feat: Support EndpointAccessMode property for AWS::Serverless::Api (#3898)

Author: wandora58

docs/globals.rst

@@ -99,6 +99,7 @@ Currently, the following resources and properties are being supported:
       OpenApiVersion:
       Domain:
       SecurityPolicy:
+      EndpointAccessMode:
 
     HttpApi:
       # Properties of AWS::Serverless::HttpApi

integration/resources/expected/single/api_with_custom_domain_security_policy_edge.json

@@ -0,0 +1,26 @@
+[
+  {
+    "LogicalResourceId": "MyApi",
+    "ResourceType": "AWS::ApiGateway::RestApi"
+  },
+  {
+    "LogicalResourceId": "MyApiDeployment",
+    "ResourceType": "AWS::ApiGateway::Deployment"
+  },
+  {
+    "LogicalResourceId": "MyApiProdStage",
+    "ResourceType": "AWS::ApiGateway::Stage"
+  },
+  {
+    "LogicalResourceId": "ApiGatewayDomainName",
+    "ResourceType": "AWS::ApiGateway::DomainName"
+  },
+  {
+    "LogicalResourceId": "MyApiBasePathMapping",
+    "ResourceType": "AWS::ApiGateway::BasePathMapping"
+  },
+  {
+    "LogicalResourceId": "RecordSetGroup",
+    "ResourceType": "AWS::Route53::RecordSetGroup"
+  }
+]

integration/resources/expected/single/api_with_custom_domain_security_policy_regional.json

@@ -0,0 +1,26 @@
+[
+  {
+    "LogicalResourceId": "MyApi",
+    "ResourceType": "AWS::ApiGateway::RestApi"
+  },
+  {
+    "LogicalResourceId": "MyApiDeployment",
+    "ResourceType": "AWS::ApiGateway::Deployment"
+  },
+  {
+    "LogicalResourceId": "MyApiProdStage",
+    "ResourceType": "AWS::ApiGateway::Stage"
+  },
+  {
+    "LogicalResourceId": "ApiGatewayDomainName",
+    "ResourceType": "AWS::ApiGateway::DomainName"
+  },
+  {
+    "LogicalResourceId": "MyApiBasePathMapping",
+    "ResourceType": "AWS::ApiGateway::BasePathMapping"
+  },
+  {
+    "LogicalResourceId": "RecordSetGroup",
+    "ResourceType": "AWS::Route53::RecordSetGroup"
+  }
+]

integration/resources/expected/single/api_with_endpoint_access_mode.json

@@ -0,0 +1,14 @@
+[
+  {
+    "LogicalResourceId": "MyApi",
+    "ResourceType": "AWS::ApiGateway::RestApi"
+  },
+  {
+    "LogicalResourceId": "MyApiDeployment",
+    "ResourceType": "AWS::ApiGateway::Deployment"
+  },
+  {
+    "LogicalResourceId": "MyApiProdStage",
+    "ResourceType": "AWS::ApiGateway::Stage"
+  }
+]

integration/resources/templates/single/api_with_custom_domain_security_policy_edge.yaml

@@ -0,0 +1,27 @@
+Parameters:
+  DomainName:
+    Type: String
+  CertificateArn:
+    Type: String
+  HostedZoneId:
+    Type: String
+
+Resources:
+  MyApi:
+    Type: AWS::Serverless::Api
+    Properties:
+      StageName: Prod
+      DefinitionUri: ${definitionuri}
+      EndpointConfiguration:
+        Type: EDGE
+      Domain:
+        DomainName: !Ref DomainName
+        CertificateArn: !Ref CertificateArn
+        EndpointConfiguration: EDGE
+        SecurityPolicy: SecurityPolicy_TLS13_2025_EDGE
+        EndpointAccessMode: STRICT
+        Route53:
+          HostedZoneId: !Ref HostedZoneId
+
+Metadata:
+  SamTransformTest: true

integration/resources/templates/single/api_with_custom_domain_security_policy_regional.yaml

