feat(apigateway): add option for consolidating lambda permissions for rest and http lambda integrations #36021
| }); | ||
|
|
||
| this.handler = handler; | ||
| this.enableTest = options.allowTestInvoke ?? true; |
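Review bot: on `this.enableTest = options.allowTestInvoke ?? true;`, the flag is stored without looking at the new scope option, so a caller who passes `allowTestInvoke: false` to keep test invocations out of the grant gets no signal when `scopePermissionToMethod: false` widens the permission to any resource/method/stage anyway. Suggest raising a synthesis-time warning for that combination and stating in the property docs that the consolidated permission supersedes `allowTestInvoke`.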
allowTestInvoke will be ignored if scopePermissionToMethod is set. This makes sense, but can we leave a warning to the user if allowTestInvoke is set to false, as the option will be ignored in that situation?
Good shout! Added a warning to the documentation as well as annotating with a warning if both are set to false.
| The following code configures a `$connect` route with a AWS integration that integrates with a dynamodb table. On websocket api connect, | ||
| it will write new entry to the dynamodb table. | ||
| it will write new entry to the dynamodb table. | ||
|
|
These changes in spaces are not needed.
92cc608 to f15b1a3
… rest and http lambda integrations

The maximum Lambda permission policy size can be exceeded for APIs which reuse the same Lambda function for multiple operations, as the integration adds a new permission for each operation, scoped down to the specific operation. This change updates both the REST and HTTP API lambda integrations with options to scope the permission to any operation on the API, adding a single statement and avoiding overflowing the maximum policy size.

Fixes aws#9327
Fixes aws#19535
f15b1a3 to 95cf138
Abogical left a comment
Thank you!
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
Comments on closed issues and PRs are hard for our team to see.
Issue # (if applicable)
Fixes #9327
Fixes #19535
Reason for this change
The maximum Lambda permission policy size can be exceeded for APIs which reuse the same Lambda function for multiple operations, as the integration adds a new permission for each operation, scoped down to the specific operation.
Description of changes
This change updates both the REST and HTTP API lambda integrations with options to scope the permission to any operation on the API, adding a single statement and avoiding overflowing the maximum policy size.
Raised this as a new PR to replace #35705 so we have a clearer history in case we ever wanted to consider the more automatic implementation which collapses permissions.
Describe any new or updated permissions being added
Permission for API Gateway to invoke the lambda is scoped to any resource/method/stage when `scopePermissionToMethod` (for REST) or `scopePermissionToRoute` (for HTTP) is set to `false`.
Description of how you validated changes
Unit tests, Integ tests
Added an integration test for both REST and HTTP (`integ.lambda-permission-consolidation`).
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
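
The policy growth described under "Reason for this change", as an added example that is not code from this PR or from CDK: it models per-operation statements against the single consolidated `/*/*/*` statement and checks which source ARNs each one admits. The 20 KB policy quota, the ARNs and the `/orders/N` routes are assumptions or constructed values.

```typescript
// Added example: a model of the policy statements, not CDK's own code.
// Every ARN, account id and name here is a constructed sample value.
const POLICY_LIMIT_BYTES = 20 * 1024; // Lambda resource-policy quota (assumption, not on the page)
const FN_ARN = "arn:aws:lambda:us-east-1:111122223333:function:orders-handler";
const API_ARN = "arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5";

interface Op { method: string; path: string }

// One resource-policy statement letting API Gateway invoke the function.
function statement(sid: string, sourceArn: string): object {
  return {
    Sid: sid, Effect: "Allow",
    Principal: { Service: "apigateway.amazonaws.com" },
    Action: "lambda:InvokeFunction", Resource: FN_ARN,
    Condition: { ArnLike: { "AWS:SourceArn": sourceArn } },
  };
}

// Per-operation scoping: one statement for each method/path on a stage.
function scopedPolicy(ops: Op[], stage: string): object[] {
  return ops.map((op, i) => statement(`op${i}`, `${API_ARN}/${stage}/${op.method}${op.path}`));
}

// Consolidated scoping: one statement for any stage/method/resource.
function consolidatedPolicy(): object[] {
  return [statement("anyOp", `${API_ARN}/*/*/*`)];
}

// Serialized size; the sample policy is ASCII, so length equals bytes.
function policyBytes(statements: object[]): number {
  return JSON.stringify({ Version: "2012-10-17", Statement: statements }).length;
}

// Number of operations at which the per-operation policy first overflows.
function opsUntilOverflow(stage: string): number {
  const ops: Op[] = [];
  do ops.push({ method: "GET", path: `/orders/${ops.length}` });
  while (policyBytes(scopedPolicy(ops, stage)) <= POLICY_LIMIT_BYTES);
  return ops.length;
}

// Simplified ArnLike: '*' and '?' wildcards, used only in the last ARN part.
function arnLike(pattern: string, arn: string): boolean {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp(`^${re}$`).test(arn);
}

console.log(opsUntilOverflow("prod"), policyBytes(consolidatedPolicy()));
```

The consolidated pattern also matches a `test-invoke-stage` source ARN, which is why `allowTestInvoke: false` has no effect once the permission is no longer scoped per method.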