From beef4cf24c5c4db6b4061dce25d39103656eef62 Mon Sep 17 00:00:00 2001 From: Cris Barbero Date: Fri, 24 May 2019 13:41:48 -0600 Subject: [PATCH 1/7] Initial work to add ApiKeyRequired support - Implement new translator tests - Add swagger.py unit tests - Update documentation - refactor Auth handling in swagger.py --- samtranslator/model/api/api_generator.py | 16 +- samtranslator/model/eventsources/push.py | 52 +- samtranslator/swagger/swagger.py | 316 +++++-- tests/swagger/test_swagger.py | 120 ++- .../api_with_apikey_default_override.yaml | 51 ++ .../input/api_with_apikey_required.yaml | 21 + tests/translator/input/globals_for_api.yaml | 1 + ...icit_api_with_auth_and_conditions_max.yaml | 4 +- .../api_with_apikey_default_override.json | 363 ++++++++ .../output/api_with_apikey_required.json | 155 ++++ .../api_with_aws_iam_auth_overrides.json | 28 +- .../output/api_with_default_aws_iam_auth.json | 68 +- .../api_with_apikey_default_override.json | 371 +++++++++ .../aws-cn/api_with_apikey_required.json | 163 ++++ .../api_with_aws_iam_auth_overrides.json | 28 +- .../aws-cn/api_with_default_aws_iam_auth.json | 80 +- .../output/aws-cn/globals_for_api.json | 60 +- ...icit_api_with_auth_and_conditions_max.json | 98 ++- .../api_with_apikey_default_override.json | 371 +++++++++ .../aws-us-gov/api_with_apikey_required.json | 163 ++++ .../api_with_aws_iam_auth_overrides.json | 28 +- .../api_with_default_aws_iam_auth.json | 50 +- .../output/aws-us-gov/globals_for_api.json | 44 +- ...icit_api_with_auth_and_conditions_max.json | 774 +++++++++--------- tests/translator/output/globals_for_api.json | 60 +- ...icit_api_with_auth_and_conditions_max.json | 98 ++- tests/translator/test_translator.py | 2 + versions/2016-10-31.md | 33 +- 28 files changed, 2835 insertions(+), 783 deletions(-) create mode 100644 tests/translator/input/api_with_apikey_default_override.yaml create mode 100644 tests/translator/input/api_with_apikey_required.yaml create mode 100644 tests/translator/output/api_with_apikey_default_override.json create mode 100644 tests/translator/output/api_with_apikey_required.json create mode 100644 tests/translator/output/aws-cn/api_with_apikey_default_override.json create mode 100644 tests/translator/output/aws-cn/api_with_apikey_required.json create mode 100644 tests/translator/output/aws-us-gov/api_with_apikey_default_override.json create mode 100644 tests/translator/output/aws-us-gov/api_with_apikey_required.json diff --git a/samtranslator/model/api/api_generator.py b/samtranslator/model/api/api_generator.py index c906c0e6e0..aa77aa329c 100644 --- a/samtranslator/model/api/api_generator.py +++ b/samtranslator/model/api/api_generator.py @@ -21,8 +21,8 @@ CorsProperties.__new__.__defaults__ = (None, None, _CORS_WILDCARD, None, False) AuthProperties = namedtuple("_AuthProperties", - ["Authorizers", "DefaultAuthorizer", "InvokeRole", "AddDefaultAuthorizerToCorsPreflight"]) -AuthProperties.__new__.__defaults__ = (None, None, None, True) + ["Authorizers", "DefaultAuthorizer", "InvokeRole", "AddDefaultAuthorizerToCorsPreflight", "ApiKeyRequired"]) +AuthProperties.__new__.__defaults__ = (None, None, None, True, None) GatewayResponseProperties = ["ResponseParameters", "ResponseTemplates", "StatusCode"] @@ -308,9 +308,13 @@ def _add_auth(self): authorizers = self._get_authorizers(auth_properties.Authorizers, auth_properties.DefaultAuthorizer) if authorizers: - swagger_editor.add_authorizers(authorizers) + swagger_editor.add_authorizers_security_definitions(authorizers) self._set_default_authorizer(swagger_editor, authorizers, auth_properties.DefaultAuthorizer, - auth_properties.AddDefaultAuthorizerToCorsPreflight) + auth_properties.AddDefaultAuthorizerToCorsPreflight) + + if auth_properties.ApiKeyRequired: + swagger_editor.add_apikey_security_definition() + self._set_default_apikey_required(swagger_editor) # Assign the Swagger back to template @@ -523,6 +527,10 @@ def _set_default_authorizer(self, swagger_editor, authorizers, default_authorize swagger_editor.set_path_default_authorizer(path, default_authorizer, authorizers=authorizers, add_default_auth_to_preflight=add_default_auth_to_preflight) + def _set_default_apikey_required(self, swagger_editor): + for path in swagger_editor.iter_on_path(): + swagger_editor.set_path_default_apikey_required(path) + def _set_endpoint_configuration(self, rest_api, value): """ Sets endpoint configuration property of AWS::ApiGateway::RestApi resource diff --git a/samtranslator/model/eventsources/push.py b/samtranslator/model/eventsources/push.py index 14217806fb..087728c67c 100644 --- a/samtranslator/model/eventsources/push.py +++ b/samtranslator/model/eventsources/push.py @@ -71,8 +71,8 @@ class Schedule(PushEventSource): resource_type = 'Schedule' principal = 'events.amazonaws.com' property_types = { - 'Schedule': PropertyType(True, is_str()), - 'Input': PropertyType(False, is_str()) + 'Schedule': PropertyType(True, is_str()), + 'Input': PropertyType(False, is_str()) } def to_cloudformation(self, **kwargs): @@ -109,8 +109,8 @@ def _construct_target(self, function): :rtype: dict """ target = { - 'Arn': function.get_runtime_attr("arn"), - 'Id': self.logical_id + 'LambdaTarget' + 'Arn': function.get_runtime_attr("arn"), + 'Id': self.logical_id + 'LambdaTarget' } if self.Input is not None: target['Input'] = self.Input @@ -123,9 +123,9 @@ class CloudWatchEvent(PushEventSource): resource_type = 'CloudWatchEvent' principal = 'events.amazonaws.com' property_types = { - 'Pattern': PropertyType(False, is_type(dict)), - 'Input': PropertyType(False, is_str()), - 'InputPath': PropertyType(False, is_str()) + 'Pattern': PropertyType(False, is_type(dict)), + 'Input': PropertyType(False, is_str()), + 'InputPath': PropertyType(False, is_str()) } def to_cloudformation(self, **kwargs): @@ -163,8 +163,8 @@ def _construct_target(self, function): :rtype: dict """ target = { - 'Arn': function.get_runtime_attr("arn"), - 'Id': self.logical_id + 'LambdaTarget' + 'Arn': function.get_runtime_attr("arn"), + 'Id': self.logical_id + 'LambdaTarget' } if self.Input is not None: target['Input'] = self.Input @@ -179,9 +179,9 @@ class S3(PushEventSource): resource_type = 'S3' principal = 's3.amazonaws.com' property_types = { - 'Bucket': PropertyType(True, is_str()), - 'Events': PropertyType(True, one_of(is_str(), list_of(is_str()))), - 'Filter': PropertyType(False, dict_of(is_str(), is_str())) + 'Bucket': PropertyType(True, is_str()), + 'Events': PropertyType(True, one_of(is_str(), list_of(is_str()))), + 'Filter': PropertyType(False, dict_of(is_str(), is_str())) } def resources_to_link(self, resources): @@ -343,8 +343,8 @@ class SNS(PushEventSource): resource_type = 'SNS' principal = 'sns.amazonaws.com' property_types = { - 'Topic': PropertyType(True, is_str()), - 'FilterPolicy': PropertyType(False, dict_of(is_str(), list_of(one_of(is_str(), is_type(dict))))) + 'Topic': PropertyType(True, is_str()), + 'FilterPolicy': PropertyType(False, dict_of(is_str(), list_of(one_of(is_str(), is_type(dict))))) } def to_cloudformation(self, **kwargs): @@ -381,13 +381,13 @@ class Api(PushEventSource): resource_type = 'Api' principal = 'apigateway.amazonaws.com' property_types = { - 'Path': PropertyType(True, is_str()), - 'Method': PropertyType(True, is_str()), + 'Path': PropertyType(True, is_str()), + 'Method': PropertyType(True, is_str()), - # Api Event sources must "always" be paired with a Serverless::Api - 'RestApiId': PropertyType(True, is_str()), - 'Auth': PropertyType(False, is_type(dict)), - 'RequestModel': PropertyType(False, is_type(dict)) + # Api Event sources must "always" be paired with a Serverless::Api + 'RestApiId': PropertyType(True, is_str()), + 'Auth': PropertyType(False, is_type(dict)), + 'RequestModel': PropertyType(False, is_type(dict)) } def resources_to_link(self, resources): @@ -536,9 +536,9 @@ def _add_swagger_integration(self, api, function): if self.Auth: method_authorizer = self.Auth.get('Authorizer') + api_auth = api.get('Auth') if method_authorizer: - api_auth = api.get('Auth') api_authorizers = api_auth and api_auth.get('Authorizers') if method_authorizer != 'AWS_IAM': @@ -563,6 +563,16 @@ def _add_swagger_integration(self, api, function): 'is only a valid value when a DefaultAuthorizer on the API is specified.'.format( method=self.Method, path=self.Path)) + apikey_required_setting = self.Auth.get('ApiKeyRequired') + apikey_required_setting_is_false = apikey_required_setting is not None and not apikey_required_setting + if apikey_required_setting_is_false and not api_auth.get('ApiKeyRequired'): + raise InvalidEventException( + self.relative_id, + 'Unable to set ApiKeyRequired [False] on API method [{method}] for path [{path}] ' + 'because the related API does not specify any ApiKeyRequired.'.format( + method=self.Method, path=self.Path)) + + if method_authorizer or apikey_required_setting is not None: editor.add_auth_to_method(api=api, path=self.Path, method_name=self.Method, auth=self.Auth) if self.RequestModel: diff --git a/samtranslator/swagger/swagger.py b/samtranslator/swagger/swagger.py index c823e2a6a0..287730064f 100644 --- a/samtranslator/swagger/swagger.py +++ b/samtranslator/swagger/swagger.py @@ -160,9 +160,9 @@ def add_lambda_integration(self, path, method, integration_uri, path_dict = self.get_path(path) path_dict[method][self._X_APIGW_INTEGRATION] = { - 'type': 'aws_proxy', - 'httpMethod': 'POST', - 'uri': integration_uri + 'type': 'aws_proxy', + 'httpMethod': 'POST', + 'uri': integration_uri } method_auth_config = method_auth_config or {} @@ -389,7 +389,7 @@ def _make_cors_allowed_methods_for_path(self, path): # Allow-Methods is comma separated string return ','.join(allow_methods) - def add_authorizers(self, authorizers): + def add_authorizers_security_definitions(self, authorizers): """ Add Authorizer definitions to the securityDefinitions part of Swagger. @@ -400,11 +400,48 @@ def add_authorizers(self, authorizers): for authorizer_name, authorizer in authorizers.items(): self.security_definitions[authorizer_name] = authorizer.generate_swagger() + def add_awsiam_security_definition(self): + """ + Adds AWS_IAM definition to the securityDefinitions part of Swagger. + Note: this method is idempotent + """ + + aws_iam_security_definition = { + 'AWS_IAM': { + 'x-amazon-apigateway-authtype': 'awsSigv4', + 'type': 'apiKey', + 'name': 'Authorization', + 'in': 'header' + } + } + + self.security_definitions = self.security_definitions or {} + self.security_definitions.update(aws_iam_security_definition) + + def add_apikey_security_definition(self): + """ + Adds api_key definition to the securityDefinitions part of Swagger. + Note: this method is idempotent + """ + + api_key_security_definition = { + 'api_key': { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + } + } + + self.security_definitions = self.security_definitions or {} + self.security_definitions.update(api_key_security_definition) + def set_path_default_authorizer(self, path, default_authorizer, authorizers, add_default_auth_to_preflight=True): """ - Sets the DefaultAuthorizer for each method on this path. The DefaultAuthorizer won't be set if an Authorizer - was defined at the Function/Path/Method level + Adds the default_authorizer to the security block for each method on this path unless an Authorizer + was defined at the Function/Path/Method level. This is intended to be used to set the + authorizer security restriction for all api methods based upon the default configured in the + Serverless API. :param string path: Path name :param string default_authorizer: Name of the authorizer to use as the default. Must be a key in the @@ -416,35 +453,171 @@ def set_path_default_authorizer(self, path, default_authorizer, authorizers, for method_name, method in self.get_path(path).items(): normalized_method_name = self._normalize_method_name(method_name) + # Excluding paramters section if normalized_method_name == "parameters": continue if add_default_auth_to_preflight or normalized_method_name != "options": - self.set_method_authorizer(path, method_name, default_authorizer, authorizers, - default_authorizer=default_authorizer, is_default=True) + normalized_method_name = self._normalize_method_name(method_name) + # It is possible that the method could have two definitions in a Fn::If block. + for method_definition in self.get_method_contents(self.get_path(path)[normalized_method_name]): + + # If no integration given, then we don't need to process this definition (could be AWS::NoValue) + if not self.method_definition_has_integration(method_definition): + continue + existing_security = method_definition.get('security', []) + authorizer_list = ['AWS_IAM'] + if authorizers: + authorizer_list.extend(authorizers.keys()) + authorizer_names = set(authorizer_list) + existing_non_authorizer_security = [] + existing_authorizer_security = [] + + # Split existing security into Authorizers and everything else + # (e.g. sigv4 (AWS_IAM), api_key (API Key/Usage Plans), NONE (marker for ignoring default)) + # We want to ensure only a single Authorizer security entry exists while keeping everything else + for security in existing_security: + if authorizer_names.isdisjoint(security.keys()): + existing_non_authorizer_security.append(security) + else: + existing_authorizer_security.append(security) + + none_idx = -1 + authorizer_security = [] + + # Check for an existing Authorizer before applying the default. It would be simpler + # if instead we applied the DefaultAuthorizer first and then simply + # overwrote it if necessary, however, the order in which things get + # applied (Function Api Events first; then Api Resource) complicates it. + # Check if Function/Path/Method specified 'NONE' for Authorizer + for idx, security in enumerate(existing_non_authorizer_security): + is_none = any(key == 'NONE' for key in security.keys()) + + if is_none: + none_idx = idx + break + + # NONE was found; remove it and don't add the DefaultAuthorizer + if none_idx > -1: + del existing_non_authorizer_security[none_idx] + + # Existing Authorizer found (defined at Function/Path/Method); use that instead of default + elif existing_authorizer_security: + authorizer_security = existing_authorizer_security + + # No existing Authorizer found; use default + else: + security_dict = {} + security_dict[default_authorizer] = [] + authorizer_security = [security_dict] + + security = existing_non_authorizer_security + authorizer_security + + if security: + method_definition['security'] = security + + # The first element of the method_definition['security'] should be AWS_IAM + # because authorizer_list = ['AWS_IAM'] is hardcoded above + if 'AWS_IAM' in method_definition['security'][0]: + self.add_awsiam_security_definition() + + def set_path_default_apikey_required(self, path): + """ + Add the ApiKey security as required for each method on this path unless ApiKeyRequired + was defined at the Function/Path/Method level. This is intended to be used to set the + apikey security restriction for all api methods based upon the default configured in the + Serverless API. + + :param string path: Path name + """ + + for method_name, _ in self.get_path(path).items(): + # Excluding paramters section + if method_name == "parameters": + continue + + normalized_method_name = self._normalize_method_name(method_name) + # It is possible that the method could have two definitions in a Fn::If block. + for method_definition in self.get_method_contents(self.get_path(path)[normalized_method_name]): + + # If no integration given, then we don't need to process this definition (could be AWS::NoValue) + if not self.method_definition_has_integration(method_definition): + continue + + existing_security = method_definition.get('security', []) + apikey_security_names = set(['api_key', 'api_key_false']) + existing_non_apikey_security = [] + existing_apikey_security = [] + apikey_security = [] + + # Split existing security into ApiKey and everything else + # (e.g. sigv4 (AWS_IAM), authorizers, NONE (marker for ignoring default authorizer)) + # We want to ensure only a single ApiKey security entry exists while keeping everything else + for security in existing_security: + if apikey_security_names.isdisjoint(security.keys()): + existing_non_apikey_security.append(security) + else: + existing_apikey_security.append(security) + + # Check for an existing method level ApiKey setting before applying the default. It would be simpler + # if instead we applied the default first and then simply + # overwrote it if necessary, however, the order in which things get + # applied (Function Api Events first; then Api Resource) complicates it. + # Check if Function/Path/Method specified 'False' for ApiKeyRequired + apikeyfalse_idx = -1 + for idx, security in enumerate(existing_apikey_security): + is_none = any(key == 'api_key_false' for key in security.keys()) + + if is_none: + apikeyfalse_idx = idx + break + + # api_key_false was found; remove it and don't add default api_key security setting + if apikeyfalse_idx > -1: + del existing_apikey_security[apikeyfalse_idx] + + # No existing ApiKey setting found or it's already set to the default + else: + security_dict = {} + security_dict['api_key'] = [] + apikey_security = [security_dict] + + security = existing_non_apikey_security + apikey_security + + if security != existing_security: + method_definition['security'] = security + def add_auth_to_method(self, path, method_name, auth, api): """ - Adds auth settings for this path/method. Auth settings currently consist solely of Authorizers - but this method will eventually include setting other auth settings such as API Key, - Resource Policy, etc. + Adds auth settings for this path/method. Auth settings currently consist of Authorizers and ApiKeyRequired + but this method will eventually include setting other auth settings such as Resource Policy, etc. + This is used to configure the security for individual functions. :param string path: Path name :param string method_name: Method name - :param dict auth: Auth configuration such as Authorizers, ApiKey, ResourcePolicy (only Authorizers supported - currently) + :param dict auth: Auth configuration such as Authorizers, ApiKeyRequired, ResourcePolicy + (Authorizers and ApiKeyRequired supported currently) :param dict api: Reference to the related Api's properties as defined in the template. """ method_authorizer = auth and auth.get('Authorizer') if method_authorizer: - api_auth = api.get('Auth') - api_authorizers = api_auth and api_auth.get('Authorizers') - default_authorizer = api_auth and api_auth.get('DefaultAuthorizer') + self._set_method_authorizer(path, method_name, method_authorizer) - self.set_method_authorizer(path, method_name, method_authorizer, api_authorizers, default_authorizer) + method_apikey_required = auth and auth.get('ApiKeyRequired') + if method_apikey_required is not None: + self._set_method_apikey_handling(path, method_name, method_apikey_required) + + def _set_method_authorizer(self, path, method_name, authorizer_name): + """ + Adds the authorizer_name to the security block for each method on this path. + This is used to configure the authorizer for individual functions. - def set_method_authorizer(self, path, method_name, authorizer_name, authorizers, default_authorizer, - is_default=False): + :param string path: Path name + :param string method_name: Method name + :param string authorizer_name: Name of the authorizer to use. Must be a key in the + authorizers param. + """ normalized_method_name = self._normalize_method_name(method_name) # It is possible that the method could have two definitions in a Fn::If block. for method_definition in self.get_method_contents(self.get_path(path)[normalized_method_name]): @@ -452,82 +625,63 @@ def set_method_authorizer(self, path, method_name, authorizer_name, authorizers, # If no integration given, then we don't need to process this definition (could be AWS::NoValue) if not self.method_definition_has_integration(method_definition): continue + existing_security = method_definition.get('security', []) - # TEST: [{'sigv4': []}, {'api_key': []}]) - authorizer_list = ['AWS_IAM'] - if authorizers: - authorizer_list.extend(authorizers.keys()) - authorizer_names = set(authorizer_list) - existing_non_authorizer_security = [] - existing_authorizer_security = [] - - # Split existing security into Authorizers and everything else - # (e.g. sigv4 (AWS_IAM), api_key (API Key/Usage Plans), NONE (marker for ignoring default)) - # We want to ensure only a single Authorizer security entry exists while keeping everything else - for security in existing_security: - if authorizer_names.isdisjoint(security.keys()): - existing_non_authorizer_security.append(security) - else: - existing_authorizer_security.append(security) - none_idx = -1 - authorizer_security = [] + security_dict = {} + security_dict[authorizer_name] = [] + authorizer_security = [security_dict] - # If this is the Api-level DefaultAuthorizer we need to check for an - # existing Authorizer before applying the default. It would be simpler - # if instead we applied the DefaultAuthorizer first and then simply - # overwrote it if necessary, however, the order in which things get - # applied (Function Api Events first; then Api Resource) complicates it. - if is_default: - # Check if Function/Path/Method specified 'NONE' for Authorizer - for idx, security in enumerate(existing_non_authorizer_security): - is_none = any(key == 'NONE' for key in security.keys()) + # This assumes there are no autorizers already configured in the existing security block + security = existing_security + authorizer_security - if is_none: - none_idx = idx - break + if security: + method_definition['security'] = security - # NONE was found; remove it and don't add the DefaultAuthorizer - if none_idx > -1: - del existing_non_authorizer_security[none_idx] + # The first element of the method_definition['security'] should be AWS_IAM + # because authorizer_list = ['AWS_IAM'] is hardcoded above + if 'AWS_IAM' in method_definition['security'][0]: + self.add_awsiam_security_definition() - # Existing Authorizer found (defined at Function/Path/Method); use that instead of default - elif existing_authorizer_security: - authorizer_security = existing_authorizer_security + def _set_method_apikey_handling(self, path, method_name, apikey_required): + """ + Adds the apikey setting to the security block for each method on this path. + This is used to configure the authorizer for individual functions. - # No existing Authorizer found; use default - else: - security_dict = {} - security_dict[authorizer_name] = [] - authorizer_security = [security_dict] + :param string path: Path name + :param string method_name: Method name + :param bool apikey_required: Whether the apikey security is required + """ + normalized_method_name = self._normalize_method_name(method_name) + # It is possible that the method could have two definitions in a Fn::If block. + for method_definition in self.get_method_contents(self.get_path(path)[normalized_method_name]): + + # If no integration given, then we don't need to process this definition (could be AWS::NoValue) + if not self.method_definition_has_integration(method_definition): + continue + + existing_security = method_definition.get('security', []) - # This is a Function/Path/Method level Authorizer; simply set it + if apikey_required: + # We want to enable apikey required security + security_dict = {} + security_dict['api_key'] = [] + apikey_security = [security_dict] + self.add_apikey_security_definition() else: + # The method explicitly does NOT require apikey and there is an API default + # so let's add a marker 'api_key_false' so that we don't incorrectly override + # with the api default security_dict = {} - security_dict[authorizer_name] = [] - authorizer_security = [security_dict] + security_dict['api_key_false'] = [] + apikey_security = [security_dict] - security = existing_non_authorizer_security + authorizer_security + # This assumes there are no autorizers already configured in the existing security block + security = existing_security + apikey_security - if security: + if security != existing_security: method_definition['security'] = security - # The first element of the method_definition['security'] should be AWS_IAM - # because authorizer_list = ['AWS_IAM'] is hardcoded above - if 'AWS_IAM' in method_definition['security'][0]: - aws_iam_security_definition = { - 'AWS_IAM': { - 'x-amazon-apigateway-authtype': 'awsSigv4', - 'type': 'apiKey', - 'name': 'Authorization', - 'in': 'header' - } - } - if not self.security_definitions: - self.security_definitions = aws_iam_security_definition - elif 'AWS_IAM' not in self.security_definitions: - self.security_definitions.update(aws_iam_security_definition) - def add_request_model_to_method(self, path, method_name, request_model): """ Adds request model body parameter for this path/method. diff --git a/tests/swagger/test_swagger.py b/tests/swagger/test_swagger.py index e3771e87bf..907e091cb8 100644 --- a/tests/swagger/test_swagger.py +++ b/tests/swagger/test_swagger.py @@ -131,6 +131,7 @@ def test_must_not_fail_on_bad_path(self): self.assertTrue(self.editor.has_path("badpath")) self.assertFalse(self.editor.has_path("badpath", "somemethod")) + class TestSwaggerEditor_has_integration(TestCase): def setUp(self): @@ -725,6 +726,7 @@ def test_allow_credentials_is_skipped_with_false_value(self): actual = options_config[_X_INTEGRATION]["responses"]["default"]["responseParameters"] self.assertEqual(expected, actual) + class TestSwaggerEditor_make_cors_allowed_methods_for_path(TestCase): def setUp(self): @@ -1112,4 +1114,120 @@ def test_must_add_body_parameter_to_method_openapi_required_true(self): } } - self.assertEqual(expected, editor.swagger['paths']['/foo']['get']['requestBody']) \ No newline at end of file + self.assertEqual(expected, editor.swagger['paths']['/foo']['get']['requestBody']) + +class TestSwaggerEditor_add_auth(TestCase): + + def setUp(self): + + self.original_swagger = { + "swagger": "2.0", + "paths": { + "/foo": { + "get": { + _X_INTEGRATION: { + "a": "b" + } + }, + "post":{ + _X_INTEGRATION: { + "a": "b" + } + } + }, + "/bar": { + "get": { + _X_INTEGRATION: { + "a": "b" + } + } + }, + } + } + + self.editor = SwaggerEditor(self.original_swagger) + + def test_add_apikey_security_definition_is_added(self): + expected = { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + } + + self.editor.add_apikey_security_definition() + self.assertIn('securityDefinitions', self.editor.swagger) + self.assertIn('api_key', self.editor.swagger["securityDefinitions"]) + self.assertEqual(expected, self.editor.swagger["securityDefinitions"]['api_key']) + + def test_must_add_default_apikey_to_all_paths(self): + expected = [{ + "api_key": [] + }] + path = "/foo" + + + self.editor.set_path_default_apikey_required(path) + methods = self.editor.swagger["paths"][path] + for method in methods: + self.assertEqual(expected, methods[method]["security"]) + + def test_add_default_apikey_to_all_paths_correctly_handles_method_level_settings(self): + self.original_swagger = { + "swagger": "2.0", + "paths": { + "/foo": { + "apikeyfalse": { + _X_INTEGRATION: { + "a": "b" + }, + "security":[ + {"api_key_false":[]} + ] + }, + "apikeytrue": { + _X_INTEGRATION: { + "a": "b" + }, + "security":[ + {"api_key":[]} + ] + }, + "apikeydefault":{ + _X_INTEGRATION: { + "a": "b" + } + } + }, + } + } + + self.editor = SwaggerEditor(self.original_swagger) + api_key_exists = [{ + "api_key": [] + }] + path = "/foo" + + self.editor.set_path_default_apikey_required(path) + self.assertEqual([], self.editor.swagger["paths"][path]['apikeyfalse']["security"]) + self.assertEqual(api_key_exists, self.editor.swagger["paths"][path]['apikeytrue']["security"]) + self.assertEqual(api_key_exists, self.editor.swagger["paths"][path]['apikeydefault']["security"]) + + def test_set_method_apikey_handling_apikeyrequired_false(self): + expected = [{ + "api_key_false": [] + }] + path = "/bar" + method = "get" + + self.editor._set_method_apikey_handling(path, method, False) + self.assertEqual(expected, self.editor.swagger["paths"][path][method]["security"]) + + def test_set_method_apikey_handling_apikeyrequired_true(self): + expected = [{ + "api_key": [] + }] + path = "/bar" + method = "get" + + self.editor._set_method_apikey_handling(path, method, True) + self.assertEqual(expected, self.editor.swagger["paths"][path][method]["security"]) diff --git a/tests/translator/input/api_with_apikey_default_override.yaml b/tests/translator/input/api_with_apikey_default_override.yaml new file mode 100644 index 0000000000..53a94e3b62 --- /dev/null +++ b/tests/translator/input/api_with_apikey_default_override.yaml @@ -0,0 +1,51 @@ +Resources: + MyApiWithAuth: + Type: "AWS::Serverless::Api" + Properties: + StageName: Prod + Auth: + ApiKeyRequired: true + + MyFunctionWithApiKeyRequiredDefault: + Type: AWS::Serverless::Function + Properties: + CodeUri: s3://bucket/key + Handler: index.handler + Runtime: nodejs8.10 + Events: + MyApiWithApiKeyRequiredDefault: + Type: Api + Properties: + RestApiId: !Ref MyApiWithAuth + Path: /ApiKeyDefault + Method: get + MyFunctionWithApiKeyRequiredTrue: + Type: AWS::Serverless::Function + Properties: + CodeUri: s3://bucket/key + Handler: index.handler + Runtime: nodejs8.10 + Events: + MyApiWithApiKeyRequiredTrue: + Type: Api + Properties: + RestApiId: !Ref MyApiWithAuth + Path: /ApiKeyTrue + Method: get + Auth: + ApiKeyRequired: true + MyFunctionWithApiKeyRequiredFalse: + Type: AWS::Serverless::Function + Properties: + CodeUri: s3://bucket/key + Handler: index.handler + Runtime: nodejs8.10 + Events: + MyApiWithApiKeyRequiredFalse: + Type: Api + Properties: + RestApiId: !Ref MyApiWithAuth + Path: /ApiKeyFalse + Method: get + Auth: + ApiKeyRequired: false diff --git a/tests/translator/input/api_with_apikey_required.yaml b/tests/translator/input/api_with_apikey_required.yaml new file mode 100644 index 0000000000..e5c562c916 --- /dev/null +++ b/tests/translator/input/api_with_apikey_required.yaml @@ -0,0 +1,21 @@ +Resources: + MyApiWithoutAuth: + Type: "AWS::Serverless::Api" + Properties: + StageName: Prod + + MyFunctionWithApiKeyRequired: + Type: AWS::Serverless::Function + Properties: + CodeUri: s3://bucket/key + Handler: index.handler + Runtime: nodejs8.10 + Events: + MyApiWithApiKeyRequired: + Type: Api + Properties: + RestApiId: !Ref MyApiWithoutAuth + Path: /ApiKeyRequiredTrue + Method: get + Auth: + ApiKeyRequired: true diff --git a/tests/translator/input/globals_for_api.yaml b/tests/translator/input/globals_for_api.yaml index 5d3a956322..92aca3703e 100644 --- a/tests/translator/input/globals_for_api.yaml +++ b/tests/translator/input/globals_for_api.yaml @@ -8,6 +8,7 @@ Globals: Authorizers: MyCognitoAuth: UserPoolArn: !GetAtt MyUserPool.Arn + ApiKeyRequired: true Variables: SomeVar: Value diff --git a/tests/translator/input/implicit_api_with_auth_and_conditions_max.yaml b/tests/translator/input/implicit_api_with_auth_and_conditions_max.yaml index 61d2751a21..3c0ac05049 100644 --- a/tests/translator/input/implicit_api_with_auth_and_conditions_max.yaml +++ b/tests/translator/input/implicit_api_with_auth_and_conditions_max.yaml @@ -161,4 +161,6 @@ Resources: Type: Api Properties: Path: /users - Method: put \ No newline at end of file + Method: put + Auth: + ApiKeyRequired: true \ No newline at end of file diff --git a/tests/translator/output/api_with_apikey_default_override.json b/tests/translator/output/api_with_apikey_default_override.json new file mode 100644 index 0000000000..03f6db829a --- /dev/null +++ b/tests/translator/output/api_with_apikey_default_override.json @@ -0,0 +1,363 @@ +{ + "Resources": { + "MyApiWithAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithAuthDeployment054e605502" + }, + "RestApiId": { + "Ref": "MyApiWithAuth" + }, + "StageName": "Prod" + } + }, + "MyFunctionWithApiKeyRequiredTrueMyApiWithApiKeyRequiredTruePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredTrue" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyTrue", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredFalseMyApiWithApiKeyRequiredFalsePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredFalse" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyFalse", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredFalseMyApiWithApiKeyRequiredFalsePermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredFalse" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyFalse", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredTrue": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredTrueRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFunctionWithApiKeyRequiredDefault": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredDefaultRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFunctionWithApiKeyRequiredDefaultMyApiWithApiKeyRequiredDefaultPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredDefault" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyDefault", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyApiWithAuthDeployment054e605502": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithAuth" + }, + "Description": "RestApi deployment id: 054e60550295973114b1bc4384d00c8b641ea20f", + "StageName": "Stage" + } + }, + "MyFunctionWithApiKeyRequiredFalse": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredFalseRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFunctionWithApiKeyRequiredFalseRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredDefaultRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredDefaultMyApiWithApiKeyRequiredDefaultPermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredDefault" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyDefault", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredTrueMyApiWithApiKeyRequiredTruePermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredTrue" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyTrue", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredTrueRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyApiWithAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/ApiKeyFalse": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequiredFalse.Arn}/invocations" + } + }, + "security": [], + "responses": {} + } + }, + "/ApiKeyTrue": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequiredTrue.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} + } + }, + "/ApiKeyDefault": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequiredDefault.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + } + } + } + } + } + } + } \ No newline at end of file diff --git a/tests/translator/output/api_with_apikey_required.json b/tests/translator/output/api_with_apikey_required.json new file mode 100644 index 0000000000..b864a2dcc8 --- /dev/null +++ b/tests/translator/output/api_with_apikey_required.json @@ -0,0 +1,155 @@ +{ + "Resources": { + "MyFunctionWithApiKeyRequiredRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } + } + ] + } + } + }, + "MyApiWithoutAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/ApiKeyRequiredTrue": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequired.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + } + } + } + } + }, + "MyApiWithoutAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithoutAuthDeployment3ab9d13134" + }, + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "StageName": "Prod" + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequired": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyApiWithoutAuthDeployment3ab9d13134": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "Description": "RestApi deployment id: 3ab9d13134bf550e275a303c6987801dfb7f9d7b", + "StageName": "Stage" + } + } + } +} \ No newline at end of file diff --git a/tests/translator/output/api_with_aws_iam_auth_overrides.json b/tests/translator/output/api_with_aws_iam_auth_overrides.json index 6ca104082e..947b0d0c07 100644 --- a/tests/translator/output/api_with_aws_iam_auth_overrides.json +++ b/tests/translator/output/api_with_aws_iam_auth_overrides.json @@ -50,7 +50,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithAwsIamAuthDeployment8a32fb1652" + "Ref": "MyApiWithAwsIamAuthDeployment00f615258c" }, "RestApiId": { "Ref": "MyApiWithAwsIamAuth" @@ -124,16 +124,6 @@ } } }, - "MyApiWithAwsIamAuthDeployment8a32fb1652": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApiWithAwsIamAuth" - }, - "Description": "RestApi deployment id: 8a32fb165218ee858b16980eed421b4f38d18f00", - "StageName": "Stage" - } - }, "MyFunctionMyCognitoAuthAPI1PermissionTest": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -381,6 +371,16 @@ } } }, + "MyApiWithAwsIamAuthDeployment00f615258c": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithAwsIamAuth" + }, + "Description": "RestApi deployment id: 00f615258c0deedd5cc900789f1f57d1fbde7df3", + "StageName": "Stage" + } + }, "MyFunctionCustomInvokeRoleAPI3PermissionTest": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -561,10 +561,10 @@ "x-amazon-apigateway-authtype": "cognito_user_pools" }, "AWS_IAM": { - "in": "header", + "x-amazon-apigateway-authtype": "awsSigv4", "type": "apiKey", "name": "Authorization", - "x-amazon-apigateway-authtype": "awsSigv4" + "in": "header" } } } @@ -592,4 +592,4 @@ } } } -} +} \ No newline at end of file diff --git a/tests/translator/output/api_with_default_aws_iam_auth.json b/tests/translator/output/api_with_default_aws_iam_auth.json index b7d0bb46f3..0fa561cfe5 100644 --- a/tests/translator/output/api_with_default_aws_iam_auth.json +++ b/tests/translator/output/api_with_default_aws_iam_auth.json @@ -1,15 +1,5 @@ { "Resources": { - "MyApiWithAwsIamAuthDeployment3364487a57": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApiWithAwsIamAuth" - }, - "Description": "RestApi deployment id: 3364487a57573f17976c9edc5dad6c3afe02a101", - "StageName": "Stage" - } - }, "MyFunctionWithAwsIamAuth": { "Type": "AWS::Lambda::Function", "Properties": { @@ -33,6 +23,16 @@ ] } }, + "MyApiWithAwsIamAuthAndDefaultInvokeRoleDeployment58ccfefa9d": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRole" + }, + "Description": "RestApi deployment id: 58ccfefa9d2b37d219e5cd439566227c228874ad", + "StageName": "Stage" + } + }, "MyFunctionWithAwsIamAuthMyApiWithAwsIamAuthPermissionTest": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -79,7 +79,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithAwsIamAuthDeployment3364487a57" + "Ref": "MyApiWithAwsIamAuthDeployment2e654ad4c6" }, "RestApiId": { "Ref": "MyApiWithAwsIamAuth" @@ -87,14 +87,16 @@ "StageName": "Prod" } }, - "MyApiWithAwsIamAuthAndDefaultInvokeRoleDeployment1edb95497c": { - "Type": "AWS::ApiGateway::Deployment", + "MyApiWithAwsIamAuthAndDefaultInvokeRoleProdStage": { + "Type": "AWS::ApiGateway::Stage", "Properties": { + "DeploymentId": { + "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRoleDeployment58ccfefa9d" + }, "RestApiId": { "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRole" }, - "Description": "RestApi deployment id: 1edb95497ceb1e912fa65281f21a8f6f1098b5f4", - "StageName": "Stage" + "StageName": "Prod" } }, "MyFunctionWithAwsIamAuthMyApiWithAwsIamAuthAndDefaultInvokeRolePermissionProd": { @@ -139,13 +141,13 @@ } } }, - "MyApiWithAwsIamAuthAndCustomInvokeRoleDeployment61108120cf": { + "MyApiWithAwsIamAuthAndCustomInvokeRoleDeployment65ff252974": { "Type": "AWS::ApiGateway::Deployment", "Properties": { "RestApiId": { "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRole" }, - "Description": "RestApi deployment id: 61108120cf9f293d5cf2fc21044a94dce2ed499a", + "Description": "RestApi deployment id: 65ff252974c6dc8ff4fa083009ab0a4838d92a93", "StageName": "Stage" } }, @@ -182,37 +184,35 @@ "swagger": "2.0", "securityDefinitions": { "AWS_IAM": { - "in": "header", + "x-amazon-apigateway-authtype": "awsSigv4", "type": "apiKey", "name": "Authorization", - "x-amazon-apigateway-authtype": "awsSigv4" + "in": "header" } } } } }, - "MyApiWithAwsIamAuthAndDefaultInvokeRoleProdStage": { + "MyApiWithAwsIamAuthAndCustomInvokeRoleProdStage": { "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRoleDeployment1edb95497c" + "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRoleDeployment65ff252974" }, "RestApiId": { - "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRole" + "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRole" }, "StageName": "Prod" } }, - "MyApiWithAwsIamAuthAndCustomInvokeRoleProdStage": { - "Type": "AWS::ApiGateway::Stage", + "MyApiWithAwsIamAuthDeployment2e654ad4c6": { + "Type": "AWS::ApiGateway::Deployment", "Properties": { - "DeploymentId": { - "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRoleDeployment61108120cf" - }, "RestApiId": { - "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRole" + "Ref": "MyApiWithAwsIamAuth" }, - "StageName": "Prod" + "Description": "RestApi deployment id: 2e654ad4c60c5c1fff1e65a5b61eb502dbf42cbd", + "StageName": "Stage" } }, "MyApiWithAwsIamAuthAndDefaultInvokeRole": { @@ -248,10 +248,10 @@ "swagger": "2.0", "securityDefinitions": { "AWS_IAM": { - "in": "header", + "x-amazon-apigateway-authtype": "awsSigv4", "type": "apiKey", "name": "Authorization", - "x-amazon-apigateway-authtype": "awsSigv4" + "in": "header" } } } @@ -290,10 +290,10 @@ "swagger": "2.0", "securityDefinitions": { "AWS_IAM": { - "in": "header", + "x-amazon-apigateway-authtype": "awsSigv4", "type": "apiKey", "name": "Authorization", - "x-amazon-apigateway-authtype": "awsSigv4" + "in": "header" } } } @@ -366,4 +366,4 @@ } } } -} +} \ No newline at end of file diff --git a/tests/translator/output/aws-cn/api_with_apikey_default_override.json b/tests/translator/output/aws-cn/api_with_apikey_default_override.json new file mode 100644 index 0000000000..31e38efe95 --- /dev/null +++ b/tests/translator/output/aws-cn/api_with_apikey_default_override.json @@ -0,0 +1,371 @@ +{ + "Resources": { + "MyApiWithAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithAuthDeployment12e3363002" + }, + "RestApiId": { + "Ref": "MyApiWithAuth" + }, + "StageName": "Prod" + } + }, + "MyFunctionWithApiKeyRequiredTrueMyApiWithApiKeyRequiredTruePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredTrue" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyTrue", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredFalseMyApiWithApiKeyRequiredFalsePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredFalse" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyFalse", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredFalseMyApiWithApiKeyRequiredFalsePermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredFalse" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyFalse", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredTrue": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredTrueRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFunctionWithApiKeyRequiredDefault": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredDefaultRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFunctionWithApiKeyRequiredDefaultMyApiWithApiKeyRequiredDefaultPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredDefault" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyDefault", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyApiWithAuthDeployment12e3363002": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithAuth" + }, + "Description": "RestApi deployment id: 12e33630022574b70be75950554db06d81af114d", + "StageName": "Stage" + } + }, + "MyFunctionWithApiKeyRequiredFalse": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredFalseRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFunctionWithApiKeyRequiredFalseRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredDefaultRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredDefaultMyApiWithApiKeyRequiredDefaultPermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredDefault" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyDefault", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredTrueMyApiWithApiKeyRequiredTruePermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredTrue" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyTrue", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredTrueRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyApiWithAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/ApiKeyFalse": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequiredFalse.Arn}/invocations" + } + }, + "security": [], + "responses": {} + } + }, + "/ApiKeyTrue": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequiredTrue.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} + } + }, + "/ApiKeyDefault": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequiredDefault.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } + } + } + } +} \ No newline at end of file diff --git a/tests/translator/output/aws-cn/api_with_apikey_required.json b/tests/translator/output/aws-cn/api_with_apikey_required.json new file mode 100644 index 0000000000..65a966df63 --- /dev/null +++ b/tests/translator/output/aws-cn/api_with_apikey_required.json @@ -0,0 +1,163 @@ +{ + "Resources": { + "MyFunctionWithApiKeyRequiredRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } + } + ] + } + } + }, + "MyApiWithoutAuthDeploymentcc6d6fc40a": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "Description": "RestApi deployment id: cc6d6fc40a37188fe0115a039b24e397dc149478", + "StageName": "Stage" + } + }, + "MyApiWithoutAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/ApiKeyRequiredTrue": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequired.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } + } + }, + "MyApiWithoutAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithoutAuthDeploymentcc6d6fc40a" + }, + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "StageName": "Prod" + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequired": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + } + } +} \ No newline at end of file diff --git a/tests/translator/output/aws-cn/api_with_aws_iam_auth_overrides.json b/tests/translator/output/aws-cn/api_with_aws_iam_auth_overrides.json index 49f1e90a40..8cf64eba56 100644 --- a/tests/translator/output/aws-cn/api_with_aws_iam_auth_overrides.json +++ b/tests/translator/output/aws-cn/api_with_aws_iam_auth_overrides.json @@ -50,7 +50,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithAwsIamAuthDeploymented0a631915" + "Ref": "MyApiWithAwsIamAuthDeploymentcaa40f95ee" }, "RestApiId": { "Ref": "MyApiWithAwsIamAuth" @@ -103,6 +103,16 @@ } } }, + "MyApiWithAwsIamAuthDeploymentcaa40f95ee": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithAwsIamAuth" + }, + "Description": "RestApi deployment id: caa40f95ee941baffc4ce02b45e862c5f7ea4d5e", + "StageName": "Stage" + } + }, "MyFunctionWithoutAuthAPI2PermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -145,16 +155,6 @@ } } }, - "MyApiWithAwsIamAuthDeploymented0a631915": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApiWithAwsIamAuth" - }, - "Description": "RestApi deployment id: ed0a631915dc4df4436f471e81cd69beb6f89603", - "StageName": "Stage" - } - }, "MyFunctionMyCognitoAuth": { "Type": "AWS::Lambda::Function", "Properties": { @@ -561,10 +561,10 @@ "x-amazon-apigateway-authtype": "cognito_user_pools" }, "AWS_IAM": { - "in": "header", + "x-amazon-apigateway-authtype": "awsSigv4", "type": "apiKey", "name": "Authorization", - "x-amazon-apigateway-authtype": "awsSigv4" + "in": "header" } } }, @@ -600,4 +600,4 @@ } } } -} +} \ No newline at end of file diff --git a/tests/translator/output/aws-cn/api_with_default_aws_iam_auth.json b/tests/translator/output/aws-cn/api_with_default_aws_iam_auth.json index 58fd1f46b8..330aefa103 100644 --- a/tests/translator/output/aws-cn/api_with_default_aws_iam_auth.json +++ b/tests/translator/output/aws-cn/api_with_default_aws_iam_auth.json @@ -23,16 +23,6 @@ ] } }, - "MyApiWithAwsIamAuthAndDefaultInvokeRoleDeploymentd0103947f7": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRole" - }, - "Description": "RestApi deployment id: d0103947f7e2e1d52ca7afac92f5afc8339a051b", - "StageName": "Stage" - } - }, "MyFunctionWithAwsIamAuthMyApiWithAwsIamAuthPermissionTest": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -54,6 +44,16 @@ } } }, + "MyApiWithAwsIamAuthDeploymente6d5fb9b50": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithAwsIamAuth" + }, + "Description": "RestApi deployment id: e6d5fb9b50efbcef7ba82212572d741a89330edf", + "StageName": "Stage" + } + }, "MyFunctionWithAwsIamAuthMyApiWithAwsIamAuthPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -75,11 +75,21 @@ } } }, + "MyApiWithAwsIamAuthAndCustomInvokeRoleDeploymentb406a33161": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRole" + }, + "Description": "RestApi deployment id: b406a33161a8a9cb2842e4374c3f0167931eb064", + "StageName": "Stage" + } + }, "MyApiWithAwsIamAuthProdStage": { "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithAwsIamAuthDeploymentc8adfb74cf" + "Ref": "MyApiWithAwsIamAuthDeploymente6d5fb9b50" }, "RestApiId": { "Ref": "MyApiWithAwsIamAuth" @@ -91,7 +101,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRoleDeploymentd0103947f7" + "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRoleDeployment76f532c4be" }, "RestApiId": { "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRole" @@ -141,16 +151,6 @@ } } }, - "MyApiWithAwsIamAuthDeploymentc8adfb74cf": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApiWithAwsIamAuth" - }, - "Description": "RestApi deployment id: c8adfb74cfae8b8052802a21a258ecbd5178d144", - "StageName": "Stage" - } - }, "MyApiWithAwsIamAuthAndCustomInvokeRole": { "Type": "AWS::ApiGateway::RestApi", "Properties": { @@ -184,10 +184,10 @@ "swagger": "2.0", "securityDefinitions": { "AWS_IAM": { - "in": "header", + "x-amazon-apigateway-authtype": "awsSigv4", "type": "apiKey", "name": "Authorization", - "x-amazon-apigateway-authtype": "awsSigv4" + "in": "header" } } }, @@ -205,7 +205,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRoleDeployment2a6ecd9264" + "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRoleDeploymentb406a33161" }, "RestApiId": { "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRole" @@ -246,10 +246,10 @@ "swagger": "2.0", "securityDefinitions": { "AWS_IAM": { - "in": "header", + "x-amazon-apigateway-authtype": "awsSigv4", "type": "apiKey", "name": "Authorization", - "x-amazon-apigateway-authtype": "awsSigv4" + "in": "header" } } }, @@ -263,16 +263,6 @@ } } }, - "MyApiWithAwsIamAuthAndCustomInvokeRoleDeployment2a6ecd9264": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRole" - }, - "Description": "RestApi deployment id: 2a6ecd9264d4f59054caa89a94960604594cd94f", - "StageName": "Stage" - } - }, "MyApiWithAwsIamAuth": { "Type": "AWS::ApiGateway::RestApi", "Properties": { @@ -306,10 +296,10 @@ "swagger": "2.0", "securityDefinitions": { "AWS_IAM": { - "in": "header", + "x-amazon-apigateway-authtype": "awsSigv4", "type": "apiKey", "name": "Authorization", - "x-amazon-apigateway-authtype": "awsSigv4" + "in": "header" } } }, @@ -323,6 +313,16 @@ } } }, + "MyApiWithAwsIamAuthAndDefaultInvokeRoleDeployment76f532c4be": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRole" + }, + "Description": "RestApi deployment id: 76f532c4bee79a53b122020ad84d7e9671824afe", + "StageName": "Stage" + } + }, "MyFunctionWithAwsIamAuthMyApiWithAwsIamAuthAndCustomInvokeRolePermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -390,4 +390,4 @@ } } } -} +} \ No newline at end of file diff --git a/tests/translator/output/aws-cn/globals_for_api.json b/tests/translator/output/aws-cn/globals_for_api.json index bcfdd57cad..8bd110f3fc 100644 --- a/tests/translator/output/aws-cn/globals_for_api.json +++ b/tests/translator/output/aws-cn/globals_for_api.json @@ -91,6 +91,9 @@ "security": [ { "MyCognitoAuth": [] + }, + { + "api_key": [] } ], "responses": {} @@ -115,6 +118,11 @@ "type": "cognito_user_pools" }, "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } } }, @@ -142,20 +150,10 @@ }, "CacheClusterEnabled": true, "DeploymentId": { - "Ref": "ServerlessRestApiDeploymente1212668e0" + "Ref": "ServerlessRestApiDeploymentf6c326a165" } } }, - "ServerlessRestApiDeploymente1212668e0": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "ServerlessRestApi" - }, - "Description": "RestApi deployment id: e1212668e096994ab32167666f5a877bd6ac5fad", - "StageName": "Stage" - } - }, "ExplicitApiSomeStageStage": { "Type": "AWS::ApiGateway::Stage", "Properties": { @@ -169,10 +167,30 @@ }, "CacheClusterEnabled": true, "DeploymentId": { - "Ref": "ExplicitApiDeploymentd5fa0145e9" + "Ref": "ExplicitApiDeployment43e01e673d" } } }, + "ServerlessRestApiDeploymentf6c326a165": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "ServerlessRestApi" + }, + "Description": "RestApi deployment id: f6c326a1656cc9fbb0106cc645598d88575554eb", + "StageName": "Stage" + } + }, + "ExplicitApiDeployment43e01e673d": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "ExplicitApi" + }, + "Description": "RestApi deployment id: 43e01e673d7acbd09e4c38ff78dd6ddaf2ed1d55", + "StageName": "Stage" + } + }, "ImplicitApiFunctionGetHtmlPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -194,16 +212,6 @@ } } }, - "ExplicitApiDeploymentd5fa0145e9": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "ExplicitApi" - }, - "Description": "RestApi deployment id: d5fa0145e9e6393911d32967e66fd7091d605483", - "StageName": "Stage" - } - }, "MyUserPool": { "Type": "AWS::Cognito::UserPool", "Properties": { @@ -248,6 +256,9 @@ "security": [ { "MyCognitoAuth": [] + }, + { + "api_key": [] } ], "responses": {} @@ -272,6 +283,11 @@ "type": "cognito_user_pools" }, "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } } }, diff --git a/tests/translator/output/aws-cn/implicit_api_with_auth_and_conditions_max.json b/tests/translator/output/aws-cn/implicit_api_with_auth_and_conditions_max.json index 1ffd2bd98b..2ced69491d 100644 --- a/tests/translator/output/aws-cn/implicit_api_with_auth_and_conditions_max.json +++ b/tests/translator/output/aws-cn/implicit_api_with_auth_and_conditions_max.json @@ -223,7 +223,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "ServerlessRestApiDeployment13185ed4f8" + "Ref": "ServerlessRestApiDeployment6b0de9dc9a" }, "RestApiId": { "Ref": "ServerlessRestApi" @@ -594,17 +594,6 @@ }, "Condition": "FunctionCondition" }, - "ServerlessRestApiDeployment13185ed4f8": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "ServerlessRestApi" - }, - "Description": "RestApi deployment id: 13185ed4f830a9731f30c8561a781a0f560748c1", - "StageName": "Stage" - }, - "Condition": "ServerlessRestApiCondition" - }, "MyFunctionRole": { "Type": "AWS::IAM::Role", "Properties": { @@ -652,6 +641,17 @@ }, "Condition": "FunctionCondition5" }, + "ServerlessRestApiDeployment6b0de9dc9a": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "ServerlessRestApi" + }, + "Description": "RestApi deployment id: 6b0de9dc9a2450a248988d39c61e2ee23b257724", + "StageName": "Stage" + }, + "Condition": "ServerlessRestApiCondition" + }, "MyFunction3WithLambdaTokenAuthorizerPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -772,6 +772,9 @@ } }, "security": [ + { + "api_key": [] + }, { "MyCognitoAuth": [] } @@ -916,26 +919,37 @@ }, "swagger": "2.0", "securityDefinitions": { - "MyCognitoAuth": { + "MyLambdaTokenAuthNoneFunctionInvokeRole": { "in": "header", "type": "apiKey", - "name": "MyAuthorizationHeader", + "name": "Authorization", "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression", - "providerARNs": [ - "arn:aws:1" - ], - "type": "cognito_user_pools" + "type": "token", + "authorizerResultTtlInSeconds": 0, + "authorizerUri": { + "Fn::Sub": [ + "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + { + "__FunctionArn__": "arn:aws" + } + ] + } }, - "x-amazon-apigateway-authtype": "cognito_user_pools" + "x-amazon-apigateway-authtype": "custom" }, - "MyLambdaTokenAuthNoneFunctionInvokeRole": { + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + }, + "MyLambdaRequestAuth": { "in": "header", "type": "apiKey", - "name": "Authorization", + "name": "Unused", "x-amazon-apigateway-authorizer": { - "type": "token", + "type": "request", "authorizerResultTtlInSeconds": 0, + "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", "authorizerUri": { "Fn::Sub": [ "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", @@ -943,19 +957,19 @@ "__FunctionArn__": "arn:aws" } ] - } + }, + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" }, "x-amazon-apigateway-authtype": "custom" }, - "MyCognitoAuthMultipleUserPools": { + "MyCognitoAuth": { "in": "header", "type": "apiKey", - "name": "MyAuthorizationHeader2", + "name": "MyAuthorizationHeader", "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression2", + "identityValidationExpression": "myauthvalidationexpression", "providerARNs": [ - "arn:aws:2", - "arn:aws:3" + "arn:aws:1" ], "type": "cognito_user_pools" }, @@ -981,25 +995,19 @@ }, "x-amazon-apigateway-authtype": "custom" }, - "MyLambdaRequestAuth": { + "MyCognitoAuthMultipleUserPools": { "in": "header", "type": "apiKey", - "name": "Unused", + "name": "MyAuthorizationHeader2", "x-amazon-apigateway-authorizer": { - "type": "request", - "authorizerResultTtlInSeconds": 0, - "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", - "authorizerUri": { - "Fn::Sub": [ - "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", - { - "__FunctionArn__": "arn:aws" - } - ] - }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" + "identityValidationExpression": "myauthvalidationexpression2", + "providerARNs": [ + "arn:aws:2", + "arn:aws:3" + ], + "type": "cognito_user_pools" }, - "x-amazon-apigateway-authtype": "custom" + "x-amazon-apigateway-authtype": "cognito_user_pools" } } }, @@ -1037,4 +1045,4 @@ "Condition": "FunctionCondition2" } } -} +} \ No newline at end of file diff --git a/tests/translator/output/aws-us-gov/api_with_apikey_default_override.json b/tests/translator/output/aws-us-gov/api_with_apikey_default_override.json new file mode 100644 index 0000000000..a508c0e137 --- /dev/null +++ b/tests/translator/output/aws-us-gov/api_with_apikey_default_override.json @@ -0,0 +1,371 @@ +{ + "Resources": { + "MyApiWithAuthDeployment084855ab6d": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithAuth" + }, + "Description": "RestApi deployment id: 084855ab6d04ef5b762ac75de403810cd5f0c166", + "StageName": "Stage" + } + }, + "MyFunctionWithApiKeyRequiredTrueMyApiWithApiKeyRequiredTruePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredTrue" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyTrue", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredFalseMyApiWithApiKeyRequiredFalsePermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredFalse" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyFalse", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredFalseMyApiWithApiKeyRequiredFalsePermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredFalse" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyFalse", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyApiWithAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithAuthDeployment084855ab6d" + }, + "RestApiId": { + "Ref": "MyApiWithAuth" + }, + "StageName": "Prod" + } + }, + "MyFunctionWithApiKeyRequiredTrue": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredTrueRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFunctionWithApiKeyRequiredDefault": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredDefaultRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFunctionWithApiKeyRequiredDefaultMyApiWithApiKeyRequiredDefaultPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredDefault" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyDefault", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredFalse": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredFalseRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyFunctionWithApiKeyRequiredFalseRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredDefaultRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredDefaultMyApiWithApiKeyRequiredDefaultPermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredDefault" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyDefault", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredTrueMyApiWithApiKeyRequiredTruePermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequiredTrue" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyTrue", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredTrueRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyApiWithAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/ApiKeyFalse": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequiredFalse.Arn}/invocations" + } + }, + "security": [], + "responses": {} + } + }, + "/ApiKeyTrue": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequiredTrue.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} + } + }, + "/ApiKeyDefault": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequiredDefault.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } + } + } + } +} \ No newline at end of file diff --git a/tests/translator/output/aws-us-gov/api_with_apikey_required.json b/tests/translator/output/aws-us-gov/api_with_apikey_required.json new file mode 100644 index 0000000000..0d7f930765 --- /dev/null +++ b/tests/translator/output/aws-us-gov/api_with_apikey_required.json @@ -0,0 +1,163 @@ +{ + "Resources": { + "MyFunctionWithApiKeyRequiredRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } + } + ] + } + } + }, + "MyApiWithoutAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/ApiKeyRequiredTrue": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequired.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } + } + }, + "MyApiWithoutAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithoutAuthDeployment1f6bf4c0d5" + }, + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "StageName": "Prod" + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequired": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyApiWithoutAuthDeployment1f6bf4c0d5": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "Description": "RestApi deployment id: 1f6bf4c0d5babf513c5623a65931134211ad3d0b", + "StageName": "Stage" + } + } + } +} \ No newline at end of file diff --git a/tests/translator/output/aws-us-gov/api_with_aws_iam_auth_overrides.json b/tests/translator/output/aws-us-gov/api_with_aws_iam_auth_overrides.json index cf8d219509..02b60bcbdf 100644 --- a/tests/translator/output/aws-us-gov/api_with_aws_iam_auth_overrides.json +++ b/tests/translator/output/aws-us-gov/api_with_aws_iam_auth_overrides.json @@ -46,21 +46,11 @@ ] } }, - "MyApiWithAwsIamAuthDeploymentd6dd2d1504": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApiWithAwsIamAuth" - }, - "Description": "RestApi deployment id: d6dd2d1504ea960bdb50055b256d9292aa565e4b", - "StageName": "Stage" - } - }, "MyApiWithAwsIamAuthProdStage": { "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithAwsIamAuthDeploymentd6dd2d1504" + "Ref": "MyApiWithAwsIamAuthDeploymentc527246f7f" }, "RestApiId": { "Ref": "MyApiWithAwsIamAuth" @@ -113,6 +103,16 @@ } } }, + "MyApiWithAwsIamAuthDeploymentc527246f7f": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithAwsIamAuth" + }, + "Description": "RestApi deployment id: c527246f7ffc9d300cb5934f0a2feaf19ce90c8b", + "StageName": "Stage" + } + }, "MyFunctionWithoutAuthAPI2PermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -561,10 +561,10 @@ "x-amazon-apigateway-authtype": "cognito_user_pools" }, "AWS_IAM": { - "in": "header", + "x-amazon-apigateway-authtype": "awsSigv4", "type": "apiKey", "name": "Authorization", - "x-amazon-apigateway-authtype": "awsSigv4" + "in": "header" } } }, @@ -600,4 +600,4 @@ } } } -} +} \ No newline at end of file diff --git a/tests/translator/output/aws-us-gov/api_with_default_aws_iam_auth.json b/tests/translator/output/aws-us-gov/api_with_default_aws_iam_auth.json index 2adb4725b4..c1231a4e8d 100644 --- a/tests/translator/output/aws-us-gov/api_with_default_aws_iam_auth.json +++ b/tests/translator/output/aws-us-gov/api_with_default_aws_iam_auth.json @@ -23,6 +23,16 @@ ] } }, + "MyApiWithAwsIamAuthDeploymentf659ad5ab8": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithAwsIamAuth" + }, + "Description": "RestApi deployment id: f659ad5ab81c7fba674d23cb02c5a79da2ab11f2", + "StageName": "Stage" + } + }, "MyFunctionWithAwsIamAuthMyApiWithAwsIamAuthPermissionTest": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -44,13 +54,13 @@ } } }, - "MyApiWithAwsIamAuthDeploymentf9a4964a7d": { + "MyApiWithAwsIamAuthAndCustomInvokeRoleDeploymentf171a6f07c": { "Type": "AWS::ApiGateway::Deployment", "Properties": { "RestApiId": { - "Ref": "MyApiWithAwsIamAuth" + "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRole" }, - "Description": "RestApi deployment id: f9a4964a7df5021874e5a094662f1a2443982e0a", + "Description": "RestApi deployment id: f171a6f07cf7356e3ad2a7095d825396653f6fb5", "StageName": "Stage" } }, @@ -79,7 +89,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithAwsIamAuthDeploymentf9a4964a7d" + "Ref": "MyApiWithAwsIamAuthDeploymentf659ad5ab8" }, "RestApiId": { "Ref": "MyApiWithAwsIamAuth" @@ -91,7 +101,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRoleDeploymentce2dead7de" + "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRoleDeployment1441ebcd54" }, "RestApiId": { "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRole" @@ -141,23 +151,13 @@ } } }, - "MyApiWithAwsIamAuthAndDefaultInvokeRoleDeploymentce2dead7de": { + "MyApiWithAwsIamAuthAndDefaultInvokeRoleDeployment1441ebcd54": { "Type": "AWS::ApiGateway::Deployment", "Properties": { "RestApiId": { "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRole" }, - "Description": "RestApi deployment id: ce2dead7ded0bb502db5bd0c105948c27bc96729", - "StageName": "Stage" - } - }, - "MyApiWithAwsIamAuthAndCustomInvokeRoleDeploymentb31aa75bb2": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRole" - }, - "Description": "RestApi deployment id: b31aa75bb2284229d40917a9b424c8ea1cf98217", + "Description": "RestApi deployment id: 1441ebcd541a522a80b89b91d029f5f56dded2f2", "StageName": "Stage" } }, @@ -194,10 +194,10 @@ "swagger": "2.0", "securityDefinitions": { "AWS_IAM": { - "in": "header", + "x-amazon-apigateway-authtype": "awsSigv4", "type": "apiKey", "name": "Authorization", - "x-amazon-apigateway-authtype": "awsSigv4" + "in": "header" } } }, @@ -215,7 +215,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRoleDeploymentb31aa75bb2" + "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRoleDeploymentf171a6f07c" }, "RestApiId": { "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRole" @@ -256,10 +256,10 @@ "swagger": "2.0", "securityDefinitions": { "AWS_IAM": { - "in": "header", + "x-amazon-apigateway-authtype": "awsSigv4", "type": "apiKey", "name": "Authorization", - "x-amazon-apigateway-authtype": "awsSigv4" + "in": "header" } } }, @@ -306,10 +306,10 @@ "swagger": "2.0", "securityDefinitions": { "AWS_IAM": { - "in": "header", + "x-amazon-apigateway-authtype": "awsSigv4", "type": "apiKey", "name": "Authorization", - "x-amazon-apigateway-authtype": "awsSigv4" + "in": "header" } } }, @@ -390,4 +390,4 @@ } } } -} +} \ No newline at end of file diff --git a/tests/translator/output/aws-us-gov/globals_for_api.json b/tests/translator/output/aws-us-gov/globals_for_api.json index 138c62aedb..42b4008f31 100644 --- a/tests/translator/output/aws-us-gov/globals_for_api.json +++ b/tests/translator/output/aws-us-gov/globals_for_api.json @@ -91,6 +91,9 @@ "security": [ { "MyCognitoAuth": [] + }, + { + "api_key": [] } ], "responses": {} @@ -115,6 +118,11 @@ "type": "cognito_user_pools" }, "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } } }, @@ -142,7 +150,7 @@ }, "CacheClusterEnabled": true, "DeploymentId": { - "Ref": "ServerlessRestApiDeploymentc969c99f9d" + "Ref": "ServerlessRestApiDeployment6fd1928d9b" } } }, @@ -159,10 +167,20 @@ }, "CacheClusterEnabled": true, "DeploymentId": { - "Ref": "ExplicitApiDeploymentd5fa0145e9" + "Ref": "ExplicitApiDeployment43e01e673d" } } }, + "ExplicitApiDeployment43e01e673d": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "ExplicitApi" + }, + "Description": "RestApi deployment id: 43e01e673d7acbd09e4c38ff78dd6ddaf2ed1d55", + "StageName": "Stage" + } + }, "ImplicitApiFunctionGetHtmlPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -184,23 +202,13 @@ } } }, - "ServerlessRestApiDeploymentc969c99f9d": { + "ServerlessRestApiDeployment6fd1928d9b": { "Type": "AWS::ApiGateway::Deployment", "Properties": { "RestApiId": { "Ref": "ServerlessRestApi" }, - "Description": "RestApi deployment id: c969c99f9d6b6921dff605a206e8989bdb7d1bc7", - "StageName": "Stage" - } - }, - "ExplicitApiDeploymentd5fa0145e9": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "ExplicitApi" - }, - "Description": "RestApi deployment id: d5fa0145e9e6393911d32967e66fd7091d605483", + "Description": "RestApi deployment id: 6fd1928d9b9ad3c711a371e1337306458029f8bd", "StageName": "Stage" } }, @@ -248,6 +256,9 @@ "security": [ { "MyCognitoAuth": [] + }, + { + "api_key": [] } ], "responses": {} @@ -272,6 +283,11 @@ "type": "cognito_user_pools" }, "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } } }, diff --git a/tests/translator/output/aws-us-gov/implicit_api_with_auth_and_conditions_max.json b/tests/translator/output/aws-us-gov/implicit_api_with_auth_and_conditions_max.json index ee12134b50..c29ef0c3b5 100644 --- a/tests/translator/output/aws-us-gov/implicit_api_with_auth_and_conditions_max.json +++ b/tests/translator/output/aws-us-gov/implicit_api_with_auth_and_conditions_max.json @@ -4,259 +4,248 @@ "Fn::Or": [ { "Condition": "FunctionCondition" - }, + }, { "Condition": "FunctionCondition2" - }, + }, { "Condition": "FunctionCondition3" - }, + }, { "Condition": "FunctionCondition4" - }, + }, { "Condition": "FunctionCondition5" - }, + }, { "Condition": "FunctionCondition6" } ] - }, + }, "FunctionCondition6": { "Fn::Equals": [ - true, + true, false ] - }, + }, "FunctionCondition5": { "Fn::Equals": [ - true, + true, false ] - }, + }, "FunctionCondition4": { "Fn::Equals": [ - true, + true, false ] - }, + }, "FunctionCondition3": { "Fn::Equals": [ - true, + true, false ] - }, + }, "FunctionCondition2": { "Fn::Equals": [ - true, + true, false ] - }, + }, "ServerlessRestApiSLASHusersPathCondition": { "Fn::Or": [ { "Condition": "FunctionCondition2" - }, + }, { "Condition": "FunctionCondition3" - }, + }, { "Condition": "FunctionCondition4" - }, + }, { "Condition": "FunctionCondition5" - }, + }, { "Condition": "FunctionCondition6" } ] - }, + }, "FunctionCondition": { "Fn::Equals": [ - true, + true, false ] } - }, + }, "Resources": { "MyFunction4WithLambdaTokenAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction4" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "ServerlessRestApi" } } ] } - }, + }, "Condition": "FunctionCondition4" - }, + }, "MyFunction4": { - "Type": "AWS::Lambda::Function", + "Type": "AWS::Lambda::Function", "Properties": { - "Handler": "index.handler", + "Handler": "index.handler", "Code": { - "S3Bucket": "sam-demo-bucket", + "S3Bucket": "sam-demo-bucket", "S3Key": "thumbnails.zip" - }, + }, "Role": { "Fn::GetAtt": [ - "MyFunction4Role", + "MyFunction4Role", "Arn" ] - }, - "Runtime": "nodejs8.10", + }, + "Runtime": "nodejs8.10", "Tags": [ { - "Value": "SAM", + "Value": "SAM", "Key": "lambda:createdBy" } ] - }, + }, "Condition": "FunctionCondition4" - }, + }, "MyFunction6": { - "Type": "AWS::Lambda::Function", + "Type": "AWS::Lambda::Function", "Properties": { - "Handler": "index.handler", + "Handler": "index.handler", "Code": { - "S3Bucket": "sam-demo-bucket", + "S3Bucket": "sam-demo-bucket", "S3Key": "thumbnails.zip" - }, + }, "Role": { "Fn::GetAtt": [ - "MyFunction6Role", + "MyFunction6Role", "Arn" ] - }, - "Runtime": "nodejs8.10", + }, + "Runtime": "nodejs8.10", "Tags": [ { - "Value": "SAM", + "Value": "SAM", "Key": "lambda:createdBy" } ] - }, + }, "Condition": "FunctionCondition6" - }, - "ServerlessRestApiDeploymentc06acce7cc": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "ServerlessRestApi" - }, - "Description": "RestApi deployment id: c06acce7cc8764dcad4cb4a7c74b2d0b43310c00", - "StageName": "Stage" - }, - "Condition": "ServerlessRestApiCondition" - }, + }, "MyFunction2WithCognitoMultipleUserPoolsAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction2" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "ServerlessRestApi" } } ] } - }, + }, "Condition": "FunctionCondition2" - }, + }, "MyFunction3": { - "Type": "AWS::Lambda::Function", + "Type": "AWS::Lambda::Function", "Properties": { - "Handler": "index.handler", + "Handler": "index.handler", "Code": { - "S3Bucket": "sam-demo-bucket", + "S3Bucket": "sam-demo-bucket", "S3Key": "thumbnails.zip" - }, + }, "Role": { "Fn::GetAtt": [ - "MyFunction3Role", + "MyFunction3Role", "Arn" ] - }, - "Runtime": "nodejs8.10", + }, + "Runtime": "nodejs8.10", "Tags": [ { - "Value": "SAM", + "Value": "SAM", "Key": "lambda:createdBy" } ] - }, + }, "Condition": "FunctionCondition3" - }, + }, "MyFunction2": { - "Type": "AWS::Lambda::Function", + "Type": "AWS::Lambda::Function", "Properties": { - "Handler": "index.handler", + "Handler": "index.handler", "Code": { - "S3Bucket": "sam-demo-bucket", + "S3Bucket": "sam-demo-bucket", "S3Key": "thumbnails.zip" - }, + }, "Role": { "Fn::GetAtt": [ - "MyFunction2Role", + "MyFunction2Role", "Arn" ] - }, - "Runtime": "nodejs8.10", + }, + "Runtime": "nodejs8.10", "Tags": [ { - "Value": "SAM", + "Value": "SAM", "Key": "lambda:createdBy" } ] - }, + }, "Condition": "FunctionCondition2" - }, + }, "ServerlessRestApiProdStage": { - "Type": "AWS::ApiGateway::Stage", + "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "ServerlessRestApiDeploymentc06acce7cc" - }, + "Ref": "ServerlessRestApiDeployment91a6380656" + }, "RestApiId": { "Ref": "ServerlessRestApi" - }, + }, "StageName": "Prod" - }, + }, "Condition": "ServerlessRestApiCondition" - }, + }, "MyFunction5Role": { - "Type": "AWS::IAM::Role", + "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": [ "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], + ], "AssumeRolePolicyDocument": { - "Version": "2012-10-17", + "Version": "2012-10-17", "Statement": [ { "Action": [ "sts:AssumeRole" - ], - "Effect": "Allow", + ], + "Effect": "Allow", "Principal": { "Service": [ "lambda.amazonaws.com" @@ -265,23 +254,23 @@ } ] } - }, + }, "Condition": "FunctionCondition5" - }, + }, "MyFunction2Role": { - "Type": "AWS::IAM::Role", + "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": [ "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], + ], "AssumeRolePolicyDocument": { - "Version": "2012-10-17", + "Version": "2012-10-17", "Statement": [ { "Action": [ "sts:AssumeRole" - ], - "Effect": "Allow", + ], + "Effect": "Allow", "Principal": { "Service": [ "lambda.amazonaws.com" @@ -290,23 +279,23 @@ } ] } - }, + }, "Condition": "FunctionCondition2" - }, + }, "MyFunction4Role": { - "Type": "AWS::IAM::Role", + "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": [ "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], + ], "AssumeRolePolicyDocument": { - "Version": "2012-10-17", + "Version": "2012-10-17", "Statement": [ { "Action": [ "sts:AssumeRole" - ], - "Effect": "Allow", + ], + "Effect": "Allow", "Principal": { "Service": [ "lambda.amazonaws.com" @@ -315,69 +304,69 @@ } ] } - }, + }, "Condition": "FunctionCondition4" - }, + }, "MyFunction3WithLambdaTokenAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction3" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "ServerlessRestApi" } } ] } - }, + }, "Condition": "FunctionCondition3" - }, + }, "MyFunction5": { - "Type": "AWS::Lambda::Function", + "Type": "AWS::Lambda::Function", "Properties": { - "Handler": "index.handler", + "Handler": "index.handler", "Code": { - "S3Bucket": "sam-demo-bucket", + "S3Bucket": "sam-demo-bucket", "S3Key": "thumbnails.zip" - }, + }, "Role": { "Fn::GetAtt": [ - "MyFunction5Role", + "MyFunction5Role", "Arn" ] - }, - "Runtime": "nodejs8.10", + }, + "Runtime": "nodejs8.10", "Tags": [ { - "Value": "SAM", + "Value": "SAM", "Key": "lambda:createdBy" } ] - }, + }, "Condition": "FunctionCondition5" - }, + }, "MyFunction6Role": { - "Type": "AWS::IAM::Role", + "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": [ "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], + ], "AssumeRolePolicyDocument": { - "Version": "2012-10-17", + "Version": "2012-10-17", "Statement": [ { "Action": [ "sts:AssumeRole" - ], - "Effect": "Allow", + ], + "Effect": "Allow", "Principal": { "Service": [ "lambda.amazonaws.com" @@ -386,18 +375,18 @@ } ] } - }, + }, "Condition": "FunctionCondition6" - }, + }, "ServerlessRestApiMyLambdaTokenAuthAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": "arn:aws", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "arn:aws", "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { "Ref": "ServerlessRestApi" @@ -405,67 +394,67 @@ } ] } - }, + }, "Condition": "ServerlessRestApiCondition" - }, + }, "MyFunctionWithNoAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "ServerlessRestApi" } } ] } - }, + }, "Condition": "FunctionCondition" - }, + }, "MyFunction6WithDefaultAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction6" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "ServerlessRestApi" } } ] } - }, + }, "Condition": "FunctionCondition6" - }, + }, "MyFunction3Role": { - "Type": "AWS::IAM::Role", + "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": [ "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], + ], "AssumeRolePolicyDocument": { - "Version": "2012-10-17", + "Version": "2012-10-17", "Statement": [ { "Action": [ "sts:AssumeRole" - ], - "Effect": "Allow", + ], + "Effect": "Allow", "Principal": { "Service": [ "lambda.amazonaws.com" @@ -474,64 +463,64 @@ } ] } - }, + }, "Condition": "FunctionCondition3" - }, + }, "MyFunction": { - "Type": "AWS::Lambda::Function", + "Type": "AWS::Lambda::Function", "Properties": { - "Handler": "index.handler", + "Handler": "index.handler", "Code": { - "S3Bucket": "sam-demo-bucket", + "S3Bucket": "sam-demo-bucket", "S3Key": "thumbnails.zip" - }, + }, "Role": { "Fn::GetAtt": [ - "MyFunctionRole", + "MyFunctionRole", "Arn" ] - }, - "Runtime": "nodejs8.10", + }, + "Runtime": "nodejs8.10", "Tags": [ { - "Value": "SAM", + "Value": "SAM", "Key": "lambda:createdBy" } ] - }, + }, "Condition": "FunctionCondition" - }, + }, "MyFunction4WithLambdaTokenAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction4" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "ServerlessRestApi" } } ] } - }, + }, "Condition": "FunctionCondition4" - }, + }, "ServerlessRestApiMyLambdaRequestAuthAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": "arn:aws", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "arn:aws", "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { "Ref": "ServerlessRestApi" @@ -539,40 +528,40 @@ } ] } - }, + }, "Condition": "ServerlessRestApiCondition" - }, + }, "MyFunction5WithLambdaRequestAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction5" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "ServerlessRestApi" } } ] } - }, + }, "Condition": "FunctionCondition5" - }, + }, "ServerlessRestApiMyLambdaTokenAuthNoneFunctionInvokeRoleAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": "arn:aws", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "arn:aws", "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { "Ref": "ServerlessRestApi" @@ -580,45 +569,45 @@ } ] } - }, + }, "Condition": "ServerlessRestApiCondition" - }, + }, "MyFunctionWithNoAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "ServerlessRestApi" } } ] } - }, + }, "Condition": "FunctionCondition" - }, + }, "MyFunctionRole": { - "Type": "AWS::IAM::Role", + "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": [ "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], + ], "AssumeRolePolicyDocument": { - "Version": "2012-10-17", + "Version": "2012-10-17", "Statement": [ { "Action": [ "sts:AssumeRole" - ], - "Effect": "Allow", + ], + "Effect": "Allow", "Principal": { "Service": [ "lambda.amazonaws.com" @@ -627,414 +616,433 @@ } ] } - }, + }, "Condition": "FunctionCondition" - }, + }, "MyFunction5WithLambdaRequestAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction5" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "ServerlessRestApi" } } ] } - }, + }, "Condition": "FunctionCondition5" - }, + }, + "ServerlessRestApiDeployment91a6380656": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "ServerlessRestApi" + }, + "Description": "RestApi deployment id: 91a63806562bbe4a3ad1c14c2444bc7d8d27397c", + "StageName": "Stage" + }, + "Condition": "ServerlessRestApiCondition" + }, "MyFunction3WithLambdaTokenAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction3" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "ServerlessRestApi" } } ] } - }, + }, "Condition": "FunctionCondition3" - }, + }, "MyFunction6WithDefaultAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction6" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "ServerlessRestApi" } } ] } - }, + }, "Condition": "FunctionCondition6" - }, + }, "ServerlessRestApi": { - "Type": "AWS::ApiGateway::RestApi", + "Type": "AWS::ApiGateway::RestApi", "Properties": { "Body": { "info": { - "version": "1.0", + "version": "1.0", "title": { "Ref": "AWS::StackName" } - }, + }, "paths": { "/": { "Fn::If": [ - "FunctionCondition", + "FunctionCondition", { "get": { "Fn::If": [ - "FunctionCondition", + "FunctionCondition", { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::If": [ - "FunctionCondition", + "FunctionCondition", { "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" - }, + }, { "Ref": "AWS::NoValue" } ] } - }, + }, "security": [ { "NONE": [] } - ], + ], "responses": {} - }, + }, { "Ref": "AWS::NoValue" } ] } - }, + }, { "Ref": "AWS::NoValue" } ] - }, + }, "/users": { "Fn::If": [ - "ServerlessRestApiSLASHusersPathCondition", + "ServerlessRestApiSLASHusersPathCondition", { "put": { "Fn::If": [ - "FunctionCondition6", + "FunctionCondition6", { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::If": [ - "FunctionCondition6", + "FunctionCondition6", { "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction6.Arn}/invocations" - }, + }, { "Ref": "AWS::NoValue" } ] } - }, + }, "security": [ + { + "api_key": [] + }, { "MyCognitoAuth": [] } - ], + ], "responses": {} - }, + }, { "Ref": "AWS::NoValue" } ] - }, + }, "patch": { "Fn::If": [ - "FunctionCondition4", + "FunctionCondition4", { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::If": [ - "FunctionCondition4", + "FunctionCondition4", { "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction4.Arn}/invocations" - }, + }, { "Ref": "AWS::NoValue" } ] } - }, + }, "security": [ { "MyLambdaTokenAuthNoneFunctionInvokeRole": [] } - ], + ], "responses": {} - }, + }, { "Ref": "AWS::NoValue" } ] - }, + }, "post": { "Fn::If": [ - "FunctionCondition2", + "FunctionCondition2", { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::If": [ - "FunctionCondition2", + "FunctionCondition2", { "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction2.Arn}/invocations" - }, + }, { "Ref": "AWS::NoValue" } ] } - }, + }, "security": [ { "MyCognitoAuthMultipleUserPools": [] } - ], + ], "responses": {} - }, + }, { "Ref": "AWS::NoValue" } ] - }, + }, "get": { "Fn::If": [ - "FunctionCondition3", + "FunctionCondition3", { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::If": [ - "FunctionCondition3", + "FunctionCondition3", { "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction3.Arn}/invocations" - }, + }, { "Ref": "AWS::NoValue" } ] } - }, + }, "security": [ { "MyLambdaTokenAuth": [] } - ], + ], "responses": {} - }, + }, { "Ref": "AWS::NoValue" } ] - }, + }, "delete": { "Fn::If": [ - "FunctionCondition5", + "FunctionCondition5", { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::If": [ - "FunctionCondition5", + "FunctionCondition5", { "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction5.Arn}/invocations" - }, + }, { "Ref": "AWS::NoValue" } ] } - }, + }, "security": [ { "MyLambdaRequestAuth": [] } - ], + ], "responses": {} - }, + }, { "Ref": "AWS::NoValue" } ] } - }, + }, { "Ref": "AWS::NoValue" } ] } - }, - "swagger": "2.0", + }, + "swagger": "2.0", "securityDefinitions": { - "MyCognitoAuth": { - "in": "header", - "type": "apiKey", - "name": "MyAuthorizationHeader", - "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression", - "providerARNs": [ - "arn:aws:1" - ], - "type": "cognito_user_pools" - }, - "x-amazon-apigateway-authtype": "cognito_user_pools" - }, "MyLambdaTokenAuthNoneFunctionInvokeRole": { - "in": "header", - "type": "apiKey", - "name": "Authorization", + "in": "header", + "type": "apiKey", + "name": "Authorization", "x-amazon-apigateway-authorizer": { - "type": "token", - "authorizerResultTtlInSeconds": 0, + "type": "token", + "authorizerResultTtlInSeconds": 0, "authorizerUri": { "Fn::Sub": [ - "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { "__FunctionArn__": "arn:aws" } ] } - }, + }, "x-amazon-apigateway-authtype": "custom" - }, - "MyCognitoAuthMultipleUserPools": { - "in": "header", - "type": "apiKey", - "name": "MyAuthorizationHeader2", - "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression2", - "providerARNs": [ - "arn:aws:2", - "arn:aws:3" - ], - "type": "cognito_user_pools" - }, - "x-amazon-apigateway-authtype": "cognito_user_pools" - }, - "MyLambdaTokenAuth": { - "in": "header", - "type": "apiKey", - "name": "MyCustomAuthHeader", + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + }, + "MyLambdaRequestAuth": { + "in": "header", + "type": "apiKey", + "name": "Unused", "x-amazon-apigateway-authorizer": { - "type": "token", - "authorizerResultTtlInSeconds": 20, + "type": "request", + "authorizerResultTtlInSeconds": 0, + "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", "authorizerUri": { "Fn::Sub": [ - "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { "__FunctionArn__": "arn:aws" } ] - }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", - "identityValidationExpression": "mycustomauthexpression" - }, + }, + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" + }, "x-amazon-apigateway-authtype": "custom" - }, - "MyLambdaRequestAuth": { - "in": "header", - "type": "apiKey", - "name": "Unused", + }, + "MyCognitoAuth": { + "in": "header", + "type": "apiKey", + "name": "MyAuthorizationHeader", "x-amazon-apigateway-authorizer": { - "type": "request", - "authorizerResultTtlInSeconds": 0, - "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", + "identityValidationExpression": "myauthvalidationexpression", + "providerARNs": [ + "arn:aws:1" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "MyLambdaTokenAuth": { + "in": "header", + "type": "apiKey", + "name": "MyCustomAuthHeader", + "x-amazon-apigateway-authorizer": { + "type": "token", + "authorizerResultTtlInSeconds": 20, "authorizerUri": { "Fn::Sub": [ - "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { "__FunctionArn__": "arn:aws" } ] - }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" - }, + }, + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", + "identityValidationExpression": "mycustomauthexpression" + }, "x-amazon-apigateway-authtype": "custom" + }, + "MyCognitoAuthMultipleUserPools": { + "in": "header", + "type": "apiKey", + "name": "MyAuthorizationHeader2", + "x-amazon-apigateway-authorizer": { + "identityValidationExpression": "myauthvalidationexpression2", + "providerARNs": [ + "arn:aws:2", + "arn:aws:3" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" } } - }, + }, "EndpointConfiguration": { "Types": [ "REGIONAL" ] - }, + }, "Parameters": { "endpointConfigurationTypes": "REGIONAL" } - }, + }, "Condition": "ServerlessRestApiCondition" - }, + }, "MyFunction2WithCognitoMultipleUserPoolsAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction2" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "ServerlessRestApi" } } ] } - }, + }, "Condition": "FunctionCondition2" } } -} +} \ No newline at end of file diff --git a/tests/translator/output/globals_for_api.json b/tests/translator/output/globals_for_api.json index 13abe41971..23bbf1472d 100644 --- a/tests/translator/output/globals_for_api.json +++ b/tests/translator/output/globals_for_api.json @@ -68,6 +68,16 @@ } } }, + "ServerlessRestApiDeploymentaa32438b68": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "ServerlessRestApi" + }, + "Description": "RestApi deployment id: aa32438b68e05d3771a975585dfbc7b012672b55", + "StageName": "Stage" + } + }, "ExplicitApi": { "Type": "AWS::ApiGateway::RestApi", "Properties": { @@ -91,6 +101,9 @@ "security": [ { "MyCognitoAuth": [] + }, + { + "api_key": [] } ], "responses": {} @@ -115,6 +128,11 @@ "type": "cognito_user_pools" }, "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } } }, @@ -134,20 +152,10 @@ }, "CacheClusterEnabled": true, "DeploymentId": { - "Ref": "ServerlessRestApiDeploymentdb4b9da82a" + "Ref": "ServerlessRestApiDeploymentaa32438b68" } } }, - "ServerlessRestApiDeploymentdb4b9da82a": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "ServerlessRestApi" - }, - "Description": "RestApi deployment id: db4b9da82adc6031fcd32bf3a4954485464fc009", - "StageName": "Stage" - } - }, "ExplicitApiSomeStageStage": { "Type": "AWS::ApiGateway::Stage", "Properties": { @@ -161,10 +169,20 @@ }, "CacheClusterEnabled": true, "DeploymentId": { - "Ref": "ExplicitApiDeploymentd5fa0145e9" + "Ref": "ExplicitApiDeployment43e01e673d" } } }, + "ExplicitApiDeployment43e01e673d": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "ExplicitApi" + }, + "Description": "RestApi deployment id: 43e01e673d7acbd09e4c38ff78dd6ddaf2ed1d55", + "StageName": "Stage" + } + }, "ImplicitApiFunctionGetHtmlPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -186,16 +204,6 @@ } } }, - "ExplicitApiDeploymentd5fa0145e9": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "ExplicitApi" - }, - "Description": "RestApi deployment id: d5fa0145e9e6393911d32967e66fd7091d605483", - "StageName": "Stage" - } - }, "MyUserPool": { "Type": "AWS::Cognito::UserPool", "Properties": { @@ -240,6 +248,9 @@ "security": [ { "MyCognitoAuth": [] + }, + { + "api_key": [] } ], "responses": {} @@ -264,6 +275,11 @@ "type": "cognito_user_pools" }, "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } } }, diff --git a/tests/translator/output/implicit_api_with_auth_and_conditions_max.json b/tests/translator/output/implicit_api_with_auth_and_conditions_max.json index a3e2433541..28dc23d353 100644 --- a/tests/translator/output/implicit_api_with_auth_and_conditions_max.json +++ b/tests/translator/output/implicit_api_with_auth_and_conditions_max.json @@ -223,7 +223,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "ServerlessRestApiDeploymente09cc405ab" + "Ref": "ServerlessRestApiDeploymentcbc79073ff" }, "RestApiId": { "Ref": "ServerlessRestApi" @@ -282,6 +282,17 @@ }, "Condition": "FunctionCondition2" }, + "ServerlessRestApiDeploymentcbc79073ff": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "ServerlessRestApi" + }, + "Description": "RestApi deployment id: cbc79073ff900d53c3f67ea223640210914a672c", + "StageName": "Stage" + }, + "Condition": "ServerlessRestApiCondition" + }, "MyFunction4Role": { "Type": "AWS::IAM::Role", "Properties": { @@ -685,17 +696,6 @@ }, "Condition": "FunctionCondition6" }, - "ServerlessRestApiDeploymente09cc405ab": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "ServerlessRestApi" - }, - "Description": "RestApi deployment id: e09cc405abe09a0afb9e5f0cb2e94cfba98767d5", - "StageName": "Stage" - }, - "Condition": "ServerlessRestApiCondition" - }, "ServerlessRestApi": { "Type": "AWS::ApiGateway::RestApi", "Properties": { @@ -772,6 +772,9 @@ } }, "security": [ + { + "api_key": [] + }, { "MyCognitoAuth": [] } @@ -916,26 +919,37 @@ }, "swagger": "2.0", "securityDefinitions": { - "MyCognitoAuth": { + "MyLambdaTokenAuthNoneFunctionInvokeRole": { "in": "header", "type": "apiKey", - "name": "MyAuthorizationHeader", + "name": "Authorization", "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression", - "providerARNs": [ - "arn:aws:1" - ], - "type": "cognito_user_pools" + "type": "token", + "authorizerResultTtlInSeconds": 0, + "authorizerUri": { + "Fn::Sub": [ + "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + { + "__FunctionArn__": "arn:aws" + } + ] + } }, - "x-amazon-apigateway-authtype": "cognito_user_pools" + "x-amazon-apigateway-authtype": "custom" }, - "MyLambdaTokenAuthNoneFunctionInvokeRole": { + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + }, + "MyLambdaRequestAuth": { "in": "header", "type": "apiKey", - "name": "Authorization", + "name": "Unused", "x-amazon-apigateway-authorizer": { - "type": "token", + "type": "request", "authorizerResultTtlInSeconds": 0, + "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", "authorizerUri": { "Fn::Sub": [ "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", @@ -943,19 +957,19 @@ "__FunctionArn__": "arn:aws" } ] - } + }, + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" }, "x-amazon-apigateway-authtype": "custom" }, - "MyCognitoAuthMultipleUserPools": { + "MyCognitoAuth": { "in": "header", "type": "apiKey", - "name": "MyAuthorizationHeader2", + "name": "MyAuthorizationHeader", "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression2", + "identityValidationExpression": "myauthvalidationexpression", "providerARNs": [ - "arn:aws:2", - "arn:aws:3" + "arn:aws:1" ], "type": "cognito_user_pools" }, @@ -981,25 +995,19 @@ }, "x-amazon-apigateway-authtype": "custom" }, - "MyLambdaRequestAuth": { + "MyCognitoAuthMultipleUserPools": { "in": "header", "type": "apiKey", - "name": "Unused", + "name": "MyAuthorizationHeader2", "x-amazon-apigateway-authorizer": { - "type": "request", - "authorizerResultTtlInSeconds": 0, - "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", - "authorizerUri": { - "Fn::Sub": [ - "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", - { - "__FunctionArn__": "arn:aws" - } - ] - }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" + "identityValidationExpression": "myauthvalidationexpression2", + "providerARNs": [ + "arn:aws:2", + "arn:aws:3" + ], + "type": "cognito_user_pools" }, - "x-amazon-apigateway-authtype": "custom" + "x-amazon-apigateway-authtype": "cognito_user_pools" } } } @@ -1029,4 +1037,4 @@ "Condition": "FunctionCondition2" } } -} +} \ No newline at end of file diff --git a/tests/translator/test_translator.py b/tests/translator/test_translator.py index 89402cfbfd..26e7730975 100644 --- a/tests/translator/test_translator.py +++ b/tests/translator/test_translator.py @@ -260,6 +260,8 @@ class TestTranslatorEndToEnd(TestCase): 'implicit_and_explicit_api_with_conditions', 'api_with_cors_and_conditions_no_definitionbody', 'api_with_auth_and_conditions_all_max', + 'api_with_apikey_default_override', + 'api_with_apikey_required', ], [ ("aws", "ap-southeast-1"), diff --git a/versions/2016-10-31.md b/versions/2016-10-31.md index 9493abadee..cc973c0130 100644 --- a/versions/2016-10-31.md +++ b/versions/2016-10-31.md @@ -226,7 +226,7 @@ EndpointConfiguration | `string` | Specify the type of endpoint for API endpoint BinaryMediaTypes | List of `string` | List of MIME types that your API could return. Use this to enable binary support for APIs. Use `~1` instead of `/` in the mime types (See examples in [template.yaml](../examples/2016-10-31/implicit_api_settings/template.yaml)). MinimumCompressionSize | `int` | Allow compression of response bodies based on client's Accept-Encoding header. Compression is triggered when response body size is greater than or equal to your configured threshold. The maximum body size threshold is 10 MB (10,485,760 Bytes). The following compression types are supported: gzip, deflate, and identity. Cors | `string` or [Cors Configuration](#cors-configuration) | Enable CORS for all your APIs. Specify the domain to allow as a string or specify a dictionary with additional [Cors Configuration](#cors-configuration). NOTE: Cors requires SAM to modify your Swagger definition. Hence it works only inline swagger defined with `DefinitionBody`. -Auth | [API Auth Object](#api-auth-object) | Auth configuration for this API. Define Lambda and Cognito `Authorizers` and specify a `DefaultAuthorizer` for this API. +Auth | [API Auth Object](#api-auth-object) | Auth configuration for this API. Define Lambda and Cognito `Authorizers` and specify a `DefaultAuthorizer` for this API. Can specify default ApiKey restriction using `ApiKeyRequired`. GatewayResponses | Map of [Gateway Response Type](https://docs.aws.amazon.com/apigateway/api-reference/resource/gateway-response/) to [Gateway Response Object](#gateway-response-object) | Configures Gateway Reponses for an API. Gateway Responses are responses returned by API Gateway, either directly or through the use of Lambda Authorizers. Keys for this object are passed through to Api Gateway, so any value supported by `GatewayResponse.responseType` is supported here. AccessLogSetting | [CloudFormation AccessLogSetting property](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-stage-accesslogsetting.html) | Configures Access Log Setting for a stage. This value is passed through to CloudFormation, so any value supported by `AccessLogSetting` is supported here. CanarySetting | [CloudFormation CanarySetting property](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-stage-canarysetting.html) | Configure a Canary Setting to a Stage of a regular deployment. This value is passed through to Cloudformation, so any value supported by `CanarySetting` is supported here. @@ -526,7 +526,7 @@ Property Name | Type | Description Path | `string` | **Required.