fix(apigateway): CORS OPTIONS method should not require auth (#22402)

When you create a RestApi and you provide `defaultCorsPreflightOptions` we automatically create a CORS OPTIONS method for each method. If you also provide `defaultMethodOptions` then those default options get passed through to the CORS OPTION method as well. In the case of authentication options this should not be the case.

This PR explicitly sets the authentication related options to NONE values which overrides whatever is provided in `defaultMethodOptions`.

I've updated an integration tests to assert that an OPTIONS call is successful (I also tested before the fix to assert that it failed).

fixes #8615


----

### All Submissions:

* [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: corymhall

packages/@aws-cdk/aws-apigateway/README.md

@@ -740,7 +740,51 @@ books.addMethod('GET', new apigateway.HttpIntegration('http://amazon.com'), {
 
 A full working example is shown below.
 
-[Full token authorizer example](test/authorizers/integ.token-authorizer.lit.ts).
+```ts
+import * as path from 'path';
+import * as lambda from '@aws-cdk/aws-lambda';
+import { App, Stack } from '@aws-cdk/core';
+import { MockIntegration, PassthroughBehavior, RestApi, TokenAuthorizer, Cors } from '../../lib';
+
+/// !show
+const app = new App();
+const stack = new Stack(app, 'TokenAuthorizerInteg');
+
+const authorizerFn = new lambda.Function(stack, 'MyAuthorizerFunction', {
+  runtime: lambda.Runtime.NODEJS_14_X,
+  handler: 'index.handler',
+  code: lambda.AssetCode.fromAsset(path.join(__dirname, 'integ.token-authorizer.handler')),
+});
+
+const authorizer = new TokenAuthorizer(stack, 'MyAuthorizer', {
+  handler: authorizerFn,
+});
+
+const restapi = new RestApi(stack, 'MyRestApi', {
+  cloudWatchRole: true,
+  defaultMethodOptions: {
+    authorizer,
+  },
+  defaultCorsPreflightOptions: {
+    allowOrigins: Cors.ALL_ORIGINS,
+  },
+});
+
+
+restapi.root.addMethod('ANY', new MockIntegration({
+  integrationResponses: [
+    { statusCode: '200' },
+  ],
+  passthroughBehavior: PassthroughBehavior.NEVER,
+  requestTemplates: {
+    'application/json': '{ "statusCode": 200 }',
+  },
+}), {
+  methodResponses: [
+    { statusCode: '200' },
+  ],
+});
+```
 
 By default, the `TokenAuthorizer` looks for the authorization token in the request header with the key 'Authorization'. This can,
 however, be modified by changing the `identitySource` property.

packages/@aws-cdk/aws-apigateway/lib/method.ts

@@ -186,7 +186,7 @@ export class Method extends Resource {
 
     const defaultMethodOptions = props.resource.defaultMethodOptions || {};
     const authorizer = options.authorizer || defaultMethodOptions.authorizer;
-    const authorizerId = authorizer?.authorizerId;
+    const authorizerId = authorizer?.authorizerId ? authorizer.authorizerId : undefined;
 
     const authorizationTypeOption = options.authorizationType || defaultMethodOptions.authorizationType;
     const authorizationType = authorizer?.authorizationType || authorizationTypeOption || AuthorizationType.NONE;

packages/@aws-cdk/aws-apigateway/lib/resource.ts

@@ -4,7 +4,7 @@ import { CfnResource, CfnResourceProps } from './apigateway.generated';
 import { Cors, CorsOptions } from './cors';
 import { Integration } from './integration';
 import { MockIntegration } from './integrations';
-import { Method, MethodOptions } from './method';
+import { Method, MethodOptions, AuthorizationType } from './method';
 import { IRestApi, RestApi } from './restapi';
 
 export interface IResource extends IResourceBase {
@@ -296,6 +296,12 @@ export abstract class ResourceBase extends ResourceConstruct implements IResourc
         { statusCode: `${statusCode}`, responseParameters: integrationResponseParams, responseTemplates: renderResponseTemplate() },
       ],
     }), {
+      authorizer: {
+        authorizerId: '',
+        authorizationType: AuthorizationType.NONE,
+      },
+      apiKeyRequired: false,
+      authorizationType: AuthorizationType.NONE,
       methodResponses: [
         { statusCode: `${statusCode}`, responseParameters: methodResponseParams },
       ],

packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.lit.ts

@@ -0,0 +1,127 @@
+import * as path from 'path';
+import * as lambda from '@aws-cdk/aws-lambda';
+import { App, Stack, Duration } from '@aws-cdk/core';
+import { IntegTest, ExpectedResult, Match } from '@aws-cdk/integ-tests';
+import { MockIntegration, PassthroughBehavior, RestApi, TokenAuthorizer, Cors } from '../../lib';
+
+const app = new App();
+const stack = new Stack(app, 'TokenAuthorizerInteg');
+
+const authorizerFn = new lambda.Function(stack, 'MyAuthorizerFunction', {
+  runtime: lambda.Runtime.NODEJS_14_X,
+  handler: 'index.handler',
+  code: lambda.AssetCode.fromAsset(path.join(__dirname, 'integ.token-authorizer.handler')),
+});
+
+const authorizer = new TokenAuthorizer(stack, 'MyAuthorizer', {
+  handler: authorizerFn,
+});
+
+const restapi = new RestApi(stack, 'MyRestApi', {
+  cloudWatchRole: true,
+  defaultMethodOptions: {
+    authorizer,
+  },
+  defaultCorsPreflightOptions: {
+    allowOrigins: Cors.ALL_ORIGINS,
+  },
+});
+
+
+restapi.root.addMethod('ANY', new MockIntegration({
+  integrationResponses: [
+    { statusCode: '200' },
+  ],
+  passthroughBehavior: PassthroughBehavior.NEVER,
+  requestTemplates: {
+    'application/json': '{ "statusCode": 200 }',
+  },
+}), {
+  methodResponses: [
+    { statusCode: '200' },
+  ],
+});
+
+const integ = new IntegTest(app, 'apigw-token-auth', {
+  testCases: [stack],
+});
+const hostName = `${restapi.restApiId}.execute-api.${stack.region}.${stack.urlSuffix}`;
+const testFunc = new lambda.Function(stack, 'InvokeFunction', {
+  memorySize: 250,
+  timeout: Duration.seconds(10),
+  code: lambda.Code.fromInline(`
+const https = require('https');
+const options = {
+  hostname: '${hostName}',
+  path: '/${restapi.deploymentStage.stageName}',
+};
+exports.handler = async function(event) {
+  console.log(event);
+  options.method = event.method;
+  if ('authorization' in event) {
+    options.headers = {
+      Authorization: event.authorization,
+    };
+  }
+  let dataString = '';
+  const response = await new Promise((resolve, reject) => {
+    const req = https.request(options, (res) => {
+      res.on('data', data => {
+        dataString += data;
+      })
+      res.on('end', () => {
+        resolve({
+          statusCode: res.statusCode,
+          body: dataString,
+        });
+      })
+    });
+    req.on('error', err => {
+      reject({
+        statusCode: 500,
+        body: JSON.stringify({
+          cause: 'Something went wrong',
+          error: err,
+        })
+      });
+    });
+    req.end();
+  });
+  return response;
+}
+`),
+  handler: 'index.handler',
+  runtime: lambda.Runtime.NODEJS_16_X,
+});
+
+const invokeGet = integ.assertions.invokeFunction({
+  functionName: testFunc.functionName,
+  payload: JSON.stringify({
+    method: 'GET',
+    authorization: 'allow',
+  }),
+});
+invokeGet.expect(ExpectedResult.objectLike({
+  Payload: Match.stringLikeRegexp('200'),
+}));
+
+const invokeGetDeny = integ.assertions.invokeFunction({
+  functionName: testFunc.functionName,
+  payload: JSON.stringify({
+    method: 'GET',
+    authorization: 'deny',
+  }),
+});
+invokeGetDeny.expect(ExpectedResult.objectLike({
+  Payload: Match.stringLikeRegexp('User is not authorized to access this resource with an explicit deny'),
+}));
+
+const invokeOptions = integ.assertions.invokeFunction({
+  functionName: testFunc.functionName,
+  payload: JSON.stringify({
+    method: 'OPTIONS',
+  }),
+});
+invokeOptions.expect(ExpectedResult.objectLike({
+  Payload: Match.stringLikeRegexp('204'),
+}));

packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer.ts

@@ -1,5 +1,5 @@
 {
-  "version": "20.0.0",
+  "version": "21.0.0",
   "files": {
     "fec8e8354e12687c5a4b843b4e269741f53dec634946869b276f7fd1017845c3": {
       "source": {
@@ -14,15 +14,15 @@
         }
       }
     },
-    "d121ee9744a20c9af43e516c8fb4fe93d1ed9b26130e2db68ed9534c7104c866": {
+    "d48b90b340d35b9bc726b78e652d17148e2449f6f756e4377428635071f68d09": {
       "source": {
         "path": "TokenAuthorizerInteg.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "d121ee9744a20c9af43e516c8fb4fe93d1ed9b26130e2db68ed9534c7104c866.json",
+          "objectKey": "d48b90b340d35b9bc726b78e652d17148e2449f6f756e4377428635071f68d09.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

packages/@aws-cdk/aws-apigateway/test/authorizers/token-authorizer.lit.integ.snapshot/TokenAuthorizerInteg.assets.json packages/@aws-cdk/aws-apigateway/test/authorizers/token-authorizer.integ.snapshot/TokenAuthorizerInteg.assets.json

