fix(events): additional plaintext header are not set on eventbridge connection (#21857)
Fixes: #21855
While creating an EventBridge connection to make API calls to an external API, one sometimes has to add additional header parameters like `Content-Type = application/json`.
These additional headers can either be a secret value or a plaintext value specified at deploy time.
The connection class provides an HttpParameter class that allows you to set a static/unsecure/plaintext value for a header key:
```javascript
const connection = new Connection(this, "connection", {
  authorization: Authorization.apiKey("authorization", secret.secretValue),
  headerParameters: {
    "Content-Type": HttpParameter.fromString("application/json"),
  },
});
```
This should lead to API calls made with the connection having a header present with key/value `"Content-Type": "application/json"`.
The actual behavior prior to this fix was that the header wasn't present in the API calls made with this connection.
While debugging the issue I used the following AWS CLI command to check what has been deployed by cdk/cloudformation:
`aws events describe-connection --name <name-of-the-connection>`
whose result was similar to this:
```JSON
{
  "ConnectionArn": "arn:aws:events:eu-west-1:XXXXXXX:connection/SomeConnection/0848ec46-413a-4d40-8834-XXXXXX",
  "Name": "SomeConnection",
  "ConnectionState": "AUTHORIZED",
  "AuthorizationType": "API_KEY",
  "SecretArn": "arn:aws:secretsmanager:eu-west-1:XXXXXXX:secret:events!connection/SomeSecret/1e74cbb0-dfc6-4b77-a49f-b204e6b74a46-XXXXXX",
  "AuthParameters": {
    "ApiKeyAuthParameters": {
      "ApiKeyName": "authorization"
    },
    "InvocationHttpParameters": {
      "HeaderParameters": [
        {
          "Key": "Content-Type",
          "IsValueSecret": true
        }
      ]
    }
  },
  "CreationTime": "2022-08-29T16:57:35+02:00",
  "LastModifiedTime": "2022-08-29T16:57:35+02:00",
  "LastAuthorizedTime": "2022-08-29T16:57:35+02:00"
}
```
Which indicates that the header value is not set because it is treated as a secret value and needs to be provided by the referenced secret.
Then I checked the CloudFormation spec:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-events-connection-parameter.html
There it is indicated that there is the property `isValueSecret` which indicates if the value is a secret or not.
The next step was to check why cdk generates a template that doesn't work, and therefore I checked the HttpParameter class.
This class is responsible for generating the `AWS::Events::Connection Parameter` properties.
I noticed that only the `HttpParameter.fromSecret()` sets the `isValueSecret` flag.
But it seems to be the case that for this property the default value is true by cloudformation, so omitting this attribute in the _render function results in `isValueSecret: true` at deploy time.
After that I explicitly set the value to false for the case the user specifies a plaintext value through the `HttpParameter.fromString()` method.
To make sure the correct values are deployed by cloudformation I added an integration test including an assertion that the deployed connection has the correct isValueSecret flag set and the value for the header is set.
----
### All Submissions:
* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)
### Adding new Unconventional Dependencies:
* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)
### New Features
* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
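
An added example (not part of the commit or the aws-cdk code base): a check that scans a synthesized CloudFormation template for `AWS::Events::Connection` parameters that omit `IsValueSecret`, the condition the commit message above identifies as being treated as secret at deploy time. The helper name `findImplicitSecretParams` and the sample template are constructed for illustration.

```javascript
// Added example, not aws-cdk code. Flags AWS::Events::Connection parameters
// in a synthesized template that omit IsValueSecret; per the commit message
// above, CloudFormation then appears to treat the value as secret.
const PARAM_LISTS = ["HeaderParameters", "QueryStringParameters", "BodyParameters"];

function findImplicitSecretParams(template) { // hypothetical helper name
  const findings = [];
  for (const [logicalId, res] of Object.entries(template.Resources ?? {})) {
    if (res.Type !== "AWS::Events::Connection") continue;
    const http = res.Properties?.AuthParameters?.InvocationHttpParameters ?? {};
    for (const list of PARAM_LISTS) {
      for (const param of http[list] ?? []) {
        // Only an explicit true/false states the author's intent.
        if (param.IsValueSecret === undefined) {
          findings.push({ logicalId, list, key: param.Key });
        }
      }
    }
  }
  return findings;
}

// Constructed sample: one connection as rendered before the fix, one after.
const connection = (headerParameters) => ({
  Type: "AWS::Events::Connection",
  Properties: {
    AuthorizationType: "API_KEY",
    AuthParameters: {
      ApiKeyAuthParameters: { ApiKeyName: "authorization", ApiKeyValue: "PLACEHOLDER" },
      InvocationHttpParameters: { HeaderParameters: headerParameters },
    },
  },
});
const sampleTemplate = {
  Resources: {
    BeforeFix: connection([{ Key: "Content-Type", Value: "application/json" }]),
    AfterFix: connection([{ Key: "Content-Type", Value: "application/json", IsValueSecret: false }]),
    Unrelated: { Type: "AWS::SQS::Queue", Properties: {} },
  },
};

for (const f of findImplicitSecretParams(sampleTemplate)) {
  console.log(`${f.logicalId}: ${f.list} "${f.key}" has no explicit IsValueSecret`);
}
```

Run against the JSON produced by `cdk synth`, an empty result means every connection parameter states its secrecy explicitly.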