Add gatewayResponses trait and OpenAPI mapper (smithy-lang#3089)

* Add gatewayResponses trait and OpenAPI mapper

API Gateway REST APIs support custom gateway responses that
customize error responses for authentication failures, integration
errors, and other API Gateway-generated errors.

Add the `aws.apigateway#gatewayResponses` map trait that maps
response type keys to gateway response structures containing
statusCode, responseParameters, and responseTemplates. The OpenAPI
mapper writes the trait value to the
`x-amazon-apigateway-gateway-responses` extension. The mapper runs
before the CORS gateway responses mapper so that customer-defined
response parameters take precedence over CORS-generated headers.

* Refactor GatewayResponsesTrait to use builder pattern

Add GatewayResponse value class with builder following the same
pattern as AuthorizersTrait and DefineConditionKeysTrait. Add
DANGER validator for gatewayResponses and CORS conflicts. Fix
RST header formatting in documentation.

* Update smithy-aws-apigateway-openapi/src/main/java/software/amazon/smithy/aws/apigateway/openapi/AddGatewayResponses.java

Co-authored-by: Manuel Sugawara <sugmanue@amazon.com>

* Update smithy-aws-apigateway-traits/src/main/java/software/amazon/smithy/aws/apigateway/traits/GatewayResponsesTrait.java

Co-authored-by: Manuel Sugawara <sugmanue@amazon.com>

* Update smithy-aws-apigateway-traits/src/main/java/software/amazon/smithy/aws/apigateway/traits/GatewayResponsesTrait.java

Co-authored-by: Manuel Sugawara <sugmanue@amazon.com>

* Update smithy-aws-apigateway-traits/src/main/java/software/amazon/smithy/aws/apigateway/traits/GatewayResponsesTrait.java

Co-authored-by: Manuel Sugawara <sugmanue@amazon.com>

* Update smithy-aws-apigateway-traits/src/main/java/software/amazon/smithy/aws/apigateway/traits/GatewayResponsesTrait.java

Co-authored-by: Manuel Sugawara <sugmanue@amazon.com>

* Update smithy-aws-apigateway-traits/src/main/java/software/amazon/smithy/aws/apigateway/traits/GatewayResponsesTrait.java

Co-authored-by: Manuel Sugawara <sugmanue@amazon.com>

* Replace streams with loops and add bulk builder methods

Replace stream-based serialization with plain loops in
GatewayResponse.toNode() and GatewayResponsesTrait.createNode().
Add responses(), responseParameters(), and responseTemplates()
bulk setter methods to the builders.

* Update smithy-aws-apigateway-traits/src/main/java/software/amazon/smithy/aws/apigateway/traits/GatewayResponse.java

* Update smithy-aws-apigateway-traits/src/main/java/software/amazon/smithy/aws/apigateway/traits/GatewayResponse.java

* Update smithy-aws-apigateway-traits/src/main/java/software/amazon/smithy/aws/apigateway/traits/GatewayResponsesTrait.java

* Update smithy-aws-apigateway-traits/src/main/java/software/amazon/smithy/aws/apigateway/traits/GatewayResponsesTrait.java

* Update smithy-aws-apigateway-openapi/src/main/java/software/amazon/smithy/aws/apigateway/openapi/AddGatewayResponses.java

* Update smithy-aws-apigateway-traits/src/main/java/software/amazon/smithy/aws/apigateway/traits/GatewayResponsesTrait.java

* Update smithy-aws-apigateway-traits/src/main/java/software/amazon/smithy/aws/apigateway/traits/GatewayResponsesTrait.java

---------

Co-authored-by: Manuel Sugawara <sugmanue@amazon.com>

Author: mee-aa

.changes/next-release/feature-a9137307ddc4298147690ffa212c94060b9710d7.json

@@ -0,0 +1,7 @@
+{
+  "type": "feature",
+  "description": "Added `aws.apigateway#gatewayResponses` trait and OpenAPI mapper with DANGER validation for CORS conflicts",
+  "pull_requests": [
+    "[#3089](https://github.com/smithy-lang/smithy/pull/3089)"
+  ]
+}

docs/source-2.0/aws/amazon-apigateway.rst

@@ -59,48 +59,6 @@ The following example sets the ``X-API-Key`` header as the API key source.
     customers.
 