@@ -93,6 +93,66 @@
     }
    }
   },
+  "MyAuthorizer6575980E": {
+   "Type": "AWS::ApiGateway::Authorizer",
+   "Properties": {
+    "Name": "TokenAuthorizerIntegMyAuthorizer793B1D5F",
+    "RestApiId": {
+     "Ref": "MyRestApi2D1F47A9"
+    },
+    "Type": "TOKEN",
+    "AuthorizerUri": {
+     "Fn::Join": [
+      "",
+      [
+       "arn:",
+       {
+        "Fn::Select": [
+         1,
+         {
+          "Fn::Split": [
+           ":",
+           {
+            "Fn::GetAtt": [
+             "MyAuthorizerFunction70F1223E",
+             "Arn"
+            ]
+           }
+          ]
+         }
+        ]
+       },
+       ":apigateway:",
+       {
+        "Fn::Select": [
+         3,
+         {
+          "Fn::Split": [
+           ":",
+           {
+            "Fn::GetAtt": [
+             "MyAuthorizerFunction70F1223E",
+             "Arn"
+            ]
+           }
+          ]
+         }
+        ]
+       },
+       ":lambda:path/2015-03-31/functions/",
+       {
+        "Fn::GetAtt": [
+         "MyAuthorizerFunction70F1223E",
+         "Arn"
+        ]
+       },
+       "/invocations"
+      ]
+     ]
+    },
+    "IdentitySource": "method.request.header.Authorization"
+   }
+  },
   "MyRestApi2D1F47A9": {
    "Type": "AWS::ApiGateway::RestApi",
    "Properties": {
@@ -148,7 +208,7 @@
    "UpdateReplacePolicy": "Retain",
    "DeletionPolicy": "Retain"
   },
-  "MyRestApiDeploymentB555B582dcff966d69deeda8d47e3bf409ce29cb": {
+  "MyRestApiDeploymentB555B582464879c8d1f9fcce2500f142532cdaec": {
    "Type": "AWS::ApiGateway::Deployment",
    "Properties": {
     "RestApiId": {
@@ -157,7 +217,8 @@
     "Description": "Automatically created by the RestApi construct"
    },
    "DependsOn": [
-    "MyRestApiANY05143F93"
+    "MyRestApiANY05143F93",
+    "MyRestApiOPTIONS43BD7BF4"
    ]
   },
   "MyRestApiDeploymentStageprodC33B8E5F": {
@@ -167,14 +228,56 @@
      "Ref": "MyRestApi2D1F47A9"
     },
     "DeploymentId": {
-     "Ref": "MyRestApiDeploymentB555B582dcff966d69deeda8d47e3bf409ce29cb"
+     "Ref": "MyRestApiDeploymentB555B582464879c8d1f9fcce2500f142532cdaec"
     },
     "StageName": "prod"
    },
    "DependsOn": [
     "MyRestApiAccount2FB6DB7A"
    ]
   },
+  "MyRestApiOPTIONS43BD7BF4": {
+   "Type": "AWS::ApiGateway::Method",
+   "Properties": {
+    "HttpMethod": "OPTIONS",
+    "ResourceId": {
+     "Fn::GetAtt": [
+      "MyRestApi2D1F47A9",
+      "RootResourceId"
+     ]
+    },
+    "RestApiId": {
+     "Ref": "MyRestApi2D1F47A9"
+    },
+    "AuthorizationType": "NONE",
+    "Integration": {
+     "IntegrationResponses": [
+      {
+       "ResponseParameters": {
+        "method.response.header.Access-Control-Allow-Headers": "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-User-Agent'",
+        "method.response.header.Access-Control-Allow-Origin": "'*'",
+        "method.response.header.Access-Control-Allow-Methods": "'OPTIONS,GET,PUT,POST,DELETE,PATCH,HEAD'"
+       },
+       "StatusCode": "204"
+      }
+     ],
+     "RequestTemplates": {
+      "application/json": "{ statusCode: 200 }"
+     },
+     "Type": "MOCK"
+    },
+    "MethodResponses": [
+     {
+      "ResponseParameters": {
+       "method.response.header.Access-Control-Allow-Headers": true,
+       "method.response.header.Access-Control-Allow-Origin": true,
+       "method.response.header.Access-Control-Allow-Methods": true
+      },
+      "StatusCode": "204"
+     }
+    ]
+   }
+  },
   "MyRestApiANY05143F93": {
    "Type": "AWS::ApiGateway::Method",
    "Properties": {
@@ -211,65 +314,80 @@
     ]
    }
   },
-  "MyAuthorizer6575980E": {
-   "Type": "AWS::ApiGateway::Authorizer",
+  "InvokeFunctionServiceRole3B980FD2": {
+   "Type": "AWS::IAM::Role",
    "Properties": {
-    "Name": "TokenAuthorizerIntegMyAuthorizer793B1D5F",
-    "RestApiId": {
-     "Ref": "MyRestApi2D1F47A9"
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "lambda.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
     },
-    "Type": "TOKEN",
-    "AuthorizerUri": {
-     "Fn::Join": [
-      "",
-      [
-       "arn:",
-       {
-        "Fn::Select": [
-         1,
-         {
-          "Fn::Split": [
-           ":",
-           {
-            "Fn::GetAtt": [
-             "MyAuthorizerFunction70F1223E",
-             "Arn"
-            ]
-           }
-          ]
-         }
-        ]
-       },
-       ":apigateway:",
-       {
-        "Fn::Select": [
-         3,
-         {
-          "Fn::Split": [
-           ":",
-           {
-            "Fn::GetAtt": [
-             "MyAuthorizerFunction70F1223E",
-             "Arn"
-            ]
-           }
-          ]
-         }
-        ]
-       },
-       ":lambda:path/2015-03-31/functions/",
-       {
-        "Fn::GetAtt": [
-         "MyAuthorizerFunction70F1223E",
-         "Arn"
-        ]
-       },
-       "/invocations"
+    "ManagedPolicyArns": [
+     {
+      "Fn::Join": [
+       "",
+       [
+        "arn:",
+        {
+         "Ref": "AWS::Partition"
+        },
+        ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+       ]
       ]
+     }
+    ]
+   }
+  },
+  "InvokeFunctionC517E46D": {
+   "Type": "AWS::Lambda::Function",
+   "Properties": {
+    "Code": {
+     "ZipFile": {
+      "Fn::Join": [
+       "",
+       [
+        "\nconst https = require('https');\nconst options = {\n  hostname: '",
+        {
+         "Ref": "MyRestApi2D1F47A9"
+        },
+        ".execute-api.",
+        {
+         "Ref": "AWS::Region"
+        },
+        ".",
+        {
+         "Ref": "AWS::URLSuffix"
+        },
+        "',\n  path: '/",
+        {
+         "Ref": "MyRestApiDeploymentStageprodC33B8E5F"
+        },
+        "',\n};\nexports.handler = async function(event) {\n  console.log(event);\n  options.method = event.method;\n  if ('authorization' in event) {\n    options.headers = {\n      Authorization: event.authorization,\n    };\n  }\n  let dataString = '';\n  const response = await new Promise((resolve, reject) => {\n    const req = https.request(options, (res) => {\n      res.on('data', data => {\n        dataString += data;\n      })\n      res.on('end', () => {\n        resolve({\n          statusCode: res.statusCode,\n          body: dataString,\n        });\n      })\n    });\n    req.on('error', err => {\n      reject({\n        statusCode: 500,\n        body: JSON.stringify({\n          cause: 'Something went wrong',\n          error: err,\n        })\n      });\n    });\n    req.end();\n  });\n  return response;\n}\n"
+       ]
+      ]
+     }
+    },
+    "Role": {
+     "Fn::GetAtt": [
+      "InvokeFunctionServiceRole3B980FD2",
+      "Arn"
      ]
     },
-    "IdentitySource": "method.request.header.Authorization"
-   }
+    "Handler": "index.handler",
+    "MemorySize": 250,
+    "Runtime": "nodejs16.x",
+    "Timeout": 10
+   },
+   "DependsOn": [
+    "InvokeFunctionServiceRole3B980FD2"
+   ]
   }
  },
  "Outputs": {
@@ -298,6 +416,14 @@
      ]
     ]
    }
+  },
+  "ExportsOutputRefInvokeFunctionC517E46D32C855B5": {
+   "Value": {
+    "Ref": "InvokeFunctionC517E46D"
+   },
+   "Export": {
+    "Name": "TokenAuthorizerInteg:ExportsOutputRefInvokeFunctionC517E46D32C855B5"
+   }
   }
  },
  "Parameters": {

