fix(api-gateway): add validation to variables property on Stage resource (#25267)

Closes #3635 

From the original issue: API Gateway Stage variables must match a regex to be valid ([See the documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-stage.html#cfn-apigateway-stage-variables)). When adding variables using CDK, this regex is not enforced, so it can synthesize a CloudFormation template that cannot be deployed.

This PR fixes this issue by adding a validation that the strings match that regex along with a unit test for these changes.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: sumupitchayan

Diff for: packages/@aws-cdk/cx-api/FEATURE_FLAGS.md

@@ -17,6 +17,7 @@ Flags come in three types:
 
 | Flag | Summary | Since | Type |
 | ----- | ----- | ----- | ----- |
+| [@aws-cdk/aws-apigateway:requestValidatorUniqueId](#aws-cdkaws-apigatewayrequestvalidatoruniqueid) | Generate a unique id for each RequestValidator added to a method | V2·NEXT | (fix) |
 | [@aws-cdk/aws-route53-patters:useCertificate](#aws-cdkaws-route53-pattersusecertificate) | Use the official `Certificate` resource instead of `DnsValidatedCertificate` | V2·NEXT | (default) |
 | [@aws-cdk/core:newStyleStackSynthesis](#aws-cdkcorenewstylestacksynthesis) | Switch to new stack synthesis method which enables CI/CD | 2.0.0 | (fix) |
 | [@aws-cdk/core:stackRelativeExports](#aws-cdkcorestackrelativeexports) | Name exports based on the construct paths relative to the stack, rather than the global construct path | 2.0.0 | (fix) |
@@ -90,7 +91,8 @@ The following json shows the current recommended set of flags, as `cdk init` wou
     "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
     "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
     "@aws-cdk/aws-redshift:columnId": true,
-    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true
+    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
+    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true
   }
 }
 ```
@@ -320,6 +322,23 @@ Encryption can also be configured explicitly using the `encrypted` property.
 **Compatibility with old behavior:** Pass the `encrypted: false` property to the `FileSystem` construct to disable encryption.
 
 
+### @aws-cdk/aws-apigateway:requestValidatorUniqueId
+
+*Generate a unique id for each RequestValidator added to a method* (fix)
+
+This flag allows multiple RequestValidators to be added to a RestApi when
+providing the `RequestValidatorOptions` in the `addMethod()` method.
+
+If the flag is not set then only a single RequestValidator can be added in this way.
+Any additional RequestValidators have to be created directly with `new RequestValidator`.
+
+
+| Since | Default | Recommended |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| V2·NEXT | `false` | `true` |
+
+
 ### @aws-cdk/aws-route53-patters:useCertificate
 
 *Use the official `Certificate` resource instead of `DnsValidatedCertificate`* (default)

Diff for: packages/aws-cdk-lib/aws-apigateway/lib/lambda-api.ts

@@ -1,9 +1,10 @@
-import * as lambda from '../../aws-lambda';
+// import * as cdk from '../../core';
 import { Construct } from 'constructs';
 import { LambdaIntegration, LambdaIntegrationOptions } from './integrations';
 import { Method } from './method';
 import { ProxyResource, Resource } from './resource';
 import { RestApi, RestApiProps } from './restapi';
+import * as lambda from '../../aws-lambda';
 
 export interface LambdaRestApiProps extends RestApiProps {
   /**
@@ -68,6 +69,19 @@ export class LambdaRestApi extends RestApi {
       this.root.addMethod = addMethodThrows;
       this.root.addProxy = addProxyThrows;
     }
+
+    this.node.addValidation({
+      validate() {
+        for (const value of Object.values(props.deployOptions?.variables ?? {})) {
+          // Checks that variable Stage values match regex
+          const regexp = /[A-Za-z0-9-._~:/?#&=,]+/;
+          if (value.match(regexp) === null) {
+            return ['Stage variable value ' + value + ' does not match the regex.'];
+          }
+        }
+        return [];
+      },
+    });
   }
 }
 

Diff for: packages/aws-cdk-lib/aws-apigateway/lib/stage.ts

