Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unable to Detach Authorizer from HTTP API Route in AWS API Gateway #1822

Open
jasonlim-bandlab opened this issue Nov 13, 2024 · 8 comments
Open
Labels
area/docs Improvements or additions to documentation kind/bug Some behavior is incorrect or out of spec

Comments

@jasonlim-bandlab
Copy link

jasonlim-bandlab commented Nov 13, 2024

What happened?

Image

Based on the image above, we attempted to remove both authorizationType and authorizerId, expecting the route to detach the authorizer. However, upon checking in the console, the authorizer still appears to be attached. I might be missing something or doing it incorrectly. Could you please guide me on the correct steps to properly detach the authorizer from the route?

Example

import * as pulumi from "@pulumi/pulumi";
import * as awsNative from "@pulumi/aws-native";

const api = new awsNative.apigatewayv2.Api("my-api", {
    protocolType: "HTTP",
})
const authorizer = new awsNative.apigatewayv2.Authorizer("my-authorizer", {
    apiId: api.apiId,
    authorizerType: "JWT",
    identitySource: ["$request.header.Authorization"],
    name: "my-authorizer",
    jwtConfiguration: {
        audience: ["https://github.com/pulumi"],
        issuer: "https://token.actions.githubusercontent.com",
    },
});

const routeIntegration = new awsNative.apigatewayv2.Integration("test", {
    apiId: api.apiId,
    integrationType: "HTTP_PROXY",
    integrationUri: "https://example.com/{proxy}",
    integrationMethod: "ANY",
    payloadFormatVersion: "1.0",
});

new awsNative.apigatewayv2.Route("test", {
    apiId: api.apiId,
    routeKey: "ANY /example/{proxy+}",
    target: pulumi.interpolate`integrations/${routeIntegration.integrationId}`,
    authorizerId: authorizer.authorizerId,
    authorizationType: "JWT",
});

Output of pulumi about

Version 3.121.0
Go Version go1.22.4
Go Compiler gc

Plugins
KIND NAME VERSION
resource aws 6.56.1
resource aws-native 1.7.0
language nodejs unknown
resource random 4.16.7

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@jasonlim-bandlab jasonlim-bandlab added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Nov 13, 2024
@flostadler
Copy link
Contributor

Hey @jasonlim-bandlab, sorry you're running into this issue!

Could you please attach a code example that helps us reproduce this? Thanks!

@flostadler flostadler added needs-repro Needs repro steps before it can be triaged or fixed awaiting-feedback Blocked on input from the author and removed needs-triage Needs attention from the triage team labels Nov 13, 2024
@jasonlim-bandlab
Copy link
Author

jasonlim-bandlab commented Nov 14, 2024

@flostadler

args.routes.map((route) => {
    new awsNative.lambda.Permission(`${name}-permission-${route.method}-${route.path}`, {
        action: "lambda:InvokeFunction",
        functionName: route.handlerFunction.lambdaFunction.functionName.apply((name) => name || ""),
        principal: "apigateway.amazonaws.com",
        sourceArn: pulumi.interpolate`arn:aws:execute-api:${args.region}:${args.accountId}:${this.api.apiId}/*/${route.method}${route.path}`,
    });

    const routeIntegration = new awsNative.apigatewayv2.Integration(`${name}-${route.method}-${route.path}`, {
        apiId: this.api.apiId,
        integrationType: "AWS_PROXY",
        integrationUri: route.handlerFunction.lambdaFunction.arn,
        integrationMethod: route.method,
        payloadFormatVersion: "2.0",
    });

    new awsNative.apigatewayv2.Route(`${name}-route-${route.method}-${route.path}`, {
        apiId: this.api.apiId,
        routeKey: `${route.method} ${route.path}`,
        target: pulumi.interpolate`integrations/${routeIntegration.integrationId}`,
        authorizerId: route.isPublic ? undefined : authorizer.authorizerId,
        authorizationType: route.isPublic ? undefined : "JWT",
    });
});

This snippet above shows how each defined route is provisioned. I believe the authorizerId and authorizationType under apigatewayv2.Route might be of particular interest to you.