packages/@aws-cdk/aws-apigateway/test/authorizers/token-authorizer.lit.integ.snapshot/TokenAuthorizerInteg.template.json packages/@aws-cdk/aws-apigateway/test/authorizers/token-authorizer.integ.snapshot/TokenAuthorizerInteg.template.json

@@ -0,0 +1,32 @@
+{
+  "version": "21.0.0",
+  "files": {
+    "456da4984f762c1c25e94bd5f2df6758d2b0884d0dae8ca59bb8f4e3de7c2136": {
+      "source": {
+        "path": "asset.456da4984f762c1c25e94bd5f2df6758d2b0884d0dae8ca59bb8f4e3de7c2136.bundle",
+        "packaging": "zip"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "456da4984f762c1c25e94bd5f2df6758d2b0884d0dae8ca59bb8f4e3de7c2136.zip",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    },
+    "663a8c1a16f9e427d0ecfe2215cb471b582dfce87e95f6bbf85d32c371692ece": {
+      "source": {
+        "path": "apigwtokenauthDefaultTestDeployAssert2CF60E05.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "663a8c1a16f9e427d0ecfe2215cb471b582dfce87e95f6bbf85d32c371692ece.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}

packages/@aws-cdk/aws-apigateway/test/authorizers/token-authorizer.integ.snapshot/apigwtokenauthDefaultTestDeployAssert2CF60E05.assets.json

