fix(apigateway): authorizerUri does not resolve to the correct partit…

…ion (aws#8152) Add that the authorizerURI includes the correct partition. Previously, it always used the aws partition. fixes aws#8098 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
t6nn · Jun 4, 2020 · f455273 · f455273
1 parent 201b468
commit f455273
Show file tree

Hide file tree

Showing 13 changed files with 445 additions and 306 deletions.
diff --git a/packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts b/packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts
@@ -170,7 +170,7 @@ export class TokenAuthorizer extends LambdaAuthorizer {
       name: props.authorizerName ?? this.node.uniqueId,
       restApiId,
       type: 'TOKEN',
-      authorizerUri: `arn:aws:apigateway:${Stack.of(this).region}:lambda:path/2015-03-31/functions/${props.handler.functionArn}/invocations`,
+      authorizerUri: lambdaAuthorizerArn(props.handler),
       authorizerCredentials: props.assumeRole?.roleArn,
       authorizerResultTtlInSeconds: props.resultsCacheTtl?.toSeconds(),
       identitySource: props.identitySource || 'method.request.header.Authorization',
@@ -232,7 +232,7 @@ export class RequestAuthorizer extends LambdaAuthorizer {
       name: props.authorizerName ?? this.node.uniqueId,
       restApiId,
       type: 'REQUEST',
-      authorizerUri: `arn:aws:apigateway:${Stack.of(this).region}:lambda:path/2015-03-31/functions/${props.handler.functionArn}/invocations`,
+      authorizerUri: lambdaAuthorizerArn(props.handler),
       authorizerCredentials: props.assumeRole?.roleArn,
       authorizerResultTtlInSeconds: props.resultsCacheTtl?.toSeconds(),
       identitySource: props.identitySources.map(is => is.toString()).join(','),
@@ -248,3 +248,10 @@ export class RequestAuthorizer extends LambdaAuthorizer {
     this.setupPermissions();
   }
 }
+
+/**
+ * constructs the authorizerURIArn.
+ */
+function lambdaAuthorizerArn(handler: lambda.IFunction) {
+  return `arn:${Stack.of(handler).partition}:apigateway:${Stack.of(handler).region}:lambda:path/2015-03-31/functions/${handler.functionArn}/invocations`;
+}
diff --git a/packages/@aws-cdk/aws-apigateway/lib/integration.ts b/packages/@aws-cdk/aws-apigateway/lib/integration.ts
@@ -113,9 +113,9 @@ export interface IntegrationProps {
    * - If you specify HTTP for the `type` property, specify the API endpoint URL.
    * - If you specify MOCK for the `type` property, don't specify this property.
    * - If you specify AWS for the `type` property, specify an AWS service that
-   *   follows this form: `arn:aws:apigateway:region:subdomain.service|service:path|action/service_api.`
+   *   follows this form: `arn:partition:apigateway:region:subdomain.service|service:path|action/service_api.`
    *   For example, a Lambda function URI follows this form:
-   *   arn:aws:apigateway:region:lambda:path/path. The path is usually in the
+   *   arn:partition:apigateway:region:lambda:path/path. The path is usually in the
    *   form /2015-03-31/functions/LambdaFunctionARN/invocations.
    *
    * @see https://docs.aws.amazon.com/apigateway/api-reference/resource/integration/#uri

diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.expected.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.expected.json
@@ -131,30 +131,6 @@
         "Name": "MyRestApi"
       }
     },
-    "MyRestApiDeploymentB555B582dcff966d69deeda8d47e3bf409ce29cb": {
-      "Type": "AWS::ApiGateway::Deployment",
-      "Properties": {
-        "RestApiId": {
-          "Ref": "MyRestApi2D1F47A9"
-        },
-        "Description": "Automatically created by the RestApi construct"
-      },
-      "DependsOn": [
-        "MyRestApiANY05143F93"
-      ]
-    },
-    "MyRestApiDeploymentStageprodC33B8E5F": {
-      "Type": "AWS::ApiGateway::Stage",
-      "Properties": {
-        "RestApiId": {
-          "Ref": "MyRestApi2D1F47A9"
-        },
-        "DeploymentId": {
-          "Ref": "MyRestApiDeploymentB555B582dcff966d69deeda8d47e3bf409ce29cb"
-        },
-        "StageName": "prod"
-      }
-    },
     "MyRestApiCloudWatchRoleD4042E8E": {
       "Type": "AWS::IAM::Role",
       "Properties": {
@@ -200,6 +176,30 @@
         "MyRestApi2D1F47A9"
       ]
     },
+    "MyRestApiDeploymentB555B582dcff966d69deeda8d47e3bf409ce29cb": {
+      "Type": "AWS::ApiGateway::Deployment",
+      "Properties": {
+        "RestApiId": {
+          "Ref": "MyRestApi2D1F47A9"
+        },
+        "Description": "Automatically created by the RestApi construct"
+      },
+      "DependsOn": [
+        "MyRestApiANY05143F93"
+      ]
+    },
+    "MyRestApiDeploymentStageprodC33B8E5F": {
+      "Type": "AWS::ApiGateway::Stage",
+      "Properties": {
+        "RestApiId": {
+          "Ref": "MyRestApi2D1F47A9"
+        },
+        "DeploymentId": {
+          "Ref": "MyRestApiDeploymentB555B582dcff966d69deeda8d47e3bf409ce29cb"
+        },
+        "StageName": "prod"
+      }
+    },
     "MyRestApiANY05143F93": {
       "Type": "AWS::ApiGateway::Method",
       "Properties": {
@@ -247,7 +247,11 @@
           "Fn::Join": [
             "",
             [
-              "arn:aws:apigateway:",
+              "arn:",
+              {
+                "Ref": "AWS::Partition"
+              },
+              ":apigateway:",
               {
                 "Ref": "AWS::Region"
               },

