Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

apigateway: Can't override authorization_type on child resource if parent resource uses a custom authorizer #29658

Closed
kvncp opened this issue Mar 31, 2024 · 5 comments
Closed

apigateway: Can't override authorization_type on child resource if parent resource uses a custom authorizer #29658

kvncp opened this issue Mar 31, 2024 · 5 comments
Assignees
@tim-finnigan
Labels
@aws-cdk/aws-apigateway Related to Amazon API Gateway bug This issue is a bug. duplicate This issue is a duplicate.

Comments

@kvncp
Copy link

kvncp commented Mar 31, 2024
edited
Loading

Describe the bug

When setting the default authorization method on an API gateway resource to CUSTOM, the CDK logic prevents overriding this authorization on child resources to anything other than a Custom resource.

Attempts to override the authorizer type will fail with the message "Error: ApigwBugStack/api/Default/unauthenticated_endpoint/GET - Authorization type is set to NONE which is different from what is required by the authorizer [CUSTOM]"

Expected Behavior

It should be possible to override a child resource with a different authorization type.

Current Behavior

CDK failed with the error mentioned in the description.

Reproduction Steps

fake_lambda = aws_lambda.Function(
            self,
            "lambda",
            code=aws_lambda.Code.from_inline("..."),
            handler="handler",
            runtime=aws_lambda.Runtime.PYTHON_3_10,
        )

        api = aws_apigateway.RestApi(
            self,
            "api",
            default_method_options=aws_apigateway.MethodOptions(
                authorization_type=aws_apigateway.AuthorizationType.CUSTOM,
                authorizer=aws_apigateway.TokenAuthorizer(
                    self, "auth", handler=fake_lambda
                ),
            ),
        )

        # Works as expected, inherit authorization from api
        api.root.add_resource("authenticated_endpoint").add_method(
            "GET", integration=aws_apigateway.HttpIntegration("http://www.example.com")
        )

        noauth_method = api.root.add_resource("unauthenticated_endpoint").add_method(
            "GET",
            integration=aws_apigateway.HttpIntegration("http://www.example.com"),
            # This does not work, but should:
            # authorization_type=aws_apigateway.AuthorizationType.NONE,
        )
        # This workaround does work, showing this is a CDK problem, not a CF or API GW problem.
        noauth_method.node.default_child.add_property_override("AuthorizationType", "NONE")

This repro can be found here: https://github.com/kvncp/cdk-repro/blob/main/apigw-bug/apigw_bug/apigw_bug_stack.py

Possible Solution

When setting the authorization_type on a child resource, CDK should not fail if a custom authorizer was set on a parent resource.

Additional Information/Context

No response

CDK CLI Version

2.134

Framework Version

No response

Node.js Version

20.0.0

OS

OSX 12.2

Language

Python

Language Version

3.10

Other information

No response
@kvncp kvncp added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 31, 2024
@github-actions github-actions bot added the @aws-cdk/aws-apigateway Related to Amazon API Gateway label Mar 31, 2024
This was referenced Apr 1, 2024
Closed
Closed
Closed
@tim-finnigan tim-finnigan self-assigned this Apr 1, 2024
@tim-finnigan
Copy link

Thanks for reporting this issue. It looks like it may be a duplicate of #8827, can you confirm?

@tim-finnigan tim-finnigan added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Apr 1, 2024
@kcp-chewie kcp-chewie mentioned this issue Apr 2, 2024
Closed
@kcp-chewie
Copy link
Contributor

kcp-chewie commented Apr 2, 2024
edited
Loading

@tim-finnigan yep, looks like a duplicate to me!

Edit: I'm also kvncp - work vs personal accounts :)

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Apr 2, 2024
@tim-finnigan tim-finnigan added the duplicate This issue is a duplicate. label Apr 2, 2024
@tim-finnigan
Copy link

Thanks for confirming, I'll close this in favor of tracking the other issue.

@tim-finnigan tim-finnigan closed this as not planned Won't fix, can't repro, duplicate, stale Apr 2, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Apr 2, 2024

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@aws-cdk-automation
Copy link
Collaborator

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@tim-finnigan tim-finnigan

Labels
@aws-cdk/aws-apigateway Related to Amazon API Gateway bug This issue is a bug. duplicate This issue is a duplicate.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@kvncp @aws-cdk-automation @tim-finnigan @kcp-chewie