@@ -0,0 +1,353 @@
+{
+ "Resources": {
+  "LambdaInvoke3deec958b1e945795e38da5fc2f86753": {
+   "Type": "Custom::DeployAssert@SdkCallLambdainvoke",
+   "Properties": {
+    "ServiceToken": {
+     "Fn::GetAtt": [
+      "SingletonFunction1488541a7b23466481b69b4408076b81HandlerCD40AE9F",
+      "Arn"
+     ]
+    },
+    "service": "Lambda",
+    "api": "invoke",
+    "expected": "{\"$ObjectLike\":{\"Payload\":{\"$StringLike\":\"200\"}}}",
+    "parameters": {
+     "FunctionName": {
+      "Fn::ImportValue": "TokenAuthorizerInteg:ExportsOutputRefInvokeFunctionC517E46D32C855B5"
+     },
+     "Payload": "{\"method\":\"GET\",\"authorization\":\"allow\"}"
+    },
+    "flattenResponse": "false",
+    "salt": "1665080757293"
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
+  "LambdaInvoke3deec958b1e945795e38da5fc2f86753InvokeCB0E5D28": {
+   "Type": "AWS::Lambda::Permission",
+   "Properties": {
+    "Action": "lambda:InvokeFunction",
+    "FunctionName": {
+     "Fn::ImportValue": "TokenAuthorizerInteg:ExportsOutputRefInvokeFunctionC517E46D32C855B5"
+    },
+    "Principal": {
+     "Fn::GetAtt": [
+      "SingletonFunction1488541a7b23466481b69b4408076b81Role37ABCE73",
+      "Arn"
+     ]
+    }
+   }
+  },
+  "SingletonFunction1488541a7b23466481b69b4408076b81Role37ABCE73": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Version": "2012-10-17",
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "lambda.amazonaws.com"
+       }
+      }
+     ]
+    },
+    "ManagedPolicyArns": [
+     {
+      "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+     }
+    ],
+    "Policies": [
+     {
+      "PolicyName": "Inline",
+      "PolicyDocument": {
+       "Version": "2012-10-17",
+       "Statement": [
+        {
+         "Action": [
+          "lambda:Invoke"
+         ],
+         "Effect": "Allow",
+         "Resource": [
+          "*"
+         ]
+        },
+        {
+         "Action": [
+          "lambda:InvokeFunction"
+         ],
+         "Effect": "Allow",
+         "Resource": [
+          {
+           "Fn::Join": [
+            "",
+            [
+             "arn:",
+             {
+              "Ref": "AWS::Partition"
+             },
+             ":lambda:",
+             {
+              "Ref": "AWS::Region"
+             },
+             ":",
+             {
+              "Ref": "AWS::AccountId"
+             },
+             ":function:",
+             {
+              "Fn::ImportValue": "TokenAuthorizerInteg:ExportsOutputRefInvokeFunctionC517E46D32C855B5"
+             }
+            ]
+           ]
+          }
+         ]
+        },
+        {
+         "Action": [
+          "lambda:Invoke"
+         ],
+         "Effect": "Allow",
+         "Resource": [
+          "*"
+         ]
+        },
+        {
+         "Action": [
+          "lambda:InvokeFunction"
+         ],
+         "Effect": "Allow",
+         "Resource": [
+          {
+           "Fn::Join": [
+            "",
+            [
+             "arn:",
+             {
+              "Ref": "AWS::Partition"
+             },
+             ":lambda:",
+             {
+              "Ref": "AWS::Region"
+             },
+             ":",
+             {
+              "Ref": "AWS::AccountId"
+             },
+             ":function:",
+             {
+              "Fn::ImportValue": "TokenAuthorizerInteg:ExportsOutputRefInvokeFunctionC517E46D32C855B5"
+             }
+            ]
+           ]
+          }
+         ]
+        },
+        {
+         "Action": [
+          "lambda:Invoke"
+         ],
+         "Effect": "Allow",
+         "Resource": [
+          "*"
+         ]
+        },
+        {
+         "Action": [
+          "lambda:InvokeFunction"
+         ],
+         "Effect": "Allow",
+         "Resource": [
+          {
+           "Fn::Join": [
+            "",
+            [
+             "arn:",
+             {
+              "Ref": "AWS::Partition"
+             },
+             ":lambda:",
+             {
+              "Ref": "AWS::Region"
+             },
+             ":",
+             {
+              "Ref": "AWS::AccountId"
+             },
+             ":function:",
+             {
+              "Fn::ImportValue": "TokenAuthorizerInteg:ExportsOutputRefInvokeFunctionC517E46D32C855B5"
+             }
+            ]
+           ]
+          }
+         ]
+        }
+       ]
+      }
+     }
+    ]
+   }
+  },
+  "SingletonFunction1488541a7b23466481b69b4408076b81HandlerCD40AE9F": {
+   "Type": "AWS::Lambda::Function",
+   "Properties": {
+    "Runtime": "nodejs14.x",
+    "Code": {
+     "S3Bucket": {
+      "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
+     },
+     "S3Key": "456da4984f762c1c25e94bd5f2df6758d2b0884d0dae8ca59bb8f4e3de7c2136.zip"
+    },
+    "Timeout": 120,
+    "Handler": "index.handler",
+    "Role": {
+     "Fn::GetAtt": [
+      "SingletonFunction1488541a7b23466481b69b4408076b81Role37ABCE73",
+      "Arn"
+     ]
+    }
+   }
+  },
+  "LambdaInvoke8e1b9f979f2329abf1ed6574d33d391a": {
+   "Type": "Custom::DeployAssert@SdkCallLambdainvoke",
+   "Properties": {
+    "ServiceToken": {
+     "Fn::GetAtt": [
+      "SingletonFunction1488541a7b23466481b69b4408076b81HandlerCD40AE9F",
+      "Arn"
+     ]
+    },
+    "service": "Lambda",
+    "api": "invoke",
+    "expected": "{\"$ObjectLike\":{\"Payload\":{\"$StringLike\":\"User is not authorized to access this resource with an explicit deny\"}}}",
+    "parameters": {
+     "FunctionName": {
+      "Fn::ImportValue": "TokenAuthorizerInteg:ExportsOutputRefInvokeFunctionC517E46D32C855B5"
+     },
+     "Payload": "{\"method\":\"GET\",\"authorization\":\"deny\"}"
+    },
+    "flattenResponse": "false",
+    "salt": "1665080757294"
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
+  "LambdaInvoke8e1b9f979f2329abf1ed6574d33d391aInvokeCCB91944": {
+   "Type": "AWS::Lambda::Permission",
+   "Properties": {
+    "Action": "lambda:InvokeFunction",
+    "FunctionName": {
+     "Fn::ImportValue": "TokenAuthorizerInteg:ExportsOutputRefInvokeFunctionC517E46D32C855B5"
+    },
+    "Principal": {
+     "Fn::GetAtt": [
+      "SingletonFunction1488541a7b23466481b69b4408076b81Role37ABCE73",
+      "Arn"
+     ]
+    }
+   }
+  },
+  "LambdaInvoke0532e3d95b2a56b147278c621e5800c4": {
+   "Type": "Custom::DeployAssert@SdkCallLambdainvoke",
+   "Properties": {
+    "ServiceToken": {
+     "Fn::GetAtt": [
+      "SingletonFunction1488541a7b23466481b69b4408076b81HandlerCD40AE9F",
+      "Arn"
+     ]
+    },
+    "service": "Lambda",
+    "api": "invoke",
+    "expected": "{\"$ObjectLike\":{\"Payload\":{\"$StringLike\":\"204\"}}}",
+    "parameters": {
+     "FunctionName": {
+      "Fn::ImportValue": "TokenAuthorizerInteg:ExportsOutputRefInvokeFunctionC517E46D32C855B5"
+     },
+     "Payload": "{\"method\":\"OPTIONS\"}"
+    },
+    "flattenResponse": "false",
+    "salt": "1665080757295"
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
+  "LambdaInvoke0532e3d95b2a56b147278c621e5800c4Invoke73472D9F": {
+   "Type": "AWS::Lambda::Permission",
+   "Properties": {
+    "Action": "lambda:InvokeFunction",
+    "FunctionName": {
+     "Fn::ImportValue": "TokenAuthorizerInteg:ExportsOutputRefInvokeFunctionC517E46D32C855B5"
+    },
+    "Principal": {
+     "Fn::GetAtt": [
+      "SingletonFunction1488541a7b23466481b69b4408076b81Role37ABCE73",
+      "Arn"
+     ]
+    }
+   }
+  }
+ },
+ "Outputs": {
+  "AssertionResultsLambdaInvoke3deec958b1e945795e38da5fc2f86753": {
+   "Value": {
+    "Fn::GetAtt": [
+     "LambdaInvoke3deec958b1e945795e38da5fc2f86753",
+     "assertion"
+    ]
+   }
+  },
+  "AssertionResultsLambdaInvoke8e1b9f979f2329abf1ed6574d33d391a": {
+   "Value": {
+    "Fn::GetAtt": [
+     "LambdaInvoke8e1b9f979f2329abf1ed6574d33d391a",
+     "assertion"
+    ]
+   }
+  },
+  "AssertionResultsLambdaInvoke0532e3d95b2a56b147278c621e5800c4": {
+   "Value": {
+    "Fn::GetAtt": [
+     "LambdaInvoke0532e3d95b2a56b147278c621e5800c4",
+     "assertion"
+    ]
+   }
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}

