Konstantin
Painful CDK - 1

AWS CDK is a great tool, although it sometimes does not work as expected. In this post, I'd like to share some CDK pain.

Let's take a look at the simple piece of code below. My goal is to create a new Cognito user pool authorizer and use it to protect a newly created endpoint with a Lambda integration.

```typescript
import * as apigateway from "@aws-cdk/aws-apigateway";

// create cognito authorizer:
const authorizer = new apigateway.CfnAuthorizer(this.ctx, "restApiMyResourceAuthorizer", {
  restApiId: this.restApi.restApiId,
  type: "COGNITO_USER_POOLS",
  identitySource: "method.request.header.Authorization",
  name: "restApiMyResourceAuthorizer",
  providerArns: [".."],
});
// create a resource
const myResource: apigateway.Resource = this.restApi.root.addResource("myResource");
// add an endpoint to the Rest API resource with authorizer
myResource.addMethod(lambdaDeploymentOptions.httpMethod, new apigateway.LambdaIntegration(lambda), {
  authorizationType: apigateway.AuthorizationType.COGNITO,
  authorizer: {
    // node.id is the construct id ("restApiMyResourceAuthorizer"), not the id
    // API Gateway assigns to the authorizer, so the method ends up pointing at
    // an authorizer that does not exist
    authorizerId: authorizer.node.id,
    authorizationType: apigateway.AuthorizationType.COGNITO,
  },
});
```

This gives:

Invalid authorizer ID specified. Setting the authorization type to CUSTOM or COGNITO_USER_POOLS requires a valid authorizer.

There are some open questions on the internet on this topic.
The solution I've found is a bit hacky:

```typescript
// same addMethod call as above, but keep the Method construct so we can reach
// its underlying CloudFormation resource; lambdaDeploymentOptions.authorizer is
// the CfnAuthorizer created earlier
const method = myResource.addMethod(lambdaDeploymentOptions.httpMethod, new apigateway.LambdaIntegration(lambda), {
  authorizationType: apigateway.AuthorizationType.COGNITO,
  authorizer: {
    authorizerId: lambdaDeploymentOptions.authorizer.node.id,
    authorizationType: apigateway.AuthorizationType.COGNITO,
  },
});

// escape hatch: the L1 CfnMethod is the Method construct's "Resource" child;
// override the generated properties and point AuthorizerId at the authorizer's
// logical id through Ref, which CloudFormation resolves to the real authorizer id
const child = method.node.findChild("Resource") as apigateway.CfnMethod;
child.addPropertyOverride("AuthorizationType", "COGNITO_USER_POOLS");
child.addPropertyOverride("AuthorizerId", { Ref: lambdaDeploymentOptions.authorizer.logicalId });
```

In case you ask "why CfnAuthorizer, not CognitoUserPoolsAuthorizer?": the reason is simple. CognitoUserPoolsAuthorizer does not allow setting the token validation regular expression (identityValidationExpression).

P.S.
There is a general guide on how to solve issues like this with CDK, the "Escape hatches" page: https://docs.aws.amazon.com/cdk/latest/guide/cfn_layer.html
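As an added example (not part of the original post or of CDK itself), here is a small TypeScript check that can be run over the template CDK synthesizes into cdk.out after `cdk synth`. It catches the failure mode above before CloudFormation rejects the deployment: an AWS::ApiGateway::Method whose AuthorizerId is a literal string (such as a construct id) instead of a Ref to an AWS::ApiGateway::Authorizer in the same template. It also flags non-OPTIONS methods left at AuthorizationType NONE, so an endpoint that was meant to be protected cannot slip through unauthenticated. The template embedded in the block is constructed for the example, and its logical ids are assumptions, not the post's real stack.

```typescript
// Added example, not from the original post: lint a synthesized CloudFormation
// template (cdk.out/<stack>.template.json) for API Gateway methods whose
// authorizer wiring is wrong. Logical ids in the sample below are assumptions.

interface CfnResource {
  Type: string;
  Properties?: { [key: string]: any };
}

interface CfnTemplate {
  Resources: { [logicalId: string]: CfnResource };
}

interface Finding {
  logicalId: string;
  message: string;
}

function lintApiMethods(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  const resourceIds = Object.keys(template.Resources);

  // Logical ids of every authorizer in the template; a valid AuthorizerId on a
  // method must be a Ref to one of these (CDK emits { Ref: <logicalId> }).
  const authorizerIds: { [id: string]: true } = {};
  for (const id of resourceIds) {
    if (template.Resources[id].Type === "AWS::ApiGateway::Authorizer") {
      authorizerIds[id] = true;
    }
  }

  for (const id of resourceIds) {
    const res = template.Resources[id];
    if (res.Type !== "AWS::ApiGateway::Method") continue;
    const props: { [key: string]: any } = res.Properties || {};
    const authType: string = props.AuthorizationType || "NONE";

    if (authType === "NONE") {
      // CORS preflight is normally unauthenticated; anything else is an open endpoint.
      if (props.HttpMethod !== "OPTIONS") {
        findings.push({ logicalId: id, message: "method is unauthenticated (AuthorizationType NONE)" });
      }
      continue;
    }
    // Only CUSTOM and COGNITO_USER_POOLS require an authorizer resource.
    if (authType !== "COGNITO_USER_POOLS" && authType !== "CUSTOM") continue;

    const authorizerId = props.AuthorizerId;
    if (authorizerId && typeof authorizerId === "object" && typeof authorizerId.Ref === "string") {
      if (!authorizerIds[authorizerId.Ref]) {
        findings.push({
          logicalId: id,
          message: `AuthorizerId refs "${authorizerId.Ref}", which is not an AWS::ApiGateway::Authorizer here`,
        });
      }
      continue;
    }
    // A plain string here is almost always a construct id (authorizer.node.id),
    // which is what produces "Invalid authorizer ID specified" at deploy time.
    findings.push({
      logicalId: id,
      message: `AuthorizerId is missing or the literal ${JSON.stringify(authorizerId)}, not a Ref to an authorizer`,
    });
  }
  return findings;
}

// Constructed sample mirroring the post: one Cognito authorizer, a method wired
// with the construct id (broken), one wired with a Ref (after the override),
// a CORS preflight, and an unauthenticated GET.
const sampleTemplate: CfnTemplate = {
  Resources: {
    restApiMyResourceAuthorizer: {
      Type: "AWS::ApiGateway::Authorizer",
      Properties: { Type: "COGNITO_USER_POOLS", IdentitySource: "method.request.header.Authorization" },
    },
    myResourcePOSTbroken: {
      Type: "AWS::ApiGateway::Method",
      Properties: { HttpMethod: "POST", AuthorizationType: "COGNITO_USER_POOLS", AuthorizerId: "restApiMyResourceAuthorizer" },
    },
    myResourcePOSTfixed: {
      Type: "AWS::ApiGateway::Method",
      Properties: { HttpMethod: "POST", AuthorizationType: "COGNITO_USER_POOLS", AuthorizerId: { Ref: "restApiMyResourceAuthorizer" } },
    },
    myResourceOPTIONS: {
      Type: "AWS::ApiGateway::Method",
      Properties: { HttpMethod: "OPTIONS", AuthorizationType: "NONE" },
    },
    myResourceGETopen: {
      Type: "AWS::ApiGateway::Method",
      Properties: { HttpMethod: "GET", AuthorizationType: "NONE" },
    },
  },
};

for (const f of lintApiMethods(sampleTemplate)) {
  console.log(`${f.logicalId}: ${f.message}`);
}
```

To use it on a real stack, replace `sampleTemplate` with `JSON.parse` of the synthesized template file and fail the build when `lintApiMethods` returns anything; the check is intentionally strict about literal AuthorizerId values because a working CDK stack always references the authorizer through an intrinsic.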
