
(aws-apigateway): incorrect cross-region/partition LambdaAuthorizer references #18443

@aisamu

Description


What is the problem?

The existing ARN reference mechanism used by the TokenAuthorizer only allows pointing to lambdas on the same account.

Both the partition and the region are being incorrectly inferred from the stack where the reference itself was defined instead of from what it refers to.

More concretely:

import * as cdk from "@aws-cdk/core";
import * as lambda from "@aws-cdk/aws-lambda";

const app = new cdk.App();

// The stack lives in REGION-A ...
const stack = new cdk.Stack(app, "TestStack", {
  env: { region: "REGION-A" },
});

// ... but the imported function's ARN says REGION-B.
const fn = lambda.Function.fromFunctionArn(
  stack,
  "AnExternalFunction",
  "arn:aws:lambda:REGION-B:someaccount:function:name"
);

cdk.Stack.of(fn).region refers to REGION-A, not the desired/expected REGION-B.

Reproduction Steps

Given the following Stack


import * as cdk from "@aws-cdk/core";
import * as lambda from "@aws-cdk/aws-lambda";
import * as apigateway from "@aws-cdk/aws-apigateway";

const app = new cdk.App();

const stack = new cdk.Stack(app, "Example", {
  env: { region: "us-east-2" },
});

const authorizerFunctionArn = cdk.Arn.format(
  {
    service: "lambda",
    resource: "function",
    resourceName: "example-authorizer",
    arnFormat: cdk.ArnFormat.COLON_RESOURCE_NAME,
    region: "us-east-1",
  },
  stack
);

const authorizerFunction = lambda.Function.fromFunctionArn(
  stack,
  "AuthorizerFunction",
  authorizerFunctionArn
);

const api = new apigateway.RestApi(stack, "API", {
  cloudWatchRole: false,
  endpointTypes: [apigateway.EndpointType.REGIONAL],
});

const authorizer = new apigateway.TokenAuthorizer(stack, "Authorizer", {
  handler: authorizerFunction,
});

api.root.addResource("test").addMethod(
  "GET",
  new apigateway.MockIntegration({
    integrationResponses: [
      {
        statusCode: "200",
        responseTemplates: {
          "application/json": '{ "message": "It works!"}',
        },
      },
    ],
    passthroughBehavior: apigateway.PassthroughBehavior.NEVER,
    requestTemplates: {
      "application/json": '{ "statusCode": 200 }',
    },
  }),
  { authorizer, methodResponses: [{ statusCode: "200" }] }
);

What did you expect to happen?

The authorizerUri should be set to us-east-1.

After manually editing the Authorizer on the console:

[screenshot: the authorizer after being edited in the console]

$> aws apigateway get-authorizers --rest-api-id xxxxxxxxxx --region "us-east-2" | jq

{
  "items": [
    {
      "id": "xxxxxxxxxx",
      "name": "ExampleAuthorizer9D85B54E",
      "type": "TOKEN",
      "authType": "custom",
      "authorizerUri": "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:zzzzzzzzzz:function:example-function/invocations",
      "identitySource": "method.request.header.Authorization",
      "authorizerResultTtlInSeconds": 300
    }
  ]
}

What actually happened?

The authorizerUri was set to the incorrect region (e.g. us-east-2)

$> aws apigateway get-authorizers --rest-api-id xxxxxxxxxx --region "us-east-2" | jq

{
  "items": [
    {
      "id": "xxxxxxxxxx",
      "name": "ExampleAuthorizer9D85B54E",
      "type": "TOKEN",
      "authType": "custom",
      "authorizerUri": "arn:aws:apigateway:us-east-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:zzzzzzzzzz:function:example-authorizer/invocations",
      "identitySource": "method.request.header.Authorization"
    }
  ]
}

CDK CLI Version

1.137.0

Framework Version

No response

Node.js Version

v12.22.9

OS

macOS Big Sur 11.6.1

Language

Typescript

Language Version

TypeScript (4.5.4)

Other information

Co-authored-by: Sam Hewitt sam@stedi.com
Co-authored-by: Cameron Sumpter cameron@stedi.com
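The region mismatch this report describes, shown as an added TypeScript example that is not code from the aws-cdk project: a small ARN parser takes partition and region from the handler's own ARN and builds the authorizerUri from those, next to the stack-environment-based construction the report observed, plus a check that can be run over a rendered authorizerUri. It goes beyond the report by handling the partition as well as the region and by accepting a version or alias qualifier on the function ARN. The function names and the cn-north-1 sample ARN are assumptions of the example; the us-east-1 handler ARN is the one from the issue output above.

```typescript
// Added example, not aws-cdk code: derive partition and region for an
// API Gateway Lambda authorizer URI from the handler ARN itself rather than
// from the stack that holds the reference.

interface LambdaArn {
  partition: string;
  region: string;
  account: string;
  functionName: string;
  qualifier?: string; // version or alias, when present
}

// Parse "arn:<partition>:lambda:<region>:<account>:function:<name>[:<qualifier>]".
function parseLambdaArn(arn: string): LambdaArn {
  const parts = arn.split(":");
  if (parts.length < 7 || parts[0] !== "arn" || parts[2] !== "lambda" || parts[5] !== "function") {
    throw new Error(`not a Lambda function ARN: ${arn}`);
  }
  const [, partition, , region, account, , functionName, qualifier] = parts;
  if (!partition || !region || !account || !functionName) {
    throw new Error(`Lambda function ARN has empty components: ${arn}`);
  }
  return { partition, region, account, functionName, qualifier };
}

// Correct construction: partition and region come from the handler ARN, so a
// us-east-1 handler referenced from a us-east-2 stack still yields an
// arn:aws:apigateway:us-east-1:... URI.
function authorizerUriFromFunctionArn(functionArn: string): string {
  const fn = parseLambdaArn(functionArn);
  return `arn:${fn.partition}:apigateway:${fn.region}:lambda:path/2015-03-31/functions/${functionArn}/invocations`;
}

// For contrast, the behaviour the report observed: partition and region are
// taken from the stack environment, whatever the handler ARN says.
function authorizerUriFromStackEnv(stackPartition: string, stackRegion: string, functionArn: string): string {
  return `arn:${stackPartition}:apigateway:${stackRegion}:lambda:path/2015-03-31/functions/${functionArn}/invocations`;
}

// Consistency check for a rendered authorizerUri (e.g. from a synthesized
// template or from `aws apigateway get-authorizers`): the outer apigateway
// partition/region must equal those of the wrapped handler ARN.
function authorizerUriMatchesHandler(uri: string): boolean {
  const m = /^arn:([^:]+):apigateway:([^:]+):lambda:path\/2015-03-31\/functions\/(arn:.+)\/invocations$/.exec(uri);
  if (!m) {
    return false;
  }
  const [, partition, region, handlerArn] = m;
  const fn = parseLambdaArn(handlerArn);
  return fn.partition === partition && fn.region === region;
}

// Handler ARN as it appears in the issue's get-authorizers output.
const ISSUE_HANDLER_ARN = "arn:aws:lambda:us-east-1:zzzzzzzzzz:function:example-authorizer";

// Demo: the stack-env URI fails the check, the ARN-derived one passes.
function demo(): { fromStackEnv: boolean; fromFunctionArn: boolean } {
  return {
    fromStackEnv: authorizerUriMatchesHandler(authorizerUriFromStackEnv("aws", "us-east-2", ISSUE_HANDLER_ARN)),
    fromFunctionArn: authorizerUriMatchesHandler(authorizerUriFromFunctionArn(ISSUE_HANDLER_ARN)),
  };
}
```

Running `authorizerUriMatchesHandler` over the `authorizerUri` values in a synthesized template gives a pre-deployment assertion that catches the mismatch the report shows, without having to inspect the deployed authorizer afterwards.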
