Merge branch 'master' into guchangh/eks-call

Author: NovakGu

CHANGELOG.md

@@ -2,6 +2,13 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.87.1](https://github.com/aws/aws-cdk/compare/v1.87.0...v1.87.1) (2021-01-28)
+
+
+### Bug Fixes
+
+* **apigateway:** stack update fails to replace api key ([38cbe62](https://github.com/aws/aws-cdk/commit/38cbe620859d6efabda95dbdd3185a480ab43894)), closes [#12698](https://github.com/aws/aws-cdk/issues/12698)
+
 ## [1.87.0](https://github.com/aws/aws-cdk/compare/v1.86.0...v1.87.0) (2021-01-27)
 
 

packages/@aws-cdk/assert/lib/assertions/have-resource.ts

@@ -66,7 +66,7 @@ export class HaveResourceAssertion extends JestFriendlyAssertion<StackInspector>
     for (const logicalId of Object.keys(inspector.value.Resources || {})) {
       const resource = inspector.value.Resources[logicalId];
       if (resource.Type === this.resourceType) {
-        const propsToCheck = this.part === ResourcePart.Properties ? resource.Properties : resource;
+        const propsToCheck = this.part === ResourcePart.Properties ? (resource.Properties ?? {}) : resource;
 
         // Pass inspection object as 2nd argument, initialize failure with default string,
         // to maintain backwards compatibility with old predicate API.

packages/@aws-cdk/aws-apigateway/README.md

@@ -32,6 +32,7 @@ running on AWS Lambda, or any web application.
   - [IAM-based authorizer](#iam-based-authorizer)
   - [Lambda-based token authorizer](#lambda-based-token-authorizer)
   - [Lambda-based request authorizer](#lambda-based-request-authorizer)
+  - [Cognito User Pools authorizer](#cognito-user-pools-authorizer)
 - [Mutual TLS](#mutal-tls-mtls)
 - [Deployments](#deployments)
   - [Deep dive: Invalidation of deployments](#deep-dive-invalidation-of-deployments)
@@ -580,6 +581,25 @@ Authorizers can also be passed via the `defaultMethodOptions` property within th
 explicitly overridden, the specified defaults will be applied across all `Method`s across the `RestApi` or across all `Resource`s,
 depending on where the defaults were specified.
 
+### Cognito User Pools authorizer
+
+API Gateway also allows [Amazon Cognito user pools as authorizer](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html)
+
+The following snippet configures a Cognito user pool as an authorizer:
+
+```ts
+const userPool = new cognito.UserPool(stack, 'UserPool');
+
+const auth = new apigateway.CognitoUserPoolsAuthorizer(this, 'booksAuthorizer', {
+  cognitoUserPools: [userPool]
+});
+
+books.addMethod('GET', new apigateway.HttpIntegration('http://amazon.com'), {
+  authorizer: auth,
+  authorizationType: apigateway.AuthorizationType.COGNITO,
+});
+```
+
 ## Mutual TLS (mTLS)
 
 Mutual TLS can be configured to limit access to your API based by using client certificates instead of (or as an extension of) using authorization headers.