@pulumi-bot pulumi-bot added needs-triage Needs attention from the triage team and removed awaiting-feedback Blocked on input from the author labels Nov 14, 2024
@jasonlim-bandlab
Copy link
Author

@flostadler ,

Image

Due to the failure in detachment, the authorizer cannot be removed because it remains attached.

@flostadler
Copy link
Contributor

@jasonlim-bandlab do any errors occur when trying to remove the authorizer? I assume pulumi is showing that it's removing it, but the physical cloud resources still has it attached?
Generally, please attach error messages as text so it's easier for the maintainers to work with.

As a workaround you could try using the @pulumi/aws provider: https://www.pulumi.com/registry/packages/aws/api-docs/apigatewayv2/

@flostadler
Copy link
Contributor

flostadler commented Nov 14, 2024

@jasonlim-bandlab the issue is that you're setting the authorizationType of the route to undefined. AWS CloudFormation and AWS CloudControl, which this provider is built on, have a quirk that in order to remove the authorizer, you need to set the type to NONE instead.

I was able to repro your problem with this program (also edited the issue to the full repro instead):

import * as pulumi from "@pulumi/pulumi";
import * as awsNative from "@pulumi/aws-native";

const api = new awsNative.apigatewayv2.Api("my-api", {
    protocolType: "HTTP",
})
const authorizer = new awsNative.apigatewayv2.Authorizer("my-authorizer", {
    apiId: api.apiId,
    authorizerType: "JWT",
    identitySource: ["$request.header.Authorization"],
    name: "my-authorizer",
    jwtConfiguration: {
        audience: ["https://github.com/pulumi"],
        issuer: "https://token.actions.githubusercontent.com",
    },
});

const routeIntegration = new awsNative.apigatewayv2.Integration("test", {
    apiId: api.apiId,
    integrationType: "HTTP_PROXY",
    integrationUri: "https://example.com/{proxy}",
    integrationMethod: "ANY",
    payloadFormatVersion: "1.0",
});

new awsNative.apigatewayv2.Route("test", {
    apiId: api.apiId,
    routeKey: "ANY /example/{proxy+}",
    target: pulumi.interpolate`integrations/${routeIntegration.integrationId}`,
    authorizerId: authorizer.authorizerId,
    authorizationType: "JWT",
});

removing the authorizerId & authorizationType left the authorizer attached to the route, but when doing this instead it got correctly removed:

...
new awsNative.apigatewayv2.Route("test", {
    apiId: api.apiId,
    routeKey: "ANY /example/{proxy+}",
    target: pulumi.interpolate`integrations/${routeIntegration.integrationId}`,
    authorizationType: "NONE",
});

That being said, I agree that this is unexpected as do users in other ecosystems, see: aws/aws-cdk#20695.
I'll send an enhancement request to AWS and keep this issue open for a docs enhancement on our side.

@flostadler flostadler added area/docs Improvements or additions to documentation and removed needs-repro Needs repro steps before it can be triaged or fixed needs-triage Needs attention from the triage team labels Nov 14, 2024
@flostadler
Copy link
Contributor

Opened issue with AWS: aws-cloudformation/cloudformation-coverage-roadmap#2184

@jasonlim-bandlab
Copy link
Author

@flostadler, oh, thanks! It's working as expected now. I appreciate the tips and the effort in opening the ticket. Since my issue is resolved, should I go ahead and close it, or would it be better to wait for updates from AWS?

@flostadler
Copy link
Contributor

@jasonlim-bandlab let's keep it open. We should at least document this quirk on our end for now

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/docs Improvements or additions to documentation kind/bug Some behavior is incorrect or out of spec
Projects
None yet
Development

No branches or pull requests

3 participants