From 5d2896b93f33edcee1b59a1d82f1d18e468b0010 Mon Sep 17 00:00:00 2001 From: Jacob Fuss Date: Thu, 22 Jul 2021 09:42:23 -0500 Subject: [PATCH 1/6] Revert "Revert "Issue 1508 remove check requiring identity ... (#1577)" (#2038)" This reverts commit ed3c28335aedce127f2b2738788b61851de62700. --- samtranslator/model/apigateway.py | 7 +- tests/model/test_api.py | 15 ++ .../input/api_with_auth_all_minimum.yaml | 21 +++ .../output/api_with_auth_all_minimum.json | 78 +++++---- .../aws-cn/api_with_auth_all_minimum.json | 148 ++++++++++++++++++ 5 files changed, 240 insertions(+), 29 deletions(-) diff --git a/samtranslator/model/apigateway.py b/samtranslator/model/apigateway.py index d1ea0c2b1..d983314d7 100644 --- a/samtranslator/model/apigateway.py +++ b/samtranslator/model/apigateway.py @@ -270,8 +270,9 @@ def _is_missing_identity_source(self, identity): query_strings = identity.get("QueryStrings") stage_variables = identity.get("StageVariables") context = identity.get("Context") + ttl = identity.get("ReauthorizeEvery") - if not headers and not query_strings and not stage_variables and not context: + if (ttl is None or int(ttl) > 0) and not headers and not query_strings and not stage_variables and not context: return True return False @@ -314,7 +315,9 @@ def generate_swagger(self): swagger[APIGATEWAY_AUTHORIZER_KEY]["authorizerCredentials"] = function_invoke_role if self._get_function_payload_type() == "REQUEST": - swagger[APIGATEWAY_AUTHORIZER_KEY]["identitySource"] = self._get_identity_source() + identity_source = self._get_identity_source() + if identity_source: + swagger[APIGATEWAY_AUTHORIZER_KEY]["identitySource"] = self._get_identity_source() # Authorizer Validation Expression is only allowed on COGNITO_USER_POOLS and LAMBDA_TOKEN is_lambda_token_authorizer = authorizer_type == "LAMBDA" and self._get_function_payload_type() == "TOKEN" diff --git a/tests/model/test_api.py b/tests/model/test_api.py index 627bda3d5..8bc871ee7 100644 --- a/tests/model/test_api.py 
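Review bot: In the `generate_swagger` hunk the new guard stores the result in `identity_source` but the assignment then calls `self._get_identity_source()` a second time; reuse the local with `swagger[APIGATEWAY_AUTHORIZER_KEY]["identitySource"] = identity_source`. Leaving `identitySource` out is only valid for an authorizer whose result caching is off, and this branch does not check that itself; it appears to rely on `_is_missing_identity_source` having rejected the other cases earlier. A comment above the `if` would make that dependency visible, for example `# identitySource is omitted only when no identity source was given, which validation allows only for ReauthorizeEvery == 0`. The body of `generate_swagger` starts and ends outside the hunk.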
+++ b/tests/model/test_api.py @@ -17,3 +17,18 @@ def test_create_authorizer_fails_with_string_authorization_scopes(self): auth = ApiGatewayAuthorizer( api_logical_id="logicalId", name="authName", authorization_scopes="invalid_scope" ) + + def test_create_authorizer_fails_with_missing_identity_values_and_not_cached(self): + with pytest.raises(InvalidResourceException): + auth = ApiGatewayAuthorizer( + api_logical_id="logicalId", + name="authName", + identity={"ReauthorizeEvery": 10}, + function_payload_type="REQUEST", + ) + + def test_create_authorizer_fails_with_empty_identity(self): + with pytest.raises(InvalidResourceException): + auth = ApiGatewayAuthorizer( + api_logical_id="logicalId", name="authName", identity={}, function_payload_type="REQUEST" + ) diff --git a/tests/translator/input/api_with_auth_all_minimum.yaml b/tests/translator/input/api_with_auth_all_minimum.yaml index 399df7612..5066b20d9 100644 --- a/tests/translator/input/api_with_auth_all_minimum.yaml +++ b/tests/translator/input/api_with_auth_all_minimum.yaml @@ -32,6 +32,20 @@ Resources: Identity: Headers: - Authorization1 + + MyApiWithNotCachedLambdaRequestAuth: + Type: "AWS::Serverless::Api" + Properties: + StageName: Prod + Auth: + DefaultAuthorizer: MyLambdaRequestAuth + Authorizers: + MyLambdaRequestAuth: + FunctionPayloadType: REQUEST + FunctionArn: !GetAtt MyAuthFn.Arn + Identity: + ReauthorizeEvery: 0 + MyAuthFn: Type: AWS::Serverless::Function Properties: @@ -81,6 +95,13 @@ Resources: RestApiId: !Ref MyApiWithLambdaRequestAuth Method: any Path: /any/lambda-request + LambdaNotCachedRequest: + Type: Api + Properties: + RestApiId: !Ref MyApiWithNotCachedLambdaRequestAuth + Method: get + Path: /not-cached-lambda-request + MyUserPool: Type: AWS::Cognito::UserPool Properties: diff --git a/tests/translator/output/api_with_auth_all_minimum.json b/tests/translator/output/api_with_auth_all_minimum.json index 186f6c50d..b9e408189 100644 --- a/tests/translator/output/api_with_auth_all_minimum.json 
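Review bot: `test_create_authorizer_fails_with_missing_identity_values_and_not_cached` passes `identity={"ReauthorizeEvery": 10}`, which is a cached authorizer, so the name says the opposite of what is exercised; `..._and_cached` would match the input. The hunk also adds no unit test for the case this change is meant to permit, namely `identity={"ReauthorizeEvery": 0}` with `function_payload_type="REQUEST"` constructing without `InvalidResourceException`. Only the translator fixture covers that path, so a regression in the validator would surface as a large JSON mismatch rather than as a focused failure.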
+++ b/tests/translator/output/api_with_auth_all_minimum.json @@ -64,7 +64,7 @@ ] }, "ManagedPolicyArns": [ - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ], "Tags": [ { @@ -117,7 +117,7 @@ ] }, "ManagedPolicyArns": [ - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ], "Tags": [ { @@ -137,7 +137,7 @@ "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/cognito", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/cognito", { "__ApiId__": { "Ref": "MyApiWithCognitoAuth" @@ -158,7 +158,7 @@ "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-request", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-request", { "__ApiId__": { "Ref": "MyApiWithLambdaRequestAuth" @@ -179,7 +179,7 @@ "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-token", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-token", { "__ApiId__": { "Ref": "MyApiWithLambdaTokenAuth" @@ -200,7 +200,7 @@ "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognito", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognito", { "__ApiId__": { "Ref": "MyApiWithCognitoAuth" 
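Review bot: The expected output for the default partition now carries `arn:aws-cn:` ARNs (`"arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"` here, and the `execute-api` and `apigateway` ARNs in the following hunks of this file). The new blob id of this file, `b9e408189`, is the same as the old blob id of `output/aws-cn/api_with_auth_all_minimum.json` further down, so the aws-cn fixture appears to have been copied over the default one. The default-partition fixture should keep `arn:aws:` and should also contain the new `MyApiWithNotCachedLambdaRequestAuth` resources, which none of these hunks add.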
@@ -221,7 +221,7 @@ "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-request", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-request", { "__ApiId__": { "Ref": "MyApiWithLambdaRequestAuth" @@ -242,7 +242,7 @@ "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-token", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-token", { "__ApiId__": { "Ref": "MyApiWithLambdaTokenAuth" @@ -271,7 +271,7 @@ "type": "aws_proxy", "httpMethod": "POST", "uri": { - "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" } }, "responses": {}, @@ -288,7 +288,7 @@ "type": "aws_proxy", "httpMethod": "POST", "uri": { - "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" } }, "responses": {}, @@ -319,13 +319,21 @@ } } } + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] } } }, - "MyApiWithCognitoAuthDeploymentdcc28e4b5f": { + "MyApiWithCognitoAuthDeployment5d6fbaaea5": { "Type": "AWS::ApiGateway::Deployment", "Properties": { - "Description": "RestApi deployment id: dcc28e4b5f8fbdb114c4da86eae5deddc368c60e", + "Description": "RestApi deployment id: 5d6fbaaea5286fd32d64239db8b7f2247cb3f2b5", "RestApiId": { "Ref": "MyApiWithCognitoAuth" }, 
@@ -336,7 +344,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithCognitoAuthDeploymentdcc28e4b5f" + "Ref": "MyApiWithCognitoAuthDeployment5d6fbaaea5" }, "RestApiId": { "Ref": "MyApiWithCognitoAuth" @@ -362,7 +370,7 @@ "type": "aws_proxy", "httpMethod": "POST", "uri": { - "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" } }, "responses": {}, @@ -379,7 +387,7 @@ "type": "aws_proxy", "httpMethod": "POST", "uri": { - "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" } }, "responses": {}, @@ -401,7 +409,7 @@ "type": "token", "authorizerUri": { "Fn::Sub": [ - "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { "__FunctionArn__": { "Fn::GetAtt": [ @@ -415,13 +423,21 @@ } } } + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] } } }, - "MyApiWithLambdaTokenAuthDeployment03cc3fd4fd": { + "MyApiWithLambdaTokenAuthDeployment79a03805ba": { "Type": "AWS::ApiGateway::Deployment", "Properties": { - "Description": "RestApi deployment id: 03cc3fd4fd00e795fb067f94da06cb2fcfe95d3b", + "Description": "RestApi deployment id: 79a03805ba3abc1f005e1282f19bb79af68b4f96", "RestApiId": { "Ref": "MyApiWithLambdaTokenAuth" }, @@ -432,7 +448,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithLambdaTokenAuthDeployment03cc3fd4fd" + "Ref": "MyApiWithLambdaTokenAuthDeployment79a03805ba" }, "RestApiId": { "Ref": "MyApiWithLambdaTokenAuth" 
@@ -453,7 +469,7 @@ "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { "Ref": "MyApiWithLambdaTokenAuth" @@ -481,7 +497,7 @@ "type": "aws_proxy", "httpMethod": "POST", "uri": { - "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" } }, "responses": {}, @@ -498,7 +514,7 @@ "type": "aws_proxy", "httpMethod": "POST", "uri": { - "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" } }, "responses": {}, @@ -520,7 +536,7 @@ "type": "request", "authorizerUri": { "Fn::Sub": [ - "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { "__FunctionArn__": { "Fn::GetAtt": [ @@ -535,13 +551,21 @@ } } } + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] } } }, - "MyApiWithLambdaRequestAuthDeployment6a32cc7f63": { + "MyApiWithLambdaRequestAuthDeployment12aa7114ad": { "Type": "AWS::ApiGateway::Deployment", "Properties": { - "Description": "RestApi deployment id: 6a32cc7f63485b93190f441a47da57f43de6a532", + "Description": "RestApi deployment id: 12aa7114ad8cd8aaeffd832e49f6f8aa8b6c2062", "RestApiId": { "Ref": "MyApiWithLambdaRequestAuth" }, 
@@ -552,7 +576,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithLambdaRequestAuthDeployment6a32cc7f63" + "Ref": "MyApiWithLambdaRequestAuthDeployment12aa7114ad" }, "RestApiId": { "Ref": "MyApiWithLambdaRequestAuth" @@ -573,7 +597,7 @@ "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { "Ref": "MyApiWithLambdaRequestAuth" diff --git a/tests/translator/output/aws-cn/api_with_auth_all_minimum.json b/tests/translator/output/aws-cn/api_with_auth_all_minimum.json index b9e408189..e6c6b3126 100644 --- a/tests/translator/output/aws-cn/api_with_auth_all_minimum.json +++ b/tests/translator/output/aws-cn/api_with_auth_all_minimum.json @@ -21,8 +21,25 @@ ] } }, +<<<<<<< HEAD "MyAuthFn": { "Type": "AWS::Lambda::Function", +======= + "MyApiWithNotCachedLambdaRequestAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithNotCachedLambdaRequestAuthDeployment234e92eab4" + }, + "RestApiId": { + "Ref": "MyApiWithNotCachedLambdaRequestAuth" + }, + "StageName": "Prod" + } + }, + "MyApiWithLambdaTokenAuthMyLambdaTokenAuthAuthorizerPermission": { + "Type": "AWS::Lambda::Permission", +>>>>>>> parent of ed3c283... Revert "Issue 1508 remove check requiring identity ... (#1577)" (#2038) "Properties": { "Code": { "S3Bucket": "bucket", 
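Review bot: The hunk `@@ -21,8 +21,25 @@` of `output/aws-cn/api_with_auth_all_minimum.json` adds unresolved merge-conflict markers as file content: `<<<<<<< HEAD`, `=======` and `>>>>>>> parent of ed3c283...`. The same markers are added in the hunks at `-169,8`, `-190,8`, `-330,6` and `-350,6` of this file. With them the fixture is not valid JSON and both sides of each conflict are present, so the expected output cannot be loaded or compared. Resolve the conflicts by regenerating the fixture from the input template, and consider a CI check that rejects lines starting with `<<<<<<<` or `>>>>>>>` in committed fixtures.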
@@ -169,8 +186,36 @@ } } }, +<<<<<<< HEAD "MyFnLambdaTokenAnyMethodPermissionProd": { "Type": "AWS::Lambda::Permission", +======= + "MyApiWithNotCachedLambdaRequestAuthMyLambdaRequestAuthAuthorizerPermission": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Fn::GetAtt": [ + "MyAuthFn", + "Arn" + ] + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + { + "__ApiId__": { + "Ref": "MyApiWithNotCachedLambdaRequestAuth" + } + } + ] + } + } + }, + "MyApiWithLambdaTokenAuthDeploymenta48b731095": { + "Type": "AWS::ApiGateway::Deployment", +>>>>>>> parent of ed3c283... Revert "Issue 1508 remove check requiring identity ... (#1577)" (#2038) "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { @@ -190,8 +235,23 @@ } } }, +<<<<<<< HEAD "MyFnCognitoPermissionProd": { "Type": "AWS::Lambda::Permission", +======= + "MyApiWithNotCachedLambdaRequestAuthDeployment234e92eab4": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithNotCachedLambdaRequestAuth" + }, + "Description": "RestApi deployment id: 234e92eab4e4c590ad261ddd55775c1edcc2972f", + "StageName": "Stage" + } + }, + "MyFnLambdaTokenPermissionProd": { + "Type": "AWS::Lambda::Permission", +>>>>>>> parent of ed3c283... Revert "Issue 1508 remove check requiring identity ... (#1577)" (#2038) "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { @@ -330,6 +390,7 @@ } } }, +<<<<<<< HEAD "MyApiWithCognitoAuthDeployment5d6fbaaea5": { "Type": "AWS::ApiGateway::Deployment", "Properties": { 
@@ -350,6 +411,27 @@ "Ref": "MyApiWithCognitoAuth" }, "StageName": "Prod" +======= + "MyFnLambdaNotCachedRequestPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/not-cached-lambda-request", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithNotCachedLambdaRequestAuth" + } + } + ] + } +>>>>>>> parent of ed3c283... Revert "Issue 1508 remove check requiring identity ... (#1577)" (#2038) } }, "MyApiWithLambdaTokenAuth": { @@ -606,6 +688,72 @@ ] } } + }, + "MyApiWithNotCachedLambdaRequestAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/not-cached-lambda-request": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyLambdaRequestAuth": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "MyLambdaRequestAuth": { + "in": "header", + "type": "apiKey", + "name": "Unused", + "x-amazon-apigateway-authorizer": { + "type": "request", + "authorizerUri": { + "Fn::Sub": [ + "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + { + "__FunctionArn__": { + "Fn::GetAtt": [ + "MyAuthFn", + "Arn" + ] + } + } + ] + }, + "authorizerResultTtlInSeconds": 0 + }, + "x-amazon-apigateway-authtype": "custom" + } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } + } } } } \ No newline at end of file 
From 201e4a5b9f3d9cef87f40f6509eb595074ffe6f9 Mon Sep 17 00:00:00 2001 From: Jacob Fuss Date: Thu, 22 Jul 2021 11:00:36 -0500 Subject: [PATCH 2/6] Update implementation to support intrinsics/ add more tests to validate changes --- samtranslator/model/apigateway.py | 15 +- tests/model/test_api.py | 71 +- .../input/api_with_identity_intrinsic.yaml | 22 + .../output/api_with_auth_all_minimum.json | 702 ++++++++++-------- .../output/api_with_identity_intrinsic.json | 89 +++ .../aws-cn/api_with_auth_all_minimum.json | 148 ---- .../aws-cn/api_with_identity_intrinsic.json | 98 +++ .../aws-us-gov/api_with_auth_all_minimum.json | 688 ++++++++++------- .../api_with_identity_intrinsic.json | 98 +++ tests/translator/test_translator.py | 1 + 10 files changed, 1203 insertions(+), 729 deletions(-) create mode 100644 tests/translator/input/api_with_identity_intrinsic.yaml create mode 100644 tests/translator/output/api_with_identity_intrinsic.json create mode 100644 tests/translator/output/aws-cn/api_with_identity_intrinsic.json create mode 100644 tests/translator/output/aws-us-gov/api_with_identity_intrinsic.json diff --git a/samtranslator/model/apigateway.py b/samtranslator/model/apigateway.py index d983314d7..5d2480bfb 100644 --- a/samtranslator/model/apigateway.py +++ b/samtranslator/model/apigateway.py 
@@ -272,7 +272,20 @@ def _is_missing_identity_source(self, identity): context = identity.get("Context") ttl = identity.get("ReauthorizeEvery") - if (ttl is None or int(ttl) > 0) and not headers and not query_strings and not stage_variables and not context: + required_properties_missing = not headers and not query_strings and not stage_variables and not context + + try: + int(ttl) + # this will catch if ttl is None and not convertable to an int + except TypeError: + # previous behavior before trying to read ttl + if required_properties_missing: + return True + + return False + + # If we can resolve ttl, attempt to see if things are valid + if (ttl is None or int(ttl) > 0) and required_properties_missing: return True return False diff --git a/tests/model/test_api.py b/tests/model/test_api.py index 8bc871ee7..e2a08aea7 100644 --- a/tests/model/test_api.py +++ b/tests/model/test_api.py @@ -14,13 +14,13 @@ def test_create_oauth2_auth(self): def test_create_authorizer_fails_with_string_authorization_scopes(self): with pytest.raises(InvalidResourceException): - auth = ApiGatewayAuthorizer( + ApiGatewayAuthorizer( api_logical_id="logicalId", name="authName", authorization_scopes="invalid_scope" ) def test_create_authorizer_fails_with_missing_identity_values_and_not_cached(self): with pytest.raises(InvalidResourceException): - auth = ApiGatewayAuthorizer( + ApiGatewayAuthorizer( api_logical_id="logicalId", name="authName", identity={"ReauthorizeEvery": 10}, 
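Review bot: In `_is_missing_identity_source` the `try` catches only `TypeError`, so a `ReauthorizeEvery` given as a non-numeric string raises `ValueError` out of the validator instead of taking the fallback path; `except (TypeError, ValueError):` would cover both. Because `int(None)` already raises `TypeError` and returns from the handler, the `ttl is None or` part of the last condition is unreachable, and `int(ttl)` is evaluated twice. Binding the result once (`ttl_value = int(ttl)`) and testing `if ttl_value > 0 and required_properties_missing:` says the same thing more directly. The comment `# this will catch if ttl is None and not convertable to an int` sits above the `except` and reads as if both conditions must hold; something like `# ttl is None or an unresolved intrinsic (dict/list): keep the pre-TTL behaviour and require an identity source` would be clearer. The function starts outside the hunk.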
@@ -29,6 +29,71 @@ def test_create_authorizer_fails_with_missing_identity_values_and_not_cached(sel def test_create_authorizer_fails_with_empty_identity(self): with pytest.raises(InvalidResourceException): - auth = ApiGatewayAuthorizer( + ApiGatewayAuthorizer( api_logical_id="logicalId", name="authName", identity={}, function_payload_type="REQUEST" ) + + def test_create_authorizer_fails_with_missing_identity_values_and_not_cached(self): + with pytest.raises(InvalidResourceException): + ApiGatewayAuthorizer( + api_logical_id="logicalId", + name="authName", + identity={"ReauthorizeEvery": 10}, + function_payload_type="REQUEST", + ) + + def test_create_authorizer_fails_with_empty_identity(self): + with pytest.raises(InvalidResourceException): + ApiGatewayAuthorizer( + api_logical_id="logicalId", name="authName", identity={}, function_payload_type="REQUEST" + ) + + def test_create_authorizer_with_non_integer_identity(self): + auth = ApiGatewayAuthorizer( + api_logical_id="logicalId", name="authName", identity={"ReauthorizeEvery": [], "Headers": ["Accept"]}, function_payload_type="REQUEST" + ) + + self.assertIsNotNone(auth) + + def test_create_authorizer_with_identity_intrinsic_is_valid_with_headers(self): + auth = ApiGatewayAuthorizer( + api_logical_id="logicalId", name="authName", identity={"ReauthorizeEvery": {"FN:If": ["isProd", 10, 0]}, "Headers": ["Accept"]}, function_payload_type="REQUEST" + ) + + self.assertIsNotNone(auth) + + def test_create_authorizer_with_identity_intrinsic_is_invalid_if_no_querystring_stagevariables_context_headers(self): + with pytest.raises(InvalidResourceException): + ApiGatewayAuthorizer( + api_logical_id="logicalId", name="authName", identity={"ReauthorizeEvery": {"FN:If": ["isProd", 10, 0]}}, function_payload_type="REQUEST" + ) + + def test_create_authorizer_with_identity_intrinsic_is_valid_with_context(self): + auth = ApiGatewayAuthorizer( + api_logical_id="logicalId", name="authName", identity={"ReauthorizeEvery": {"FN:If": 
["isProd", 10, 0]}, "Context": ["Accept"]}, function_payload_type="REQUEST") + + self.assertIsNotNone(auth) + + def test_create_authorizer_with_identity_intrinsic_is_valid_with_stage_variables(self): + auth = ApiGatewayAuthorizer( + api_logical_id="logicalId", name="authName", + identity={"ReauthorizeEvery": {"FN:If": ["isProd", 10, 0]}, "StageVariables": ["Stage"]}, + function_payload_type="REQUEST") + + self.assertIsNotNone(auth) + + def test_create_authorizer_with_identity_intrinsic_is_valid_with_query_strings(self): + auth = ApiGatewayAuthorizer( + api_logical_id="logicalId", name="authName", + identity={"ReauthorizeEvery": {"FN:If": ["isProd", 10, 0]}, "QueryStrings": ["AQueryString"]}, + function_payload_type="REQUEST") + + self.assertIsNotNone(auth) + + def test_create_authorizer_with_identity_ReauthorizeEvery_asNone_valid_with_query_strings(self): + auth = ApiGatewayAuthorizer( + api_logical_id="logicalId", name="authName", + identity={"ReauthorizeEvery": None, "QueryStrings": ["AQueryString"]}, + function_payload_type="REQUEST") + + self.assertIsNotNone(auth) diff --git a/tests/translator/input/api_with_identity_intrinsic.yaml b/tests/translator/input/api_with_identity_intrinsic.yaml new file mode 100644 index 000000000..2afc3d679 --- /dev/null +++ b/tests/translator/input/api_with_identity_intrinsic.yaml @@ -0,0 +1,22 @@ +AWSTemplateFormatVersion: "2010-09-09" +Transform: AWS::Serverless-2016-10-31 + +Conditions: + isProd: true + + +Resources: + APIGateway: + Type: 'AWS::Serverless::Api' + Properties: + StageName: Prod + Auth: + DefaultAuthorizer: SomeAuthorizer + Authorizers: + SomeAuthorizer: + FunctionPayloadType: REQUEST + FunctionArn: SomeArn + Identity: + Headers: + - Accept + ReauthorizeEvery: !If [isProd, 3600, 0] \ No newline at end of file diff --git a/tests/translator/output/api_with_auth_all_minimum.json b/tests/translator/output/api_with_auth_all_minimum.json index b9e408189..f6570f17c 100644 
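Review bot: The hunk `@@ -29,6 +29,71 @@` re-adds `test_create_authorizer_fails_with_missing_identity_values_and_not_cached` and `test_create_authorizer_fails_with_empty_identity`, which already exist just above in the same class. The second definitions silently replace the first, so the duplicates should be dropped. The intrinsic tests use the key `"FN:If"`, whereas the CloudFormation intrinsic is spelled `Fn::If`; the tests still exercise the dict path, but `{"Fn::If": ["isProd", 10, 0]}` would match what a real template produces. No case covers a string-valued `ReauthorizeEvery` such as `"0"` or a non-numeric string, which is where `int(ttl)` in the validator behaves differently from the dict and `None` inputs tested here.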
--- a/tests/translator/output/api_with_auth_all_minimum.json +++ b/tests/translator/output/api_with_auth_all_minimum.json @@ -1,37 +1,16 @@ { "Resources": { - "MyUserPool": { - "Type": "AWS::Cognito::UserPool", - "Properties": { - "UserPoolName": "UserPoolName", - "Policies": { - "PasswordPolicy": { - "MinimumLength": 8 - } - }, - "UsernameAttributes": [ - "email" - ], - "Schema": [ - { - "AttributeDataType": "String", - "Name": "email", - "Required": false - } - ] - } - }, - "MyAuthFn": { + "MyFunction": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { - "S3Bucket": "bucket", - "S3Key": "key" + "S3Bucket": "sam-demo-bucket", + "S3Key": "thumbnails.zip" }, "Handler": "index.handler", "Role": { "Fn::GetAtt": [ - "MyAuthFnRole", + "MyFunctionRole", "Arn" ] }, @@ -44,7 +23,7 @@ ] } }, - "MyAuthFnRole": { + "MyFunctionRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { @@ -64,7 +43,7 @@ ] }, "ManagedPolicyArns": [ - "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ], "Tags": [ { 
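Review bot: From the hunk `@@ -1,37 +1,16 @@` onward, this expected output describes resources named `MyFunction` and `MyApi`, with `sam-demo-bucket` / `thumbnails.zip` as the code location. The input `api_with_auth_all_minimum.yaml` is not touched by this patch, and in patch 1 it defines `MyAuthFn`, `MyFn`, `MyUserPool` and the `MyApiWith…Auth` APIs. The fixture therefore looks like the output of a different template pasted over this one, although a later patch in the series may correct it. Regenerating the file from its own input would keep the pair consistent and would also bring in the `MyApiWithNotCachedLambdaRequestAuth` resources.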
@@ -74,73 +53,125 @@ ] } }, - "MyFn": { - "Type": "AWS::Lambda::Function", + "MyFunctionWithNoAuthorizerPermissionProd": { + "Type": "AWS::Lambda::Permission", "Properties": { - "Code": { - "S3Bucket": "bucket", - "S3Key": "key" + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Ref": "MyFunction" }, - "Handler": "index.handler", - "Role": { - "Fn::GetAtt": [ - "MyFnRole", - "Arn" + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", + { + "__ApiId__": { + "Ref": "MyApi" + }, + "__Stage__": "*" + } ] + } + } + }, + "MyFunctionWithCognitoMultipleUserPoolsAuthorizerAnyMethodPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Ref": "MyFunction" }, - "Runtime": "nodejs12.x", - "Tags": [ - { - "Key": "lambda:createdBy", - "Value": "SAM" - } - ] + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/cognitomultiple", + { + "__ApiId__": { + "Ref": "MyApi" + }, + "__Stage__": "*" + } + ] + } } }, - "MyFnRole": { - "Type": "AWS::IAM::Role", + "MyFunctionWithDefaultAuthorizerAnyMethodPermissionProd": { + "Type": "AWS::Lambda::Permission", "Properties": { - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Ref": "MyFunction" + }, + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/default", { - "Action": [ - "sts:AssumeRole" - ], - "Effect": "Allow", - "Principal": { - "Service": [ - "lambda.amazonaws.com" - ] - } + "__ApiId__": { + "Ref": "MyApi" + }, + "__Stage__": "*" } ] + } + } + }, + "MyFunctionWithLambdaRequestAuthorizerAnyMethodPermissionProd": { + "Type": 
"AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Ref": "MyFunction" }, - "ManagedPolicyArns": [ - "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], - "Tags": [ - { - "Key": "lambda:createdBy", - "Value": "SAM" - } - ] + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambdarequest", + { + "__ApiId__": { + "Ref": "MyApi" + }, + "__Stage__": "*" + } + ] + } + } + }, + "MyFunctionWithLambdaTokenAuthorizerAnyMethodPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Ref": "MyFunction" + }, + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambdatoken", + { + "__ApiId__": { + "Ref": "MyApi" + }, + "__Stage__": "*" + } + ] + } } }, - "MyFnCognitoAnyMethodPermissionProd": { + "MyFunctionWithLambdaTokenNoneAuthorizerAnyMethodPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { - "Ref": "MyFn" + "Ref": "MyFunction" }, "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/cognito", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambdatokennone", { "__ApiId__": { - "Ref": "MyApiWithCognitoAuth" + "Ref": "MyApi" }, "__Stage__": "*" } 
@@ -148,20 +179,20 @@ } } }, - "MyFnLambdaRequestAnyMethodPermissionProd": { + "MyFunctionWithNoAuthorizerAnyMethodPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { - "Ref": "MyFn" + "Ref": "MyFunction" }, "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-request", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/noauth", { "__ApiId__": { - "Ref": "MyApiWithLambdaRequestAuth" + "Ref": "MyApi" }, "__Stage__": "*" } @@ -169,20 +200,20 @@ } } }, - "MyFnLambdaTokenAnyMethodPermissionProd": { + "MyFunctionWithCognitoMultipleUserPoolsAuthorizerPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { - "Ref": "MyFn" + "Ref": "MyFunction" }, "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-token", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", { "__ApiId__": { - "Ref": "MyApiWithLambdaTokenAuth" + "Ref": "MyApi" }, "__Stage__": "*" } @@ -190,20 +221,20 @@ } } }, - "MyFnCognitoPermissionProd": { + "MyFunctionWithLambdaTokenAuthorizerPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { - "Ref": "MyFn" + "Ref": "MyFunction" }, "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognito", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/users", { "__ApiId__": { - "Ref": "MyApiWithCognitoAuth" + "Ref": "MyApi" }, "__Stage__": "*" } 
@@ -211,20 +242,20 @@ } } }, - "MyFnLambdaRequestPermissionProd": { + "MyFunctionWithLambdaTokenNoneAuthorizerPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { - "Ref": "MyFn" + "Ref": "MyFunction" }, "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-request", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", { "__ApiId__": { - "Ref": "MyApiWithLambdaRequestAuth" + "Ref": "MyApi" }, "__Stage__": "*" } @@ -232,20 +263,20 @@ } } }, - "MyFnLambdaTokenPermissionProd": { + "MyFunctionWithLambdaRequestAuthorizerPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { - "Ref": "MyFn" + "Ref": "MyFunction" }, "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-token", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", { "__ApiId__": { - "Ref": "MyApiWithLambdaTokenAuth" + "Ref": "MyApi" }, "__Stage__": "*" } @@ -253,7 +284,28 @@ } } }, - "MyApiWithCognitoAuth": { + "MyFunctionWithDefaultAuthorizerPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Ref": "MyFunction" + }, + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", + { + "__ApiId__": { + "Ref": "MyApi" + }, + "__Stage__": "*" + } + ] + } + } + }, + "MyApi": { "Type": "AWS::ApiGateway::RestApi", "Properties": { "Body": { 
@@ -265,268 +317,305 @@ } }, "paths": { - "/cognito": { + "/": { "get": { "x-amazon-apigateway-integration": { "type": "aws_proxy", "httpMethod": "POST", "uri": { - "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } }, "responses": {}, "security": [ { - "MyCognitoAuth": [] + "NONE": [] + }, + { + "api_key": [] } ] } }, - "/any/cognito": { + "/any/noauth": { "x-amazon-apigateway-any-method": { "x-amazon-apigateway-integration": { "type": "aws_proxy", "httpMethod": "POST", "uri": { - "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } }, "responses": {}, "security": [ { - "MyCognitoAuth": [] + "NONE": [] + }, + { + "api_key": [] } ] } - } - }, - "securityDefinitions": { - "MyCognitoAuth": { - "type": "apiKey", - "name": "Authorization", - "in": "header", - "x-amazon-apigateway-authtype": "cognito_user_pools", - "x-amazon-apigateway-authorizer": { - "type": "cognito_user_pools", - "providerARNs": [ + }, + "/users": { + "post": { + "x-amazon-apigateway-integration": { + "type": "aws_proxy", + "httpMethod": "POST", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" + } + }, + "responses": {}, + "security": [ { - "Fn::GetAtt": [ - "MyUserPool", - "Arn" - ] + "MyCognitoAuthMultipleUserPools": [] + }, + { + "api_key": [] } ] - } - } - } - }, - "Parameters": { - "endpointConfigurationTypes": "REGIONAL" - }, - "EndpointConfiguration": { - "Types": [ - "REGIONAL" - ] - } - } - }, - "MyApiWithCognitoAuthDeployment5d6fbaaea5": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "Description": "RestApi deployment id: 5d6fbaaea5286fd32d64239db8b7f2247cb3f2b5", - 
"RestApiId": { - "Ref": "MyApiWithCognitoAuth" - }, - "StageName": "Stage" - } - }, - "MyApiWithCognitoAuthProdStage": { - "Type": "AWS::ApiGateway::Stage", - "Properties": { - "DeploymentId": { - "Ref": "MyApiWithCognitoAuthDeployment5d6fbaaea5" - }, - "RestApiId": { - "Ref": "MyApiWithCognitoAuth" - }, - "StageName": "Prod" - } - }, - "MyApiWithLambdaTokenAuth": { - "Type": "AWS::ApiGateway::RestApi", - "Properties": { - "Body": { - "swagger": "2.0", - "info": { - "version": "1.0", - "title": { - "Ref": "AWS::StackName" - } - }, - "paths": { - "/lambda-token": { + }, "get": { "x-amazon-apigateway-integration": { "type": "aws_proxy", "httpMethod": "POST", "uri": { - "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } }, "responses": {}, "security": [ { "MyLambdaTokenAuth": [] + }, + { + "api_key": [] + } + ] + }, + "patch": { + "x-amazon-apigateway-integration": { + "type": "aws_proxy", + "httpMethod": "POST", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" + } + }, + "responses": {}, + "security": [ + { + "MyLambdaTokenAuthNoneFunctionInvokeRole": [] + }, + { + "api_key": [] + } + ] + }, + "delete": { + "x-amazon-apigateway-integration": { + "type": "aws_proxy", + "httpMethod": "POST", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" + } + }, + "responses": {}, + "security": [ + { + "MyLambdaRequestAuth": [] + }, + { + "api_key": [] + } + ] + }, + "put": { + "x-amazon-apigateway-integration": { + "type": "aws_proxy", + "httpMethod": "POST", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" + } + }, + "responses": {}, + "security": [ + { + "MyCognitoAuth": [] + }, + { + "api_key": 
[] } ] } }, - "/any/lambda-token": { + "/any/cognitomultiple": { "x-amazon-apigateway-any-method": { "x-amazon-apigateway-integration": { "type": "aws_proxy", "httpMethod": "POST", "uri": { - "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } }, "responses": {}, "security": [ { - "MyLambdaTokenAuth": [] + "MyCognitoAuthMultipleUserPools": [] + }, + { + "api_key": [] } ] } - } - }, - "securityDefinitions": { - "MyLambdaTokenAuth": { - "type": "apiKey", - "name": "Authorization", - "in": "header", - "x-amazon-apigateway-authtype": "custom", - "x-amazon-apigateway-authorizer": { - "type": "token", - "authorizerUri": { - "Fn::Sub": [ - "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", - { - "__FunctionArn__": { - "Fn::GetAtt": [ - "MyAuthFn", - "Arn" - ] - } - } - ] - } + }, + "/any/lambdatoken": { + "x-amazon-apigateway-any-method": { + "x-amazon-apigateway-integration": { + "type": "aws_proxy", + "httpMethod": "POST", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" + } + }, + "responses": {}, + "security": [ + { + "MyLambdaTokenAuth": [] + }, + { + "api_key": [] + } + ] } - } - } - }, - "Parameters": { - "endpointConfigurationTypes": "REGIONAL" - }, - "EndpointConfiguration": { - "Types": [ - "REGIONAL" - ] - } - } - }, - "MyApiWithLambdaTokenAuthDeployment79a03805ba": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "Description": "RestApi deployment id: 79a03805ba3abc1f005e1282f19bb79af68b4f96", - "RestApiId": { - "Ref": "MyApiWithLambdaTokenAuth" - }, - "StageName": "Stage" - } - }, - "MyApiWithLambdaTokenAuthProdStage": { - "Type": "AWS::ApiGateway::Stage", - "Properties": { - "DeploymentId": { - "Ref": "MyApiWithLambdaTokenAuthDeployment79a03805ba" - }, - 
"RestApiId": { - "Ref": "MyApiWithLambdaTokenAuth" - }, - "StageName": "Prod" - } - }, - "MyApiWithLambdaTokenAuthMyLambdaTokenAuthAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Fn::GetAtt": [ - "MyAuthFn", - "Arn" - ] - }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", - { - "__ApiId__": { - "Ref": "MyApiWithLambdaTokenAuth" + }, + "/any/lambdatokennone": { + "x-amazon-apigateway-any-method": { + "x-amazon-apigateway-integration": { + "type": "aws_proxy", + "httpMethod": "POST", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" + } + }, + "responses": {}, + "security": [ + { + "MyLambdaTokenAuthNoneFunctionInvokeRole": [] + }, + { + "api_key": [] + } + ] } - } - ] - } - } - }, - "MyApiWithLambdaRequestAuth": { - "Type": "AWS::ApiGateway::RestApi", - "Properties": { - "Body": { - "swagger": "2.0", - "info": { - "version": "1.0", - "title": { - "Ref": "AWS::StackName" - } - }, - "paths": { - "/lambda-request": { - "get": { + }, + "/any/lambdarequest": { + "x-amazon-apigateway-any-method": { "x-amazon-apigateway-integration": { "type": "aws_proxy", "httpMethod": "POST", "uri": { - "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } }, "responses": {}, "security": [ { "MyLambdaRequestAuth": [] + }, + { + "api_key": [] } ] } }, - "/any/lambda-request": { + "/any/default": { "x-amazon-apigateway-any-method": { "x-amazon-apigateway-integration": { "type": "aws_proxy", "httpMethod": "POST", "uri": { - "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + "Fn::Sub": 
"arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } }, "responses": {}, "security": [ { - "MyLambdaRequestAuth": [] + "MyCognitoAuth": [] + }, + { + "api_key": [] } ] } } }, "securityDefinitions": { + "MyCognitoAuth": { + "type": "apiKey", + "name": "MyAuthorizationHeader", + "in": "header", + "x-amazon-apigateway-authtype": "cognito_user_pools", + "x-amazon-apigateway-authorizer": { + "type": "cognito_user_pools", + "providerARNs": [ + "arn:aws:1" + ], + "identityValidationExpression": "myauthvalidationexpression" + } + }, + "MyCognitoAuthMultipleUserPools": { + "type": "apiKey", + "name": "MyAuthorizationHeader2", + "in": "header", + "x-amazon-apigateway-authtype": "cognito_user_pools", + "x-amazon-apigateway-authorizer": { + "type": "cognito_user_pools", + "providerARNs": [ + "arn:aws:2", + "arn:aws:3" + ], + "identityValidationExpression": "myauthvalidationexpression2" + } + }, + "MyLambdaTokenAuth": { + "type": "apiKey", + "name": "MyCustomAuthHeader", + "in": "header", + "x-amazon-apigateway-authtype": "custom", + "x-amazon-apigateway-authorizer": { + "type": "token", + "authorizerUri": { + "Fn::Sub": [ + "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + { + "__FunctionArn__": "arn:aws" + } + ] + }, + "authorizerResultTtlInSeconds": 20, + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", + "identityValidationExpression": "mycustomauthexpression" + } + }, + "MyLambdaTokenAuthNoneFunctionInvokeRole": { + "type": "apiKey", + "name": "Authorization", + "in": "header", + "x-amazon-apigateway-authtype": "custom", + "x-amazon-apigateway-authorizer": { + "type": "token", + "authorizerUri": { + "Fn::Sub": [ + "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + { + "__FunctionArn__": "arn:aws" + } + ] + }, + "authorizerResultTtlInSeconds": 0 + } + }, "MyLambdaRequestAuth": { "type": "apiKey", "name": 
"Unused", 
@@ -536,71 +625,96 @@ "type": "request", "authorizerUri": { "Fn::Sub": [ - "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { - "__FunctionArn__": { - "Fn::GetAtt": [ - "MyAuthFn", - "Arn" - ] - } + "__FunctionArn__": "arn:aws" } ] }, - "identitySource": "method.request.header.Authorization1" + "authorizerResultTtlInSeconds": 0, + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", + "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4" } + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } } - }, - "Parameters": { - "endpointConfigurationTypes": "REGIONAL" - }, - "EndpointConfiguration": { - "Types": [ - "REGIONAL" - ] } } }, - "MyApiWithLambdaRequestAuthDeployment12aa7114ad": { + "MyApiDeployment563edb7c42": { "Type": "AWS::ApiGateway::Deployment", "Properties": { - "Description": "RestApi deployment id: 12aa7114ad8cd8aaeffd832e49f6f8aa8b6c2062", + "Description": "RestApi deployment id: 563edb7c42f90929db0861af12bcd8046b8cb057", "RestApiId": { - "Ref": "MyApiWithLambdaRequestAuth" + "Ref": "MyApi" }, "StageName": "Stage" } }, - "MyApiWithLambdaRequestAuthProdStage": { + "MyApiProdStage": { "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithLambdaRequestAuthDeployment12aa7114ad" + "Ref": "MyApiDeployment563edb7c42" }, "RestApiId": { - "Ref": "MyApiWithLambdaRequestAuth" + "Ref": "MyApi" }, "StageName": "Prod" } }, - "MyApiWithLambdaRequestAuthMyLambdaRequestAuthAuthorizerPermission": { + "MyApiMyLambdaTokenAuthAuthorizerPermission": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", - "FunctionName": { - "Fn::GetAtt": [ - "MyAuthFn", - "Arn" + "FunctionName": "arn:aws", + "Principal": 
"apigateway.amazonaws.com", + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + { + "__ApiId__": { + "Ref": "MyApi" + } + } ] - }, + } + } + }, + "MyApiMyLambdaTokenAuthNoneFunctionInvokeRoleAuthorizerPermission": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": "arn:aws", + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + { + "__ApiId__": { + "Ref": "MyApi" + } + } + ] + } + } + }, + "MyApiMyLambdaRequestAuthAuthorizerPermission": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": "arn:aws", "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { - "Ref": "MyApiWithLambdaRequestAuth" + "Ref": "MyApi" } } ] diff --git a/tests/translator/output/api_with_identity_intrinsic.json b/tests/translator/output/api_with_identity_intrinsic.json new file mode 100644 index 000000000..18bfd68ad --- /dev/null +++ b/tests/translator/output/api_with_identity_intrinsic.json 
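Review bot: The expected `MyLambdaRequestAuth` definition in the `@@ -536,71 +625,96 @@` hunk pairs `"authorizerResultTtlInSeconds": 0` with a four-part `identitySource`. It therefore never pins the case where a REQUEST authorizer with caching disabled has no identity source and the `identitySource` key is omitted from the Swagger. The aws-cn hunk at `@@ -688,72 +606,6 @@` deletes the only visible expected output of that shape (`MyApiWithNotCachedLambdaRequestAuth`, TTL 0, no `identitySource`), along with the leftover `<<<<<<< HEAD` / `>>>>>>> parent of ed3c283...` conflict markers in that file. Resolving the conflict in favour of the not-cached resources, and keeping them in all three partition fixtures, would give the relaxed identity check a regression test. Judging only from the visible hunks, no fixture currently asserts the omitted key.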
@@ -0,0 +1,89 @@ +{ "AWSTemplateFormatVersion": "2010-09-09", + "Conditions": { + "isProd": true + }, + "Resources": { + "APIGateway": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "swagger": "2.0", + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": {}, + "securityDefinitions": { + "SomeAuthorizer": { + "type": "apiKey", + "name": "Unused", + "in": "header", + "x-amazon-apigateway-authtype": "custom", + "x-amazon-apigateway-authorizer": { + "type": "request", + "authorizerUri": { + "Fn::Sub": [ + "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + { + "__FunctionArn__": "SomeArn" + } + ] + }, + "authorizerResultTtlInSeconds": { + "Fn::If": [ + "isProd", + 3600, + 0 + ] + }, + "identitySource": "method.request.header.Accept" + } + } + } + } + } + }, + "APIGatewayDeployment09cf6f1593": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "Description": "RestApi deployment id: 09cf6f15938fb43d44759986383f7d1304187288", + "RestApiId": { + "Ref": "APIGateway" + }, + "StageName": "Stage" + } + }, + "APIGatewayProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "APIGatewayDeployment09cf6f1593" + }, + "RestApiId": { + "Ref": "APIGateway" + }, + "StageName": "Prod" + } + }, + "APIGatewaySomeAuthorizerAuthorizerPermission": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": "SomeArn", + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + { + "__ApiId__": { + "Ref": "APIGateway" + } + } + ] + } + } + } + } +} \ No newline at end of file diff --git a/tests/translator/output/aws-cn/api_with_auth_all_minimum.json b/tests/translator/output/aws-cn/api_with_auth_all_minimum.json index e6c6b3126..b9e408189 100644 
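Review bot: This expected output covers an intrinsic TTL (`"Fn::If": ["isProd", 3600, 0]`) only alongside `"identitySource": "method.request.header.Accept"`, so it does not show how the transform treats a non-literal `authorizerResultTtlInSeconds` when no identity source is given. The `Fn::If` cannot be resolved at transform time, so the deployed value may be the caching branch (3600), and with caching on the identity sources are what the authorizer result is keyed on. The validation should presumably skip the identity requirement only for a literal 0 and reject, rather than coerce, a dict-valued TTL. An error-case fixture for an intrinsic TTL with an empty `Identity` would pin that behaviour. The aws-cn copy of this file added later in the patch has the same gap.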
--- a/tests/translator/output/aws-cn/api_with_auth_all_minimum.json +++ b/tests/translator/output/aws-cn/api_with_auth_all_minimum.json @@ -21,25 +21,8 @@ ] } }, -<<<<<<< HEAD "MyAuthFn": { "Type": "AWS::Lambda::Function", -======= - "MyApiWithNotCachedLambdaRequestAuthProdStage": { - "Type": "AWS::ApiGateway::Stage", - "Properties": { - "DeploymentId": { - "Ref": "MyApiWithNotCachedLambdaRequestAuthDeployment234e92eab4" - }, - "RestApiId": { - "Ref": "MyApiWithNotCachedLambdaRequestAuth" - }, - "StageName": "Prod" - } - }, - "MyApiWithLambdaTokenAuthMyLambdaTokenAuthAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", ->>>>>>> parent of ed3c283... Revert "Issue 1508 remove check requiring identity ... (#1577)" (#2038) "Properties": { "Code": { "S3Bucket": "bucket", @@ -186,36 +169,8 @@ } } }, -<<<<<<< HEAD "MyFnLambdaTokenAnyMethodPermissionProd": { "Type": "AWS::Lambda::Permission", -======= - "MyApiWithNotCachedLambdaRequestAuthMyLambdaRequestAuthAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:InvokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": { - "Fn::GetAtt": [ - "MyAuthFn", - "Arn" - ] - }, - "SourceArn": { - "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", - { - "__ApiId__": { - "Ref": "MyApiWithNotCachedLambdaRequestAuth" - } - } - ] - } - } - }, - "MyApiWithLambdaTokenAuthDeploymenta48b731095": { - "Type": "AWS::ApiGateway::Deployment", ->>>>>>> parent of ed3c283... Revert "Issue 1508 remove check requiring identity ... (#1577)" (#2038) "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { 
@@ -235,23 +190,8 @@ } } }, -<<<<<<< HEAD "MyFnCognitoPermissionProd": { "Type": "AWS::Lambda::Permission", -======= - "MyApiWithNotCachedLambdaRequestAuthDeployment234e92eab4": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApiWithNotCachedLambdaRequestAuth" - }, - "Description": "RestApi deployment id: 234e92eab4e4c590ad261ddd55775c1edcc2972f", - "StageName": "Stage" - } - }, - "MyFnLambdaTokenPermissionProd": { - "Type": "AWS::Lambda::Permission", ->>>>>>> parent of ed3c283... Revert "Issue 1508 remove check requiring identity ... (#1577)" (#2038) "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { @@ -390,7 +330,6 @@ } } }, -<<<<<<< HEAD "MyApiWithCognitoAuthDeployment5d6fbaaea5": { "Type": "AWS::ApiGateway::Deployment", "Properties": { @@ -411,27 +350,6 @@ "Ref": "MyApiWithCognitoAuth" }, "StageName": "Prod" -======= - "MyFnLambdaNotCachedRequestPermissionProd": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:InvokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": { - "Ref": "MyFn" - }, - "SourceArn": { - "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/not-cached-lambda-request", - { - "__Stage__": "*", - "__ApiId__": { - "Ref": "MyApiWithNotCachedLambdaRequestAuth" - } - } - ] - } ->>>>>>> parent of ed3c283... Revert "Issue 1508 remove check requiring identity ... (#1577)" (#2038) } }, "MyApiWithLambdaTokenAuth": { 
@@ -688,72 +606,6 @@ ] } } - }, - "MyApiWithNotCachedLambdaRequestAuth": { - "Type": "AWS::ApiGateway::RestApi", - "Properties": { - "Body": { - "info": { - "version": "1.0", - "title": { - "Ref": "AWS::StackName" - } - }, - "paths": { - "/not-cached-lambda-request": { - "get": { - "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", - "uri": { - "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" - } - }, - "security": [ - { - "MyLambdaRequestAuth": [] - } - ], - "responses": {} - } - } - }, - "swagger": "2.0", - "securityDefinitions": { - "MyLambdaRequestAuth": { - "in": "header", - "type": "apiKey", - "name": "Unused", - "x-amazon-apigateway-authorizer": { - "type": "request", - "authorizerUri": { - "Fn::Sub": [ - "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", - { - "__FunctionArn__": { - "Fn::GetAtt": [ - "MyAuthFn", - "Arn" - ] - } - } - ] - }, - "authorizerResultTtlInSeconds": 0 - }, - "x-amazon-apigateway-authtype": "custom" - } - } - }, - "EndpointConfiguration": { - "Types": [ - "REGIONAL" - ] - }, - "Parameters": { - "endpointConfigurationTypes": "REGIONAL" - } - } } } } \ No newline at end of file diff --git a/tests/translator/output/aws-cn/api_with_identity_intrinsic.json b/tests/translator/output/aws-cn/api_with_identity_intrinsic.json new file mode 100644 index 000000000..86c1058c9 --- /dev/null +++ b/tests/translator/output/aws-cn/api_with_identity_intrinsic.json 
@@ -0,0 +1,98 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Conditions": { + "isProd": true + }, + "Resources": { + "APIGateway": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "swagger": "2.0", + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": {}, + "securityDefinitions": { + "SomeAuthorizer": { + "type": "apiKey", + "name": "Unused", + "in": "header", + "x-amazon-apigateway-authtype": "custom", + "x-amazon-apigateway-authorizer": { + "type": "request", + "authorizerUri": { + "Fn::Sub": [ + "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + { + "__FunctionArn__": "SomeArn" + } + ] + }, + "authorizerResultTtlInSeconds": { + "Fn::If": [ + "isProd", + 3600, + 0 + ] + }, + "identitySource": "method.request.header.Accept" + } + } + } + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + } + } + }, + "APIGatewayDeploymenta268f45fbc": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "Description": "RestApi deployment id: a268f45fbc6c09ab30f64915bd9ebfc4088f93e1", + "RestApiId": { + "Ref": "APIGateway" + }, + "StageName": "Stage" + } + }, + "APIGatewayProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "APIGatewayDeploymenta268f45fbc" + }, + "RestApiId": { + "Ref": "APIGateway" + }, + "StageName": "Prod" + } + }, + "APIGatewaySomeAuthorizerAuthorizerPermission": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": "SomeArn", + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + { + "__ApiId__": { + "Ref": "APIGateway" + } + } + ] + } + } + } + } +} \ No newline at end of file 
diff --git a/tests/translator/output/aws-us-gov/api_with_auth_all_minimum.json b/tests/translator/output/aws-us-gov/api_with_auth_all_minimum.json index 9b583ee6f..9cc7479c5 100644 --- a/tests/translator/output/aws-us-gov/api_with_auth_all_minimum.json +++ b/tests/translator/output/aws-us-gov/api_with_auth_all_minimum.json @@ -1,37 +1,16 @@ { "Resources": { - "MyUserPool": { - "Type": "AWS::Cognito::UserPool", - "Properties": { - "UserPoolName": "UserPoolName", - "Policies": { - "PasswordPolicy": { - "MinimumLength": 8 - } - }, - "UsernameAttributes": [ - "email" - ], - "Schema": [ - { - "AttributeDataType": "String", - "Name": "email", - "Required": false - } - ] - } - }, - "MyAuthFn": { + "MyFunction": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { - "S3Bucket": "bucket", - "S3Key": "key" + "S3Bucket": "sam-demo-bucket", + "S3Key": "thumbnails.zip" }, "Handler": "index.handler", "Role": { "Fn::GetAtt": [ - "MyAuthFnRole", + "MyFunctionRole", "Arn" ] }, @@ -44,7 +23,7 @@ ] } }, - "MyAuthFnRole": { + "MyFunctionRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { 
@@ -74,73 +53,104 @@ ] } }, - "MyFn": { - "Type": "AWS::Lambda::Function", + "MyFunctionWithNoAuthorizerPermissionProd": { + "Type": "AWS::Lambda::Permission", "Properties": { - "Code": { - "S3Bucket": "bucket", - "S3Key": "key" + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Ref": "MyFunction" }, - "Handler": "index.handler", - "Role": { - "Fn::GetAtt": [ - "MyFnRole", - "Arn" + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", + { + "__ApiId__": { + "Ref": "MyApi" + }, + "__Stage__": "*" + } ] + } + } + }, + "MyFunctionWithCognitoMultipleUserPoolsAuthorizerAnyMethodPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Ref": "MyFunction" }, - "Runtime": "nodejs12.x", - "Tags": [ - { - "Key": "lambda:createdBy", - "Value": "SAM" - } - ] + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/cognitomultiple", + { + "__ApiId__": { + "Ref": "MyApi" + }, + "__Stage__": "*" + } + ] + } } }, - "MyFnRole": { - "Type": "AWS::IAM::Role", + "MyFunctionWithDefaultAuthorizerAnyMethodPermissionProd": { + "Type": "AWS::Lambda::Permission", "Properties": { - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Ref": "MyFunction" + }, + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/default", { - "Action": [ - "sts:AssumeRole" - ], - "Effect": "Allow", - "Principal": { - "Service": [ - "lambda.amazonaws.com" - ] - } + "__ApiId__": { + "Ref": "MyApi" + }, + "__Stage__": "*" } ] + } + } + }, + "MyFunctionWithLambdaRequestAuthorizerAnyMethodPermissionProd": { + 
"Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Ref": "MyFunction" }, - "ManagedPolicyArns": [ - "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], - "Tags": [ - { - "Key": "lambda:createdBy", - "Value": "SAM" - } - ] + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambdarequest", + { + "__ApiId__": { + "Ref": "MyApi" + }, + "__Stage__": "*" + } + ] + } } }, - "MyFnCognitoAnyMethodPermissionProd": { + "MyFunctionWithLambdaTokenAuthorizerAnyMethodPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { - "Ref": "MyFn" + "Ref": "MyFunction" }, "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/cognito", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambdatoken", { "__ApiId__": { - "Ref": "MyApiWithCognitoAuth" + "Ref": "MyApi" }, "__Stage__": "*" } @@ -148,20 +158,20 @@ } } }, - "MyFnLambdaRequestAnyMethodPermissionProd": { + "MyFunctionWithLambdaTokenNoneAuthorizerAnyMethodPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { - "Ref": "MyFn" + "Ref": "MyFunction" }, "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-request", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambdatokennone", { "__ApiId__": { - "Ref": "MyApiWithLambdaRequestAuth" + "Ref": "MyApi" }, "__Stage__": "*" } 
@@ -169,20 +179,20 @@ } } }, - "MyFnLambdaTokenAnyMethodPermissionProd": { + "MyFunctionWithNoAuthorizerAnyMethodPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { - "Ref": "MyFn" + "Ref": "MyFunction" }, "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-token", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/noauth", { "__ApiId__": { - "Ref": "MyApiWithLambdaTokenAuth" + "Ref": "MyApi" }, "__Stage__": "*" } @@ -190,20 +200,20 @@ } } }, - "MyFnCognitoPermissionProd": { + "MyFunctionWithCognitoMultipleUserPoolsAuthorizerPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { - "Ref": "MyFn" + "Ref": "MyFunction" }, "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognito", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", { "__ApiId__": { - "Ref": "MyApiWithCognitoAuth" + "Ref": "MyApi" }, "__Stage__": "*" } @@ -211,20 +221,20 @@ } } }, - "MyFnLambdaRequestPermissionProd": { + "MyFunctionWithLambdaTokenAuthorizerPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { - "Ref": "MyFn" + "Ref": "MyFunction" }, "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-request", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/users", { "__ApiId__": { - "Ref": "MyApiWithLambdaRequestAuth" + "Ref": "MyApi" }, "__Stage__": "*" } 
@@ -232,20 +242,20 @@ } } }, - "MyFnLambdaTokenPermissionProd": { + "MyFunctionWithLambdaTokenNoneAuthorizerPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { - "Ref": "MyFn" + "Ref": "MyFunction" }, "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-token", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", { "__ApiId__": { - "Ref": "MyApiWithLambdaTokenAuth" + "Ref": "MyApi" }, "__Stage__": "*" } @@ -253,7 +263,49 @@ } } }, - "MyApiWithCognitoAuth": { + "MyFunctionWithLambdaRequestAuthorizerPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Ref": "MyFunction" + }, + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", + { + "__ApiId__": { + "Ref": "MyApi" + }, + "__Stage__": "*" + } + ] + } + } + }, + "MyFunctionWithDefaultAuthorizerPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Ref": "MyFunction" + }, + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", + { + "__ApiId__": { + "Ref": "MyApi" + }, + "__Stage__": "*" + } + ] + } + } + }, + "MyApi": { "Type": "AWS::ApiGateway::RestApi", "Properties": { "Body": { 
@@ -265,268 +317,305 @@ } }, "paths": { - "/cognito": { + "/": { "get": { "x-amazon-apigateway-integration": { "type": "aws_proxy", "httpMethod": "POST", "uri": { - "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } }, "responses": {}, "security": [ { - "MyCognitoAuth": [] + "NONE": [] + }, + { + "api_key": [] } ] } }, - "/any/cognito": { + "/any/noauth": { "x-amazon-apigateway-any-method": { "x-amazon-apigateway-integration": { "type": "aws_proxy", "httpMethod": "POST", "uri": { - "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } }, "responses": {}, "security": [ { - "MyCognitoAuth": [] + "NONE": [] + }, + { + "api_key": [] } ] } - } - }, - "securityDefinitions": { - "MyCognitoAuth": { - "type": "apiKey", - "name": "Authorization", - "in": "header", - "x-amazon-apigateway-authtype": "cognito_user_pools", - "x-amazon-apigateway-authorizer": { - "type": "cognito_user_pools", - "providerARNs": [ + }, + "/users": { + "post": { + "x-amazon-apigateway-integration": { + "type": "aws_proxy", + "httpMethod": "POST", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" + } + }, + "responses": {}, + "security": [ + { + "MyCognitoAuthMultipleUserPools": [] + }, { - "Fn::GetAtt": [ - "MyUserPool", - "Arn" - ] + "api_key": [] } ] - } - } - } - }, - "Parameters": { - "endpointConfigurationTypes": "REGIONAL" - }, - "EndpointConfiguration": { - "Types": [ - "REGIONAL" - ] - } - } - }, - "MyApiWithCognitoAuthDeployment492f1347b1": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "Description": "RestApi deployment id: 
492f1347b1194457232f0e99ced4a86954fdeec9", - "RestApiId": { - "Ref": "MyApiWithCognitoAuth" - }, - "StageName": "Stage" - } - }, - "MyApiWithCognitoAuthProdStage": { - "Type": "AWS::ApiGateway::Stage", - "Properties": { - "DeploymentId": { - "Ref": "MyApiWithCognitoAuthDeployment492f1347b1" - }, - "RestApiId": { - "Ref": "MyApiWithCognitoAuth" - }, - "StageName": "Prod" - } - }, - "MyApiWithLambdaTokenAuth": { - "Type": "AWS::ApiGateway::RestApi", - "Properties": { - "Body": { - "swagger": "2.0", - "info": { - "version": "1.0", - "title": { - "Ref": "AWS::StackName" - } - }, - "paths": { - "/lambda-token": { + }, "get": { "x-amazon-apigateway-integration": { "type": "aws_proxy", "httpMethod": "POST", "uri": { - "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } }, "responses": {}, "security": [ { "MyLambdaTokenAuth": [] + }, + { + "api_key": [] + } + ] + }, + "patch": { + "x-amazon-apigateway-integration": { + "type": "aws_proxy", + "httpMethod": "POST", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" + } + }, + "responses": {}, + "security": [ + { + "MyLambdaTokenAuthNoneFunctionInvokeRole": [] + }, + { + "api_key": [] + } + ] + }, + "delete": { + "x-amazon-apigateway-integration": { + "type": "aws_proxy", + "httpMethod": "POST", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" + } + }, + "responses": {}, + "security": [ + { + "MyLambdaRequestAuth": [] + }, + { + "api_key": [] + } + ] + }, + "put": { + "x-amazon-apigateway-integration": { + "type": "aws_proxy", + "httpMethod": "POST", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" + } + }, + 
"responses": {}, + "security": [ + { + "MyCognitoAuth": [] + }, + { + "api_key": [] } ] } }, - "/any/lambda-token": { + "/any/cognitomultiple": { "x-amazon-apigateway-any-method": { "x-amazon-apigateway-integration": { "type": "aws_proxy", "httpMethod": "POST", "uri": { - "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } }, "responses": {}, "security": [ { - "MyLambdaTokenAuth": [] + "MyCognitoAuthMultipleUserPools": [] + }, + { + "api_key": [] } ] } - } - }, - "securityDefinitions": { - "MyLambdaTokenAuth": { - "type": "apiKey", - "name": "Authorization", - "in": "header", - "x-amazon-apigateway-authtype": "custom", - "x-amazon-apigateway-authorizer": { - "type": "token", - "authorizerUri": { - "Fn::Sub": [ - "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", - { - "__FunctionArn__": { - "Fn::GetAtt": [ - "MyAuthFn", - "Arn" - ] - } - } - ] - } + }, + "/any/lambdatoken": { + "x-amazon-apigateway-any-method": { + "x-amazon-apigateway-integration": { + "type": "aws_proxy", + "httpMethod": "POST", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" + } + }, + "responses": {}, + "security": [ + { + "MyLambdaTokenAuth": [] + }, + { + "api_key": [] + } + ] } - } - } - }, - "Parameters": { - "endpointConfigurationTypes": "REGIONAL" - }, - "EndpointConfiguration": { - "Types": [ - "REGIONAL" - ] - } - } - }, - "MyApiWithLambdaTokenAuthDeployment5f3dce4e5c": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "Description": "RestApi deployment id: 5f3dce4e5c196ff885a155dd8cc0ffeebd5b93b1", - "RestApiId": { - "Ref": "MyApiWithLambdaTokenAuth" - }, - "StageName": "Stage" - } - }, - "MyApiWithLambdaTokenAuthProdStage": { - "Type": 
"AWS::ApiGateway::Stage", - "Properties": { - "DeploymentId": { - "Ref": "MyApiWithLambdaTokenAuthDeployment5f3dce4e5c" - }, - "RestApiId": { - "Ref": "MyApiWithLambdaTokenAuth" - }, - "StageName": "Prod" - } - }, - "MyApiWithLambdaTokenAuthMyLambdaTokenAuthAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Fn::GetAtt": [ - "MyAuthFn", - "Arn" - ] - }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", - { - "__ApiId__": { - "Ref": "MyApiWithLambdaTokenAuth" + }, + "/any/lambdatokennone": { + "x-amazon-apigateway-any-method": { + "x-amazon-apigateway-integration": { + "type": "aws_proxy", + "httpMethod": "POST", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" + } + }, + "responses": {}, + "security": [ + { + "MyLambdaTokenAuthNoneFunctionInvokeRole": [] + }, + { + "api_key": [] + } + ] } - } - ] - } - } - }, - "MyApiWithLambdaRequestAuth": { - "Type": "AWS::ApiGateway::RestApi", - "Properties": { - "Body": { - "swagger": "2.0", - "info": { - "version": "1.0", - "title": { - "Ref": "AWS::StackName" - } - }, - "paths": { - "/lambda-request": { - "get": { + }, + "/any/lambdarequest": { + "x-amazon-apigateway-any-method": { "x-amazon-apigateway-integration": { "type": "aws_proxy", "httpMethod": "POST", "uri": { - "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } }, "responses": {}, "security": [ { "MyLambdaRequestAuth": [] + }, + { + "api_key": [] } ] } }, - "/any/lambda-request": { + "/any/default": { "x-amazon-apigateway-any-method": { "x-amazon-apigateway-integration": { "type": "aws_proxy", "httpMethod": 
"POST", "uri": { - "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } }, "responses": {}, "security": [ { - "MyLambdaRequestAuth": [] + "MyCognitoAuth": [] + }, + { + "api_key": [] } ] } } }, "securityDefinitions": { + "MyCognitoAuth": { + "type": "apiKey", + "name": "MyAuthorizationHeader", + "in": "header", + "x-amazon-apigateway-authtype": "cognito_user_pools", + "x-amazon-apigateway-authorizer": { + "type": "cognito_user_pools", + "providerARNs": [ + "arn:aws:1" + ], + "identityValidationExpression": "myauthvalidationexpression" + } + }, + "MyCognitoAuthMultipleUserPools": { + "type": "apiKey", + "name": "MyAuthorizationHeader2", + "in": "header", + "x-amazon-apigateway-authtype": "cognito_user_pools", + "x-amazon-apigateway-authorizer": { + "type": "cognito_user_pools", + "providerARNs": [ + "arn:aws:2", + "arn:aws:3" + ], + "identityValidationExpression": "myauthvalidationexpression2" + } + }, + "MyLambdaTokenAuth": { + "type": "apiKey", + "name": "MyCustomAuthHeader", + "in": "header", + "x-amazon-apigateway-authtype": "custom", + "x-amazon-apigateway-authorizer": { + "type": "token", + "authorizerUri": { + "Fn::Sub": [ + "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + { + "__FunctionArn__": "arn:aws" + } + ] + }, + "authorizerResultTtlInSeconds": 20, + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", + "identityValidationExpression": "mycustomauthexpression" + } + }, + "MyLambdaTokenAuthNoneFunctionInvokeRole": { + "type": "apiKey", + "name": "Authorization", + "in": "header", + "x-amazon-apigateway-authtype": "custom", + "x-amazon-apigateway-authorizer": { + "type": "token", + "authorizerUri": { + "Fn::Sub": [ + 
"arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + { + "__FunctionArn__": "arn:aws" + } + ] + }, + "authorizerResultTtlInSeconds": 0 + } + }, "MyLambdaRequestAuth": { "type": "apiKey", "name": "Unused", @@ -538,17 +627,19 @@ "Fn::Sub": [ "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { - "__FunctionArn__": { - "Fn::GetAtt": [ - "MyAuthFn", - "Arn" - ] - } + "__FunctionArn__": "arn:aws" } ] }, - "identitySource": "method.request.header.Authorization1" + "authorizerResultTtlInSeconds": 0, + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", + "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4" } + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } } }, 
@@ -562,45 +653,76 @@ } } }, - "MyApiWithLambdaRequestAuthDeployment468dce6129": { + "MyApiDeployment275e8e0d8c": { "Type": "AWS::ApiGateway::Deployment", "Properties": { - "Description": "RestApi deployment id: 468dce61296ac92bf536be6fc55751d9553dbc4b", + "Description": "RestApi deployment id: 275e8e0d8cf3a111a995e674cad920e51ff02de7", "RestApiId": { - "Ref": "MyApiWithLambdaRequestAuth" + "Ref": "MyApi" }, "StageName": "Stage" } }, - "MyApiWithLambdaRequestAuthProdStage": { + "MyApiProdStage": { "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithLambdaRequestAuthDeployment468dce6129" + "Ref": "MyApiDeployment275e8e0d8c" }, "RestApiId": { - "Ref": "MyApiWithLambdaRequestAuth" + "Ref": "MyApi" }, "StageName": "Prod" } }, - "MyApiWithLambdaRequestAuthMyLambdaRequestAuthAuthorizerPermission": { + "MyApiMyLambdaTokenAuthAuthorizerPermission": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", - "FunctionName": { - "Fn::GetAtt": [ - "MyAuthFn", - "Arn" + "FunctionName": "arn:aws", + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + { + "__ApiId__": { + "Ref": "MyApi" + } + } ] - }, + } + } + }, + "MyApiMyLambdaTokenAuthNoneFunctionInvokeRoleAuthorizerPermission": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": "arn:aws", + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + { + "__ApiId__": { + "Ref": "MyApi" + } + } + ] + } + } + }, + "MyApiMyLambdaRequestAuthAuthorizerPermission": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": "arn:aws", "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ 
"arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { - "Ref": "MyApiWithLambdaRequestAuth" + "Ref": "MyApi" } } ] diff --git a/tests/translator/output/aws-us-gov/api_with_identity_intrinsic.json b/tests/translator/output/aws-us-gov/api_with_identity_intrinsic.json new file mode 100644 index 000000000..d33424323 --- /dev/null +++ b/tests/translator/output/aws-us-gov/api_with_identity_intrinsic.json 
@@ -0,0 +1,98 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Conditions": { + "isProd": true + }, + "Resources": { + "APIGateway": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "swagger": "2.0", + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": {}, + "securityDefinitions": { + "SomeAuthorizer": { + "type": "apiKey", + "name": "Unused", + "in": "header", + "x-amazon-apigateway-authtype": "custom", + "x-amazon-apigateway-authorizer": { + "type": "request", + "authorizerUri": { + "Fn::Sub": [ + "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + { + "__FunctionArn__": "SomeArn" + } + ] + }, + "authorizerResultTtlInSeconds": { + "Fn::If": [ + "isProd", + 3600, + 0 + ] + }, + "identitySource": "method.request.header.Accept" + } + } + } + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + } + } + }, + "APIGatewayDeployment6a5b3a7036": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "Description": "RestApi deployment id: 6a5b3a7036e3315b4572de9f418d31c49d52786d", + "RestApiId": { + "Ref": "APIGateway" + }, + "StageName": "Stage" + } + }, + "APIGatewayProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "APIGatewayDeployment6a5b3a7036" + }, + "RestApiId": { + "Ref": "APIGateway" + }, + "StageName": "Prod" + } + }, + "APIGatewaySomeAuthorizerAuthorizerPermission": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": "SomeArn", + "Principal": "apigateway.amazonaws.com", + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + { + "__ApiId__": { + "Ref": "APIGateway" + } + } + ] + } + } + } + } +} \ No newline at end of file 
diff --git a/tests/translator/test_translator.py b/tests/translator/test_translator.py
index 0db19f45a..b0193c2ae 100644
--- a/tests/translator/test_translator.py
+++ b/tests/translator/test_translator.py
@@ -316,6 +316,7 @@ class TestTranslatorEndToEnd(AbstractTestTranslator):
 "api_with_gateway_responses_minimal",
 "api_with_gateway_responses_implicit",
 "api_with_gateway_responses_string_status_code",
+ "api_with_identity_intrinsic",
 "api_cache",
 "api_with_access_log_setting",
 "api_with_canary_setting",
From 3aa20140e81a2375d912db6b86cdad37c89adc24 Mon Sep 17 00:00:00 2001
From: Jacob Fuss
Date: Mon, 26 Jul 2021 16:01:35 -0500
Subject: [PATCH 3/6] Fixing hashes for py2
---
 .../output/api_with_auth_all_minimum.json | 1034 ++++++++--------
 .../output/api_with_identity_intrinsic.json | 73 +-
 .../aws-cn/api_with_auth_all_minimum.json | 782 +++++++-----
 .../aws-cn/api_with_identity_intrinsic.json | 78 +-
 .../aws-us-gov/api_with_auth_all_minimum.json | 1062 +++++++++--------
 .../api_with_identity_intrinsic.json | 64 +-
 6 files changed, 1611 insertions(+), 1482 deletions(-)
diff --git a/tests/translator/output/api_with_auth_all_minimum.json b/tests/translator/output/api_with_auth_all_minimum.json
index f6570f17c..a64255ce5 100644
--- a/tests/translator/output/api_with_auth_all_minimum.json
+++ b/tests/translator/output/api_with_auth_all_minimum.json
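Review bot: The `"api_with_identity_intrinsic",` entry added to this list registers only a passing case: its expected output pairs an `Fn::If` TTL (3600 or 0) with `identitySource: method.request.header.Accept`, so an identity source is always present. The combination worth pinning is the opposite one, `ReauthorizeEvery` given as an intrinsic with no identity source at all, because the transform cannot tell whether caching will be on, and with caching on the identity sources are what the authorizer cache is keyed by. No error-case fixture for that combination is visible in this part of the series; if none exists, I would add one that expects the template to be rejected, with a comment beside it such as `# intrinsic ReauthorizeEvery cannot prove caching is off, so an identity source is still required`. The enclosing list starts and ends outside the hunk.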
@@ -1,315 +1,348 @@ { "Resources": { - "MyFunction": { - "Type": "AWS::Lambda::Function", - "Properties": { - "Code": { - "S3Bucket": "sam-demo-bucket", - "S3Key": "thumbnails.zip" - }, - "Handler": "index.handler", - "Role": { - "Fn::GetAtt": [ - "MyFunctionRole", - "Arn" - ] - }, - "Runtime": "nodejs12.x", - "Tags": [ - { - "Key": "lambda:createdBy", - "Value": "SAM" - } - ] - } - }, - "MyFunctionRole": { - "Type": "AWS::IAM::Role", + "MyApiWithCognitoAuth": { + "Type": "AWS::ApiGateway::RestApi", "Properties": { - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "sts:AssumeRole" - ], - "Effect": "Allow", - "Principal": { - "Service": [ - "lambda.amazonaws.com" - ] + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/cognito": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuth": [] + } + ], + "responses": {} + } + }, + "/any/cognito": { + "x-amazon-apigateway-any-method": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuth": [] + } + ], + "responses": {} } } - ] - }, - "ManagedPolicyArns": [ - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], - "Tags": [ - { - "Key": "lambda:createdBy", - "Value": "SAM" + }, + "swagger": "2.0", + "securityDefinitions": { + "MyCognitoAuth": { + "in": "header", + "type": "apiKey", + "name": "Authorization", + "x-amazon-apigateway-authorizer": { + "providerARNs": [ + { + "Fn::GetAtt": [ + "MyUserPool", + "Arn" + ] + } + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": 
"cognito_user_pools" + } } - ] + } } }, - "MyFunctionWithNoAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "MyApiWithLambdaRequestAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFunction" + "DeploymentId": { + "Ref": "MyApiWithLambdaRequestAuthDeployment6a32cc7f63" }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", - { - "__ApiId__": { - "Ref": "MyApi" - }, - "__Stage__": "*" - } - ] - } + "RestApiId": { + "Ref": "MyApiWithLambdaRequestAuth" + }, + "StageName": "Prod" } }, - "MyFunctionWithCognitoMultipleUserPoolsAuthorizerAnyMethodPermissionProd": { + "MyApiWithLambdaTokenAuthMyLambdaTokenAuthAuthorizerPermission": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { - "Ref": "MyFunction" + "Fn::GetAtt": [ + "MyAuthFn", + "Arn" + ] }, - "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/cognitomultiple", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { - "Ref": "MyApi" - }, - "__Stage__": "*" + "Ref": "MyApiWithLambdaTokenAuth" + } } ] } } }, - "MyFunctionWithDefaultAuthorizerAnyMethodPermissionProd": { - "Type": "AWS::Lambda::Permission", + "MyApiWithLambdaRequestAuth": { + "Type": "AWS::ApiGateway::RestApi", "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFunction" - }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/default", - { - "__ApiId__": { - "Ref": "MyApi" + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": 
"AWS::StackName" + } + }, + "paths": { + "/any/lambda-request": { + "x-amazon-apigateway-any-method": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyLambdaRequestAuth": [] + } + ], + "responses": {} + } + }, + "/lambda-request": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyLambdaRequestAuth": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "MyLambdaRequestAuth": { + "in": "header", + "type": "apiKey", + "name": "Unused", + "x-amazon-apigateway-authorizer": { + "type": "request", + "identitySource": "method.request.header.Authorization1", + "authorizerUri": { + "Fn::Sub": [ + "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + { + "__FunctionArn__": { + "Fn::GetAtt": [ + "MyAuthFn", + "Arn" + ] + } + } + ] + } }, - "__Stage__": "*" + "x-amazon-apigateway-authtype": "custom" } - ] + } } } }, - "MyFunctionWithLambdaRequestAuthorizerAnyMethodPermissionProd": { - "Type": "AWS::Lambda::Permission", + "MyApiWithLambdaTokenAuthDeployment03cc3fd4fd": { + "Type": "AWS::ApiGateway::Deployment", "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFunction" + "RestApiId": { + "Ref": "MyApiWithLambdaTokenAuth" }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambdarequest", - { - "__ApiId__": { - "Ref": "MyApi" - }, - "__Stage__": "*" - } - ] - } + "Description": "RestApi deployment id: 03cc3fd4fd00e795fb067f94da06cb2fcfe95d3b", + "StageName": 
"Stage" } }, - "MyFunctionWithLambdaTokenAuthorizerAnyMethodPermissionProd": { - "Type": "AWS::Lambda::Permission", + "MyApiWithCognitoAuthDeploymentdcc28e4b5f": { + "Type": "AWS::ApiGateway::Deployment", "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFunction" + "RestApiId": { + "Ref": "MyApiWithCognitoAuth" }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambdatoken", - { - "__ApiId__": { - "Ref": "MyApi" - }, - "__Stage__": "*" - } - ] - } + "Description": "RestApi deployment id: dcc28e4b5f8fbdb114c4da86eae5deddc368c60e", + "StageName": "Stage" } }, - "MyFunctionWithLambdaTokenNoneAuthorizerAnyMethodPermissionProd": { - "Type": "AWS::Lambda::Permission", + "MyUserPool": { + "Type": "AWS::Cognito::UserPool", "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFunction" + "UsernameAttributes": [ + "email" + ], + "UserPoolName": "UserPoolName", + "Policies": { + "PasswordPolicy": { + "MinimumLength": 8 + } }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambdatokennone", - { - "__ApiId__": { - "Ref": "MyApi" - }, - "__Stage__": "*" - } - ] - } + "Schema": [ + { + "AttributeDataType": "String", + "Required": false, + "Name": "email" + } + ] } }, - "MyFunctionWithNoAuthorizerAnyMethodPermissionProd": { - "Type": "AWS::Lambda::Permission", + "MyAuthFn": { + "Type": "AWS::Lambda::Function", "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFunction" + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/noauth", - { - "__ApiId__": { - "Ref": 
"MyApi" - }, - "__Stage__": "*" - } + "Role": { + "Fn::GetAtt": [ + "MyAuthFnRole", + "Arn" ] - } + }, + "Runtime": "nodejs12.x", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] } }, - "MyFunctionWithCognitoMultipleUserPoolsAuthorizerPermissionProd": { + "MyFnLambdaRequestAnyMethodPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { - "Ref": "MyFunction" + "Ref": "MyFn" }, - "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-request", { + "__Stage__": "*", "__ApiId__": { - "Ref": "MyApi" - }, - "__Stage__": "*" + "Ref": "MyApiWithLambdaRequestAuth" + } } ] } } }, - "MyFunctionWithLambdaTokenAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "MyFnRole": { + "Type": "AWS::IAM::Role", "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFunction" - }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/users", + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ { - "__ApiId__": { - "Ref": "MyApi" - }, - "__Stage__": "*" + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } } ] - } + }, + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] } }, - "MyFunctionWithLambdaTokenNoneAuthorizerPermissionProd": { + "MyFnCognitoPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", 
"FunctionName": { - "Ref": "MyFunction" + "Ref": "MyFn" }, - "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognito", { + "__Stage__": "*", "__ApiId__": { - "Ref": "MyApi" - }, - "__Stage__": "*" + "Ref": "MyApiWithCognitoAuth" + } } ] } } }, - "MyFunctionWithLambdaRequestAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "MyApiWithCognitoAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFunction" + "DeploymentId": { + "Ref": "MyApiWithCognitoAuthDeploymentdcc28e4b5f" }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", - { - "__ApiId__": { - "Ref": "MyApi" - }, - "__Stage__": "*" - } - ] - } + "RestApiId": { + "Ref": "MyApiWithCognitoAuth" + }, + "StageName": "Prod" } }, - "MyFunctionWithDefaultAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "MyApiWithNotCachedLambdaRequestAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFunction" + "DeploymentId": { + "Ref": "MyApiWithNotCachedLambdaRequestAuthDeployment444f67cd7c" }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", - { - "__ApiId__": { - "Ref": "MyApi" - }, - "__Stage__": "*" - } - ] - } + "RestApiId": { + "Ref": "MyApiWithNotCachedLambdaRequestAuth" + }, + "StageName": "Prod" } }, - "MyApi": { + "MyApiWithNotCachedLambdaRequestAuth": { "Type": "AWS::ApiGateway::RestApi", "Properties": { "Body": { - "swagger": "2.0", "info": { "version": "1.0", "title": { 
@@ -317,409 +350,362 @@ } }, "paths": { - "/": { + "/not-cached-lambda-request": { "get": { "x-amazon-apigateway-integration": { - "type": "aws_proxy", "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "NONE": [] - }, - { - "api_key": [] - } - ] - } - }, - "/any/noauth": { - "x-amazon-apigateway-any-method": { - "x-amazon-apigateway-integration": { - "type": "aws_proxy", - "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "NONE": [] - }, - { - "api_key": [] - } - ] - } - }, - "/users": { - "post": { - "x-amazon-apigateway-integration": { "type": "aws_proxy", - "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "MyCognitoAuthMultipleUserPools": [] - }, - { - "api_key": [] - } - ] - }, - "get": { - "x-amazon-apigateway-integration": { - "type": "aws_proxy", - "httpMethod": "POST", "uri": { - "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" } }, - "responses": {}, - "security": [ - { - "MyLambdaTokenAuth": [] - }, - { - "api_key": [] - } - ] - }, - "patch": { - "x-amazon-apigateway-integration": { - "type": "aws_proxy", - "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "MyLambdaTokenAuthNoneFunctionInvokeRole": [] - }, - { - "api_key": [] - } - ] - }, - "delete": { - "x-amazon-apigateway-integration": { - "type": "aws_proxy", - 
"httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" - } - }, - "responses": {}, "security": [ { "MyLambdaRequestAuth": [] - }, - { - "api_key": [] } - ] + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "MyLambdaRequestAuth": { + "in": "header", + "type": "apiKey", + "name": "Unused", + "x-amazon-apigateway-authorizer": { + "type": "request", + "authorizerResultTtlInSeconds": 0, + "authorizerUri": { + "Fn::Sub": [ + "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + { + "__FunctionArn__": { + "Fn::GetAtt": [ + "MyAuthFn", + "Arn" + ] + } + } + ] + } }, - "put": { - "x-amazon-apigateway-integration": { - "type": "aws_proxy", - "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "MyCognitoAuth": [] - }, - { - "api_key": [] - } - ] + "x-amazon-apigateway-authtype": "custom" + } + } + } + } + }, + "MyFnLambdaTokenAnyMethodPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-token", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithLambdaTokenAuth" + } + } + ] + } + } + }, + "MyFnCognitoAnyMethodPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/cognito", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": 
"MyApiWithCognitoAuth" } - }, - "/any/cognitomultiple": { - "x-amazon-apigateway-any-method": { - "x-amazon-apigateway-integration": { - "type": "aws_proxy", - "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "MyCognitoAuthMultipleUserPools": [] - }, - { - "api_key": [] - } - ] + } + ] + } + } + }, + "MyApiWithLambdaRequestAuthMyLambdaRequestAuthAuthorizerPermission": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Fn::GetAtt": [ + "MyAuthFn", + "Arn" + ] + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + { + "__ApiId__": { + "Ref": "MyApiWithLambdaRequestAuth" } - }, - "/any/lambdatoken": { - "x-amazon-apigateway-any-method": { - "x-amazon-apigateway-integration": { - "type": "aws_proxy", - "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "MyLambdaTokenAuth": [] - }, - { - "api_key": [] - } - ] + } + ] + } + } + }, + "MyFnLambdaTokenPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-token", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithLambdaTokenAuth" } - }, - "/any/lambdatokennone": { - "x-amazon-apigateway-any-method": { - "x-amazon-apigateway-integration": { - "type": "aws_proxy", - "httpMethod": "POST", - "uri": { - "Fn::Sub": 
"arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "MyLambdaTokenAuthNoneFunctionInvokeRole": [] - }, - { - "api_key": [] - } - ] + } + ] + } + } + }, + "MyFnLambdaRequestPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-request", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithLambdaRequestAuth" } - }, - "/any/lambdarequest": { - "x-amazon-apigateway-any-method": { + } + ] + } + } + }, + "MyApiWithLambdaTokenAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/lambda-token": { + "get": { "x-amazon-apigateway-integration": { - "type": "aws_proxy", "httpMethod": "POST", + "type": "aws_proxy", "uri": { - "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" } }, - "responses": {}, "security": [ { - "MyLambdaRequestAuth": [] - }, - { - "api_key": [] + "MyLambdaTokenAuth": [] } - ] + ], + "responses": {} } }, - "/any/default": { + "/any/lambda-token": { "x-amazon-apigateway-any-method": { "x-amazon-apigateway-integration": { - "type": "aws_proxy", "httpMethod": "POST", + "type": "aws_proxy", "uri": { - "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" } }, - "responses": {}, "security": [ { - "MyCognitoAuth": [] - }, - { - "api_key": [] + 
"MyLambdaTokenAuth": [] } - ] + ], + "responses": {} } } }, + "swagger": "2.0", "securityDefinitions": { - "MyCognitoAuth": { - "type": "apiKey", - "name": "MyAuthorizationHeader", - "in": "header", - "x-amazon-apigateway-authtype": "cognito_user_pools", - "x-amazon-apigateway-authorizer": { - "type": "cognito_user_pools", - "providerARNs": [ - "arn:aws:1" - ], - "identityValidationExpression": "myauthvalidationexpression" - } - }, - "MyCognitoAuthMultipleUserPools": { - "type": "apiKey", - "name": "MyAuthorizationHeader2", - "in": "header", - "x-amazon-apigateway-authtype": "cognito_user_pools", - "x-amazon-apigateway-authorizer": { - "type": "cognito_user_pools", - "providerARNs": [ - "arn:aws:2", - "arn:aws:3" - ], - "identityValidationExpression": "myauthvalidationexpression2" - } - }, "MyLambdaTokenAuth": { - "type": "apiKey", - "name": "MyCustomAuthHeader", "in": "header", - "x-amazon-apigateway-authtype": "custom", - "x-amazon-apigateway-authorizer": { - "type": "token", - "authorizerUri": { - "Fn::Sub": [ - "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", - { - "__FunctionArn__": "arn:aws" - } - ] - }, - "authorizerResultTtlInSeconds": 20, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", - "identityValidationExpression": "mycustomauthexpression" - } - }, - "MyLambdaTokenAuthNoneFunctionInvokeRole": { "type": "apiKey", "name": "Authorization", - "in": "header", - "x-amazon-apigateway-authtype": "custom", "x-amazon-apigateway-authorizer": { "type": "token", "authorizerUri": { "Fn::Sub": [ "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { - "__FunctionArn__": "arn:aws" - } - ] - }, - "authorizerResultTtlInSeconds": 0 - } - }, - "MyLambdaRequestAuth": { - "type": "apiKey", - "name": "Unused", - "in": "header", - "x-amazon-apigateway-authtype": "custom", - "x-amazon-apigateway-authorizer": { - "type": "request", - "authorizerUri": { - 
"Fn::Sub": [ - "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", - { - "__FunctionArn__": "arn:aws" + "__FunctionArn__": { + "Fn::GetAtt": [ + "MyAuthFn", + "Arn" + ] + } } ] - }, - "authorizerResultTtlInSeconds": 0, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", - "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4" - } - }, - "api_key": { - "type": "apiKey", - "name": "x-api-key", - "in": "header" + } + }, + "x-amazon-apigateway-authtype": "custom" } } } } }, - "MyApiDeployment563edb7c42": { + "MyApiWithLambdaRequestAuthDeployment6a32cc7f63": { "Type": "AWS::ApiGateway::Deployment", "Properties": { - "Description": "RestApi deployment id: 563edb7c42f90929db0861af12bcd8046b8cb057", "RestApiId": { - "Ref": "MyApi" + "Ref": "MyApiWithLambdaRequestAuth" }, + "Description": "RestApi deployment id: 6a32cc7f63485b93190f441a47da57f43de6a532", "StageName": "Stage" } }, - "MyApiProdStage": { - "Type": "AWS::ApiGateway::Stage", - "Properties": { - "DeploymentId": { - "Ref": "MyApiDeployment563edb7c42" - }, - "RestApiId": { - "Ref": "MyApi" - }, - "StageName": "Prod" - } - }, - "MyApiMyLambdaTokenAuthAuthorizerPermission": { + "MyApiWithNotCachedLambdaRequestAuthMyLambdaRequestAuthAuthorizerPermission": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", - "FunctionName": "arn:aws", "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Fn::GetAtt": [ + "MyAuthFn", + "Arn" + ] + }, "SourceArn": { "Fn::Sub": [ "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { - "Ref": "MyApi" + "Ref": "MyApiWithNotCachedLambdaRequestAuth" } } ] } } }, - "MyApiMyLambdaTokenAuthNoneFunctionInvokeRoleAuthorizerPermission": { + "MyFnLambdaNotCachedRequestPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { 
"Action": "lambda:InvokeFunction", - "FunctionName": "arn:aws", "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/not-cached-lambda-request", { + "__Stage__": "*", "__ApiId__": { - "Ref": "MyApi" + "Ref": "MyApiWithNotCachedLambdaRequestAuth" } } ] } } }, - "MyApiMyLambdaRequestAuthAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "MyAuthFnRole": { + "Type": "AWS::IAM::Role", "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": "arn:aws", - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ { - "__ApiId__": { - "Ref": "MyApi" + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] } } ] - } + }, + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyApiWithLambdaTokenAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithLambdaTokenAuthDeployment03cc3fd4fd" + }, + "RestApiId": { + "Ref": "MyApiWithLambdaTokenAuth" + }, + "StageName": "Prod" + } + }, + "MyApiWithNotCachedLambdaRequestAuthDeployment444f67cd7c": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithNotCachedLambdaRequestAuth" + }, + "Description": "RestApi deployment id: 444f67cd7c6475a698a0101480ba99b498325e90", + "StageName": "Stage" + } + }, + "MyFn": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + 
"S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFnRole", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] } } } -} \ No newline at end of file +} diff --git a/tests/translator/output/api_with_identity_intrinsic.json b/tests/translator/output/api_with_identity_intrinsic.json index 18bfd68ad..32c8b8eaa 100644 --- a/tests/translator/output/api_with_identity_intrinsic.json +++ b/tests/translator/output/api_with_identity_intrinsic.json @@ -1,4 +1,5 @@ -{ "AWSTemplateFormatVersion": "2010-09-09", +{ + "AWSTemplateFormatVersion": "2010-09-09", "Conditions": { "isProd": true }, @@ -7,7 +8,6 @@ "Type": "AWS::ApiGateway::RestApi", "Properties": { "Body": { - "swagger": "2.0", "info": { "version": "1.0", "title": { @@ -15,22 +15,14 @@ } }, "paths": {}, + "swagger": "2.0", "securityDefinitions": { "SomeAuthorizer": { + "in": "header", "type": "apiKey", "name": "Unused", - "in": "header", - "x-amazon-apigateway-authtype": "custom", "x-amazon-apigateway-authorizer": { "type": "request", - "authorizerUri": { - "Fn::Sub": [ - "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", - { - "__FunctionArn__": "SomeArn" - } - ] - }, "authorizerResultTtlInSeconds": { "Fn::If": [ "isProd", 
@@ -38,20 +30,47 @@ 0 ] }, - "identitySource": "method.request.header.Accept" - } + "identitySource": "method.request.header.Accept", + "authorizerUri": { + "Fn::Sub": [ + "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + { + "__FunctionArn__": "SomeArn" + } + ] + } + }, + "x-amazon-apigateway-authtype": "custom" } } } } }, - "APIGatewayDeployment09cf6f1593": { + "APIGatewaySomeAuthorizerAuthorizerPermission": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "SomeArn", + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + { + "__ApiId__": { + "Ref": "APIGateway" + } + } + ] + } + } + }, + "APIGatewayDeploymenta119f04c8a": { "Type": "AWS::ApiGateway::Deployment", "Properties": { - "Description": "RestApi deployment id: 09cf6f15938fb43d44759986383f7d1304187288", "RestApiId": { "Ref": "APIGateway" }, + "Description": "RestApi deployment id: a119f04c8aba206b5b7db5f232f013b816fe6447", "StageName": "Stage" } }, @@ -59,31 +78,13 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "APIGatewayDeployment09cf6f1593" + "Ref": "APIGatewayDeploymenta119f04c8a" }, "RestApiId": { "Ref": "APIGateway" }, "StageName": "Prod" } - }, - "APIGatewaySomeAuthorizerAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": "SomeArn", - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", - { - "__ApiId__": { - "Ref": "APIGateway" - } - } - ] - } - } } } -} \ No newline at end of file +} diff --git a/tests/translator/output/aws-cn/api_with_auth_all_minimum.json b/tests/translator/output/aws-cn/api_with_auth_all_minimum.json index b9e408189..b90828c4a 100644 
--- a/tests/translator/output/aws-cn/api_with_auth_all_minimum.json
+++ b/tests/translator/output/aws-cn/api_with_auth_all_minimum.json
@@ -1,22 +1,215 @@ { "Resources": { + "MyApiWithCognitoAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/cognito": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuth": [] + } + ], + "responses": {} + } + }, + "/any/cognito": { + "x-amazon-apigateway-any-method": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuth": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "MyCognitoAuth": { + "in": "header", + "type": "apiKey", + "name": "Authorization", + "x-amazon-apigateway-authorizer": { + "providerARNs": [ + { + "Fn::GetAtt": [ + "MyUserPool", + "Arn" + ] + } + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } + } + }, + "MyApiWithNotCachedLambdaRequestAuthDeployment234e92eab4": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithNotCachedLambdaRequestAuth" + }, + "Description": "RestApi deployment id: 234e92eab4e4c590ad261ddd55775c1edcc2972f", + "StageName": "Stage" + } + }, + "MyApiWithLambdaTokenAuthMyLambdaTokenAuthAuthorizerPermission": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Fn::GetAtt": [ + "MyAuthFn", + "Arn" + ] + }, + "SourceArn": { + 
"Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + { + "__ApiId__": { + "Ref": "MyApiWithLambdaTokenAuth" + } + } + ] + } + } + }, + "MyApiWithLambdaRequestAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/any/lambda-request": { + "x-amazon-apigateway-any-method": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyLambdaRequestAuth": [] + } + ], + "responses": {} + } + }, + "/lambda-request": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyLambdaRequestAuth": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "MyLambdaRequestAuth": { + "in": "header", + "type": "apiKey", + "name": "Unused", + "x-amazon-apigateway-authorizer": { + "type": "request", + "identitySource": "method.request.header.Authorization1", + "authorizerUri": { + "Fn::Sub": [ + "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + { + "__FunctionArn__": { + "Fn::GetAtt": [ + "MyAuthFn", + "Arn" + ] + } + } + ] + } + }, + "x-amazon-apigateway-authtype": "custom" + } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } + } + }, "MyUserPool": { "Type": "AWS::Cognito::UserPool", "Properties": { + "UsernameAttributes": [ + "email" + ], "UserPoolName": "UserPoolName", "Policies": { "PasswordPolicy": { "MinimumLength": 8 } }, - "UsernameAttributes": [ - "email" - ], 
"Schema": [ { "AttributeDataType": "String", - "Name": "email", - "Required": false + "Required": false, + "Name": "email" } ] } @@ -24,11 +217,11 @@ "MyAuthFn": { "Type": "AWS::Lambda::Function", "Properties": { + "Handler": "index.handler", "Code": { "S3Bucket": "bucket", "S3Key": "key" }, - "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "MyAuthFnRole", @@ -38,63 +231,31 @@ "Runtime": "nodejs12.x", "Tags": [ { - "Key": "lambda:createdBy", - "Value": "SAM" + "Value": "SAM", + "Key": "lambda:createdBy" } ] } }, - "MyAuthFnRole": { - "Type": "AWS::IAM::Role", + "MyFnLambdaRequestAnyMethodPermissionProd": { + "Type": "AWS::Lambda::Permission", "Properties": { - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-request", { - "Action": [ - "sts:AssumeRole" - ], - "Effect": "Allow", - "Principal": { - "Service": [ - "lambda.amazonaws.com" - ] + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithLambdaRequestAuth" } } ] - }, - "ManagedPolicyArns": [ - "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], - "Tags": [ - { - "Key": "lambda:createdBy", - "Value": "SAM" - } - ] - } - }, - "MyFn": { - "Type": "AWS::Lambda::Function", - "Properties": { - "Code": { - "S3Bucket": "bucket", - "S3Key": "key" - }, - "Handler": "index.handler", - "Role": { - "Fn::GetAtt": [ - "MyFnRole", - "Arn" - ] - }, - "Runtime": "nodejs12.x", - "Tags": [ - { - "Key": "lambda:createdBy", - "Value": "SAM" - } - ] + } } }, "MyFnRole": { 
@@ -121,242 +282,61 @@ ], "Tags": [ { - "Key": "lambda:createdBy", - "Value": "SAM" + "Value": "SAM", + "Key": "lambda:createdBy" } ] } }, - "MyFnCognitoAnyMethodPermissionProd": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFn" - }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/cognito", - { - "__ApiId__": { - "Ref": "MyApiWithCognitoAuth" - }, - "__Stage__": "*" - } - ] - } - } - }, - "MyFnLambdaRequestAnyMethodPermissionProd": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFn" - }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-request", - { - "__ApiId__": { - "Ref": "MyApiWithLambdaRequestAuth" - }, - "__Stage__": "*" - } - ] - } - } - }, - "MyFnLambdaTokenAnyMethodPermissionProd": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFn" - }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-token", - { - "__ApiId__": { - "Ref": "MyApiWithLambdaTokenAuth" - }, - "__Stage__": "*" - } - ] - } - } - }, "MyFnCognitoPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFn" }, - "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognito", { + "__Stage__": "*", "__ApiId__": { "Ref": "MyApiWithCognitoAuth" - }, - "__Stage__": "*" - } - ] - } - } - }, - 
"MyFnLambdaRequestPermissionProd": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFn" - }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-request", - { - "__ApiId__": { - "Ref": "MyApiWithLambdaRequestAuth" - }, - "__Stage__": "*" - } - ] - } - } - }, - "MyFnLambdaTokenPermissionProd": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFn" - }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-token", - { - "__ApiId__": { - "Ref": "MyApiWithLambdaTokenAuth" - }, - "__Stage__": "*" - } - ] - } - } - }, - "MyApiWithCognitoAuth": { - "Type": "AWS::ApiGateway::RestApi", - "Properties": { - "Body": { - "swagger": "2.0", - "info": { - "version": "1.0", - "title": { - "Ref": "AWS::StackName" - } - }, - "paths": { - "/cognito": { - "get": { - "x-amazon-apigateway-integration": { - "type": "aws_proxy", - "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "MyCognitoAuth": [] - } - ] - } - }, - "/any/cognito": { - "x-amazon-apigateway-any-method": { - "x-amazon-apigateway-integration": { - "type": "aws_proxy", - "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "MyCognitoAuth": [] - } - ] } } - }, - "securityDefinitions": { - "MyCognitoAuth": { - "type": "apiKey", - "name": "Authorization", - "in": "header", - "x-amazon-apigateway-authtype": "cognito_user_pools", - "x-amazon-apigateway-authorizer": { - 
"type": "cognito_user_pools", - "providerARNs": [ - { - "Fn::GetAtt": [ - "MyUserPool", - "Arn" - ] - } - ] - } - } - } - }, - "Parameters": { - "endpointConfigurationTypes": "REGIONAL" - }, - "EndpointConfiguration": { - "Types": [ - "REGIONAL" ] } } }, - "MyApiWithCognitoAuthDeployment5d6fbaaea5": { - "Type": "AWS::ApiGateway::Deployment", + "MyApiWithCognitoAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", "Properties": { - "Description": "RestApi deployment id: 5d6fbaaea5286fd32d64239db8b7f2247cb3f2b5", + "DeploymentId": { + "Ref": "MyApiWithCognitoAuthDeployment5d6fbaaea5" + }, "RestApiId": { "Ref": "MyApiWithCognitoAuth" }, - "StageName": "Stage" + "StageName": "Prod" } }, - "MyApiWithCognitoAuthProdStage": { + "MyApiWithNotCachedLambdaRequestAuthProdStage": { "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithCognitoAuthDeployment5d6fbaaea5" + "Ref": "MyApiWithNotCachedLambdaRequestAuthDeployment234e92eab4" }, "RestApiId": { - "Ref": "MyApiWithCognitoAuth" + "Ref": "MyApiWithNotCachedLambdaRequestAuth" }, "StageName": "Prod" } }, - "MyApiWithLambdaTokenAuth": { + "MyApiWithNotCachedLambdaRequestAuth": { "Type": "AWS::ApiGateway::RestApi", "Properties": { "Body": { - "swagger": "2.0", "info": { "version": "1.0", "title": { 
@@ -364,49 +344,33 @@ } }, "paths": { - "/lambda-token": { + "/not-cached-lambda-request": { "get": { "x-amazon-apigateway-integration": { - "type": "aws_proxy", "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "MyLambdaTokenAuth": [] - } - ] - } - }, - "/any/lambda-token": { - "x-amazon-apigateway-any-method": { - "x-amazon-apigateway-integration": { "type": "aws_proxy", - "httpMethod": "POST", "uri": { "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" } }, - "responses": {}, "security": [ { - "MyLambdaTokenAuth": [] + "MyLambdaRequestAuth": [] } - ] + ], + "responses": {} } } }, + "swagger": "2.0", "securityDefinitions": { - "MyLambdaTokenAuth": { - "type": "apiKey", - "name": "Authorization", + "MyLambdaRequestAuth": { "in": "header", - "x-amazon-apigateway-authtype": "custom", + "type": "apiKey", + "name": "Unused", "x-amazon-apigateway-authorizer": { - "type": "token", + "type": "request", + "authorizerResultTtlInSeconds": 0, "authorizerUri": { "Fn::Sub": [ "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", 
@@ -420,57 +384,109 @@ } ] } - } + }, + "x-amazon-apigateway-authtype": "custom" } } }, - "Parameters": { - "endpointConfigurationTypes": "REGIONAL" - }, "EndpointConfiguration": { "Types": [ "REGIONAL" ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" } } }, "MyApiWithLambdaTokenAuthDeployment79a03805ba": { "Type": "AWS::ApiGateway::Deployment", "Properties": { - "Description": "RestApi deployment id: 79a03805ba3abc1f005e1282f19bb79af68b4f96", "RestApiId": { "Ref": "MyApiWithLambdaTokenAuth" }, + "Description": "RestApi deployment id: 79a03805ba3abc1f005e1282f19bb79af68b4f96", "StageName": "Stage" } }, - "MyApiWithLambdaTokenAuthProdStage": { - "Type": "AWS::ApiGateway::Stage", + "MyFnLambdaTokenAnyMethodPermissionProd": { + "Type": "AWS::Lambda::Permission", "Properties": { - "DeploymentId": { - "Ref": "MyApiWithLambdaTokenAuthDeployment79a03805ba" + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" }, - "RestApiId": { - "Ref": "MyApiWithLambdaTokenAuth" + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-token", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithLambdaTokenAuth" + } + } + ] + } + } + }, + "MyFnCognitoAnyMethodPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" }, - "StageName": "Prod" + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/cognito", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } } }, - "MyApiWithLambdaTokenAuthMyLambdaTokenAuthAuthorizerPermission": { + "MyApiWithLambdaRequestAuthMyLambdaRequestAuthAuthorizerPermission": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", + 
"Principal": "apigateway.amazonaws.com", "FunctionName": { "Fn::GetAtt": [ "MyAuthFn", "Arn" ] }, - "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { + "__ApiId__": { + "Ref": "MyApiWithLambdaRequestAuth" + } + } + ] + } + } + }, + "MyFnLambdaTokenPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-token", + { + "__Stage__": "*", "__ApiId__": { "Ref": "MyApiWithLambdaTokenAuth" } @@ -479,11 +495,31 @@ } } }, - "MyApiWithLambdaRequestAuth": { + "MyFnLambdaRequestPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-request", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithLambdaRequestAuth" + } + } + ] + } + } + }, + "MyApiWithLambdaTokenAuth": { "Type": "AWS::ApiGateway::RestApi", "Properties": { "Body": { - "swagger": "2.0", "info": { "version": "1.0", "title": { 
@@ -491,49 +527,49 @@ } }, "paths": { - "/lambda-request": { + "/lambda-token": { "get": { "x-amazon-apigateway-integration": { - "type": "aws_proxy", "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" } }, - "responses": {}, "security": [ { - "MyLambdaRequestAuth": [] + "MyLambdaTokenAuth": [] } - ] + ], + "responses": {} } }, - "/any/lambda-request": { + "/any/lambda-token": { "x-amazon-apigateway-any-method": { "x-amazon-apigateway-integration": { - "type": "aws_proxy", "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" } }, - "responses": {}, "security": [ { - "MyLambdaRequestAuth": [] + "MyLambdaTokenAuth": [] } - ] + ], + "responses": {} } } }, + "swagger": "2.0", "securityDefinitions": { - "MyLambdaRequestAuth": { - "type": "apiKey", - "name": "Unused", + "MyLambdaTokenAuth": { "in": "header", - "x-amazon-apigateway-authtype": "custom", + "type": "apiKey", + "name": "Authorization", "x-amazon-apigateway-authorizer": { - "type": "request", + "type": "token", "authorizerUri": { "Fn::Sub": [ "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", 
@@ -546,30 +582,20 @@ } } ] - }, - "identitySource": "method.request.header.Authorization1" - } + } + }, + "x-amazon-apigateway-authtype": "custom" } } }, - "Parameters": { - "endpointConfigurationTypes": "REGIONAL" - }, "EndpointConfiguration": { "Types": [ "REGIONAL" ] - } - } - }, - "MyApiWithLambdaRequestAuthDeployment12aa7114ad": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "Description": "RestApi deployment id: 12aa7114ad8cd8aaeffd832e49f6f8aa8b6c2062", - "RestApiId": { - "Ref": "MyApiWithLambdaRequestAuth" }, - "StageName": "Stage" + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } } }, "MyApiWithLambdaRequestAuthProdStage": { 
@@ -584,28 +610,134 @@ "StageName": "Prod" } }, - "MyApiWithLambdaRequestAuthMyLambdaRequestAuthAuthorizerPermission": { + "MyApiWithNotCachedLambdaRequestAuthMyLambdaRequestAuthAuthorizerPermission": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Fn::GetAtt": [ "MyAuthFn", "Arn" ] }, - "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { - "Ref": "MyApiWithLambdaRequestAuth" + "Ref": "MyApiWithNotCachedLambdaRequestAuth" + } + } + ] + } + } + }, + "MyFnLambdaNotCachedRequestPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/not-cached-lambda-request", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithNotCachedLambdaRequestAuth" } } ] } } + }, + "MyApiWithLambdaRequestAuthDeployment12aa7114ad": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithLambdaRequestAuth" + }, + "Description": "RestApi deployment id: 12aa7114ad8cd8aaeffd832e49f6f8aa8b6c2062", + "StageName": "Stage" + } + }, + "MyAuthFnRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + }, + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyApiWithLambdaTokenAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + 
"DeploymentId": { + "Ref": "MyApiWithLambdaTokenAuthDeployment79a03805ba" + }, + "RestApiId": { + "Ref": "MyApiWithLambdaTokenAuth" + }, + "StageName": "Prod" + } + }, + "MyApiWithCognitoAuthDeployment5d6fbaaea5": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithCognitoAuth" + }, + "Description": "RestApi deployment id: 5d6fbaaea5286fd32d64239db8b7f2247cb3f2b5", + "StageName": "Stage" + } + }, + "MyFn": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFnRole", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } } } } \ No newline at end of file diff --git a/tests/translator/output/aws-cn/api_with_identity_intrinsic.json b/tests/translator/output/aws-cn/api_with_identity_intrinsic.json index 86c1058c9..84b61b86c 100644 --- a/tests/translator/output/aws-cn/api_with_identity_intrinsic.json +++ b/tests/translator/output/aws-cn/api_with_identity_intrinsic.json @@ -8,7 +8,6 @@ "Type": "AWS::ApiGateway::RestApi", "Properties": { "Body": { - "swagger": "2.0", "info": { "version": "1.0", "title": { @@ -16,22 +15,14 @@ } }, "paths": {}, + "swagger": "2.0", "securityDefinitions": { "SomeAuthorizer": { + "in": "header", "type": "apiKey", "name": "Unused", - "in": "header", - "x-amazon-apigateway-authtype": "custom", "x-amazon-apigateway-authorizer": { "type": "request", - "authorizerUri": { - "Fn::Sub": [ - "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", - { - "__FunctionArn__": "SomeArn" - } - ] - }, "authorizerResultTtlInSeconds": { "Fn::If": [ "isProd", 
@@ -39,49 +30,36 @@ 0 ] }, - "identitySource": "method.request.header.Accept" - } + "identitySource": "method.request.header.Accept", + "authorizerUri": { + "Fn::Sub": [ + "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + { + "__FunctionArn__": "SomeArn" + } + ] + } + }, + "x-amazon-apigateway-authtype": "custom" } } }, - "Parameters": { - "endpointConfigurationTypes": "REGIONAL" - }, "EndpointConfiguration": { "Types": [ "REGIONAL" ] - } - } - }, - "APIGatewayDeploymenta268f45fbc": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "Description": "RestApi deployment id: a268f45fbc6c09ab30f64915bd9ebfc4088f93e1", - "RestApiId": { - "Ref": "APIGateway" - }, - "StageName": "Stage" - } - }, - "APIGatewayProdStage": { - "Type": "AWS::ApiGateway::Stage", - "Properties": { - "DeploymentId": { - "Ref": "APIGatewayDeploymenta268f45fbc" }, - "RestApiId": { - "Ref": "APIGateway" - }, - "StageName": "Prod" + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } } }, "APIGatewaySomeAuthorizerAuthorizerPermission": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", - "FunctionName": "SomeArn", "Principal": "apigateway.amazonaws.com", + "FunctionName": "SomeArn", "SourceArn": { "Fn::Sub": [ "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", @@ -93,6 +71,28 @@ ] } } + }, + "APIGatewayProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "APIGatewayDeployment2621a8c79f" + }, + "RestApiId": { + "Ref": "APIGateway" + }, + "StageName": "Prod" + } + }, + "APIGatewayDeployment2621a8c79f": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "APIGateway" + }, + "Description": "RestApi deployment id: 2621a8c79f8f26195374aad642039f511d020a75", + "StageName": "Stage" + } } } } \ No newline at end of file 
diff --git a/tests/translator/output/aws-us-gov/api_with_auth_all_minimum.json b/tests/translator/output/aws-us-gov/api_with_auth_all_minimum.json
index 9cc7479c5..16b4cfc02 100644
--- a/tests/translator/output/aws-us-gov/api_with_auth_all_minimum.json
+++ b/tests/translator/output/aws-us-gov/api_with_auth_all_minimum.json
@@ -1,733 +1,743 @@ { "Resources": { - "MyFunction": { - "Type": "AWS::Lambda::Function", + "MyApiWithCognitoAuth": { + "Type": "AWS::ApiGateway::RestApi", "Properties": { - "Code": { - "S3Bucket": "sam-demo-bucket", - "S3Key": "thumbnails.zip" + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/cognito": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuth": [] + } + ], + "responses": {} + } + }, + "/any/cognito": { + "x-amazon-apigateway-any-method": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuth": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "MyCognitoAuth": { + "in": "header", + "type": "apiKey", + "name": "Authorization", + "x-amazon-apigateway-authorizer": { + "providerARNs": [ + { + "Fn::GetAtt": [ + "MyUserPool", + "Arn" + ] + } + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + } + } }, - "Handler": "index.handler", - "Role": { - "Fn::GetAtt": [ - "MyFunctionRole", - "Arn" + "EndpointConfiguration": { + "Types": [ + "REGIONAL" ] }, - "Runtime": "nodejs12.x", - "Tags": [ - { - "Key": "lambda:createdBy", - "Value": "SAM" - } - ] + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } } }, - "MyFunctionRole": { - "Type": "AWS::IAM::Role", + "MyApiWithLambdaRequestAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", "Properties": { - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "sts:AssumeRole" - ], - "Effect": "Allow", - "Principal": 
{ - "Service": [ - "lambda.amazonaws.com" - ] - } - } - ] + "DeploymentId": { + "Ref": "MyApiWithLambdaRequestAuthDeployment468dce6129" }, - "ManagedPolicyArns": [ - "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], - "Tags": [ - { - "Key": "lambda:createdBy", - "Value": "SAM" - } - ] + "RestApiId": { + "Ref": "MyApiWithLambdaRequestAuth" + }, + "StageName": "Prod" } }, - "MyFunctionWithNoAuthorizerPermissionProd": { + "MyApiWithLambdaTokenAuthMyLambdaTokenAuthAuthorizerPermission": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { - "Ref": "MyFunction" + "Fn::GetAtt": [ + "MyAuthFn", + "Arn" + ] }, - "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { - "Ref": "MyApi" - }, - "__Stage__": "*" + "Ref": "MyApiWithLambdaTokenAuth" + } } ] } } }, - "MyFunctionWithCognitoMultipleUserPoolsAuthorizerAnyMethodPermissionProd": { - "Type": "AWS::Lambda::Permission", + "MyApiWithLambdaRequestAuth": { + "Type": "AWS::ApiGateway::RestApi", "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFunction" - }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/cognitomultiple", - { - "__ApiId__": { - "Ref": "MyApi" + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/any/lambda-request": { + "x-amazon-apigateway-any-method": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + 
} + }, + "security": [ + { + "MyLambdaRequestAuth": [] + } + ], + "responses": {} + } + }, + "/lambda-request": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyLambdaRequestAuth": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "MyLambdaRequestAuth": { + "in": "header", + "type": "apiKey", + "name": "Unused", + "x-amazon-apigateway-authorizer": { + "type": "request", + "identitySource": "method.request.header.Authorization1", + "authorizerUri": { + "Fn::Sub": [ + "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + { + "__FunctionArn__": { + "Fn::GetAtt": [ + "MyAuthFn", + "Arn" + ] + } + } + ] + } }, - "__Stage__": "*" + "x-amazon-apigateway-authtype": "custom" } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" } } }, - "MyFunctionWithDefaultAuthorizerAnyMethodPermissionProd": { - "Type": "AWS::Lambda::Permission", + "MyApiWithCognitoAuthDeployment492f1347b1": { + "Type": "AWS::ApiGateway::Deployment", "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFunction" + "RestApiId": { + "Ref": "MyApiWithCognitoAuth" }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/default", - { - "__ApiId__": { - "Ref": "MyApi" - }, - "__Stage__": "*" - } - ] - } + "Description": "RestApi deployment id: 492f1347b1194457232f0e99ced4a86954fdeec9", + "StageName": "Stage" } }, - "MyFunctionWithLambdaRequestAuthorizerAnyMethodPermissionProd": { - "Type": "AWS::Lambda::Permission", + "MyUserPool": { + "Type": "AWS::Cognito::UserPool", "Properties": { - 
"Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFunction" + "UsernameAttributes": [ + "email" + ], + "UserPoolName": "UserPoolName", + "Policies": { + "PasswordPolicy": { + "MinimumLength": 8 + } }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambdarequest", - { - "__ApiId__": { - "Ref": "MyApi" - }, - "__Stage__": "*" - } - ] - } + "Schema": [ + { + "AttributeDataType": "String", + "Required": false, + "Name": "email" + } + ] } }, - "MyFunctionWithLambdaTokenAuthorizerAnyMethodPermissionProd": { - "Type": "AWS::Lambda::Permission", + "MyAuthFn": { + "Type": "AWS::Lambda::Function", "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFunction" + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambdatoken", - { - "__ApiId__": { - "Ref": "MyApi" - }, - "__Stage__": "*" - } + "Role": { + "Fn::GetAtt": [ + "MyAuthFnRole", + "Arn" ] - } + }, + "Runtime": "nodejs12.x", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] } }, - "MyFunctionWithLambdaTokenNoneAuthorizerAnyMethodPermissionProd": { + "MyFnLambdaRequestAnyMethodPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { - "Ref": "MyFunction" + "Ref": "MyFn" }, - "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambdatokennone", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-request", { + "__Stage__": "*", "__ApiId__": { - "Ref": "MyApi" - }, - 
"__Stage__": "*" + "Ref": "MyApiWithLambdaRequestAuth" + } } ] } } }, - "MyFunctionWithNoAuthorizerAnyMethodPermissionProd": { - "Type": "AWS::Lambda::Permission", + "MyApiWithNotCachedLambdaRequestAuthDeploymentd3b8858811": { + "Type": "AWS::ApiGateway::Deployment", "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFunction" + "RestApiId": { + "Ref": "MyApiWithNotCachedLambdaRequestAuth" }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/noauth", + "Description": "RestApi deployment id: d3b8858811d6c42be45490ba4d1ca059821cf4fd", + "StageName": "Stage" + } + }, + "MyFnRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ { - "__ApiId__": { - "Ref": "MyApi" - }, - "__Stage__": "*" + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } } ] - } + }, + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] } }, - "MyFunctionWithCognitoMultipleUserPoolsAuthorizerPermissionProd": { + "MyFnCognitoPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { - "Ref": "MyFunction" + "Ref": "MyFn" }, - "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognito", { + "__Stage__": "*", "__ApiId__": { - "Ref": "MyApi" - }, - "__Stage__": "*" + "Ref": "MyApiWithCognitoAuth" + } } ] } } }, - "MyFunctionWithLambdaTokenAuthorizerPermissionProd": { - "Type": 
"AWS::Lambda::Permission", + "MyApiWithLambdaTokenAuthDeployment5f3dce4e5c": { + "Type": "AWS::ApiGateway::Deployment", "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFunction" + "RestApiId": { + "Ref": "MyApiWithLambdaTokenAuth" }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/users", - { - "__ApiId__": { - "Ref": "MyApi" - }, - "__Stage__": "*" - } - ] - } + "Description": "RestApi deployment id: 5f3dce4e5c196ff885a155dd8cc0ffeebd5b93b1", + "StageName": "Stage" } }, - "MyFunctionWithLambdaTokenNoneAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "MyApiWithCognitoAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFunction" + "DeploymentId": { + "Ref": "MyApiWithCognitoAuthDeployment492f1347b1" }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", - { - "__ApiId__": { - "Ref": "MyApi" + "RestApiId": { + "Ref": "MyApiWithCognitoAuth" + }, + "StageName": "Prod" + } + }, + "MyApiWithNotCachedLambdaRequestAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithNotCachedLambdaRequestAuthDeploymentd3b8858811" + }, + "RestApiId": { + "Ref": "MyApiWithNotCachedLambdaRequestAuth" + }, + "StageName": "Prod" + } + }, + "MyApiWithNotCachedLambdaRequestAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/not-cached-lambda-request": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": 
"arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyLambdaRequestAuth": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "MyLambdaRequestAuth": { + "in": "header", + "type": "apiKey", + "name": "Unused", + "x-amazon-apigateway-authorizer": { + "type": "request", + "authorizerResultTtlInSeconds": 0, + "authorizerUri": { + "Fn::Sub": [ + "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + { + "__FunctionArn__": { + "Fn::GetAtt": [ + "MyAuthFn", + "Arn" + ] + } + } + ] + } }, - "__Stage__": "*" + "x-amazon-apigateway-authtype": "custom" } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" } } }, - "MyFunctionWithLambdaRequestAuthorizerPermissionProd": { + "MyFnLambdaTokenAnyMethodPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { - "Ref": "MyFunction" + "Ref": "MyFn" }, - "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-token", { + "__Stage__": "*", "__ApiId__": { - "Ref": "MyApi" - }, - "__Stage__": "*" + "Ref": "MyApiWithLambdaTokenAuth" + } } ] } } }, - "MyFunctionWithDefaultAuthorizerPermissionProd": { + "MyFnCognitoAnyMethodPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { - "Ref": "MyFunction" + "Ref": "MyFn" }, - "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ - 
"arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/cognito", { + "__Stage__": "*", "__ApiId__": { - "Ref": "MyApi" - }, - "__Stage__": "*" + "Ref": "MyApiWithCognitoAuth" + } } ] } } }, - "MyApi": { - "Type": "AWS::ApiGateway::RestApi", - "Properties": { - "Body": { - "swagger": "2.0", - "info": { - "version": "1.0", - "title": { - "Ref": "AWS::StackName" - } - }, - "paths": { - "/": { - "get": { - "x-amazon-apigateway-integration": { - "type": "aws_proxy", - "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "NONE": [] - }, - { - "api_key": [] - } - ] - } - }, - "/any/noauth": { - "x-amazon-apigateway-any-method": { - "x-amazon-apigateway-integration": { - "type": "aws_proxy", - "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "NONE": [] - }, - { - "api_key": [] - } - ] - } - }, - "/users": { - "post": { - "x-amazon-apigateway-integration": { - "type": "aws_proxy", - "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "MyCognitoAuthMultipleUserPools": [] - }, - { - "api_key": [] - } - ] - }, - "get": { - "x-amazon-apigateway-integration": { - "type": "aws_proxy", - "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "MyLambdaTokenAuth": [] - }, - { - "api_key": [] - } - ] - }, - "patch": { - "x-amazon-apigateway-integration": { - 
"type": "aws_proxy", - "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "MyLambdaTokenAuthNoneFunctionInvokeRole": [] - }, - { - "api_key": [] - } - ] - }, - "delete": { - "x-amazon-apigateway-integration": { - "type": "aws_proxy", - "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "MyLambdaRequestAuth": [] - }, - { - "api_key": [] - } - ] - }, - "put": { - "x-amazon-apigateway-integration": { - "type": "aws_proxy", - "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "MyCognitoAuth": [] - }, - { - "api_key": [] - } - ] + "MyApiWithLambdaRequestAuthMyLambdaRequestAuthAuthorizerPermission": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Fn::GetAtt": [ + "MyAuthFn", + "Arn" + ] + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + { + "__ApiId__": { + "Ref": "MyApiWithLambdaRequestAuth" } - }, - "/any/cognitomultiple": { - "x-amazon-apigateway-any-method": { - "x-amazon-apigateway-integration": { - "type": "aws_proxy", - "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "MyCognitoAuthMultipleUserPools": [] - }, - { - "api_key": [] - } - ] + } + ] + } + } + }, + "MyFnLambdaTokenPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": 
"lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-token", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithLambdaTokenAuth" } - }, - "/any/lambdatoken": { - "x-amazon-apigateway-any-method": { - "x-amazon-apigateway-integration": { - "type": "aws_proxy", - "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "MyLambdaTokenAuth": [] - }, - { - "api_key": [] - } - ] + } + ] + } + } + }, + "MyFnLambdaRequestPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-request", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithLambdaRequestAuth" } - }, - "/any/lambdatokennone": { - "x-amazon-apigateway-any-method": { + } + ] + } + } + }, + "MyApiWithLambdaTokenAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/lambda-token": { + "get": { "x-amazon-apigateway-integration": { - "type": "aws_proxy", "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "MyLambdaTokenAuthNoneFunctionInvokeRole": [] - }, - { - "api_key": [] - } - ] - } - }, - "/any/lambdarequest": { - "x-amazon-apigateway-any-method": { - "x-amazon-apigateway-integration": { "type": "aws_proxy", - "httpMethod": "POST", "uri": 
{ - "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" } }, - "responses": {}, "security": [ { - "MyLambdaRequestAuth": [] - }, - { - "api_key": [] + "MyLambdaTokenAuth": [] } - ] + ], + "responses": {} } }, - "/any/default": { + "/any/lambda-token": { "x-amazon-apigateway-any-method": { "x-amazon-apigateway-integration": { - "type": "aws_proxy", "httpMethod": "POST", + "type": "aws_proxy", "uri": { - "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" } }, - "responses": {}, "security": [ { - "MyCognitoAuth": [] - }, - { - "api_key": [] + "MyLambdaTokenAuth": [] } - ] + ], + "responses": {} } } }, + "swagger": "2.0", "securityDefinitions": { - "MyCognitoAuth": { - "type": "apiKey", - "name": "MyAuthorizationHeader", - "in": "header", - "x-amazon-apigateway-authtype": "cognito_user_pools", - "x-amazon-apigateway-authorizer": { - "type": "cognito_user_pools", - "providerARNs": [ - "arn:aws:1" - ], - "identityValidationExpression": "myauthvalidationexpression" - } - }, - "MyCognitoAuthMultipleUserPools": { - "type": "apiKey", - "name": "MyAuthorizationHeader2", - "in": "header", - "x-amazon-apigateway-authtype": "cognito_user_pools", - "x-amazon-apigateway-authorizer": { - "type": "cognito_user_pools", - "providerARNs": [ - "arn:aws:2", - "arn:aws:3" - ], - "identityValidationExpression": "myauthvalidationexpression2" - } - }, "MyLambdaTokenAuth": { - "type": "apiKey", - "name": "MyCustomAuthHeader", "in": "header", - "x-amazon-apigateway-authtype": "custom", - "x-amazon-apigateway-authorizer": { - "type": "token", - "authorizerUri": { - "Fn::Sub": [ - 
"arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", - { - "__FunctionArn__": "arn:aws" - } - ] - }, - "authorizerResultTtlInSeconds": 20, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", - "identityValidationExpression": "mycustomauthexpression" - } - }, - "MyLambdaTokenAuthNoneFunctionInvokeRole": { "type": "apiKey", "name": "Authorization", - "in": "header", - "x-amazon-apigateway-authtype": "custom", "x-amazon-apigateway-authorizer": { "type": "token", "authorizerUri": { "Fn::Sub": [ "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { - "__FunctionArn__": "arn:aws" + "__FunctionArn__": { + "Fn::GetAtt": [ + "MyAuthFn", + "Arn" + ] + } } ] - }, - "authorizerResultTtlInSeconds": 0 - } - }, - "MyLambdaRequestAuth": { - "type": "apiKey", - "name": "Unused", - "in": "header", - "x-amazon-apigateway-authtype": "custom", - "x-amazon-apigateway-authorizer": { - "type": "request", - "authorizerUri": { - "Fn::Sub": [ - "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", - { - "__FunctionArn__": "arn:aws" - } - ] - }, - "authorizerResultTtlInSeconds": 0, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", - "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4" - } - }, - "api_key": { - "type": "apiKey", - "name": "x-api-key", - "in": "header" + } + }, + "x-amazon-apigateway-authtype": "custom" } } }, - "Parameters": { - "endpointConfigurationTypes": "REGIONAL" - }, "EndpointConfiguration": { "Types": [ "REGIONAL" ] - } - } - }, - "MyApiDeployment275e8e0d8c": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "Description": "RestApi deployment id: 275e8e0d8cf3a111a995e674cad920e51ff02de7", - "RestApiId": { - "Ref": "MyApi" - }, - "StageName": "Stage" - } - 
}, - "MyApiProdStage": { - "Type": "AWS::ApiGateway::Stage", - "Properties": { - "DeploymentId": { - "Ref": "MyApiDeployment275e8e0d8c" - }, - "RestApiId": { - "Ref": "MyApi" }, - "StageName": "Prod" + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } } }, - "MyApiMyLambdaTokenAuthAuthorizerPermission": { + "MyApiWithNotCachedLambdaRequestAuthMyLambdaRequestAuthAuthorizerPermission": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", - "FunctionName": "arn:aws", "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Fn::GetAtt": [ + "MyAuthFn", + "Arn" + ] + }, "SourceArn": { "Fn::Sub": [ "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { - "Ref": "MyApi" + "Ref": "MyApiWithNotCachedLambdaRequestAuth" } } ] } } }, - "MyApiMyLambdaTokenAuthNoneFunctionInvokeRoleAuthorizerPermission": { + "MyFnLambdaNotCachedRequestPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", - "FunctionName": "arn:aws", "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/not-cached-lambda-request", { + "__Stage__": "*", "__ApiId__": { - "Ref": "MyApi" + "Ref": "MyApiWithNotCachedLambdaRequestAuth" } } ] } } }, - "MyApiMyLambdaRequestAuthAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "MyApiWithLambdaRequestAuthDeployment468dce6129": { + "Type": "AWS::ApiGateway::Deployment", "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": "arn:aws", - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "RestApiId": { + "Ref": "MyApiWithLambdaRequestAuth" 
+ }, + "Description": "RestApi deployment id: 468dce61296ac92bf536be6fc55751d9553dbc4b", + "StageName": "Stage" + } + }, + "MyAuthFnRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ { - "__ApiId__": { - "Ref": "MyApi" + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] } } ] - } + }, + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyApiWithLambdaTokenAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithLambdaTokenAuthDeployment5f3dce4e5c" + }, + "RestApiId": { + "Ref": "MyApiWithLambdaTokenAuth" + }, + "StageName": "Prod" + } + }, + "MyFn": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFnRole", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] } } } -} \ No newline at end of file +} diff --git a/tests/translator/output/aws-us-gov/api_with_identity_intrinsic.json b/tests/translator/output/aws-us-gov/api_with_identity_intrinsic.json index d33424323..098ebbf10 100644 --- a/tests/translator/output/aws-us-gov/api_with_identity_intrinsic.json +++ b/tests/translator/output/aws-us-gov/api_with_identity_intrinsic.json @@ -8,7 +8,6 @@ "Type": "AWS::ApiGateway::RestApi", "Properties": { "Body": { - "swagger": "2.0", "info": { "version": "1.0", "title": { 
@@ -16,22 +15,14 @@ } }, "paths": {}, + "swagger": "2.0", "securityDefinitions": { "SomeAuthorizer": { + "in": "header", "type": "apiKey", "name": "Unused", - "in": "header", - "x-amazon-apigateway-authtype": "custom", "x-amazon-apigateway-authorizer": { "type": "request", - "authorizerUri": { - "Fn::Sub": [ - "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", - { - "__FunctionArn__": "SomeArn" - } - ] - }, "authorizerResultTtlInSeconds": { "Fn::If": [ "isProd", 
@@ -39,49 +30,46 @@ 0 ] }, - "identitySource": "method.request.header.Accept" - } + "identitySource": "method.request.header.Accept", + "authorizerUri": { + "Fn::Sub": [ + "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + { + "__FunctionArn__": "SomeArn" + } + ] + } + }, + "x-amazon-apigateway-authtype": "custom" } } }, - "Parameters": { - "endpointConfigurationTypes": "REGIONAL" - }, "EndpointConfiguration": { "Types": [ "REGIONAL" ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" } } }, - "APIGatewayDeployment6a5b3a7036": { + "APIGatewayDeploymentbbcece046c": { "Type": "AWS::ApiGateway::Deployment", "Properties": { - "Description": "RestApi deployment id: 6a5b3a7036e3315b4572de9f418d31c49d52786d", "RestApiId": { "Ref": "APIGateway" }, + "Description": "RestApi deployment id: bbcece046c6ecd35f10c6ba88cf762d87ef35e8a", "StageName": "Stage" } }, - "APIGatewayProdStage": { - "Type": "AWS::ApiGateway::Stage", - "Properties": { - "DeploymentId": { - "Ref": "APIGatewayDeployment6a5b3a7036" - }, - "RestApiId": { - "Ref": "APIGateway" - }, - "StageName": "Prod" - } - }, "APIGatewaySomeAuthorizerAuthorizerPermission": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", - "FunctionName": "SomeArn", "Principal": "apigateway.amazonaws.com", + "FunctionName": "SomeArn", "SourceArn": { "Fn::Sub": [ "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", @@ -93,6 +81,18 @@ ] } } + }, + "APIGatewayProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "APIGatewayDeploymentbbcece046c" + }, + "RestApiId": { + "Ref": "APIGateway" + }, + "StageName": "Prod" + } } } -} \ No newline at end of file +} From 87a0805c4eb675b94c175fb0c1228e3f0abb1010 Mon Sep 17 00:00:00 2001 
From: Jacob Fuss Date: Mon, 26 Jul 2021 16:22:55 -0500 Subject: [PATCH 4/6] Run make black --- samtranslator/model/apigateway.py | 2 +- tests/model/test_api.py | 47 ++++++++++++++++++++++--------- 2 files changed, 34 insertions(+), 15 deletions(-) diff --git a/samtranslator/model/apigateway.py b/samtranslator/model/apigateway.py index 5d2480bfb..1f9c0ac52 100644 --- a/samtranslator/model/apigateway.py +++ b/samtranslator/model/apigateway.py @@ -280,7 +280,7 @@ def _is_missing_identity_source(self, identity): except TypeError: # previous behavior before trying to read ttl if required_properties_missing: - return True + return True return False diff --git a/tests/model/test_api.py b/tests/model/test_api.py index e2a08aea7..f01f26bcb 100644 --- a/tests/model/test_api.py +++ b/tests/model/test_api.py @@ -14,9 +14,7 @@ def test_create_oauth2_auth(self): def test_create_authorizer_fails_with_string_authorization_scopes(self): with pytest.raises(InvalidResourceException): - ApiGatewayAuthorizer( - api_logical_id="logicalId", name="authName", authorization_scopes="invalid_scope" - ) + ApiGatewayAuthorizer(api_logical_id="logicalId", name="authName", authorization_scopes="invalid_scope") def test_create_authorizer_fails_with_missing_identity_values_and_not_cached(self): with pytest.raises(InvalidResourceException): 
@@ -50,50 +48,71 @@ def test_create_authorizer_fails_with_empty_identity(self): def test_create_authorizer_with_non_integer_identity(self): auth = ApiGatewayAuthorizer( - api_logical_id="logicalId", name="authName", identity={"ReauthorizeEvery": [], "Headers": ["Accept"]}, function_payload_type="REQUEST" + api_logical_id="logicalId", + name="authName", + identity={"ReauthorizeEvery": [], "Headers": ["Accept"]}, + function_payload_type="REQUEST", ) self.assertIsNotNone(auth) def test_create_authorizer_with_identity_intrinsic_is_valid_with_headers(self): auth = ApiGatewayAuthorizer( - api_logical_id="logicalId", name="authName", identity={"ReauthorizeEvery": {"FN:If": ["isProd", 10, 0]}, "Headers": ["Accept"]}, function_payload_type="REQUEST" + api_logical_id="logicalId", + name="authName", + identity={"ReauthorizeEvery": {"FN:If": ["isProd", 10, 0]}, "Headers": ["Accept"]}, + function_payload_type="REQUEST", ) self.assertIsNotNone(auth) - def test_create_authorizer_with_identity_intrinsic_is_invalid_if_no_querystring_stagevariables_context_headers(self): + def test_create_authorizer_with_identity_intrinsic_is_invalid_if_no_querystring_stagevariables_context_headers( + self, + ): with pytest.raises(InvalidResourceException): ApiGatewayAuthorizer( - api_logical_id="logicalId", name="authName", identity={"ReauthorizeEvery": {"FN:If": ["isProd", 10, 0]}}, function_payload_type="REQUEST" + api_logical_id="logicalId", + name="authName", + identity={"ReauthorizeEvery": {"FN:If": ["isProd", 10, 0]}}, + function_payload_type="REQUEST", ) def test_create_authorizer_with_identity_intrinsic_is_valid_with_context(self): auth = ApiGatewayAuthorizer( - api_logical_id="logicalId", name="authName", identity={"ReauthorizeEvery": {"FN:If": ["isProd", 10, 0]}, "Context": ["Accept"]}, function_payload_type="REQUEST") + api_logical_id="logicalId", + name="authName", + identity={"ReauthorizeEvery": {"FN:If": ["isProd", 10, 0]}, "Context": ["Accept"]}, + function_payload_type="REQUEST", + 
) self.assertIsNotNone(auth) def test_create_authorizer_with_identity_intrinsic_is_valid_with_stage_variables(self): auth = ApiGatewayAuthorizer( - api_logical_id="logicalId", name="authName", + api_logical_id="logicalId", + name="authName", identity={"ReauthorizeEvery": {"FN:If": ["isProd", 10, 0]}, "StageVariables": ["Stage"]}, - function_payload_type="REQUEST") + function_payload_type="REQUEST", + ) self.assertIsNotNone(auth) def test_create_authorizer_with_identity_intrinsic_is_valid_with_query_strings(self): auth = ApiGatewayAuthorizer( - api_logical_id="logicalId", name="authName", + api_logical_id="logicalId", + name="authName", identity={"ReauthorizeEvery": {"FN:If": ["isProd", 10, 0]}, "QueryStrings": ["AQueryString"]}, - function_payload_type="REQUEST") + function_payload_type="REQUEST", + ) self.assertIsNotNone(auth) def test_create_authorizer_with_identity_ReauthorizeEvery_asNone_valid_with_query_strings(self): auth = ApiGatewayAuthorizer( - api_logical_id="logicalId", name="authName", + api_logical_id="logicalId", + name="authName", identity={"ReauthorizeEvery": None, "QueryStrings": ["AQueryString"]}, - function_payload_type="REQUEST") + function_payload_type="REQUEST", + ) self.assertIsNotNone(auth) From 5f29f93e5113ecb6a223396ca4cb0cba4bea76ee Mon Sep 17 00:00:00 2001 From: Jacob Fuss Date: Tue, 27 Jul 2021 10:08:14 -0500 Subject: [PATCH 5/6] Handle pr feedback --- samtranslator/model/apigateway.py | 12 +++--------- tests/model/test_api.py | 15 --------------- 2 files changed, 3 insertions(+), 24 deletions(-) diff --git a/samtranslator/model/apigateway.py b/samtranslator/model/apigateway.py index 1f9c0ac52..428ac1972 100644 --- a/samtranslator/model/apigateway.py +++ b/samtranslator/model/apigateway.py 
@@ -275,20 +275,14 @@ def _is_missing_identity_source(self, identity): required_properties_missing = not headers and not query_strings and not stage_variables and not context try: - int(ttl) + ttl_int = int(ttl) # this will catch if ttl is None and not convertable to an int except TypeError: # previous behavior before trying to read ttl - if required_properties_missing: - return True - - return False + return required_properties_missing # If we can resolve ttl, attempt to see if things are valid - if (ttl is None or int(ttl) > 0) and required_properties_missing: - return True - - return False + return ttl_int > 0 and required_properties_missing def generate_swagger(self): authorizer_type = self._get_type() diff --git a/tests/model/test_api.py b/tests/model/test_api.py index f01f26bcb..44c742815 100644 --- a/tests/model/test_api.py +++ b/tests/model/test_api.py @@ -31,21 +31,6 @@ def test_create_authorizer_fails_with_empty_identity(self): api_logical_id="logicalId", name="authName", identity={}, function_payload_type="REQUEST" ) - def test_create_authorizer_fails_with_missing_identity_values_and_not_cached(self): - with pytest.raises(InvalidResourceException): - ApiGatewayAuthorizer( - api_logical_id="logicalId", - name="authName", - identity={"ReauthorizeEvery": 10}, - function_payload_type="REQUEST", - ) - - def test_create_authorizer_fails_with_empty_identity(self): - with pytest.raises(InvalidResourceException): - ApiGatewayAuthorizer( - api_logical_id="logicalId", name="authName", identity={}, function_payload_type="REQUEST" - ) - def test_create_authorizer_with_non_integer_identity(self): auth = ApiGatewayAuthorizer( api_logical_id="logicalId", From d04a5885a505812aa0d6e6db9cf6247deee712f0 Mon Sep 17 00:00:00 2001 From: Jacob Fuss Date: Tue, 27 Jul 2021 10:24:22 -0500 Subject: [PATCH 6/6] Add another unit tests to cover the original issue --- tests/model/test_api.py | 10 ++++++++++ 1 file changed, 10 insertions(+) 
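Review bot: `except TypeError:` in `_is_missing_identity_source` does not cover a `ReauthorizeEvery` given as a non-numeric string: `int("5m")` raises `ValueError`, which as far as this hunk shows is not caught and would escape instead of falling back to `required_properties_missing`. Widening the handler to `except (TypeError, ValueError):` keeps the conservative fallback, so a TTL that cannot be parsed still requires an identity source. The tests visible in this series pass only `[]`, a dict and `None`, which all raise `TypeError`, so the string case would need a test of its own. The start of the function is outside the hunk.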
diff --git a/tests/model/test_api.py b/tests/model/test_api.py index 44c742815..708b83a5a 100644 --- a/tests/model/test_api.py +++ b/tests/model/test_api.py @@ -31,6 +31,16 @@ def test_create_authorizer_fails_with_empty_identity(self): api_logical_id="logicalId", name="authName", identity={}, function_payload_type="REQUEST" ) + def test_create_authorizer_doesnt_fail_with_identity_reauthorization_every_as_zero(self): + auth = ApiGatewayAuthorizer( + api_logical_id="logicalId", + name="authName", + identity={"ReauthorizeEvery": 0}, + function_payload_type="REQUEST", + ) + + self.assertIsNotNone(auth) + def test_create_authorizer_with_non_integer_identity(self): auth = ApiGatewayAuthorizer( api_logical_id="logicalId",
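Review bot: `self.assertIsNotNone(auth)` in `test_create_authorizer_doesnt_fail_with_identity_reauthorization_every_as_zero` cannot fail, because the constructor call either raises or returns an object, so the test only shows that no exception is thrown. A comment above the call such as `# TTL 0 disables caching, so a REQUEST authorizer needs no identity source and must not raise` would say what is being checked. If `generate_swagger()` can run with these arguments (not visible here), asserting that its authorizer entry has no `identitySource` key would pin the behaviour that the first patch in the series added.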