aws_apigatewayv2.CfnRoute: CDK doesn't detach authorizer properly

[m1n9o]

Describe the bug

I defined the router with authorizer like below and deployed it. Everything is fine, I could see the JWT authorizer attached on my route.

aws_apigatewayv2.CfnRoute(
    scope=self,
    id=f"Route{method}{path}",
    api_id=self.get_api_id(),
    route_key=f'{method} {path}',
    target=f'integrations/{integration.ref}',
    authorization_type=self.auth.type,
    authorizer_id=self.auth.auth_id
)

2. However, when I wanted to get rid of the authorizer and removed the parameters like below and deployed it once again. I could see there is no JWT authorizer attached to my route in the synthesized template, however, I could observe authorizer was still attached to the route on the AWS console, see screenshot below.

aws_apigatewayv2.CfnRoute(
    scope=self,
    id=f"Route{method}{path}",
    api_id=self.get_api_id(),
    route_key=f'{method} {path}',
    target=f'integrations/{integration.ref}'
)

When the deployment is run through the command line it actually detects that the route has a changed config and goes to update but then the update does nothing

Expected Behavior

CDK should be able to detach JWT authorizer.

Current Behavior

Even though we can see the correct changes in CFN, it can't detach the authorizer as expected.

Reproduction Steps

1. Invoke aws_apigatewayv2.CfnRoute to define route with the authorizer and deploy.
2. Invoke aws_apigatewayv2.CfnRoute to define route without authorizer on same route as above and deploy.
3. You will see authorizer is still attached on the route.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.20.0

Framework Version

No response

Node.js Version

v16.3.0

OS

MacOs

Language

Python

Language Version

3.10.4

Other information

No response

[tmokmss]

You have to explicitly set AuthorizationType: 'NONE' to detach an existing authorizer. That is how CloudFormation for apigatewayv2 works. You can also check L2 implementation:)

aws-cdk/packages/@aws-cdk/aws-apigatewayv2/lib/http/authorizer.ts

Lines 259 to 265 in 45e4e43

	export class HttpNoneAuthorizer implements IHttpRouteAuthorizer {
	public bind(_: HttpRouteAuthorizerBindOptions): HttpRouteAuthorizerConfig {
	return {
	authorizationType: 'NONE',
	};
	}
	}

[peterwoodworth]

Thanks @tmokmss, you're right!

@m1n9o, our L1 resources (prefixed with Cfn) are directly imported from Cfn and are identical to CloudFormation resources. So, this isn't something the CDK can do anything about. you'll have to explicitly set authorizer type to none as tmokmss mentioned

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[m1n9o]

Much appreciated! @tmokmss @peterwoodworth
It finally works after my few attempts.

1. Given that authorizer_id, and authorization_type of aws_apigatewayv2.CfnRoute is None by default, I first tried to remove these two params. And deployed it, JWT was still there, I need to detach it manually.
2. Then I explicitly set authorization_type = None, and it didn't detach it either.
3. Then I explicitly set authorization_type = 'NONE', and it did detach the authorizer.

[tmokmss]

@m1n9o Ah sorry for misleading suggestion! I'll fix my comment above 🙏

[m1n9o]

@m1n9o Ah sorry for misleading suggestion! I'll fix my comment above 🙏

No misleading at all, I just want to attach my attempts. 😄 Much appreciate your suggestion! 😉