feat: adding OwnershipVerificationCertificateArn and DisableExecuteApiEndpoint to APIs. (#93) (#2239)

Co-authored-by: sattigar <67429403+sattigar@users.noreply.github.com>

Author: mndeveci

integration/combination/test_api_with_disable_execute_api_endpoint.py

@@ -0,0 +1,30 @@
+from parameterized import parameterized
+
+from integration.helpers.base_test import BaseTest
+
+
+class TestApiWithDisableExecuteApiEndpoint(BaseTest):
+    @parameterized.expand(
+        [
+            ("combination/api_with_disable_execute_api_endpoint", True),
+            ("combination/api_with_disable_execute_api_endpoint", False),
+        ]
+    )
+    def test_end_point_configuration(self, file_name, disable_value):
+        parameters = [
+            {
+                "ParameterKey": "DisableExecuteApiEndpointValue",
+                "ParameterValue": "true" if disable_value else "false",
+                "UsePreviousValue": False,
+                "ResolvedValue": "string",
+            }
+        ]
+
+        self.create_and_verify_stack(file_name, parameters)
+
+        rest_api_id = self.get_physical_id_by_type("AWS::ApiGateway::RestApi")
+        apigw_client = self.client_provider.api_client
+
+        response = apigw_client.get_rest_api(restApiId=rest_api_id)
+        api_result = response["disableExecuteApiEndpoint"]
+        self.assertEqual(api_result, disable_value)

integration/resources/expected/combination/api_with_disable_execute_api_endpoint.json

@@ -0,0 +1,8 @@
+[
+    {"LogicalResourceId": "RestApiGateway", "ResourceType": "AWS::ApiGateway::RestApi"},
+    {"LogicalResourceId": "RestApiGatewayDeployment", "ResourceType": "AWS::ApiGateway::Deployment"},
+    {"LogicalResourceId": "RestApiGatewayProdStage", "ResourceType": "AWS::ApiGateway::Stage"},
+    {"LogicalResourceId": "RestApiFunction", "ResourceType": "AWS::Lambda::Function"},
+    {"LogicalResourceId": "RestApiFunctionIamPermissionProd", "ResourceType": "AWS::Lambda::Permission"},
+    {"LogicalResourceId": "RestApiFunctionRole", "ResourceType": "AWS::IAM::Role"}
+]

integration/resources/templates/combination/api_with_disable_execute_api_endpoint.yaml

@@ -0,0 +1,39 @@
+Parameters:
+  DisableExecuteApiEndpointValue:
+    Description: Variable to define if client can access default API endpoint.
+    Type: String
+    AllowedValues: [true, false]
+
+Resources:
+  RestApiGateway:
+    Type: AWS::Serverless::Api
+    Properties:
+      StageName: Prod
+      DisableExecuteApiEndpoint:
+        Ref: DisableExecuteApiEndpointValue
+
+  RestApiFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      InlineCode: |
+        exports.handler = async (event) => {
+          const response = {
+            statusCode: 200,
+            body: JSON.stringify('Hello from Lambda!'),
+          };
+          return response;
+        };
+      Handler: index.handler
+      Runtime: nodejs12.x
+      Events:
+        Iam:
+          Type: Api
+          Properties:
+            RestApiId: !Ref RestApiGateway
+            Method: GET
+            Path: /
+Outputs:
+  ApiUrl:
+    Description: "API endpoint URL for Prod environment"
+    Value:
+      Fn::Sub: 'https://${RestApiGateway}.execute-api.${AWS::Region}.${AWS::URLSuffix}/Prod/'

samtranslator/model/api/api_generator.py

@@ -170,6 +170,7 @@ def __init__(
         method_settings=None,
         binary_media=None,
         minimum_compression_size=None,
+        disable_execute_api_endpoint=None,
         cors=None,
         auth=None,
         gateway_responses=None,
@@ -218,6 +219,7 @@ def __init__(
         self.method_settings = method_settings
         self.binary_media = binary_media
         self.minimum_compression_size = minimum_compression_size
+        self.disable_execute_api_endpoint = disable_execute_api_endpoint
         self.cors = cors
         self.auth = auth
         self.gateway_responses = gateway_responses
@@ -290,8 +292,27 @@ def _construct_rest_api(self):
         if self.mode:
             rest_api.Mode = self.mode
 
+        if self.disable_execute_api_endpoint is not None:
+            self._add_endpoint_extension()
+
         return rest_api
 
+    def _add_endpoint_extension(self):
+        """Add disableExecuteApiEndpoint if it is set in SAM
+        Note:
+        If neither DefinitionUri nor DefinitionBody are specified,
+        SAM will generate a openapi definition body based on template configuration.
+        https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-definitionbody
+        For this reason, we always put DisableExecuteApiEndpoint into openapi object irrespective of origin of DefinitionBody.
+        """
+        if self.disable_execute_api_endpoint and not self.definition_body:
+            raise InvalidResourceException(
+                self.logical_id, "DisableExecuteApiEndpoint works only within 'DefinitionBody' property."
+            )
+        editor = SwaggerEditor(self.definition_body)
+        editor.add_disable_execute_api_endpoint_extension(self.disable_execute_api_endpoint)
+        self.definition_body = editor.swagger
+
     def _construct_body_s3_dict(self):
         """Constructs the RestApi's `BodyS3Location property`_, from the SAM Api's DefinitionUri property.
 