packages/@aws-cdk/aws-apigateway/test/authorizers/token-authorizer.integ.snapshot/apigwtokenauthDefaultTestDeployAssert2CF60E05.template.json

@@ -0,0 +1 @@
+{"version":"21.0.0"}

packages/@aws-cdk/aws-apigateway/test/authorizers/token-authorizer.integ.snapshot/asset.456da4984f762c1c25e94bd5f2df6758d2b0884d0dae8ca59bb8f4e3de7c2136.bundle/index.js

@@ -0,0 +1,12 @@
+{
+  "version": "21.0.0",
+  "testCases": {
+    "apigw-token-auth/DefaultTest": {
+      "stacks": [
+        "TokenAuthorizerInteg"
+      ],
+      "assertionStack": "apigw-token-auth/DefaultTest/DeployAssert",
+      "assertionStackName": "apigwtokenauthDefaultTestDeployAssert2CF60E05"
+    }
+  }
+}

packages/@aws-cdk/aws-apigateway/test/authorizers/token-authorizer.lit.integ.snapshot/asset.fec8e8354e12687c5a4b843b4e269741f53dec634946869b276f7fd1017845c3.handler/index.d.ts packages/@aws-cdk/aws-apigateway/test/authorizers/token-authorizer.integ.snapshot/asset.fec8e8354e12687c5a4b843b4e269741f53dec634946869b276f7fd1017845c3.handler/index.d.ts