 
-.. smithy-trait:: aws.apigateway#apiKeyRequired
-.. _aws.apigateway#apiKeyRequired-trait:
-
----------------------------------------
-``aws.apigateway#apiKeyRequired`` trait
----------------------------------------
-
-Summary
-    Indicates that an operation requires an API key for API Gateway usage
-    plan enforcement.
-Trait selector
-    ``operation``
-Value type
-    Annotation trait (no value)
-See also
-    - `Create and Use Usage Plans with API Keys`_ for more information on
-      API key enforcement
-
-The following example requires an API key on the ``ListItems`` operation
-but not on ``HealthCheck``:
-
-.. code-block:: smithy
-
-    $version: "2"
-
-    namespace smithy.example
-
-    use aws.apigateway#apiKeyRequired
-
-    @apiKeyRequired
-    @http(method: "GET", uri: "/items")
-    operation ListItems {}
-
-    @http(method: "GET", uri: "/health")
-    operation HealthCheck {}
-
-.. note::
-
-    This trait should be considered internal-only and not exposed to your
-    customers.
-
-
 .. smithy-trait:: aws.apigateway#authorizers
 .. _aws.apigateway#authorizers-trait:
 
@@ -282,41 +240,6 @@ Value type
     customers.
 
 
-.. smithy-trait:: aws.apigateway#minimumCompressionSize
-.. _aws.apigateway#minimumCompressionSize-trait:
-
------------------------------------------------
-``aws.apigateway#minimumCompressionSize`` trait
------------------------------------------------
-
-Summary
-    Defines the minimum payload size in bytes at which compression is applied
-    on an API Gateway REST API.
-Trait selector
-    ``service``
-Value type
-    ``integer`` value between 0 and 10485760 (10MB).
-See also
-    - `Payload compression for REST APIs`_ for more information
-    - `x-amazon-apigateway-minimum-compression-size`_ for how this relates
-      to OpenAPI
-
-The following example sets the minimum compression size to 10240 bytes:
-
-.. code-block:: smithy
-
-    $version: "2"
-
-    namespace smithy.example
-
-    use aws.apigateway#minimumCompressionSize
-
-    @minimumCompressionSize(10240)
-    service Weather {
-        version: "2018-03-17"
-    }
-
-
 .. smithy-trait:: aws.apigateway#requestValidator
 .. _aws.apigateway#requestValidator-trait:
 
@@ -485,25 +408,6 @@ following members:
       - Defines the method's responses and specifies desired parameter
         mappings or payload mappings from integration responses to method
         responses.
-    * - tlsConfig
-      - ``structure``
-      - Specifies the TLS configuration for an integration. Supported only
-        for HTTP and HTTP_PROXY integration types. Contains the following
-        member:
-
-        - ``insecureSkipVerification`` (``boolean``): When set to ``true``,
-          API Gateway skips verification that the certificate for an
-          integration endpoint is issued by a supported certificate
-          authority.
-    * - responseTransferMode
-      - ``string``
-      - Specifies how the response payload is transferred between the
-        integration and the caller. Valid values are ``BUFFERED`` and
-        ``STREAM``.
-    * - integrationTarget
-      - ``string``
-      - The ARN of an ALB or NLB listener for private integrations using
-        VPC Links V2.
 
 The following example defines an integration that is applied to every
 operation within the service.
@@ -681,29 +585,27 @@ The following example defines an operation that uses a mock integration.
     customers.
 
 
-.. smithy-trait:: aws.apigateway#endpointConfiguration
-.. _aws.apigateway#endpointConfiguration-trait:
+.. smithy-trait:: aws.apigateway#gatewayResponses
+.. _aws.apigateway#gatewayResponses-trait:
 
----------------------------------------------------
-``aws.apigateway#endpointConfiguration`` trait
----------------------------------------------------
+-----------------------------------------
+``aws.apigateway#gatewayResponses`` trait
+-----------------------------------------
 
