apigateway: Can't override authorization_type on child resource if parent resource uses a custom authorizer #29658

Closed as not planned
@kvncp

Description

Describe the bug

When setting the default authorization method on an API gateway resource to CUSTOM, the CDK logic prevents overriding this authorization on child resources to anything other than a Custom resource.

Attempts to override the authorizer type will fail with the message "Error: ApigwBugStack/api/Default/unauthenticated_endpoint/GET - Authorization type is set to NONE which is different from what is required by the authorizer [CUSTOM]"

Expected Behavior

It should be possible to override a child resource with a different authorization type.

Current Behavior

CDK failed with the error mentioned in the description.

Reproduction Steps

from aws_cdk import Stack, aws_apigateway, aws_lambda
from constructs import Construct


class ApigwBugStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        fake_lambda = aws_lambda.Function(
            self,
            "lambda",
            code=aws_lambda.Code.from_inline("..."),
            handler="handler",
            runtime=aws_lambda.Runtime.PYTHON_3_10,
        )

        api = aws_apigateway.RestApi(
            self,
            "api",
            default_method_options=aws_apigateway.MethodOptions(
                authorization_type=aws_apigateway.AuthorizationType.CUSTOM,
                authorizer=aws_apigateway.TokenAuthorizer(
                    self, "auth", handler=fake_lambda
                ),
            ),
        )

        # Works as expected, inherit authorization from api
        api.root.add_resource("authenticated_endpoint").add_method(
            "GET", integration=aws_apigateway.HttpIntegration("http://www.example.com")
        )

        noauth_method = api.root.add_resource("unauthenticated_endpoint").add_method(
            "GET",
            integration=aws_apigateway.HttpIntegration("http://www.example.com"),
            # This does not work, but should:
            # authorization_type=aws_apigateway.AuthorizationType.NONE,
        )
        # This workaround does work, showing this is a CDK problem, not a CF or API GW problem.
        noauth_method.node.default_child.add_property_override("AuthorizationType", "NONE")

This repro can be found here: https://github.com/kvncp/cdk-repro/blob/main/apigw-bug/apigw_bug/apigw_bug_stack.py

Possible Solution

When setting the authorization_type on a child resource, CDK should not fail if a custom authorizer was set on a parent resource.

Additional Information/Context

No response

CDK CLI Version

2.134

Framework Version

No response

Node.js Version

20.0.0

OS

OSX 12.2

Language

Python

Language Version

3.10

Other information

No response
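
Added example (not part of the issue or of CDK): the `add_property_override` workaround above writes `AuthorizationType` straight into the synthesized template, past CDK's own validation, so a template-level check can confirm that only intended routes are left without an authorizer. The template below is a constructed, trimmed sample with made-up logical IDs, and treating a missing `AuthorizationType` as open is an assumption of this check.

```python
# Constructed sample: a trimmed synthesized template; logical IDs are made up.
def res(parent, part):
    return {"Type": "AWS::ApiGateway::Resource",
            "Properties": {"ParentId": parent, "PathPart": part}}

def get(resource_id, auth_type):
    return {"Type": "AWS::ApiGateway::Method",
            "Properties": {"HttpMethod": "GET", "ResourceId": {"Ref": resource_id},
                           "AuthorizationType": auth_type}}

ROOT = {"Fn::GetAtt": ["api", "RootResourceId"]}
TEMPLATE = {"Resources": {
    "api": {"Type": "AWS::ApiGateway::RestApi", "Properties": {"Name": "api"}},
    "authRes": res(ROOT, "authenticated_endpoint"),
    "noauthRes": res(ROOT, "unauthenticated_endpoint"),
    "authGet": get("authRes", "CUSTOM"),
    "noauthGet": get("noauthRes", "NONE"),  # what the property override produces
}}

def resource_path(resources, ref):
    """Turn a ResourceId/ParentId intrinsic into a URL path."""
    if "Fn::GetAtt" in ref:  # the RestApi's root resource
        return "/"
    props = resources[ref["Ref"]]["Properties"]
    parent = resource_path(resources, props["ParentId"])
    return parent.rstrip("/") + "/" + props["PathPart"]

def unexpected_open_methods(template, allowed):
    """Return (verb, path) for every method with AuthorizationType NONE
    that is not in the explicit allowlist of intentionally open routes."""
    resources = template["Resources"]
    findings = []
    for item in resources.values():
        if item["Type"] != "AWS::ApiGateway::Method":
            continue
        props = item["Properties"]
        route = (props["HttpMethod"], resource_path(resources, props["ResourceId"]))
        # Assumption: a missing AuthorizationType is treated as open.
        if props.get("AuthorizationType", "NONE") == "NONE" and route not in allowed:
            findings.append(route)
    return sorted(findings)

if __name__ == "__main__":
    # Assumption: this is the only route meant to be unauthenticated.
    allowed = {("GET", "/unauthenticated_endpoint")}
    print(unexpected_open_methods(TEMPLATE, allowed))
```

Run against the real template in `cdk.out` as a CI step, a non-empty result means an override or a new method has opened a route that nobody allowlisted.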

Labels: @aws-cdk/aws-apigateway (Related to Amazon API Gateway), bug (This issue is a bug.), duplicate (This issue is a duplicate.)
