aws-cdk: [APIGateway] LambdaIntegration: Add option to create a single trigger/permission with wildcards only instead of one for each ApiGateway Resource

For the Lambda ApiGateway integration, add an option to prefer a single wildcard trigger/integrationPermission instead of multiple triggers/integrationPermissions for each URL/endpoint/resource defined in the ApiGateway.

Currently the created triggers in the AWS console looks like that:

arn:aws:execute-api:us-east-1:123:api_id/prod/GET/v1/parent_res_1/*
arn:aws:execute-api:us-east-1:123:api_id/prod/POST/v1/parent_res_1/*
arn:aws:execute-api:us-east-1:123:api_id/prod/GET/v1/parent_res_2/*
...

The requested feature would allow to have something like that instead:

arn:aws:execute-api:us-east-1:123:api_id/*

Use Case

In case of APIs with a larger amount of urls/endpoints/resources, it is likely to get a “The final policy size (XXX) is bigger than the limit (20480)” error.

In our case, we run into that for an API with around 15 resources and worked around temporarily by setting LambdaIntegrationOptions.allowTestInvoke to false. This cut the number of triggers/IntegrationPermissions in half and the policy didn’t hit the limit anymore. However, we would prefer leaving allowTestInvoke to true. Moreover as the API grows over time, we will likely run into the same issue again later: the faster the API grows, the sooner. Implementing something like described in https://github.com/aws/aws-cdk/issues/5774#issuecomment-609583801 (also see below) currently seems to be something like a last resort for us.

Implication of the current state of CDK in this respect for us is that the CDK ApiGateway -> LambdaIntegration cannot be easily used for APIs with a considerable amount of endpoints because the CDK stack will break sooner or later when adding more resources to the APIGateway.

Proposed Solution

Add boolean option singleWildcardTrigger or singleWildcardIntegrationPermission to aws_cdk.aws_apigateway.LambdaIntegrationOptions.
Per default, it is false and everything works like as it does currently.
In case of true, only a single trigger with wildcards is generated (see above).
With the existing allowTestInvoke option, there is already an option which works globally an all tiggers/integrationPermissions as well. So something very similar is already available.

Other

There is a similar (duplicate?) issue which as been closed already https://github.com/aws/aws-cdk/issues/5774 (closed https://github.com/aws/aws-cdk/issues/5774#issuecomment-594902199 by AWS). The discussions in the end (after closing by AWS) are about workarounds (subclassing CDK) for something which seems to be missing as a feature, thus I created a new issue. Feel free to reopen the original one and add this as a duplicate.

Please also check https://github.com/aws/aws-cdk/issues/5774#issuecomment-609583801 which has been added after closing the issue. This comment describes the problem exactly the same as we see it.

This is a 🚀 Feature Request

About this issue

Original URL
State: open
Created 4 years ago
Reactions: 24
Comments: 33 (5 by maintainers)

Commits related to this issue

Added ability to upload case documents. Added ability to upload case documents i.e. files relevant to the case and view them. Added masonry via vue-masonry (warning: No TS support). Moved cases and a... — committed to aryan-programmer/justice-firm-v2 by aryan-programmer a year ago

Most upvoted comments

Expecting for this to be fixed also!

+12

leantorres73 on Jul 21, 2021

Author of the comment that is referenced in this ticket. It has been a few versions since that was posted and no longer works. I took some inspiration from @nija-at comment above. Rather extending the class as I did in the old method than using Aspects that apply it over all the whole API GW methods. So my alternative updated version that seems to work:

import lambda = require('@aws-cdk/aws-lambda');
import apigateway = require('@aws-cdk/aws-apigateway');

export class LambdaIntegrationNoPermission extends apigateway.LambdaIntegration {
  constructor(handler: lambda.IFunction, options?: apigateway.LambdaIntegrationOptions) {
    super(handler, options);
  }

  bind(method: apigateway.Method): apigateway.IntegrationConfig {
    const integrationConfig = super.bind(method);
    const permissions = method.node.children.filter(c => c instanceof lambda.CfnPermission);
    permissions.forEach(p => method.node.tryRemoveChild(p.node.id));
    return integrationConfig;
  }
}

const api = new apigateway.RestApi(this, id+"-api", {
            restApiName: id,
            deployOptions: { stageName: buildPros.Environment },
            defaultCorsPreflightOptions: {
                allowOrigins: apigateway.Cors.ALL_ORIGINS,
                allowMethods: apigateway.Cors.ALL_METHODS,
                allowHeaders: ["*"]
            },
            defaultIntegration: new LambdaIntegrationNoPermission(apiLambda, {proxy: true}),
        });

.... Add many methods and resources here ....