** Uri path for which this function is invoked. MUST start with `/`. Method | `string` | **Required.** HTTP method for which this function is invoked. RestApiId | `string` | Identifier of a RestApi resource which MUST contain an operation with the given path and method. Typically, this is set to [reference](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html) an `AWS::Serverless::Api` resource defined in this template. If not defined, a default `AWS::Serverless::Api` resource is created using a generated Swagger document contains a union of all paths and methods defined by `Api` events defined in this template that do not specify a RestApiId. -Auth | [Function Auth Object](#function-auth-object) | Auth configuration for this specific Api+Path+Method. Useful for overriding the API's `DefaultAuthorizer` or setting auth config on an individual path when no `DefaultAuthorizer` is specified. +Auth | [Function Auth Object](#function-auth-object) | Auth configuration for this specific Api+Path+Method. Useful for overriding the API's `DefaultAuthorizer` setting auth config on an individual path when no `DefaultAuthorizer` is specified or overriding the default `ApiKeyRequired' setting. RequestModel | [Function Request Model Object](#function-request-model-object) | Request model configuration for this specific Api+Path+Method. ##### Example: Api event source object @@ -781,10 +781,14 @@ Cors: #### API Auth Object -Configure Auth on APIs. Define Lambda and Cognito `Authorizers` and specify a `DefaultAuthorizer`. If you use IAM permission, only specify `AWS_IAM` to a `DefaultAuthorizer`. For more information, see the documentation on [Lambda Authorizers](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html) and [Amazon Cognito User Pool Authorizers](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html) and [IAM Permissions](https://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html). +Configure Auth on APIs. + +**Authorizers:** +Define Lambda and Cognito `Authorizers` and specify a `DefaultAuthorizer`. If you use IAM permission, only specify `AWS_IAM` to a `DefaultAuthorizer`. For more information, see the documentation on [Lambda Authorizers](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html) and [Amazon Cognito User Pool Authorizers](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html) and [IAM Permissions](https://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html). ```yaml Auth: + ApiKeyRequired: true # OPTIONAL DefaultAuthorizer: MyCognitoAuth # OPTIONAL, if you use IAM permissions, specify AWS_IAM. Authorizers: MyCognitoAuth: @@ -819,6 +823,15 @@ Auth: ReauthorizeEvery: 0 # OPTIONAL; Service Default: 300 ``` +**ApiKey:** +Configure ApiKey restriction for all methods and paths on an API. This setting can be overriden on individual `AWS::Serverless::Function` using the [Function Auth Object](#function-auth-object). Typically this would be used to require ApiKey on all methods and then override it on select methods that you want to be public. + +```yaml +Auth: + ApiKeyRequired: true +``` + + #### Function Auth Object Configure Auth for a specific Api+Path+Method. @@ -835,6 +848,20 @@ Auth: Authorizer: 'NONE' ``` +Require api keys for a specific Api+Path+Method. + +```yaml +Auth: + ApiKeyRequired: true +``` + +If you have specified `ApiKeyRequired: true` globally on the API and want to make a specific Function public, override with the following: + +```yaml +Auth: + ApiKeyRequired: false +``` + #### Function Request Model Object Configure Request Model for a specific Api+Path+Method. From 1b03e5959435a27c6a98ac7bdcf1058b0931fc66 Mon Sep 17 00:00:00 2001 From: Cris Barbero Date: Wed, 5 Jun 2019 08:25:05 -0600 Subject: [PATCH 2/7] Fix spacing --- samtranslator/swagger/swagger.py | 12 ++- .../api_with_aws_iam_auth_overrides.json | 28 +++---- .../output/api_with_default_aws_iam_auth.json | 68 ++++++++-------- .../api_with_aws_iam_auth_overrides.json | 28 +++---- .../aws-cn/api_with_default_aws_iam_auth.json | 80 +++++++++---------- .../api_with_aws_iam_auth_overrides.json | 28 +++---- .../api_with_default_aws_iam_auth.json | 50 ++++++------ 7 files changed, 151 insertions(+), 143 deletions(-) diff --git a/samtranslator/swagger/swagger.py b/samtranslator/swagger/swagger.py index 287730064f..3f2fed3ebd 100644 --- a/samtranslator/swagger/swagger.py +++ b/samtranslator/swagger/swagger.py @@ -416,7 +416,11 @@ def add_awsiam_security_definition(self): } self.security_definitions = self.security_definitions or {} - self.security_definitions.update(aws_iam_security_definition) + + # Only add the security definition if it doesn't exist. This helps ensure + # that we minimize changes to the swagger in the case of user defined swagger + if 'AWS_IAM' not in self.security_definitions: + self.security_definitions.update(aws_iam_security_definition) def add_apikey_security_definition(self): """ @@ -433,7 +437,11 @@ def add_apikey_security_definition(self): } self.security_definitions = self.security_definitions or {} - self.security_definitions.update(api_key_security_definition) + + # Only add the security definition if it doesn't exist. This helps ensure + # that we minimize changes to the swagger in the case of user defined swagger + if 'api_key' not in self.security_definitions: + self.security_definitions.update(api_key_security_definition) def set_path_default_authorizer(self, path, default_authorizer, authorizers, add_default_auth_to_preflight=True): diff --git a/tests/translator/output/api_with_aws_iam_auth_overrides.json b/tests/translator/output/api_with_aws_iam_auth_overrides.json index 947b0d0c07..6ca104082e 100644 --- a/tests/translator/output/api_with_aws_iam_auth_overrides.json +++ b/tests/translator/output/api_with_aws_iam_auth_overrides.json @@ -50,7 +50,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithAwsIamAuthDeployment00f615258c" + "Ref": "MyApiWithAwsIamAuthDeployment8a32fb1652" }, "RestApiId": { "Ref": "MyApiWithAwsIamAuth" @@ -124,6 +124,16 @@ } } }, + "MyApiWithAwsIamAuthDeployment8a32fb1652": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithAwsIamAuth" + }, + "Description": "RestApi deployment id: 8a32fb165218ee858b16980eed421b4f38d18f00", + "StageName": "Stage" + } + }, "MyFunctionMyCognitoAuthAPI1PermissionTest": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -371,16 +381,6 @@ } } }, - "MyApiWithAwsIamAuthDeployment00f615258c": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApiWithAwsIamAuth" - }, - "Description": "RestApi deployment id: 00f615258c0deedd5cc900789f1f57d1fbde7df3", - "StageName": "Stage" - } - }, "MyFunctionCustomInvokeRoleAPI3PermissionTest": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -561,10 +561,10 @@ "x-amazon-apigateway-authtype": "cognito_user_pools" }, "AWS_IAM": { - "x-amazon-apigateway-authtype": "awsSigv4", + "in": "header", "type": "apiKey", "name": "Authorization", - "in": "header" + "x-amazon-apigateway-authtype": "awsSigv4" } } } @@ -592,4 +592,4 @@ } } } -} \ No newline at end of file +} diff --git a/tests/translator/output/api_with_default_aws_iam_auth.json b/tests/translator/output/api_with_default_aws_iam_auth.json index 0fa561cfe5..b7d0bb46f3 100644 --- a/tests/translator/output/api_with_default_aws_iam_auth.json +++ b/tests/translator/output/api_with_default_aws_iam_auth.json @@ -1,5 +1,15 @@ { "Resources": { + "MyApiWithAwsIamAuthDeployment3364487a57": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithAwsIamAuth" + }, + "Description": "RestApi deployment id: 3364487a57573f17976c9edc5dad6c3afe02a101", + "StageName": "Stage" + } + }, "MyFunctionWithAwsIamAuth": { "Type": "AWS::Lambda::Function", "Properties": { @@ -23,16 +33,6 @@ ] } }, - "MyApiWithAwsIamAuthAndDefaultInvokeRoleDeployment58ccfefa9d": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRole" - }, - "Description": "RestApi deployment id: 58ccfefa9d2b37d219e5cd439566227c228874ad", - "StageName": "Stage" - } - }, "MyFunctionWithAwsIamAuthMyApiWithAwsIamAuthPermissionTest": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -79,7 +79,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithAwsIamAuthDeployment2e654ad4c6" + "Ref": "MyApiWithAwsIamAuthDeployment3364487a57" }, "RestApiId": { "Ref": "MyApiWithAwsIamAuth" @@ -87,16 +87,14 @@ "StageName": "Prod" } }, - "MyApiWithAwsIamAuthAndDefaultInvokeRoleProdStage": { - "Type": "AWS::ApiGateway::Stage", + "MyApiWithAwsIamAuthAndDefaultInvokeRoleDeployment1edb95497c": { + "Type": "AWS::ApiGateway::Deployment", "Properties": { - "DeploymentId": { - "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRoleDeployment58ccfefa9d" - }, "RestApiId": { "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRole" }, - "StageName": "Prod" + "Description": "RestApi deployment id: 1edb95497ceb1e912fa65281f21a8f6f1098b5f4", + "StageName": "Stage" } }, "MyFunctionWithAwsIamAuthMyApiWithAwsIamAuthAndDefaultInvokeRolePermissionProd": { @@ -141,13 +139,13 @@ } } }, - "MyApiWithAwsIamAuthAndCustomInvokeRoleDeployment65ff252974": { + "MyApiWithAwsIamAuthAndCustomInvokeRoleDeployment61108120cf": { "Type": "AWS::ApiGateway::Deployment", "Properties": { "RestApiId": { "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRole" }, - "Description": "RestApi deployment id: 65ff252974c6dc8ff4fa083009ab0a4838d92a93", + "Description": "RestApi deployment id: 61108120cf9f293d5cf2fc21044a94dce2ed499a", "StageName": "Stage" } }, @@ -184,35 +182,37 @@ "swagger": "2.0", "securityDefinitions": { "AWS_IAM": { - "x-amazon-apigateway-authtype": "awsSigv4", + "in": "header", "type": "apiKey", "name": "Authorization", - "in": "header" + "x-amazon-apigateway-authtype": "awsSigv4" } } } } }, - "MyApiWithAwsIamAuthAndCustomInvokeRoleProdStage": { + "MyApiWithAwsIamAuthAndDefaultInvokeRoleProdStage": { "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRoleDeployment65ff252974" + "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRoleDeployment1edb95497c" }, "RestApiId": { - "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRole" + "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRole" }, "StageName": "Prod" } }, - "MyApiWithAwsIamAuthDeployment2e654ad4c6": { - "Type": "AWS::ApiGateway::Deployment", + "MyApiWithAwsIamAuthAndCustomInvokeRoleProdStage": { + "Type": "AWS::ApiGateway::Stage", "Properties": { + "DeploymentId": { + "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRoleDeployment61108120cf" + }, "RestApiId": { - "Ref": "MyApiWithAwsIamAuth" + "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRole" }, - "Description": "RestApi deployment id: 2e654ad4c60c5c1fff1e65a5b61eb502dbf42cbd", - "StageName": "Stage" + "StageName": "Prod" } }, "MyApiWithAwsIamAuthAndDefaultInvokeRole": { @@ -248,10 +248,10 @@ "swagger": "2.0", "securityDefinitions": { "AWS_IAM": { - "x-amazon-apigateway-authtype": "awsSigv4", + "in": "header", "type": "apiKey", "name": "Authorization", - "in": "header" + "x-amazon-apigateway-authtype": "awsSigv4" } } } @@ -290,10 +290,10 @@ "swagger": "2.0", "securityDefinitions": { "AWS_IAM": { - "x-amazon-apigateway-authtype": "awsSigv4", + "in": "header", "type": "apiKey", "name": "Authorization", - "in": "header" + "x-amazon-apigateway-authtype": "awsSigv4" } } } @@ -366,4 +366,4 @@ } } } -} \ No newline at end of file +} diff --git a/tests/translator/output/aws-cn/api_with_aws_iam_auth_overrides.json b/tests/translator/output/aws-cn/api_with_aws_iam_auth_overrides.json index 8cf64eba56..49f1e90a40 100644 --- a/tests/translator/output/aws-cn/api_with_aws_iam_auth_overrides.json +++ b/tests/translator/output/aws-cn/api_with_aws_iam_auth_overrides.json @@ -50,7 +50,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithAwsIamAuthDeploymentcaa40f95ee" + "Ref": "MyApiWithAwsIamAuthDeploymented0a631915" }, "RestApiId": { "Ref": "MyApiWithAwsIamAuth" @@ -103,16 +103,6 @@ } } }, - "MyApiWithAwsIamAuthDeploymentcaa40f95ee": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApiWithAwsIamAuth" - }, - "Description": "RestApi deployment id: caa40f95ee941baffc4ce02b45e862c5f7ea4d5e", - "StageName": "Stage" - } - }, "MyFunctionWithoutAuthAPI2PermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -155,6 +145,16 @@ } } }, + "MyApiWithAwsIamAuthDeploymented0a631915": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithAwsIamAuth" + }, + "Description": "RestApi deployment id: ed0a631915dc4df4436f471e81cd69beb6f89603", + "StageName": "Stage" + } + }, "MyFunctionMyCognitoAuth": { "Type": "AWS::Lambda::Function", "Properties": { @@ -561,10 +561,10 @@ "x-amazon-apigateway-authtype": "cognito_user_pools" }, "AWS_IAM": { - "x-amazon-apigateway-authtype": "awsSigv4", + "in": "header", "type": "apiKey", "name": "Authorization", - "in": "header" + "x-amazon-apigateway-authtype": "awsSigv4" } } }, @@ -600,4 +600,4 @@ } } } -} \ No newline at end of file +} diff --git a/tests/translator/output/aws-cn/api_with_default_aws_iam_auth.json b/tests/translator/output/aws-cn/api_with_default_aws_iam_auth.json index 330aefa103..58fd1f46b8 100644 --- a/tests/translator/output/aws-cn/api_with_default_aws_iam_auth.json +++ b/tests/translator/output/aws-cn/api_with_default_aws_iam_auth.json @@ -23,6 +23,16 @@ ] } }, + "MyApiWithAwsIamAuthAndDefaultInvokeRoleDeploymentd0103947f7": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRole" + }, + "Description": "RestApi deployment id: d0103947f7e2e1d52ca7afac92f5afc8339a051b", + "StageName": "Stage" + } + }, "MyFunctionWithAwsIamAuthMyApiWithAwsIamAuthPermissionTest": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -44,16 +54,6 @@ } } }, - "MyApiWithAwsIamAuthDeploymente6d5fb9b50": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApiWithAwsIamAuth" - }, - "Description": "RestApi deployment id: e6d5fb9b50efbcef7ba82212572d741a89330edf", - "StageName": "Stage" - } - }, "MyFunctionWithAwsIamAuthMyApiWithAwsIamAuthPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -75,21 +75,11 @@ } } }, - "MyApiWithAwsIamAuthAndCustomInvokeRoleDeploymentb406a33161": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRole" - }, - "Description": "RestApi deployment id: b406a33161a8a9cb2842e4374c3f0167931eb064", - "StageName": "Stage" - } - }, "MyApiWithAwsIamAuthProdStage": { "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithAwsIamAuthDeploymente6d5fb9b50" + "Ref": "MyApiWithAwsIamAuthDeploymentc8adfb74cf" }, "RestApiId": { "Ref": "MyApiWithAwsIamAuth" @@ -101,7 +91,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRoleDeployment76f532c4be" + "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRoleDeploymentd0103947f7" }, "RestApiId": { "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRole" @@ -151,6 +141,16 @@ } } }, + "MyApiWithAwsIamAuthDeploymentc8adfb74cf": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithAwsIamAuth" + }, + "Description": "RestApi deployment id: c8adfb74cfae8b8052802a21a258ecbd5178d144", + "StageName": "Stage" + } + }, "MyApiWithAwsIamAuthAndCustomInvokeRole": { "Type": "AWS::ApiGateway::RestApi", "Properties": { @@ -184,10 +184,10 @@ "swagger": "2.0", "securityDefinitions": { "AWS_IAM": { - "x-amazon-apigateway-authtype": "awsSigv4", + "in": "header", "type": "apiKey", "name": "Authorization", - "in": "header" + "x-amazon-apigateway-authtype": "awsSigv4" } } }, @@ -205,7 +205,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRoleDeploymentb406a33161" + "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRoleDeployment2a6ecd9264" }, "RestApiId": { "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRole" @@ -246,10 +246,10 @@ "swagger": "2.0", "securityDefinitions": { "AWS_IAM": { - "x-amazon-apigateway-authtype": "awsSigv4", + "in": "header", "type": "apiKey", "name": "Authorization", - "in": "header" + "x-amazon-apigateway-authtype": "awsSigv4" } } }, @@ -263,6 +263,16 @@ } } }, + "MyApiWithAwsIamAuthAndCustomInvokeRoleDeployment2a6ecd9264": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRole" + }, + "Description": "RestApi deployment id: 2a6ecd9264d4f59054caa89a94960604594cd94f", + "StageName": "Stage" + } + }, "MyApiWithAwsIamAuth": { "Type": "AWS::ApiGateway::RestApi", "Properties": { @@ -296,10 +306,10 @@ "swagger": "2.0", "securityDefinitions": { "AWS_IAM": { - "x-amazon-apigateway-authtype": "awsSigv4", + "in": "header", "type": "apiKey", "name": "Authorization", - "in": "header" + "x-amazon-apigateway-authtype": "awsSigv4" } } }, @@ -313,16 +323,6 @@ } } }, - "MyApiWithAwsIamAuthAndDefaultInvokeRoleDeployment76f532c4be": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRole" - }, - "Description": "RestApi deployment id: 76f532c4bee79a53b122020ad84d7e9671824afe", - "StageName": "Stage" - } - }, "MyFunctionWithAwsIamAuthMyApiWithAwsIamAuthAndCustomInvokeRolePermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -390,4 +390,4 @@ } } } -} \ No newline at end of file +} diff --git a/tests/translator/output/aws-us-gov/api_with_aws_iam_auth_overrides.json b/tests/translator/output/aws-us-gov/api_with_aws_iam_auth_overrides.json index 02b60bcbdf..cf8d219509 100644 --- a/tests/translator/output/aws-us-gov/api_with_aws_iam_auth_overrides.json +++ b/tests/translator/output/aws-us-gov/api_with_aws_iam_auth_overrides.json @@ -46,11 +46,21 @@ ] } }, + "MyApiWithAwsIamAuthDeploymentd6dd2d1504": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithAwsIamAuth" + }, + "Description": "RestApi deployment id: d6dd2d1504ea960bdb50055b256d9292aa565e4b", + "StageName": "Stage" + } + }, "MyApiWithAwsIamAuthProdStage": { "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithAwsIamAuthDeploymentc527246f7f" + "Ref": "MyApiWithAwsIamAuthDeploymentd6dd2d1504" }, "RestApiId": { "Ref": "MyApiWithAwsIamAuth" @@ -103,16 +113,6 @@ } } }, - "MyApiWithAwsIamAuthDeploymentc527246f7f": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApiWithAwsIamAuth" - }, - "Description": "RestApi deployment id: c527246f7ffc9d300cb5934f0a2feaf19ce90c8b", - "StageName": "Stage" - } - }, "MyFunctionWithoutAuthAPI2PermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -561,10 +561,10 @@ "x-amazon-apigateway-authtype": "cognito_user_pools" }, "AWS_IAM": { - "x-amazon-apigateway-authtype": "awsSigv4", + "in": "header", "type": "apiKey", "name": "Authorization", - "in": "header" + "x-amazon-apigateway-authtype": "awsSigv4" } } }, @@ -600,4 +600,4 @@ } } } -} \ No newline at end of file +} diff --git a/tests/translator/output/aws-us-gov/api_with_default_aws_iam_auth.json b/tests/translator/output/aws-us-gov/api_with_default_aws_iam_auth.json index c1231a4e8d..2adb4725b4 100644 --- a/tests/translator/output/aws-us-gov/api_with_default_aws_iam_auth.json +++ b/tests/translator/output/aws-us-gov/api_with_default_aws_iam_auth.json @@ -23,16 +23,6 @@ ] } }, - "MyApiWithAwsIamAuthDeploymentf659ad5ab8": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApiWithAwsIamAuth" - }, - "Description": "RestApi deployment id: f659ad5ab81c7fba674d23cb02c5a79da2ab11f2", - "StageName": "Stage" - } - }, "MyFunctionWithAwsIamAuthMyApiWithAwsIamAuthPermissionTest": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -54,13 +44,13 @@ } } }, - "MyApiWithAwsIamAuthAndCustomInvokeRoleDeploymentf171a6f07c": { + "MyApiWithAwsIamAuthDeploymentf9a4964a7d": { "Type": "AWS::ApiGateway::Deployment", "Properties": { "RestApiId": { - "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRole" + "Ref": "MyApiWithAwsIamAuth" }, - "Description": "RestApi deployment id: f171a6f07cf7356e3ad2a7095d825396653f6fb5", + "Description": "RestApi deployment id: f9a4964a7df5021874e5a094662f1a2443982e0a", "StageName": "Stage" } }, @@ -89,7 +79,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithAwsIamAuthDeploymentf659ad5ab8" + "Ref": "MyApiWithAwsIamAuthDeploymentf9a4964a7d" }, "RestApiId": { "Ref": "MyApiWithAwsIamAuth" @@ -101,7 +91,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRoleDeployment1441ebcd54" + "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRoleDeploymentce2dead7de" }, "RestApiId": { "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRole" @@ -151,13 +141,23 @@ } } }, - "MyApiWithAwsIamAuthAndDefaultInvokeRoleDeployment1441ebcd54": { + "MyApiWithAwsIamAuthAndDefaultInvokeRoleDeploymentce2dead7de": { "Type": "AWS::ApiGateway::Deployment", "Properties": { "RestApiId": { "Ref": "MyApiWithAwsIamAuthAndDefaultInvokeRole" }, - "Description": "RestApi deployment id: 1441ebcd541a522a80b89b91d029f5f56dded2f2", + "Description": "RestApi deployment id: ce2dead7ded0bb502db5bd0c105948c27bc96729", + "StageName": "Stage" + } + }, + "MyApiWithAwsIamAuthAndCustomInvokeRoleDeploymentb31aa75bb2": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRole" + }, + "Description": "RestApi deployment id: b31aa75bb2284229d40917a9b424c8ea1cf98217", "StageName": "Stage" } }, @@ -194,10 +194,10 @@ "swagger": "2.0", "securityDefinitions": { "AWS_IAM": { - "x-amazon-apigateway-authtype": "awsSigv4", + "in": "header", "type": "apiKey", "name": "Authorization", - "in": "header" + "x-amazon-apigateway-authtype": "awsSigv4" } } }, @@ -215,7 +215,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRoleDeploymentf171a6f07c" + "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRoleDeploymentb31aa75bb2" }, "RestApiId": { "Ref": "MyApiWithAwsIamAuthAndCustomInvokeRole" @@ -256,10 +256,10 @@ "swagger": "2.0", "securityDefinitions": { "AWS_IAM": { - "x-amazon-apigateway-authtype": "awsSigv4", + "in": "header", "type": "apiKey", "name": "Authorization", - "in": "header" + "x-amazon-apigateway-authtype": "awsSigv4" } } }, @@ -306,10 +306,10 @@ "swagger": "2.0", "securityDefinitions": { "AWS_IAM": { - "x-amazon-apigateway-authtype": "awsSigv4", + "in": "header", "type": "apiKey", "name": "Authorization", - "in": "header" + "x-amazon-apigateway-authtype": "awsSigv4" } } }, @@ -390,4 +390,4 @@ } } } -} \ No newline at end of file +} From f8ed4696968cabeb60a985a672775e51f573780b Mon Sep 17 00:00:00 2001 From: Cris Barbero Date: Thu, 20 Jun 2019 13:41:41 -0600 Subject: [PATCH 3/7] undo space changes --- samtranslator/model/eventsources/push.py | 34 ++++++++++++------------ 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/samtranslator/model/eventsources/push.py b/samtranslator/model/eventsources/push.py index 087728c67c..23b43d2d52 100644 --- a/samtranslator/model/eventsources/push.py +++ b/samtranslator/model/eventsources/push.py @@ -71,8 +71,8 @@ class Schedule(PushEventSource): resource_type = 'Schedule' principal = 'events.amazonaws.com' property_types = { - 'Schedule': PropertyType(True, is_str()), - 'Input': PropertyType(False, is_str()) + 'Schedule': PropertyType(True, is_str()), + 'Input': PropertyType(False, is_str()) } def to_cloudformation(self, **kwargs): @@ -109,8 +109,8 @@ def _construct_target(self, function): :rtype: dict """ target = { - 'Arn': function.get_runtime_attr("arn"), - 'Id': self.logical_id + 'LambdaTarget' + 'Arn': function.get_runtime_attr("arn"), + 'Id': self.logical_id + 'LambdaTarget' } if self.Input is not None: target['Input'] = self.Input @@ -163,8 +163,8 @@ def _construct_target(self, function): :rtype: dict """ target = { - 'Arn': function.get_runtime_attr("arn"), - 'Id': self.logical_id + 'LambdaTarget' + 'Arn': function.get_runtime_attr("arn"), + 'Id': self.logical_id + 'LambdaTarget' } if self.Input is not None: target['Input'] = self.Input @@ -179,9 +179,9 @@ class S3(PushEventSource): resource_type = 'S3' principal = 's3.amazonaws.com' property_types = { - 'Bucket': PropertyType(True, is_str()), - 'Events': PropertyType(True, one_of(is_str(), list_of(is_str()))), - 'Filter': PropertyType(False, dict_of(is_str(), is_str())) + 'Bucket': PropertyType(True, is_str()), + 'Events': PropertyType(True, one_of(is_str(), list_of(is_str()))), + 'Filter': PropertyType(False, dict_of(is_str(), is_str())) } def resources_to_link(self, resources): @@ -343,8 +343,8 @@ class SNS(PushEventSource): resource_type = 