 Summary
-    Defines the endpoint configuration for an API Gateway REST API,
-    including the endpoint type, Virtual Private Cloud (VPC) `endpoint IDs`_,
-    and whether the default ``execute-api`` endpoint is disabled.
+    Defines custom gateway responses for an API Gateway REST API. Gateway
+    responses customize error responses for authentication failures,
+    integration errors, and other API Gateway-generated errors.
 Trait selector
     ``service``
 Value type
-    ``structure``
+    ``map`` of response type ``string`` to ``GatewayResponse`` structure
 See also
-    - `API endpoint types for REST APIs`_ for more information on
-      endpoint types
-    - `x-amazon-apigateway-endpoint-configuration`_ for the related
-      OpenAPI extension
+    - `x-amazon-apigateway-gateway-responses`_ for the related OpenAPI
+      extension
+    - `Gateway response types`_ for the list of valid response type keys
 
-The ``aws.apigateway#endpointConfiguration`` trait is a structure that
-supports the following members:
+The ``GatewayResponse`` structure supports the following members:
 
 .. list-table::
     :header-rows: 1
@@ -712,111 +614,58 @@ supports the following members:
     * - Property
       - Type
       - Description
-    * - types
-      - ``list`` of ``string`` **required**
-      - The endpoint types for the API. Valid values are ``EDGE``,
-        ``REGIONAL``, and ``PRIVATE``.
-    * - vpcEndpointIds
-      - ``list`` of ``string``
-      - A list of VPC endpoint IDs for ``PRIVATE`` endpoint type APIs.
-    * - disableExecuteApiEndpoint
-      - ``boolean``
-      - Whether clients can invoke the API using the default
-        ``execute-api`` endpoint.
-
-The following example configures a private API with a VPC endpoint and
-disables the default endpoint:
-
-.. code-block:: smithy
-
-    $version: "2"
-
-    namespace smithy.example
-
-    use aws.apigateway#endpointConfiguration
-
-    @endpointConfiguration(
-        types: ["PRIVATE"]
-        vpcEndpointIds: ["vpce-0212a4ababd5b8c3e"]
-        disableExecuteApiEndpoint: true
-    )
-    service Weather {
-      version: "2018-03-17"
-    }
-
-.. note::
-
-    This trait should be considered internal-only and not exposed to your
-    customers.
-
-
-.. smithy-trait:: aws.apigateway#resourcePolicy
-.. _aws.apigateway#resourcePolicy-trait:
-
----------------------------------------
-``aws.apigateway#resourcePolicy`` trait
----------------------------------------
-
-Summary
-    Defines a resource policy for an API Gateway REST API. A resource
-    policy is a JSON policy document attached to an API that controls
-    whether a specified principal (typically an IAM role or group) can
-    invoke the API.
-Trait selector
-    ``service``
-Value type
-    ``document``
-See also
-    - `Resource policies for REST APIs`_ for more information
-    - `x-amazon-apigateway-policy`_ for how this relates to OpenAPI
+    * - statusCode
+      - ``string``
+      - The HTTP status code for the gateway response.
+    * - responseParameters
+      - ``map`` of ``string`` to ``string``
+      - Response parameters for the gateway response. Keys use the format
+        ``gatewayresponse.header.<header-name>``.
+    * - responseTemplates
+      - ``map`` of ``string`` to ``string``
+      - Response templates keyed by media type.
 
 .. note::
 
-    Smithy does not validate the contents of the resource policy document.
-    The policy is passed through to API Gateway, which validates it at
-    import time.
+    Response type keys (``DEFAULT_4XX``, ``DEFAULT_5XX``,
+    ``INVALID_API_KEY``, etc.) are validated by API Gateway at import
+    time, not by Smithy. When both ``@gatewayResponses`` and ``@cors``
+    are applied to a service, the gateway responses take precedence.
+    The CORS mapper merges its headers into gateway responses without
+    overwriting customer-defined response parameters.
 