/* Manually add the permission, specifying with the API function arnForExecuteApi empty params means for all methods, paths and stages    */
apiLambda.addPermission(id + "ApiGWPermissions", {
           action: 'lambda:InvokeFunction',
           principal: new iam.ServicePrincipal('apigateway.amazonaws.com'),
           sourceArn: api.arnForExecuteApi()
       });

rehanvdm on Jun 10, 2021

I’m new to using CDK since I thought it would be a good idea to switch my AWS project from using Serverless Framework to cdk

I immediately hit this issue which meant I couldn’t deploy my HttpApi due to the per-route permissions making the policy too large to deploy.

After lots of head scratching, digging through aws-cdk code and borrowing ideas from the snippets above, here’s my contribution to the growing collection of (hacky) workarounds:

ApiGatewayV2 + HttpApi + Python Workaround

class PermittedHttpLambdaIntegration(HttpLambdaIntegration):
    handler: aws_cdk.aws_lambda.IFunction = None
    permitted_apis = set()

    def __init__(self,
        id: str,
        handler: aws_cdk.aws_lambda.IFunction,
        *,
        parameter_mapping = None,
        payload_format_version = None,
    ) -> None:
        self.handler = handler
        super().__init__(id, handler, parameter_mapping=parameter_mapping, payload_format_version=payload_format_version)

    @jsii.member(jsii_name="bind")
    def bind(
        self,
        *,
        route: apigwv2.IHttpRoute,
        scope: constructs.Construct,
    ) -> apigwv2.HttpRouteIntegrationConfig:
        _ = apigwv2.HttpRouteIntegrationBindOptions(
            route=route, scope=scope
        )

        # The JSSI stuff all blows up if we try and call super().bind() but it seems to
        # work if we punch through and do what HttpLambdaIntegration.bind()
        # would do by calling jsii.invoke directly :/
        #
        # (Maybe someone familiar with jsii knows how to override methods properly?)
        return typing.cast(apigwv2.HttpRouteIntegrationConfig, jsii.invoke(self, "bind", [_]))

    @jsii.member(jsii_name="completeBind")
    def _complete_bind(
        self,
        *,
        route: apigwv2.IHttpRoute,
        scope: constructs.Construct,
    ) -> None:
        api_id = route.http_api.api_id
        if api_id not in self.permitted_apis:
            self.permitted_apis.add(api_id)

            handler = self.handler
            handler.add_permission("ApiGatewayPermissions",
              principal=aws_iam.ServicePrincipal("apigateway.amazonaws.com"),
              action='lambda:InvokeFunction',
              source_arn="arn:aws:execute-api:{region}:{account}:{api_id}/*".format(
                  region=handler.env.region,
                  account=handler.env.account,
                  api_id=api_id,
              ))

In terms of the comment above where @enroly-mike was told that this is not a CDK problem it seems fair to note here that this issue didn’t exist with Serverless Framework which was creating a wildcard rule instead.

From my perspective as a first-time user of CDK this issue is a pretty big red flag for me currently. The issue is now over two years old and it seems pretty clear that this is a serious problem in situations where you have multiple routes that share a single function. (You can’t deploy your stack without implementing a workaround)

In my case I’m using Rust to implement a native lambda with Runtime.PROVIDED_AL2 which handles multiple, related routes. I wouldn’t have imagined this would be considered unusual, so it was surprising to hit a hurdle like this.

Versions:

cdk = 2.52.0 (build 096d2e0) aws-cdk-lib = 2.52.0 apigatewayv2-alpha = 2.52.0a0

rib on Nov 30, 2022

Unfortunately, we’ve not gotten around to tackling this issue.

However, I have a workaround below -

const lambda = new lambda.Function(...);

const api = new apigateway.RestApi(...);

// define all resources, methods and integrations that use 'lambda'

class PermissionAspect implements core.IAspect {
  visit(construct: core.IConstruct) {
    if (construct instanceof apigateway.Method) {
      const permissions = construct.node.children.filter(c => c instanceof lambda.CfnPermission);
      permissions.forEach(p => construct.node.tryRemoveChild(p.node.id));
    }
  }
}

core.Aspects.of(api).add(new PermissionAspect());

lambda.addPermission('ApiPermissions', {
   // ...
})

The PermissionAspect model walks the construct tree starting from the RestApi and removes all permissions associated with the methods. Then, a compressed set of permissions with wildcards can be added.