packages/@aws-cdk/aws-apigateway/lib/authorizers/cognito.ts

@@ -0,0 +1,115 @@
+import * as cognito from '@aws-cdk/aws-cognito';
+import { Duration, Lazy, Names, Stack } from '@aws-cdk/core';
+import { Construct } from 'constructs';
+import { CfnAuthorizer } from '../apigateway.generated';
+import { Authorizer, IAuthorizer } from '../authorizer';
+import { AuthorizationType } from '../method';
+import { IRestApi } from '../restapi';
+
+/**
+ * Properties for CognitoUserPoolsAuthorizer
+ */
+export interface CognitoUserPoolsAuthorizerProps {
+  /**
+   * An optional human friendly name for the authorizer. Note that, this is not the primary identifier of the authorizer.
+   *
+   * @default - the unique construct ID
+   */
+  readonly authorizerName?: string;
+
+  /**
+   * The user pools to associate with this authorizer.
+   */
+  readonly cognitoUserPools: cognito.IUserPool[];
+
+  /**
+   * How long APIGateway should cache the results. Max 1 hour.
+   * Disable caching by setting this to 0.
+   *
+   * @default Duration.minutes(5)
+   */
+  readonly resultsCacheTtl?: Duration;
+
+  /**
+   * The request header mapping expression for the bearer token. This is typically passed as part of the header, in which case
+   * this should be `method.request.header.Authorizer` where Authorizer is the header containing the bearer token.
+   * @see https://docs.aws.amazon.com/apigateway/api-reference/link-relation/authorizer-create/#identitySource
+   * @default `IdentitySource.header('Authorization')`
+   */
+  readonly identitySource?: string;
+}
+
+/**
+ * Cognito user pools based custom authorizer
+ *
+ * @resource AWS::ApiGateway::Authorizer
+ */
+export class CognitoUserPoolsAuthorizer extends Authorizer implements IAuthorizer {
+  /**
+   * The id of the authorizer.
+   * @attribute
+   */
+  public readonly authorizerId: string;
+
+  /**
+   * The ARN of the authorizer to be used in permission policies, such as IAM and resource-based grants.
+   * @attribute
+   */
+  public readonly authorizerArn: string;
+
+  /**
+   * The authorization type of this authorizer.
+   */
+  public readonly authorizationType?: AuthorizationType;
+
+  private restApiId?: string;
+
+  constructor(scope: Construct, id: string, props: CognitoUserPoolsAuthorizerProps) {
+    super(scope, id);
+
+    const restApiId = this.lazyRestApiId();
+    const resource = new CfnAuthorizer(this, 'Resource', {
+      name: props.authorizerName ?? Names.uniqueId(this),
+      restApiId,
+      type: 'COGNITO_USER_POOLS',
+      providerArns: props.cognitoUserPools.map(userPool => userPool.userPoolArn),
+      authorizerResultTtlInSeconds: props.resultsCacheTtl?.toSeconds(),
+      identitySource: props.identitySource || 'method.request.header.Authorization',
+    });
+
+    this.authorizerId = resource.ref;
+    this.authorizerArn = Stack.of(this).formatArn({
+      service: 'execute-api',
+      resource: restApiId,
+      resourceName: `authorizers/${this.authorizerId}`,
+    });
+    this.authorizationType = AuthorizationType.COGNITO;
+  }
+
+  /**
+   * Attaches this authorizer to a specific REST API.
+   * @internal
+   */
+  public _attachToApi(restApi: IRestApi): void {
+    if (this.restApiId && this.restApiId !== restApi.restApiId) {
+      throw new Error('Cannot attach authorizer to two different rest APIs');
+    }
+
+    this.restApiId = restApi.restApiId;
+  }
+
+  /**
+   * Returns a token that resolves to the Rest Api Id at the time of synthesis.
+   * Throws an error, during token resolution, if no RestApi is attached to this authorizer.
+   */
+  private lazyRestApiId() {
+    return Lazy.string({
+      produce: () => {
+        if (!this.restApiId) {
+          throw new Error(`Authorizer (${this.node.path}) must be attached to a RestApi`);
+        }
+        return this.restApiId;
+      },
+    });
+  }
+}

packages/@aws-cdk/aws-apigateway/lib/authorizers/index.ts

@@ -1,2 +1,3 @@
 export * from './lambda';
 export * from './identity-source';
+export * from './cognito';

packages/@aws-cdk/aws-apigateway/lib/resource.ts

@@ -373,7 +373,51 @@ export abstract class ResourceBase extends ResourceConstruct implements IResourc
   }
 }
 
+/**
+ * Attributes that can be specified when importing a Resource
+ */
+export interface ResourceAttributes {
+  /**
+   * The ID of the resource.
+   */
+  readonly resourceId: string;
+
+  /**
+   * The rest API that this resource is part of.
+   */
+  readonly restApi: IRestApi;
+
+  /**
+   * The full path of this resource.
+   */
+  readonly path: string;
+}
+
 export class Resource extends ResourceBase {
+  /**
+   * Import an existing resource
+   */
+  public static fromResourceAttributes(scope: Construct, id: string, attrs: ResourceAttributes): IResource {
+    class Import extends ResourceBase {
+      public readonly api = attrs.restApi;
+      public readonly resourceId = attrs.resourceId;
+      public readonly path = attrs.path;
+      public readonly defaultIntegration?: Integration = undefined;
+      public readonly defaultMethodOptions?: MethodOptions = undefined;
+      public readonly defaultCorsPreflightOptions?: CorsOptions = undefined;
+
+      public get parentResource(): IResource {
+        throw new Error('parentResource is not configured for imported resource.');
+      }
+
+      public get restApi(): RestApi {
+        throw new Error('restApi is not configured for imported resource.');
+      }
+    }
+
+    return new Import(scope, id);
+  }
+
   public readonly parentResource?: IResource;
   public readonly api: IRestApi;
   public readonly resourceId: string;

