fix(api-gateway): add validation to variables property on Stage resource

packages/@aws-cdk/cx-api/FEATURE_FLAGS.md

@@ -17,6 +17,7 @@ Flags come in three types:
 
 | Flag | Summary | Since | Type |
 | ----- | ----- | ----- | ----- |
+| [@aws-cdk/aws-apigateway:requestValidatorUniqueId](#aws-cdkaws-apigatewayrequestvalidatoruniqueid) | Generate a unique id for each RequestValidator added to a method | V2·NEXT | (fix) |
 | [@aws-cdk/aws-route53-patters:useCertificate](#aws-cdkaws-route53-pattersusecertificate) | Use the official `Certificate` resource instead of `DnsValidatedCertificate` | V2·NEXT | (default) |
 | [@aws-cdk/core:newStyleStackSynthesis](#aws-cdkcorenewstylestacksynthesis) | Switch to new stack synthesis method which enables CI/CD | 2.0.0 | (fix) |
 | [@aws-cdk/core:stackRelativeExports](#aws-cdkcorestackrelativeexports) | Name exports based on the construct paths relative to the stack, rather than the global construct path | 2.0.0 | (fix) |
@@ -90,7 +91,8 @@ The following json shows the current recommended set of flags, as `cdk init` wou
     "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
     "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
     "@aws-cdk/aws-redshift:columnId": true,
-    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true
+    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
+    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true
   }
 }
 ```
@@ -320,6 +322,23 @@ Encryption can also be configured explicitly using the `encrypted` property.
 **Compatibility with old behavior:** Pass the `encrypted: false` property to the `FileSystem` construct to disable encryption.
 
 
+### @aws-cdk/aws-apigateway:requestValidatorUniqueId
+
+*Generate a unique id for each RequestValidator added to a method* (fix)
+
+This flag allows multiple RequestValidators to be added to a RestApi when
+providing the `RequestValidatorOptions` in the `addMethod()` method.
+
+If the flag is not set then only a single RequestValidator can be added in this way.
+Any additional RequestValidators have to be created directly with `new RequestValidator`.
+
+
+| Since | Default | Recommended |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| V2·NEXT | `false` | `true` |
+
+
 ### @aws-cdk/aws-route53-patters:useCertificate
 
 *Use the official `Certificate` resource instead of `DnsValidatedCertificate`* (default)

packages/aws-cdk-lib/aws-apigateway/lib/lambda-api.ts

@@ -1,9 +1,10 @@
-import * as lambda from '../../aws-lambda';
+// import * as cdk from '../../core';
 import { Construct } from 'constructs';
 import { LambdaIntegration, LambdaIntegrationOptions } from './integrations';
 import { Method } from './method';
 import { ProxyResource, Resource } from './resource';
 import { RestApi, RestApiProps } from './restapi';
+import * as lambda from '../../aws-lambda';
 
 export interface LambdaRestApiProps extends RestApiProps {
   /**
@@ -68,6 +69,22 @@ export class LambdaRestApi extends RestApi {
       this.root.addMethod = addMethodThrows;
       this.root.addProxy = addProxyThrows;
     }
+
+    this.node.addValidation({
+      validate() {
+        if (props.deployOptions?.variables) {
+          for (let key in props.deployOptions.variables) {
+            // Checks that variable Stage values match regex
+            const regexp = /[A-Za-z0-9-._~:/?#&=,]+/;
+            const value = props.deployOptions.variables[key];
+            if (value.match(regexp) === null) {
+              return ['Stage variable value ' + value + ' does not match the regex.'];
+            }
+          }
+        }
+        return [];
+      },
+    });
   }
 }
 

packages/aws-cdk-lib/aws-apigateway/test/lambda-api.test.ts

@@ -2,6 +2,7 @@ import { Match, Template } from '../../assertions';
 import * as lambda from '../../aws-lambda';
 import * as cdk from '../../core';
 import * as apigw from '../lib';
+import { LambdaRestApi } from '../lib';
 
 describe('lambda api', () => {
   test('LambdaRestApi defines a REST API with Lambda proxy integration', () => {
@@ -405,4 +406,33 @@ describe('lambda api', () => {
       },
     });
   });
+
+  test('setting deployOptions variable with invalid value throws validation error', () => {
+    // GIVEN
+    const app = new cdk.App();
+    const stack = new cdk.Stack(app);
+
+    const handler = new lambda.Function(stack, 'handler', {
+      handler: 'index.handler',
+      code: lambda.Code.fromInline('boom'),
+      runtime: lambda.Runtime.NODEJS_10_X,
+    });
+
+    const versionAlias = lambda.Version.fromVersionAttributes(stack, 'VersionInfo', {
+      lambda: handler,
+      version: '${stageVariables.lambdaAlias}',
+    });
+
+    new LambdaRestApi(stack, 'RestApi', {
+      restApiName: 'my-test-api',
+      handler: versionAlias,
+      deployOptions: {
+        variables: {
+          functionName: '$$$',
+        },
+      },
+    });
+
+    expect(() => app.synth()).toThrow('Validation failed with the following errors:\n  [Default/RestApi] Stage variable value $$$ does not match the regex.');
+  });
 });

packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md

@@ -17,6 +17,7 @@ Flags come in three types:
 
 | Flag | Summary | Since | Type |
 | ----- | ----- | ----- | ----- |
+| [@aws-cdk/aws-apigateway:requestValidatorUniqueId](#aws-cdkaws-apigatewayrequestvalidatoruniqueid) | Generate a unique id for each RequestValidator added to a method | V2·NEXT | (fix) |
 | [@aws-cdk/aws-route53-patters:useCertificate](#aws-cdkaws-route53-pattersusecertificate) | Use the official `Certificate` resource instead of `DnsValidatedCertificate` | V2·NEXT | (default) |
 | [@aws-cdk/core:newStyleStackSynthesis](#aws-cdkcorenewstylestacksynthesis) | Switch to new stack synthesis method which enables CI/CD | 2.0.0 | (fix) |
 | [@aws-cdk/core:stackRelativeExports](#aws-cdkcorestackrelativeexports) | Name exports based on the construct paths relative to the stack, rather than the global construct path | 2.0.0 | (fix) |
@@ -90,7 +91,8 @@ The following json shows the current recommended set of flags, as `cdk init` wou
     "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
     "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
     "@aws-cdk/aws-redshift:columnId": true,
-    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true
+    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
+    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true
   }
 }
 ```
@@ -320,6 +322,23 @@ Encryption can also be configured explicitly using the `encrypted` property.
 **Compatibility with old behavior:** Pass the `encrypted: false` property to the `FileSystem` construct to disable encryption.
 
 
+### @aws-cdk/aws-apigateway:requestValidatorUniqueId
+
+*Generate a unique id for each RequestValidator added to a method* (fix)
+
+This flag allows multiple RequestValidators to be added to a RestApi when
+providing the `RequestValidatorOptions` in the `addMethod()` method.
+
+If the flag is not set then only a single RequestValidator can be added in this way.
+Any additional RequestValidators have to be created directly with `new RequestValidator`.
+
+
+| Since | Default | Recommended |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| V2·NEXT | `false` | `true` |
+
+
 ### @aws-cdk/aws-route53-patters:useCertificate
 
 *Use the official `Certificate` resource instead of `DnsValidatedCertificate`* (default)