2.CfnIntegration", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-apigatewayv2-alpha.HttpIntegration", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" } }, "RootIntegratin-Permission": { @@ -134,8 +316,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_lambda.CfnPermission", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" } }, "Resource": { 
@@ -166,14 +348,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_apigatewayv2.CfnRoute", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-apigatewayv2-alpha.HttpRoute", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" } }, "UserPoolAuthorizer": { 
@@ -219,111 +401,126 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_apigatewayv2.CfnAuthorizer", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-apigatewayv2-alpha.HttpAuthorizer", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-apigatewayv2-alpha.HttpApi", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" } }, - "userpool": { - "id": "userpool", - "path": "AuthorizerInteg/userpool", + "MyHttpApiWithDefaultAuthorizer": { + "id": "MyHttpApiWithDefaultAuthorizer", + "path": "AuthorizerInteg/MyHttpApiWithDefaultAuthorizer", "children": { "Resource": { "id": "Resource", - "path": "AuthorizerInteg/userpool/Resource", + "path": "AuthorizerInteg/MyHttpApiWithDefaultAuthorizer/Resource", "attributes": { - "aws:cdk:cloudformation:type": "AWS::Cognito::UserPool", + "aws:cdk:cloudformation:type": "AWS::ApiGatewayV2::Api", "aws:cdk:cloudformation:props": { - "accountRecoverySetting": { - "recoveryMechanisms": [ - { - "name": "verified_phone_number", - "priority": 1 + "name": "MyHttpApiWithDefaultAuthorizer", + "protocolType": "HTTP" + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.2.70" + } + }, + "DefaultStage": { + "id": "DefaultStage", + "path": "AuthorizerInteg/MyHttpApiWithDefaultAuthorizer/DefaultStage", + "children": { + "Resource": { + "id": "Resource", + "path": "AuthorizerInteg/MyHttpApiWithDefaultAuthorizer/DefaultStage/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::ApiGatewayV2::Stage", + "aws:cdk:cloudformation:props": { + "apiId": { + "Ref": "MyHttpApiWithDefaultAuthorizerE08800A1" }, - { - "name": "verified_email", - "priority": 2 - } - ] - }, - "adminCreateUserConfig": { - "allowAdminCreateUserOnly": true + "autoDeploy": true, + "stageName": "$default" + } }, - "emailVerificationMessage": "The verification code to your new 
account is {####}", - "emailVerificationSubject": "Verify your new account", - "smsVerificationMessage": "The verification code to your new account is {####}", - "verificationMessageTemplate": { - "defaultEmailOption": "CONFIRM_WITH_CODE", - "emailMessage": "The verification code to your new account is {####}", - "emailSubject": "Verify your new account", - "smsMessage": "The verification code to your new account is {####}" + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.2.70" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_cognito.CfnUserPool", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" } }, - "UserPoolAuthorizerClient": { - "id": "UserPoolAuthorizerClient", - "path": "AuthorizerInteg/userpool/UserPoolAuthorizerClient", + "UserPoolDefaultAuthorizer": { + "id": "UserPoolDefaultAuthorizer", + "path": "AuthorizerInteg/MyHttpApiWithDefaultAuthorizer/UserPoolDefaultAuthorizer", "children": { "Resource": { "id": "Resource", - "path": "AuthorizerInteg/userpool/UserPoolAuthorizerClient/Resource", + "path": "AuthorizerInteg/MyHttpApiWithDefaultAuthorizer/UserPoolDefaultAuthorizer/Resource", "attributes": { - "aws:cdk:cloudformation:type": "AWS::Cognito::UserPoolClient", + "aws:cdk:cloudformation:type": "AWS::ApiGatewayV2::Authorizer", "aws:cdk:cloudformation:props": { - "allowedOAuthFlows": [ - "implicit", - "code" - ], - "allowedOAuthFlowsUserPoolClient": true, - "allowedOAuthScopes": [ - "profile", - "phone", - "email", - "openid", - "aws.cognito.signin.user.admin" - ], - "callbackUrLs": [ - "https://example.com" - ], - "supportedIdentityProviders": [ - "COGNITO" + "apiId": { + "Ref": "MyHttpApiWithDefaultAuthorizerE08800A1" + }, + "authorizerType": "JWT", + "identitySource": [ + "$request.header.Authorization" ], - "userPoolId": { - "Ref": "userpool0AC4AA96" - } + "jwtConfiguration": { + "audience": [ + { + "Ref": "userpoolForDefaultAuthorizerUserPoolAuthorizerClient3AA110E7" + } + ], + "issuer": { + 
"Fn::Join": [ + "", + [ + "https://cognito-idp.", + { + "Ref": "AWS::Region" + }, + ".amazonaws.com/", + { + "Ref": "userpoolForDefaultAuthorizerDFBE8E74" + } + ] + ] + } + }, + "name": "UserPoolDefaultAuthorizer" } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_cognito.CfnUserPoolClient", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_cognito.UserPoolClient", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_cognito.UserPool", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" } }, "lambda": { @@ -338,8 +535,8 @@ "id": "ImportServiceRole", "path": "AuthorizerInteg/lambda/ServiceRole/ImportServiceRole", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" } }, "Resource": { @@ -377,14 +574,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" } }, "Code": { @@ -395,22 +592,22 @@ "id": "Stage", "path": "AuthorizerInteg/lambda/Code/Stage", "constructInfo": { - "fqn": "aws-cdk-lib.AssetStaging", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" } }, "AssetBucket": { "id": "AssetBucket", "path": "AuthorizerInteg/lambda/Code/AssetBucket", "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketBase", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3_assets.Asset", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" } }, "Resource": { 
@@ -436,36 +633,161 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_lambda.CfnFunction", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_lambda.Function", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" + } + }, + "Route": { + "id": "Route", + "path": "AuthorizerInteg/Route", + "children": { + "RootIntegration": { + "id": "RootIntegration", + "path": "AuthorizerInteg/Route/RootIntegration", + "children": { + "Resource": { + "id": "Resource", + "path": "AuthorizerInteg/Route/RootIntegration/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::ApiGatewayV2::Integration", + "aws:cdk:cloudformation:props": { + "apiId": { + "Ref": "MyHttpApiWithDefaultAuthorizerE08800A1" + }, + "integrationType": "AWS_PROXY", + "integrationUri": { + "Fn::GetAtt": [ + "lambda8B5974B5", + "Arn" + ] + }, + "payloadFormatVersion": "2.0" + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.2.70" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.2.70" + } + }, + "RootIntegration-Permission": { + "id": "RootIntegration-Permission", + "path": "AuthorizerInteg/Route/RootIntegration-Permission", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::Permission", + "aws:cdk:cloudformation:props": { + "action": "lambda:InvokeFunction", + "functionName": { + "Fn::GetAtt": [ + "lambda8B5974B5", + "Arn" + ] + }, + "principal": "apigateway.amazonaws.com", + "sourceArn": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":execute-api:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":", + { + "Ref": "MyHttpApiWithDefaultAuthorizerE08800A1" + }, + "/*/*/v1/mything/{proxy+}" + ] + ] + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.2.70" + } + }, + "Resource": { + "id": "Resource", + "path": 
"AuthorizerInteg/Route/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::ApiGatewayV2::Route", + "aws:cdk:cloudformation:props": { + "apiId": { + "Ref": "MyHttpApiWithDefaultAuthorizerE08800A1" + }, + "authorizationScopes": [ + "scope1", + "scope2" + ], + "authorizationType": "JWT", + "authorizerId": { + "Ref": "MyHttpApiWithDefaultAuthorizerUserPoolDefaultAuthorizerF10D4FFF" + }, + "routeKey": "ANY /v1/mything/{proxy+}", + "target": { + "Fn::Join": [ + "", + [ + "integrations/", + { + "Ref": "RouteRootIntegration1CF58575" + } + ] + ] + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.2.70" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.2.70" } }, "BootstrapVersion": { "id": "BootstrapVersion", "path": "AuthorizerInteg/BootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" } }, "CheckBootstrapVersion": { "id": "CheckBootstrapVersion", "path": "AuthorizerInteg/CheckBootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" } }, "Tree": { @@ -478,8 +800,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.App", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.2.70" } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.user-pool.ts b/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.user-pool.ts index d29c652ac3f2e..c1ad9bed4c523 100644 --- a/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.user-pool.ts +++ b/packages/@aws-cdk/aws-apigatewayv2-authorizers-alpha/test/http/integ.user-pool.ts 
@@ -1,5 +1,5 @@ import * as path from 'path'; -import { HttpApi, HttpMethod } from '@aws-cdk/aws-apigatewayv2-alpha'; +import { HttpApi, HttpMethod, HttpRoute, HttpRouteKey } from '@aws-cdk/aws-apigatewayv2-alpha'; import { HttpLambdaIntegration } from '@aws-cdk/aws-apigatewayv2-integrations-alpha'; import * as cognito from 'aws-cdk-lib/aws-cognito'; import * as lambda from 'aws-cdk-lib/aws-lambda'; @@ -16,11 +16,17 @@ import { HttpUserPoolAuthorizer } from '../../lib'; const app = new App(); const stack = new Stack(app, 'AuthorizerInteg'); -const httpApi = new HttpApi(stack, 'MyHttpApi'); - const userPool = new cognito.UserPool(stack, 'userpool'); +const userPoolForDefaultAuthorizer = new cognito.UserPool(stack, 'userpoolForDefaultAuthorizer'); const authorizer = new HttpUserPoolAuthorizer('UserPoolAuthorizer', userPool); +const defaultAuthorizer = new HttpUserPoolAuthorizer('UserPoolDefaultAuthorizer', userPoolForDefaultAuthorizer); + +const httpApi = new HttpApi(stack, 'MyHttpApi'); +const httpApiWithDefaultAuthorizer = new HttpApi(stack, 'MyHttpApiWithDefaultAuthorizer', { + defaultAuthorizer, + defaultAuthorizationScopes: ['scope1', 'scope2'], +}); const handler = new lambda.Function(stack, 'lambda', { runtime: lambda.Runtime.NODEJS_18_X, @@ -34,3 +40,9 @@ httpApi.addRoutes({ integration: new HttpLambdaIntegration('RootIntegratin', handler), authorizer, }); + +new HttpRoute(stack, 'Route', { + httpApi: httpApiWithDefaultAuthorizer, + routeKey: HttpRouteKey.with('/v1/mything/{proxy+}', HttpMethod.ANY), + integration: new HttpLambdaIntegration('RootIntegration', handler), +}); \ No newline at end of file
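Review bot: `defaultAuthorizationScopes: ['scope1', 'scope2']` in the second hunk of integ.user-pool.ts names scopes that the pool's client never grants. The synthesized client in the snapshot lists only `profile`, `phone`, `email`, `openid` and `aws.cognito.signin.user.admin` under `AllowedOAuthScopes`. A JWT route with authorization scopes accepts a token only if it carries at least one of them, so the deployed route would presumably reject every token from this pool. That fails closed and is harmless for a snapshot test, but it reads like a working example. A comment such as `// placeholder scopes: only checks that the API defaults reach the synthesized route` above the property would say so.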