Deployment hangs for more than 10 authorizers

[louislatreille]

Hello!

• Vote on this issue by adding a 👍 reaction
• To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already)

Issue details

I am using the AWS API Gateway crosswalk module (@pulumi/aws with @pulumi/aws-apigateway). As suggested in the docs.

API Gateway has a default quota of 10 authorizers per API. When creating more than 10 authorizers the deployment hangs instead of failing.

Steps to reproduce

import * as aws from "@pulumi/aws";
import { authorizerLambda } from "./auth-lambda";
import * as apigateway from "@pulumi/aws-apigateway";

const f = new aws.lambda.CallbackFunction("f", {
    callback: async (ev, ctx) => {
      console.log(JSON.stringify(ev));
      return {
        statusCode: 200,
        body: "Hello, World!",
      };
    },
  });

const routes: apigateway.types.input.RouteArgs[] = [];
for (let i = 0; i < 11; i++) {
    const lambdaAuthorizer: apigateway.types.input.AuthorizerArgs = {
        authType: "custom",
        authorizerName: `lambda-authorizer${i}`,
        parameterName: "Authorization",
        identityValidationExpression: "^Bearer [-0-9a-zA-Z\._]*$",
        type: "token",
        parameterLocation: "header",
        authorizerResultTtlInSeconds: 300,
        handler: new aws.lambda.CallbackFunction("authorizer", {
            callback: authorizerLambda(),
        }),
    }

    routes.push({
      path: `/route${i}`,
      method: "ANY",
      eventHandler: f,
      authorizers: [lambdaAuthorizer]
  });
}

const api = new apigateway.RestAPI("multi-auth-api", {
    routes: routes,
    binaryMediaTypes: ["application/json"],
});

export const url = api.url;

[louislatreille]

After a bit more investigation, it seems like the issue is related to the API Gateway body length, and not the duplicate authorizers directly.

If I do a pumuli stack export and search for the gateway body, I can see that the body length is ~9900 characters with 10 routes. When I add a new route it tips over 10000 characters. It looks like the majority of the body is taken by the authorizer configurations.

[leshibily]

@louislatreille Do we have any update on this issue? Is there any workaround?

[danielrbradley]

As a workaround the only option right now would be to create the underlying AWS resources directly rather than using this compoent.

In order to address this issue, it could be a breaking change as could cause existing resources to be recreated. Especially if the full fix is probably to try and move away from having to specify all routes via the body and instead look at using sub-resources.

Internally, it would also be good to identify why this is hanging rather than failing when the body size is exceeded.

One thing that would be helpful here is to have a complete runnable reproduction of the issue. I.e. a full program which creates 11 routes in a loop and consistently fails when deploying.

[pierskarsenbarg]

@louislatreille @louislatreille So this is a weird one.

By default on a per API Gateway basis, you can't have more than 10 routes. I suspect that neither of you have increased this quota. I don't know why it's hanging when you run an update but this is why it's not working when you have 11 routes

https://github.com/pierskarsenbarg/lambda-authorizer-issue if anyone wants to reproduce this

[thebigtoolbox]

As a workaround the only option right now would be to create the underlying AWS resources directly rather than using this compoent.

@danielrbradley , do you mean directly in AWS without using Pulumi?

[danielrbradley]

@thebigtoolbox correct

Here's an example of using the underlying resources: https://github.com/pulumi/examples/blob/master/aws-ts-apigateway-eventbridge/index.ts

Edit: sorry - still using the pulumi-aws provider - just not the aws-apigateway component.

[pierskarsenbarg]

@thebigtoolbox just to confirm, you'd still use Pulumi to manage the resource, but you would use the api gateway resource within the AWS classic SDK package rather than the separate api gateway package from this repository

[flostadler]

API gateway allows 300 routes per API GW by default. But it allows only 10 authorizers. @louislatreille you were affected by this bug https://github.com/pulumi/pulumi-aws-apigateway/issues/156 that was since fixed and released in v2.5.1.

We still need to hunt down why the deployment hangs for more than 10 authorizers. It should rather just fail. I updated the description and title to capture this.