/// <summary>
/// Wires an API Gateway HTTP API route straight to a synchronous execution of an Express
/// Step Functions state machine: <c>POST /execute</c> → <c>StepFunctions-StartSyncExecution</c>,
/// with the raw request body handed over as the execution input.
/// </summary>
/// <param name="scope">Parent construct.</param>
/// <param name="id">Construct id of this stack.</param>
/// <param name="props">Optional stack properties forwarded to the base stack.</param>
internal CdkStack(Construct scope, string id, IStackProps props = null) : base(scope, id, props)
{
    // The workflow body is a single Pass state; the example is about the integration, not the workflow.
    var entryState = new Pass(this, "StartState");
    var workflowLogs = new LogGroup(this, "HttpExpressWorkflowLogGroup");

    // LogLevel.ALL records every history event, including execution input/output, in the log
    // group — whatever a caller posts to the route therefore lands in CloudWatch Logs.
    var workflow = new StateMachine(this, "HttpExpressWorkflow", new StateMachineProps()
    {
        StateMachineName = "HttpExpressWorkflowExample",
        StateMachineType = StateMachineType.EXPRESS,
        Definition = entryState,
        Logs = new LogOptions()
        {
            Destination = workflowLogs,
            Level = LogLevel.ALL,
        },
        TracingEnabled = true,
    });

    // Role assumed by API Gateway; its policy is scoped to starting sync executions of this one
    // state machine (Resources pins the ARN), not states:* on everything.
    var invokeRole = new Role(this, "ApiGatewayRole", new RoleProps()
    {
        AssumedBy = new ServicePrincipal("apigateway.amazonaws.com"),
    });
    invokeRole.AddToPolicy(new PolicyStatement(new PolicyStatementProps()
    {
        Effect = Effect.ALLOW,
        Sid = "AllowStepFunctionExecution",
        Actions = new[] { "states:StartSyncExecution" },
        Resources = new[] { workflow.StateMachineArn },
    }));

    var api = new CfnHttpApi(this, "HttpApi", new CfnHttpApiProps()
    {
        StageName = "Main",
    });

    // "$request.body" forwards the HTTP body as the state-machine input without any mapping or validation.
    var startExecution = new CfnIntegration(this, "StepFunctionIntegration", new CfnIntegrationProps()
    {
        ApiId = api.Ref,
        IntegrationType = "AWS_PROXY",
        IntegrationSubtype = "StepFunctions-StartSyncExecution",
        CredentialsArn = invokeRole.RoleArn,
        RequestParameters = new Dictionary<string, string>(2)
        {
            ["Input"] = "$request.body",
            ["StateMachineArn"] = workflow.StateMachineArn,
        },
        PayloadFormatVersion = "1.0",
        ConnectionType = "INTERNET",
    });

    // NOTE(review): this route sets neither AuthorizationType nor AuthorizerId, so anyone who can
    // reach the API can start an execution with an arbitrary body. Attach an authorizer
    // ("JWT" or "AWS_IAM") before exposing it beyond a sandbox.
    _ = new CfnRoute(this, "StepFunctionRoute", new CfnRouteProps()
    {
        ApiId = api.Ref,
        RouteKey = "POST /execute",
        Target = $"integrations/{startExecution.Ref}",
    });
}
/// <summary>
/// Sample stack: a Lambda function fronted by an API Gateway HTTP API route whose
/// <c>GET</c> route requires a JWT authorizer, with an invoke permission scoped to that API and path.
/// </summary>
/// <param name="scope">Parent construct.</param>
/// <param name="id">Construct id of this stack.</param>
/// <param name="props">Optional stack properties forwarded to the base stack.</param>
internal Apigatewayv2JwtAuthzSampleStack(Construct scope, string id, IStackProps props = null) : base(scope, id, props)
{
    const string LambdaKey = "secure-lambda";
    // Create a lambda function that will execute the logic when the api is called.
    // NOTE(review): NODEJS_12_X is a deprecated Lambda runtime; move to a currently supported Node.js runtime.
    var function = new Function(this, LambdaKey, new FunctionProps
    {
        Runtime = Runtime.NODEJS_12_X,
        Code = Code.FromAsset("lambdas"),
        Handler = "my-secure-lambda.handler"
    });
    // Add cors options. (if you intend to call this from a web app)
    // AllowCredentials = true lets browsers send cookies / the Authorization header cross-origin,
    // which is why AllowOrigins has to stay an explicit origin list rather than a wildcard.
    // NOTE(review): this listing is truncated/redacted between the AllowOrigins entry and the
    // "/secureresource" path: the rest of the CORS options, the HttpApi ("api"), the JWT
    // authorizer ("jwtAuthZ"), the Lambda integration ("integration") and the "apiPath"
    // declaration are not shown, so the block does not compile as printed.
    var cors = new CorsPreflightOptions
    {
        AllowCredentials = true,
        AllowHeaders = new string[] { "Authorization" },
        AllowMethods = new HttpMethod[] { HttpMethod.GET, HttpMethod.OPTIONS },
        AllowOrigins = new string[] { "http://*****:*****@"/secureresource";
    // add a route to the api, attaching the JWT authorizer and targeting the integration.
    var cr = new CfnRoute(this, $"{LambdaKey}-route", new CfnRouteProps
    {
        ApiId = api.HttpApiId,
        RouteKey = $"GET {apiPath}",
        AuthorizationType = "JWT",
        AuthorizerId = jwtAuthZ.Ref,
        Target = $"integrations/{integration.Ref}"
    });
    // finally, add permissions so the http api can invoke the lambda for the api path.
    // The execute-api SourceArn wildcards stage and method ("/*/*") but pins the API id and the
    // path, so only this API — and only for requests on apiPath — may invoke the function.
    var resource = (CfnResource)api.Node.FindChild("Resource");
    function.AddPermission($"{LambdaKey}-permission", new Permission
    {
        Principal = new Amazon.CDK.AWS.IAM.ServicePrincipal("apigateway.amazonaws.com"),
        Action = "lambda:InvokeFunction",
        SourceArn = $"arn:aws:execute-api:{this.Region}:{this.Account}:{resource.Ref}/*/*{apiPath}"
    });
}