diff --git a/samtranslator/model/apigateway.py b/samtranslator/model/apigateway.py
index d1ea0c2b1d..428ac1972f 100644
--- a/samtranslator/model/apigateway.py
+++ b/samtranslator/model/apigateway.py
@@ -270,11 +270,19 @@ def _is_missing_identity_source(self, identity):
 query_strings = identity.get("QueryStrings")
 stage_variables = identity.get("StageVariables")
 context = identity.get("Context")
+ ttl = identity.get("ReauthorizeEvery")
- if not headers and not query_strings and not stage_variables and not context:
- return True
+ required_properties_missing = not headers and not query_strings and not stage_variables and not context
+
+ try:
+ ttl_int = int(ttl)
+ # this will catch if ttl is None and not convertable to an int
+ except TypeError:
+ # previous behavior before trying to read ttl
+ return required_properties_missing
- return False
+ # If we can resolve ttl, attempt to see if things are valid
+ return ttl_int > 0 and required_properties_missing
 def generate_swagger(self):
 authorizer_type = self._get_type()
@@ -314,7 +322,9 @@ def generate_swagger(self):
 swagger[APIGATEWAY_AUTHORIZER_KEY]["authorizerCredentials"] = function_invoke_role
 if self._get_function_payload_type() == "REQUEST":
- swagger[APIGATEWAY_AUTHORIZER_KEY]["identitySource"] = self._get_identity_source()
+ identity_source = self._get_identity_source()
+ if identity_source:
+ swagger[APIGATEWAY_AUTHORIZER_KEY]["identitySource"] = self._get_identity_source()
 # Authorizer Validation Expression is only allowed on COGNITO_USER_POOLS and LAMBDA_TOKEN
 is_lambda_token_authorizer = authorizer_type == "LAMBDA" and self._get_function_payload_type() == "TOKEN"
diff --git a/tests/model/test_api.py b/tests/model/test_api.py
index 627bda3d5c..708b83a5a5 100644
--- a/tests/model/test_api.py
+++ b/tests/model/test_api.py
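Review bot: In `_is_missing_identity_source`, `int(ttl)` is guarded only by `except TypeError:`, so a `ReauthorizeEvery` given as a non-numeric string raises an uncaught `ValueError` out of validation instead of falling back to the previous check; widen the handler to `except (TypeError, ValueError):`. The final `return ttl_int > 0 and required_properties_missing` also waives the identity-source requirement for any value at or below zero, not only for `0`, the no-caching case the new tests cover; since the identity sources are what a cached authorizer result is matched against, the waiver should be limited to exactly `ttl_int == 0` and negatives left to the original check or rejected. The comment `# this will catch if ttl is None and not convertable to an int` sits in the `try` body but describes the handler; move it under the `except` line and name the cases it covers (None, a list, an intrinsic dict). The start of the function is outside the hunk.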
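Review bot: In the `generate_swagger` hunk the new guard stores `self._get_identity_source()` in `identity_source` and then calls the method a second time for the assignment; use the local instead: `swagger[APIGATEWAY_AUTHORIZER_KEY]["identitySource"] = identity_source`. A one-line comment above `if identity_source:` such as `# identitySource is omitted only for an uncached REQUEST authorizer with no identity sources` would record why the key is now optional, since the validation that makes this safe lives in another method. `generate_swagger` starts and ends outside the hunk.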
@@ -14,6 +14,100 @@ def test_create_oauth2_auth(self): def test_create_authorizer_fails_with_string_authorization_scopes(self): with pytest.raises(InvalidResourceException): - auth = ApiGatewayAuthorizer( - api_logical_id="logicalId", name="authName", authorization_scopes="invalid_scope" + ApiGatewayAuthorizer(api_logical_id="logicalId", name="authName", authorization_scopes="invalid_scope") + + def test_create_authorizer_fails_with_missing_identity_values_and_not_cached(self): + with pytest.raises(InvalidResourceException): + ApiGatewayAuthorizer( + api_logical_id="logicalId", + name="authName", + identity={"ReauthorizeEvery": 10}, + function_payload_type="REQUEST", + ) + + def test_create_authorizer_fails_with_empty_identity(self): + with pytest.raises(InvalidResourceException): + ApiGatewayAuthorizer( + api_logical_id="logicalId", name="authName", identity={}, function_payload_type="REQUEST" ) + + def test_create_authorizer_doesnt_fail_with_identity_reauthorization_every_as_zero(self): + auth = ApiGatewayAuthorizer( + api_logical_id="logicalId", + name="authName", + identity={"ReauthorizeEvery": 0}, + function_payload_type="REQUEST", + ) + + self.assertIsNotNone(auth) + + def test_create_authorizer_with_non_integer_identity(self): + auth = ApiGatewayAuthorizer( + api_logical_id="logicalId", + name="authName", + identity={"ReauthorizeEvery": [], "Headers": ["Accept"]}, + function_payload_type="REQUEST", + ) + + self.assertIsNotNone(auth) + + def test_create_authorizer_with_identity_intrinsic_is_valid_with_headers(self): + auth = ApiGatewayAuthorizer( + api_logical_id="logicalId", + name="authName", + identity={"ReauthorizeEvery": {"FN:If": ["isProd", 10, 0]}, "Headers": ["Accept"]}, + function_payload_type="REQUEST", + ) + + self.assertIsNotNone(auth) + + def test_create_authorizer_with_identity_intrinsic_is_invalid_if_no_querystring_stagevariables_context_headers( + self, + ): + with pytest.raises(InvalidResourceException): + ApiGatewayAuthorizer( + 
api_logical_id="logicalId", + name="authName", + identity={"ReauthorizeEvery": {"FN:If": ["isProd", 10, 0]}}, + function_payload_type="REQUEST", + ) + + def test_create_authorizer_with_identity_intrinsic_is_valid_with_context(self): + auth = ApiGatewayAuthorizer( + api_logical_id="logicalId", + name="authName", + identity={"ReauthorizeEvery": {"FN:If": ["isProd", 10, 0]}, "Context": ["Accept"]}, + function_payload_type="REQUEST", + ) + + self.assertIsNotNone(auth) + + def test_create_authorizer_with_identity_intrinsic_is_valid_with_stage_variables(self): + auth = ApiGatewayAuthorizer( + api_logical_id="logicalId", + name="authName", + identity={"ReauthorizeEvery": {"FN:If": ["isProd", 10, 0]}, "StageVariables": ["Stage"]}, + function_payload_type="REQUEST", + ) + + self.assertIsNotNone(auth) + + def test_create_authorizer_with_identity_intrinsic_is_valid_with_query_strings(self): + auth = ApiGatewayAuthorizer( + api_logical_id="logicalId", + name="authName", + identity={"ReauthorizeEvery": {"FN:If": ["isProd", 10, 0]}, "QueryStrings": ["AQueryString"]}, + function_payload_type="REQUEST", + ) + + self.assertIsNotNone(auth) + + def test_create_authorizer_with_identity_ReauthorizeEvery_asNone_valid_with_query_strings(self): + auth = ApiGatewayAuthorizer( + api_logical_id="logicalId", + name="authName", + identity={"ReauthorizeEvery": None, "QueryStrings": ["AQueryString"]}, + function_payload_type="REQUEST", + ) + + self.assertIsNotNone(auth) diff --git a/tests/translator/input/api_with_auth_all_minimum.yaml b/tests/translator/input/api_with_auth_all_minimum.yaml index 399df76126..5066b20d9b 100644 --- a/tests/translator/input/api_with_auth_all_minimum.yaml +++ b/tests/translator/input/api_with_auth_all_minimum.yaml 
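Review bot: The intrinsic test cases spell the key as `"FN:If"`, which is not the CloudFormation intrinsic name; they pass only because any dict makes `int()` raise `TypeError`, so they would still pass if intrinsic detection were ever made explicit and rejected unknown keys. Use `{"Fn::If": ["isProd", 10, 0]}` so the unit tests match the `!If` used in `api_with_identity_intrinsic.yaml`. The suite also has no case for a `ReauthorizeEvery` that is a non-numeric string (where `int()` raises `ValueError`, not `TypeError`) or a negative number with no identity sources; both are worth a test asserting `InvalidResourceException`. `test_create_authorizer_with_non_integer_identity` would read more accurately as `..._with_non_integer_reauthorize_every`.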
@@ -32,6 +32,20 @@ Resources: Identity: Headers: - Authorization1 + + MyApiWithNotCachedLambdaRequestAuth: + Type: "AWS::Serverless::Api" + Properties: + StageName: Prod + Auth: + DefaultAuthorizer: MyLambdaRequestAuth + Authorizers: + MyLambdaRequestAuth: + FunctionPayloadType: REQUEST + FunctionArn: !GetAtt MyAuthFn.Arn + Identity: + ReauthorizeEvery: 0 + MyAuthFn: Type: AWS::Serverless::Function Properties: @@ -81,6 +95,13 @@ Resources: RestApiId: !Ref MyApiWithLambdaRequestAuth Method: any Path: /any/lambda-request + LambdaNotCachedRequest: + Type: Api + Properties: + RestApiId: !Ref MyApiWithNotCachedLambdaRequestAuth + Method: get + Path: /not-cached-lambda-request + MyUserPool: Type: AWS::Cognito::UserPool Properties: diff --git a/tests/translator/input/api_with_identity_intrinsic.yaml b/tests/translator/input/api_with_identity_intrinsic.yaml new file mode 100644 index 0000000000..2afc3d679a --- /dev/null +++ b/tests/translator/input/api_with_identity_intrinsic.yaml @@ -0,0 +1,22 @@ +AWSTemplateFormatVersion: "2010-09-09" +Transform: AWS::Serverless-2016-10-31 + +Conditions: + isProd: true + + +Resources: + APIGateway: + Type: 'AWS::Serverless::Api' + Properties: + StageName: Prod + Auth: + DefaultAuthorizer: SomeAuthorizer + Authorizers: + SomeAuthorizer: + FunctionPayloadType: REQUEST + FunctionArn: SomeArn + Identity: + Headers: + - Accept + ReauthorizeEvery: !If [isProd, 3600, 0] \ No newline at end of file diff --git a/tests/translator/output/api_with_auth_all_minimum.json b/tests/translator/output/api_with_auth_all_minimum.json index 186f6c50d2..a64255ce5a 100644 --- a/tests/translator/output/api_with_auth_all_minimum.json +++ b/tests/translator/output/api_with_auth_all_minimum.json 
@@ -1,22 +1,221 @@ { "Resources": { + "MyApiWithCognitoAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/cognito": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuth": [] + } + ], + "responses": {} + } + }, + "/any/cognito": { + "x-amazon-apigateway-any-method": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuth": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "MyCognitoAuth": { + "in": "header", + "type": "apiKey", + "name": "Authorization", + "x-amazon-apigateway-authorizer": { + "providerARNs": [ + { + "Fn::GetAtt": [ + "MyUserPool", + "Arn" + ] + } + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + } + } + } + } + }, + "MyApiWithLambdaRequestAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithLambdaRequestAuthDeployment6a32cc7f63" + }, + "RestApiId": { + "Ref": "MyApiWithLambdaRequestAuth" + }, + "StageName": "Prod" + } + }, + "MyApiWithLambdaTokenAuthMyLambdaTokenAuthAuthorizerPermission": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Fn::GetAtt": [ + "MyAuthFn", + "Arn" + ] + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + { + "__ApiId__": { + "Ref": "MyApiWithLambdaTokenAuth" + } + } + ] + } + } + }, 
+ "MyApiWithLambdaRequestAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/any/lambda-request": { + "x-amazon-apigateway-any-method": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyLambdaRequestAuth": [] + } + ], + "responses": {} + } + }, + "/lambda-request": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyLambdaRequestAuth": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "MyLambdaRequestAuth": { + "in": "header", + "type": "apiKey", + "name": "Unused", + "x-amazon-apigateway-authorizer": { + "type": "request", + "identitySource": "method.request.header.Authorization1", + "authorizerUri": { + "Fn::Sub": [ + "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + { + "__FunctionArn__": { + "Fn::GetAtt": [ + "MyAuthFn", + "Arn" + ] + } + } + ] + } + }, + "x-amazon-apigateway-authtype": "custom" + } + } + } + } + }, + "MyApiWithLambdaTokenAuthDeployment03cc3fd4fd": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithLambdaTokenAuth" + }, + "Description": "RestApi deployment id: 03cc3fd4fd00e795fb067f94da06cb2fcfe95d3b", + "StageName": "Stage" + } + }, + "MyApiWithCognitoAuthDeploymentdcc28e4b5f": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithCognitoAuth" + }, + "Description": "RestApi deployment id: dcc28e4b5f8fbdb114c4da86eae5deddc368c60e", + "StageName": "Stage" + } + }, 
"MyUserPool": { "Type": "AWS::Cognito::UserPool", "Properties": { + "UsernameAttributes": [ + "email" + ], "UserPoolName": "UserPoolName", "Policies": { "PasswordPolicy": { "MinimumLength": 8 } }, - "UsernameAttributes": [ - "email" - ], "Schema": [ { "AttributeDataType": "String", - "Name": "email", - "Required": false + "Required": false, + "Name": "email" } ] } @@ -24,11 +223,11 @@ "MyAuthFn": { "Type": "AWS::Lambda::Function", "Properties": { + "Handler": "index.handler", "Code": { "S3Bucket": "bucket", "S3Key": "key" }, - "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "MyAuthFnRole", @@ -38,63 +237,31 @@ "Runtime": "nodejs12.x", "Tags": [ { - "Key": "lambda:createdBy", - "Value": "SAM" + "Value": "SAM", + "Key": "lambda:createdBy" } ] } }, - "MyAuthFnRole": { - "Type": "AWS::IAM::Role", + "MyFnLambdaRequestAnyMethodPermissionProd": { + "Type": "AWS::Lambda::Permission", "Properties": { - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-request", { - "Action": [ - "sts:AssumeRole" - ], - "Effect": "Allow", - "Principal": { - "Service": [ - "lambda.amazonaws.com" - ] + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithLambdaRequestAuth" } } ] - }, - "ManagedPolicyArns": [ - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], - "Tags": [ - { - "Key": "lambda:createdBy", - "Value": "SAM" - } - ] - } - }, - "MyFn": { - "Type": "AWS::Lambda::Function", - "Properties": { - "Code": { - "S3Bucket": "bucket", - "S3Key": "key" - }, - "Handler": "index.handler", - "Role": { - "Fn::GetAtt": [ - "MyFnRole", - "Arn" - ] - }, - "Runtime": "nodejs12.x", - "Tags": [ - { - "Key": "lambda:createdBy", - "Value": "SAM" - } - ] + } } }, "MyFnRole": { 
@@ -121,234 +288,61 @@ ], "Tags": [ { - "Key": "lambda:createdBy", - "Value": "SAM" + "Value": "SAM", + "Key": "lambda:createdBy" } ] } }, - "MyFnCognitoAnyMethodPermissionProd": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFn" - }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/cognito", - { - "__ApiId__": { - "Ref": "MyApiWithCognitoAuth" - }, - "__Stage__": "*" - } - ] - } - } - }, - "MyFnLambdaRequestAnyMethodPermissionProd": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFn" - }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-request", - { - "__ApiId__": { - "Ref": "MyApiWithLambdaRequestAuth" - }, - "__Stage__": "*" - } - ] - } - } - }, - "MyFnLambdaTokenAnyMethodPermissionProd": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFn" - }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-token", - { - "__ApiId__": { - "Ref": "MyApiWithLambdaTokenAuth" - }, - "__Stage__": "*" - } - ] - } - } - }, "MyFnCognitoPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFn" }, - "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognito", { + "__Stage__": "*", "__ApiId__": { "Ref": "MyApiWithCognitoAuth" - }, - "__Stage__": "*" - } - ] - } - } - }, - 
"MyFnLambdaRequestPermissionProd": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFn" - }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-request", - { - "__ApiId__": { - "Ref": "MyApiWithLambdaRequestAuth" - }, - "__Stage__": "*" + } } ] } } }, - "MyFnLambdaTokenPermissionProd": { - "Type": "AWS::Lambda::Permission", + "MyApiWithCognitoAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFn" + "DeploymentId": { + "Ref": "MyApiWithCognitoAuthDeploymentdcc28e4b5f" }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-token", - { - "__ApiId__": { - "Ref": "MyApiWithLambdaTokenAuth" - }, - "__Stage__": "*" - } - ] - } - } - }, - "MyApiWithCognitoAuth": { - "Type": "AWS::ApiGateway::RestApi", - "Properties": { - "Body": { - "swagger": "2.0", - "info": { - "version": "1.0", - "title": { - "Ref": "AWS::StackName" - } - }, - "paths": { - "/cognito": { - "get": { - "x-amazon-apigateway-integration": { - "type": "aws_proxy", - "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "MyCognitoAuth": [] - } - ] - } - }, - "/any/cognito": { - "x-amazon-apigateway-any-method": { - "x-amazon-apigateway-integration": { - "type": "aws_proxy", - "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "MyCognitoAuth": [] - } - ] - } - } - }, - "securityDefinitions": { - "MyCognitoAuth": { - "type": "apiKey", - "name": 
"Authorization", - "in": "header", - "x-amazon-apigateway-authtype": "cognito_user_pools", - "x-amazon-apigateway-authorizer": { - "type": "cognito_user_pools", - "providerARNs": [ - { - "Fn::GetAtt": [ - "MyUserPool", - "Arn" - ] - } - ] - } - } - } - } - } - }, - "MyApiWithCognitoAuthDeploymentdcc28e4b5f": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "Description": "RestApi deployment id: dcc28e4b5f8fbdb114c4da86eae5deddc368c60e", "RestApiId": { "Ref": "MyApiWithCognitoAuth" }, - "StageName": "Stage" + "StageName": "Prod" } }, - "MyApiWithCognitoAuthProdStage": { + "MyApiWithNotCachedLambdaRequestAuthProdStage": { "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithCognitoAuthDeploymentdcc28e4b5f" + "Ref": "MyApiWithNotCachedLambdaRequestAuthDeployment444f67cd7c" }, "RestApiId": { - "Ref": "MyApiWithCognitoAuth" + "Ref": "MyApiWithNotCachedLambdaRequestAuth" }, "StageName": "Prod" } }, - "MyApiWithLambdaTokenAuth": { + "MyApiWithNotCachedLambdaRequestAuth": { "Type": "AWS::ApiGateway::RestApi", "Properties": { "Body": { - "swagger": "2.0", "info": { "version": "1.0", "title": { 
@@ -356,49 +350,33 @@ } }, "paths": { - "/lambda-token": { + "/not-cached-lambda-request": { "get": { "x-amazon-apigateway-integration": { - "type": "aws_proxy", "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "MyLambdaTokenAuth": [] - } - ] - } - }, - "/any/lambda-token": { - "x-amazon-apigateway-any-method": { - "x-amazon-apigateway-integration": { "type": "aws_proxy", - "httpMethod": "POST", "uri": { "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" } }, - "responses": {}, "security": [ { - "MyLambdaTokenAuth": [] + "MyLambdaRequestAuth": [] } - ] + ], + "responses": {} } } }, + "swagger": "2.0", "securityDefinitions": { - "MyLambdaTokenAuth": { - "type": "apiKey", - "name": "Authorization", + "MyLambdaRequestAuth": { "in": "header", - "x-amazon-apigateway-authtype": "custom", + "type": "apiKey", + "name": "Unused", "x-amazon-apigateway-authorizer": { - "type": "token", + "type": "request", + "authorizerResultTtlInSeconds": 0, "authorizerUri": { "Fn::Sub": [ "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", 
@@ -412,49 +390,91 @@ } ] } - } + }, + "x-amazon-apigateway-authtype": "custom" } } } } }, - "MyApiWithLambdaTokenAuthDeployment03cc3fd4fd": { - "Type": "AWS::ApiGateway::Deployment", + "MyFnLambdaTokenAnyMethodPermissionProd": { + "Type": "AWS::Lambda::Permission", "Properties": { - "Description": "RestApi deployment id: 03cc3fd4fd00e795fb067f94da06cb2fcfe95d3b", - "RestApiId": { - "Ref": "MyApiWithLambdaTokenAuth" + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" }, - "StageName": "Stage" + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-token", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithLambdaTokenAuth" + } + } + ] + } } }, - "MyApiWithLambdaTokenAuthProdStage": { - "Type": "AWS::ApiGateway::Stage", + "MyFnCognitoAnyMethodPermissionProd": { + "Type": "AWS::Lambda::Permission", "Properties": { - "DeploymentId": { - "Ref": "MyApiWithLambdaTokenAuthDeployment03cc3fd4fd" - }, - "RestApiId": { - "Ref": "MyApiWithLambdaTokenAuth" + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" }, - "StageName": "Prod" + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/cognito", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } } }, - "MyApiWithLambdaTokenAuthMyLambdaTokenAuthAuthorizerPermission": { + "MyApiWithLambdaRequestAuthMyLambdaRequestAuthAuthorizerPermission": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Fn::GetAtt": [ "MyAuthFn", "Arn" ] }, - "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { + "__ApiId__": { + "Ref": 
"MyApiWithLambdaRequestAuth" + } + } + ] + } + } + }, + "MyFnLambdaTokenPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-token", + { + "__Stage__": "*", "__ApiId__": { "Ref": "MyApiWithLambdaTokenAuth" } @@ -463,11 +483,31 @@ } } }, - "MyApiWithLambdaRequestAuth": { + "MyFnLambdaRequestPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-request", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithLambdaRequestAuth" + } + } + ] + } + } + }, + "MyApiWithLambdaTokenAuth": { "Type": "AWS::ApiGateway::RestApi", "Properties": { "Body": { - "swagger": "2.0", "info": { "version": "1.0", "title": { 
@@ -475,49 +515,49 @@ } }, "paths": { - "/lambda-request": { + "/lambda-token": { "get": { "x-amazon-apigateway-integration": { - "type": "aws_proxy", "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" } }, - "responses": {}, "security": [ { - "MyLambdaRequestAuth": [] + "MyLambdaTokenAuth": [] } - ] + ], + "responses": {} } }, - "/any/lambda-request": { + "/any/lambda-token": { "x-amazon-apigateway-any-method": { "x-amazon-apigateway-integration": { - "type": "aws_proxy", "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" } }, - "responses": {}, "security": [ { - "MyLambdaRequestAuth": [] + "MyLambdaTokenAuth": [] } - ] + ], + "responses": {} } } }, + "swagger": "2.0", "securityDefinitions": { - "MyLambdaRequestAuth": { - "type": "apiKey", - "name": "Unused", + "MyLambdaTokenAuth": { "in": "header", - "x-amazon-apigateway-authtype": "custom", + "type": "apiKey", + "name": "Authorization", "x-amazon-apigateway-authorizer": { - "type": "request", + "type": "token", "authorizerUri": { "Fn::Sub": [ "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", @@ -530,9 +570,9 @@ } } ] - }, - "identitySource": "method.request.header.Authorization1" - } + } + }, + "x-amazon-apigateway-authtype": "custom" } } } 
@@ -541,47 +581,131 @@ "MyApiWithLambdaRequestAuthDeployment6a32cc7f63": { "Type": "AWS::ApiGateway::Deployment", "Properties": { - "Description": "RestApi deployment id: 6a32cc7f63485b93190f441a47da57f43de6a532", "RestApiId": { "Ref": "MyApiWithLambdaRequestAuth" }, + "Description": "RestApi deployment id: 6a32cc7f63485b93190f441a47da57f43de6a532", "StageName": "Stage" } }, - "MyApiWithLambdaRequestAuthProdStage": { - "Type": "AWS::ApiGateway::Stage", - "Properties": { - "DeploymentId": { - "Ref": "MyApiWithLambdaRequestAuthDeployment6a32cc7f63" - }, - "RestApiId": { - "Ref": "MyApiWithLambdaRequestAuth" - }, - "StageName": "Prod" - } - }, - "MyApiWithLambdaRequestAuthMyLambdaRequestAuthAuthorizerPermission": { + "MyApiWithNotCachedLambdaRequestAuthMyLambdaRequestAuthAuthorizerPermission": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Fn::GetAtt": [ "MyAuthFn", "Arn" ] }, - "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { - "Ref": "MyApiWithLambdaRequestAuth" + "Ref": "MyApiWithNotCachedLambdaRequestAuth" + } + } + ] + } + } + }, + "MyFnLambdaNotCachedRequestPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/not-cached-lambda-request", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithNotCachedLambdaRequestAuth" } } ] } } + }, + "MyAuthFnRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + 
"lambda.amazonaws.com" + ] + } + } + ] + }, + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyApiWithLambdaTokenAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithLambdaTokenAuthDeployment03cc3fd4fd" + }, + "RestApiId": { + "Ref": "MyApiWithLambdaTokenAuth" + }, + "StageName": "Prod" + } + }, + "MyApiWithNotCachedLambdaRequestAuthDeployment444f67cd7c": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithNotCachedLambdaRequestAuth" + }, + "Description": "RestApi deployment id: 444f67cd7c6475a698a0101480ba99b498325e90", + "StageName": "Stage" + } + }, + "MyFn": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFnRole", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } } } -} \ No newline at end of file +} diff --git a/tests/translator/output/api_with_identity_intrinsic.json b/tests/translator/output/api_with_identity_intrinsic.json new file mode 100644 index 0000000000..32c8b8eaaf --- /dev/null +++ b/tests/translator/output/api_with_identity_intrinsic.json 
@@ -0,0 +1,90 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Conditions": { + "isProd": true + }, + "Resources": { + "APIGateway": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": {}, + "swagger": "2.0", + "securityDefinitions": { + "SomeAuthorizer": { + "in": "header", + "type": "apiKey", + "name": "Unused", + "x-amazon-apigateway-authorizer": { + "type": "request", + "authorizerResultTtlInSeconds": { + "Fn::If": [ + "isProd", + 3600, + 0 + ] + }, + "identitySource": "method.request.header.Accept", + "authorizerUri": { + "Fn::Sub": [ + "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + { + "__FunctionArn__": "SomeArn" + } + ] + } + }, + "x-amazon-apigateway-authtype": "custom" + } + } + } + } + }, + "APIGatewaySomeAuthorizerAuthorizerPermission": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "SomeArn", + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + { + "__ApiId__": { + "Ref": "APIGateway" + } + } + ] + } + } + }, + "APIGatewayDeploymenta119f04c8a": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "APIGateway" + }, + "Description": "RestApi deployment id: a119f04c8aba206b5b7db5f232f013b816fe6447", + "StageName": "Stage" + } + }, + "APIGatewayProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "APIGatewayDeploymenta119f04c8a" + }, + "RestApiId": { + "Ref": "APIGateway" + }, + "StageName": "Prod" + } + } + } +} diff --git a/tests/translator/output/aws-cn/api_with_auth_all_minimum.json b/tests/translator/output/aws-cn/api_with_auth_all_minimum.json index b9e408189c..b90828c4a3 100644 
--- a/tests/translator/output/aws-cn/api_with_auth_all_minimum.json +++ b/tests/translator/output/aws-cn/api_with_auth_all_minimum.json 
@@ -1,22 +1,215 @@ { "Resources": { + "MyApiWithCognitoAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/cognito": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuth": [] + } + ], + "responses": {} + } + }, + "/any/cognito": { + "x-amazon-apigateway-any-method": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuth": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "MyCognitoAuth": { + "in": "header", + "type": "apiKey", + "name": "Authorization", + "x-amazon-apigateway-authorizer": { + "providerARNs": [ + { + "Fn::GetAtt": [ + "MyUserPool", + "Arn" + ] + } + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } + } + }, + "MyApiWithNotCachedLambdaRequestAuthDeployment234e92eab4": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithNotCachedLambdaRequestAuth" + }, + "Description": "RestApi deployment id: 234e92eab4e4c590ad261ddd55775c1edcc2972f", + "StageName": "Stage" + } + }, + "MyApiWithLambdaTokenAuthMyLambdaTokenAuthAuthorizerPermission": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Fn::GetAtt": [ + "MyAuthFn", + "Arn" + ] + }, + "SourceArn": { + 
"Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + { + "__ApiId__": { + "Ref": "MyApiWithLambdaTokenAuth" + } + } + ] + } + } + }, + "MyApiWithLambdaRequestAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/any/lambda-request": { + "x-amazon-apigateway-any-method": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyLambdaRequestAuth": [] + } + ], + "responses": {} + } + }, + "/lambda-request": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyLambdaRequestAuth": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "MyLambdaRequestAuth": { + "in": "header", + "type": "apiKey", + "name": "Unused", + "x-amazon-apigateway-authorizer": { + "type": "request", + "identitySource": "method.request.header.Authorization1", + "authorizerUri": { + "Fn::Sub": [ + "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + { + "__FunctionArn__": { + "Fn::GetAtt": [ + "MyAuthFn", + "Arn" + ] + } + } + ] + } + }, + "x-amazon-apigateway-authtype": "custom" + } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } + } + }, "MyUserPool": { "Type": "AWS::Cognito::UserPool", "Properties": { + "UsernameAttributes": [ + "email" + ], "UserPoolName": "UserPoolName", "Policies": { "PasswordPolicy": { "MinimumLength": 8 } }, - "UsernameAttributes": [ - "email" - ], 
"Schema": [ { "AttributeDataType": "String", - "Name": "email", - "Required": false + "Required": false, + "Name": "email" } ] } @@ -24,11 +217,11 @@ "MyAuthFn": { "Type": "AWS::Lambda::Function", "Properties": { + "Handler": "index.handler", "Code": { "S3Bucket": "bucket", "S3Key": "key" }, - "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "MyAuthFnRole", @@ -38,63 +231,31 @@ "Runtime": "nodejs12.x", "Tags": [ { - "Key": "lambda:createdBy", - "Value": "SAM" + "Value": "SAM", + "Key": "lambda:createdBy" } ] } }, - "MyAuthFnRole": { - "Type": "AWS::IAM::Role", + "MyFnLambdaRequestAnyMethodPermissionProd": { + "Type": "AWS::Lambda::Permission", "Properties": { - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-request", { - "Action": [ - "sts:AssumeRole" - ], - "Effect": "Allow", - "Principal": { - "Service": [ - "lambda.amazonaws.com" - ] + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithLambdaRequestAuth" } } ] - }, - "ManagedPolicyArns": [ - "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], - "Tags": [ - { - "Key": "lambda:createdBy", - "Value": "SAM" - } - ] - } - }, - "MyFn": { - "Type": "AWS::Lambda::Function", - "Properties": { - "Code": { - "S3Bucket": "bucket", - "S3Key": "key" - }, - "Handler": "index.handler", - "Role": { - "Fn::GetAtt": [ - "MyFnRole", - "Arn" - ] - }, - "Runtime": "nodejs12.x", - "Tags": [ - { - "Key": "lambda:createdBy", - "Value": "SAM" - } - ] + } } }, "MyFnRole": { 
@@ -121,242 +282,61 @@ ], "Tags": [ { - "Key": "lambda:createdBy", - "Value": "SAM" + "Value": "SAM", + "Key": "lambda:createdBy" } ] } }, - "MyFnCognitoAnyMethodPermissionProd": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFn" - }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/cognito", - { - "__ApiId__": { - "Ref": "MyApiWithCognitoAuth" - }, - "__Stage__": "*" - } - ] - } - } - }, - "MyFnLambdaRequestAnyMethodPermissionProd": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFn" - }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-request", - { - "__ApiId__": { - "Ref": "MyApiWithLambdaRequestAuth" - }, - "__Stage__": "*" - } - ] - } - } - }, - "MyFnLambdaTokenAnyMethodPermissionProd": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFn" - }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-token", - { - "__ApiId__": { - "Ref": "MyApiWithLambdaTokenAuth" - }, - "__Stage__": "*" - } - ] - } - } - }, "MyFnCognitoPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFn" }, - "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognito", { + "__Stage__": "*", "__ApiId__": { "Ref": "MyApiWithCognitoAuth" - }, - "__Stage__": "*" - } - ] - } - } - }, - 
"MyFnLambdaRequestPermissionProd": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFn" - }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-request", - { - "__ApiId__": { - "Ref": "MyApiWithLambdaRequestAuth" - }, - "__Stage__": "*" - } - ] - } - } - }, - "MyFnLambdaTokenPermissionProd": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFn" - }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-token", - { - "__ApiId__": { - "Ref": "MyApiWithLambdaTokenAuth" - }, - "__Stage__": "*" - } - ] - } - } - }, - "MyApiWithCognitoAuth": { - "Type": "AWS::ApiGateway::RestApi", - "Properties": { - "Body": { - "swagger": "2.0", - "info": { - "version": "1.0", - "title": { - "Ref": "AWS::StackName" - } - }, - "paths": { - "/cognito": { - "get": { - "x-amazon-apigateway-integration": { - "type": "aws_proxy", - "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "MyCognitoAuth": [] - } - ] - } - }, - "/any/cognito": { - "x-amazon-apigateway-any-method": { - "x-amazon-apigateway-integration": { - "type": "aws_proxy", - "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "MyCognitoAuth": [] - } - ] } } - }, - "securityDefinitions": { - "MyCognitoAuth": { - "type": "apiKey", - "name": "Authorization", - "in": "header", - "x-amazon-apigateway-authtype": "cognito_user_pools", - "x-amazon-apigateway-authorizer": { - 
"type": "cognito_user_pools", - "providerARNs": [ - { - "Fn::GetAtt": [ - "MyUserPool", - "Arn" - ] - } - ] - } - } - } - }, - "Parameters": { - "endpointConfigurationTypes": "REGIONAL" - }, - "EndpointConfiguration": { - "Types": [ - "REGIONAL" ] } } }, - "MyApiWithCognitoAuthDeployment5d6fbaaea5": { - "Type": "AWS::ApiGateway::Deployment", + "MyApiWithCognitoAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", "Properties": { - "Description": "RestApi deployment id: 5d6fbaaea5286fd32d64239db8b7f2247cb3f2b5", + "DeploymentId": { + "Ref": "MyApiWithCognitoAuthDeployment5d6fbaaea5" + }, "RestApiId": { "Ref": "MyApiWithCognitoAuth" }, - "StageName": "Stage" + "StageName": "Prod" } }, - "MyApiWithCognitoAuthProdStage": { + "MyApiWithNotCachedLambdaRequestAuthProdStage": { "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithCognitoAuthDeployment5d6fbaaea5" + "Ref": "MyApiWithNotCachedLambdaRequestAuthDeployment234e92eab4" }, "RestApiId": { - "Ref": "MyApiWithCognitoAuth" + "Ref": "MyApiWithNotCachedLambdaRequestAuth" }, "StageName": "Prod" } }, - "MyApiWithLambdaTokenAuth": { + "MyApiWithNotCachedLambdaRequestAuth": { "Type": "AWS::ApiGateway::RestApi", "Properties": { "Body": { - "swagger": "2.0", "info": { "version": "1.0", "title": { 
@@ -364,49 +344,33 @@ } }, "paths": { - "/lambda-token": { + "/not-cached-lambda-request": { "get": { "x-amazon-apigateway-integration": { - "type": "aws_proxy", "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "MyLambdaTokenAuth": [] - } - ] - } - }, - "/any/lambda-token": { - "x-amazon-apigateway-any-method": { - "x-amazon-apigateway-integration": { "type": "aws_proxy", - "httpMethod": "POST", "uri": { "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" } }, - "responses": {}, "security": [ { - "MyLambdaTokenAuth": [] + "MyLambdaRequestAuth": [] } - ] + ], + "responses": {} } } }, + "swagger": "2.0", "securityDefinitions": { - "MyLambdaTokenAuth": { - "type": "apiKey", - "name": "Authorization", + "MyLambdaRequestAuth": { "in": "header", - "x-amazon-apigateway-authtype": "custom", + "type": "apiKey", + "name": "Unused", "x-amazon-apigateway-authorizer": { - "type": "token", + "type": "request", + "authorizerResultTtlInSeconds": 0, "authorizerUri": { "Fn::Sub": [ "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", 
@@ -420,57 +384,109 @@ } ] } - } + }, + "x-amazon-apigateway-authtype": "custom" } } }, - "Parameters": { - "endpointConfigurationTypes": "REGIONAL" - }, "EndpointConfiguration": { "Types": [ "REGIONAL" ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" } } }, "MyApiWithLambdaTokenAuthDeployment79a03805ba": { "Type": "AWS::ApiGateway::Deployment", "Properties": { - "Description": "RestApi deployment id: 79a03805ba3abc1f005e1282f19bb79af68b4f96", "RestApiId": { "Ref": "MyApiWithLambdaTokenAuth" }, + "Description": "RestApi deployment id: 79a03805ba3abc1f005e1282f19bb79af68b4f96", "StageName": "Stage" } }, - "MyApiWithLambdaTokenAuthProdStage": { - "Type": "AWS::ApiGateway::Stage", + "MyFnLambdaTokenAnyMethodPermissionProd": { + "Type": "AWS::Lambda::Permission", "Properties": { - "DeploymentId": { - "Ref": "MyApiWithLambdaTokenAuthDeployment79a03805ba" + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" }, - "RestApiId": { - "Ref": "MyApiWithLambdaTokenAuth" + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-token", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithLambdaTokenAuth" + } + } + ] + } + } + }, + "MyFnCognitoAnyMethodPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" }, - "StageName": "Prod" + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/cognito", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } } }, - "MyApiWithLambdaTokenAuthMyLambdaTokenAuthAuthorizerPermission": { + "MyApiWithLambdaRequestAuthMyLambdaRequestAuthAuthorizerPermission": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", + 
"Principal": "apigateway.amazonaws.com", "FunctionName": { "Fn::GetAtt": [ "MyAuthFn", "Arn" ] }, - "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { + "__ApiId__": { + "Ref": "MyApiWithLambdaRequestAuth" + } + } + ] + } + } + }, + "MyFnLambdaTokenPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-token", + { + "__Stage__": "*", "__ApiId__": { "Ref": "MyApiWithLambdaTokenAuth" } @@ -479,11 +495,31 @@ } } }, - "MyApiWithLambdaRequestAuth": { + "MyFnLambdaRequestPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-request", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithLambdaRequestAuth" + } + } + ] + } + } + }, + "MyApiWithLambdaTokenAuth": { "Type": "AWS::ApiGateway::RestApi", "Properties": { "Body": { - "swagger": "2.0", "info": { "version": "1.0", "title": { 
@@ -491,49 +527,49 @@ } }, "paths": { - "/lambda-request": { + "/lambda-token": { "get": { "x-amazon-apigateway-integration": { - "type": "aws_proxy", "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" } }, - "responses": {}, "security": [ { - "MyLambdaRequestAuth": [] + "MyLambdaTokenAuth": [] } - ] + ], + "responses": {} } }, - "/any/lambda-request": { + "/any/lambda-token": { "x-amazon-apigateway-any-method": { "x-amazon-apigateway-integration": { - "type": "aws_proxy", "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" } }, - "responses": {}, "security": [ { - "MyLambdaRequestAuth": [] + "MyLambdaTokenAuth": [] } - ] + ], + "responses": {} } } }, + "swagger": "2.0", "securityDefinitions": { - "MyLambdaRequestAuth": { - "type": "apiKey", - "name": "Unused", + "MyLambdaTokenAuth": { "in": "header", - "x-amazon-apigateway-authtype": "custom", + "type": "apiKey", + "name": "Authorization", "x-amazon-apigateway-authorizer": { - "type": "request", + "type": "token", "authorizerUri": { "Fn::Sub": [ "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", 
@@ -546,30 +582,20 @@ } } ] - }, - "identitySource": "method.request.header.Authorization1" - } + } + }, + "x-amazon-apigateway-authtype": "custom" } } }, - "Parameters": { - "endpointConfigurationTypes": "REGIONAL" - }, "EndpointConfiguration": { "Types": [ "REGIONAL" ] - } - } - }, - "MyApiWithLambdaRequestAuthDeployment12aa7114ad": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "Description": "RestApi deployment id: 12aa7114ad8cd8aaeffd832e49f6f8aa8b6c2062", - "RestApiId": { - "Ref": "MyApiWithLambdaRequestAuth" }, - "StageName": "Stage" + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } } }, "MyApiWithLambdaRequestAuthProdStage": { 
@@ -584,28 +610,134 @@ "StageName": "Prod" } }, - "MyApiWithLambdaRequestAuthMyLambdaRequestAuthAuthorizerPermission": { + "MyApiWithNotCachedLambdaRequestAuthMyLambdaRequestAuthAuthorizerPermission": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Fn::GetAtt": [ "MyAuthFn", "Arn" ] }, - "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { - "Ref": "MyApiWithLambdaRequestAuth" + "Ref": "MyApiWithNotCachedLambdaRequestAuth" + } + } + ] + } + } + }, + "MyFnLambdaNotCachedRequestPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/not-cached-lambda-request", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithNotCachedLambdaRequestAuth" } } ] } } + }, + "MyApiWithLambdaRequestAuthDeployment12aa7114ad": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithLambdaRequestAuth" + }, + "Description": "RestApi deployment id: 12aa7114ad8cd8aaeffd832e49f6f8aa8b6c2062", + "StageName": "Stage" + } + }, + "MyAuthFnRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + }, + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyApiWithLambdaTokenAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + 
"DeploymentId": { + "Ref": "MyApiWithLambdaTokenAuthDeployment79a03805ba" + }, + "RestApiId": { + "Ref": "MyApiWithLambdaTokenAuth" + }, + "StageName": "Prod" + } + }, + "MyApiWithCognitoAuthDeployment5d6fbaaea5": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithCognitoAuth" + }, + "Description": "RestApi deployment id: 5d6fbaaea5286fd32d64239db8b7f2247cb3f2b5", + "StageName": "Stage" + } + }, + "MyFn": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFnRole", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } } } } \ No newline at end of file diff --git a/tests/translator/output/aws-cn/api_with_identity_intrinsic.json b/tests/translator/output/aws-cn/api_with_identity_intrinsic.json new file mode 100644 index 0000000000..84b61b86c7 --- /dev/null +++ b/tests/translator/output/aws-cn/api_with_identity_intrinsic.json 
@@ -0,0 +1,98 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Conditions": { + "isProd": true + }, + "Resources": { + "APIGateway": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": {}, + "swagger": "2.0", + "securityDefinitions": { + "SomeAuthorizer": { + "in": "header", + "type": "apiKey", + "name": "Unused", + "x-amazon-apigateway-authorizer": { + "type": "request", + "authorizerResultTtlInSeconds": { + "Fn::If": [ + "isProd", + 3600, + 0 + ] + }, + "identitySource": "method.request.header.Accept", + "authorizerUri": { + "Fn::Sub": [ + "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + { + "__FunctionArn__": "SomeArn" + } + ] + } + }, + "x-amazon-apigateway-authtype": "custom" + } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } + } + }, + "APIGatewaySomeAuthorizerAuthorizerPermission": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "SomeArn", + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + { + "__ApiId__": { + "Ref": "APIGateway" + } + } + ] + } + } + }, + "APIGatewayProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "APIGatewayDeployment2621a8c79f" + }, + "RestApiId": { + "Ref": "APIGateway" + }, + "StageName": "Prod" + } + }, + "APIGatewayDeployment2621a8c79f": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "APIGateway" + }, + "Description": "RestApi deployment id: 2621a8c79f8f26195374aad642039f511d020a75", + "StageName": "Stage" + } + } + } +} \ No newline at end of file 
diff --git a/tests/translator/output/aws-us-gov/api_with_auth_all_minimum.json b/tests/translator/output/aws-us-gov/api_with_auth_all_minimum.json index 9b583ee6f2..16b4cfc027 100644 --- a/tests/translator/output/aws-us-gov/api_with_auth_all_minimum.json +++ b/tests/translator/output/aws-us-gov/api_with_auth_all_minimum.json 
@@ -1,22 +1,227 @@ { "Resources": { + "MyApiWithCognitoAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/cognito": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuth": [] + } + ], + "responses": {} + } + }, + "/any/cognito": { + "x-amazon-apigateway-any-method": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyCognitoAuth": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "MyCognitoAuth": { + "in": "header", + "type": "apiKey", + "name": "Authorization", + "x-amazon-apigateway-authorizer": { + "providerARNs": [ + { + "Fn::GetAtt": [ + "MyUserPool", + "Arn" + ] + } + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } + } + }, + "MyApiWithLambdaRequestAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithLambdaRequestAuthDeployment468dce6129" + }, + "RestApiId": { + "Ref": "MyApiWithLambdaRequestAuth" + }, + "StageName": "Prod" + } + }, + "MyApiWithLambdaTokenAuthMyLambdaTokenAuthAuthorizerPermission": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Fn::GetAtt": [ + "MyAuthFn", + "Arn" + ] + }, + "SourceArn": { + "Fn::Sub": [ + 
"arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + { + "__ApiId__": { + "Ref": "MyApiWithLambdaTokenAuth" + } + } + ] + } + } + }, + "MyApiWithLambdaRequestAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/any/lambda-request": { + "x-amazon-apigateway-any-method": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyLambdaRequestAuth": [] + } + ], + "responses": {} + } + }, + "/lambda-request": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" + } + }, + "security": [ + { + "MyLambdaRequestAuth": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "MyLambdaRequestAuth": { + "in": "header", + "type": "apiKey", + "name": "Unused", + "x-amazon-apigateway-authorizer": { + "type": "request", + "identitySource": "method.request.header.Authorization1", + "authorizerUri": { + "Fn::Sub": [ + "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + { + "__FunctionArn__": { + "Fn::GetAtt": [ + "MyAuthFn", + "Arn" + ] + } + } + ] + } + }, + "x-amazon-apigateway-authtype": "custom" + } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } + } + }, + "MyApiWithCognitoAuthDeployment492f1347b1": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithCognitoAuth" + }, + "Description": "RestApi deployment id: 
492f1347b1194457232f0e99ced4a86954fdeec9", + "StageName": "Stage" + } + }, "MyUserPool": { "Type": "AWS::Cognito::UserPool", "Properties": { + "UsernameAttributes": [ + "email" + ], "UserPoolName": "UserPoolName", "Policies": { "PasswordPolicy": { "MinimumLength": 8 } }, - "UsernameAttributes": [ - "email" - ], "Schema": [ { "AttributeDataType": "String", - "Name": "email", - "Required": false + "Required": false, + "Name": "email" } ] } @@ -24,11 +229,11 @@ "MyAuthFn": { "Type": "AWS::Lambda::Function", "Properties": { + "Handler": "index.handler", "Code": { "S3Bucket": "bucket", "S3Key": "key" }, - "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "MyAuthFnRole", 
@@ -38,63 +243,41 @@ "Runtime": "nodejs12.x", "Tags": [ { - "Key": "lambda:createdBy", - "Value": "SAM" + "Value": "SAM", + "Key": "lambda:createdBy" } ] } }, - "MyAuthFnRole": { - "Type": "AWS::IAM::Role", + "MyFnLambdaRequestAnyMethodPermissionProd": { + "Type": "AWS::Lambda::Permission", "Properties": { - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-request", { - "Action": [ - "sts:AssumeRole" - ], - "Effect": "Allow", - "Principal": { - "Service": [ - "lambda.amazonaws.com" - ] + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithLambdaRequestAuth" } } ] - }, - "ManagedPolicyArns": [ - "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], - "Tags": [ - { - "Key": "lambda:createdBy", - "Value": "SAM" - } - ] + } } }, - "MyFn": { - "Type": "AWS::Lambda::Function", + "MyApiWithNotCachedLambdaRequestAuthDeploymentd3b8858811": { + "Type": "AWS::ApiGateway::Deployment", "Properties": { - "Code": { - "S3Bucket": "bucket", - "S3Key": "key" - }, - "Handler": "index.handler", - "Role": { - "Fn::GetAtt": [ - "MyFnRole", - "Arn" - ] + "RestApiId": { + "Ref": "MyApiWithNotCachedLambdaRequestAuth" }, - "Runtime": "nodejs12.x", - "Tags": [ - { - "Key": "lambda:createdBy", - "Value": "SAM" - } - ] + "Description": "RestApi deployment id: d3b8858811d6c42be45490ba4d1ca059821cf4fd", + "StageName": "Stage" } }, "MyFnRole": { 
@@ -121,222 +304,40 @@ ], "Tags": [ { - "Key": "lambda:createdBy", - "Value": "SAM" + "Value": "SAM", + "Key": "lambda:createdBy" } ] } }, - "MyFnCognitoAnyMethodPermissionProd": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFn" - }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/cognito", - { - "__ApiId__": { - "Ref": "MyApiWithCognitoAuth" - }, - "__Stage__": "*" - } - ] - } - } - }, - "MyFnLambdaRequestAnyMethodPermissionProd": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFn" - }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-request", - { - "__ApiId__": { - "Ref": "MyApiWithLambdaRequestAuth" - }, - "__Stage__": "*" - } - ] - } - } - }, - "MyFnLambdaTokenAnyMethodPermissionProd": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFn" - }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-token", - { - "__ApiId__": { - "Ref": "MyApiWithLambdaTokenAuth" - }, - "__Stage__": "*" - } - ] - } - } - }, "MyFnCognitoPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFn" }, - "Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/cognito", { + "__Stage__": "*", "__ApiId__": { "Ref": "MyApiWithCognitoAuth" - }, - "__Stage__": "*" - } - ] - } 
- } - }, - "MyFnLambdaRequestPermissionProd": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFn" - }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-request", - { - "__ApiId__": { - "Ref": "MyApiWithLambdaRequestAuth" - }, - "__Stage__": "*" - } - ] - } - } - }, - "MyFnLambdaTokenPermissionProd": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { - "Ref": "MyFn" - }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-token", - { - "__ApiId__": { - "Ref": "MyApiWithLambdaTokenAuth" - }, - "__Stage__": "*" - } - ] - } - } - }, - "MyApiWithCognitoAuth": { - "Type": "AWS::ApiGateway::RestApi", - "Properties": { - "Body": { - "swagger": "2.0", - "info": { - "version": "1.0", - "title": { - "Ref": "AWS::StackName" - } - }, - "paths": { - "/cognito": { - "get": { - "x-amazon-apigateway-integration": { - "type": "aws_proxy", - "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "MyCognitoAuth": [] - } - ] - } - }, - "/any/cognito": { - "x-amazon-apigateway-any-method": { - "x-amazon-apigateway-integration": { - "type": "aws_proxy", - "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "MyCognitoAuth": [] - } - ] - } - } - }, - "securityDefinitions": { - "MyCognitoAuth": { - "type": "apiKey", - "name": "Authorization", - "in": "header", - "x-amazon-apigateway-authtype": "cognito_user_pools", - 
"x-amazon-apigateway-authorizer": { - "type": "cognito_user_pools", - "providerARNs": [ - { - "Fn::GetAtt": [ - "MyUserPool", - "Arn" - ] - } - ] } } - } - }, - "Parameters": { - "endpointConfigurationTypes": "REGIONAL" - }, - "EndpointConfiguration": { - "Types": [ - "REGIONAL" ] } } }, - "MyApiWithCognitoAuthDeployment492f1347b1": { + "MyApiWithLambdaTokenAuthDeployment5f3dce4e5c": { "Type": "AWS::ApiGateway::Deployment", "Properties": { - "Description": "RestApi deployment id: 492f1347b1194457232f0e99ced4a86954fdeec9", "RestApiId": { - "Ref": "MyApiWithCognitoAuth" + "Ref": "MyApiWithLambdaTokenAuth" }, + "Description": "RestApi deployment id: 5f3dce4e5c196ff885a155dd8cc0ffeebd5b93b1", "StageName": "Stage" } }, 
@@ -352,61 +353,56 @@ "StageName": "Prod" } }, - "MyApiWithLambdaTokenAuth": { + "MyApiWithNotCachedLambdaRequestAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithNotCachedLambdaRequestAuthDeploymentd3b8858811" + }, + "RestApiId": { + "Ref": "MyApiWithNotCachedLambdaRequestAuth" + }, + "StageName": "Prod" + } + }, + "MyApiWithNotCachedLambdaRequestAuth": { "Type": "AWS::ApiGateway::RestApi", "Properties": { "Body": { - "swagger": "2.0", "info": { "version": "1.0", "title": { "Ref": "AWS::StackName" - } - }, - "paths": { - "/lambda-token": { - "get": { - "x-amazon-apigateway-integration": { - "type": "aws_proxy", - "httpMethod": "POST", - "uri": { - "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" - } - }, - "responses": {}, - "security": [ - { - "MyLambdaTokenAuth": [] - } - ] - } - }, - "/any/lambda-token": { - "x-amazon-apigateway-any-method": { + } + }, + "paths": { + "/not-cached-lambda-request": { + "get": { "x-amazon-apigateway-integration": { - "type": "aws_proxy", "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" } }, - "responses": {}, "security": [ { - "MyLambdaTokenAuth": [] + "MyLambdaRequestAuth": [] } - ] + ], + "responses": {} } } }, + "swagger": "2.0", "securityDefinitions": { - "MyLambdaTokenAuth": { - "type": "apiKey", - "name": "Authorization", + "MyLambdaRequestAuth": { "in": "header", - "x-amazon-apigateway-authtype": "custom", + "type": "apiKey", + "name": "Unused", "x-amazon-apigateway-authorizer": { - "type": "token", + "type": "request", + "authorizerResultTtlInSeconds": 0, "authorizerUri": { "Fn::Sub": [ "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", 
@@ -420,57 +416,99 @@ } ] } - } + }, + "x-amazon-apigateway-authtype": "custom" } } }, - "Parameters": { - "endpointConfigurationTypes": "REGIONAL" - }, "EndpointConfiguration": { "Types": [ "REGIONAL" ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" } } }, - "MyApiWithLambdaTokenAuthDeployment5f3dce4e5c": { - "Type": "AWS::ApiGateway::Deployment", + "MyFnLambdaTokenAnyMethodPermissionProd": { + "Type": "AWS::Lambda::Permission", "Properties": { - "Description": "RestApi deployment id: 5f3dce4e5c196ff885a155dd8cc0ffeebd5b93b1", - "RestApiId": { - "Ref": "MyApiWithLambdaTokenAuth" + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" }, - "StageName": "Stage" + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/lambda-token", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithLambdaTokenAuth" + } + } + ] + } } }, - "MyApiWithLambdaTokenAuthProdStage": { - "Type": "AWS::ApiGateway::Stage", + "MyFnCognitoAnyMethodPermissionProd": { + "Type": "AWS::Lambda::Permission", "Properties": { - "DeploymentId": { - "Ref": "MyApiWithLambdaTokenAuthDeployment5f3dce4e5c" - }, - "RestApiId": { - "Ref": "MyApiWithLambdaTokenAuth" + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" }, - "StageName": "Prod" + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/*/any/cognito", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithCognitoAuth" + } + } + ] + } } }, - "MyApiWithLambdaTokenAuthMyLambdaTokenAuthAuthorizerPermission": { + "MyApiWithLambdaRequestAuthMyLambdaRequestAuthAuthorizerPermission": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Fn::GetAtt": [ "MyAuthFn", "Arn" ] }, - 
"Principal": "apigateway.amazonaws.com", "SourceArn": { "Fn::Sub": [ "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { + "__ApiId__": { + "Ref": "MyApiWithLambdaRequestAuth" + } + } + ] + } + } + }, + "MyFnLambdaTokenPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-token", + { + "__Stage__": "*", "__ApiId__": { "Ref": "MyApiWithLambdaTokenAuth" } @@ -479,11 +517,31 @@ } } }, - "MyApiWithLambdaRequestAuth": { + "MyFnLambdaRequestPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/lambda-request", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithLambdaRequestAuth" + } + } + ] + } + } + }, + "MyApiWithLambdaTokenAuth": { "Type": "AWS::ApiGateway::RestApi", "Properties": { "Body": { - "swagger": "2.0", "info": { "version": "1.0", "title": { 
@@ -491,49 +549,49 @@ } }, "paths": { - "/lambda-request": { + "/lambda-token": { "get": { "x-amazon-apigateway-integration": { - "type": "aws_proxy", "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" } }, - "responses": {}, "security": [ { - "MyLambdaRequestAuth": [] + "MyLambdaTokenAuth": [] } - ] + ], + "responses": {} } }, - "/any/lambda-request": { + "/any/lambda-token": { "x-amazon-apigateway-any-method": { "x-amazon-apigateway-integration": { - "type": "aws_proxy", "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFn.Arn}/invocations" } }, - "responses": {}, "security": [ { - "MyLambdaRequestAuth": [] + "MyLambdaTokenAuth": [] } - ] + ], + "responses": {} } } }, + "swagger": "2.0", "securityDefinitions": { - "MyLambdaRequestAuth": { - "type": "apiKey", - "name": "Unused", + "MyLambdaTokenAuth": { "in": "header", - "x-amazon-apigateway-authtype": "custom", + "type": "apiKey", + "name": "Authorization", "x-amazon-apigateway-authorizer": { - "type": "request", + "type": "token", "authorizerUri": { "Fn::Sub": [ "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", 
@@ -546,66 +604,140 @@ } } ] - }, - "identitySource": "method.request.header.Authorization1" - } + } + }, + "x-amazon-apigateway-authtype": "custom" } } }, - "Parameters": { - "endpointConfigurationTypes": "REGIONAL" - }, "EndpointConfiguration": { "Types": [ "REGIONAL" ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } + } + }, + "MyApiWithNotCachedLambdaRequestAuthMyLambdaRequestAuthAuthorizerPermission": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Fn::GetAtt": [ + "MyAuthFn", + "Arn" + ] + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + { + "__ApiId__": { + "Ref": "MyApiWithNotCachedLambdaRequestAuth" + } + } + ] + } + } + }, + "MyFnLambdaNotCachedRequestPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFn" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/not-cached-lambda-request", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithNotCachedLambdaRequestAuth" + } + } + ] } } }, "MyApiWithLambdaRequestAuthDeployment468dce6129": { "Type": "AWS::ApiGateway::Deployment", "Properties": { - "Description": "RestApi deployment id: 468dce61296ac92bf536be6fc55751d9553dbc4b", "RestApiId": { "Ref": "MyApiWithLambdaRequestAuth" }, + "Description": "RestApi deployment id: 468dce61296ac92bf536be6fc55751d9553dbc4b", "StageName": "Stage" } }, - "MyApiWithLambdaRequestAuthProdStage": { + "MyAuthFnRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" 
+ ] + } + } + ] + }, + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyApiWithLambdaTokenAuthProdStage": { "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithLambdaRequestAuthDeployment468dce6129" + "Ref": "MyApiWithLambdaTokenAuthDeployment5f3dce4e5c" }, "RestApiId": { - "Ref": "MyApiWithLambdaRequestAuth" + "Ref": "MyApiWithLambdaTokenAuth" }, "StageName": "Prod" } }, - "MyApiWithLambdaRequestAuthMyLambdaRequestAuthAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "MyFn": { + "Type": "AWS::Lambda::Function", "Properties": { - "Action": "lambda:InvokeFunction", - "FunctionName": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { "Fn::GetAtt": [ - "MyAuthFn", + "MyFnRole", "Arn" ] }, - "Principal": "apigateway.amazonaws.com", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", - { - "__ApiId__": { - "Ref": "MyApiWithLambdaRequestAuth" - } - } - ] - } + "Runtime": "nodejs12.x", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] } } } -} \ No newline at end of file +} diff --git a/tests/translator/output/aws-us-gov/api_with_identity_intrinsic.json b/tests/translator/output/aws-us-gov/api_with_identity_intrinsic.json new file mode 100644 index 0000000000..098ebbf10e --- /dev/null +++ b/tests/translator/output/aws-us-gov/api_with_identity_intrinsic.json 
@@ -0,0 +1,98 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Conditions": { + "isProd": true + }, + "Resources": { + "APIGateway": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": {}, + "swagger": "2.0", + "securityDefinitions": { + "SomeAuthorizer": { + "in": "header", + "type": "apiKey", + "name": "Unused", + "x-amazon-apigateway-authorizer": { + "type": "request", + "authorizerResultTtlInSeconds": { + "Fn::If": [ + "isProd", + 3600, + 0 + ] + }, + "identitySource": "method.request.header.Accept", + "authorizerUri": { + "Fn::Sub": [ + "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + { + "__FunctionArn__": "SomeArn" + } + ] + } + }, + "x-amazon-apigateway-authtype": "custom" + } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } + } + }, + "APIGatewayDeploymentbbcece046c": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "APIGateway" + }, + "Description": "RestApi deployment id: bbcece046c6ecd35f10c6ba88cf762d87ef35e8a", + "StageName": "Stage" + } + }, + "APIGatewaySomeAuthorizerAuthorizerPermission": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "SomeArn", + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + { + "__ApiId__": { + "Ref": "APIGateway" + } + } + ] + } + } + }, + "APIGatewayProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "APIGatewayDeploymentbbcece046c" + }, + "RestApiId": { + "Ref": "APIGateway" + }, + "StageName": "Prod" + } + } + } +} 
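Review bot: `"identitySource": "method.request.header.Accept"` sits next to an `authorizerResultTtlInSeconds` that resolves to 3600 in the `isProd` branch, which models a one-hour authorizer cache keyed on a content-negotiation header. API Gateway uses the identity sources as the cache key for a request authorizer, so with this shape a cached policy would be reused for any caller sending the same `Accept` value. This is test data, but expected-output fixtures tend to be copied as examples; keying on the credential instead, `"identitySource": "method.request.header.Authorization"`, exercises the same translator path. The matching input template is not visible here and would need the same header change.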
diff --git a/tests/translator/test_translator.py b/tests/translator/test_translator.py index 0db19f45a8..b0193c2ae9 100644 --- a/tests/translator/test_translator.py +++ b/tests/translator/test_translator.py @@ -316,6 +316,7 @@ class TestTranslatorEndToEnd(AbstractTestTranslator): "api_with_gateway_responses_minimal", "api_with_gateway_responses_implicit", "api_with_gateway_responses_string_status_code", + "api_with_identity_intrinsic", "api_cache", "api_with_access_log_setting", "api_with_canary_setting",