diff --git a/...es/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.expected.json b/...es/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.expected.json
@@ -119,7 +119,11 @@
           "Fn::Join": [
             "",
             [
-              "arn:aws:apigateway:",
+              "arn:",
+              {
+                "Ref": "AWS::Partition"
+              },
+              ":apigateway:",
               {
                 "Ref": "AWS::Region"
               },
@@ -170,30 +174,6 @@
         "Name": "MyRestApi"
       }
     },
-    "MyRestApiDeploymentB555B582dcff966d69deeda8d47e3bf409ce29cb": {
-      "Type": "AWS::ApiGateway::Deployment",
-      "Properties": {
-        "RestApiId": {
-          "Ref": "MyRestApi2D1F47A9"
-        },
-        "Description": "Automatically created by the RestApi construct"
-      },
-      "DependsOn": [
-        "MyRestApiANY05143F93"
-      ]
-    },
-    "MyRestApiDeploymentStageprodC33B8E5F": {
-      "Type": "AWS::ApiGateway::Stage",
-      "Properties": {
-        "RestApiId": {
-          "Ref": "MyRestApi2D1F47A9"
-        },
-        "DeploymentId": {
-          "Ref": "MyRestApiDeploymentB555B582dcff966d69deeda8d47e3bf409ce29cb"
-        },
-        "StageName": "prod"
-      }
-    },
     "MyRestApiCloudWatchRoleD4042E8E": {
       "Type": "AWS::IAM::Role",
       "Properties": {
@@ -239,6 +219,30 @@
         "MyRestApi2D1F47A9"
       ]
     },
+    "MyRestApiDeploymentB555B582dcff966d69deeda8d47e3bf409ce29cb": {
+      "Type": "AWS::ApiGateway::Deployment",
+      "Properties": {
+        "RestApiId": {
+          "Ref": "MyRestApi2D1F47A9"
+        },
+        "Description": "Automatically created by the RestApi construct"
+      },
+      "DependsOn": [
+        "MyRestApiANY05143F93"
+      ]
+    },
+    "MyRestApiDeploymentStageprodC33B8E5F": {
+      "Type": "AWS::ApiGateway::Stage",
+      "Properties": {
+        "RestApiId": {
+          "Ref": "MyRestApi2D1F47A9"
+        },
+        "DeploymentId": {
+          "Ref": "MyRestApiDeploymentB555B582dcff966d69deeda8d47e3bf409ce29cb"
+        },
+        "StageName": "prod"
+      }
+    },
     "MyRestApiANY05143F93": {
       "Type": "AWS::ApiGateway::Method",
       "Properties": {

diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.expected.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.expected.json
@@ -131,30 +131,6 @@
         "Name": "MyRestApi"
       }
     },
-    "MyRestApiDeploymentB555B582dcff966d69deeda8d47e3bf409ce29cb": {
-      "Type": "AWS::ApiGateway::Deployment",
-      "Properties": {
-        "RestApiId": {
-          "Ref": "MyRestApi2D1F47A9"
-        },
-        "Description": "Automatically created by the RestApi construct"
-      },
-      "DependsOn": [
-        "MyRestApiANY05143F93"
-      ]
-    },
-    "MyRestApiDeploymentStageprodC33B8E5F": {
-      "Type": "AWS::ApiGateway::Stage",
-      "Properties": {
-        "RestApiId": {
-          "Ref": "MyRestApi2D1F47A9"
-        },
-        "DeploymentId": {
-          "Ref": "MyRestApiDeploymentB555B582dcff966d69deeda8d47e3bf409ce29cb"
-        },
-        "StageName": "prod"
-      }
-    },
     "MyRestApiCloudWatchRoleD4042E8E": {
       "Type": "AWS::IAM::Role",
       "Properties": {
@@ -200,6 +176,30 @@
         "MyRestApi2D1F47A9"
       ]
     },
+    "MyRestApiDeploymentB555B582dcff966d69deeda8d47e3bf409ce29cb": {
+      "Type": "AWS::ApiGateway::Deployment",
+      "Properties": {
+        "RestApiId": {
+          "Ref": "MyRestApi2D1F47A9"
+        },
+        "Description": "Automatically created by the RestApi construct"
+      },
+      "DependsOn": [
+        "MyRestApiANY05143F93"
+      ]
+    },
+    "MyRestApiDeploymentStageprodC33B8E5F": {
+      "Type": "AWS::ApiGateway::Stage",
+      "Properties": {
+        "RestApiId": {
+          "Ref": "MyRestApi2D1F47A9"
+        },
+        "DeploymentId": {
+          "Ref": "MyRestApiDeploymentB555B582dcff966d69deeda8d47e3bf409ce29cb"
+        },
+        "StageName": "prod"
+      }
+    },
     "MyRestApiANY05143F93": {
       "Type": "AWS::ApiGateway::Method",
       "Properties": {
@@ -247,7 +247,11 @@
           "Fn::Join": [
             "",
             [
-              "arn:aws:apigateway:",
+              "arn:",
+              {
+                "Ref": "AWS::Partition"
+              },
+              ":apigateway:",
               {
                 "Ref": "AWS::Region"
               },