pulumi / pulumi-aws-apigateway

Apache License 2.0

Lambda authorizer roles not automatically created #11

Open danielrbradley opened 2 years ago

danielrbradley commented 2 years ago

Hello!

Issue details

When creating a lambda authorizer, the roles and policies must be created manually.

In previous awsx examples, it appeared that the callback function was automatically created with the correct roles and policies; however, creating a Lambda in Go or Python and assigning it as an authorizer won't automatically add the correct role & policies.

Steps to reproduce

Deploy the following example - note that the role is not set on the Function.

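import pulumi
import pulumi_aws as aws
import pulumi_aws_apigateway as apigateway

# Reproduction: no `role` is passed to the Function, which is what fails.
authLambda = aws.lambda_.Function("auth-lambda",
                                  runtime=aws.lambda_.Runtime.PYTHON3D8,
                                  code=pulumi.AssetArchive({
                                      ".": pulumi.FileArchive("./authorizer"),
                                  }),
                                  handler="handler.handler",
                                  )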

api = apigateway.RestAPI('api', routes=[
    apigateway.RouteArgs(path="/", method="GET", local_path="www",
                         authorizers=[apigateway.AuthorizerArgs(
                             auth_type="custom",
                             parameter_name="Authorization",
                             type="request",
                             identity_source=[
                                 "method.request.header.Authorization"],
                             handler=authLambda
                         )]),
])

Expected: Role and policies to be created and assigned by the RestAPI - like in TypeScript

Actual: Deployment failed

lukehoban commented 2 years ago

I think we will need to ask users to assign the right roles to lambdas; we will not want to try to “change” the policies for a lambda passed to us from the outside. Is there any reason we can’t just document what’s required?

danielrbradley commented 2 years ago

Ah I was mistaken - it's not the API gateway that creates the role and basic policy - it's the CallbackFunction in TypeScript. I think we'd be better moving this issue to the main pulumi-aws repo to make role optional and build a default role if none has been provided by the user.
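An added example, not part of the thread and not the project's own code: one way to create the execution role by hand for the authorizer Lambda from the reproduction, with a small check that the trust policy admits only the Lambda service. The resource names `auth-lambda-role` and `auth-lambda-logs` and both helper functions are assumptions, as is the choice of the AWS-managed basic execution policy (log writing only) as the "basic policy".

```python
import json

# AWS-managed policy that grants only CloudWatch Logs write access.
BASIC_EXECUTION_ARN = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"

def lambda_trust_policy() -> str:
    """Trust policy that lets only the Lambda service assume the role."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    })

def trust_policy_problems(policy_json: str) -> list:
    """Return reasons a trust policy is broader than the authorizer needs."""
    problems = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        services = [services] if isinstance(services, str) else services
        if principal == "*" or (isinstance(principal, dict) and set(principal) - {"Service"}):
            problems.append("non-service principal can assume the role")
        extra = [s for s in services if s != "lambda.amazonaws.com"]
        if extra:
            problems.append(f"unexpected service principals: {extra}")
        if stmt.get("Action") not in ("sts:AssumeRole", ["sts:AssumeRole"]):
            problems.append("action is broader than sts:AssumeRole")
    return problems

def declare_authorizer_lambda():
    """Declare the role and the Function; call from __main__.py under `pulumi up`."""
    import pulumi
    import pulumi_aws as aws
    role = aws.iam.Role("auth-lambda-role", assume_role_policy=lambda_trust_policy())
    aws.iam.RolePolicyAttachment("auth-lambda-logs", role=role.name,
                                 policy_arn=BASIC_EXECUTION_ARN)
    return aws.lambda_.Function(
        "auth-lambda",
        role=role.arn,  # the argument missing from the reproduction
        runtime=aws.lambda_.Runtime.PYTHON3D8,
        code=pulumi.AssetArchive({".": pulumi.FileArchive("./authorizer")}),
        handler="handler.handler",
    )
```

The Function returned by `declare_authorizer_lambda()` can be passed as `handler=` in `apigateway.AuthorizerArgs` exactly as `authLambda` is in the reproduction.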