@@ -444,6 +465,9 @@ def _construct_api_domain(self, rest_api):
         if self.domain.get("SecurityPolicy", None):
             domain.SecurityPolicy = self.domain["SecurityPolicy"]
 
+        if self.domain.get("OwnershipVerificationCertificateArn", None):
+            domain.OwnershipVerificationCertificateArn = self.domain["OwnershipVerificationCertificateArn"]
+
         # Create BasepathMappings
         if self.domain.get("BasePath") and isinstance(self.domain.get("BasePath"), string_types):
             basepaths = [self.domain.get("BasePath")]

samtranslator/model/api/http_api_generator.py

@@ -253,6 +253,12 @@ def _construct_api_domain(self, http_api):
                 "EndpointConfiguration for Custom Domains must be one of {}.".format(["REGIONAL"]),
             )
         domain_config["EndpointType"] = endpoint
+
+        if self.domain.get("OwnershipVerificationCertificateArn", None):
+            domain_config["OwnershipVerificationCertificateArn"] = self.domain.get(
+                "OwnershipVerificationCertificateArn"
+            )
+
         domain_config["CertificateArn"] = self.domain.get("CertificateArn")
         if self.domain.get("SecurityPolicy", None):
             domain_config["SecurityPolicy"] = self.domain.get("SecurityPolicy")

samtranslator/model/apigateway.py

@@ -169,6 +169,7 @@ class ApiGatewayDomainName(Resource):
         "MutualTlsAuthentication": PropertyType(False, is_type(dict)),
         "SecurityPolicy": PropertyType(False, is_str()),
         "CertificateArn": PropertyType(False, is_str()),
+        "OwnershipVerificationCertificateArn": PropertyType(False, is_str()),
     }
 
 

samtranslator/model/sam_resources.py

@@ -878,6 +878,7 @@ class SamApi(SamResourceMacro):
         "Domain": PropertyType(False, is_type(dict)),
         "Description": PropertyType(False, is_str()),
         "Mode": PropertyType(False, is_str()),
+        "DisableExecuteApiEndpoint": PropertyType(False, is_type(bool)),
     }
 
     referable_properties = {
@@ -925,6 +926,7 @@ def to_cloudformation(self, **kwargs):
             method_settings=self.MethodSettings,
             binary_media=self.BinaryMediaTypes,
             minimum_compression_size=self.MinimumCompressionSize,
+            disable_execute_api_endpoint=self.DisableExecuteApiEndpoint,
             cors=self.Cors,
             auth=self.Auth,
             gateway_responses=self.GatewayResponses,

samtranslator/swagger/swagger.py

@@ -25,6 +25,7 @@ class SwaggerEditor(object):
     _X_ANY_METHOD = "x-amazon-apigateway-any-method"
     _X_APIGW_REQUEST_VALIDATORS = "x-amazon-apigateway-request-validators"
     _X_APIGW_REQUEST_VALIDATOR = "x-amazon-apigateway-request-validator"
+    _X_ENDPOINT_CONFIG = "x-amazon-apigateway-endpoint-configuration"
     _CACHE_KEY_PARAMETERS = "cacheKeyParameters"
     # https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
     _ALL_HTTP_METHODS = ["OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "PATCH"]
@@ -111,6 +112,19 @@ def get_method_contents(self, method):
             return method[self._CONDITIONAL_IF][1:]
         return [method]
 
+    def add_disable_execute_api_endpoint_extension(self, disable_execute_api_endpoint):
+        """Add endpoint configuration to _X_APIGW_ENDPOINT_CONFIG in open api definition as extension
+        Following this guide:
+        https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-swagger-extensions-endpoint-configuration.html
+        :param boolean disable_execute_api_endpoint: Specifies whether clients can invoke your API by using the default execute-api endpoint.
+        """
+        if not self._doc.get(self._X_ENDPOINT_CONFIG):
+            self._doc[self._X_ENDPOINT_CONFIG] = {}
+
+        DISABLE_EXECUTE_API_ENDPOINT = "disableExecuteApiEndpoint"
+        set_disable_api_endpoint = {DISABLE_EXECUTE_API_ENDPOINT: disable_execute_api_endpoint}
+        self._doc[self._X_ENDPOINT_CONFIG].update(set_disable_api_endpoint)
+
     def has_integration(self, path, method):
         """
         Checks if an API Gateway integration is already present at the given path/method

samtranslator/validator/sam_schema/definitions/api.json

@@ -98,6 +98,12 @@
                   "intrinsic"
                 ]
               },
+              "DisableExecuteApiEndpoint": {
+                "type": [
+                  "boolean",
+                  "intrinsic"
+                ]
+              },
               "Domain": {
                 "$ref": "#definitions/AWS::Serverless::Api.DomainConfiguration"
               },
@@ -443,6 +449,12 @@
             "string",
             "intrinsic"
           ]
+        },
+        "OwnershipVerificationCertificateArn": {
+          "type": [
+            "string",
+            "intrinsic"
+          ]
         }
       },
       "required": [