fix(apigateway): lambda authorizer does not enforce default cache TTL (#27873)

lpizzinidev · web-flow · commit 25ee8ef61d6b · 2023-11-20T23:01:17.000Z
Adds default `authorizerResultTtlInSeconds` value of 300 seconds to prevent cache TTL value retention when first specified and then removed. Closes #27826. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/RequestAuthorizerInteg.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.request-authorizer.lit.js.snapshot/RequestAuthorizerInteg.template.json
@@ -188,7 +188,7 @@
    "UpdateReplacePolicy": "Retain",
    "DeletionPolicy": "Retain"
   },
-  "MyRestApiDeploymentB555B582d83364d66d67f510f848797cd89349d5": {
+  "MyRestApiDeploymentB555B58276a4103e7ef38befb395a9ace5fdce44": {
    "Type": "AWS::ApiGateway::Deployment",
    "Properties": {
     "Description": "Automatically created by the RestApi construct",
@@ -208,7 +208,7 @@
    "Type": "AWS::ApiGateway::Stage",
    "Properties": {
     "DeploymentId": {
-     "Ref": "MyRestApiDeploymentB555B582d83364d66d67f510f848797cd89349d5"
+     "Ref": "MyRestApiDeploymentB555B58276a4103e7ef38befb395a9ace5fdce44"
     },
     "RestApiId": {
      "Ref": "MyRestApi2D1F47A9"
@@ -306,6 +306,7 @@
   "MyAuthorizer6575980E": {
    "Type": "AWS::ApiGateway::Authorizer",
    "Properties": {
+    "AuthorizerResultTtlInSeconds": 300,
     "AuthorizerUri": {
      "Fn::Join": [
       "",
@@ -366,6 +367,7 @@
   "MySecondAuthorizer25A69B96": {
    "Type": "AWS::ApiGateway::Authorizer",
    "Properties": {
+    "AuthorizerResultTtlInSeconds": 300,
     "AuthorizerUri": {
      "Fn::Join": [
       "",
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/TokenAuthorizerIAMRoleInteg.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.js.snapshot/TokenAuthorizerIAMRoleInteg.template.json
@@ -79,6 +79,7 @@
       "Arn"
      ]
     },
+    "AuthorizerResultTtlInSeconds": 300,
     "AuthorizerUri": {
      "Fn::Join": [
       "",
@@ -233,7 +234,7 @@
    "UpdateReplacePolicy": "Retain",
    "DeletionPolicy": "Retain"
   },
-  "MyRestApiDeploymentB555B582694e8eb3fdb7b5f988ba347d35601979": {
+  "MyRestApiDeploymentB555B58259401a546b13c99de2d05e5e255a9ede": {
    "Type": "AWS::ApiGateway::Deployment",
    "Properties": {
     "Description": "Automatically created by the RestApi construct",
@@ -251,7 +252,7 @@
    "Type": "AWS::ApiGateway::Stage",
    "Properties": {
     "DeploymentId": {
-     "Ref": "MyRestApiDeploymentB555B582694e8eb3fdb7b5f988ba347d35601979"
+     "Ref": "MyRestApiDeploymentB555B58259401a546b13c99de2d05e5e255a9ede"
     },
     "RestApiId": {
      "Ref": "MyRestApi2D1F47A9"
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/TokenAuthorizerInteg.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer.js.snapshot/TokenAuthorizerInteg.template.json
@@ -96,6 +96,7 @@
   "MyAuthorizer6575980E": {
    "Type": "AWS::ApiGateway::Authorizer",
    "Properties": {
+    "AuthorizerResultTtlInSeconds": 600,
     "AuthorizerUri": {
      "Fn::Join": [
       "",
@@ -208,7 +209,7 @@
    "UpdateReplacePolicy": "Retain",
    "DeletionPolicy": "Retain"
   },
-  "MyRestApiDeploymentB555B582e0e53f2547b469b538202de55968eaf0": {
+  "MyRestApiDeploymentB555B5827a9cde8f137f97e5aa74fca164d09d74": {
    "Type": "AWS::ApiGateway::Deployment",
    "Properties": {
     "Description": "Automatically created by the RestApi construct",
@@ -226,7 +227,7 @@
    "Type": "AWS::ApiGateway::Stage",
    "Properties": {
     "DeploymentId": {
-     "Ref": "MyRestApiDeploymentB555B582e0e53f2547b469b538202de55968eaf0"
+     "Ref": "MyRestApiDeploymentB555B5827a9cde8f137f97e5aa74fca164d09d74"
     },
     "RestApiId": {
      "Ref": "MyRestApi2D1F47A9"
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/authorizers/integ.token-authorizer.ts
@@ -16,6 +16,7 @@ const authorizerFn = new lambda.Function(stack, 'MyAuthorizerFunction', {
 
