Help improve AWS Support Official channel in re:Post and share your experience - complete a quick three-question survey to earn a re:Post badge!
Why can I not disable REST API default endpoint via CloudFormation?
I have a few CloudFormation stacks containing API Gateway APIs (v1) as part of a new service I'm implementing. I will be adding some custom domain names for them eventually, and in advance of doing so I'm wanting to disable the default endpoints (as in .execute-api..amazonaws.com) as per the API Gateway docs and the CloudFormation docs.
However—even though I thought I had it working earlier this week—it appears that CloudFormation is failing to disable the endpoints in question, but is also not throwing any errors about it. I've confirmed my template has the correct property set:
"ApiGatewayRestApi": {
"Type": "AWS::ApiGateway::RestApi",
"Properties": {
"Name": "**************",
"DisableExecuteApiEndpoint": true,
"EndpointConfiguration": {
"Types": [
"EDGE"
]
},
"Policy": {
And the stack shows UPDATE_COMPLETE. But when I look at the resulting API in the AWS Console, or fetch the details of it using the AWS CLI, it reports that the default endpoint is still active:
- Newest
- Most votes
- Most comments
It appears that you are encountering an issue where CloudFormation is not successfully disabling the default endpoint for your REST API, despite having the correct configuration in your template. This behavior is unexpected, as CloudFormation should be able to disable the default endpoint for REST APIs.
There are a few potential reasons why this might be happening:
-
API Deployment: After making changes to the API configuration, including disabling the default endpoint, you need to deploy the API for the changes to take effect. CloudFormation might not be automatically creating a new deployment when you update the RestApi resource. You may need to explicitly create a new deployment or update an existing deployment in your CloudFormation template.
-
CloudFormation Behavior: There might be a discrepancy between what CloudFormation reports as successful and what actually gets applied to the API Gateway configuration. CloudFormation might be considering the update complete without actually applying the change to disable the default endpoint.
-
API Gateway Caching: There's a possibility that the API Gateway console or CLI might be showing cached information, and the change hasn't propagated yet.
To troubleshoot and potentially resolve this issue, you can try the following:
-
Ensure you have a deployment resource in your CloudFormation template that gets updated when you make changes to the API configuration.
-
After updating your stack, try manually creating a new deployment for your API using the AWS CLI or console to see if that applies the change.
-
If the issue persists, you may need to reach out to AWS support for further assistance, as this behavior seems inconsistent with the documented functionality.
-
As a workaround, you could consider using the AWS Serverless Application Model (SAM) to define your API, which provides a simpler way to manage API Gateway resources and might handle this configuration more reliably.
Remember that even if you disable the default endpoint, clients can still attempt to connect to it, but they will receive a 403 Forbidden response. Ensure that you have set up your custom domain name before fully disabling the default endpoint to avoid service interruptions.
Sources
Disable the default endpoint for REST APIs - Amazon API Gateway
AWS::Serverless::Api - AWS Serverless Application Model
This issue was being caused by an old obsolete plugin for the Serverless Framework, specifically `serverless-apigw-binary', which was doing a post-deploy modification to the REST API in API Gateway that unintentionally was resetting some features of the API to their defaults, including not only the default endpoint (to Active instead of disabled), but also the API key source (to HEADER, instead of AUTHORIZER) as previously reported here: https://github.com/maciejtreder/serverless-apigw-binary/issues/53
Anybody relying on that plugin should upgrade their Serverless, as it now supports the setting of binary media types directly, anyway: https://www.serverless.com/framework/docs/providers/aws/events/apigateway#binary-media-types
Relevant content
- asked 5 years ago
I've confirmed that a brand new stack with the disable-default-endpoint setting enabled does not disable the default endpoint, and I've redeployed that stack several times, include with other changes that DID get made successfully, including to the API Gateway API, and still the default endpoint remains active.