diff --git a/samtranslator/model/api/api_generator.py b/samtranslator/model/api/api_generator.py index c906c0e6e0..4949309d98 100644 --- a/samtranslator/model/api/api_generator.py +++ b/samtranslator/model/api/api_generator.py @@ -21,8 +21,9 @@ CorsProperties.__new__.__defaults__ = (None, None, _CORS_WILDCARD, None, False) AuthProperties = namedtuple("_AuthProperties", - ["Authorizers", "DefaultAuthorizer", "InvokeRole", "AddDefaultAuthorizerToCorsPreflight"]) -AuthProperties.__new__.__defaults__ = (None, None, None, True) + ["Authorizers", "DefaultAuthorizer", "InvokeRole", "AddDefaultAuthorizerToCorsPreflight", + "ApiKeyRequired"]) +AuthProperties.__new__.__defaults__ = (None, None, None, True, None) GatewayResponseProperties = ["ResponseParameters", "ResponseTemplates", "StatusCode"] @@ -115,6 +116,8 @@ def _construct_rest_api(self): if self.definition_uri: rest_api.BodyS3Location = self._construct_body_s3_dict() elif self.definition_body: + # # Post Process OpenApi Auth Settings + self.definition_body = self._openapi_auth_postprocess(self.definition_body) rest_api.Body = self.definition_body if self.name: @@ -308,13 +311,17 @@ def _add_auth(self): authorizers = self._get_authorizers(auth_properties.Authorizers, auth_properties.DefaultAuthorizer) if authorizers: - swagger_editor.add_authorizers(authorizers) + swagger_editor.add_authorizers_security_definitions(authorizers) self._set_default_authorizer(swagger_editor, authorizers, auth_properties.DefaultAuthorizer, auth_properties.AddDefaultAuthorizerToCorsPreflight) - # Assign the Swagger back to template + if auth_properties.ApiKeyRequired: + swagger_editor.add_apikey_security_definition() + self._set_default_apikey_required(swagger_editor) - self.definition_body = self._openapi_auth_postprocess(swagger_editor.swagger) + # Assign the Swagger back to template + # self.definition_body = self._openapi_auth_postprocess(swagger_editor.swagger) + self.definition_body = swagger_editor.swagger def _openapi_auth_postprocess(self, definition_body): """ @@ -523,6 +530,10 @@ def _set_default_authorizer(self, swagger_editor, authorizers, default_authorize swagger_editor.set_path_default_authorizer(path, default_authorizer, authorizers=authorizers, add_default_auth_to_preflight=add_default_auth_to_preflight) + def _set_default_apikey_required(self, swagger_editor): + for path in swagger_editor.iter_on_path(): + swagger_editor.set_path_default_apikey_required(path) + def _set_endpoint_configuration(self, rest_api, value): """ Sets endpoint configuration property of AWS::ApiGateway::RestApi resource diff --git a/samtranslator/model/eventsources/push.py b/samtranslator/model/eventsources/push.py index 14217806fb..23b43d2d52 100644 --- a/samtranslator/model/eventsources/push.py +++ b/samtranslator/model/eventsources/push.py @@ -123,9 +123,9 @@ class CloudWatchEvent(PushEventSource): resource_type = 'CloudWatchEvent' principal = 'events.amazonaws.com' property_types = { - 'Pattern': PropertyType(False, is_type(dict)), - 'Input': PropertyType(False, is_str()), - 'InputPath': PropertyType(False, is_str()) + 'Pattern': PropertyType(False, is_type(dict)), + 'Input': PropertyType(False, is_str()), + 'InputPath': PropertyType(False, is_str()) } def to_cloudformation(self, **kwargs): @@ -536,9 +536,9 @@ def _add_swagger_integration(self, api, function): if self.Auth: method_authorizer = self.Auth.get('Authorizer') + api_auth = api.get('Auth') if method_authorizer: - api_auth = api.get('Auth') api_authorizers = api_auth and api_auth.get('Authorizers') if method_authorizer != 'AWS_IAM': @@ -563,6 +563,16 @@ def _add_swagger_integration(self, api, function): 'is only a valid value when a DefaultAuthorizer on the API is specified.'.format( method=self.Method, path=self.Path)) + apikey_required_setting = self.Auth.get('ApiKeyRequired') + apikey_required_setting_is_false = apikey_required_setting is not None and not apikey_required_setting + if apikey_required_setting_is_false and not api_auth.get('ApiKeyRequired'): + raise InvalidEventException( + self.relative_id, + 'Unable to set ApiKeyRequired [False] on API method [{method}] for path [{path}] ' + 'because the related API does not specify any ApiKeyRequired.'.format( + method=self.Method, path=self.Path)) + + if method_authorizer or apikey_required_setting is not None: editor.add_auth_to_method(api=api, path=self.Path, method_name=self.Method, auth=self.Auth) if self.RequestModel: diff --git a/samtranslator/swagger/swagger.py b/samtranslator/swagger/swagger.py index c823e2a6a0..2b61f509f1 100644 --- a/samtranslator/swagger/swagger.py +++ b/samtranslator/swagger/swagger.py @@ -160,9 +160,9 @@ def add_lambda_integration(self, path, method, integration_uri, path_dict = self.get_path(path) path_dict[method][self._X_APIGW_INTEGRATION] = { - 'type': 'aws_proxy', - 'httpMethod': 'POST', - 'uri': integration_uri + 'type': 'aws_proxy', + 'httpMethod': 'POST', + 'uri': integration_uri } method_auth_config = method_auth_config or {} @@ -389,7 +389,7 @@ def _make_cors_allowed_methods_for_path(self, path): # Allow-Methods is comma separated string return ','.join(allow_methods) - def add_authorizers(self, authorizers): + def add_authorizers_security_definitions(self, authorizers): """ Add Authorizer definitions to the securityDefinitions part of Swagger. @@ -400,11 +400,56 @@ def add_authorizers(self, authorizers): for authorizer_name, authorizer in authorizers.items(): self.security_definitions[authorizer_name] = authorizer.generate_swagger() + def add_awsiam_security_definition(self): + """ + Adds AWS_IAM definition to the securityDefinitions part of Swagger. + Note: this method is idempotent + """ + + aws_iam_security_definition = { + 'AWS_IAM': { + 'x-amazon-apigateway-authtype': 'awsSigv4', + 'type': 'apiKey', + 'name': 'Authorization', + 'in': 'header' + } + } + + self.security_definitions = self.security_definitions or {} + + # Only add the security definition if it doesn't exist. This helps ensure + # that we minimize changes to the swagger in the case of user defined swagger + if 'AWS_IAM' not in self.security_definitions: + self.security_definitions.update(aws_iam_security_definition) + + def add_apikey_security_definition(self): + """ + Adds api_key definition to the securityDefinitions part of Swagger. + Note: this method is idempotent + """ + + api_key_security_definition = { + 'api_key': { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + } + } + + self.security_definitions = self.security_definitions or {} + + # Only add the security definition if it doesn't exist. This helps ensure + # that we minimize changes to the swagger in the case of user defined swagger + if 'api_key' not in self.security_definitions: + self.security_definitions.update(api_key_security_definition) + def set_path_default_authorizer(self, path, default_authorizer, authorizers, add_default_auth_to_preflight=True): """ - Sets the DefaultAuthorizer for each method on this path. The DefaultAuthorizer won't be set if an Authorizer - was defined at the Function/Path/Method level + Adds the default_authorizer to the security block for each method on this path unless an Authorizer + was defined at the Function/Path/Method level. This is intended to be used to set the + authorizer security restriction for all api methods based upon the default configured in the + Serverless API. :param string path: Path name :param string default_authorizer: Name of the authorizer to use as the default. Must be a key in the @@ -416,35 +461,170 @@ def set_path_default_authorizer(self, path, default_authorizer, authorizers, for method_name, method in self.get_path(path).items(): normalized_method_name = self._normalize_method_name(method_name) + # Excluding paramters section if normalized_method_name == "parameters": continue if add_default_auth_to_preflight or normalized_method_name != "options": - self.set_method_authorizer(path, method_name, default_authorizer, authorizers, - default_authorizer=default_authorizer, is_default=True) + normalized_method_name = self._normalize_method_name(method_name) + # It is possible that the method could have two definitions in a Fn::If block. + for method_definition in self.get_method_contents(self.get_path(path)[normalized_method_name]): + + # If no integration given, then we don't need to process this definition (could be AWS::NoValue) + if not self.method_definition_has_integration(method_definition): + continue + existing_security = method_definition.get('security', []) + authorizer_list = ['AWS_IAM'] + if authorizers: + authorizer_list.extend(authorizers.keys()) + authorizer_names = set(authorizer_list) + existing_non_authorizer_security = [] + existing_authorizer_security = [] + + # Split existing security into Authorizers and everything else + # (e.g. sigv4 (AWS_IAM), api_key (API Key/Usage Plans), NONE (marker for ignoring default)) + # We want to ensure only a single Authorizer security entry exists while keeping everything else + for security in existing_security: + if authorizer_names.isdisjoint(security.keys()): + existing_non_authorizer_security.append(security) + else: + existing_authorizer_security.append(security) + + none_idx = -1 + authorizer_security = [] + + # Check for an existing Authorizer before applying the default. It would be simpler + # if instead we applied the DefaultAuthorizer first and then simply + # overwrote it if necessary, however, the order in which things get + # applied (Function Api Events first; then Api Resource) complicates it. + # Check if Function/Path/Method specified 'NONE' for Authorizer + for idx, security in enumerate(existing_non_authorizer_security): + is_none = any(key == 'NONE' for key in security.keys()) + + if is_none: + none_idx = idx + break + + # NONE was found; remove it and don't add the DefaultAuthorizer + if none_idx > -1: + del existing_non_authorizer_security[none_idx] + + # Existing Authorizer found (defined at Function/Path/Method); use that instead of default + elif existing_authorizer_security: + authorizer_security = existing_authorizer_security + + # No existing Authorizer found; use default + else: + security_dict = {} + security_dict[default_authorizer] = [] + authorizer_security = [security_dict] + + security = existing_non_authorizer_security + authorizer_security + + if security: + method_definition['security'] = security + + # The first element of the method_definition['security'] should be AWS_IAM + # because authorizer_list = ['AWS_IAM'] is hardcoded above + if 'AWS_IAM' in method_definition['security'][0]: + self.add_awsiam_security_definition() + + def set_path_default_apikey_required(self, path): + """ + Add the ApiKey security as required for each method on this path unless ApiKeyRequired + was defined at the Function/Path/Method level. This is intended to be used to set the + apikey security restriction for all api methods based upon the default configured in the + Serverless API. + + :param string path: Path name + """ + + for method_name, _ in self.get_path(path).items(): + # Excluding paramters section + if method_name == "parameters": + continue + + normalized_method_name = self._normalize_method_name(method_name) + # It is possible that the method could have two definitions in a Fn::If block. + for method_definition in self.get_method_contents(self.get_path(path)[normalized_method_name]): + + # If no integration given, then we don't need to process this definition (could be AWS::NoValue) + if not self.method_definition_has_integration(method_definition): + continue + + existing_security = method_definition.get('security', []) + apikey_security_names = set(['api_key', 'api_key_false']) + existing_non_apikey_security = [] + existing_apikey_security = [] + apikey_security = [] + + # Split existing security into ApiKey and everything else + # (e.g. sigv4 (AWS_IAM), authorizers, NONE (marker for ignoring default authorizer)) + # We want to ensure only a single ApiKey security entry exists while keeping everything else + for security in existing_security: + if apikey_security_names.isdisjoint(security.keys()): + existing_non_apikey_security.append(security) + else: + existing_apikey_security.append(security) + + # Check for an existing method level ApiKey setting before applying the default. It would be simpler + # if instead we applied the default first and then simply + # overwrote it if necessary, however, the order in which things get + # applied (Function Api Events first; then Api Resource) complicates it. + # Check if Function/Path/Method specified 'False' for ApiKeyRequired + apikeyfalse_idx = -1 + for idx, security in enumerate(existing_apikey_security): + is_none = any(key == 'api_key_false' for key in security.keys()) + + if is_none: + apikeyfalse_idx = idx + break + + # api_key_false was found; remove it and don't add default api_key security setting + if apikeyfalse_idx > -1: + del existing_apikey_security[apikeyfalse_idx] + + # No existing ApiKey setting found or it's already set to the default + else: + security_dict = {} + security_dict['api_key'] = [] + apikey_security = [security_dict] + + security = existing_non_apikey_security + apikey_security + + if security != existing_security: + method_definition['security'] = security def add_auth_to_method(self, path, method_name, auth, api): """ - Adds auth settings for this path/method. Auth settings currently consist solely of Authorizers - but this method will eventually include setting other auth settings such as API Key, - Resource Policy, etc. + Adds auth settings for this path/method. Auth settings currently consist of Authorizers and ApiKeyRequired + but this method will eventually include setting other auth settings such as Resource Policy, etc. + This is used to configure the security for individual functions. :param string path: Path name :param string method_name: Method name - :param dict auth: Auth configuration such as Authorizers, ApiKey, ResourcePolicy (only Authorizers supported - currently) + :param dict auth: Auth configuration such as Authorizers, ApiKeyRequired, ResourcePolicy + (Authorizers and ApiKeyRequired supported currently) :param dict api: Reference to the related Api's properties as defined in the template. """ method_authorizer = auth and auth.get('Authorizer') if method_authorizer: - api_auth = api.get('Auth') - api_authorizers = api_auth and api_auth.get('Authorizers') - default_authorizer = api_auth and api_auth.get('DefaultAuthorizer') + self._set_method_authorizer(path, method_name, method_authorizer) + + method_apikey_required = auth and auth.get('ApiKeyRequired') + if method_apikey_required is not None: + self._set_method_apikey_handling(path, method_name, method_apikey_required) - self.set_method_authorizer(path, method_name, method_authorizer, api_authorizers, default_authorizer) + def _set_method_authorizer(self, path, method_name, authorizer_name): + """ + Adds the authorizer_name to the security block for each method on this path. + This is used to configure the authorizer for individual functions. - def set_method_authorizer(self, path, method_name, authorizer_name, authorizers, default_authorizer, - is_default=False): + :param string path: Path name + :param string method_name: Method name + :param string authorizer_name: Name of the authorizer to use. Must be a key in the + authorizers param. + """ normalized_method_name = self._normalize_method_name(method_name) # It is possible that the method could have two definitions in a Fn::If block. for method_definition in