fix(appsync): erroneous api key created when additional authorization…

… is not configured (aws#9057) fixes aws#9054 The AppSync GraphQL API uses API_KEY Auth by default. For this it creates an API key. This is fine as long as API_KEY auth is configured for the API. But this behaviour is erroneous when API_KEY Auth is neither the default nor an addition authentication method. This PR addresses this issue and ensures that an API key is only created when API_KEY auth is really configured. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
BLasan · Jul 17, 2020 · 6f934e9 · 6f934e9
1 parent a4d5ed1
commit 6f934e9
Show file tree

Hide file tree

Showing 2 changed files with 83 additions and 2 deletions.
diff --git a/packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts b/packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts
@@ -341,9 +341,9 @@ export class GraphQLApi extends Construct {
 
     if (
       defaultAuthorizationType === AuthorizationType.API_KEY ||
-      props.authorizationConfig?.additionalAuthorizationModes?.findIndex(
+      props.authorizationConfig?.additionalAuthorizationModes?.some(
         (authMode) => authMode.authorizationType === AuthorizationType.API_KEY
-      ) !== -1
+      )
     ) {
       const apiKeyConfig: ApiKeyConfig = props.authorizationConfig
         ?.defaultAuthorization?.apiKeyConfig || {

diff --git a/packages/@aws-cdk/aws-appsync/test/appsync-apikey.test.ts b/packages/@aws-cdk/aws-appsync/test/appsync-apikey.test.ts
@@ -0,0 +1,81 @@
+import '@aws-cdk/assert/jest';
+import * as cdk from '@aws-cdk/core';
+import * as path from 'path';
+import * as appsync from '../lib';
+
+describe('AppSync Authorization Config', () => {
+  test('AppSync creates default api key', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+
+    // WHEN
+    new appsync.GraphQLApi(stack, 'api', {
+      name: 'api',
+      schemaDefinitionFile: path.join(__dirname, 'schema.graphql'),
+    });
+
+    // THEN
+    expect(stack).toHaveResource('AWS::AppSync::ApiKey');
+  });
+
+  test('AppSync creates api key from additionalAuthorizationModes', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+
+    // WHEN
+    new appsync.GraphQLApi(stack, 'api', {
+      name: 'api',
+      schemaDefinitionFile: path.join(__dirname, 'schema.graphql'),
+      authorizationConfig: {
+        defaultAuthorization: {
+          authorizationType: appsync.AuthorizationType.IAM,
+        },
+        additionalAuthorizationModes: [
+          { authorizationType: appsync.AuthorizationType.API_KEY },
+        ],
+      },
+    });
+
+    // THEN
+    expect(stack).toHaveResource('AWS::AppSync::ApiKey');
+  });
+
+  test('AppSync does not create unspecified api key from additionalAuthorizationModes', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+
+    // WHEN
+    new appsync.GraphQLApi(stack, 'api', {
+      name: 'api',
+      schemaDefinitionFile: path.join(__dirname, 'schema.graphql'),
+      authorizationConfig: {
+        defaultAuthorization: {
+          authorizationType: appsync.AuthorizationType.IAM,
+        },
+      },
+    });
+
+    // THEN
+    expect(stack).not.toHaveResource('AWS::AppSync::ApiKey');
+  });
+
+  test('appsync does not create unspecified api key with empty additionalAuthorizationModes', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+
+    // WHEN
+    new appsync.GraphQLApi(stack, 'api', {
+      name: 'api',
+      schemaDefinitionFile: path.join(__dirname, 'schema.graphql'),
+      authorizationConfig: {
+        defaultAuthorization: {
+          authorizationType: appsync.AuthorizationType.IAM,
+        },
+        additionalAuthorizationModes: [],
+      },
+    });
+
+    // THEN
+    expect(stack).not.toHaveResource('AWS::AppSync::ApiKey');
+  });
+});