-The following example defines a resource policy that allows any principal to
-invoke the API except for requests from the specified source IP address block:
+The following example defines custom gateway responses for 4xx and 5xx
+errors:
 
 .. code-block:: smithy
 
     $version: "2"
 
     namespace smithy.example
 
-    use aws.apigateway#resourcePolicy
+    use aws.apigateway#gatewayResponses
 
-    @resourcePolicy({
-        "Version": "2012-10-17"
-        "Statement": [
-            {
-                "Effect": "Allow"
-                "Principal": "*"
-                "Action": "execute-api:Invoke"
-                "Resource": ["execute-api:/*"]
+    @gatewayResponses(
+        "DEFAULT_4XX": {
+            statusCode: "400"
+            responseParameters: {
+                "gatewayresponse.header.Access-Control-Allow-Origin": "'*'"
             }
-            {
-                "Effect": "Deny"
-                "Principal": "*"
-                "Action": "execute-api:Invoke"
-                "Resource": ["execute-api:/*"]
-                "Condition": {
-                    "IpAddress": {
-                        "aws:SourceIp": "192.0.2.0/24"
-                    }
-                }
+            responseTemplates: {
+                "application/json": "{\"message\": \"bad request\"}"
             }
-        ]
-    })
+        }
+        "DEFAULT_5XX": {
+            statusCode: "500"
+            responseTemplates: {
+                "application/json": "{\"message\": \"Internal server error\"}"
+            }
+        }
+    )
     service Weather {
       version: "2018-03-17"
     }
 
-.. note::
-
-    This trait should be considered internal-only and not exposed to your
-    customers.
 
 -----------------------
 Shared trait data types
@@ -1110,25 +959,20 @@ integration response to two ``header`` parameters of the method response.
 
 
 .. _Enable Request Validation in API Gateway: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-method-request-validation.html
-.. _x-amazon-apigateway-request-validator: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-swagger-extensions-request-validator.html
+.. _x-amazon-apigateway-request-validator: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-swagger-extensions-request-validators.requestValidator.html
 .. _x-amazon-apigateway-request-validators: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-swagger-extensions-request-validators.html
 .. _Granting Permissions Using a Resource Policy: https://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html#intro-permission-model-access-policy
-.. _Integration.passthroughBehavior: https://docs.aws.amazon.com/apigateway/latest/api/API_Integration.html#passthroughBehavior
-.. _VpcLink: https://docs.aws.amazon.com/apigateway/latest/api/API_VpcLink.html
+.. _Integration.passthroughBehavior: https://docs.aws.amazon.com/apigateway/api-reference/resource/integration/#passthroughBehavior
+.. _VpcLink: https://docs.aws.amazon.com/apigateway/api-reference/resource/vpc-link/
 .. _x-amazon-apigateway-integration: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-swagger-extensions-integration.html
-.. _API Gateway integration: https://docs.aws.amazon.com/apigateway/latest/api/API_Integration.html
+.. _API Gateway integration: https://docs.aws.amazon.com/apigateway/api-reference/resource/integration/
 .. _Lambda authorizers: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-swagger-extensions-authorizer.html
 .. _x-amazon-apigateway-authtype: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-swagger-extensions-authtype.html
 .. _Create and Use Usage Plans with API Keys: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-usage-plans.html
 .. _Choose an API Key Source: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-key-source.html
 .. _x-amazon-apigateway-api-key-source: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-swagger-extensions-api-key-source.html
-.. _IntegrationResponse: https://docs.aws.amazon.com/apigateway/latest/api/API_IntegrationResponse.html
+.. _IntegrationResponse: https://docs.aws.amazon.com/apigateway/api-reference/resource/integration-response/
 .. _mapping templates: https://docs.aws.amazon.com/apigateway/latest/developerguide/models-mappings.html#models-mappings-mappings
 .. _Lambda Authorizers Payload Format: https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-lambda-authorizer.html#http-api-lambda-authorizer.payload-format
-.. _x-amazon-apigateway-endpoint-configuration: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-swagger-extensions-endpoint-configuration.html
-.. _API endpoint types for REST APIs: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-endpoint-types.html
-.. _endpoint IDs: https://docs.aws.amazon.com/vpc/latest/privatelink/concepts.html#concepts-vpc-endpoints
-.. _Payload compression for REST APIs: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-gzip-compression-decompression.html
-.. _x-amazon-apigateway-minimum-compression-size: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-openapi-minimum-compression-size.html
-.. _Resource policies for REST APIs: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies.html
-.. _x-amazon-apigateway-policy: https://docs.aws.amazon.com/apigateway/latest/developerguide/openapi-extensions-policy.html
+.. _x-amazon-apigateway-gateway-responses: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-swagger-extensions-gateway-responses.html
+.. _Gateway response types: https://docs.aws.amazon.com/apigateway/latest/developerguide/supported-gateway-response-types.html