self.get_method_contents(self.get_path(path)[normalized_method_name]): @@ -452,82 +632,63 @@ def set_method_authorizer(self, path, method_name, authorizer_name, authorizers, # If no integration given, then we don't need to process this definition (could be AWS::NoValue) if not self.method_definition_has_integration(method_definition): continue + existing_security = method_definition.get('security', []) - # TEST: [{'sigv4': []}, {'api_key': []}]) - authorizer_list = ['AWS_IAM'] - if authorizers: - authorizer_list.extend(authorizers.keys()) - authorizer_names = set(authorizer_list) - existing_non_authorizer_security = [] - existing_authorizer_security = [] - - # Split existing security into Authorizers and everything else - # (e.g. sigv4 (AWS_IAM), api_key (API Key/Usage Plans), NONE (marker for ignoring default)) - # We want to ensure only a single Authorizer security entry exists while keeping everything else - for security in existing_security: - if authorizer_names.isdisjoint(security.keys()): - existing_non_authorizer_security.append(security) - else: - existing_authorizer_security.append(security) - none_idx = -1 - authorizer_security = [] + security_dict = {} + security_dict[authorizer_name] = [] + authorizer_security = [security_dict] - # If this is the Api-level DefaultAuthorizer we need to check for an - # existing Authorizer before applying the default. It would be simpler - # if instead we applied the DefaultAuthorizer first and then simply - # overwrote it if necessary, however, the order in which things get - # applied (Function Api Events first; then Api Resource) complicates it. - if is_default: - # Check if Function/Path/Method specified 'NONE' for Authorizer - for idx, security in enumerate(existing_non_authorizer_security): - is_none = any(key == 'NONE' for key in security.keys()) + # This assumes there are no autorizers already configured in the existing security block + security = existing_security + authorizer_security - if is_none: - none_idx = idx - break + if security: + method_definition['security'] = security - # NONE was found; remove it and don't add the DefaultAuthorizer - if none_idx > -1: - del existing_non_authorizer_security[none_idx] + # The first element of the method_definition['security'] should be AWS_IAM + # because authorizer_list = ['AWS_IAM'] is hardcoded above + if 'AWS_IAM' in method_definition['security'][0]: + self.add_awsiam_security_definition() - # Existing Authorizer found (defined at Function/Path/Method); use that instead of default - elif existing_authorizer_security: - authorizer_security = existing_authorizer_security + def _set_method_apikey_handling(self, path, method_name, apikey_required): + """ + Adds the apikey setting to the security block for each method on this path. + This is used to configure the authorizer for individual functions. - # No existing Authorizer found; use default - else: - security_dict = {} - security_dict[authorizer_name] = [] - authorizer_security = [security_dict] + :param string path: Path name + :param string method_name: Method name + :param bool apikey_required: Whether the apikey security is required + """ + normalized_method_name = self._normalize_method_name(method_name) + # It is possible that the method could have two definitions in a Fn::If block. + for method_definition in self.get_method_contents(self.get_path(path)[normalized_method_name]): + + # If no integration given, then we don't need to process this definition (could be AWS::NoValue) + if not self.method_definition_has_integration(method_definition): + continue + + existing_security = method_definition.get('security', []) - # This is a Function/Path/Method level Authorizer; simply set it + if apikey_required: + # We want to enable apikey required security + security_dict = {} + security_dict['api_key'] = [] + apikey_security = [security_dict] + self.add_apikey_security_definition() else: + # The method explicitly does NOT require apikey and there is an API default + # so let's add a marker 'api_key_false' so that we don't incorrectly override + # with the api default security_dict = {} - security_dict[authorizer_name] = [] - authorizer_security = [security_dict] + security_dict['api_key_false'] = [] + apikey_security = [security_dict] - security = existing_non_authorizer_security + authorizer_security + # This assumes there are no autorizers already configured in the existing security block + security = existing_security + apikey_security - if security: + if security != existing_security: method_definition['security'] = security - # The first element of the method_definition['security'] should be AWS_IAM - # because authorizer_list = ['AWS_IAM'] is hardcoded above - if 'AWS_IAM' in method_definition['security'][0]: - aws_iam_security_definition = { - 'AWS_IAM': { - 'x-amazon-apigateway-authtype': 'awsSigv4', - 'type': 'apiKey', - 'name': 'Authorization', - 'in': 'header' - } - } - if not self.security_definitions: - self.security_definitions = aws_iam_security_definition - elif 'AWS_IAM' not in self.security_definitions: - self.security_definitions.update(aws_iam_security_definition) - def add_request_model_to_method(self, path, method_name, request_model): """ Adds request model body parameter for this path/method. diff --git a/tests/swagger/test_swagger.py b/tests/swagger/test_swagger.py index e3771e87bf..907e091cb8 100644 --- a/tests/swagger/test_swagger.py +++ b/tests/swagger/test_swagger.py @@ -131,6 +131,7 @@ def test_must_not_fail_on_bad_path(self): self.assertTrue(self.editor.has_path("badpath")) self.assertFalse(self.editor.has_path("badpath", "somemethod")) + class TestSwaggerEditor_has_integration(TestCase): def setUp(self): @@ -725,6 +726,7 @@ def test_allow_credentials_is_skipped_with_false_value(self): actual = options_config[_X_INTEGRATION]["responses"]["default"]["responseParameters"] self.assertEqual(expected, actual) + class TestSwaggerEditor_make_cors_allowed_methods_for_path(TestCase): def setUp(self): @@ -1112,4 +1114,120 @@ def test_must_add_body_parameter_to_method_openapi_required_true(self): } } - self.assertEqual(expected, editor.swagger['paths']['/foo']['get']['requestBody']) \ No newline at end of file + self.assertEqual(expected, editor.swagger['paths']['/foo']['get']['requestBody']) + +class TestSwaggerEditor_add_auth(TestCase): + + def setUp(self): + + self.original_swagger = { + "swagger": "2.0", + "paths": { + "/foo": { + "get": { + _X_INTEGRATION: { + "a": "b" + } + }, + "post":{ + _X_INTEGRATION: { + "a": "b" + } + } + }, + "/bar": { + "get": { + _X_INTEGRATION: { + "a": "b" + } + } + }, + } + } + + self.editor = SwaggerEditor(self.original_swagger) + + def test_add_apikey_security_definition_is_added(self): + expected = { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + } + + self.editor.add_apikey_security_definition() + self.assertIn('securityDefinitions', self.editor.swagger) + self.assertIn('api_key', self.editor.swagger["securityDefinitions"]) + self.assertEqual(expected, self.editor.swagger["securityDefinitions"]['api_key']) + + def test_must_add_default_apikey_to_all_paths(self): + expected = [{ + "api_key": [] + }] + path = "/foo" + + + self.editor.set_path_default_apikey_required(path) + methods = self.editor.swagger["paths"][path] + for method in methods: + self.assertEqual(expected, methods[method]["security"]) + + def test_add_default_apikey_to_all_paths_correctly_handles_method_level_settings(self): + self.original_swagger = { + "swagger": "2.0", + "paths": { + "/foo": { + "apikeyfalse": { + _X_INTEGRATION: { + "a": "b" + }, + "security":[ + {"api_key_false":[]} + ] + }, + "apikeytrue": { + _X_INTEGRATION: { + "a": "b" + }, + "security":[ + {"api_key":[]} + ] + }, + "apikeydefault":{ + _X_INTEGRATION: { + "a": "b" + } + } + }, + } + } + + self.editor = SwaggerEditor(self.original_swagger) + api_key_exists = [{ + "api_key": [] + }] + path = "/foo" + + self.editor.set_path_default_apikey_required(path) + self.assertEqual([], self.editor.swagger["paths"][path]['apikeyfalse']["security"]) + self.assertEqual(api_key_exists, self.editor.swagger["paths"][path]['apikeytrue']["security"]) + self.assertEqual(api_key_exists, self.editor.swagger["paths"][path]['apikeydefault']["security"]) + + def test_set_method_apikey_handling_apikeyrequired_false(self): + expected = [{ + "api_key_false": [] + }] + path = "/bar" + method = "get" + + self.editor._set_method_apikey_handling(path, method, False) + self.assertEqual(expected, self.editor.swagger["paths"][path][method]["security"]) + + def test_set_method_apikey_handling_apikeyrequired_true(self): + expected = [{ + "api_key": [] + }] + path = "/bar" + method = "get" + + self.editor._set_method_apikey_handling(path, method, True) + self.assertEqual(expected, self.editor.swagger["paths"][path][method]["security"]) diff --git a/tests/translator/input/api_with_apikey_default_override.yaml b/tests/translator/input/api_with_apikey_default_override.yaml new file mode 100644 index 0000000000..53a94e3b62 --- /dev/null +++ b/tests/translator/input/api_with_apikey_default_override.yaml @@ -0,0 +1,51 @@ +Resources: + MyApiWithAuth: + Type: "AWS::Serverless::Api" + Properties: + StageName: Prod + Auth: + ApiKeyRequired: true + + MyFunctionWithApiKeyRequiredDefault: + Type: AWS::Serverless::Function + Properties: + CodeUri: s3://bucket/key + Handler: index.handler + Runtime: nodejs8.10 + Events: + MyApiWithApiKeyRequiredDefault: + Type: Api + Properties: + RestApiId: !Ref MyApiWithAuth + Path: /ApiKeyDefault + Method: get + MyFunctionWithApiKeyRequiredTrue: + Type: AWS::Serverless::Function + Properties: + CodeUri: s3://bucket/key + Handler: index.handler + Runtime: nodejs8.10 + Events: + MyApiWithApiKeyRequiredTrue: + Type: Api + Properties: + RestApiId: !Ref MyApiWithAuth + Path: /ApiKeyTrue + Method: get + Auth: + ApiKeyRequired: true + MyFunctionWithApiKeyRequiredFalse: + Type: AWS::Serverless::Function + Properties: + CodeUri: s3://bucket/key + Handler: index.handler + Runtime: nodejs8.10 + Events: + MyApiWithApiKeyRequiredFalse: + Type: Api + Properties: + RestApiId: !Ref MyApiWithAuth + Path: /ApiKeyFalse + Method: get + Auth: + ApiKeyRequired: false diff --git a/tests/translator/input/api_with_apikey_required.yaml b/tests/translator/input/api_with_apikey_required.yaml new file mode 100644 index 0000000000..e5c562c916 --- /dev/null +++ b/tests/translator/input/api_with_apikey_required.yaml @@ -0,0 +1,21 @@ +Resources: + MyApiWithoutAuth: + Type: "AWS::Serverless::Api" + Properties: + StageName: Prod + + MyFunctionWithApiKeyRequired: + Type: AWS::Serverless::Function + Properties: + CodeUri: s3://bucket/key + Handler: index.handler + Runtime: nodejs8.10 + Events: + MyApiWithApiKeyRequired: + Type: Api + Properties: + RestApiId: !Ref MyApiWithoutAuth + Path: /ApiKeyRequiredTrue + Method: get + Auth: + ApiKeyRequired: true diff --git a/tests/translator/input/api_with_apikey_required_openapi_3.yaml b/tests/translator/input/api_with_apikey_required_openapi_3.yaml new file mode 100644 index 0000000000..95d7727c58 --- /dev/null +++ b/tests/translator/input/api_with_apikey_required_openapi_3.yaml @@ -0,0 +1,22 @@ +Resources: + MyApiWithoutAuth: + Type: "AWS::Serverless::Api" + Properties: + StageName: Prod + OpenApiVersion: '3.0.1' + + MyFunctionWithApiKeyRequired: + Type: AWS::Serverless::Function + Properties: + CodeUri: s3://bucket/key + Handler: index.handler + Runtime: nodejs8.10 + Events: + MyApiWithApiKeyRequired: + Type: Api + Properties: + RestApiId: !Ref MyApiWithoutAuth + Path: /ApiKeyRequiredTrue + Method: get + Auth: + ApiKeyRequired: true diff --git a/tests/translator/input/api_with_auth_all_maximum.yaml b/tests/translator/input/api_with_auth_all_maximum.yaml index 89c94fdc7e..e3dbd397b3 100644 --- a/tests/translator/input/api_with_auth_all_maximum.yaml +++ b/tests/translator/input/api_with_auth_all_maximum.yaml @@ -5,6 +5,7 @@ Resources: StageName: Prod Auth: DefaultAuthorizer: MyCognitoAuth + ApiKeyRequired: true Authorizers: MyCognitoAuth: UserPoolArn: arn:aws:1 diff --git a/tests/translator/input/api_with_auth_all_maximum_openapi_3.yaml b/tests/translator/input/api_with_auth_all_maximum_openapi_3.yaml index 8cab3cd48c..bb236464fe 100644 --- a/tests/translator/input/api_with_auth_all_maximum_openapi_3.yaml +++ b/tests/translator/input/api_with_auth_all_maximum_openapi_3.yaml @@ -6,6 +6,7 @@ Resources: OpenApiVersion: '3.0.1' Auth: DefaultAuthorizer: MyCognitoAuth + ApiKeyRequired: true Authorizers: MyCognitoAuth: UserPoolArn: arn:aws:1 diff --git a/tests/translator/input/globals_for_api.yaml b/tests/translator/input/globals_for_api.yaml index 5d3a956322..92aca3703e 100644 --- a/tests/translator/input/globals_for_api.yaml +++ b/tests/translator/input/globals_for_api.yaml @@ -8,6 +8,7 @@ Globals: Authorizers: MyCognitoAuth: UserPoolArn: !GetAtt MyUserPool.Arn + ApiKeyRequired: true Variables: SomeVar: Value diff --git a/tests/translator/input/implicit_api_with_auth_and_conditions_max.yaml b/tests/translator/input/implicit_api_with_auth_and_conditions_max.yaml index 61d2751a21..3c0ac05049 100644 --- a/tests/translator/input/implicit_api_with_auth_and_conditions_max.yaml +++ b/tests/translator/input/implicit_api_with_auth_and_conditions_max.yaml @@ -161,4 +161,6 @@ Resources: Type: Api Properties: Path: /users - Method: put \ No newline at end of file + Method: put + Auth: + ApiKeyRequired: true \ No newline at end of file diff --git a/tests/translator/output/api_with_apikey_default_override.json b/tests/translator/output/api_with_apikey_default_override.json new file mode 100644 index 0000000000..03f6db829a --- /dev/null +++ b/tests/translator/output/api_with_apikey_default_override.json @@ -0,0 +1,363 @@ +{ + "Resources": { + "MyApiWithAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithAuthDeployment054e605502" + }, + "RestApiId": { + "Ref": "MyApiWithAuth" + }, + "StageName": "Prod" + } + }, + "MyFunctionWithApiKeyRequiredTrueMyApiWithApiKeyRequiredTruePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredTrue" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyTrue", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredFalseMyApiWithApiKeyRequiredFalsePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredFalse" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyFalse", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredFalseMyApiWithApiKeyRequiredFalsePermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredFalse" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyFalse", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredTrue": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredTrueRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFunctionWithApiKeyRequiredDefault": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredDefaultRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFunctionWithApiKeyRequiredDefaultMyApiWithApiKeyRequiredDefaultPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredDefault" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyDefault", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyApiWithAuthDeployment054e605502": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithAuth" + }, + "Description": "RestApi deployment id: 054e60550295973114b1bc4384d00c8b641ea20f", + "StageName": "Stage" + } + }, + "MyFunctionWithApiKeyRequiredFalse": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredFalseRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFunctionWithApiKeyRequiredFalseRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredDefaultRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredDefaultMyApiWithApiKeyRequiredDefaultPermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredDefault" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyDefault", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredTrueMyApiWithApiKeyRequiredTruePermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredTrue" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyTrue", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredTrueRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyApiWithAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/ApiKeyFalse": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequiredFalse.Arn}/invocations" + } + }, + "security": [], + "responses": {} + } + }, + "/ApiKeyTrue": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequiredTrue.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} + } + }, + "/ApiKeyDefault": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequiredDefault.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + } + } + } + } + } + } + } \ No newline at end of file diff --git a/tests/translator/output/api_with_apikey_required.json b/tests/translator/output/api_with_apikey_required.json new file mode 100644 index 0000000000..b864a2dcc8 --- /dev/null +++ b/tests/translator/output/api_with_apikey_required.json @@ -0,0 +1,155 @@ +{ + "Resources": { + "MyFunctionWithApiKeyRequiredRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } + } + ] + } + } + }, + "MyApiWithoutAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/ApiKeyRequiredTrue": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequired.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + } + } + } + } + }, + "MyApiWithoutAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithoutAuthDeployment3ab9d13134" + }, + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "StageName": "Prod" + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequired": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyApiWithoutAuthDeployment3ab9d13134": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "Description": "RestApi deployment id: 3ab9d13134bf550e275a303c6987801dfb7f9d7b", + "StageName": "Stage" + } + } + } +} \ No newline at end of file diff --git a/tests/translator/output/api_with_apikey_required_openapi_3.json b/tests/translator/output/api_with_apikey_required_openapi_3.json new file mode 100644 index 0000000000..e913e63751 --- /dev/null +++ b/tests/translator/output/api_with_apikey_required_openapi_3.json @@ -0,0 +1,156 @@ +{ + "Resources": { + "MyFunctionWithApiKeyRequiredRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } + } + ] + } + } + }, + "MyApiWithoutAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/ApiKeyRequiredTrue": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequired.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} + } + } + }, + "openapi": "3.0.1", + "components": { + "securitySchemes": { + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + } + } + } + } + } + }, + "MyApiWithoutAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithoutAuthDeployment741383c56d" + }, + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "StageName": "Prod" + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequired": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyApiWithoutAuthDeployment741383c56d": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "Description": "RestApi deployment id: 741383c56de0cab1f561223582a9259cf165b42f" + } + } + } +} \ No newline at end of file diff --git a/tests/translator/output/api_with_auth_all_maximum.json b/tests/translator/output/api_with_auth_all_maximum.json index 61b4a6b398..3701420314 100644 --- a/tests/translator/output/api_with_auth_all_maximum.json +++ b/tests/translator/output/api_with_auth_all_maximum.json @@ -1,39 +1,41 @@ { "Resources": { "MyFunction": { - "Type": "AWS::Lambda::Function", + "Type": "AWS::Lambda::Function", "Properties": { + "Handler": "index.handler", "Code": { - "S3Bucket": "sam-demo-bucket", + "S3Bucket": "sam-demo-bucket", "S3Key": "thumbnails.zip" - }, - "Handler": "index.handler", + }, "Role": { "Fn::GetAtt": [ - "MyFunctionRole", + "MyFunctionRole", "Arn" ] - }, - "Runtime": "nodejs8.10", - "Tags": [{ - "Value": "SAM", - "Key": "lambda:createdBy" - }] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] } - }, + }, "MyFunctionWithLambdaTokenAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } @@ -41,16 +43,16 @@ ] } } - }, + }, "MyApiMyLambdaRequestAuthAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": "arn:aws", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "arn:aws", "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { "Ref": "MyApi" @@ -59,20 +61,20 @@ ] } } - }, + }, "MyFunctionWithLambdaTokenAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -80,20 +82,20 @@ ] } } - }, + }, "MyFunctionWithDefaultAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -101,20 +103,20 @@ ] } } - }, + }, "MyFunctionWithCognitoMultipleUserPoolsAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } @@ -122,20 +124,20 @@ ] } } - }, + }, "MyFunctionWithNoAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -143,210 +145,242 @@ ] } } - }, + }, "MyFunctionRole": { - "Type": "AWS::IAM::Role", + "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], + ], "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [{ - "Action": [ - "sts:AssumeRole" - ], - "Effect": "Allow", - "Principal": { - "Service": [ - "lambda.amazonaws.com" - ] + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } } - }] + ] } } - }, + }, "MyApi": { - "Type": "AWS::ApiGateway::RestApi", + "Type": "AWS::ApiGateway::RestApi", "Properties": { "Body": { "info": { - "version": "1.0", + "version": "1.0", "title": { "Ref": "AWS::StackName" } - }, + }, "paths": { "/": { "get": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "NONE": [] - }], + }, + "security": [ + { + "NONE": [] + }, + { + "api_key": [] + } + ], "responses": {} } - }, + }, "/users": { "put": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "MyCognitoAuth": [] - }], + }, + "security": [ + { + "MyCognitoAuth": [] + }, + { + "api_key": [] + } + ], "responses": {} - }, + }, "post": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "MyCognitoAuthMultipleUserPools": [] - }], + }, + "security": [ + { + "MyCognitoAuthMultipleUserPools": [] + }, + { + "api_key": [] + } + ], "responses": {} - }, + }, "patch": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "MyLambdaTokenAuthNoneFunctionInvokeRole": [] - }], + }, + "security": [ + { + "MyLambdaTokenAuthNoneFunctionInvokeRole": [] + }, + { + "api_key": [] + } + ], "responses": {} - }, + }, "delete": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "MyLambdaRequestAuth": [] - }], + }, + "security": [ + { + "MyLambdaRequestAuth": [] + }, + { + "api_key": [] + } + ], "responses": {} } } - }, - "swagger": "2.0", + }, + "swagger": "2.0", "securityDefinitions": { - "MyCognitoAuth": { - "in": "header", - "type": "apiKey", - "name": "MyAuthorizationHeader", - "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression", - "providerARNs": [ - "arn:aws:1" - ], - "type": "cognito_user_pools" - }, - "x-amazon-apigateway-authtype": "cognito_user_pools" - }, "MyLambdaTokenAuthNoneFunctionInvokeRole": { - "in": "header", - "type": "apiKey", - "name": "Authorization", + "in": "header", + "type": "apiKey", + "name": "Authorization", "x-amazon-apigateway-authorizer": { - "type": "token", - "authorizerResultTtlInSeconds": 0, + "type": "token", + "authorizerResultTtlInSeconds": 0, "authorizerUri": { "Fn::Sub": [ - "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { "__FunctionArn__": "arn:aws" } ] } - }, + }, "x-amazon-apigateway-authtype": "custom" - }, + }, "MyCognitoAuthMultipleUserPools": { - "in": "header", - "type": "apiKey", - "name": "MyAuthorizationHeader2", + "in": "header", + "type": "apiKey", + "name": "MyAuthorizationHeader2", "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression2", + "identityValidationExpression": "myauthvalidationexpression2", "providerARNs": [ - "arn:aws:2", + "arn:aws:2", "arn:aws:3" - ], + ], "type": "cognito_user_pools" - }, + }, "x-amazon-apigateway-authtype": "cognito_user_pools" - }, - "MyLambdaTokenAuth": { - "in": "header", - "type": "apiKey", - "name": "MyCustomAuthHeader", + }, + "MyLambdaRequestAuth": { + "in": "header", + "type": "apiKey", + "name": "Unused", "x-amazon-apigateway-authorizer": { - "type": "token", - "authorizerResultTtlInSeconds": 20, + "type": "request", + "authorizerResultTtlInSeconds": 0, + "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", "authorizerUri": { "Fn::Sub": [ - "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { "__FunctionArn__": "arn:aws" } ] - }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", - "identityValidationExpression": "mycustomauthexpression" - }, + }, + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" + }, "x-amazon-apigateway-authtype": "custom" - }, - "MyLambdaRequestAuth": { - "in": "header", - "type": "apiKey", - "name": "Unused", + }, + "MyCognitoAuth": { + "in": "header", + "type": "apiKey", + "name": "MyAuthorizationHeader", + "x-amazon-apigateway-authorizer": { + "identityValidationExpression": "myauthvalidationexpression", + "providerARNs": [ + "arn:aws:1" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "MyLambdaTokenAuth": { + "in": "header", + "type": "apiKey", + "name": "MyCustomAuthHeader", "x-amazon-apigateway-authorizer": { - "type": "request", - "authorizerResultTtlInSeconds": 0, - "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", + "type": "token", + "authorizerResultTtlInSeconds": 20, "authorizerUri": { "Fn::Sub": [ - "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { "__FunctionArn__": "arn:aws" } ] - }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" - }, + }, + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", + "identityValidationExpression": "mycustomauthexpression" + }, "x-amazon-apigateway-authtype": "custom" + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } } } } - }, + }, "MyApiMyLambdaTokenAuthAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": "arn:aws", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "arn:aws", "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { "Ref": "MyApi" @@ -355,20 +389,20 @@ ] } } - }, + }, "MyFunctionWithLambdaRequestAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -376,20 +410,20 @@ ] } } - }, + }, "MyFunctionWithLambdaRequestAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } @@ -397,30 +431,20 @@ ] } } - }, - "MyApiDeployment22f365e69f": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApi" - }, - "Description": "RestApi deployment id: 22f365e69fd10c36975a60c0b715eb1340f4b5e6", - "StageName": "Stage" - } - }, + }, "MyFunctionWithCognitoMultipleUserPoolsAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -428,16 +452,26 @@ ] } } - }, + }, + "MyApiDeployment0cec4886a5": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApi" + }, + "Description": "RestApi deployment id: 0cec4886a504a36373a7cbd8952ec7aa9643bfbd", + "StageName": "Stage" + } + }, "MyApiMyLambdaTokenAuthNoneFunctionInvokeRoleAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": "arn:aws", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "arn:aws", "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { "Ref": "MyApi" @@ -446,32 +480,32 @@ ] } } - }, + }, "MyApiProdStage": { - "Type": "AWS::ApiGateway::Stage", + "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiDeployment22f365e69f" - }, + "Ref": "MyApiDeployment0cec4886a5" + }, "RestApiId": { "Ref": "MyApi" - }, + }, "StageName": "Prod" } - }, + }, "MyFunctionWithNoAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } @@ -479,20 +513,20 @@ ] } } - }, + }, "MyFunctionWithDefaultAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } diff --git a/tests/translator/output/api_with_auth_all_maximum_openapi_3.json b/tests/translator/output/api_with_auth_all_maximum_openapi_3.json index 1968c4ec00..ff6efcd6f9 100644 --- a/tests/translator/output/api_with_auth_all_maximum_openapi_3.json +++ b/tests/translator/output/api_with_auth_all_maximum_openapi_3.json @@ -170,6 +170,15 @@ } } }, + "MyApiDeployment959b43a9ef": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApi" + }, + "Description": "RestApi deployment id: 959b43a9efc3347ee417e242c5f936bbd40ef663" + } + }, "MyApi": { "Type": "AWS::ApiGateway::RestApi", "Properties": { @@ -193,6 +202,9 @@ "security": [ { "NONE": [] + }, + { + "api_key": [] } ], "responses": {} @@ -210,6 +222,9 @@ "security": [ { "MyCognitoAuth": [] + }, + { + "api_key": [] } ], "responses": {} @@ -225,6 +240,9 @@ "security": [ { "MyCognitoAuthMultipleUserPools": [] + }, + { + "api_key": [] } ], "responses": {} @@ -240,6 +258,9 @@ "security": [ { "MyLambdaTokenAuthNoneFunctionInvokeRole": [] + }, + { + "api_key": [] } ], "responses": {} @@ -255,6 +276,9 @@ "security": [ { "MyLambdaRequestAuth": [] + }, + { + "api_key": [] } ], "responses": {} @@ -264,19 +288,6 @@ "openapi": "3.0.1", "components": { "securitySchemes": { - "MyCognitoAuth": { - "in": "header", - "type": "apiKey", - "name": "MyAuthorizationHeader", - "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression", - "providerARNs": [ - "arn:aws:1" - ], - "type": "cognito_user_pools" - }, - "x-amazon-apigateway-authtype": "cognito_user_pools" - }, "MyLambdaTokenAuthNoneFunctionInvokeRole": { "in": "header", "type": "apiKey", @@ -309,13 +320,14 @@ }, "x-amazon-apigateway-authtype": "cognito_user_pools" }, - "MyLambdaTokenAuth": { + "MyLambdaRequestAuth": { "in": "header", "type": "apiKey", - "name": "MyCustomAuthHeader", + "name": "Unused", "x-amazon-apigateway-authorizer": { - "type": "token", - "authorizerResultTtlInSeconds": 20, + "type": "request", + "authorizerResultTtlInSeconds": 0, + "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", "authorizerUri": { "Fn::Sub": [ "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", @@ -324,19 +336,30 @@ } ] }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", - "identityValidationExpression": "mycustomauthexpression" + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" }, "x-amazon-apigateway-authtype": "custom" }, - "MyLambdaRequestAuth": { + "MyCognitoAuth": { "in": "header", "type": "apiKey", - "name": "Unused", + "name": "MyAuthorizationHeader", "x-amazon-apigateway-authorizer": { - "type": "request", - "authorizerResultTtlInSeconds": 0, - "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", + "identityValidationExpression": "myauthvalidationexpression", + "providerARNs": [ + "arn:aws:1" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "MyLambdaTokenAuth": { + "in": "header", + "type": "apiKey", + "name": "MyCustomAuthHeader", + "x-amazon-apigateway-authorizer": { + "type": "token", + "authorizerResultTtlInSeconds": 20, "authorizerUri": { "Fn::Sub": [ "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", @@ -345,9 +368,15 @@ } ] }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", + "identityValidationExpression": "mycustomauthexpression" }, "x-amazon-apigateway-authtype": "custom" + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } } } @@ -453,20 +482,11 @@ } } }, - "MyApiDeployment18e0cddfbf": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApi" - }, - "Description": "RestApi deployment id: 18e0cddfbf74ca986461d5a484b9eedd934a6423" - } - }, "MyApiProdStage": { "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiDeployment18e0cddfbf" + "Ref": "MyApiDeployment959b43a9ef" }, "RestApiId": { "Ref": "MyApi" diff --git a/tests/translator/output/aws-cn/api_with_apikey_default_override.json b/tests/translator/output/aws-cn/api_with_apikey_default_override.json new file mode 100644 index 0000000000..31e38efe95 --- /dev/null +++ b/tests/translator/output/aws-cn/api_with_apikey_default_override.json @@ -0,0 +1,371 @@ +{ + "Resources": { + "MyApiWithAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithAuthDeployment12e3363002" + }, + "RestApiId": { + "Ref": "MyApiWithAuth" + }, + "StageName": "Prod" + } + }, + "MyFunctionWithApiKeyRequiredTrueMyApiWithApiKeyRequiredTruePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredTrue" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyTrue", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredFalseMyApiWithApiKeyRequiredFalsePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredFalse" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyFalse", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredFalseMyApiWithApiKeyRequiredFalsePermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredFalse" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyFalse", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredTrue": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredTrueRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFunctionWithApiKeyRequiredDefault": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredDefaultRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFunctionWithApiKeyRequiredDefaultMyApiWithApiKeyRequiredDefaultPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredDefault" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyDefault", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyApiWithAuthDeployment12e3363002": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithAuth" + }, + "Description": "RestApi deployment id: 12e33630022574b70be75950554db06d81af114d", + "StageName": "Stage" + } + }, + "MyFunctionWithApiKeyRequiredFalse": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredFalseRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFunctionWithApiKeyRequiredFalseRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredDefaultRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredDefaultMyApiWithApiKeyRequiredDefaultPermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredDefault" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyDefault", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredTrueMyApiWithApiKeyRequiredTruePermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredTrue" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyTrue", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredTrueRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyApiWithAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/ApiKeyFalse": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequiredFalse.Arn}/invocations" + } + }, + "security": [], + "responses": {} + } + }, + "/ApiKeyTrue": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequiredTrue.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} + } + }, + "/ApiKeyDefault": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequiredDefault.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } + } + } + } +} \ No newline at end of file diff --git a/tests/translator/output/aws-cn/api_with_apikey_required.json b/tests/translator/output/aws-cn/api_with_apikey_required.json new file mode 100644 index 0000000000..65a966df63 --- /dev/null +++ b/tests/translator/output/aws-cn/api_with_apikey_required.json @@ -0,0 +1,163 @@ +{ + "Resources": { + "MyFunctionWithApiKeyRequiredRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } + } + ] + } + } + }, + "MyApiWithoutAuthDeploymentcc6d6fc40a": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "Description": "RestApi deployment id: cc6d6fc40a37188fe0115a039b24e397dc149478", + "StageName": "Stage" + } + }, + "MyApiWithoutAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/ApiKeyRequiredTrue": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequired.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } + } + }, + "MyApiWithoutAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithoutAuthDeploymentcc6d6fc40a" + }, + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "StageName": "Prod" + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequired": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + } + } +} \ No newline at end of file diff --git a/tests/translator/output/aws-cn/api_with_apikey_required_openapi_3.json b/tests/translator/output/aws-cn/api_with_apikey_required_openapi_3.json new file mode 100644 index 0000000000..0ecfb136d8 --- /dev/null +++ b/tests/translator/output/aws-cn/api_with_apikey_required_openapi_3.json @@ -0,0 +1,164 @@ +{ + "Resources": { + "MyFunctionWithApiKeyRequiredRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } + } + ] + } + } + }, + "MyApiWithoutAuthDeployment859a8b8388": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "Description": "RestApi deployment id: 859a8b8388c863dbda96b384cefea4ac988f5f81" + } + }, + "MyApiWithoutAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/ApiKeyRequiredTrue": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequired.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} + } + } + }, + "openapi": "3.0.1", + "components": { + "securitySchemes": { + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + } + } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } + } + }, + "MyApiWithoutAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithoutAuthDeployment859a8b8388" + }, + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "StageName": "Prod" + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequired": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + } + } +} \ No newline at end of file diff --git a/tests/translator/output/aws-cn/api_with_auth_all_maximum.json b/tests/translator/output/aws-cn/api_with_auth_all_maximum.json index 781c9b8bef..b74a6965e7 100644 --- a/tests/translator/output/aws-cn/api_with_auth_all_maximum.json +++ b/tests/translator/output/aws-cn/api_with_auth_all_maximum.json @@ -1,39 +1,41 @@ { "Resources": { "MyFunction": { - "Type": "AWS::Lambda::Function", + "Type": "AWS::Lambda::Function", "Properties": { + "Handler": "index.handler", "Code": { - "S3Bucket": "sam-demo-bucket", + "S3Bucket": "sam-demo-bucket", "S3Key": "thumbnails.zip" - }, - "Handler": "index.handler", + }, "Role": { "Fn::GetAtt": [ - "MyFunctionRole", + "MyFunctionRole", "Arn" ] - }, - "Runtime": "nodejs8.10", - "Tags": [{ - "Value": "SAM", - "Key": "lambda:createdBy" - }] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] } - }, + }, "MyFunctionWithLambdaTokenAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } @@ -41,16 +43,16 @@ ] } } - }, + }, "MyApiMyLambdaRequestAuthAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": "arn:aws", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "arn:aws", "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { "Ref": "MyApi" @@ -59,20 +61,20 @@ ] } } - }, + }, "MyFunctionWithLambdaTokenAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -80,20 +82,20 @@ ] } } - }, + }, "MyFunctionWithDefaultAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -101,30 +103,20 @@ ] } } - }, - "MyApiDeployment8401165542": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApi" - }, - "Description": "RestApi deployment id: 8401165542e94cea0086026b427b10c966b84f1d", - "StageName": "Stage" - } - }, + }, "MyFunctionWithCognitoMultipleUserPoolsAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } @@ -132,20 +124,20 @@ ] } } - }, + }, "MyFunctionWithNoAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -153,218 +145,250 @@ ] } } - }, + }, "MyFunctionRole": { - "Type": "AWS::IAM::Role", + "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": [ "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], + ], "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [{ - "Action": [ - "sts:AssumeRole" - ], - "Effect": "Allow", - "Principal": { - "Service": [ - "lambda.amazonaws.com" - ] + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } } - }] + ] } } - }, + }, "MyApi": { - "Type": "AWS::ApiGateway::RestApi", + "Type": "AWS::ApiGateway::RestApi", "Properties": { "Body": { "info": { - "version": "1.0", + "version": "1.0", "title": { "Ref": "AWS::StackName" } - }, + }, "paths": { "/": { "get": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "NONE": [] - }], + }, + "security": [ + { + "NONE": [] + }, + { + "api_key": [] + } + ], "responses": {} } - }, + }, "/users": { "put": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "MyCognitoAuth": [] - }], + }, + "security": [ + { + "MyCognitoAuth": [] + }, + { + "api_key": [] + } + ], "responses": {} - }, + }, "post": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "MyCognitoAuthMultipleUserPools": [] - }], + }, + "security": [ + { + "MyCognitoAuthMultipleUserPools": [] + }, + { + "api_key": [] + } + ], "responses": {} - }, + }, "patch": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "MyLambdaTokenAuthNoneFunctionInvokeRole": [] - }], + }, + "security": [ + { + "MyLambdaTokenAuthNoneFunctionInvokeRole": [] + }, + { + "api_key": [] + } + ], "responses": {} - }, + }, "delete": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "MyLambdaRequestAuth": [] - }], + }, + "security": [ + { + "MyLambdaRequestAuth": [] + }, + { + "api_key": [] + } + ], "responses": {} } } - }, - "swagger": "2.0", + }, + "swagger": "2.0", "securityDefinitions": { - "MyCognitoAuth": { - "in": "header", - "type": "apiKey", - "name": "MyAuthorizationHeader", - "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression", - "providerARNs": [ - "arn:aws:1" - ], - "type": "cognito_user_pools" - }, - "x-amazon-apigateway-authtype": "cognito_user_pools" - }, "MyLambdaTokenAuthNoneFunctionInvokeRole": { - "in": "header", - "type": "apiKey", - "name": "Authorization", + "in": "header", + "type": "apiKey", + "name": "Authorization", "x-amazon-apigateway-authorizer": { - "type": "token", - "authorizerResultTtlInSeconds": 0, + "type": "token", + "authorizerResultTtlInSeconds": 0, "authorizerUri": { "Fn::Sub": [ - "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { "__FunctionArn__": "arn:aws" } ] } - }, + }, "x-amazon-apigateway-authtype": "custom" - }, + }, "MyCognitoAuthMultipleUserPools": { - "in": "header", - "type": "apiKey", - "name": "MyAuthorizationHeader2", + "in": "header", + "type": "apiKey", + "name": "MyAuthorizationHeader2", "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression2", + "identityValidationExpression": "myauthvalidationexpression2", "providerARNs": [ - "arn:aws:2", + "arn:aws:2", "arn:aws:3" - ], + ], "type": "cognito_user_pools" - }, + }, "x-amazon-apigateway-authtype": "cognito_user_pools" - }, - "MyLambdaTokenAuth": { - "in": "header", - "type": "apiKey", - "name": "MyCustomAuthHeader", + }, + "MyLambdaRequestAuth": { + "in": "header", + "type": "apiKey", + "name": "Unused", "x-amazon-apigateway-authorizer": { - "type": "token", - "authorizerResultTtlInSeconds": 20, + "type": "request", + "authorizerResultTtlInSeconds": 0, + "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", "authorizerUri": { "Fn::Sub": [ - "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { "__FunctionArn__": "arn:aws" } ] - }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", - "identityValidationExpression": "mycustomauthexpression" - }, + }, + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" + }, "x-amazon-apigateway-authtype": "custom" - }, - "MyLambdaRequestAuth": { - "in": "header", - "type": "apiKey", - "name": "Unused", + }, + "MyCognitoAuth": { + "in": "header", + "type": "apiKey", + "name": "MyAuthorizationHeader", "x-amazon-apigateway-authorizer": { - "type": "request", - "authorizerResultTtlInSeconds": 0, - "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", + "identityValidationExpression": "myauthvalidationexpression", + "providerARNs": [ + "arn:aws:1" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "MyLambdaTokenAuth": { + "in": "header", + "type": "apiKey", + "name": "MyCustomAuthHeader", + "x-amazon-apigateway-authorizer": { + "type": "token", + "authorizerResultTtlInSeconds": 20, "authorizerUri": { "Fn::Sub": [ - "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { "__FunctionArn__": "arn:aws" } ] - }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" - }, + }, + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", + "identityValidationExpression": "mycustomauthexpression" + }, "x-amazon-apigateway-authtype": "custom" + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } } - }, + }, "EndpointConfiguration": { "Types": [ "REGIONAL" ] - }, + }, "Parameters": { "endpointConfigurationTypes": "REGIONAL" } } - }, + }, "MyApiMyLambdaTokenAuthAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": "arn:aws", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "arn:aws", "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { "Ref": "MyApi" @@ -373,20 +397,20 @@ ] } } - }, + }, "MyFunctionWithLambdaRequestAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -394,20 +418,20 @@ ] } } - }, + }, "MyFunctionWithLambdaRequestAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } @@ -415,20 +439,20 @@ ] } } - }, + }, "MyFunctionWithCognitoMultipleUserPoolsAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -436,16 +460,16 @@ ] } } - }, + }, "MyApiMyLambdaTokenAuthNoneFunctionInvokeRoleAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": "arn:aws", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "arn:aws", "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { "Ref": "MyApi" @@ -454,32 +478,42 @@ ] } } - }, + }, + "MyApiDeployment2b4f028142": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApi" + }, + "Description": "RestApi deployment id: 2b4f028142eb38900e00f362b76751032ac4e464", + "StageName": "Stage" + } + }, "MyApiProdStage": { - "Type": "AWS::ApiGateway::Stage", + "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiDeployment8401165542" - }, + "Ref": "MyApiDeployment2b4f028142" + }, "RestApiId": { "Ref": "MyApi" - }, + }, "StageName": "Prod" } - }, + }, "MyFunctionWithNoAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } @@ -487,20 +521,20 @@ ] } } - }, + }, "MyFunctionWithDefaultAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } diff --git a/tests/translator/output/aws-cn/api_with_auth_all_maximum_openapi_3.json b/tests/translator/output/aws-cn/api_with_auth_all_maximum_openapi_3.json index de778924c6..33c63f8623 100644 --- a/tests/translator/output/aws-cn/api_with_auth_all_maximum_openapi_3.json +++ b/tests/translator/output/aws-cn/api_with_auth_all_maximum_openapi_3.json @@ -193,6 +193,9 @@ "security": [ { "NONE": [] + }, + { + "api_key": [] } ], "responses": {} @@ -210,6 +213,9 @@ "security": [ { "MyCognitoAuth": [] + }, + { + "api_key": [] } ], "responses": {} @@ -225,6 +231,9 @@ "security": [ { "MyCognitoAuthMultipleUserPools": [] + }, + { + "api_key": [] } ], "responses": {} @@ -240,6 +249,9 @@ "security": [ { "MyLambdaTokenAuthNoneFunctionInvokeRole": [] + }, + { + "api_key": [] } ], "responses": {} @@ -255,6 +267,9 @@ "security": [ { "MyLambdaRequestAuth": [] + }, + { + "api_key": [] } ], "responses": {} @@ -264,19 +279,6 @@ "openapi": "3.0.1", "components": { "securitySchemes": { - "MyCognitoAuth": { - "in": "header", - "type": "apiKey", - "name": "MyAuthorizationHeader", - "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression", - "providerARNs": [ - "arn:aws:1" - ], - "type": "cognito_user_pools" - }, - "x-amazon-apigateway-authtype": "cognito_user_pools" - }, "MyLambdaTokenAuthNoneFunctionInvokeRole": { "in": "header", "type": "apiKey", @@ -309,13 +311,14 @@ }, "x-amazon-apigateway-authtype": "cognito_user_pools" }, - "MyLambdaTokenAuth": { + "MyLambdaRequestAuth": { "in": "header", "type": "apiKey", - "name": "MyCustomAuthHeader", + "name": "Unused", "x-amazon-apigateway-authorizer": { - "type": "token", - "authorizerResultTtlInSeconds": 20, + "type": "request", + "authorizerResultTtlInSeconds": 0, + "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", "authorizerUri": { "Fn::Sub": [ "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", @@ -324,19 +327,30 @@ } ] }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", - "identityValidationExpression": "mycustomauthexpression" + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" }, "x-amazon-apigateway-authtype": "custom" }, - "MyLambdaRequestAuth": { + "MyCognitoAuth": { "in": "header", "type": "apiKey", - "name": "Unused", + "name": "MyAuthorizationHeader", "x-amazon-apigateway-authorizer": { - "type": "request", - "authorizerResultTtlInSeconds": 0, - "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", + "identityValidationExpression": "myauthvalidationexpression", + "providerARNs": [ + "arn:aws:1" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "MyLambdaTokenAuth": { + "in": "header", + "type": "apiKey", + "name": "MyCustomAuthHeader", + "x-amazon-apigateway-authorizer": { + "type": "token", + "authorizerResultTtlInSeconds": 20, "authorizerUri": { "Fn::Sub": [ "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", @@ -345,9 +359,15 @@ } ] }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", + "identityValidationExpression": "mycustomauthexpression" }, "x-amazon-apigateway-authtype": "custom" + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } } } @@ -362,22 +382,13 @@ } } }, - "MyApiMyLambdaTokenAuthAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "MyApiDeploymente3164c0eda": { + "Type": "AWS::ApiGateway::Deployment", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": "arn:aws", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", - { - "__ApiId__": { - "Ref": "MyApi" - } - } - ] - } + "RestApiId": { + "Ref": "MyApi" + }, + "Description": "RestApi deployment id: e3164c0edaf0d9fc342c47f30edf05040f87af8b" } }, "MyFunctionWithLambdaRequestAuthorizerPermissionTest": { @@ -422,15 +433,6 @@ } } }, - "MyApiDeploymentbaa112a5f1": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApi" - }, - "Description": "RestApi deployment id: baa112a5f13c2489dbb3bde338d974cf87541b01" - } - }, "MyFunctionWithCognitoMultipleUserPoolsAuthorizerPermissionTest": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -470,11 +472,29 @@ } } }, + "MyApiMyLambdaTokenAuthAuthorizerPermission": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "arn:aws", + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + { + "__ApiId__": { + "Ref": "MyApi" + } + } + ] + } + } + }, "MyApiProdStage": { "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiDeploymentbaa112a5f1" + "Ref": "MyApiDeploymente3164c0eda" }, "RestApiId": { "Ref": "MyApi" diff --git a/tests/translator/output/aws-cn/globals_for_api.json b/tests/translator/output/aws-cn/globals_for_api.json index bcfdd57cad..8bd110f3fc 100644 --- a/tests/translator/output/aws-cn/globals_for_api.json +++ b/tests/translator/output/aws-cn/globals_for_api.json @@ -91,6 +91,9 @@ "security": [ { "MyCognitoAuth": [] + }, + { + "api_key": [] } ], "responses": {} @@ -115,6 +118,11 @@ "type": "cognito_user_pools" }, "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } } }, @@ -142,20 +150,10 @@ }, "CacheClusterEnabled": true, "DeploymentId": { - "Ref": "ServerlessRestApiDeploymente1212668e0" + "Ref": "ServerlessRestApiDeploymentf6c326a165" } } }, - "ServerlessRestApiDeploymente1212668e0": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "ServerlessRestApi" - }, - "Description": "RestApi deployment id: e1212668e096994ab32167666f5a877bd6ac5fad", - "StageName": "Stage" - } - }, "ExplicitApiSomeStageStage": { "Type": "AWS::ApiGateway::Stage", "Properties": { @@ -169,10 +167,30 @@ }, "CacheClusterEnabled": true, "DeploymentId": { - "Ref": "ExplicitApiDeploymentd5fa0145e9" + "Ref": "ExplicitApiDeployment43e01e673d" } } }, + "ServerlessRestApiDeploymentf6c326a165": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "ServerlessRestApi" + }, + "Description": "RestApi deployment id: f6c326a1656cc9fbb0106cc645598d88575554eb", + "StageName": "Stage" + } + }, + "ExplicitApiDeployment43e01e673d": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "ExplicitApi" + }, + "Description": "RestApi deployment id: 43e01e673d7acbd09e4c38ff78dd6ddaf2ed1d55", + "StageName": "Stage" + } + }, "ImplicitApiFunctionGetHtmlPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -194,16 +212,6 @@ } } }, - "ExplicitApiDeploymentd5fa0145e9": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "ExplicitApi" - }, - "Description": "RestApi deployment id: d5fa0145e9e6393911d32967e66fd7091d605483", - "StageName": "Stage" - } - }, "MyUserPool": { "Type": "AWS::Cognito::UserPool", "Properties": { @@ -248,6 +256,9 @@ "security": [ { "MyCognitoAuth": [] + }, + { + "api_key": [] } ], "responses": {} @@ -272,6 +283,11 @@ "type": "cognito_user_pools" }, "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } } }, diff --git a/tests/translator/output/aws-cn/implicit_api_with_auth_and_conditions_max.json b/tests/translator/output/aws-cn/implicit_api_with_auth_and_conditions_max.json index 1ffd2bd98b..2ced69491d 100644 --- a/tests/translator/output/aws-cn/implicit_api_with_auth_and_conditions_max.json +++ b/tests/translator/output/aws-cn/implicit_api_with_auth_and_conditions_max.json @@ -223,7 +223,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "ServerlessRestApiDeployment13185ed4f8" + "Ref": "ServerlessRestApiDeployment6b0de9dc9a" }, "RestApiId": { "Ref": "ServerlessRestApi" @@ -594,17 +594,6 @@ }, "Condition": "FunctionCondition" }, - "ServerlessRestApiDeployment13185ed4f8": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "ServerlessRestApi" - }, - "Description": "RestApi deployment id: 13185ed4f830a9731f30c8561a781a0f560748c1", - "StageName": "Stage" - }, - "Condition": "ServerlessRestApiCondition" - }, "MyFunctionRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -652,6 +641,17 @@ }, "Condition": "FunctionCondition5" }, + "ServerlessRestApiDeployment6b0de9dc9a": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "ServerlessRestApi" + }, + "Description": "RestApi deployment id: 6b0de9dc9a2450a248988d39c61e2ee23b257724", + "StageName": "Stage" + }, + "Condition": "ServerlessRestApiCondition" + }, "MyFunction3WithLambdaTokenAuthorizerPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -772,6 +772,9 @@ } }, "security": [ + { + "api_key": [] + }, { "MyCognitoAuth": [] } @@ -916,26 +919,37 @@ }, "swagger": "2.0", "securityDefinitions": { - "MyCognitoAuth": { + "MyLambdaTokenAuthNoneFunctionInvokeRole": { "in": "header", "type": "apiKey", - "name": "MyAuthorizationHeader", + "name": "Authorization", "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression", - "providerARNs": [ - "arn:aws:1" - ], - "type": "cognito_user_pools" + "type": "token", + "authorizerResultTtlInSeconds": 0, + "authorizerUri": { + "Fn::Sub": [ + "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + { + "__FunctionArn__": "arn:aws" + } + ] + } }, - "x-amazon-apigateway-authtype": "cognito_user_pools" + "x-amazon-apigateway-authtype": "custom" }, - "MyLambdaTokenAuthNoneFunctionInvokeRole": { + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + }, + "MyLambdaRequestAuth": { "in": "header", "type": "apiKey", - "name": "Authorization", + "name": "Unused", "x-amazon-apigateway-authorizer": { - "type": "token", + "type": "request", "authorizerResultTtlInSeconds": 0, + "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", "authorizerUri": { "Fn::Sub": [ "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", @@ -943,19 +957,19 @@ "__FunctionArn__": "arn:aws" } ] - } + }, + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" }, "x-amazon-apigateway-authtype": "custom" }, - "MyCognitoAuthMultipleUserPools": { + "MyCognitoAuth": { "in": "header", "type": "apiKey", - "name": "MyAuthorizationHeader2", + "name": "MyAuthorizationHeader", "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression2", + "identityValidationExpression": "myauthvalidationexpression", "providerARNs": [ - "arn:aws:2", - "arn:aws:3" + "arn:aws:1" ], "type": "cognito_user_pools" }, @@ -981,25 +995,19 @@ }, "x-amazon-apigateway-authtype": "custom" }, - "MyLambdaRequestAuth": { + "MyCognitoAuthMultipleUserPools": { "in": "header", "type": "apiKey", - "name": "Unused", + "name": "MyAuthorizationHeader2", "x-amazon-apigateway-authorizer": { - "type": "request", - "authorizerResultTtlInSeconds": 0, - "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", - "authorizerUri": { - "Fn::Sub": [ - "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", - { - "__FunctionArn__": "arn:aws" - } - ] - }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" + "identityValidationExpression": "myauthvalidationexpression2", + "providerARNs": [ + "arn:aws:2", + "arn:aws:3" + ], + "type": "cognito_user_pools" }, - "x-amazon-apigateway-authtype": "custom" + "x-amazon-apigateway-authtype": "cognito_user_pools" } } }, @@ -1037,4 +1045,4 @@ "Condition": "FunctionCondition2" } } -} +} \ No newline at end of file diff --git a/tests/translator/output/aws-us-gov/api_with_apikey_default_override.json b/tests/translator/output/aws-us-gov/api_with_apikey_default_override.json new file mode 100644 index 0000000000..a508c0e137 --- /dev/null +++ b/tests/translator/output/aws-us-gov/api_with_apikey_default_override.json @@ -0,0 +1,371 @@ +{ + "Resources": { + "MyApiWithAuthDeployment084855ab6d": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithAuth" + }, + "Description": "RestApi deployment id: 084855ab6d04ef5b762ac75de403810cd5f0c166", + "StageName": "Stage" + } + }, + "MyFunctionWithApiKeyRequiredTrueMyApiWithApiKeyRequiredTruePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredTrue" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyTrue", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredFalseMyApiWithApiKeyRequiredFalsePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredFalse" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyFalse", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredFalseMyApiWithApiKeyRequiredFalsePermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredFalse" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyFalse", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyApiWithAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithAuthDeployment084855ab6d" + }, + "RestApiId": { + "Ref": "MyApiWithAuth" + }, + "StageName": "Prod" + } + }, + "MyFunctionWithApiKeyRequiredTrue": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredTrueRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFunctionWithApiKeyRequiredDefault": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredDefaultRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFunctionWithApiKeyRequiredDefaultMyApiWithApiKeyRequiredDefaultPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredDefault" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyDefault", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredFalse": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredFalseRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFunctionWithApiKeyRequiredFalseRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredDefaultRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredDefaultMyApiWithApiKeyRequiredDefaultPermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredDefault" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyDefault", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredTrueMyApiWithApiKeyRequiredTruePermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredTrue" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyTrue", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredTrueRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyApiWithAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/ApiKeyFalse": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequiredFalse.Arn}/invocations" + } + }, + "security": [], + "responses": {} + } + }, + "/ApiKeyTrue": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequiredTrue.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} + } + }, + "/ApiKeyDefault": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequiredDefault.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } + } + } + } +} \ No newline at end of file diff --git a/tests/translator/output/aws-us-gov/api_with_apikey_required.json b/tests/translator/output/aws-us-gov/api_with_apikey_required.json new file mode 100644 index 0000000000..0d7f930765 --- /dev/null +++ b/tests/translator/output/aws-us-gov/api_with_apikey_required.json @@ -0,0 +1,163 @@ +{ + "Resources": { + "MyFunctionWithApiKeyRequiredRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } + } + ] + } + } + }, + "MyApiWithoutAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/ApiKeyRequiredTrue": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequired.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } + } + }, + "MyApiWithoutAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithoutAuthDeployment1f6bf4c0d5" + }, + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "StageName": "Prod" + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequired": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyApiWithoutAuthDeployment1f6bf4c0d5": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "Description": "RestApi deployment id: 1f6bf4c0d5babf513c5623a65931134211ad3d0b", + "StageName": "Stage" + } + } + } +} \ No newline at end of file diff --git a/tests/translator/output/aws-us-gov/api_with_apikey_required_openapi_3.json b/tests/translator/output/aws-us-gov/api_with_apikey_required_openapi_3.json new file mode 100644 index 0000000000..90fc4e9da9 --- /dev/null +++ b/tests/translator/output/aws-us-gov/api_with_apikey_required_openapi_3.json @@ -0,0 +1,164 @@ +{ + "Resources": { + "MyFunctionWithApiKeyRequiredRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } + } + ] + } + } + }, + "MyApiWithoutAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/ApiKeyRequiredTrue": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequired.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} + } + } + }, + "openapi": "3.0.1", + "components": { + "securitySchemes": { + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + } + } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } + } + }, + "MyApiWithoutAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithoutAuthDeploymentfee0b2b452" + }, + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "StageName": "Prod" + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequired": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyApiWithoutAuthDeploymentfee0b2b452": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "Description": "RestApi deployment id: fee0b2b45266fff45b8edba43206618eabefebfe" + } + } + } +} \ No newline at end of file diff --git a/tests/translator/output/aws-us-gov/api_with_auth_all_maximum.json b/tests/translator/output/aws-us-gov/api_with_auth_all_maximum.json index 7faead9d31..589b9fd953 100644 --- a/tests/translator/output/aws-us-gov/api_with_auth_all_maximum.json +++ b/tests/translator/output/aws-us-gov/api_with_auth_all_maximum.json @@ -1,39 +1,41 @@ { "Resources": { "MyFunction": { - "Type": "AWS::Lambda::Function", + "Type": "AWS::Lambda::Function", "Properties": { + "Handler": "index.handler", "Code": { - "S3Bucket": "sam-demo-bucket", + "S3Bucket": "sam-demo-bucket", "S3Key": "thumbnails.zip" - }, - "Handler": "index.handler", + }, "Role": { "Fn::GetAtt": [ - "MyFunctionRole", + "MyFunctionRole", "Arn" ] - }, - "Runtime": "nodejs8.10", - "Tags": [{ - "Value": "SAM", - "Key": "lambda:createdBy" - }] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] } - }, + }, "MyFunctionWithLambdaTokenAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } @@ -41,16 +43,16 @@ ] } } - }, + }, "MyApiMyLambdaRequestAuthAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": "arn:aws", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "arn:aws", "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { "Ref": "MyApi" @@ -59,20 +61,20 @@ ] } } - }, + }, "MyFunctionWithLambdaTokenAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -80,20 +82,20 @@ ] } } - }, + }, "MyFunctionWithDefaultAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -101,20 +103,20 @@ ] } } - }, + }, "MyFunctionWithCognitoMultipleUserPoolsAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } @@ -122,20 +124,20 @@ ] } } - }, + }, "MyFunctionWithNoAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -143,218 +145,260 @@ ] } } - }, + }, + "MyApiDeployment7939ed72e3": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApi" + }, + "Description": "RestApi deployment id: 7939ed72e39cf5e3c86aaa365a531790a1d244e6", + "StageName": "Stage" + } + }, "MyFunctionRole": { - "Type": "AWS::IAM::Role", + "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": [ "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], + ], "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [{ - "Action": [ - "sts:AssumeRole" - ], - "Effect": "Allow", - "Principal": { - "Service": [ - "lambda.amazonaws.com" - ] + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } } - }] + ] } } - }, + }, "MyApi": { - "Type": "AWS::ApiGateway::RestApi", + "Type": "AWS::ApiGateway::RestApi", "Properties": { "Body": { "info": { - "version": "1.0", + "version": "1.0", "title": { "Ref": "AWS::StackName" } - }, + }, "paths": { "/": { "get": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "NONE": [] - }], + }, + "security": [ + { + "NONE": [] + }, + { + "api_key": [] + } + ], "responses": {} } - }, + }, "/users": { "put": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "MyCognitoAuth": [] - }], + }, + "security": [ + { + "MyCognitoAuth": [] + }, + { + "api_key": [] + } + ], "responses": {} - }, + }, "post": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "MyCognitoAuthMultipleUserPools": [] - }], + }, + "security": [ + { + "MyCognitoAuthMultipleUserPools": [] + }, + { + "api_key": [] + } + ], "responses": {} - }, + }, "patch": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "MyLambdaTokenAuthNoneFunctionInvokeRole": [] - }], + }, + "security": [ + { + "MyLambdaTokenAuthNoneFunctionInvokeRole": [] + }, + { + "api_key": [] + } + ], "responses": {} - }, + }, "delete": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "MyLambdaRequestAuth": [] - }], + }, + "security": [ + { + "MyLambdaRequestAuth": [] + }, + { + "api_key": [] + } + ], "responses": {} } } - }, - "swagger": "2.0", + }, + "swagger": "2.0", "securityDefinitions": { - "MyCognitoAuth": { - "in": "header", - "type": "apiKey", - "name": "MyAuthorizationHeader", - "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression", - "providerARNs": [ - "arn:aws:1" - ], - "type": "cognito_user_pools" - }, - "x-amazon-apigateway-authtype": "cognito_user_pools" - }, "MyLambdaTokenAuthNoneFunctionInvokeRole": { - "in": "header", - "type": "apiKey", - "name": "Authorization", + "in": "header", + "type": "apiKey", + "name": "Authorization", "x-amazon-apigateway-authorizer": { - "type": "token", - "authorizerResultTtlInSeconds": 0, + "type": "token", + "authorizerResultTtlInSeconds": 0, "authorizerUri": { "Fn::Sub": [ - "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { "__FunctionArn__": "arn:aws" } ] } - }, + }, "x-amazon-apigateway-authtype": "custom" - }, + }, "MyCognitoAuthMultipleUserPools": { - "in": "header", - "type": "apiKey", - "name": "MyAuthorizationHeader2", + "in": "header", + "type": "apiKey", + "name": "MyAuthorizationHeader2", "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression2", + "identityValidationExpression": "myauthvalidationexpression2", "providerARNs": [ - "arn:aws:2", + "arn:aws:2", "arn:aws:3" - ], + ], "type": "cognito_user_pools" - }, + }, "x-amazon-apigateway-authtype": "cognito_user_pools" - }, - "MyLambdaTokenAuth": { - "in": "header", - "type": "apiKey", - "name": "MyCustomAuthHeader", + }, + "MyLambdaRequestAuth": { + "in": "header", + "type": "apiKey", + "name": "Unused", "x-amazon-apigateway-authorizer": { - "type": "token", - "authorizerResultTtlInSeconds": 20, + "type": "request", + "authorizerResultTtlInSeconds": 0, + "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", "authorizerUri": { "Fn::Sub": [ - "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { "__FunctionArn__": "arn:aws" } ] - }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", - "identityValidationExpression": "mycustomauthexpression" - }, + }, + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" + }, "x-amazon-apigateway-authtype": "custom" - }, - "MyLambdaRequestAuth": { - "in": "header", - "type": "apiKey", - "name": "Unused", + }, + "MyCognitoAuth": { + "in": "header", + "type": "apiKey", + "name": "MyAuthorizationHeader", "x-amazon-apigateway-authorizer": { - "type": "request", - "authorizerResultTtlInSeconds": 0, - "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", + "identityValidationExpression": "myauthvalidationexpression", + "providerARNs": [ + "arn:aws:1" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "MyLambdaTokenAuth": { + "in": "header", + "type": "apiKey", + "name": "MyCustomAuthHeader", + "x-amazon-apigateway-authorizer": { + "type": "token", + "authorizerResultTtlInSeconds": 20, "authorizerUri": { "Fn::Sub": [ - "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { "__FunctionArn__": "arn:aws" } ] - }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" - }, + }, + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", + "identityValidationExpression": "mycustomauthexpression" + }, "x-amazon-apigateway-authtype": "custom" + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } } - }, + }, "EndpointConfiguration": { "Types": [ "REGIONAL" ] - }, + }, "Parameters": { "endpointConfigurationTypes": "REGIONAL" } } - }, + }, "MyApiMyLambdaTokenAuthAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": "arn:aws", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "arn:aws", "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { "Ref": "MyApi" @@ -363,20 +407,20 @@ ] } } - }, + }, "MyFunctionWithLambdaRequestAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -384,20 +428,20 @@ ] } } - }, + }, "MyFunctionWithLambdaRequestAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } @@ -405,30 +449,20 @@ ] } } - }, - "MyApiDeploymentf9e0be23dc": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApi" - }, - "Description": "RestApi deployment id: f9e0be23dccfaabdc2729c4d2221a3eeaa8e87db", - "StageName": "Stage" - } - }, + }, "MyFunctionWithCognitoMultipleUserPoolsAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -436,16 +470,16 @@ ] } } - }, + }, "MyApiMyLambdaTokenAuthNoneFunctionInvokeRoleAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": "arn:aws", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "arn:aws", "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { "Ref": "MyApi" @@ -454,32 +488,32 @@ ] } } - }, + }, "MyApiProdStage": { - "Type": "AWS::ApiGateway::Stage", + "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiDeploymentf9e0be23dc" - }, + "Ref": "MyApiDeployment7939ed72e3" + }, "RestApiId": { "Ref": "MyApi" - }, + }, "StageName": "Prod" } - }, + }, "MyFunctionWithNoAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } @@ -487,20 +521,20 @@ ] } } - }, + }, "MyFunctionWithDefaultAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } diff --git a/tests/translator/output/aws-us-gov/api_with_auth_all_maximum_openapi_3.json b/tests/translator/output/aws-us-gov/api_with_auth_all_maximum_openapi_3.json index c8187e9b8d..a4e560599a 100644 --- a/tests/translator/output/aws-us-gov/api_with_auth_all_maximum_openapi_3.json +++ b/tests/translator/output/aws-us-gov/api_with_auth_all_maximum_openapi_3.json @@ -104,15 +104,6 @@ } } }, - "MyApiDeployment26330d35c8": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApi" - }, - "Description": "RestApi deployment id: 26330d35c82ff087c8d34db2cade570f0e02910f" - } - }, "MyFunctionWithCognitoMultipleUserPoolsAuthorizerPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -202,6 +193,9 @@ "security": [ { "NONE": [] + }, + { + "api_key": [] } ], "responses": {} @@ -219,6 +213,9 @@ "security": [ { "MyCognitoAuth": [] + }, + { + "api_key": [] } ], "responses": {} @@ -234,6 +231,9 @@ "security": [ { "MyCognitoAuthMultipleUserPools": [] + }, + { + "api_key": [] } ], "responses": {} @@ -249,6 +249,9 @@ "security": [ { "MyLambdaTokenAuthNoneFunctionInvokeRole": [] + }, + { + "api_key": [] } ], "responses": {} @@ -264,6 +267,9 @@ "security": [ { "MyLambdaRequestAuth": [] + }, + { + "api_key": [] } ], "responses": {} @@ -273,19 +279,6 @@ "openapi": "3.0.1", "components": { "securitySchemes": { - "MyCognitoAuth": { - "in": "header", - "type": "apiKey", - "name": "MyAuthorizationHeader", - "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression", - "providerARNs": [ - "arn:aws:1" - ], - "type": "cognito_user_pools" - }, - "x-amazon-apigateway-authtype": "cognito_user_pools" - }, "MyLambdaTokenAuthNoneFunctionInvokeRole": { "in": "header", "type": "apiKey", @@ -318,13 +311,14 @@ }, "x-amazon-apigateway-authtype": "cognito_user_pools" }, - "MyLambdaTokenAuth": { + "MyLambdaRequestAuth": { "in": "header", "type": "apiKey", - "name": "MyCustomAuthHeader", + "name": "Unused", "x-amazon-apigateway-authorizer": { - "type": "token", - "authorizerResultTtlInSeconds": 20, + "type": "request", + "authorizerResultTtlInSeconds": 0, + "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", "authorizerUri": { "Fn::Sub": [ "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", @@ -333,19 +327,30 @@ } ] }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", - "identityValidationExpression": "mycustomauthexpression" + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" }, "x-amazon-apigateway-authtype": "custom" }, - "MyLambdaRequestAuth": { + "MyCognitoAuth": { "in": "header", "type": "apiKey", - "name": "Unused", + "name": "MyAuthorizationHeader", "x-amazon-apigateway-authorizer": { - "type": "request", - "authorizerResultTtlInSeconds": 0, - "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", + "identityValidationExpression": "myauthvalidationexpression", + "providerARNs": [ + "arn:aws:1" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "MyLambdaTokenAuth": { + "in": "header", + "type": "apiKey", + "name": "MyCustomAuthHeader", + "x-amazon-apigateway-authorizer": { + "type": "token", + "authorizerResultTtlInSeconds": 20, "authorizerUri": { "Fn::Sub": [ "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", @@ -354,9 +359,15 @@ } ] }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", + "identityValidationExpression": "mycustomauthexpression" }, "x-amazon-apigateway-authtype": "custom" + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } } } @@ -470,11 +481,20 @@ } } }, + "MyApiDeploymente67481ad45": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApi" + }, + "Description": "RestApi deployment id: e67481ad4559fa2ba87f90009db679ae7d0c7c57" + } + }, "MyApiProdStage": { "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiDeployment26330d35c8" + "Ref": "MyApiDeploymente67481ad45" }, "RestApiId": { "Ref": "MyApi" diff --git a/tests/translator/output/aws-us-gov/globals_for_api.json b/tests/translator/output/aws-us-gov/globals_for_api.json index 138c62aedb..42b4008f31 100644 --- a/tests/translator/output/aws-us-gov/globals_for_api.json +++ b/tests/translator/output/aws-us-gov/globals_for_api.json @@ -91,6 +91,9 @@ "security": [ { "MyCognitoAuth": [] + }, + { + "api_key": [] } ], "responses": {} @@ -115,6 +118,11 @@ "type": "cognito_user_pools" }, "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } } }, @@ -142,7 +150,7 @@ }, "CacheClusterEnabled": true, "DeploymentId": { - "Ref": "ServerlessRestApiDeploymentc969c99f9d" + "Ref": "ServerlessRestApiDeployment6fd1928d9b" } } }, @@ -159,10 +167,20 @@ }, "CacheClusterEnabled": true, "DeploymentId": { - "Ref": "ExplicitApiDeploymentd5fa0145e9" + "Ref": "ExplicitApiDeployment43e01e673d" } } }, + "ExplicitApiDeployment43e01e673d": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "ExplicitApi" + }, + "Description": "RestApi deployment id: 43e01e673d7acbd09e4c38ff78dd6ddaf2ed1d55", + "StageName": "Stage" + } + }, "ImplicitApiFunctionGetHtmlPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -184,23 +202,13 @@ } } }, - "ServerlessRestApiDeploymentc969c99f9d": { + "ServerlessRestApiDeployment6fd1928d9b": { "Type": "AWS::ApiGateway::Deployment", "Properties": { "RestApiId": { "Ref": "ServerlessRestApi" }, - "Description": "RestApi deployment id: c969c99f9d6b6921dff605a206e8989bdb7d1bc7", - "StageName": "Stage" - } - }, - "ExplicitApiDeploymentd5fa0145e9": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "ExplicitApi" - }, - "Description": "RestApi deployment id: d5fa0145e9e6393911d32967e66fd7091d605483", + "Description": "RestApi deployment id: 6fd1928d9b9ad3c711a371e1337306458029f8bd", "StageName": "Stage" } }, @@ -248,6 +256,9 @@ "security": [ { "MyCognitoAuth": [] + }, + { + "api_key": [] } ], "responses": {} @@ -272,6 +283,11 @@ "type": "cognito_user_pools" }, "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } } }, diff --git a/tests/translator/output/aws-us-gov/implicit_api_with_auth_and_conditions_max.json b/tests/translator/output/aws-us-gov/implicit_api_with_auth_and_conditions_max.json index ee12134b50..c29ef0c3b5 100644 --- a/tests/translator/output/aws-us-gov/implicit_api_with_auth_and_conditions_max.json +++ b/tests/translator/output/aws-us-gov/implicit_api_with_auth_and_conditions_max.json @@ -4,259 +4,248 @@ "Fn::Or": [ { "Condition": "FunctionCondition" - }, + }, { "Condition": "FunctionCondition2" - }, + }, { "Condition": "FunctionCondition3" - }, + }, { "Condition": "FunctionCondition4" - }, + }, { "Condition": "FunctionCondition5" - }, + }, { "Condition": "FunctionCondition6" } ] - }, + }, "FunctionCondition6": { "Fn::Equals": [ - true, + true, false ] - }, + }, "FunctionCondition5": { "Fn::Equals": [ - true, + true, false ] - }, + }, "FunctionCondition4": { "Fn::Equals": [ - true, + true, false ] - }, + }, "FunctionCondition3": { "Fn::Equals": [ - true, + true, false ] - }, + }, "FunctionCondition2": { "Fn::Equals": [ - true, + true, false ] - }, + }, "ServerlessRestApiSLASHusersPathCondition": { "Fn::Or": [ { "Condition": "FunctionCondition2" - }, + }, { "Condition": "FunctionCondition3" - }, + }, { "Condition": "FunctionCondition4" - }, + }, { "Condition": "FunctionCondition5" - }, + }, { "Condition": "FunctionCondition6" } ] - }, + }, "FunctionCondition": { "Fn::Equals": [ - true, + true, false ] } - }, + }, "Resources": { "MyFunction4WithLambdaTokenAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction4" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "ServerlessRestApi" } } ] } - }, + }, "Condition": "FunctionCondition4" - }, + }, "MyFunction4": { - "Type": "AWS::Lambda::Function", + "Type": "AWS::Lambda::Function", "Properties": { - "Handler": "index.handler", + "Handler": "index.handler", "Code": { - "S3Bucket": "sam-demo-bucket", + "S3Bucket": "sam-demo-bucket", "S3Key": "thumbnails.zip" - }, + }, "Role": { "Fn::GetAtt": [ - "MyFunction4Role", + "MyFunction4Role", "Arn" ] - }, - "Runtime": "nodejs8.10", + }, + "Runtime": "nodejs8.10", "Tags": [ { - "Value": "SAM", + "Value": "SAM", "Key": "lambda:createdBy" } ] - }, + }, "Condition": "FunctionCondition4" - }, + }, "MyFunction6": { - "Type": "AWS::Lambda::Function", + "Type": "AWS::Lambda::Function", "Properties": { - "Handler": "index.handler", + "Handler": "index.handler", "Code": { - "S3Bucket": "sam-demo-bucket", + "S3Bucket": "sam-demo-bucket", "S3Key": "thumbnails.zip" - }, + }, "Role": { "Fn::GetAtt": [ - "MyFunction6Role", + "MyFunction6Role", "Arn" ] - }, - "Runtime": "nodejs8.10", + }, + "Runtime": "nodejs8.10", "Tags": [ { - "Value": "SAM", + "Value": "SAM", "Key": "lambda:createdBy" } ] - }, + }, "Condition": "FunctionCondition6" - }, - "ServerlessRestApiDeploymentc06acce7cc": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "ServerlessRestApi" - }, - "Description": "RestApi deployment id: c06acce7cc8764dcad4cb4a7c74b2d0b43310c00", - "StageName": "Stage" - }, - "Condition": "ServerlessRestApiCondition" - }, + }, "MyFunction2WithCognitoMultipleUserPoolsAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction2" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "ServerlessRestApi" } } ] } - }, + }, "Condition": "FunctionCondition2" - }, + }, "MyFunction3": { - "Type": "AWS::Lambda::Function", + "Type": "AWS::Lambda::Function", "Properties": { - "Handler": "index.handler", + "Handler": "index.handler", "Code": { - "S3Bucket": "sam-demo-bucket", + "S3Bucket": "sam-demo-bucket", "S3Key": "thumbnails.zip" - }, + }, "Role": { "Fn::GetAtt": [ - "MyFunction3Role", + "MyFunction3Role", "Arn" ] - }, - "Runtime": "nodejs8.10", + }, + "Runtime": "nodejs8.10", "Tags": [ { - "Value": "SAM", + "Value": "SAM", "Key": "lambda:createdBy" } ] - }, + }, "Condition": "FunctionCondition3" - }, + }, "MyFunction2": { - "Type": "AWS::Lambda::Function", + "Type": "AWS::Lambda::Function", "Properties": { - "Handler": "index.handler", + "Handler": "index.handler", "Code": { - "S3Bucket": "sam-demo-bucket", + "S3Bucket": "sam-demo-bucket", "S3Key": "thumbnails.zip" - }, + }, "Role": { "Fn::GetAtt": [ - "MyFunction2Role", + "MyFunction2Role", "Arn" ] - }, - "Runtime": "nodejs8.10", + }, + "Runtime": "nodejs8.10", "Tags": [ { - "Value": "SAM", + "Value": "SAM", "Key": "lambda:createdBy" } ] - }, + }, "Condition": "FunctionCondition2" - }, + }, "ServerlessRestApiProdStage": { - "Type": "AWS::ApiGateway::Stage", + "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "ServerlessRestApiDeploymentc06acce7cc" - }, + "Ref": "ServerlessRestApiDeployment91a6380656" + }, "RestApiId": { "Ref": "ServerlessRestApi" - }, + }, "StageName": "Prod" - }, + }, "Condition": "ServerlessRestApiCondition" - }, + }, "MyFunction5Role": { - "Type": "AWS::IAM::Role", + "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": [ "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], + ], "AssumeRolePolicyDocument": { - "Version": "2012-10-17", + "Version": "2012-10-17", "Statement": [ { "Action": [ "sts:AssumeRole" - ], - "Effect": "Allow", + ], + "Effect": "Allow", "Principal": { "Service": [ "lambda.amazonaws.com" @@ -265,23 +254,23 @@ } ] } - }, + }, "Condition": "FunctionCondition5" - }, + }, "MyFunction2Role": { - "Type": "AWS::IAM::Role", + "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": [ "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], + ], "AssumeRolePolicyDocument": { - "Version": "2012-10-17", + "Version": "2012-10-17", "Statement": [ { "Action": [ "sts:AssumeRole" - ], - "Effect": "Allow", + ], + "Effect": "Allow", "Principal": { "Service": [ "lambda.amazonaws.com" @@ -290,23 +279,23 @@ } ] } - }, + }, "Condition": "FunctionCondition2" - }, + }, "MyFunction4Role": { - "Type": "AWS::IAM::Role", + "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": [ "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], + ], "AssumeRolePolicyDocument": { - "Version": "2012-10-17", + "Version": "2012-10-17", "Statement": [ { "Action": [ "sts:AssumeRole" - ], - "Effect": "Allow", + ], + "Effect": "Allow", "Principal": { "Service": [ "lambda.amazonaws.com" @@ -315,69 +304,69 @@ } ] } - }, + }, "Condition": "FunctionCondition4" - }, + }, "MyFunction3WithLambdaTokenAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction3" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "ServerlessRestApi" } } ] } - }, + }, "Condition": "FunctionCondition3" - }, + }, "MyFunction5": { - "Type": "AWS::Lambda::Function", + "Type": "AWS::Lambda::Function", "Properties": { - "Handler": "index.handler", + "Handler": "index.handler", "Code": { - "S3Bucket": "sam-demo-bucket", + "S3Bucket": "sam-demo-bucket", "S3Key": "thumbnails.zip" - }, + }, "Role": { "Fn::GetAtt": [ - "MyFunction5Role", + "MyFunction5Role", "Arn" ] - }, - "Runtime": "nodejs8.10", + }, + "Runtime": "nodejs8.10", "Tags": [ { - "Value": "SAM", + "Value": "SAM", "Key": "lambda:createdBy" } ] - }, + }, "Condition": "FunctionCondition5" - }, + }, "MyFunction6Role": { - "Type": "AWS::IAM::Role", + "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": [ "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], + ], "AssumeRolePolicyDocument": { - "Version": "2012-10-17", + "Version": "2012-10-17", "Statement": [ { "Action": [ "sts:AssumeRole" - ], - "Effect": "Allow", + ], + "Effect": "Allow", "Principal": { "Service": [ "lambda.amazonaws.com" @@ -386,18 +375,18 @@ } ] } - }, + }, "Condition": "FunctionCondition6" - }, + }, "ServerlessRestApiMyLambdaTokenAuthAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": "arn:aws", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "arn:aws", "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { "Ref": "ServerlessRestApi" @@ -405,67 +394,67 @@ } ] } - }, + }, "Condition": "ServerlessRestApiCondition" - }, + }, "MyFunctionWithNoAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "ServerlessRestApi" } } ] } - }, + }, "Condition": "FunctionCondition" - }, + }, "MyFunction6WithDefaultAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction6" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "ServerlessRestApi" } } ] } - }, + }, "Condition": "FunctionCondition6" - }, + }, "MyFunction3Role": { - "Type": "AWS::IAM::Role", + "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": [ "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], + ], "AssumeRolePolicyDocument": { - "Version": "2012-10-17", + "Version": "2012-10-17", "Statement": [ { "Action": [ "sts:AssumeRole" - ], - "Effect": "Allow", + ], + "Effect": "Allow", "Principal": { "Service": [ "lambda.amazonaws.com" @@ -474,64 +463,64 @@ } ] } - }, + }, "Condition": "FunctionCondition3" - }, + }, "MyFunction": { - "Type": "AWS::Lambda::Function", + "Type": "AWS::Lambda::Function", "Properties": { - "Handler": "index.handler", + "Handler": "index.handler", "Code": { - "S3Bucket": "sam-demo-bucket", + "S3Bucket": "sam-demo-bucket", "S3Key": "thumbnails.zip" - }, + }, "Role": { "Fn::GetAtt": [ - "MyFunctionRole", + "MyFunctionRole", "Arn" ] - }, - "Runtime": "nodejs8.10", + }, + "Runtime": "nodejs8.10", "Tags": [ { - "Value": "SAM", + "Value": "SAM", "Key": "lambda:createdBy" } ] - }, + }, "Condition": "FunctionCondition" - }, + }, "MyFunction4WithLambdaTokenAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction4" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "ServerlessRestApi" } } ] } - }, + }, "Condition": "FunctionCondition4" - }, + }, "ServerlessRestApiMyLambdaRequestAuthAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": "arn:aws", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "arn:aws", "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { "Ref": "ServerlessRestApi" @@ -539,40 +528,40 @@ } ] } - }, + }, "Condition": "ServerlessRestApiCondition" - }, + }, "MyFunction5WithLambdaRequestAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction5" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "ServerlessRestApi" } } ] } - }, + }, "Condition": "FunctionCondition5" - }, + }, "ServerlessRestApiMyLambdaTokenAuthNoneFunctionInvokeRoleAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": "arn:aws", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "arn:aws", "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { "Ref": "ServerlessRestApi" @@ -580,45 +569,45 @@ } ] } - }, + }, "Condition": "ServerlessRestApiCondition" - }, + }, "MyFunctionWithNoAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "ServerlessRestApi" } } ] } - }, + }, "Condition": "FunctionCondition" - }, + }, "MyFunctionRole": { - "Type": "AWS::IAM::Role", + "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": [ "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], + ], "AssumeRolePolicyDocument": { - "Version": "2012-10-17", + "Version": "2012-10-17", "Statement": [ { "Action": [ "sts:AssumeRole" - ], - "Effect": "Allow", + ], + "Effect": "Allow", "Principal": { "Service": [ "lambda.amazonaws.com" @@ -627,414 +616,433 @@ } ] } - }, + }, "Condition": "FunctionCondition" - }, + }, "MyFunction5WithLambdaRequestAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction5" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "ServerlessRestApi" } } ] } - }, + }, "Condition": "FunctionCondition5" - }, + }, + "ServerlessRestApiDeployment91a6380656": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "ServerlessRestApi" + }, + "Description": "RestApi deployment id: 91a63806562bbe4a3ad1c14c2444bc7d8d27397c", + "StageName": "Stage" + }, + "Condition": "ServerlessRestApiCondition" + }, "MyFunction3WithLambdaTokenAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction3" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "ServerlessRestApi" } } ] } - }, + }, "Condition": "FunctionCondition3" - }, + }, "MyFunction6WithDefaultAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction6" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "ServerlessRestApi" } } ] } - }, + }, "Condition": "FunctionCondition6" - }, + }, "ServerlessRestApi": { - "Type": "AWS::ApiGateway::RestApi", + "Type": "AWS::ApiGateway::RestApi", "Properties": { "Body": { "info": { - "version": "1.0", + "version": "1.0", "title": { "Ref": "AWS::StackName" } - }, + }, "paths": { "/": { "Fn::If": [ - "FunctionCondition", + "FunctionCondition", { "get": { "Fn::If": [ - "FunctionCondition", + "FunctionCondition", { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::If": [ - "FunctionCondition", + "FunctionCondition", { "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" - }, + }, { "Ref": "AWS::NoValue" } ] } - }, + }, "security": [ { "NONE": [] } - ], + ], "responses": {} - }, + }, { "Ref": "AWS::NoValue" } ] } - }, + }, { "Ref": "AWS::NoValue" } ] - }, + }, "/users": { "Fn::If": [ - "ServerlessRestApiSLASHusersPathCondition", + "ServerlessRestApiSLASHusersPathCondition", { "put": { "Fn::If": [ - "FunctionCondition6", + "FunctionCondition6", { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::If": [ - "FunctionCondition6", + "FunctionCondition6", { "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction6.Arn}/invocations" - }, + }, { "Ref": "AWS::NoValue" } ] } - }, + }, "security": [ + { + "api_key": [] + }, { "MyCognitoAuth": [] } - ], + ], "responses": {} - }, + }, { "Ref": "AWS::NoValue" } ] - }, + }, "patch": { "Fn::If": [ - "FunctionCondition4", + "FunctionCondition4", { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::If": [ - "FunctionCondition4", + "FunctionCondition4", { "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction4.Arn}/invocations" - }, + }, { "Ref": "AWS::NoValue" } ] } - }, + }, "security": [ { "MyLambdaTokenAuthNoneFunctionInvokeRole": [] } - ], + ], "responses": {} - }, + }, { "Ref": "AWS::NoValue" } ] - }, + }, "post": { "Fn::If": [ - "FunctionCondition2", + "FunctionCondition2", { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::If": [ - "FunctionCondition2", + "FunctionCondition2", { "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction2.Arn}/invocations" - }, + }, { "Ref": "AWS::NoValue" } ] } - }, + }, "security": [ { "MyCognitoAuthMultipleUserPools": [] } - ], + ], "responses": {} - }, + }, { "Ref": "AWS::NoValue" } ] - }, + }, "get": { "Fn::If": [ - "FunctionCondition3", + "FunctionCondition3", { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::If": [ - "FunctionCondition3", + "FunctionCondition3", { "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction3.Arn}/invocations" - }, + }, { "Ref": "AWS::NoValue" } ] } - }, + }, "security": [ { "MyLambdaTokenAuth": [] } - ], + ], "responses": {} - }, + }, { "Ref": "AWS::NoValue" } ] - }, + }, "delete": { "Fn::If": [ - "FunctionCondition5", + "FunctionCondition5", { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::If": [ - "FunctionCondition5", + "FunctionCondition5", { "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction5.Arn}/invocations" - }, + }, { "Ref": "AWS::NoValue" } ] } - }, + }, "security": [ { "MyLambdaRequestAuth": [] } - ], + ], "responses": {} - }, + }, { "Ref": "AWS::NoValue" } ] } - }, + }, { "Ref": "AWS::NoValue" } ] } - }, - "swagger": "2.0", + }, + "swagger": "2.0", "securityDefinitions": { - "MyCognitoAuth": { - "in": "header", - "type": "apiKey", - "name": "MyAuthorizationHeader", - "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression", - "providerARNs": [ - "arn:aws:1" - ], - "type": "cognito_user_pools" - }, - "x-amazon-apigateway-authtype": "cognito_user_pools" - }, "MyLambdaTokenAuthNoneFunctionInvokeRole": { - "in": "header", - "type": "apiKey", - "name": "Authorization", + "in": "header", + "type": "apiKey", + "name": "Authorization", "x-amazon-apigateway-authorizer": { - "type": "token", - "authorizerResultTtlInSeconds": 0, + "type": "token", + "authorizerResultTtlInSeconds": 0, "authorizerUri": { "Fn::Sub": [ - "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { "__FunctionArn__": "arn:aws" } ] } - }, + }, "x-amazon-apigateway-authtype": "custom" - }, - "MyCognitoAuthMultipleUserPools": { - "in": "header", - "type": "apiKey", - "name": "MyAuthorizationHeader2", - "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression2", - "providerARNs": [ - "arn:aws:2", - "arn:aws:3" - ], - "type": "cognito_user_pools" - }, - "x-amazon-apigateway-authtype": "cognito_user_pools" - }, - "MyLambdaTokenAuth": { - "in": "header", - "type": "apiKey", - "name": "MyCustomAuthHeader", + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + }, + "MyLambdaRequestAuth": { + "in": "header", + "type": "apiKey", + "name": "Unused", "x-amazon-apigateway-authorizer": { - "type": "token", - "authorizerResultTtlInSeconds": 20, + "type": "request", + "authorizerResultTtlInSeconds": 0, + "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", "authorizerUri": { "Fn::Sub": [ - "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { "__FunctionArn__": "arn:aws" } ] - }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", - "identityValidationExpression": "mycustomauthexpression" - }, + }, + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" + }, "x-amazon-apigateway-authtype": "custom" - }, - "MyLambdaRequestAuth": { - "in": "header", - "type": "apiKey", - "name": "Unused", + }, + "MyCognitoAuth": { + "in": "header", + "type": "apiKey", + "name": "MyAuthorizationHeader", "x-amazon-apigateway-authorizer": { - "type": "request", - "authorizerResultTtlInSeconds": 0, - "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", + "identityValidationExpression": "myauthvalidationexpression", + "providerARNs": [ + "arn:aws:1" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "MyLambdaTokenAuth": { + "in": "header", + "type": "apiKey", + "name": "MyCustomAuthHeader", + "x-amazon-apigateway-authorizer": { + "type": "token", + "authorizerResultTtlInSeconds": 20, "authorizerUri": { "Fn::Sub": [ - "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { "__FunctionArn__": "arn:aws" } ] - }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" - }, + }, + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", + "identityValidationExpression": "mycustomauthexpression" + }, "x-amazon-apigateway-authtype": "custom" + }, + "MyCognitoAuthMultipleUserPools": { + "in": "header", + "type": "apiKey", + "name": "MyAuthorizationHeader2", + "x-amazon-apigateway-authorizer": { + "identityValidationExpression": "myauthvalidationexpression2", + "providerARNs": [ + "arn:aws:2", + "arn:aws:3" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" } } - }, + }, "EndpointConfiguration": { "Types": [ "REGIONAL" ] - }, + }, "Parameters": { "endpointConfigurationTypes": "REGIONAL" } - }, + }, "Condition": "ServerlessRestApiCondition" - }, + }, "MyFunction2WithCognitoMultipleUserPoolsAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction2" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "ServerlessRestApi" } } ] } - }, + }, "Condition": "FunctionCondition2" } } -} +} \ No newline at end of file diff --git a/tests/translator/output/globals_for_api.json b/tests/translator/output/globals_for_api.json index 13abe41971..23bbf1472d 100644 --- a/tests/translator/output/globals_for_api.json +++ b/tests/translator/output/globals_for_api.json @@ -68,6 +68,16 @@ } } }, + "ServerlessRestApiDeploymentaa32438b68": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "ServerlessRestApi" + }, + "Description": "RestApi deployment id: aa32438b68e05d3771a975585dfbc7b012672b55", + "StageName": "Stage" + } + }, "ExplicitApi": { "Type": "AWS::ApiGateway::RestApi", "Properties": { @@ -91,6 +101,9 @@ "security": [ { "MyCognitoAuth": [] + }, + { + "api_key": [] } ], "responses": {} @@ -115,6 +128,11 @@ "type": "cognito_user_pools" }, "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } } }, @@ -134,20 +152,10 @@ }, "CacheClusterEnabled": true, "DeploymentId": { - "Ref": "ServerlessRestApiDeploymentdb4b9da82a" + "Ref": "ServerlessRestApiDeploymentaa32438b68" } } }, - "ServerlessRestApiDeploymentdb4b9da82a": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "ServerlessRestApi" - }, - "Description": "RestApi deployment id: db4b9da82adc6031fcd32bf3a4954485464fc009", - "StageName": "Stage" - } - }, "ExplicitApiSomeStageStage": { "Type": "AWS::ApiGateway::Stage", "Properties": { @@ -161,10 +169,20 @@ }, "CacheClusterEnabled": true, "DeploymentId": { - "Ref": "ExplicitApiDeploymentd5fa0145e9" + "Ref": "ExplicitApiDeployment43e01e673d" } } }, + "ExplicitApiDeployment43e01e673d": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "ExplicitApi" + }, + "Description": "RestApi deployment id: 43e01e673d7acbd09e4c38ff78dd6ddaf2ed1d55", + "StageName": "Stage" + } + }, "ImplicitApiFunctionGetHtmlPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -186,16 +204,6 @@ } } }, - "ExplicitApiDeploymentd5fa0145e9": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "ExplicitApi" - }, - "Description": "RestApi deployment id: d5fa0145e9e6393911d32967e66fd7091d605483", - "StageName": "Stage" - } - }, "MyUserPool": { "Type": "AWS::Cognito::UserPool", "Properties": { @@ -240,6 +248,9 @@ "security": [ { "MyCognitoAuth": [] + }, + { + "api_key": [] } ], "responses": {} @@ -264,6 +275,11 @@ "type": "cognito_user_pools" }, "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } } }, diff --git a/tests/translator/output/implicit_api_with_auth_and_conditions_max.json b/tests/translator/output/implicit_api_with_auth_and_conditions_max.json index a3e2433541..28dc23d353 100644 --- a/tests/translator/output/implicit_api_with_auth_and_conditions_max.json +++ b/tests/translator/output/implicit_api_with_auth_and_conditions_max.json @@ -223,7 +223,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "ServerlessRestApiDeploymente09cc405ab" + "Ref": "ServerlessRestApiDeploymentcbc79073ff" }, "RestApiId": { "Ref": "ServerlessRestApi" @@ -282,6 +282,17 @@ }, "Condition": "FunctionCondition2" }, + "ServerlessRestApiDeploymentcbc79073ff": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "ServerlessRestApi" + }, + "Description": "RestApi deployment id: cbc79073ff900d53c3f67ea223640210914a672c", + "StageName": "Stage" + }, + "Condition": "ServerlessRestApiCondition" + }, "MyFunction4Role": { "Type": "AWS::IAM::Role", "Properties": { @@ -685,17 +696,6 @@ }, "Condition": "FunctionCondition6" }, - "ServerlessRestApiDeploymente09cc405ab": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "ServerlessRestApi" - }, - "Description": "RestApi deployment id: e09cc405abe09a0afb9e5f0cb2e94cfba98767d5", - "StageName": "Stage" - }, - "Condition": "ServerlessRestApiCondition" - }, "ServerlessRestApi": { "Type": "AWS::ApiGateway::RestApi", "Properties": { @@ -772,6 +772,9 @@ } }, "security": [ + { + "api_key": [] + }, { "MyCognitoAuth": [] } @@ -916,26 +919,37 @@ }, "swagger": "2.0", "securityDefinitions": { - "MyCognitoAuth": { + "MyLambdaTokenAuthNoneFunctionInvokeRole": { "in": "header", "type": "apiKey", - "name": "MyAuthorizationHeader", + "name": "Authorization", "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression", - "providerARNs": [ - "arn:aws:1" - ], - "type": "cognito_user_pools" + "type": "token", + "authorizerResultTtlInSeconds": 0, + "authorizerUri": { + "Fn::Sub": [ + "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + { + "__FunctionArn__": "arn:aws" + } + ] + } }, - "x-amazon-apigateway-authtype": "cognito_user_pools" + "x-amazon-apigateway-authtype": "custom" }, - "MyLambdaTokenAuthNoneFunctionInvokeRole": { + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + }, + "MyLambdaRequestAuth": { "in": "header", "type": "apiKey", - "name": "Authorization", + "name": "Unused", "x-amazon-apigateway-authorizer": { - "type": "token", + "type": "request", "authorizerResultTtlInSeconds": 0, + "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", "authorizerUri": { "Fn::Sub": [ "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", @@ -943,19 +957,19 @@ "__FunctionArn__": "arn:aws" } ] - } + }, + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" }, "x-amazon-apigateway-authtype": "custom" }, - "MyCognitoAuthMultipleUserPools": { + "MyCognitoAuth": { "in": "header", "type": "apiKey", - "name": "MyAuthorizationHeader2", + "name": "MyAuthorizationHeader", "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression2", + "identityValidationExpression": "myauthvalidationexpression", "providerARNs": [ - "arn:aws:2", - "arn:aws:3" + "arn:aws:1" ], "type": "cognito_user_pools" }, @@ -981,25 +995,19 @@ }, "x-amazon-apigateway-authtype": "custom" }, - "MyLambdaRequestAuth": { + "MyCognitoAuthMultipleUserPools": { "in": "header", "type": "apiKey", - "name": "Unused", + "name": "MyAuthorizationHeader2", "x-amazon-apigateway-authorizer": { - "type": "request", - "authorizerResultTtlInSeconds": 0, - "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", - "authorizerUri": { - "Fn::Sub": [ - "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", - { - "__FunctionArn__": "arn:aws" - } - ] - }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" + "identityValidationExpression": "myauthvalidationexpression2", + "providerARNs": [ + "arn:aws:2", + "arn:aws:3" + ], + "type": "cognito_user_pools" }, - "x-amazon-apigateway-authtype": "custom" + "x-amazon-apigateway-authtype": "cognito_user_pools" } } } @@ -1029,4 +1037,4 @@ "Condition": "FunctionCondition2" } } -} +} \ No newline at end of file diff --git a/tests/translator/test_translator.py b/tests/translator/test_translator.py index 89402cfbfd..f2c4049cef 100644 --- a/tests/translator/test_translator.py +++ b/tests/translator/test_translator.py @@ -260,6 +260,8 @@ class TestTranslatorEndToEnd(TestCase): 'implicit_and_explicit_api_with_conditions', 'api_with_cors_and_conditions_no_definitionbody', 'api_with_auth_and_conditions_all_max', + 'api_with_apikey_default_override', + 'api_with_apikey_required', ], [ ("aws", "ap-southeast-1"), @@ -331,7 +333,8 @@ def test_transform_success(self, testcase, partition_with_region): 'api_with_auth_all_minimum_openapi', 'api_with_swagger_and_openapi_with_auth', 'api_with_openapi_definition_body_no_flag', - 'api_request_model_openapi_3' + 'api_request_model_openapi_3', + 'api_with_apikey_required_openapi_3' ], [ ("aws", "ap-southeast-1"), diff --git a/versions/2016-10-31.md b/versions/2016-10-31.md index 9493abadee..cc973c0130 100644 --- a/versions/2016-10-31.md +++ b/versions/2016-10-31.md @@ -226,7 +226,7 @@ EndpointConfiguration | `string` | Specify the type of endpoint for API endpoint BinaryMediaTypes | List of `string` | List of MIME types that your API could return. Use this to enable binary support for APIs. Use `~1` instead of `/` in the mime types (See examples in [template.yaml](../examples/2016-10-31/implicit_api_settings/template.yaml)). MinimumCompressionSize | `int` | Allow compression of response bodies based on client's Accept-Encoding header. Compression is triggered when response body size is greater than or equal to your configured threshold. The maximum body size threshold is 10 MB (10,485,760 Bytes). The following compression types are supported: gzip, deflate, and identity. Cors | `string` or [Cors Configuration](#cors-configuration) | Enable CORS for all your APIs. Specify the domain to allow as a string or specify a dictionary with additional [Cors Configuration](#cors-configuration). NOTE: Cors requires SAM to modify your Swagger definition. Hence it works only inline swagger defined with `DefinitionBody`. -Auth | [API Auth Object](#api-auth-object) | Auth configuration for this API. Define Lambda and Cognito `Authorizers` and specify a `DefaultAuthorizer` for this API. +Auth | [API Auth Object](#api-auth-object) | Auth configuration for this API. Define Lambda and Cognito `Authorizers` and specify a `DefaultAuthorizer` for this API. Can specify default ApiKey restriction using `ApiKeyRequired`. GatewayResponses | Map of [Gateway Response Type](https://docs.aws.amazon.com/apigateway/api-reference/resource/gateway-response/) to [Gateway Response Object](#gateway-response-object) | Configures Gateway Reponses for an API. Gateway Responses are responses returned by API Gateway, either directly or through the use of Lambda Authorizers. Keys for this object are passed through to Api Gateway, so any value supported by `GatewayResponse.responseType` is supported here. AccessLogSetting | [CloudFormation AccessLogSetting property](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-stage-accesslogsetting.html) | Configures Access Log Setting for a stage. This value is passed through to CloudFormation, so any value supported by `AccessLogSetting` is supported here. CanarySetting | [CloudFormation CanarySetting property](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-stage-canarysetting.html) | Configure a Canary Setting to a Stage of a regular deployment. This value is passed through to Cloudformation, so any value supported by `CanarySetting` is supported here. @@ -526,7 +526,7 @@ Property Name | Type | Description Path | `string` | **Required.** Uri path for which this function is invoked. MUST start with `/`. Method | `string` | **Required.** HTTP method for which this function is invoked. RestApiId | `string` | Identifier of a RestApi resource which MUST contain an operation with the given path and method. Typically, this is set to [reference](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html) an `AWS::Serverless::Api` resource defined in this template. If not defined, a default `AWS::Serverless::Api` resource is created using a generated Swagger document contains a union of all paths and methods defined by `Api` events defined in this template that do not specify a RestApiId. -Auth | [Function Auth Object](#function-auth-object) | Auth configuration for this specific Api+Path+Method. Useful for overriding the API's `DefaultAuthorizer` or setting auth config on an individual path when no `DefaultAuthorizer` is specified. +Auth | [Function Auth Object](#function-auth-object) | Auth configuration for this specific Api+Path+Method. Useful for overriding the API's `DefaultAuthorizer` setting auth config on an individual path when no `DefaultAuthorizer` is specified or overriding the default `ApiKeyRequired' setting. RequestModel | [Function Request Model Object](#function-request-model-object) | Request model configuration for this specific Api+Path+Method. ##### Example: Api event source object @@ -781,10 +781,14 @@ Cors: #### API Auth Object -Configure Auth on APIs. Define Lambda and Cognito `Authorizers` and specify a `DefaultAuthorizer`. If you use IAM permission, only specify `AWS_IAM` to a `DefaultAuthorizer`. For more information, see the documentation on [Lambda Authorizers](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html) and [Amazon Cognito User Pool Authorizers](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html) and [IAM Permissions](https://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html). +Configure Auth on APIs. + +**Authorizers:** +Define Lambda and Cognito `Authorizers` and specify a `DefaultAuthorizer`. If you use IAM permission, only specify `AWS_IAM` to a `DefaultAuthorizer`. For more information, see the documentation on [Lambda Authorizers](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html) and [Amazon Cognito User Pool Authorizers](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html) and [IAM Permissions](https://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html). ```yaml Auth: + ApiKeyRequired: true # OPTIONAL DefaultAuthorizer: MyCognitoAuth # OPTIONAL, if you use IAM permissions, specify AWS_IAM. Authorizers: MyCognitoAuth: @@ -819,6 +823,15 @@ Auth: ReauthorizeEvery: 0 # OPTIONAL; Service Default: 300 ``` +**ApiKey:** +Configure ApiKey restriction for all methods and paths on an API. This setting can be overriden on individual `AWS::Serverless::Function` using the [Function Auth Object](#function-auth-object). Typically this would be used to require ApiKey on all methods and then override it on select methods that you want to be public. + +```yaml +Auth: + ApiKeyRequired: true +``` + + #### Function Auth Object Configure Auth for a specific Api+Path+Method. @@ -835,6 +848,20 @@ Auth: Authorizer: 'NONE' ``` +Require api keys for a specific Api+Path+Method. + +```yaml +Auth: + ApiKeyRequired: true +``` + +If you have specified `ApiKeyRequired: true` globally on the API and want to make a specific Function public, override with the following: + +```yaml +Auth: + ApiKeyRequired: false +``` + #### Function Request Model Object Configure Request Model for a specific Api+Path+Method.