fix(events): additional plaintext header are not set on eventbridge connection

[RaphaelManke]

Fixes: #21855

While creating a Eventbridge connection to make api calls to an external api one sometimes have to add additional header parameters like Content-Type = application/json
These additional headers can be either be a secret value or a plaintext value specified at deploy time.
The connection class provides a HttpParameter class that alows you to set a static/unsecure/plaintext value for a header key

const connection = new Connection(this, "connection", {
  authorization: Authorization.apiKey( "authorization", secret.secretValue),
  headerParameters: {
    "Content-Type": HttpParameter.fromString("application/json"),
  },
});

This should lead to api calls made with the connection have a Header present with key/value "Content-Type": "application/json",

The actual behavior was prior to this Fix that the header wasn't present in the api calls made with this connection.

While debugging the issue I used the following aws cli commands to check what has been deployed by cdk/cloudformation

aws events describe-connection --name <name-of-the-connection>

which result was similair to this

{
    "ConnectionArn": "arn:aws:events:eu-west-1:XXXXXXX:connection/SomeConnection/0848ec46-413a-4d40-8834-XXXXXX",
    "Name": "SomeConnection",
    "ConnectionState": "AUTHORIZED",
    "AuthorizationType": "API_KEY",
    "SecretArn": "arn:aws:secretsmanager:eu-west-1:XXXXXXX:secret:events!connection/SomeSecret/1e74cbb0-dfc6-4b77-a49f-b204e6b74a46-XXXXXX",
    "AuthParameters": {
        "ApiKeyAuthParameters": {
            "ApiKeyName": "authorization"
        },
        "InvocationHttpParameters": {
            "HeaderParameters": [
                {
                    "Key": "Content-Type",
                    "IsValueSecret": true
                }
            ]
        }
    },
    "CreationTime": "2022-08-29T16:57:35+02:00",
    "LastModifiedTime": "2022-08-29T16:57:35+02:00",
    "LastAuthorizedTime": "2022-08-29T16:57:35+02:00"
}

Which indicates that the header value is not set because it is treated as secret value and needs to be provided by the referenced secret.

Then i checked the Cloudformation spec
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-events-connection-parameter.html
There it is indicated that there is the property isValueSecret which indicates if the value is a secret or not.

The next step was to check why cdk generates a template that doesn't work and thereby checked the HttpParameter class.
This class is responsible for generating the AWS::Events::Connection Parameter properties.
I noticed that only the HttpParameter.fromSecret() sets the isValueSecret flag.
But it seems to be the case that for this property the default value is true by cloudformation, so omiting this attribute in the _render function results to isValueSecret: true at deploy time.

After that i explicity set the value to false for the case the user specifies a plaintext value throught the HttpParameter.fromString() method.

To make sure the correct values are deployed by cloudformation I added a integration test including an assertion that the deployed connection has the correct isValueSecret flag set and the value for the header is set.

---

All Submissions:

• Have you followed the guidelines in our Contributing guide?

Adding new Unconventional Dependencies:

• This PR adds new unconventional dependencies following the process described here

New Features

• Have you added the new feature to an integration test?
  • Did you use yarn integ to deploy the infrastructure and generate the snapshot (i.e. yarn integ without --dry-run)?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[gitpod-io]

[TheRealAmazonKendra]

Please make sure that your PR title confirms to the conventional commit standard (fix, feat, chore) and that it is written in a style that will reflect correctly in the change log (See Contributing Guide, Pull Requests).

Additionally, please make sure that your PR body describes the problem the PR is solving, and the design approach and alternatives considered. Explain why the PR solves the problem. A link to an issue is helpful, but does not replace an explanation of your thought process.

Lastly, we need an integration test for this change.

[TheRealAmazonKendra]

Why will this always be false? This PR needs context.

[RaphaelManke]

Yes this value needs to be set to false to indicate the provided value is not secret. Since this is the render method from the HttpParameter.fromString() the value is always treated as not secret. If you like to provide a secret value you have to use the HttpParameter.fromSecret() method.
The default value for isValueSecret seams to be true if not provided. See the updated PR description or linked issue.

[TheRealAmazonKendra]

Hit the wrong button and didn't put this into request changes.

Pull request has been modified.

[TheRealAmazonKendra]

Putting this back in request changes since there are still some things to be addressed.

Pull request has been modified.

[TheRealAmazonKendra]

Needs merge conflicts resolved.

Pull request has been modified.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: af59ed6
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).