fix(apigateway): set authorization scope when authorization type is Cognito

[GavinZZ]

Issue # (if applicable)

Closes #29781

Reason for this change

Authorization scope is set even when the auth type is None. This will cause deployment failure

12:52:11 PM | CREATE_FAILED | AWS::ApiGateway::Method | ActionsApiGatewayI...oxyOPTIONS041B022A
Resource handler returned message: "Invalid Method authorization type specified. Authorization Scopes are only valid for COGNITO_USER_POOLS authorization type (Servic
e: ApiGateway, Status Code: 400, Request ID: f9c6357b-428e-42a8-884c-07b77939d165)" (RequestToken: bb8de2e9-37b7-ca15-9bd8-547bc7eea134, HandlerErrorCode: InvalidRequ
est)

Description of changes

Check when auth type is not Cognito, set auth scope to none. Not a breaking change because original templates cannot deploy.

Description of how you validated changes

All existing and new tests pass.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aaythapa]

Generally lgtm, just some clarifying questions

[aaythapa]

🚢

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 0ba8ff9
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[viktorvoltaire]

This wiped our scopes, even though we have const authorizer = new CognitoUserPoolsAuthorizer(.... having defined our default options like below wasn't a problem until this was merged. Its also a optional parameter that says

The authorizer will take care of setting the correct authorization type.

        defaultMethodOptions: {
          authorizer: authorizer,
          authorizationScopes: [
            "...."
          ],

This warning log was swallowed by CI/CD but still deployed

[Warning at ...] 'AuthorizationScopes' can only be set when 'AuthorizationType' sets 'COGNITO_USER_POOLS'. Default to ignore the values set in 'AuthorizationScopes'. [ack: @aws-cdk/aws-apigateway:invalidAuthScope]

[alfie-bends]

By utilizing authorizationTypeOption instead of authorizationType, you are now forcing people to implement an optional parameter for something was previously set by the authorizer, that was previously recommended to not be set explicitly. It is explicitly stated in the documentation, that the authorizer will set the authorizationType, see line 30 of this file. This is a breaking change.

[tibbing]

Yes, this just broke our prod environment after a dependabot update - it should be marked as a breaking change 🙁

[aws-cdk-automation]

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.