@@ -102,7 +102,7 @@ export interface StageOptions extends MethodDeploymentOptions {
   /**
    * A map that defines the stage variables. Variable names must consist of
    * alphanumeric characters, and the values must match the following regular
-   * expression: [A-Za-z0-9-._~:/?#&=,]+.
+   * expression: [A-Za-z0-9-._~:/?#&=,]+.
    *
    * @default - No stage variables.
    */

Diff for: packages/aws-cdk-lib/aws-apigateway/test/lambda-api.test.ts

@@ -2,6 +2,7 @@ import { Match, Template } from '../../assertions';
 import * as lambda from '../../aws-lambda';
 import * as cdk from '../../core';
 import * as apigw from '../lib';
+import { LambdaRestApi } from '../lib';
 
 describe('lambda api', () => {
   test('LambdaRestApi defines a REST API with Lambda proxy integration', () => {
@@ -405,4 +406,33 @@ describe('lambda api', () => {
       },
     });
   });
+
+  test('setting deployOptions variable with invalid value throws validation error', () => {
+    // GIVEN
+    const app = new cdk.App();
+    const stack = new cdk.Stack(app);
+
+    const handler = new lambda.Function(stack, 'handler', {
+      handler: 'index.handler',
+      code: lambda.Code.fromInline('boom'),
+      runtime: lambda.Runtime.NODEJS_10_X,
+    });
+
+    const versionAlias = lambda.Version.fromVersionAttributes(stack, 'VersionInfo', {
+      lambda: handler,
+      version: '${stageVariables.lambdaAlias}',
+    });
+
+    new LambdaRestApi(stack, 'RestApi', {
+      restApiName: 'my-test-api',
+      handler: versionAlias,
+      deployOptions: {
+        variables: {
+          functionName: '$$$',
+        },
+      },
+    });
+
+    expect(() => app.synth()).toThrow('Validation failed with the following errors:\n  [Default/RestApi] Stage variable value $$$ does not match the regex.');
+  });
 });

Diff for: packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md

@@ -17,6 +17,7 @@ Flags come in three types:
 
 | Flag | Summary | Since | Type |
 | ----- | ----- | ----- | ----- |
+| [@aws-cdk/aws-apigateway:requestValidatorUniqueId](#aws-cdkaws-apigatewayrequestvalidatoruniqueid) | Generate a unique id for each RequestValidator added to a method | V2·NEXT | (fix) |
 | [@aws-cdk/aws-route53-patters:useCertificate](#aws-cdkaws-route53-pattersusecertificate) | Use the official `Certificate` resource instead of `DnsValidatedCertificate` | V2·NEXT | (default) |
 | [@aws-cdk/core:newStyleStackSynthesis](#aws-cdkcorenewstylestacksynthesis) | Switch to new stack synthesis method which enables CI/CD | 2.0.0 | (fix) |
 | [@aws-cdk/core:stackRelativeExports](#aws-cdkcorestackrelativeexports) | Name exports based on the construct paths relative to the stack, rather than the global construct path | 2.0.0 | (fix) |
@@ -90,7 +91,8 @@ The following json shows the current recommended set of flags, as `cdk init` wou
     "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
     "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
     "@aws-cdk/aws-redshift:columnId": true,
-    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true
+    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
+    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true
   }
 }
 ```
@@ -320,6 +322,23 @@ Encryption can also be configured explicitly using the `encrypted` property.
 **Compatibility with old behavior:** Pass the `encrypted: false` property to the `FileSystem` construct to disable encryption.
 
 
+### @aws-cdk/aws-apigateway:requestValidatorUniqueId
+
+*Generate a unique id for each RequestValidator added to a method* (fix)
+
+This flag allows multiple RequestValidators to be added to a RestApi when
+providing the `RequestValidatorOptions` in the `addMethod()` method.
+
+If the flag is not set then only a single RequestValidator can be added in this way.
+Any additional RequestValidators have to be created directly with `new RequestValidator`.
+
+
+| Since | Default | Recommended |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| V2·NEXT | `false` | `true` |
+
+
 ### @aws-cdk/aws-route53-patters:useCertificate
 
 *Use the official `Certificate` resource instead of `DnsValidatedCertificate`* (default)