feat(data-classes): add missing usageIdentifierKey

Author: Michael Brewer

aws_lambda_powertools/utilities/data_classes/api_gateway_authorizer_event.py

@@ -340,10 +340,15 @@ class HttpVerb(enum.Enum):
 
 
 class APIGatewayAuthorizerResponse:
-    """Api Gateway HTTP API V1 payload or Rest api authorizer response helper
+    """The IAM Policy Response required for API Gateway REST APIs and HTTP APIs.
 
     Based on: - https://github.com/awslabs/aws-apigateway-lambda-authorizer-blueprints/blob/\
     master/blueprints/python/api-gateway-authorizer-python.py
+
+    Documentation:
+    -------------
+    - https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-lambda-authorizer.html
+    - https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output.html
     """
 
     version = "2012-10-17"
@@ -360,6 +365,7 @@ def __init__(
         api_id: str,
         stage: str,
         context: Optional[Dict] = None,
+        usage_identifier_key: Optional[str] = None,
     ):
         """
         Parameters
@@ -388,13 +394,18 @@ def __init__(
         context : Dict, optional
             Optional, context.
             Note: only names of type string and values of type int, string or boolean are supported
+        usage_identifier_key: str, optional
+            If the API uses a usage plan (the apiKeySource is set to `AUTHORIZER`), the Lambda authorizer function
+            must return one of the usage plan's API keys as the usageIdentifierKey property value.
+            > **Note:** This only applies for REST APIs.
         """
+        self.principal_id = principal_id
         self.region = region
         self.aws_account_id = aws_account_id
         self.api_id = api_id
         self.stage = stage
-        self.principal_id = principal_id
         self.context = context
+        self.usage_identifier_key = usage_identifier_key
         self._allow_routes: List[Dict] = []
         self._deny_routes: List[Dict] = []
 
@@ -506,6 +517,9 @@ def asdict(self) -> Dict[str, Any]:
         response["policyDocument"]["Statement"].extend(self._get_statement_for_effect("Allow", self._allow_routes))
         response["policyDocument"]["Statement"].extend(self._get_statement_for_effect("Deny", self._deny_routes))
 
+        if self.usage_identifier_key:
+            response["usageIdentifierKey"] = self.usage_identifier_key
+
         if self.context:
             response["context"] = self.context
 

tests/functional/data_classes/test_api_gateway_authorizer.py

@@ -37,7 +37,7 @@ def test_authorizer_response_invalid_resource(builder: APIGatewayAuthorizerRespo
 
 
 def test_authorizer_response_allow_all_routes_with_context():
-    builder = APIGatewayAuthorizerResponse("foo", "us-west-1", "123456789", "fantom", "dev", {"name": "Foo"})
+    builder = APIGatewayAuthorizerResponse("foo", "us-west-1", "123456789", "fantom", "dev", context={"name": "Foo"})
     builder.allow_all_routes()
     assert builder.asdict() == {
         "principalId": "foo",
@@ -55,6 +55,25 @@ def test_authorizer_response_allow_all_routes_with_context():
     }
 
 
+def test_authorizer_response_allow_all_routes_with_usage_identifier_key():
+    builder = APIGatewayAuthorizerResponse("cow", "us-east-1", "1111111111", "api", "dev", usage_identifier_key="key")
+    builder.allow_all_routes()
+    assert builder.asdict() == {
+        "principalId": "cow",
+        "policyDocument": {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Action": "execute-api:Invoke",
+                    "Effect": "Allow",
+                    "Resource": ["arn:aws:execute-api:us-east-1:1111111111:api/dev/*/*"],
+                }
+            ],
+        },
+        "usageIdentifierKey": "key",
+    }
+
+
 def test_authorizer_response_deny_all_routes(builder: APIGatewayAuthorizerResponse):
     builder.deny_all_routes()
     assert builder.asdict() == {