 const authorizer = new TokenAuthorizer(stack, 'MyAuthorizer', {
   handler: authorizerFn,
+  resultsCacheTtl: Duration.minutes(10),
 });
 
 const restapi = new RestApi(stack, 'MyRestApi', {
diff --git a/packages/aws-cdk-lib/aws-apigateway/lib/authorizers/lambda.ts b/packages/aws-cdk-lib/aws-apigateway/lib/authorizers/lambda.ts
@@ -32,7 +32,7 @@ export interface LambdaAuthorizerProps {
    * How long APIGateway should cache the results. Max 1 hour.
    * Disable caching by setting this to 0.
    *
-   * @default Duration.minutes(5)
+   * @default - Duration.minutes(5)
    */
   readonly resultsCacheTtl?: Duration;
 
@@ -215,7 +215,7 @@ export class TokenAuthorizer extends LambdaAuthorizer {
       type: 'TOKEN',
       authorizerUri: lambdaAuthorizerArn(props.handler),
       authorizerCredentials: props.assumeRole?.roleArn,
-      authorizerResultTtlInSeconds: props.resultsCacheTtl?.toSeconds(),
+      authorizerResultTtlInSeconds: props.resultsCacheTtl?.toSeconds() ?? Duration.minutes(5).toSeconds(),
       identitySource: props.identitySource || 'method.request.header.Authorization',
       identityValidationExpression: props.validationRegex,
     };
@@ -284,7 +284,7 @@ export class RequestAuthorizer extends LambdaAuthorizer {
       type: 'REQUEST',
       authorizerUri: lambdaAuthorizerArn(props.handler),
       authorizerCredentials: props.assumeRole?.roleArn,
-      authorizerResultTtlInSeconds: props.resultsCacheTtl?.toSeconds(),
+      authorizerResultTtlInSeconds: props.resultsCacheTtl?.toSeconds() ?? Duration.minutes(5).toSeconds(),
       identitySource: props.identitySources.map(is => is.toString()).join(','),
     };
 
diff --git a/packages/aws-cdk-lib/aws-apigateway/test/authorizers/lambda.test.ts b/packages/aws-cdk-lib/aws-apigateway/test/authorizers/lambda.test.ts
@@ -28,6 +28,7 @@ describe('lambda authorizer', () => {
       Type: 'TOKEN',
       RestApiId: stack.resolve(restApi.restApiId),
       IdentitySource: 'method.request.header.Authorization',
+      AuthorizerResultTtlInSeconds: 300,
       AuthorizerUri: {
         'Fn::Join': [
           '',
@@ -102,6 +103,7 @@ describe('lambda authorizer', () => {
     Template.fromStack(stack).hasResourceProperties('AWS::ApiGateway::Authorizer', {
       Type: 'REQUEST',
       RestApiId: stack.resolve(restApi.restApiId),
+      AuthorizerResultTtlInSeconds: 0,
       AuthorizerUri: {
         'Fn::Join': [
           '',
@@ -153,6 +155,33 @@ describe('lambda authorizer', () => {
 
   });
 
+  test('request authorizer with default cache TTL', () => {
+    const stack = new Stack();
+
+    const func = new lambda.Function(stack, 'myfunction', {
+      handler: 'handler',
+      code: lambda.Code.fromInline('foo'),
+      runtime: lambda.Runtime.NODEJS_LATEST,
+    });
+
+    const auth = new RequestAuthorizer(stack, 'myauthorizer', {
+      handler: func,
+      identitySources: [IdentitySource.header('whoami')],
+    });
+
+    const restApi = new RestApi(stack, 'myrestapi');
+    restApi.root.addMethod('ANY', undefined, {
+      authorizer: auth,
+      authorizationType: AuthorizationType.CUSTOM,
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::ApiGateway::Authorizer', {
+      Type: 'REQUEST',
+      RestApiId: stack.resolve(restApi.restApiId),
+      AuthorizerResultTtlInSeconds: 300,
+    });
+  });
+
   test('invalid request authorizer config', () => {
     const stack = new Stack();
 
