appsync: Unable have 2 or more API Keys (GraphqlApi construct)

[orekav]

Describe the issue

By using the L2 Construct GraphQLApi we cannot create multiple API_KEYs, if we try to do so we get this error

    if (modes.filter((mode) => mode.authorizationType === AuthorizationType.API_KEY).length > 1) {
      throw new Error('You can\'t duplicate API_KEY configuration. See https://docs.aws.amazon.com/appsync/latest/devguide/security.html');
    }

My current workaround is this, I consider it a horrible thing to do but in the meantime is what I need.

const expires = cdk.Expiration.after(
    cdk.Duration.days(365)
).toEpoch();
const firstApiKey = new appsync.CfnApiKey(this, "FirstApiKey", {
    apiId: this.apiId,
    description: "First Light API Key",
    expires,
});
const secondApiKey = new appsync.CfnApiKey(this, "SecondApiKey", {
    apiId: this.apiId,
    description: "Second API Key",
    expires,
});

this.addSchemaDependency(firstApiKey);
this.addSchemaDependency(secondApiKey);

if (!this.modes.includes(appsync.AuthorizationType.API_KEY)) {
    const authenticationProvider: appsync.CfnGraphQLApi.AdditionalAuthenticationProviderProperty =
        { authenticationType: appsync.AuthorizationType.API_KEY };
    // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
    const cfnGraphQLApi = (this as any)
        .api as unknown as appsync.CfnGraphQLApi;
    const additionalAuthenticationProviders: typeof cfnGraphQLApi.additionalAuthenticationProviders =
        [authenticationProvider];

    if (
        cfnGraphQLApi.additionalAuthenticationProviders !==
        undefined
    ) {
        if (
            Array.isArray(
                cfnGraphQLApi.additionalAuthenticationProviders
            )
        ) {
            additionalAuthenticationProviders.push(
                ...cfnGraphQLApi.additionalAuthenticationProviders
            );
        } else {
            additionalAuthenticationProviders.push(
                cfnGraphQLApi.additionalAuthenticationProviders
            );
        }
    }
    cfnGraphQLApi.additionalAuthenticationProviders =
        additionalAuthenticationProviders;
}

Links

I have not seen anything in this link saying that multiple API Keys are a problem. Furthermore, I think in that case it should be a cdk_nag rule instead or a warning in CDK but not an error.

[pahud]

I can't find any relevant document about this either. Can you elaborate more about your use case that requires multiple api keys?

[orekav]

@pahud I have a migration from Serverless Framework to CDK. In order to maintain compatibility I need to be able to create certain number of API Keys for different external consumers. It is not possible to use anything different than API Keys, otherwise that will require them to do code changes that I cannot ask.

[uclaeamsavino]

So right now I can create multiple API Keys through the AppSync console with no problems. But it's not possible to do so through the CDK, and no one wants to merge @orekav's pull request or otherwise fix the issue?

@orekav - did you find a workaround? It seems like if you add extra API Keys through the console, they don't get destroyed when AppSync is updated, even if the CDK only specifies one API Key. But that's scary to rely on.