CfnAuthorizer creation fails if optional property `identitySource` is missing
Describe the bug
Trying to create a `CfnAuthorizer` without `identitySource` specified in the props fails.
The `identitySource` field is specified as “Required: no” in the CloudFormation docs.
Furthermore, once you have deployed an authorizer with `identitySource` specified, removing this from the props and redeploying will not remove the Identity Sources from the authorizer.
To Reproduce
Use this minimal stack:
```ts
import * as cdk from "@aws-cdk/cdk";
import * as apig from "@aws-cdk/aws-apigateway";
import * as lambda from "@aws-cdk/aws-lambda";

export class IdentitySourceStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    new IdentitySourceService(this, "testService");
  }
}

export class IdentitySourceService extends cdk.Construct {
  constructor(scope: cdk.Construct, id: string) {
    super(scope, id);

    const handlerFunction = new lambda.Function(this, "sayHelloHandler", {
      runtime: lambda.Runtime.NodeJS810,
      code: lambda.Code.directory("resources"),
      handler: "index.handler",
    });

    const authoriserFunction = new lambda.Function(this, "authoriser", {
      runtime: lambda.Runtime.NodeJS810,
      code: lambda.Code.directory("resources"),
      handler: "index.authoriser",
    });

    const api = new apig.RestApi(this, "IdentitySourceApi", {
      restApiName: "Identity source service",
      description: "This API shows that the IdentitySource option is required",
      deploy: true,
    });

    const authoriser = new apig.CfnAuthorizer(this, "apiAuthoriser", {
      restApiId: api.restApiId,
      type: "REQUEST",
      // Uncomment the line below for deployment to succeed
      // identitySource: "method.request.header.Authorization",
      name: "MyAuthorizer",
      authorizerUri: `arn:aws:apigateway:eu-west-3:lambda:path/2015-03-31/functions/${authoriserFunction.functionArn}/invocations`,
    });

    const handlerIntegration = new apig.LambdaIntegration(handlerFunction);
    api.root.addMethod("GET", handlerIntegration, {
      authorizationType: apig.AuthorizationType.Custom,
      authorizerId: authoriser.authorizerId,
    });
  }
}
```
First, deploy using `tsc && cdk deploy` with `identitySource` commented out. It fails with the error:
```
CREATE_FAILED | AWS::ApiGateway::Authorizer | testService/apiAuthoriser (testServiceapiAuthoriser950C7F8F) Invalid request input (Service: AmazonApiGateway; Status Code: 400; Error Code: BadRequestException; Request ID: 925fdf20-77c5-11e9-a2f7-c3ab60e1a613)
```
Second, un-comment `identitySource` and deploy again. The authorizer is created with the identity sources specified.
Third, comment out the `identitySource` again, and redeploy. The deployment succeeds, but the identity sources are still specified on the resource.
Finally, delete the identity sources from the authorizer through the console. This succeeds, indicating that they really aren’t required.
Expected behavior
The stack should deploy successfully without `identitySource` specified.
The identity sources should be removed when redeploying after removing them from the props.
Version:
- OS: Mac OS 10.13.6
- Programming Language: TypeScript
- CDK Version: 0.31.0
Top GitHub Comments
@rix0rrr Hi! If you look in the API reference documentation about the `identitySource` property:

I’ve tested it directly with a CloudFormation stack and it works perfectly if you set the `AuthorizerResultTtlInSeconds` to `0` seconds for disabling cache.

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
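
As an added example (not part of the original issue or of the CDK code base), here is a pre-deploy check over a synthesized template that flags authorizers API Gateway would reject for a missing identity source. It assumes the rule from the API Gateway API reference that the comment above points to: `IdentitySource` is optional only for a `REQUEST` authorizer with caching disabled (TTL `0`; the default TTL is 300 seconds). The function name and the sample template are constructed for illustration.

```typescript
// Added example: the function name and sample template are constructed, not from the issue.
type Resource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources: Record<string, Resource> };

const DEFAULT_TTL_SECONDS = 300; // API Gateway default when the TTL property is omitted

// Returns one finding per AWS::ApiGateway::Authorizer that omits IdentitySource
// in a configuration where API Gateway needs it (assumed rule, see lead-in).
function findAuthorizersMissingIdentitySource(template: Template): string[] {
  const findings: string[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type !== "AWS::ApiGateway::Authorizer") continue;
    const props = res.Properties ?? {};
    const source = props["IdentitySource"];
    if (typeof source === "string" && source.trim() !== "") continue; // declared
    const authType = String(props["Type"]);
    const rawTtl = props["AuthorizerResultTtlInSeconds"];
    const ttl = rawTtl === undefined ? DEFAULT_TTL_SECONDS : Number(rawTtl);
    if (authType === "REQUEST" && ttl === 0) continue; // caching off: optional
    const reason = authType === "REQUEST"
      ? `caching is on (TTL ${ttl}s), so the cache key must be declared`
      : `${authType} authorizers always read the credential from IdentitySource`;
    findings.push(`${logicalId}: IdentitySource missing; ${reason}`);
  }
  return findings;
}

// Constructed template fragment; the first entry mirrors the issue's authorizer.
const sampleTemplate: Template = {
  Resources: {
    FailingAuthorizer: { Type: "AWS::ApiGateway::Authorizer",
      Properties: { Type: "REQUEST", Name: "MyAuthorizer" } },
    UncachedAuthorizer: { Type: "AWS::ApiGateway::Authorizer",
      Properties: { Type: "REQUEST", Name: "MyAuthorizer", AuthorizerResultTtlInSeconds: 0 } },
    TokenAuthorizer: { Type: "AWS::ApiGateway::Authorizer",
      Properties: { Type: "TOKEN", Name: "Tok", AuthorizerResultTtlInSeconds: 0 } },
    WithSource: { Type: "AWS::ApiGateway::Authorizer",
      Properties: { Type: "REQUEST", Name: "Ok",
        IdentitySource: "method.request.header.Authorization" } },
    Api: { Type: "AWS::ApiGateway::RestApi", Properties: { Name: "Identity source service" } },
  },
};

console.log(findAuthorizersMissingIdentitySource(sampleTemplate).join("\n"));
```

Run against the JSON produced by `cdk synth`, a check like this surfaces the problem before CloudFormation returns the opaque `Invalid request input` error.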