fix(ci): add auth to API HTTP Gateway and Lambda Function Url (#1882)

Author: rubenfonseca

poetry.lock

@@ -59,6 +59,7 @@ pytest-xdist = "^3.1.0"
 aws-cdk-lib = "^2.62.2"
 "aws-cdk.aws-apigatewayv2-alpha" = "^2.38.1-alpha.0"
 "aws-cdk.aws-apigatewayv2-integrations-alpha" = "^2.38.1-alpha.0"
+"aws-cdk.aws-apigatewayv2-authorizers-alpha" = "^2.38.1-alpha.0"
 pytest-benchmark = "^4.0.0"
 python-snappy = "^0.6.1"
 mypy-boto3-appconfig = "^1.26.0"
@@ -81,6 +82,7 @@ importlib-metadata = "^6.0"
 ijson = "^3.2.0"
 typed-ast = { version = "^1.5.4", python = "< 3.8"}
 hvac = "^1.0.2"
+aws-requests-auth = "^0.4.3"
 
 [tool.poetry.extras]
 parser = ["pydantic"]

pyproject.toml

@@ -3,6 +3,7 @@
 from aws_cdk import CfnOutput
 from aws_cdk import aws_apigateway as apigwv1
 from aws_cdk import aws_apigatewayv2_alpha as apigwv2
+from aws_cdk import aws_apigatewayv2_authorizers_alpha as apigwv2authorizers
 from aws_cdk import aws_apigatewayv2_integrations_alpha as apigwv2integrations
 from aws_cdk import aws_ec2 as ec2
 from aws_cdk import aws_elasticloadbalancingv2 as elbv2
@@ -57,7 +58,12 @@ def _create_alb_listener(
         CfnOutput(self.stack, f"ALB{name}ListenerPort", value=str(port))
 
     def _create_api_gateway_http(self, function: Function):
-        apigw = apigwv2.HttpApi(self.stack, "APIGatewayHTTP", create_default_stage=True)
+        apigw = apigwv2.HttpApi(
+            self.stack,
+            "APIGatewayHTTP",
+            create_default_stage=True,
+            default_authorizer=apigwv2authorizers.HttpIamAuthorizer(),
+        )
         apigw.add_routes(
             path="/todos",
             methods=[apigwv2.HttpMethod.POST],
@@ -76,5 +82,5 @@ def _create_api_gateway_rest(self, function: Function):
 
     def _create_lambda_function_url(self, function: Function):
         # Maintenance: move auth to IAM when we create sigv4 builders
-        function_url = function.add_function_url(auth_type=FunctionUrlAuthType.NONE)
+        function_url = function.add_function_url(auth_type=FunctionUrlAuthType.AWS_IAM)
         CfnOutput(self.stack, "LambdaFunctionUrl", value=function_url.url)

tests/e2e/event_handler/infrastructure.py

@@ -5,6 +5,7 @@
 
 from aws_lambda_powertools.shared.cookies import Cookie
 from tests.e2e.utils import data_fetcher
+from tests.e2e.utils.auth import build_iam_auth
 
 
 @pytest.fixture
@@ -168,6 +169,7 @@ def test_api_gateway_http_headers_serializer(apigw_http_endpoint):
             method="POST",
             url=url,
             json={"body": body, "status_code": status_code, "headers": headers, "cookies": list(map(str, cookies))},
+            auth=build_iam_auth(url=url, aws_service="execute-api"),
         )
     )
 
@@ -204,6 +206,7 @@ def test_lambda_function_url_headers_serializer(lambda_function_url_endpoint):
             method="POST",
             url=url,
             json={"body": body, "status_code": status_code, "headers": headers, "cookies": list(map(str, cookies))},
+            auth=build_iam_auth(url=url, aws_service="lambda"),
         )
     )
 

tests/e2e/event_handler/test_header_serializer.py

@@ -2,6 +2,7 @@
 from requests import HTTPError, Request
 
 from tests.e2e.utils import data_fetcher
+from tests.e2e.utils.auth import build_iam_auth
 
 
 @pytest.fixture
@@ -45,6 +46,7 @@ def test_api_gateway_rest_trailing_slash(apigw_rest_endpoint):
             method="POST",
             url=url,
             json={"body": body},
+            auth=build_iam_auth(url=url, aws_service="lambda"),
         )
     )
 
@@ -65,6 +67,7 @@ def test_api_gateway_http_trailing_slash(apigw_http_endpoint):
                 method="POST",
                 url=url,
                 json={"body": body},
+                auth=build_iam_auth(url=url, aws_service="lambda"),
             )
         )
 
@@ -82,6 +85,7 @@ def test_lambda_function_url_trailing_slash(lambda_function_url_endpoint):
                 method="POST",
                 url=url,
                 json={"body": body},
+                auth=build_iam_auth(url=url, aws_service="lambda"),
             )
         )
 
@@ -99,5 +103,6 @@ def test_alb_url_trailing_slash(alb_multi_value_header_listener_endpoint):
                 method="POST",
                 url=url,
                 json={"body": body},
+                auth=build_iam_auth(url=url, aws_service="lambda"),
             )
         )

tests/e2e/event_handler/test_paths_ending_with_slash.py

@@ -0,0 +1,13 @@
+from urllib.parse import urlparse
+
+import boto3
+from aws_requests_auth.boto_utils import BotoAWSRequestsAuth
+
+
+def build_iam_auth(url: str, aws_service: str) -> BotoAWSRequestsAuth:
+    """Generates IAM auth keys for a given hostname and service.
+    This can be directly passed on to the requests library to authenticate the request.
+    """
+    hostname = urlparse(url).hostname
+    region = boto3.Session().region_name
+    return BotoAWSRequestsAuth(aws_host=hostname, aws_region=region, aws_service=aws_service)