@@ -0,0 +1,262 @@
+{
+  "version": "21.0.0",
+  "artifacts": {
+    "Tree": {
+      "type": "cdk:tree",
+      "properties": {
+        "file": "tree.json"
+      }
+    },
+    "TokenAuthorizerInteg.assets": {
+      "type": "cdk:asset-manifest",
+      "properties": {
+        "file": "TokenAuthorizerInteg.assets.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+      }
+    },
+    "TokenAuthorizerInteg": {
+      "type": "aws:cloudformation:stack",
+      "environment": "aws://unknown-account/unknown-region",
+      "properties": {
+        "templateFile": "TokenAuthorizerInteg.template.json",
+        "validateOnSynth": false,
+        "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
+        "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/d48b90b340d35b9bc726b78e652d17148e2449f6f756e4377428635071f68d09.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
+        "additionalDependencies": [
+          "TokenAuthorizerInteg.assets"
+        ],
+        "lookupRole": {
+          "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}",
+          "requiresBootstrapStackVersion": 8,
+          "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+        }
+      },
+      "dependencies": [
+        "TokenAuthorizerInteg.assets"
+      ],
+      "metadata": {
+        "/TokenAuthorizerInteg/MyAuthorizerFunction/ServiceRole/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyAuthorizerFunctionServiceRole8A34C19E"
+          }
+        ],
+        "/TokenAuthorizerInteg/MyAuthorizerFunction/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyAuthorizerFunction70F1223E"
+          }
+        ],
+        "/TokenAuthorizerInteg/MyAuthorizerFunction/TokenAuthorizerIntegMyAuthorizer793B1D5F:Permissions": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyAuthorizerFunctionTokenAuthorizerIntegMyAuthorizer793B1D5FPermissions7557AE26"
+          }
+        ],
+        "/TokenAuthorizerInteg/MyAuthorizer/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyAuthorizer6575980E"
+          }
+        ],
+        "/TokenAuthorizerInteg/MyRestApi/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyRestApi2D1F47A9"
+          }
+        ],
+        "/TokenAuthorizerInteg/MyRestApi/CloudWatchRole/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyRestApiCloudWatchRoleD4042E8E"
+          }
+        ],
+        "/TokenAuthorizerInteg/MyRestApi/Account": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyRestApiAccount2FB6DB7A"
+          }
+        ],
+        "/TokenAuthorizerInteg/MyRestApi/Deployment/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyRestApiDeploymentB555B582464879c8d1f9fcce2500f142532cdaec"
+          }
+        ],
+        "/TokenAuthorizerInteg/MyRestApi/DeploymentStage.prod/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyRestApiDeploymentStageprodC33B8E5F"
+          }
+        ],
+        "/TokenAuthorizerInteg/MyRestApi/Endpoint": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyRestApiEndpoint4C55E4CB"
+          }
+        ],
+        "/TokenAuthorizerInteg/MyRestApi/Default/OPTIONS/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyRestApiOPTIONS43BD7BF4"
+          }
+        ],
+        "/TokenAuthorizerInteg/MyRestApi/Default/ANY/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "MyRestApiANY05143F93"
+          }
+        ],
+        "/TokenAuthorizerInteg/InvokeFunction/ServiceRole/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "InvokeFunctionServiceRole3B980FD2"
+          }
+        ],
+        "/TokenAuthorizerInteg/InvokeFunction/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "InvokeFunctionC517E46D"
+          }
+        ],
+        "/TokenAuthorizerInteg/Exports/Output{\"Ref\":\"InvokeFunctionC517E46D\"}": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "ExportsOutputRefInvokeFunctionC517E46D32C855B5"
+          }
+        ],
+        "/TokenAuthorizerInteg/BootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "BootstrapVersion"
+          }
+        ],
+        "/TokenAuthorizerInteg/CheckBootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "CheckBootstrapVersion"
+          }
+        ]
+      },
+      "displayName": "TokenAuthorizerInteg"
+    },
+    "apigwtokenauthDefaultTestDeployAssert2CF60E05.assets": {
+      "type": "cdk:asset-manifest",
+      "properties": {
+        "file": "apigwtokenauthDefaultTestDeployAssert2CF60E05.assets.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+      }
+    },
+    "apigwtokenauthDefaultTestDeployAssert2CF60E05": {
+      "type": "aws:cloudformation:stack",
+      "environment": "aws://unknown-account/unknown-region",
+      "properties": {
+        "templateFile": "apigwtokenauthDefaultTestDeployAssert2CF60E05.template.json",
+        "validateOnSynth": false,
+        "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
+        "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/663a8c1a16f9e427d0ecfe2215cb471b582dfce87e95f6bbf85d32c371692ece.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
+        "additionalDependencies": [
+          "apigwtokenauthDefaultTestDeployAssert2CF60E05.assets"
+        ],
+        "lookupRole": {
+          "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}",
+          "requiresBootstrapStackVersion": 8,
+          "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+        }
+      },
+      "dependencies": [
+        "TokenAuthorizerInteg",
+        "apigwtokenauthDefaultTestDeployAssert2CF60E05.assets"
+      ],
+      "metadata": {
+        "/apigw-token-auth/DefaultTest/DeployAssert/LambdaInvoke3deec958b1e945795e38da5fc2f86753/Default/Default": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "LambdaInvoke3deec958b1e945795e38da5fc2f86753"
+          }
+        ],
+        "/apigw-token-auth/DefaultTest/DeployAssert/LambdaInvoke3deec958b1e945795e38da5fc2f86753/Invoke": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "LambdaInvoke3deec958b1e945795e38da5fc2f86753InvokeCB0E5D28"
+          }
+        ],
+        "/apigw-token-auth/DefaultTest/DeployAssert/LambdaInvoke3deec958b1e945795e38da5fc2f86753/AssertionResults": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "AssertionResultsLambdaInvoke3deec958b1e945795e38da5fc2f86753"
+          }
+        ],
+        "/apigw-token-auth/DefaultTest/DeployAssert/SingletonFunction1488541a7b23466481b69b4408076b81/Role": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "SingletonFunction1488541a7b23466481b69b4408076b81Role37ABCE73"
+          }
+        ],
+        "/apigw-token-auth/DefaultTest/DeployAssert/SingletonFunction1488541a7b23466481b69b4408076b81/Handler": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "SingletonFunction1488541a7b23466481b69b4408076b81HandlerCD40AE9F"
+          }
+        ],
+        "/apigw-token-auth/DefaultTest/DeployAssert/LambdaInvoke8e1b9f979f2329abf1ed6574d33d391a/Default/Default": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "LambdaInvoke8e1b9f979f2329abf1ed6574d33d391a"
+          }
+        ],
+        "/apigw-token-auth/DefaultTest/DeployAssert/LambdaInvoke8e1b9f979f2329abf1ed6574d33d391a/Invoke": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "LambdaInvoke8e1b9f979f2329abf1ed6574d33d391aInvokeCCB91944"
+          }
+        ],
+        "/apigw-token-auth/DefaultTest/DeployAssert/LambdaInvoke8e1b9f979f2329abf1ed6574d33d391a/AssertionResults": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "AssertionResultsLambdaInvoke8e1b9f979f2329abf1ed6574d33d391a"
+          }
+        ],
+        "/apigw-token-auth/DefaultTest/DeployAssert/LambdaInvoke0532e3d95b2a56b147278c621e5800c4/Default/Default": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "LambdaInvoke0532e3d95b2a56b147278c621e5800c4"
+          }
+        ],
+        "/apigw-token-auth/DefaultTest/DeployAssert/LambdaInvoke0532e3d95b2a56b147278c621e5800c4/Invoke": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "LambdaInvoke0532e3d95b2a56b147278c621e5800c4Invoke73472D9F"
+          }
+        ],
+        "/apigw-token-auth/DefaultTest/DeployAssert/LambdaInvoke0532e3d95b2a56b147278c621e5800c4/AssertionResults": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "AssertionResultsLambdaInvoke0532e3d95b2a56b147278c621e5800c4"
+          }
+        ],
+        "/apigw-token-auth/DefaultTest/DeployAssert/BootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "BootstrapVersion"
+          }
+        ],
+        "/apigw-token-auth/DefaultTest/DeployAssert/CheckBootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "CheckBootstrapVersion"
+          }
+        ]
+      },
+      "displayName": "apigw-token-auth/DefaultTest/DeployAssert"
+    }
+  }
+}

