AlwaysDeploy does not include GatewayResponse updates about serverless-application-model HOT 7 CLOSED

Hi there, thanks for opening an issue. It would often result in weird behaviour if you mix SAM resources with regular CloudFormation resources. I would recommend defining the gateway response as part of the openapi specification in DefintionBody or DefinitionUri property of your SAM API. An simple example is given here:

openapi: 3.0.0
info:
  title: Sample API
  version: 1.0.0
paths:
  /someEndpoint:
    get:
      summary: Sample endpoint
      responses:
        '401':
          description: Unauthorized access. The client will be redirected.
          content:
            text/html:
              schema:
                type: string
                example: |
                  <html>
                    <head>
                      <meta 
                        http-equiv="refresh" 
                        content="0;url=/shell?target=$context.path">
                    </head>
                    <body></body>
                  </html>

from serverless-application-model.

Thanks @GavinZZ, unfortunately, I don't think this will work for my use case. The responses I'm manipulating are generated by the CognitoAuthorizer, not by any of my mapped endpoints. As far as I understand things, your solution would require the request getting past the authorizer before those response transformations were implemented.

from serverless-application-model.

@mousedownmike I spent some time and wrote an example following your description. However, I cannot reproduce this problem.

I'm using a simple template like the following

Transform: AWS::Serverless-2016-10-31
Resources:
  MyApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: MyNewStageName
      DefinitionBody:
        # Simple HTTP Proxy API
        openapi: '3.0'
        info:
          version: '2016-09-23T22:23:23Z'
          title: Simple Api
        basePath: /demo
        schemes:
        - https
        paths:
          /http/{proxy+}:
            x-amazon-apigateway-any-method:
              parameters:
              - name: proxy
                in: path
              x-amazon-apigateway-integration:
                type: http_proxy
                uri: http://httpbin.org/{proxy}
                httpMethod: ANY
                passthroughBehavior: when_no_match
                requestParameters:
                  integration.request.path.proxy: method.request.path.proxy
  UnauthorizedRedirect:
    Type: AWS::ApiGateway::GatewayResponse
    Properties:
      ResponseTemplates:
        text/html: |
          <html>
              <head>
                  <meta 
                    http-equiv="refresh" 
                    content="0;url=/shell?target=$context.path">
              </head>
              <body></body>
          </html>
      ResponseType: UNAUTHORIZED
      RestApiId: !Ref MyApi
      StatusCode: '401'

Note that this template includes a SAM API, a AWS::ApiGateway::GatewayResponse resource. I am able to deploy this template successfully for the first time.

Then I proceeded with updating the AWS::ApiGateway::GatewayResponse resource

  UnauthorizedRedirect:
      ResponseType: UNAUTHORIZED
      RestApiId: !Ref MyApi
      StatusCode: '403'

I then tried to deploy this updated template again and I am able to deploy it and I can see changes reflected in the console as well. So I'm not able to reproduce the issue described.

To be super clear, this problem is not related to AlwaysDeploy as this property only works with properties changed in SAM API resource itself. Also, since the GatewayResponse resource depends on the API resource (implicit depends on through the RestApiId: !Ref MyApi), changes in AWS::ApiGateway::GatewayResponse should always be deployed prior to deploying the API resource. If a change is not recognized, this is most likely not a SAM issue but a CloudFormation or ApiGateway issue.

from serverless-application-model.

@GavinZZ, thank you for your time on this. Without using an Authorizer on the API, I don't think it replicates the experience I was having. To be clear, I do see the changes reflected in the console when I apply the template. The problem is that they don't actually function for responses generated by the Authorizer. From my understanding of what you're saying, it sounds like that's expected.

I might recommend a minor documentation update for the AlwaysDeploy property to call out the fact that changes to standard CloudFormation resources "should always be deployed prior to deploying the API resource". Unfortunately, using a DependsOn relationship doesn't appear to guarantee that (or, quite possibly, I didn't test that properly).

Ultimately, I've decided not to use the GatewayResponse resources because they just don't offer the flexibility I was hoping for... specifically, no $context interpolation in headers. I've opted to use Lambda@Edge functions to manipulate the respones as necessary.

from serverless-application-model.

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

from serverless-application-model.

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

from serverless-application-model.

@mousedownmike thanks for the suggestion, I'm going to create a task internally for doc update to clearly state the limitation of AlwaysDeploy property.

To be clear, I do see the changes reflected in the console when I apply the template. The problem is that they don't actually function for responses generated by the Authorizer. From my understanding of what you're saying, it sounds like that's expected.

That's definitely not expected, but all SAM Transform does it to transform the template into standard CloudFormation template. Specifically in your scenario, this problem seems to be an issue on ApiGateway side or CloudFormation side. Unfortunately, there's not much SAM can do since the transformed template looks valid.

from serverless-application-model.