(apigateway): Changes to authorizer does not cause latest deployment to update #16554

@kamzil

Description

When you have an authorizer that has an imported Lambda from another stack set as handler (authorizerUri), and you change that ARN, the authorizer will start failing with AuthorizerConfigurationException on requests to API endpoints that have that authorizer attached.

API Gateway logs reveal that the authorizer is still trying to invoke the Lambda with the old ARN, and fails because the Lambda permission has already been replaced with one that contains the new ARN.

This is most likely because CDK won't create a new REST API deployment despite the authorizerUri of the CfnAuthorizer construct being updated.

Reproduction Steps

  1. Add a new Lambda, REST API, authorizer and method to your stack. The authorizer Lambda should already exist in another stack:

    import * as lambda from '@aws-cdk/aws-lambda'
    import { AuthorizationType, LambdaIntegration, RestApi, TokenAuthorizer } from '@aws-cdk/aws-apigateway'

    // Lambda that should be served via your API
    const yourLambda = new lambda.Function(...)

    // Authorizer that uses a Lambda from another stack
    const authorizerLambdaFuncArn = 'authorizer-lambda-arn-goes-here'
    const someAuthorizer = new TokenAuthorizer(this, 'SomeAuthorizer', {
      authorizerName: 'someAuthorizer',
      handler: lambda.Function.fromFunctionArn(this, 'SomeAuthorizerFunction', authorizerLambdaFuncArn),
    })

    // REST API
    const restApi = new RestApi(this, 'SomeApi', {
      restApiName: 'some-api',
    })

    // API method configured with your Lambda and the authorizer
    restApi.root.addMethod('GET', new LambdaIntegration(yourLambda), {
      authorizationType: AuthorizationType.CUSTOM,
      authorizer: someAuthorizer,
    })

  2. cdk deploy your stack
  3. Requests to your API endpoint should successfully pass to the authorizer
  4. Change authorizerLambdaFuncArn to some other Lambda function's ARN
  5. Repeat step 2
  6. Requests to your API endpoint should now return AuthorizerConfigurationException

What did you expect to happen?

CDK should create a new deployment so that requests will be forwarded to the correct authorizer Lambda.

What actually happened?

No new deployment is created, but the Lambda permission is updated, which leads to a permission error.

Environment

  • CDK CLI Version : 1.123.0
  • Framework Version: 1.123.0
  • Node.js Version: v14.17.5
  • OS : MacOS 10.15.7
  • Language (Version): TypeScript 4.3.5

Other

Workaround:

Add the following in your code:

    if (restApi.latestDeployment) {
      restApi.latestDeployment.addToLogicalId({
        someAuthorizerFunctionArn: authorizerLambdaFuncArn,
      })
    }

This will cause CDK to create a new API deployment.


This is 🐛 Bug Report
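The workaround above, generalized to any number of external authorizer ARNs, as an added example that is not part of the original issue or the CDK source. `bindDeploymentToAuthorizers`, `ModelDeployment` and `synthLogicalId` are hypothetical names, the ARNs are constructed, and the model assumes a deployment is replaced only when its hash-suffixed logical ID changes.

```typescript
// Structural types (assumption): RestApi and Deployment from
// @aws-cdk/aws-apigateway expose these members, so real constructs fit.
interface DeploymentLike { addToLogicalId(data: unknown): void }
interface ApiLike { latestDeployment?: DeploymentLike }

// Tie the deployment's identity to every external authorizer ARN.
// Names are sorted so declaration order alone never forces a redeploy.
function bindDeploymentToAuthorizers(api: ApiLike, arns: Record<string, string>): boolean {
  if (!api.latestDeployment) return false; // no managed deployment to bind
  const sorted = Object.keys(arns).sort().map((name) => [name, arns[name]]);
  api.latestDeployment.addToLogicalId({ authorizerArns: sorted });
  return true;
}

// Simplified model (assumption, not CDK code): the logical ID carries a hash
// of everything added to it. A plain 32-bit string hash stands in for the
// real digest.
class ModelDeployment implements DeploymentLike {
  private readonly components: unknown[] = [];
  addToLogicalId(data: unknown): void { this.components.push(data); }
  logicalId(): string {
    const text = JSON.stringify(this.components);
    let h = 7;
    for (let i = 0; i < text.length; i++) {
      h = (h * 31 + text.charCodeAt(i)) >>> 0;
    }
    return 'SomeApiDeployment' + h.toString(16);
  }
}

// One synthesis of the model for a given authorizer ARN.
function synthLogicalId(authorizerArn: string, bind: boolean): string {
  const deployment = new ModelDeployment();
  // The method refers to the authorizer by a stable reference, so the ARN
  // never reaches the hash unless it is added explicitly.
  deployment.addToLogicalId({ method: 'GET', authorizerRef: 'SomeAuthorizer' });
  if (bind) {
    bindDeploymentToAuthorizers({ latestDeployment: deployment }, { someAuthorizer: authorizerArn });
  }
  return deployment.logicalId();
}

// Constructed sample ARNs.
const OLD_ARN = 'arn:aws:lambda:us-east-1:111111111111:function:authorizer-a';
const NEW_ARN = 'arn:aws:lambda:us-east-1:111111111111:function:authorizer-b';
console.log(synthLogicalId(OLD_ARN, false) === synthLogicalId(NEW_ARN, false)); // unbound
console.log(synthLogicalId(OLD_ARN, true) === synthLogicalId(NEW_ARN, true));   // bound
```

In a real stack the helper would be called once with `restApi` after all methods are added, passing every imported authorizer function ARN.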

Labels: @aws-cdk/aws-apigateway (Related to Amazon API Gateway), bug (This issue is a bug.), effort/small (Small work item – less than a day of effort), p2