'SNS' principal = 'sns.amazonaws.com' property_types = { - 'Topic': PropertyType(True, is_str()), - 'FilterPolicy': PropertyType(False, dict_of(is_str(), list_of(one_of(is_str(), is_type(dict))))) + 'Topic': PropertyType(True, is_str()), + 'FilterPolicy': PropertyType(False, dict_of(is_str(), list_of(one_of(is_str(), is_type(dict))))) } def to_cloudformation(self, **kwargs): @@ -381,13 +381,13 @@ class Api(PushEventSource): resource_type = 'Api' principal = 'apigateway.amazonaws.com' property_types = { - 'Path': PropertyType(True, is_str()), - 'Method': PropertyType(True, is_str()), + 'Path': PropertyType(True, is_str()), + 'Method': PropertyType(True, is_str()), - # Api Event sources must "always" be paired with a Serverless::Api - 'RestApiId': PropertyType(True, is_str()), - 'Auth': PropertyType(False, is_type(dict)), - 'RequestModel': PropertyType(False, is_type(dict)) + # Api Event sources must "always" be paired with a Serverless::Api + 'RestApiId': PropertyType(True, is_str()), + 'Auth': PropertyType(False, is_type(dict)), + 'RequestModel': PropertyType(False, is_type(dict)) } def resources_to_link(self, resources): From ed7b7a15ec06afea3eb00e0e06cf875a410635f0 Mon Sep 17 00:00:00 2001 From: Cris Barbero Date: Thu, 20 Jun 2019 16:34:32 -0600 Subject: [PATCH 4/7] Add openapi3 tests --- .../api_with_apikey_required_openapi_3.yaml | 21 + .../input/api_with_auth_all_maximum.yaml | 1 + .../api_with_auth_all_maximum_openapi_3.yaml | 1 + .../api_with_apikey_required_openapi_3.json | 155 ++++++ .../output/api_with_auth_all_maximum.json | 474 +++++++++-------- .../api_with_auth_all_maximum_openapi_3.json | 90 ++-- .../api_with_apikey_required_openapi_3.json | 163 ++++++ .../aws-cn/api_with_auth_all_maximum.json | 478 ++++++++++-------- .../api_with_auth_all_maximum_openapi_3.json | 120 +++-- .../api_with_apikey_required_openapi_3.json | 163 ++++++ .../aws-us-gov/api_with_auth_all_maximum.json | 478 ++++++++++-------- .../api_with_auth_all_maximum_openapi_3.json | 90 ++-- 12 files changed, 1450 insertions(+), 784 deletions(-) create mode 100644 tests/translator/input/api_with_apikey_required_openapi_3.yaml create mode 100644 tests/translator/output/api_with_apikey_required_openapi_3.json create mode 100644 tests/translator/output/aws-cn/api_with_apikey_required_openapi_3.json create mode 100644 tests/translator/output/aws-us-gov/api_with_apikey_required_openapi_3.json diff --git a/tests/translator/input/api_with_apikey_required_openapi_3.yaml b/tests/translator/input/api_with_apikey_required_openapi_3.yaml new file mode 100644 index 0000000000..e5c562c916 --- /dev/null +++ b/tests/translator/input/api_with_apikey_required_openapi_3.yaml @@ -0,0 +1,21 @@ +Resources: + MyApiWithoutAuth: + Type: "AWS::Serverless::Api" + Properties: + StageName: Prod + + MyFunctionWithApiKeyRequired: + Type: AWS::Serverless::Function + Properties: + CodeUri: s3://bucket/key + Handler: index.handler + Runtime: nodejs8.10 + Events: + MyApiWithApiKeyRequired: + Type: Api + Properties: + RestApiId: !Ref MyApiWithoutAuth + Path: /ApiKeyRequiredTrue + Method: get + Auth: + ApiKeyRequired: true diff --git a/tests/translator/input/api_with_auth_all_maximum.yaml b/tests/translator/input/api_with_auth_all_maximum.yaml index 89c94fdc7e..e3dbd397b3 100644 --- a/tests/translator/input/api_with_auth_all_maximum.yaml +++ b/tests/translator/input/api_with_auth_all_maximum.yaml @@ -5,6 +5,7 @@ Resources: StageName: Prod Auth: DefaultAuthorizer: MyCognitoAuth + ApiKeyRequired: true Authorizers: MyCognitoAuth: UserPoolArn: arn:aws:1 diff --git a/tests/translator/input/api_with_auth_all_maximum_openapi_3.yaml b/tests/translator/input/api_with_auth_all_maximum_openapi_3.yaml index 8cab3cd48c..bb236464fe 100644 --- a/tests/translator/input/api_with_auth_all_maximum_openapi_3.yaml +++ b/tests/translator/input/api_with_auth_all_maximum_openapi_3.yaml @@ -6,6 +6,7 @@ Resources: OpenApiVersion: '3.0.1' Auth: DefaultAuthorizer: MyCognitoAuth + ApiKeyRequired: true Authorizers: MyCognitoAuth: UserPoolArn: arn:aws:1 diff --git a/tests/translator/output/api_with_apikey_required_openapi_3.json b/tests/translator/output/api_with_apikey_required_openapi_3.json new file mode 100644 index 0000000000..5b4da1067a --- /dev/null +++ b/tests/translator/output/api_with_apikey_required_openapi_3.json @@ -0,0 +1,155 @@ +{ + "Resources": { + "MyFunctionWithApiKeyRequiredRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } + } + ] + } + } + }, + "MyApiWithoutAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/ApiKeyRequiredTrue": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequired.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + } + } + } + } + }, + "MyApiWithoutAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithoutAuthDeployment3ab9d13134" + }, + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "StageName": "Prod" + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequired": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyApiWithoutAuthDeployment3ab9d13134": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "Description": "RestApi deployment id: 3ab9d13134bf550e275a303c6987801dfb7f9d7b", + "StageName": "Stage" + } + } + } + } \ No newline at end of file diff --git a/tests/translator/output/api_with_auth_all_maximum.json b/tests/translator/output/api_with_auth_all_maximum.json index 61b4a6b398..3701420314 100644 --- a/tests/translator/output/api_with_auth_all_maximum.json +++ b/tests/translator/output/api_with_auth_all_maximum.json @@ -1,39 +1,41 @@ { "Resources": { "MyFunction": { - "Type": "AWS::Lambda::Function", + "Type": "AWS::Lambda::Function", "Properties": { + "Handler": "index.handler", "Code": { - "S3Bucket": "sam-demo-bucket", + "S3Bucket": "sam-demo-bucket", "S3Key": "thumbnails.zip" - }, - "Handler": "index.handler", + }, "Role": { "Fn::GetAtt": [ - "MyFunctionRole", + "MyFunctionRole", "Arn" ] - }, - "Runtime": "nodejs8.10", - "Tags": [{ - "Value": "SAM", - "Key": "lambda:createdBy" - }] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] } - }, + }, "MyFunctionWithLambdaTokenAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } @@ -41,16 +43,16 @@ ] } } - }, + }, "MyApiMyLambdaRequestAuthAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": "arn:aws", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "arn:aws", "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { "Ref": "MyApi" @@ -59,20 +61,20 @@ ] } } - }, + }, "MyFunctionWithLambdaTokenAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -80,20 +82,20 @@ ] } } - }, + }, "MyFunctionWithDefaultAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -101,20 +103,20 @@ ] } } - }, + }, "MyFunctionWithCognitoMultipleUserPoolsAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } @@ -122,20 +124,20 @@ ] } } - }, + }, "MyFunctionWithNoAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -143,210 +145,242 @@ ] } } - }, + }, "MyFunctionRole": { - "Type": "AWS::IAM::Role", + "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], + ], "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [{ - "Action": [ - "sts:AssumeRole" - ], - "Effect": "Allow", - "Principal": { - "Service": [ - "lambda.amazonaws.com" - ] + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } } - }] + ] } } - }, + }, "MyApi": { - "Type": "AWS::ApiGateway::RestApi", + "Type": "AWS::ApiGateway::RestApi", "Properties": { "Body": { "info": { - "version": "1.0", + "version": "1.0", "title": { "Ref": "AWS::StackName" } - }, + }, "paths": { "/": { "get": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "NONE": [] - }], + }, + "security": [ + { + "NONE": [] + }, + { + "api_key": [] + } + ], "responses": {} } - }, + }, "/users": { "put": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "MyCognitoAuth": [] - }], + }, + "security": [ + { + "MyCognitoAuth": [] + }, + { + "api_key": [] + } + ], "responses": {} - }, + }, "post": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "MyCognitoAuthMultipleUserPools": [] - }], + }, + "security": [ + { + "MyCognitoAuthMultipleUserPools": [] + }, + { + "api_key": [] + } + ], "responses": {} - }, + }, "patch": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "MyLambdaTokenAuthNoneFunctionInvokeRole": [] - }], + }, + "security": [ + { + "MyLambdaTokenAuthNoneFunctionInvokeRole": [] + }, + { + "api_key": [] + } + ], "responses": {} - }, + }, "delete": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "MyLambdaRequestAuth": [] - }], + }, + "security": [ + { + "MyLambdaRequestAuth": [] + }, + { + "api_key": [] + } + ], "responses": {} } } - }, - "swagger": "2.0", + }, + "swagger": "2.0", "securityDefinitions": { - "MyCognitoAuth": { - "in": "header", - "type": "apiKey", - "name": "MyAuthorizationHeader", - "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression", - "providerARNs": [ - "arn:aws:1" - ], - "type": "cognito_user_pools" - }, - "x-amazon-apigateway-authtype": "cognito_user_pools" - }, "MyLambdaTokenAuthNoneFunctionInvokeRole": { - "in": "header", - "type": "apiKey", - "name": "Authorization", + "in": "header", + "type": "apiKey", + "name": "Authorization", "x-amazon-apigateway-authorizer": { - "type": "token", - "authorizerResultTtlInSeconds": 0, + "type": "token", + "authorizerResultTtlInSeconds": 0, "authorizerUri": { "Fn::Sub": [ - "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { "__FunctionArn__": "arn:aws" } ] } - }, + }, "x-amazon-apigateway-authtype": "custom" - }, + }, "MyCognitoAuthMultipleUserPools": { - "in": "header", - "type": "apiKey", - "name": "MyAuthorizationHeader2", + "in": "header", + "type": "apiKey", + "name": "MyAuthorizationHeader2", "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression2", + "identityValidationExpression": "myauthvalidationexpression2", "providerARNs": [ - "arn:aws:2", + "arn:aws:2", "arn:aws:3" - ], + ], "type": "cognito_user_pools" - }, + }, "x-amazon-apigateway-authtype": "cognito_user_pools" - }, - "MyLambdaTokenAuth": { - "in": "header", - "type": "apiKey", - "name": "MyCustomAuthHeader", + }, + "MyLambdaRequestAuth": { + "in": "header", + "type": "apiKey", + "name": "Unused", "x-amazon-apigateway-authorizer": { - "type": "token", - "authorizerResultTtlInSeconds": 20, + "type": "request", + "authorizerResultTtlInSeconds": 0, + "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", "authorizerUri": { "Fn::Sub": [ - "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { "__FunctionArn__": "arn:aws" } ] - }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", - "identityValidationExpression": "mycustomauthexpression" - }, + }, + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" + }, "x-amazon-apigateway-authtype": "custom" - }, - "MyLambdaRequestAuth": { - "in": "header", - "type": "apiKey", - "name": "Unused", + }, + "MyCognitoAuth": { + "in": "header", + "type": "apiKey", + "name": "MyAuthorizationHeader", + "x-amazon-apigateway-authorizer": { + "identityValidationExpression": "myauthvalidationexpression", + "providerARNs": [ + "arn:aws:1" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "MyLambdaTokenAuth": { + "in": "header", + "type": "apiKey", + "name": "MyCustomAuthHeader", "x-amazon-apigateway-authorizer": { - "type": "request", - "authorizerResultTtlInSeconds": 0, - "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", + "type": "token", + "authorizerResultTtlInSeconds": 20, "authorizerUri": { "Fn::Sub": [ - "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { "__FunctionArn__": "arn:aws" } ] - }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" - }, + }, + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", + "identityValidationExpression": "mycustomauthexpression" + }, "x-amazon-apigateway-authtype": "custom" + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } } } } - }, + }, "MyApiMyLambdaTokenAuthAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": "arn:aws", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "arn:aws", "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { "Ref": "MyApi" @@ -355,20 +389,20 @@ ] } } - }, + }, "MyFunctionWithLambdaRequestAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -376,20 +410,20 @@ ] } } - }, + }, "MyFunctionWithLambdaRequestAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } @@ -397,30 +431,20 @@ ] } } - }, - "MyApiDeployment22f365e69f": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApi" - }, - "Description": "RestApi deployment id: 22f365e69fd10c36975a60c0b715eb1340f4b5e6", - "StageName": "Stage" - } - }, + }, "MyFunctionWithCognitoMultipleUserPoolsAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -428,16 +452,26 @@ ] } } - }, + }, + "MyApiDeployment0cec4886a5": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApi" + }, + "Description": "RestApi deployment id: 0cec4886a504a36373a7cbd8952ec7aa9643bfbd", + "StageName": "Stage" + } + }, "MyApiMyLambdaTokenAuthNoneFunctionInvokeRoleAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": "arn:aws", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "arn:aws", "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { "Ref": "MyApi" @@ -446,32 +480,32 @@ ] } } - }, + }, "MyApiProdStage": { - "Type": "AWS::ApiGateway::Stage", + "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiDeployment22f365e69f" - }, + "Ref": "MyApiDeployment0cec4886a5" + }, "RestApiId": { "Ref": "MyApi" - }, + }, "StageName": "Prod" } - }, + }, "MyFunctionWithNoAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } @@ -479,20 +513,20 @@ ] } } - }, + }, "MyFunctionWithDefaultAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } diff --git a/tests/translator/output/api_with_auth_all_maximum_openapi_3.json b/tests/translator/output/api_with_auth_all_maximum_openapi_3.json index 1968c4ec00..ff6efcd6f9 100644 --- a/tests/translator/output/api_with_auth_all_maximum_openapi_3.json +++ b/tests/translator/output/api_with_auth_all_maximum_openapi_3.json @@ -170,6 +170,15 @@ } } }, + "MyApiDeployment959b43a9ef": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApi" + }, + "Description": "RestApi deployment id: 959b43a9efc3347ee417e242c5f936bbd40ef663" + } + }, "MyApi": { "Type": "AWS::ApiGateway::RestApi", "Properties": { @@ -193,6 +202,9 @@ "security": [ { "NONE": [] + }, + { + "api_key": [] } ], "responses": {} @@ -210,6 +222,9 @@ "security": [ { "MyCognitoAuth": [] + }, + { + "api_key": [] } ], "responses": {} @@ -225,6 +240,9 @@ "security": [ { "MyCognitoAuthMultipleUserPools": [] + }, + { + "api_key": [] } ], "responses": {} @@ -240,6 +258,9 @@ "security": [ { "MyLambdaTokenAuthNoneFunctionInvokeRole": [] + }, + { + "api_key": [] } ], "responses": {} @@ -255,6 +276,9 @@ "security": [ { "MyLambdaRequestAuth": [] + }, + { + "api_key": [] } ], "responses": {} @@ -264,19 +288,6 @@ "openapi": "3.0.1", "components": { "securitySchemes": { - "MyCognitoAuth": { - "in": "header", - "type": "apiKey", - "name": "MyAuthorizationHeader", - "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression", - "providerARNs": [ - "arn:aws:1" - ], - "type": "cognito_user_pools" - }, - "x-amazon-apigateway-authtype": "cognito_user_pools" - }, "MyLambdaTokenAuthNoneFunctionInvokeRole": { "in": "header", "type": "apiKey", @@ -309,13 +320,14 @@ }, "x-amazon-apigateway-authtype": "cognito_user_pools" }, - "MyLambdaTokenAuth": { + "MyLambdaRequestAuth": { "in": "header", "type": "apiKey", - "name": "MyCustomAuthHeader", + "name": "Unused", "x-amazon-apigateway-authorizer": { - "type": "token", - "authorizerResultTtlInSeconds": 20, + "type": "request", + "authorizerResultTtlInSeconds": 0, + "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", "authorizerUri": { "Fn::Sub": [ "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", @@ -324,19 +336,30 @@ } ] }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", - "identityValidationExpression": "mycustomauthexpression" + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" }, "x-amazon-apigateway-authtype": "custom" }, - "MyLambdaRequestAuth": { + "MyCognitoAuth": { "in": "header", "type": "apiKey", - "name": "Unused", + "name": "MyAuthorizationHeader", "x-amazon-apigateway-authorizer": { - "type": "request", - "authorizerResultTtlInSeconds": 0, - "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", + "identityValidationExpression": "myauthvalidationexpression", + "providerARNs": [ + "arn:aws:1" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "MyLambdaTokenAuth": { + "in": "header", + "type": "apiKey", + "name": "MyCustomAuthHeader", + "x-amazon-apigateway-authorizer": { + "type": "token", + "authorizerResultTtlInSeconds": 20, "authorizerUri": { "Fn::Sub": [ "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", @@ -345,9 +368,15 @@ } ] }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", + "identityValidationExpression": "mycustomauthexpression" }, "x-amazon-apigateway-authtype": "custom" + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } } } @@ -453,20 +482,11 @@ } } }, - "MyApiDeployment18e0cddfbf": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApi" - }, - "Description": "RestApi deployment id: 18e0cddfbf74ca986461d5a484b9eedd934a6423" - } - }, "MyApiProdStage": { "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiDeployment18e0cddfbf" + "Ref": "MyApiDeployment959b43a9ef" }, "RestApiId": { "Ref": "MyApi" diff --git a/tests/translator/output/aws-cn/api_with_apikey_required_openapi_3.json b/tests/translator/output/aws-cn/api_with_apikey_required_openapi_3.json new file mode 100644 index 0000000000..7952eb5fca --- /dev/null +++ b/tests/translator/output/aws-cn/api_with_apikey_required_openapi_3.json @@ -0,0 +1,163 @@ +{ + "Resources": { + "MyFunctionWithApiKeyRequiredRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } + } + ] + } + } + }, + "MyApiWithoutAuthDeploymentcc6d6fc40a": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "Description": "RestApi deployment id: cc6d6fc40a37188fe0115a039b24e397dc149478", + "StageName": "Stage" + } + }, + "MyApiWithoutAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/ApiKeyRequiredTrue": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequired.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } + } + }, + "MyApiWithoutAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithoutAuthDeploymentcc6d6fc40a" + }, + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "StageName": "Prod" + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequired": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + } + } + } \ No newline at end of file diff --git a/tests/translator/output/aws-cn/api_with_auth_all_maximum.json b/tests/translator/output/aws-cn/api_with_auth_all_maximum.json index 781c9b8bef..b74a6965e7 100644 --- a/tests/translator/output/aws-cn/api_with_auth_all_maximum.json +++ b/tests/translator/output/aws-cn/api_with_auth_all_maximum.json @@ -1,39 +1,41 @@ { "Resources": { "MyFunction": { - "Type": "AWS::Lambda::Function", + "Type": "AWS::Lambda::Function", "Properties": { + "Handler": "index.handler", "Code": { - "S3Bucket": "sam-demo-bucket", + "S3Bucket": "sam-demo-bucket", "S3Key": "thumbnails.zip" - }, - "Handler": "index.handler", + }, "Role": { "Fn::GetAtt": [ - "MyFunctionRole", + "MyFunctionRole", "Arn" ] - }, - "Runtime": "nodejs8.10", - "Tags": [{ - "Value": "SAM", - "Key": "lambda:createdBy" - }] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] } - }, + }, "MyFunctionWithLambdaTokenAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } @@ -41,16 +43,16 @@ ] } } - }, + }, "MyApiMyLambdaRequestAuthAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": "arn:aws", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "arn:aws", "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { "Ref": "MyApi" @@ -59,20 +61,20 @@ ] } } - }, + }, "MyFunctionWithLambdaTokenAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -80,20 +82,20 @@ ] } } - }, + }, "MyFunctionWithDefaultAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -101,30 +103,20 @@ ] } } - }, - "MyApiDeployment8401165542": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApi" - }, - "Description": "RestApi deployment id: 8401165542e94cea0086026b427b10c966b84f1d", - "StageName": "Stage" - } - }, + }, "MyFunctionWithCognitoMultipleUserPoolsAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } @@ -132,20 +124,20 @@ ] } } - }, + }, "MyFunctionWithNoAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -153,218 +145,250 @@ ] } } - }, + }, "MyFunctionRole": { - "Type": "AWS::IAM::Role", + "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": [ "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], + ], "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [{ - "Action": [ - "sts:AssumeRole" - ], - "Effect": "Allow", - "Principal": { - "Service": [ - "lambda.amazonaws.com" - ] + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } } - }] + ] } } - }, + }, "MyApi": { - "Type": "AWS::ApiGateway::RestApi", + "Type": "AWS::ApiGateway::RestApi", "Properties": { "Body": { "info": { - "version": "1.0", + "version": "1.0", "title": { "Ref": "AWS::StackName" } - }, + }, "paths": { "/": { "get": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "NONE": [] - }], + }, + "security": [ + { + "NONE": [] + }, + { + "api_key": [] + } + ], "responses": {} } - }, + }, "/users": { "put": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "MyCognitoAuth": [] - }], + }, + "security": [ + { + "MyCognitoAuth": [] + }, + { + "api_key": [] + } + ], "responses": {} - }, + }, "post": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "MyCognitoAuthMultipleUserPools": [] - }], + }, + "security": [ + { + "MyCognitoAuthMultipleUserPools": [] + }, + { + "api_key": [] + } + ], "responses": {} - }, + }, "patch": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "MyLambdaTokenAuthNoneFunctionInvokeRole": [] - }], + }, + "security": [ + { + "MyLambdaTokenAuthNoneFunctionInvokeRole": [] + }, + { + "api_key": [] + } + ], "responses": {} - }, + }, "delete": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "MyLambdaRequestAuth": [] - }], + }, + "security": [ + { + "MyLambdaRequestAuth": [] + }, + { + "api_key": [] + } + ], "responses": {} } } - }, - "swagger": "2.0", + }, + "swagger": "2.0", "securityDefinitions": { - "MyCognitoAuth": { - "in": "header", - "type": "apiKey", - "name": "MyAuthorizationHeader", - "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression", - "providerARNs": [ - "arn:aws:1" - ], - "type": "cognito_user_pools" - }, - "x-amazon-apigateway-authtype": "cognito_user_pools" - }, "MyLambdaTokenAuthNoneFunctionInvokeRole": { - "in": "header", - "type": "apiKey", - "name": "Authorization", + "in": "header", + "type": "apiKey", + "name": "Authorization", "x-amazon-apigateway-authorizer": { - "type": "token", - "authorizerResultTtlInSeconds": 0, + "type": "token", + "authorizerResultTtlInSeconds": 0, "authorizerUri": { "Fn::Sub": [ - "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { "__FunctionArn__": "arn:aws" } ] } - }, + }, "x-amazon-apigateway-authtype": "custom" - }, + }, "MyCognitoAuthMultipleUserPools": { - "in": "header", - "type": "apiKey", - "name": "MyAuthorizationHeader2", + "in": "header", + "type": "apiKey", + "name": "MyAuthorizationHeader2", "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression2", + "identityValidationExpression": "myauthvalidationexpression2", "providerARNs": [ - "arn:aws:2", + "arn:aws:2", "arn:aws:3" - ], + ], "type": "cognito_user_pools" - }, + }, "x-amazon-apigateway-authtype": "cognito_user_pools" - }, - "MyLambdaTokenAuth": { - "in": "header", - "type": "apiKey", - "name": "MyCustomAuthHeader", + }, + "MyLambdaRequestAuth": { + "in": "header", + "type": "apiKey", + "name": "Unused", "x-amazon-apigateway-authorizer": { - "type": "token", - "authorizerResultTtlInSeconds": 20, + "type": "request", + "authorizerResultTtlInSeconds": 0, + "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", "authorizerUri": { "Fn::Sub": [ - "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { "__FunctionArn__": "arn:aws" } ] - }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", - "identityValidationExpression": "mycustomauthexpression" - }, + }, + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" + }, "x-amazon-apigateway-authtype": "custom" - }, - "MyLambdaRequestAuth": { - "in": "header", - "type": "apiKey", - "name": "Unused", + }, + "MyCognitoAuth": { + "in": "header", + "type": "apiKey", + "name": "MyAuthorizationHeader", "x-amazon-apigateway-authorizer": { - "type": "request", - "authorizerResultTtlInSeconds": 