packages/@aws-cdk/aws-apigateway/package.json

@@ -80,6 +80,7 @@
   "dependencies": {
     "@aws-cdk/aws-certificatemanager": "0.0.0",
     "@aws-cdk/aws-cloudwatch": "0.0.0",
+    "@aws-cdk/aws-cognito": "0.0.0",
     "@aws-cdk/aws-ec2": "0.0.0",
     "@aws-cdk/aws-elasticloadbalancingv2": "0.0.0",
     "@aws-cdk/aws-iam": "0.0.0",
@@ -95,6 +96,7 @@
   "peerDependencies": {
     "@aws-cdk/aws-certificatemanager": "0.0.0",
     "@aws-cdk/aws-cloudwatch": "0.0.0",
+    "@aws-cdk/aws-cognito": "0.0.0",
     "@aws-cdk/aws-ec2": "0.0.0",
     "@aws-cdk/aws-elasticloadbalancingv2": "0.0.0",
     "@aws-cdk/aws-iam": "0.0.0",

packages/@aws-cdk/aws-apigateway/test/authorizers/cognito.test.ts

@@ -0,0 +1,66 @@
+import '@aws-cdk/assert/jest';
+import * as cognito from '@aws-cdk/aws-cognito';
+import { Duration, Stack } from '@aws-cdk/core';
+import { AuthorizationType, CognitoUserPoolsAuthorizer, RestApi } from '../../lib';
+
+describe('Cognito Authorizer', () => {
+  test('default cognito authorizer', () => {
+    // GIVEN
+    const stack = new Stack();
+    const userPool = new cognito.UserPool(stack, 'UserPool');
+
+    // WHEN
+    const authorizer = new CognitoUserPoolsAuthorizer(stack, 'myauthorizer', {
+      cognitoUserPools: [userPool],
+    });
+
+    const restApi = new RestApi(stack, 'myrestapi');
+    restApi.root.addMethod('ANY', undefined, {
+      authorizer,
+      authorizationType: AuthorizationType.COGNITO,
+    });
+
+    // THEN
+    expect(stack).toHaveResource('AWS::ApiGateway::Authorizer', {
+      Type: 'COGNITO_USER_POOLS',
+      RestApiId: stack.resolve(restApi.restApiId),
+      IdentitySource: 'method.request.header.Authorization',
+      ProviderARNs: [stack.resolve(userPool.userPoolArn)],
+    });
+
+    expect(authorizer.authorizerArn.endsWith(`/authorizers/${authorizer.authorizerId}`)).toBeTruthy();
+  });
+
+  test('cognito authorizer with all parameters specified', () => {
+    // GIVEN
+    const stack = new Stack();
+    const userPool1 = new cognito.UserPool(stack, 'UserPool1');
+    const userPool2 = new cognito.UserPool(stack, 'UserPool2');
+
+    // WHEN
+    const authorizer = new CognitoUserPoolsAuthorizer(stack, 'myauthorizer', {
+      cognitoUserPools: [userPool1, userPool2],
+      identitySource: 'method.request.header.whoami',
+      authorizerName: 'myauthorizer',
+      resultsCacheTtl: Duration.minutes(1),
+    });
+
+    const restApi = new RestApi(stack, 'myrestapi');
+    restApi.root.addMethod('ANY', undefined, {
+      authorizer,
+      authorizationType: AuthorizationType.COGNITO,
+    });
+
+    // THEN
+    expect(stack).toHaveResource('AWS::ApiGateway::Authorizer', {
+      Type: 'COGNITO_USER_POOLS',
+      Name: 'myauthorizer',
+      RestApiId: stack.resolve(restApi.restApiId),
+      IdentitySource: 'method.request.header.whoami',
+      AuthorizerResultTtlInSeconds: 60,
+      ProviderARNs: [stack.resolve(userPool1.userPoolArn), stack.resolve(userPool2.userPoolArn)],
+    });
+
+    expect(authorizer.authorizerArn.endsWith(`/authorizers/${authorizer.authorizerId}`)).toBeTruthy();
+  });
+});