
[APIGateway] LambdaIntegration: Add option to create a single trigger/permission with wildcards only instead of one for each ApiGateway Resource


For the Lambda ApiGateway integration, add an option to prefer a single wildcard trigger/integrationPermission instead of multiple triggers/integrationPermissions for each URL/endpoint/resource defined in the ApiGateway.

Currently the created triggers in the AWS console look like this:

arn:aws:execute-api:us-east-1:123:api_id/prod/GET/v1/parent_res_1/*
arn:aws:execute-api:us-east-1:123:api_id/prod/POST/v1/parent_res_1/*
arn:aws:execute-api:us-east-1:123:api_id/prod/GET/v1/parent_res_2/*
...

The requested feature would allow having something like this instead:

arn:aws:execute-api:us-east-1:123:api_id/*

Use Case

In case of APIs with a larger amount of urls/endpoints/resources, it is likely to get a “The final policy size (XXX) is bigger than the limit (20480)” error.

In our case, we run into that for an API with around 15 resources and worked around temporarily by setting LambdaIntegrationOptions.allowTestInvoke to false. This cut the number of triggers/IntegrationPermissions in half and the policy didn’t hit the limit anymore. However, we would prefer leaving allowTestInvoke to true. Moreover as the API grows over time, we will likely run into the same issue again later: the faster the API grows, the sooner. Implementing something like described in https://github.com/aws/aws-cdk/issues/5774#issuecomment-609583801 (also see below) currently seems to be something like a last resort for us.

The implication of the current state of CDK in this respect for us is that the CDK ApiGateway -> LambdaIntegration cannot easily be used for APIs with a considerable number of endpoints, because the CDK stack will break sooner or later when adding more resources to the APIGateway.

Proposed Solution

  • Add boolean option singleWildcardTrigger or singleWildcardIntegrationPermission to aws_cdk.aws_apigateway.LambdaIntegrationOptions.
  • By default, it is false and everything works as it does currently.
  • In case of true, only a single trigger with wildcards is generated (see above).
  • With the existing allowTestInvoke option, there is already an option which works globally on all triggers/integrationPermissions as well. So something very similar is already available.

Other

There is a similar (duplicate?) issue which has been closed already: https://github.com/aws/aws-cdk/issues/5774 (closed in https://github.com/aws/aws-cdk/issues/5774#issuecomment-594902199 by AWS). The discussions at the end (after closing by AWS) are about workarounds (subclassing CDK) for something which seems to be missing as a feature, thus I created a new issue. Feel free to reopen the original one and add this as a duplicate.

Please also check https://github.com/aws/aws-cdk/issues/5774#issuecomment-609583801 which has been added after closing the issue. This comment describes the problem exactly the same as we see it.


This is a 🚀 Feature Request

Issue Analytics

  • State: open
  • Created 3 years ago
  • Reactions: 16
  • Comments: 29 (5 by maintainers)

Top GitHub Comments

10 reactions
leantorres73 commented, Jul 21, 2021

Expecting for this to be fixed also!

5 reactions
rehanvdm commented, Jun 10, 2021

Author of the comment that is referenced in this ticket. It has been a few versions since that was posted and it no longer works. I took some inspiration from @nija-at's comment above. Rather than using Aspects that apply it over all the API GW methods, I extended the class as I did in the old method. So my alternative updated version that seems to work:

```typescript
import lambda = require('@aws-cdk/aws-lambda');
import apigateway = require('@aws-cdk/aws-apigateway');
import iam = require('@aws-cdk/aws-iam');

// LambdaIntegration that drops the per-method CfnPermission CDK attaches in bind(),
// so that a single wildcard permission can be added manually instead (see below).
export class LambdaIntegrationNoPermission extends apigateway.LambdaIntegration {
  constructor(handler: lambda.IFunction, options?: apigateway.LambdaIntegrationOptions) {
    super(handler, options);
  }

  bind(method: apigateway.Method): apigateway.IntegrationConfig {
    const integrationConfig = super.bind(method);
    // super.bind() scoped its lambda:InvokeFunction permission(s) under this method;
    // find and remove them so they never reach the function's resource policy
    const permissions = method.node.children.filter(c => c instanceof lambda.CfnPermission);
    permissions.forEach(p => method.node.tryRemoveChild(p.node.id));
    return integrationConfig;
  }
}

// id, apiLambda and buildPros come from the surrounding stack
const api = new apigateway.RestApi(this, id + "-api", {
  restApiName: id,
  deployOptions: { stageName: buildPros.Environment },
  defaultCorsPreflightOptions: {
    allowOrigins: apigateway.Cors.ALL_ORIGINS,
    allowMethods: apigateway.Cors.ALL_METHODS,
    allowHeaders: ["*"]
  },
  defaultIntegration: new LambdaIntegrationNoPermission(apiLambda, { proxy: true }),
});

// .... Add many methods and resources here ....

/* Manually add the one permission; calling arnForExecuteApi() with no
   arguments yields a source ARN covering all methods, paths and stages */
apiLambda.addPermission(id + "ApiGWPermissions", {
  action: 'lambda:InvokeFunction',
  principal: new iam.ServicePrincipal('apigateway.amazonaws.com'),
  sourceArn: api.arnForExecuteApi()
});
```
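As an added example that is not part of the thread or of CDK's own code: a plain-object model of the Lambda resource-based policy statements behind the per-method permissions from the issue and behind the single wildcard permission from the workaround above, computing the policy size against the 20480-byte limit and checking which execute-api ARNs a given SourceArn pattern admits. Sids, function ARN and route list are constructed; `test-invoke-stage` is the stage name CDK uses for allowTestInvoke.

```typescript
// Model of the Lambda resource-based policy behind CDK's LambdaIntegration: one
// statement per method on the deployed stage (plus one per method for
// test-invoke-stage when allowTestInvoke is true) beside the single wildcard
// statement. Sids are constructed; CDK's real Sids are longer, so real policies are bigger.
const POLICY_SIZE_LIMIT = 20480; // bytes, the limit quoted in the issue

interface Route { method: string; path: string }

function stmt(sid: string, fnArn: string, sourceArn: string) {
  return {
    Sid: sid, Effect: "Allow",
    Principal: { Service: "apigateway.amazonaws.com" },
    Action: "lambda:InvokeFunction", Resource: fnArn,
    Condition: { ArnLike: { "AWS:SourceArn": sourceArn } },
  };
}

// Per-method policy as CDK builds it today; apiArn is the RestApi's
// execute-api ARN, e.g. arn:aws:execute-api:us-east-1:123:api_id
function perMethodPolicy(fnArn: string, apiArn: string, stage: string,
                         routes: Route[], allowTestInvoke: boolean) {
  const statements: ReturnType<typeof stmt>[] = [];
  routes.forEach((r, i) => {
    statements.push(stmt(`m${i}`, fnArn, `${apiArn}/${stage}/${r.method}${r.path}`));
    if (allowTestInvoke) {
      statements.push(stmt(`t${i}`, fnArn, `${apiArn}/test-invoke-stage/${r.method}${r.path}`));
    }
  });
  return { Version: "2012-10-17", Statement: statements };
}

// The single-wildcard alternative: every stage, method and path of this one API.
function wildcardPolicy(fnArn: string, apiArn: string) {
  return { Version: "2012-10-17", Statement: [stmt("all", fnArn, `${apiArn}/*`)] };
}

// Policy length in bytes (the document is ASCII, so string length is byte length).
function policySize(policy: object): number { return JSON.stringify(policy).length; }
function fitsLimit(policy: object): boolean { return policySize(policy) <= POLICY_SIZE_LIMIT; }

// ArnLike semantics: '*' spans any characters (slashes included), '?' exactly one.
function arnMatches(pattern: string, arn: string): boolean {
  const escaped = pattern.replace(/[.+^$(){}|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$").test(arn);
}

// Constructed sample: 15 resources, each exposing GET and POST, as in the issue.
const API_ARN = "arn:aws:execute-api:us-east-1:123:api_id";
const FN_ARN = "arn:aws:lambda:us-east-1:123:function:api-handler";
const ROUTES: Route[] = [];
for (let n = 1; n <= 15; n++) ["GET", "POST"].forEach(m => ROUTES.push({ method: m, path: `/v1/parent_res_${n}/*` }));
```

The wildcard statement also admits test-invoke-stage and any future stage of the API, which is what the per-method statements and allowTestInvoke=false each restrict; reviewing that trade-off is the reason to keep the option opt-in as the issue proposes.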