0, - "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", + "identityValidationExpression": "myauthvalidationexpression", + "providerARNs": [ + "arn:aws:1" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "MyLambdaTokenAuth": { + "in": "header", + "type": "apiKey", + "name": "MyCustomAuthHeader", + "x-amazon-apigateway-authorizer": { + "type": "token", + "authorizerResultTtlInSeconds": 20, "authorizerUri": { "Fn::Sub": [ - "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { "__FunctionArn__": "arn:aws" } ] - }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" - }, + }, + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", + "identityValidationExpression": "mycustomauthexpression" + }, "x-amazon-apigateway-authtype": "custom" + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } } - }, + }, "EndpointConfiguration": { "Types": [ "REGIONAL" ] - }, + }, "Parameters": { "endpointConfigurationTypes": "REGIONAL" } } - }, + }, "MyApiMyLambdaTokenAuthAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": "arn:aws", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "arn:aws", "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { "Ref": "MyApi" @@ -373,20 +397,20 @@ ] } } - }, + }, "MyFunctionWithLambdaRequestAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -394,20 +418,20 @@ ] } } - }, + }, "MyFunctionWithLambdaRequestAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } @@ -415,20 +439,20 @@ ] } } - }, + }, "MyFunctionWithCognitoMultipleUserPoolsAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -436,16 +460,16 @@ ] } } - }, + }, "MyApiMyLambdaTokenAuthNoneFunctionInvokeRoleAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": "arn:aws", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "arn:aws", "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { "Ref": "MyApi" @@ -454,32 +478,42 @@ ] } } - }, + }, + "MyApiDeployment2b4f028142": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApi" + }, + "Description": "RestApi deployment id: 2b4f028142eb38900e00f362b76751032ac4e464", + "StageName": "Stage" + } + }, "MyApiProdStage": { - "Type": "AWS::ApiGateway::Stage", + "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiDeployment8401165542" - }, + "Ref": "MyApiDeployment2b4f028142" + }, "RestApiId": { "Ref": "MyApi" - }, + }, "StageName": "Prod" } - }, + }, "MyFunctionWithNoAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } @@ -487,20 +521,20 @@ ] } } - }, + }, "MyFunctionWithDefaultAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } diff --git a/tests/translator/output/aws-cn/api_with_auth_all_maximum_openapi_3.json b/tests/translator/output/aws-cn/api_with_auth_all_maximum_openapi_3.json index de778924c6..33c63f8623 100644 --- a/tests/translator/output/aws-cn/api_with_auth_all_maximum_openapi_3.json +++ b/tests/translator/output/aws-cn/api_with_auth_all_maximum_openapi_3.json @@ -193,6 +193,9 @@ "security": [ { "NONE": [] + }, + { + "api_key": [] } ], "responses": {} @@ -210,6 +213,9 @@ "security": [ { "MyCognitoAuth": [] + }, + { + "api_key": [] } ], "responses": {} @@ -225,6 +231,9 @@ "security": [ { "MyCognitoAuthMultipleUserPools": [] + }, + { + "api_key": [] } ], "responses": {} @@ -240,6 +249,9 @@ "security": [ { "MyLambdaTokenAuthNoneFunctionInvokeRole": [] + }, + { + "api_key": [] } ], "responses": {} @@ -255,6 +267,9 @@ "security": [ { "MyLambdaRequestAuth": [] + }, + { + "api_key": [] } ], "responses": {} @@ -264,19 +279,6 @@ "openapi": "3.0.1", "components": { "securitySchemes": { - "MyCognitoAuth": { - "in": "header", - "type": "apiKey", - "name": "MyAuthorizationHeader", - "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression", - "providerARNs": [ - "arn:aws:1" - ], - "type": "cognito_user_pools" - }, - "x-amazon-apigateway-authtype": "cognito_user_pools" - }, "MyLambdaTokenAuthNoneFunctionInvokeRole": { "in": "header", "type": "apiKey", @@ -309,13 +311,14 @@ }, "x-amazon-apigateway-authtype": "cognito_user_pools" }, - "MyLambdaTokenAuth": { + "MyLambdaRequestAuth": { "in": "header", "type": "apiKey", - "name": "MyCustomAuthHeader", + "name": "Unused", "x-amazon-apigateway-authorizer": { - "type": "token", - "authorizerResultTtlInSeconds": 20, + "type": "request", + "authorizerResultTtlInSeconds": 0, + "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", "authorizerUri": { "Fn::Sub": [ "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", @@ -324,19 +327,30 @@ } ] }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", - "identityValidationExpression": "mycustomauthexpression" + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" }, "x-amazon-apigateway-authtype": "custom" }, - "MyLambdaRequestAuth": { + "MyCognitoAuth": { "in": "header", "type": "apiKey", - "name": "Unused", + "name": "MyAuthorizationHeader", "x-amazon-apigateway-authorizer": { - "type": "request", - "authorizerResultTtlInSeconds": 0, - "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", + "identityValidationExpression": "myauthvalidationexpression", + "providerARNs": [ + "arn:aws:1" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "MyLambdaTokenAuth": { + "in": "header", + "type": "apiKey", + "name": "MyCustomAuthHeader", + "x-amazon-apigateway-authorizer": { + "type": "token", + "authorizerResultTtlInSeconds": 20, "authorizerUri": { "Fn::Sub": [ "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", @@ -345,9 +359,15 @@ } ] }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", + "identityValidationExpression": "mycustomauthexpression" }, "x-amazon-apigateway-authtype": "custom" + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } } } @@ -362,22 +382,13 @@ } } }, - "MyApiMyLambdaTokenAuthAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "MyApiDeploymente3164c0eda": { + "Type": "AWS::ApiGateway::Deployment", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": "arn:aws", - "SourceArn": { - "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", - { - "__ApiId__": { - "Ref": "MyApi" - } - } - ] - } + "RestApiId": { + "Ref": "MyApi" + }, + "Description": "RestApi deployment id: e3164c0edaf0d9fc342c47f30edf05040f87af8b" } }, "MyFunctionWithLambdaRequestAuthorizerPermissionTest": { @@ -422,15 +433,6 @@ } } }, - "MyApiDeploymentbaa112a5f1": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApi" - }, - "Description": "RestApi deployment id: baa112a5f13c2489dbb3bde338d974cf87541b01" - } - }, "MyFunctionWithCognitoMultipleUserPoolsAuthorizerPermissionTest": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -470,11 +472,29 @@ } } }, + "MyApiMyLambdaTokenAuthAuthorizerPermission": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "arn:aws", + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + { + "__ApiId__": { + "Ref": "MyApi" + } + } + ] + } + } + }, "MyApiProdStage": { "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiDeploymentbaa112a5f1" + "Ref": "MyApiDeploymente3164c0eda" }, "RestApiId": { "Ref": "MyApi" diff --git a/tests/translator/output/aws-us-gov/api_with_apikey_required_openapi_3.json b/tests/translator/output/aws-us-gov/api_with_apikey_required_openapi_3.json new file mode 100644 index 0000000000..6fc74a2c9f --- /dev/null +++ b/tests/translator/output/aws-us-gov/api_with_apikey_required_openapi_3.json @@ -0,0 +1,163 @@ +{ + "Resources": { + "MyFunctionWithApiKeyRequiredRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } + } + ] + } + } + }, + "MyApiWithoutAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/ApiKeyRequiredTrue": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequired.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} + } + } + }, + "swagger": "2.0", + "securityDefinitions": { + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + } + } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" + } + } + }, + "MyApiWithoutAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithoutAuthDeployment1f6bf4c0d5" + }, + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "StageName": "Prod" + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } + } + ] + } + } + }, + "MyFunctionWithApiKeyRequired": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyApiWithoutAuthDeployment1f6bf4c0d5": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "Description": "RestApi deployment id: 1f6bf4c0d5babf513c5623a65931134211ad3d0b", + "StageName": "Stage" + } + } + } + } \ No newline at end of file diff --git a/tests/translator/output/aws-us-gov/api_with_auth_all_maximum.json b/tests/translator/output/aws-us-gov/api_with_auth_all_maximum.json index 7faead9d31..589b9fd953 100644 --- a/tests/translator/output/aws-us-gov/api_with_auth_all_maximum.json +++ b/tests/translator/output/aws-us-gov/api_with_auth_all_maximum.json @@ -1,39 +1,41 @@ { "Resources": { "MyFunction": { - "Type": "AWS::Lambda::Function", + "Type": "AWS::Lambda::Function", "Properties": { + "Handler": "index.handler", "Code": { - "S3Bucket": "sam-demo-bucket", + "S3Bucket": "sam-demo-bucket", "S3Key": "thumbnails.zip" - }, - "Handler": "index.handler", + }, "Role": { "Fn::GetAtt": [ - "MyFunctionRole", + "MyFunctionRole", "Arn" ] - }, - "Runtime": "nodejs8.10", - "Tags": [{ - "Value": "SAM", - "Key": "lambda:createdBy" - }] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] } - }, + }, "MyFunctionWithLambdaTokenAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } @@ -41,16 +43,16 @@ ] } } - }, + }, "MyApiMyLambdaRequestAuthAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": "arn:aws", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "arn:aws", "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { "Ref": "MyApi" @@ -59,20 +61,20 @@ ] } } - }, + }, "MyFunctionWithLambdaTokenAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PATCH/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -80,20 +82,20 @@ ] } } - }, + }, "MyFunctionWithDefaultAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -101,20 +103,20 @@ ] } } - }, + }, "MyFunctionWithCognitoMultipleUserPoolsAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } @@ -122,20 +124,20 @@ ] } } - }, + }, "MyFunctionWithNoAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -143,218 +145,260 @@ ] } } - }, + }, + "MyApiDeployment7939ed72e3": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApi" + }, + "Description": "RestApi deployment id: 7939ed72e39cf5e3c86aaa365a531790a1d244e6", + "StageName": "Stage" + } + }, "MyFunctionRole": { - "Type": "AWS::IAM::Role", + "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": [ "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], + ], "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [{ - "Action": [ - "sts:AssumeRole" - ], - "Effect": "Allow", - "Principal": { - "Service": [ - "lambda.amazonaws.com" - ] + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } } - }] + ] } } - }, + }, "MyApi": { - "Type": "AWS::ApiGateway::RestApi", + "Type": "AWS::ApiGateway::RestApi", "Properties": { "Body": { "info": { - "version": "1.0", + "version": "1.0", "title": { "Ref": "AWS::StackName" } - }, + }, "paths": { "/": { "get": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "NONE": [] - }], + }, + "security": [ + { + "NONE": [] + }, + { + "api_key": [] + } + ], "responses": {} } - }, + }, "/users": { "put": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "MyCognitoAuth": [] - }], + }, + "security": [ + { + "MyCognitoAuth": [] + }, + { + "api_key": [] + } + ], "responses": {} - }, + }, "post": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "MyCognitoAuthMultipleUserPools": [] - }], + }, + "security": [ + { + "MyCognitoAuthMultipleUserPools": [] + }, + { + "api_key": [] + } + ], "responses": {} - }, + }, "patch": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "MyLambdaTokenAuthNoneFunctionInvokeRole": [] - }], + }, + "security": [ + { + "MyLambdaTokenAuthNoneFunctionInvokeRole": [] + }, + { + "api_key": [] + } + ], "responses": {} - }, + }, "delete": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations" } - }, - "security": [{ - "MyLambdaRequestAuth": [] - }], + }, + "security": [ + { + "MyLambdaRequestAuth": [] + }, + { + "api_key": [] + } + ], "responses": {} } } - }, - "swagger": "2.0", + }, + "swagger": "2.0", "securityDefinitions": { - "MyCognitoAuth": { - "in": "header", - "type": "apiKey", - "name": "MyAuthorizationHeader", - "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression", - "providerARNs": [ - "arn:aws:1" - ], - "type": "cognito_user_pools" - }, - "x-amazon-apigateway-authtype": "cognito_user_pools" - }, "MyLambdaTokenAuthNoneFunctionInvokeRole": { - "in": "header", - "type": "apiKey", - "name": "Authorization", + "in": "header", + "type": "apiKey", + "name": "Authorization", "x-amazon-apigateway-authorizer": { - "type": "token", - "authorizerResultTtlInSeconds": 0, + "type": "token", + "authorizerResultTtlInSeconds": 0, "authorizerUri": { "Fn::Sub": [ - "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { "__FunctionArn__": "arn:aws" } ] } - }, + }, "x-amazon-apigateway-authtype": "custom" - }, + }, "MyCognitoAuthMultipleUserPools": { - "in": "header", - "type": "apiKey", - "name": "MyAuthorizationHeader2", + "in": "header", + "type": "apiKey", + "name": "MyAuthorizationHeader2", "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression2", + "identityValidationExpression": "myauthvalidationexpression2", "providerARNs": [ - "arn:aws:2", + "arn:aws:2", "arn:aws:3" - ], + ], "type": "cognito_user_pools" - }, + }, "x-amazon-apigateway-authtype": "cognito_user_pools" - }, - "MyLambdaTokenAuth": { - "in": "header", - "type": "apiKey", - "name": "MyCustomAuthHeader", + }, + "MyLambdaRequestAuth": { + "in": "header", + "type": "apiKey", + "name": "Unused", "x-amazon-apigateway-authorizer": { - "type": "token", - "authorizerResultTtlInSeconds": 20, + "type": "request", + "authorizerResultTtlInSeconds": 0, + "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", "authorizerUri": { "Fn::Sub": [ - "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { "__FunctionArn__": "arn:aws" } ] - }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", - "identityValidationExpression": "mycustomauthexpression" - }, + }, + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" + }, "x-amazon-apigateway-authtype": "custom" - }, - "MyLambdaRequestAuth": { - "in": "header", - "type": "apiKey", - "name": "Unused", + }, + "MyCognitoAuth": { + "in": "header", + "type": "apiKey", + "name": "MyAuthorizationHeader", "x-amazon-apigateway-authorizer": { - "type": "request", - "authorizerResultTtlInSeconds": 0, - "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", + "identityValidationExpression": "myauthvalidationexpression", + "providerARNs": [ + "arn:aws:1" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "MyLambdaTokenAuth": { + "in": "header", + "type": "apiKey", + "name": "MyCustomAuthHeader", + "x-amazon-apigateway-authorizer": { + "type": "token", + "authorizerResultTtlInSeconds": 20, "authorizerUri": { "Fn::Sub": [ - "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", + "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", { "__FunctionArn__": "arn:aws" } ] - }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" - }, + }, + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", + "identityValidationExpression": "mycustomauthexpression" + }, "x-amazon-apigateway-authtype": "custom" + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } } - }, + }, "EndpointConfiguration": { "Types": [ "REGIONAL" ] - }, + }, "Parameters": { "endpointConfigurationTypes": "REGIONAL" } } - }, + }, "MyApiMyLambdaTokenAuthAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": "arn:aws", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "arn:aws", "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { "Ref": "MyApi" @@ -363,20 +407,20 @@ ] } } - }, + }, "MyFunctionWithLambdaRequestAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -384,20 +428,20 @@ ] } } - }, + }, "MyFunctionWithLambdaRequestAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/DELETE/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } @@ -405,30 +449,20 @@ ] } } - }, - "MyApiDeploymentf9e0be23dc": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApi" - }, - "Description": "RestApi deployment id: f9e0be23dccfaabdc2729c4d2221a3eeaa8e87db", - "StageName": "Stage" - } - }, + }, "MyFunctionWithCognitoMultipleUserPoolsAuthorizerPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/users", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApi" } @@ -436,16 +470,16 @@ ] } } - }, + }, "MyApiMyLambdaTokenAuthNoneFunctionInvokeRoleAuthorizerPermission": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": "arn:aws", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": "arn:aws", "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/authorizers/*", { "__ApiId__": { "Ref": "MyApi" @@ -454,32 +488,32 @@ ] } } - }, + }, "MyApiProdStage": { - "Type": "AWS::ApiGateway::Stage", + "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiDeploymentf9e0be23dc" - }, + "Ref": "MyApiDeployment7939ed72e3" + }, "RestApiId": { "Ref": "MyApi" - }, + }, "StageName": "Prod" } - }, + }, "MyFunctionWithNoAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } @@ -487,20 +521,20 @@ ] } } - }, + }, "MyFunctionWithDefaultAuthorizerPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunction" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/PUT/users", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApi" } diff --git a/tests/translator/output/aws-us-gov/api_with_auth_all_maximum_openapi_3.json b/tests/translator/output/aws-us-gov/api_with_auth_all_maximum_openapi_3.json index c8187e9b8d..a4e560599a 100644 --- a/tests/translator/output/aws-us-gov/api_with_auth_all_maximum_openapi_3.json +++ b/tests/translator/output/aws-us-gov/api_with_auth_all_maximum_openapi_3.json @@ -104,15 +104,6 @@ } } }, - "MyApiDeployment26330d35c8": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApi" - }, - "Description": "RestApi deployment id: 26330d35c82ff087c8d34db2cade570f0e02910f" - } - }, "MyFunctionWithCognitoMultipleUserPoolsAuthorizerPermissionProd": { "Type": "AWS::Lambda::Permission", "Properties": { @@ -202,6 +193,9 @@ "security": [ { "NONE": [] + }, + { + "api_key": [] } ], "responses": {} @@ -219,6 +213,9 @@ "security": [ { "MyCognitoAuth": [] + }, + { + "api_key": [] } ], "responses": {} @@ -234,6 +231,9 @@ "security": [ { "MyCognitoAuthMultipleUserPools": [] + }, + { + "api_key": [] } ], "responses": {} @@ -249,6 +249,9 @@ "security": [ { "MyLambdaTokenAuthNoneFunctionInvokeRole": [] + }, + { + "api_key": [] } ], "responses": {} @@ -264,6 +267,9 @@ "security": [ { "MyLambdaRequestAuth": [] + }, + { + "api_key": [] } ], "responses": {} @@ -273,19 +279,6 @@ "openapi": "3.0.1", "components": { "securitySchemes": { - "MyCognitoAuth": { - "in": "header", - "type": "apiKey", - "name": "MyAuthorizationHeader", - "x-amazon-apigateway-authorizer": { - "identityValidationExpression": "myauthvalidationexpression", - "providerARNs": [ - "arn:aws:1" - ], - "type": "cognito_user_pools" - }, - "x-amazon-apigateway-authtype": "cognito_user_pools" - }, "MyLambdaTokenAuthNoneFunctionInvokeRole": { "in": "header", "type": "apiKey", @@ -318,13 +311,14 @@ }, "x-amazon-apigateway-authtype": "cognito_user_pools" }, - "MyLambdaTokenAuth": { + "MyLambdaRequestAuth": { "in": "header", "type": "apiKey", - "name": "MyCustomAuthHeader", + "name": "Unused", "x-amazon-apigateway-authorizer": { - "type": "token", - "authorizerResultTtlInSeconds": 20, + "type": "request", + "authorizerResultTtlInSeconds": 0, + "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", "authorizerUri": { "Fn::Sub": [ "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", @@ -333,19 +327,30 @@ } ] }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", - "identityValidationExpression": "mycustomauthexpression" + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" }, "x-amazon-apigateway-authtype": "custom" }, - "MyLambdaRequestAuth": { + "MyCognitoAuth": { "in": "header", "type": "apiKey", - "name": "Unused", + "name": "MyAuthorizationHeader", "x-amazon-apigateway-authorizer": { - "type": "request", - "authorizerResultTtlInSeconds": 0, - "identitySource": "method.request.header.Authorization1, method.request.querystring.Authorization2, stageVariables.Authorization3, context.Authorization4", + "identityValidationExpression": "myauthvalidationexpression", + "providerARNs": [ + "arn:aws:1" + ], + "type": "cognito_user_pools" + }, + "x-amazon-apigateway-authtype": "cognito_user_pools" + }, + "MyLambdaTokenAuth": { + "in": "header", + "type": "apiKey", + "name": "MyCustomAuthHeader", + "x-amazon-apigateway-authorizer": { + "type": "token", + "authorizerResultTtlInSeconds": 20, "authorizerUri": { "Fn::Sub": [ "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${__FunctionArn__}/invocations", @@ -354,9 +359,15 @@ } ] }, - "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access" + "authorizerCredentials": "arn:aws:iam::123456789012:role/S3Access", + "identityValidationExpression": "mycustomauthexpression" }, "x-amazon-apigateway-authtype": "custom" + }, + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } } } @@ -470,11 +481,20 @@ } } }, + "MyApiDeploymente67481ad45": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApi" + }, + "Description": "RestApi deployment id: e67481ad4559fa2ba87f90009db679ae7d0c7c57" + } + }, "MyApiProdStage": { "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiDeployment26330d35c8" + "Ref": "MyApiDeploymente67481ad45" }, "RestApiId": { "Ref": "MyApi" From 1875fb3aae91573462bd53439d2e83cf79ce4e0a Mon Sep 17 00:00:00 2001 From: Cris Barbero Date: Fri, 21 Jun 2019 09:52:44 -0600 Subject: [PATCH 5/7] Fix linting errors --- samtranslator/model/api/api_generator.py | 5 +++-- samtranslator/swagger/swagger.py | 1 - 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/samtranslator/model/api/api_generator.py b/samtranslator/model/api/api_generator.py index aa77aa329c..e5db8184cd 100644 --- a/samtranslator/model/api/api_generator.py +++ b/samtranslator/model/api/api_generator.py @@ -21,7 +21,8 @@ CorsProperties.__new__.__defaults__ = (None, None, _CORS_WILDCARD, None, False) AuthProperties = namedtuple("_AuthProperties", - ["Authorizers", "DefaultAuthorizer", "InvokeRole", "AddDefaultAuthorizerToCorsPreflight", "ApiKeyRequired"]) + ["Authorizers", "DefaultAuthorizer", "InvokeRole", "AddDefaultAuthorizerToCorsPreflight", + "ApiKeyRequired"]) AuthProperties.__new__.