@@ -0,0 +1,27 @@
+Parameters:
+  DomainName:
+    Type: String
+  CertificateArn:
+    Type: String
+  HostedZoneId:
+    Type: String
+
+Resources:
+  MyApi:
+    Type: AWS::Serverless::Api
+    Properties:
+      StageName: Prod
+      DefinitionUri: ${definitionuri}
+      EndpointConfiguration:
+        Type: REGIONAL
+      Domain:
+        DomainName: !Ref DomainName
+        CertificateArn: !Ref CertificateArn
+        EndpointConfiguration: REGIONAL
+        SecurityPolicy: SecurityPolicy_TLS13_1_3_2025_09
+        EndpointAccessMode: STRICT
+        Route53:
+          HostedZoneId: !Ref HostedZoneId
+
+Metadata:
+  SamTransformTest: true

integration/resources/templates/single/api_with_endpoint_access_mode.yaml

@@ -0,0 +1,20 @@
+Parameters:
+  SecurityPolicyValue:
+    Type: String
+    Default: SecurityPolicy_TLS13_1_3_2025_09
+  EndpointAccessModeValue:
+    Type: String
+    Default: STRICT
+
+Resources:
+  MyApi:
+    Type: AWS::Serverless::Api
+    Properties:
+      StageName: Prod
+      DefinitionUri: ${definitionuri}
+      SecurityPolicy: !Ref SecurityPolicyValue
+      EndpointAccessMode: !Ref EndpointAccessModeValue
+      EndpointConfiguration:
+        Type: REGIONAL
+Metadata:
+  SamTransformTest: true

integration/single/test_api_with_custom_domain_security_policy.py

@@ -0,0 +1,39 @@
+from unittest.case import skipIf
+
+from integration.config.service_names import CUSTOM_DOMAIN
+from integration.helpers.base_internal_test import BaseInternalTest
+from integration.helpers.base_test import nonblocking
+from integration.helpers.resource import current_region_not_included
+
+
+@skipIf(
+    current_region_not_included([CUSTOM_DOMAIN]),
+    "Custom domain is not supported in this testing region",
+)
+@nonblocking
+class TestApiWithCustomDomainSecurityPolicy(BaseInternalTest):
+    """
+    Test AWS::Serverless::Api with SecurityPolicy and EndpointAccessMode in Domain configuration
+    """
+
+    def test_api_with_custom_domain_security_policy_regional(self):
+        self.create_and_verify_stack("single/api_with_custom_domain_security_policy_regional")
+
+        domain_name_id = self.get_physical_id_by_type("AWS::ApiGateway::DomainName")
+        result = self.client_provider.api_client.get_domain_name(domainName=domain_name_id)
+
+        end_point_config = result["endpointConfiguration"]
+        self.assertEqual(["REGIONAL"], end_point_config["types"])
+        self.assertEqual("SecurityPolicy_TLS13_1_3_2025_09", result["securityPolicy"])
+        self.assertEqual("STRICT", result["endpointAccessMode"])
+
+    def test_api_with_custom_domain_security_policy_edge(self):
+        self.create_and_verify_stack("single/api_with_custom_domain_security_policy_edge")
+
+        domain_name_id = self.get_physical_id_by_type("AWS::ApiGateway::DomainName")
+        result = self.client_provider.api_client.get_domain_name(domainName=domain_name_id)
+
+        end_point_config = result["endpointConfiguration"]
+        self.assertEqual(["EDGE"], end_point_config["types"])
+        self.assertEqual("SecurityPolicy_TLS13_2025_EDGE", result["securityPolicy"])
+        self.assertEqual("STRICT", result["endpointAccessMode"])