nija-at on Nov 18, 2020

Hey, we’ve actually just recently merged a PR which aims to tackle all sorts of policy size limit issues. Look forward to the next v2 release and let me know if this is still an issue 🙂

https://github.com/aws/aws-cdk/pull/19114

peterwoodworth on Mar 28, 2022

Here’s a solution that’s similar to the ones of @rehanvdm but the lambda integration are also responsable to register the permission of the lambda:InvokeFunction

import * as iam from 'aws-cdk-lib/aws-iam';
import * as lambda from 'aws-cdk-lib/aws-lambda';
import * as apigateway from 'aws-cdk-lib/aws-apigateway';

export interface LambdaIntegrationOnePermissionOnlyOptions extends apigateway.LambdaIntegrationOptions {
  restApi: apigateway.IRestApi
}

export class LambdaIntegrationOnePermissionOnly extends apigateway.LambdaIntegration {

  constructor(handler: lambda.IFunction, options: LambdaIntegrationOnePermissionOnlyOptions) {
    super(handler, options);

    handler.addPermission('apigw-permissions', {
      principal: new iam.ServicePrincipal('apigateway.amazonaws.com'),
      action: 'lambda:InvokeFunction',
      sourceArn: options.restApi.arnForExecuteApi()
    });
  }

  bind(method: apigateway.Method): apigateway.IntegrationConfig {
    const integrationConfig = super.bind(method);

    // Remove all AWS::Lambda::Permission on methods
    const permissions = method.node.children.filter(c => c instanceof lambda.CfnPermission);
    permissions.forEach(p => method.node.tryRemoveChild(p.node.id));
    return integrationConfig;
  }
}

JPLemelin on Mar 10, 2022

Note sure if its the case for anyone else but the above code didn’t work with cdk 2.37.1 so I had to resort to the following

export class LambdaIntegrationNoPermission extends apigateway.LambdaIntegration {
  constructor(
    handler: lambda.IFunction,
    options?: apigateway.LambdaIntegrationOptions
  ) {
    super(handler, options);
  }

  bind(method: apigateway.Method): apigateway.IntegrationConfig {
    const integrationConfig = super.bind(method);
    const permissions = method.node.children.filter(
      // @ts-ignore
      (c) => c.node.host.action === "lambda:InvokeFunction"
    );

    console.log(permissions);

    permissions.forEach((p) => method.node.tryRemoveChild(p.node.id));
    return integrationConfig;
  }
}

I was told by AWS Premium support that this wasn’t a CDK problem, it was a lambda problem, I’m somewhat unconvinced by that statement. Also forgive me for my TS escape, please feel free to recommend a more type safe way (or collapse the permissions properly)

enroly-mike on Aug 18, 2022

Thanks for letting us know @robert-hanuschke, we’re aware that our fix which went out before didn’t fix as many of these issues as we would have liked. We’re still working on figuring out how to best minimize the templates

peterwoodworth on Apr 25, 2022

class LambdaIntegrationNoPermission extends apigateway.LambdaIntegration {
  constructor(handler: lambda.IFunction, options?: apigateway.LambdaIntegrationOptions) {
    super(handler, options);
  }

  bind(method: apigateway.Method): apigateway.IntegrationConfig {
    const integrationConfig = super.bind(method);
    const permissions = method.node.children.filter(c => c instanceof lambda.CfnPermission);
    permissions.forEach(p => method.node.tryRemoveChild(p.node.id));
    return integrationConfig;
  }
}

========================================================================== Example from my code :

 getStartedAttributeRoute.addMethod("GET", new LambdaIntegrationNoPermission(attributeServiceLambda),
      {
        apiKeyRequired: true,
        authorizer: auth,
        authorizationType: apigateway.AuthorizationType.COGNITO,
        authorizationScopes: oAuthScope
      }
    )

ghadimdallal on Jun 2, 2022

If you’re looking for Python solution, here is my snippet translated from @rehanvdm

from aws_cdk.aws_lambda import CfnPermission
from aws_cdk.aws_apigateway import LambdaIntegration, Method, RestApi

class CustomLambdaIntegration(LambdaIntegration):
    def __init__(self, handler, **kwargs):
        super().__init__(handler, **kwargs)

    def bind(self, method: Method):
        config = super().bind(method)
        permissions = filter(
            lambda x: isinstance(x, CfnPermission), method.node.children
        )
        for permission in permissions:
            method.node.try_remove_child(permission.node.id)
        return config

...
backend_integration = CustomLambdaIntegration(backend_function)

api = RestApi(
    self,
    "My API",
    default_integration=backend_integration,
)

backend_function.add_permission(
            id="API invoke permission",
            principal=ServicePrincipal("apigateway.amazonaws.com"),
            action="lambda:InvokeFunction",
            source_arn=api.arn_for_execute_api(),
        )

oleksii-donoha on Jun 29, 2021