__defaults__ = (None, None, None, True, None) GatewayResponseProperties = ["ResponseParameters", "ResponseTemplates", "StatusCode"] @@ -310,7 +311,7 @@ def _add_auth(self): if authorizers: swagger_editor.add_authorizers_security_definitions(authorizers) self._set_default_authorizer(swagger_editor, authorizers, auth_properties.DefaultAuthorizer, - auth_properties.AddDefaultAuthorizerToCorsPreflight) + auth_properties.AddDefaultAuthorizerToCorsPreflight) if auth_properties.ApiKeyRequired: swagger_editor.add_apikey_security_definition() diff --git a/samtranslator/swagger/swagger.py b/samtranslator/swagger/swagger.py index 3f2fed3ebd..2b61f509f1 100644 --- a/samtranslator/swagger/swagger.py +++ b/samtranslator/swagger/swagger.py @@ -595,7 +595,6 @@ def set_path_default_apikey_required(self, path): if security != existing_security: method_definition['security'] = security - def add_auth_to_method(self, path, method_name, auth, api): """ Adds auth settings for this path/method. Auth settings currently consist of Authorizers and ApiKeyRequired From 57c1efe9ac9bf9d325b8a1416353d12fea073505 Mon Sep 17 00:00:00 2001 From: Cris Barbero Date: Fri, 21 Jun 2019 11:02:47 -0600 Subject: [PATCH 6/7] Update apikey openapi3 tests with expected output. --- .../api_with_apikey_required_openapi_3.yaml | 3 +- .../api_with_apikey_required_openapi_3.json | 271 +++++++++--------- .../api_with_apikey_required_openapi_3.json | 115 ++++---- .../api_with_apikey_required_openapi_3.json | 119 ++++---- 4 files changed, 256 insertions(+), 252 deletions(-) diff --git a/tests/translator/input/api_with_apikey_required_openapi_3.yaml b/tests/translator/input/api_with_apikey_required_openapi_3.yaml index e5c562c916..95d7727c58 100644 --- a/tests/translator/input/api_with_apikey_required_openapi_3.yaml +++ b/tests/translator/input/api_with_apikey_required_openapi_3.yaml @@ -3,7 +3,8 @@ Resources: Type: "AWS::Serverless::Api" Properties: StageName: Prod - + OpenApiVersion: '3.0.1' + MyFunctionWithApiKeyRequired: Type: AWS::Serverless::Function Properties: diff --git a/tests/translator/output/api_with_apikey_required_openapi_3.json b/tests/translator/output/api_with_apikey_required_openapi_3.json index 5b4da1067a..f9bc29f8c4 100644 --- a/tests/translator/output/api_with_apikey_required_openapi_3.json +++ b/tests/translator/output/api_with_apikey_required_openapi_3.json @@ -1,81 +1,91 @@ { - "Resources": { - "MyFunctionWithApiKeyRequiredRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "ManagedPolicyArns": [ - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "sts:AssumeRole" - ], - "Effect": "Allow", - "Principal": { - "Service": [ - "lambda.amazonaws.com" - ] - } + "Resources": { + "MyFunctionWithApiKeyRequiredRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] } - ] - } + } + ] } - }, - "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionTest": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": { - "Ref": "MyFunctionWithApiKeyRequired" - }, - "SourceArn": { - "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", - { - "__Stage__": "*", - "__ApiId__": { - "Ref": "MyApiWithoutAuth" - } + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" } - ] - } + } + ] } - }, - "MyApiWithoutAuth": { - "Type": "AWS::ApiGateway::RestApi", - "Properties": { - "Body": { - "info": { - "version": "1.0", - "title": { - "Ref": "AWS::StackName" - } - }, - "paths": { - "/ApiKeyRequiredTrue": { - "get": { - "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", - "uri": { - "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequired.Arn}/invocations" - } - }, - "security": [ - { - "api_key": [] - } - ], - "responses": {} - } + } + }, + "MyApiWithoutAuthDeployment362c03cec4": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "Description": "RestApi deployment id: 362c03cec4d1e425d49ca04895320cd58490c2d4" + } + }, + "MyApiWithoutAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } + }, + "paths": { + "/ApiKeyRequiredTrue": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequired.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} } - }, - "swagger": "2.0", - "securityDefinitions": { + } + }, + "openapi": "3.0.1", + "components": { + "securitySchemes": { "api_key": { "type": "apiKey", "name": "x-api-key", @@ -84,72 +94,63 @@ } } } - }, - "MyApiWithoutAuthProdStage": { - "Type": "AWS::ApiGateway::Stage", - "Properties": { - "DeploymentId": { - "Ref": "MyApiWithoutAuthDeployment3ab9d13134" - }, - "RestApiId": { - "Ref": "MyApiWithoutAuth" - }, - "StageName": "Prod" - } - }, - "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionProd": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": { - "Ref": "MyFunctionWithApiKeyRequired" - }, - "SourceArn": { - "Fn::Sub": [ - "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", - { - "__Stage__": "Prod", - "__ApiId__": { - "Ref": "MyApiWithoutAuth" - } - } - ] - } - } - }, - "MyFunctionWithApiKeyRequired": { - "Type": "AWS::Lambda::Function", - "Properties": { - "Handler": "index.handler", - "Code": { - "S3Bucket": "bucket", - "S3Key": "key" - }, - "Role": { - "Fn::GetAtt": [ - "MyFunctionWithApiKeyRequiredRole", - "Arn" - ] - }, - "Runtime": "nodejs8.10", - "Tags": [ + } + }, + "MyApiWithoutAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithoutAuthDeployment362c03cec4" + }, + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "StageName": "Prod" + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", { - "Value": "SAM", - "Key": "lambda:createdBy" + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } } ] } - }, - "MyApiWithoutAuthDeployment3ab9d13134": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApiWithoutAuth" - }, - "Description": "RestApi deployment id: 3ab9d13134bf550e275a303c6987801dfb7f9d7b", - "StageName": "Stage" - } + } + }, + "MyFunctionWithApiKeyRequired": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] } } - } \ No newline at end of file + } +} \ No newline at end of file diff --git a/tests/translator/output/aws-cn/api_with_apikey_required_openapi_3.json b/tests/translator/output/aws-cn/api_with_apikey_required_openapi_3.json index 7952eb5fca..a3e89758ab 100644 --- a/tests/translator/output/aws-cn/api_with_apikey_required_openapi_3.json +++ b/tests/translator/output/aws-cn/api_with_apikey_required_openapi_3.json @@ -1,19 +1,19 @@ { "Resources": { "MyFunctionWithApiKeyRequiredRole": { - "Type": "AWS::IAM::Role", + "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": [ "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], + ], "AssumeRolePolicyDocument": { - "Version": "2012-10-17", + "Version": "2012-10-17", "Statement": [ { "Action": [ "sts:AssumeRole" - ], - "Effect": "Allow", + ], + "Effect": "Allow", "Principal": { "Service": [ "lambda.amazonaws.com" @@ -23,20 +23,20 @@ ] } } - }, + }, "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunctionWithApiKeyRequired" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApiWithoutAuth" } @@ -44,90 +44,91 @@ ] } } - }, - "MyApiWithoutAuthDeploymentcc6d6fc40a": { - "Type": "AWS::ApiGateway::Deployment", + }, + "MyApiWithoutAuthDeployment3228c3480e": { + "Type": "AWS::ApiGateway::Deployment", "Properties": { "RestApiId": { "Ref": "MyApiWithoutAuth" - }, - "Description": "RestApi deployment id: cc6d6fc40a37188fe0115a039b24e397dc149478", - "StageName": "Stage" + }, + "Description": "RestApi deployment id: 3228c3480e71b3b8f21b3fefff2c5ad79bebe54c" } - }, + }, "MyApiWithoutAuth": { - "Type": "AWS::ApiGateway::RestApi", + "Type": "AWS::ApiGateway::RestApi", "Properties": { "Body": { "info": { - "version": "1.0", + "version": "1.0", "title": { "Ref": "AWS::StackName" } - }, + }, "paths": { "/ApiKeyRequiredTrue": { "get": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequired.Arn}/invocations" } - }, + }, "security": [ { "api_key": [] } - ], + ], "responses": {} } } - }, - "swagger": "2.0", - "securityDefinitions": { - "api_key": { - "type": "apiKey", - "name": "x-api-key", - "in": "header" - } + }, + "openapi": "3.0.1", + "components": { + "securitySchemes": { + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + } + } } - }, + }, "EndpointConfiguration": { "Types": [ "REGIONAL" ] - }, + }, "Parameters": { "endpointConfigurationTypes": "REGIONAL" } } - }, + }, "MyApiWithoutAuthProdStage": { - "Type": "AWS::ApiGateway::Stage", + "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithoutAuthDeploymentcc6d6fc40a" - }, + "Ref": "MyApiWithoutAuthDeployment3228c3480e" + }, "RestApiId": { "Ref": "MyApiWithoutAuth" - }, + }, "StageName": "Prod" } - }, + }, "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunctionWithApiKeyRequired" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApiWithoutAuth" } @@ -135,25 +136,25 @@ ] } } - }, + }, "MyFunctionWithApiKeyRequired": { - "Type": "AWS::Lambda::Function", + "Type": "AWS::Lambda::Function", "Properties": { - "Handler": "index.handler", + "Handler": "index.handler", "Code": { - "S3Bucket": "bucket", + "S3Bucket": "bucket", "S3Key": "key" - }, + }, "Role": { "Fn::GetAtt": [ - "MyFunctionWithApiKeyRequiredRole", + "MyFunctionWithApiKeyRequiredRole", "Arn" ] - }, - "Runtime": "nodejs8.10", + }, + "Runtime": "nodejs8.10", "Tags": [ { - "Value": "SAM", + "Value": "SAM", "Key": "lambda:createdBy" } ] diff --git a/tests/translator/output/aws-us-gov/api_with_apikey_required_openapi_3.json b/tests/translator/output/aws-us-gov/api_with_apikey_required_openapi_3.json index 6fc74a2c9f..5f6a5f6af3 100644 --- a/tests/translator/output/aws-us-gov/api_with_apikey_required_openapi_3.json +++ b/tests/translator/output/aws-us-gov/api_with_apikey_required_openapi_3.json @@ -1,19 +1,19 @@ { "Resources": { "MyFunctionWithApiKeyRequiredRole": { - "Type": "AWS::IAM::Role", + "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": [ "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], + ], "AssumeRolePolicyDocument": { - "Version": "2012-10-17", + "Version": "2012-10-17", "Statement": [ { "Action": [ "sts:AssumeRole" - ], - "Effect": "Allow", + ], + "Effect": "Allow", "Principal": { "Service": [ "lambda.amazonaws.com" @@ -23,20 +23,20 @@ ] } } - }, + }, "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionTest": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunctionWithApiKeyRequired" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", { - "__Stage__": "*", + "__Stage__": "*", "__ApiId__": { "Ref": "MyApiWithoutAuth" } @@ -44,80 +44,79 @@ ] } } - }, + }, "MyApiWithoutAuth": { - "Type": "AWS::ApiGateway::RestApi", + "Type": "AWS::ApiGateway::RestApi", "Properties": { "Body": { "info": { - "version": "1.0", + "version": "1.0", "title": { "Ref": "AWS::StackName" } - }, + }, "paths": { "/ApiKeyRequiredTrue": { "get": { "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", + "httpMethod": "POST", + "type": "aws_proxy", "uri": { "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequired.Arn}/invocations" } - }, + }, "security": [ { "api_key": [] } - ], + ], "responses": {} } } - }, - "swagger": "2.0", - "securityDefinitions": { - "api_key": { - "type": "apiKey", - "name": "x-api-key", - "in": "header" + }, + "openapi": "3.0.1", + "components": { + "securitySchemes": { + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" + } } } - }, + }, "EndpointConfiguration": { "Types": [ "REGIONAL" ] - }, + }, "Parameters": { "endpointConfigurationTypes": "REGIONAL" } } - }, - "MyApiWithoutAuthProdStage": { - "Type": "AWS::ApiGateway::Stage", + }, + "MyApiWithoutAuthDeploymentcde744dde5": { + "Type": "AWS::ApiGateway::Deployment", "Properties": { - "DeploymentId": { - "Ref": "MyApiWithoutAuthDeployment1f6bf4c0d5" - }, "RestApiId": { "Ref": "MyApiWithoutAuth" - }, - "StageName": "Prod" + }, + "Description": "RestApi deployment id: cde744dde52f60ada8fc672db9a4f1b838c83fc7" } - }, + }, "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionProd": { - "Type": "AWS::Lambda::Permission", + "Type": "AWS::Lambda::Permission", "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", "FunctionName": { "Ref": "MyFunctionWithApiKeyRequired" - }, + }, "SourceArn": { "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", { - "__Stage__": "Prod", + "__Stage__": "Prod", "__ApiId__": { "Ref": "MyApiWithoutAuth" } @@ -125,38 +124,40 @@ ] } } - }, + }, "MyFunctionWithApiKeyRequired": { - "Type": "AWS::Lambda::Function", + "Type": "AWS::Lambda::Function", "Properties": { - "Handler": "index.handler", + "Handler": "index.handler", "Code": { - "S3Bucket": "bucket", + "S3Bucket": "bucket", "S3Key": "key" - }, + }, "Role": { "Fn::GetAtt": [ - "MyFunctionWithApiKeyRequiredRole", + "MyFunctionWithApiKeyRequiredRole", "Arn" ] - }, - "Runtime": "nodejs8.10", + }, + "Runtime": "nodejs8.10", "Tags": [ { - "Value": "SAM", + "Value": "SAM", "Key": "lambda:createdBy" } ] } - }, - "MyApiWithoutAuthDeployment1f6bf4c0d5": { - "Type": "AWS::ApiGateway::Deployment", + }, + "MyApiWithoutAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", "Properties": { + "DeploymentId": { + "Ref": "MyApiWithoutAuthDeploymentcde744dde5" + }, "RestApiId": { "Ref": "MyApiWithoutAuth" - }, - "Description": "RestApi deployment id: 1f6bf4c0d5babf513c5623a65931134211ad3d0b", - "StageName": "Stage" + }, + "StageName": "Prod" } } } From 36cf808fd8cd8c0ec5df40a6c19979db88839299 Mon Sep 17 00:00:00 2001 From: Cris Barbero Date: Fri, 21 Jun 2019 11:12:21 -0600 Subject: [PATCH 7/7] Move OpenApi Auth processing- Since the ApiKey setting can be specified just at a Function level, we need to ensure the OpenApi Auth post processing happens even if the API has no explicit Auth Settings --- samtranslator/model/api/api_generator.py | 6 +- .../api_with_apikey_required_openapi_3.json | 20 +- .../api_with_apikey_required_openapi_3.json | 292 ++++++++--------- .../api_with_apikey_required_openapi_3.json | 294 +++++++++--------- tests/translator/test_translator.py | 3 +- 5 files changed, 309 insertions(+), 306 deletions(-) diff --git a/samtranslator/model/api/api_generator.py b/samtranslator/model/api/api_generator.py index e5db8184cd..4949309d98 100644 --- a/samtranslator/model/api/api_generator.py +++ b/samtranslator/model/api/api_generator.py @@ -116,6 +116,8 @@ def _construct_rest_api(self): if self.definition_uri: rest_api.BodyS3Location = self._construct_body_s3_dict() elif self.definition_body: + # # Post Process OpenApi Auth Settings + self.definition_body = self._openapi_auth_postprocess(self.definition_body) rest_api.Body = self.definition_body if self.name: @@ -318,8 +320,8 @@ def _add_auth(self): self._set_default_apikey_required(swagger_editor) # Assign the Swagger back to template - - self.definition_body = self._openapi_auth_postprocess(swagger_editor.swagger) + # self.definition_body = self._openapi_auth_postprocess(swagger_editor.swagger) + self.definition_body = swagger_editor.swagger def _openapi_auth_postprocess(self, definition_body): """ diff --git a/tests/translator/output/api_with_apikey_required_openapi_3.json b/tests/translator/output/api_with_apikey_required_openapi_3.json index f9bc29f8c4..e913e63751 100644 --- a/tests/translator/output/api_with_apikey_required_openapi_3.json +++ b/tests/translator/output/api_with_apikey_required_openapi_3.json @@ -45,15 +45,6 @@ } } }, - "MyApiWithoutAuthDeployment362c03cec4": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApiWithoutAuth" - }, - "Description": "RestApi deployment id: 362c03cec4d1e425d49ca04895320cd58490c2d4" - } - }, "MyApiWithoutAuth": { "Type": "AWS::ApiGateway::RestApi", "Properties": { @@ -100,7 +91,7 @@ "Type": "AWS::ApiGateway::Stage", "Properties": { "DeploymentId": { - "Ref": "MyApiWithoutAuthDeployment362c03cec4" + "Ref": "MyApiWithoutAuthDeployment741383c56d" }, "RestApiId": { "Ref": "MyApiWithoutAuth" @@ -151,6 +142,15 @@ } ] } + }, + "MyApiWithoutAuthDeployment741383c56d": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "Description": "RestApi deployment id: 741383c56de0cab1f561223582a9259cf165b42f" + } } } } \ No newline at end of file diff --git a/tests/translator/output/aws-cn/api_with_apikey_required_openapi_3.json b/tests/translator/output/aws-cn/api_with_apikey_required_openapi_3.json index a3e89758ab..0ecfb136d8 100644 --- a/tests/translator/output/aws-cn/api_with_apikey_required_openapi_3.json +++ b/tests/translator/output/aws-cn/api_with_apikey_required_openapi_3.json @@ -1,164 +1,164 @@ { - "Resources": { - "MyFunctionWithApiKeyRequiredRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "ManagedPolicyArns": [ - "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "sts:AssumeRole" - ], - "Effect": "Allow", - "Principal": { - "Service": [ - "lambda.amazonaws.com" - ] - } + "Resources": { + "MyFunctionWithApiKeyRequiredRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] } - ] - } + } + ] } - }, - "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionTest": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": { - "Ref": "MyFunctionWithApiKeyRequired" - }, - "SourceArn": { - "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", - { - "__Stage__": "*", - "__ApiId__": { - "Ref": "MyApiWithoutAuth" - } + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" } - ] - } + } + ] } - }, - "MyApiWithoutAuthDeployment3228c3480e": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApiWithoutAuth" + } + }, + "MyApiWithoutAuthDeployment859a8b8388": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "Description": "RestApi deployment id: 859a8b8388c863dbda96b384cefea4ac988f5f81" + } + }, + "MyApiWithoutAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } }, - "Description": "RestApi deployment id: 3228c3480e71b3b8f21b3fefff2c5ad79bebe54c" - } - }, - "MyApiWithoutAuth": { - "Type": "AWS::ApiGateway::RestApi", - "Properties": { - "Body": { - "info": { - "version": "1.0", - "title": { - "Ref": "AWS::StackName" - } - }, - "paths": { - "/ApiKeyRequiredTrue": { - "get": { - "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", - "uri": { - "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequired.Arn}/invocations" - } - }, - "security": [ - { - "api_key": [] - } - ], - "responses": {} - } + "paths": { + "/ApiKeyRequiredTrue": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-cn:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequired.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} } - }, - "openapi": "3.0.1", - "components": { - "securitySchemes": { - "api_key": { - "type": "apiKey", - "name": "x-api-key", - "in": "header" - } - } } }, - "EndpointConfiguration": { - "Types": [ - "REGIONAL" - ] - }, - "Parameters": { - "endpointConfigurationTypes": "REGIONAL" - } - } - }, - "MyApiWithoutAuthProdStage": { - "Type": "AWS::ApiGateway::Stage", - "Properties": { - "DeploymentId": { - "Ref": "MyApiWithoutAuthDeployment3228c3480e" - }, - "RestApiId": { - "Ref": "MyApiWithoutAuth" - }, - "StageName": "Prod" - } - }, - "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionProd": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": { - "Ref": "MyFunctionWithApiKeyRequired" - }, - "SourceArn": { - "Fn::Sub": [ - "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", - { - "__Stage__": "Prod", - "__ApiId__": { - "Ref": "MyApiWithoutAuth" - } + "openapi": "3.0.1", + "components": { + "securitySchemes": { + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } - ] + } } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" } - }, - "MyFunctionWithApiKeyRequired": { - "Type": "AWS::Lambda::Function", - "Properties": { - "Handler": "index.handler", - "Code": { - "S3Bucket": "bucket", - "S3Key": "key" - }, - "Role": { - "Fn::GetAtt": [ - "MyFunctionWithApiKeyRequiredRole", - "Arn" - ] - }, - "Runtime": "nodejs8.10", - "Tags": [ + } + }, + "MyApiWithoutAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithoutAuthDeployment859a8b8388" + }, + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "StageName": "Prod" + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-cn:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", { - "Value": "SAM", - "Key": "lambda:createdBy" + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } } ] } } + }, + "MyFunctionWithApiKeyRequired": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } } - } \ No newline at end of file + } +} \ No newline at end of file diff --git a/tests/translator/output/aws-us-gov/api_with_apikey_required_openapi_3.json b/tests/translator/output/aws-us-gov/api_with_apikey_required_openapi_3.json index 5f6a5f6af3..90fc4e9da9 100644 --- a/tests/translator/output/aws-us-gov/api_with_apikey_required_openapi_3.json +++ b/tests/translator/output/aws-us-gov/api_with_apikey_required_openapi_3.json @@ -1,164 +1,164 @@ { - "Resources": { - "MyFunctionWithApiKeyRequiredRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "ManagedPolicyArns": [ - "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "sts:AssumeRole" - ], - "Effect": "Allow", - "Principal": { - "Service": [ - "lambda.amazonaws.com" - ] - } - } - ] - } - } - }, - "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionTest": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": { - "Ref": "MyFunctionWithApiKeyRequired" - }, - "SourceArn": { - "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", - { - "__Stage__": "*", - "__ApiId__": { - "Ref": "MyApiWithoutAuth" - } + "Resources": { + "MyFunctionWithApiKeyRequiredRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] } - ] - } + } + ] } - }, - "MyApiWithoutAuth": { - "Type": "AWS::ApiGateway::RestApi", - "Properties": { - "Body": { - "info": { - "version": "1.0", - "title": { - "Ref": "AWS::StackName" - } - }, - "paths": { - "/ApiKeyRequiredTrue": { - "get": { - "x-amazon-apigateway-integration": { - "httpMethod": "POST", - "type": "aws_proxy", - "uri": { - "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequired.Arn}/invocations" - } - }, - "security": [ - { - "api_key": [] - } - ], - "responses": {} - } - } - }, - "openapi": "3.0.1", - "components": { - "securitySchemes": { - "api_key": { - "type": "apiKey", - "name": "x-api-key", - "in": "header" - } + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionTest": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" } } - }, - "EndpointConfiguration": { - "Types": [ - "REGIONAL" - ] - }, - "Parameters": { - "endpointConfigurationTypes": "REGIONAL" - } + ] } - }, - "MyApiWithoutAuthDeploymentcde744dde5": { - "Type": "AWS::ApiGateway::Deployment", - "Properties": { - "RestApiId": { - "Ref": "MyApiWithoutAuth" + } + }, + "MyApiWithoutAuth": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Body": { + "info": { + "version": "1.0", + "title": { + "Ref": "AWS::StackName" + } }, - "Description": "RestApi deployment id: cde744dde52f60ada8fc672db9a4f1b838c83fc7" - } - }, - "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionProd": { - "Type": "AWS::Lambda::Permission", - "Properties": { - "Action": "lambda:invokeFunction", - "Principal": "apigateway.amazonaws.com", - "FunctionName": { - "Ref": "MyFunctionWithApiKeyRequired" + "paths": { + "/ApiKeyRequiredTrue": { + "get": { + "x-amazon-apigateway-integration": { + "httpMethod": "POST", + "type": "aws_proxy", + "uri": { + "Fn::Sub": "arn:aws-us-gov:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunctionWithApiKeyRequired.Arn}/invocations" + } + }, + "security": [ + { + "api_key": [] + } + ], + "responses": {} + } + } }, - "SourceArn": { - "Fn::Sub": [ - "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", - { - "__Stage__": "Prod", - "__ApiId__": { - "Ref": "MyApiWithoutAuth" - } + "openapi": "3.0.1", + "components": { + "securitySchemes": { + "api_key": { + "type": "apiKey", + "name": "x-api-key", + "in": "header" } - ] + } } + }, + "EndpointConfiguration": { + "Types": [ + "REGIONAL" + ] + }, + "Parameters": { + "endpointConfigurationTypes": "REGIONAL" } - }, - "MyFunctionWithApiKeyRequired": { - "Type": "AWS::Lambda::Function", - "Properties": { - "Handler": "index.handler", - "Code": { - "S3Bucket": "bucket", - "S3Key": "key" - }, - "Role": { - "Fn::GetAtt": [ - "MyFunctionWithApiKeyRequiredRole", - "Arn" - ] - }, - "Runtime": "nodejs8.10", - "Tags": [ + } + }, + "MyApiWithoutAuthProdStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "MyApiWithoutAuthDeploymentfee0b2b452" + }, + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "StageName": "Prod" + } + }, + "MyFunctionWithApiKeyRequiredMyApiWithApiKeyRequiredPermissionProd": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:invokeFunction", + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "MyFunctionWithApiKeyRequired" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws-us-gov:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/ApiKeyRequiredTrue", { - "Value": "SAM", - "Key": "lambda:createdBy" + "__Stage__": "Prod", + "__ApiId__": { + "Ref": "MyApiWithoutAuth" + } } ] } - }, - "MyApiWithoutAuthProdStage": { - "Type": "AWS::ApiGateway::Stage", - "Properties": { - "DeploymentId": { - "Ref": "MyApiWithoutAuthDeploymentcde744dde5" - }, - "RestApiId": { - "Ref": "MyApiWithoutAuth" - }, - "StageName": "Prod" - } + } + }, + "MyFunctionWithApiKeyRequired": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Code": { + "S3Bucket": "bucket", + "S3Key": "key" + }, + "Role": { + "Fn::GetAtt": [ + "MyFunctionWithApiKeyRequiredRole", + "Arn" + ] + }, + "Runtime": "nodejs8.10", + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] + } + }, + "MyApiWithoutAuthDeploymentfee0b2b452": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApiWithoutAuth" + }, + "Description": "RestApi deployment id: fee0b2b45266fff45b8edba43206618eabefebfe" } } - } \ No newline at end of file + } +} \ No newline at end of file diff --git a/tests/translator/test_translator.py b/tests/translator/test_translator.py index 26e7730975..f2c4049cef 100644 --- a/tests/translator/test_translator.py +++ b/tests/translator/test_translator.py @@ -333,7 +333,8 @@ def test_transform_success(self, testcase, partition_with_region): 'api_with_auth_all_minimum_openapi', 'api_with_swagger_and_openapi_with_auth', 'api_with_openapi_definition_body_no_flag', - 'api_request_model_openapi_3' + 'api_request_model_openapi_3', + 'api_with_apikey_required_openapi_3' ], [ ("aws", "ap-southeast-1"),