aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(aws-cdk-lib): aws-sam.CfnApi does not support auth.ResourcePolicy and other options #31518

Open tsuga opened 1 month ago

tsuga commented 1 month ago

Describe the bug

AWS::Serverless::Api supports various auth methods.

    AddApiKeyRequiredToCorsPreflight: Boolean
    AddDefaultAuthorizerToCorsPreflight: Boolean
    ApiKeyRequired: Boolean
    Authorizers: CognitoAuthorizer | LambdaTokenAuthorizer | LambdaRequestAuthorizer
    DefaultAuthorizer: String
    InvokeRole: String
    ResourcePolicy: ResourcePolicyStatement
    UsagePlan: ApiUsagePlan

https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-api-apiauth.html

However, only AddDefaultAuthorizerToCorsPreflight, Authorizers, and DefaultAuthorizer are supported. Others such as ResourcePolicy and ApiKeyRequired are not supported.

./node_modules/aws-cdk-lib/aws-sam/lib/sam.generated.d.ts

export interface CfnApiProps {
    [...]
    /**
     * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-serverless-api.html#cfn-serverless-api-auth
     */
    readonly auth?: CfnApi.AuthProperty | cdk.IResolvable;
    [...]
}
[...]
    interface AuthProperty {
        /**
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-serverless-api-auth.html#cfn-serverless-api-auth-adddefaultauthorizertocorspreflight
         */
        readonly addDefaultAuthorizerToCorsPreflight?: boolean | cdk.IResolvable;
        /**
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-serverless-api-auth.html#cfn-serverless-api-auth-authorizers
         */
        readonly authorizers?: any | cdk.IResolvable;
        /**
         * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-serverless-api-auth.html#cfn-serverless-api-auth-defaultauthorizer
         */
        readonly defaultAuthorizer?: string;
    }

Regression Issue

Last Known Working CDK Version

No response

Expected Behavior

It should cover all supported options.

Current Behavior

Only AddDefaultAuthorizerToCorsPreflight, Authorizers, and DefaultAuthorizer are supported.

Reproduction Steps

See above

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.159.1 (build c66f4e3)

Framework Version

No response

Node.js Version

20

OS

ubuntu

Language

TypeScript

Language Version

No response

Other information

No response
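
A check that can be run over the synthesized template while the typed props lag behind the SAM documentation, added here as an example and not code from this issue or from aws-cdk: for each AWS::Serverless::Api resource it reports which of the Auth properties listed above are actually set, which of those fall outside CfnApi.AuthProperty as described in the report, and which ones a caller-supplied policy expects but the template lacks. The function name, the `required` argument and the sample template are assumptions made for illustration.

```typescript
// Auth properties of AWS::Serverless::Api, as listed in the issue.
const AUTH_PROPS = [
  "AddApiKeyRequiredToCorsPreflight", "AddDefaultAuthorizerToCorsPreflight",
  "ApiKeyRequired", "Authorizers", "DefaultAuthorizer", "InvokeRole",
  "ResourcePolicy", "UsagePlan",
] as const;
type AuthProp = (typeof AUTH_PROPS)[number];
// The three the issue reports as present in CfnApi.AuthProperty (CDK CLI 2.159.1).
const TYPED_IN_CDK: readonly AuthProp[] =
  ["AddDefaultAuthorizerToCorsPreflight", "Authorizers", "DefaultAuthorizer"];
interface Finding {
  logicalId: string;
  status: "no-auth" | "unresolved" | "checked";
  set: AuthProp[];      // Auth keys present in the template
  untyped: AuthProp[];  // present, but outside CfnApi.AuthProperty per the issue
  missing: AuthProp[];  // expected by the caller's policy, absent from the template
}
type Obj = { [key: string]: unknown };
const isObj = (v: unknown): v is Obj => typeof v === "object" && v !== null && !Array.isArray(v);
// `required` is this example's own policy input (hypothetical), not a SAM or CDK concept.
function auditSamApiAuth(template: unknown, required: readonly AuthProp[]): Finding[] {
  const root = isObj(template) ? template["Resources"] : undefined;
  const resources: Obj = isObj(root) ? root : {};
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(resources)) {
    const res = resources[logicalId];
    if (!isObj(res) || res["Type"] !== "AWS::Serverless::Api") continue;
    const props = res["Properties"], auth = isObj(props) ? props["Auth"] : undefined;
    if (!isObj(auth)) { // no Auth block on this resource at all
      findings.push({ logicalId, status: "no-auth", set: [], untyped: [], missing: required.slice() });
      continue;
    }
    const keys = Object.keys(auth);
    if (keys.length === 1 && keys.every((k) => k === "Ref" || k.indexOf("Fn::") === 0)) {
      // Auth is an intrinsic resolved at deploy time: report it, do not guess.
      findings.push({ logicalId, status: "unresolved", set: [], untyped: [], missing: [] });
      continue;
    }
    const set = AUTH_PROPS.filter((p) => p in auth);
    findings.push({ logicalId, status: "checked", set,
      untyped: set.filter((p) => TYPED_IN_CDK.indexOf(p) < 0),
      missing: required.filter((p) => set.indexOf(p) < 0) });
  }
  return findings;
}
// Constructed sample of a synthesized template (not taken from the issue).
const SAMPLE_TEMPLATE = { Resources: {
  PublicApi: { Type: "AWS::Serverless::Api", Properties: { StageName: "prod" } },
  PartnerApi: { Type: "AWS::Serverless::Api", Properties: { StageName: "prod",
    Auth: { DefaultAuthorizer: "AWS_IAM", ApiKeyRequired: true } } },
  Table: { Type: "AWS::DynamoDB::Table", Properties: {} },
} };
```

Calling `auditSamApiAuth(SAMPLE_TEMPLATE, ["ResourcePolicy"])` flags both sample APIs as lacking a resource policy and shows that PartnerApi's `ApiKeyRequired` is one of the settings the typed props do not cover.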

ashishdhingra commented 1 month ago

Findings:

Will monitor to check if SAMSpec/sam.schema.json is updated in a few days.

jiayiwang7 commented 1 month ago

We will be loading the SAM resources from the official SAM schema https://raw.githubusercontent.com/aws/serverless-application-model/develop/schema_source/sam.schema.json

Once https://github.com/cdklabs/awscdk-service-spec/pull/898 is merged, you shall see the updated schemas with ResourcePolicy, ApiKeyRequired in it.