integration/single/test_api_with_endpoint_access_mode.py

@@ -0,0 +1,38 @@
+from unittest.case import skipIf
+
+from integration.config.service_names import REST_API
+from integration.helpers.base_test import BaseTest
+from integration.helpers.resource import current_region_does_not_support
+
+
+@skipIf(current_region_does_not_support([REST_API]), "Rest API is not supported in this testing region")
+class TestApiWithEndpointAccessMode(BaseTest):
+    """
+    Tests for AWS::Serverless::Api with EndpointAccessMode property
+    """
+
+    def test_api_with_endpoint_access_mode(self):
+        # Create stack with STRICT
+        parameters = [
+            {"ParameterKey": "SecurityPolicyValue", "ParameterValue": "SecurityPolicy_TLS13_1_3_2025_09"},
+            {"ParameterKey": "EndpointAccessModeValue", "ParameterValue": "STRICT"},
+        ]
+        self.create_and_verify_stack("single/api_with_endpoint_access_mode", parameters)
+
+        rest_api_id = self.get_physical_id_by_type("AWS::ApiGateway::RestApi")
+        rest_api = self.client_provider.api_client.get_rest_api(restApiId=rest_api_id)
+
+        self.assertEqual(rest_api["securityPolicy"], "SecurityPolicy_TLS13_1_3_2025_09")
+        self.assertEqual(rest_api["endpointAccessMode"], "STRICT")
+
+        # Update stack with BASIC
+        update_parameters = [
+            {"ParameterKey": "SecurityPolicyValue", "ParameterValue": "SecurityPolicy_TLS13_1_3_2025_09"},
+            {"ParameterKey": "EndpointAccessModeValue", "ParameterValue": "BASIC"},
+        ]
+        self.update_stack(parameters=update_parameters)
+
+        rest_api = self.client_provider.api_client.get_rest_api(restApiId=rest_api_id)
+
+        self.assertEqual(rest_api["securityPolicy"], "SecurityPolicy_TLS13_1_3_2025_09")
+        self.assertEqual(rest_api["endpointAccessMode"], "BASIC")

samtranslator/internal/schema_source/aws_serverless_api.py

@@ -196,6 +196,11 @@ class Domain(BaseModel):
     EndpointConfiguration: Optional[SamIntrinsicable[Literal["REGIONAL", "EDGE", "PRIVATE"]]] = domain(
         "EndpointConfiguration"
     )
+    EndpointAccessMode: Optional[PassThroughProp] = passthrough_prop(
+        DOMAIN_STEM,
+        "EndpointAccessMode",
+        ["AWS::ApiGateway::DomainName", "Properties", "EndpointAccessMode"],
+    )
     IpAddressType: Optional[PassThroughProp]  # TODO: add documentation; currently unavailable
     MutualTlsAuthentication: Optional[PassThroughProp] = passthrough_prop(
         DOMAIN_STEM,
@@ -306,6 +311,11 @@ class Properties(BaseModel):
     )
     DisableExecuteApiEndpoint: Optional[PassThroughProp] = properties("DisableExecuteApiEndpoint")
     Domain: Optional[Domain] = properties("Domain")
+    EndpointAccessMode: Optional[PassThroughProp] = passthrough_prop(
+        PROPERTIES_STEM,
+        "EndpointAccessMode",
+        ["AWS::ApiGateway::RestApi", "Properties", "EndpointAccessMode"],
+    )
     EndpointConfiguration: Optional[EndpointConfigurationType] = properties("EndpointConfiguration")
     FailOnWarnings: Optional[PassThroughProp] = passthrough_prop(
         PROPERTIES_STEM,
@@ -419,6 +429,11 @@ class Globals(BaseModel):
         "SecurityPolicy",
         ["AWS::ApiGateway::RestApi", "Properties", "SecurityPolicy"],
     )
+    EndpointAccessMode: Optional[PassThroughProp] = passthrough_prop(
+        PROPERTIES_STEM,
+        "EndpointAccessMode",
+        ["AWS::ApiGateway::RestApi", "Properties", "EndpointAccessMode"],
+    )
 
 
 class Resource(ResourceAttributes):