packages/@aws-cdk/aws-apigateway/test/authorizers/token-authorizer.lit.integ.snapshot/asset.fec8e8354e12687c5a4b843b4e269741f53dec634946869b276f7fd1017845c3.handler/index.js packages/@aws-cdk/aws-apigateway/test/authorizers/token-authorizer.integ.snapshot/asset.fec8e8354e12687c5a4b843b4e269741f53dec634946869b276f7fd1017845c3.handler/index.js

@@ -270,6 +270,66 @@ describe('lambda api', () => {
     });
   });
 
+  test('LambdaRestApi defines a REST API with CORS enabled and defaultMethodOptions', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+
+    const handler = new lambda.Function(stack, 'handler', {
+      handler: 'index.handler',
+      code: lambda.Code.fromInline('boom'),
+      runtime: lambda.Runtime.NODEJS_14_X,
+    });
+
+    // WHEN
+    new apigw.LambdaRestApi(stack, 'lambda-rest-api', {
+      handler,
+      defaultMethodOptions: {
+        authorizationType: apigw.AuthorizationType.IAM,
+      },
+      defaultCorsPreflightOptions: {
+        allowOrigins: ['https://aws.amazon.com'],
+        allowMethods: ['GET', 'PUT'],
+      },
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::ApiGateway::Method', {
+      HttpMethod: 'OPTIONS',
+      ResourceId: { Ref: 'lambdarestapiproxyE3AE07E3' },
+      AuthorizationType: 'NONE',
+      AuthorizerId: Match.absent(),
+      ApiKeyRequired: Match.absent(),
+      Integration: {
+        IntegrationResponses: [
+          {
+            ResponseParameters: {
+              'method.response.header.Access-Control-Allow-Headers': "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-User-Agent'",
+              'method.response.header.Access-Control-Allow-Origin': "'https://aws.amazon.com'",
+              'method.response.header.Vary': "'Origin'",
+              'method.response.header.Access-Control-Allow-Methods': "'GET,PUT'",
+            },
+            StatusCode: '204',
+          },
+        ],
+        RequestTemplates: {
+          'application/json': '{ statusCode: 200 }',
+        },
+        Type: 'MOCK',
+      },
+      MethodResponses: [
+        {
+          ResponseParameters: {
+            'method.response.header.Access-Control-Allow-Headers': true,
+            'method.response.header.Access-Control-Allow-Origin': true,
+            'method.response.header.Vary': true,
+            'method.response.header.Access-Control-Allow-Methods': true,
+          },
+          StatusCode: '204',
+        },
+      ],
+    });
+  });
+
   test('LambdaRestApi allows passing GENERATE_IF_NEEDED as the physical name', () => {
     // GIVEN
     const stack = new cdk.Stack();