fix(appsync): Create Lambda permission when using Lambda Authorizer(#… (

#20641) This PR will fix #20234 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Jun 13, 2022 · 6176400 · 6176400
1 parent a6fe2cb
commit 6176400
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 5 deletions.
diff --git a/packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts b/packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts
@@ -167,11 +167,6 @@ export interface OpenIdConnectConfig {
 export interface LambdaAuthorizerConfig {
   /**
    * The authorizer lambda function.
-   * Note: This Lambda function must have the following resource-based policy assigned to it.
-   * When configuring Lambda authorizers in the console, this is done for you.
-   * To do so with the AWS CLI, run the following:
-   *
-   * `aws lambda add-permission --function-name "arn:aws:lambda:us-east-2:111122223333:function:my-function" --statement-id "appsync" --principal appsync.amazonaws.com --action lambda:InvokeFunction`
    *
    * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-appsync-graphqlapi-lambdaauthorizerconfig.html
    */
@@ -519,6 +514,17 @@ export class GraphqlApi extends GraphqlApiBase {
       this.apiKeyResource.addDependsOn(this.schemaResource);
       this.apiKey = this.apiKeyResource.attrApiKey;
     }
+
+    if (modes.some((mode) => mode.authorizationType === AuthorizationType.LAMBDA)) {
+      const config = modes.find((mode: AuthorizationMode) => {
+        return mode.authorizationType === AuthorizationType.LAMBDA && mode.lambdaAuthorizerConfig;
+      })?.lambdaAuthorizerConfig;
+      config?.handler.addPermission('appsync', {
+        principal: new ServicePrincipal('appsync.amazonaws.com'),
+        action: 'lambda:InvokeFunction',
+      });
+    }
+
   }
 
   /**

diff --git a/packages/@aws-cdk/aws-appsync/test/appsync-auth.test.ts b/packages/@aws-cdk/aws-appsync/test/appsync-auth.test.ts
@@ -669,6 +669,18 @@ describe('AppSync Lambda Authorization', () => {
         },
       },
     });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
+      Action: 'lambda:InvokeFunction',
+      FunctionName: {
+        'Fn::GetAtt': [
+          'authfunction96361832',
+          'Arn',
+        ],
+      },
+    });
+
+
   });
 
   test('Lambda authorization configurable in default authorization', () => {
@@ -702,6 +714,15 @@ describe('AppSync Lambda Authorization', () => {
         IdentityValidationExpression: 'custom-.*',
       },
     });
+    Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
+      Action: 'lambda:InvokeFunction',
+      FunctionName: {
+        'Fn::GetAtt': [
+          'authfunction96361832',
+          'Arn',
+        ],
+      },
+    });
   });
 
   test('Lambda authorization configurable in additional authorization has default configuration', () => {
@@ -733,6 +754,15 @@ describe('AppSync Lambda Authorization', () => {
         },
       }],
     });
+    Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
+      Action: 'lambda:InvokeFunction',
+      FunctionName: {
+        'Fn::GetAtt': [
+          'authfunction96361832',
+          'Arn',
+        ],
+      },
+    });
   });
 
   test('Lambda authorization configurable in additional authorization', () => {
@@ -768,6 +798,15 @@ describe('AppSync Lambda Authorization', () => {
         },
       }],
     });
+    Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
+      Action: 'lambda:InvokeFunction',
+      FunctionName: {
+        'Fn::GetAtt': [
+          'authfunction96361832',
+          'Arn',
+        ],
+      },
+    });
   });
 
   test('Lambda authorization throws with multiple lambda authorization', () => {