AppSync Lambda Auth: Lambda Resource Policy is not created from CDK #20234
Description
Describe the bug
When creating an AppSync GraphQL with Lambda Authorization from CDK, the authorization does not work by just deploying CDK. I need to go into the AppSync Settings Web Console and select a different Auth format, Save, and then change it back to my Lambda Auth details and Save again. I notice when I do this, a policy document gets added in the Lambda Web Console > Configuration tab > Resource-based policyInfo section called "AppSync". This does not exist when just deploying my cdk code, despite everything looking the same in the AppSync Settings Web UI.
I have not been able to figure out how to create the resource based policy document that seems to automagically get created when the AppSync Settings Save button is clicked.
The resource based policy document that gets created looks like this:
{
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Sid": "appsync",
"Effect": "Allow",
"Principal": {
"Service": "appsync.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:us-east-1:{AcctNum}:function:{LambdaName}"
}
]
}
Expected Behavior
I would expect this resource policy to be created when CDK builds and deploys.
In this AWS CLI doc: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-appsync-graphqlapi-lambdaauthorizerconfig.html
If mentions that the resource policy needs to be run manually, but web console does it automatically. It seems that CDK does not run this step.
Current Behavior
No errors, just no resource based policy document on the Authorization Lambda.
Reproduction Steps
import path from 'path';
import { Duration, RemovalPolicy, Stack } from 'aws-cdk-lib';
import { NodejsFunction } from "aws-cdk-lib/aws-lambda-nodejs";
import { Runtime } from 'aws-cdk-lib/aws-lambda';
import { Construct } from "constructs";
import { GraphqlApi } from "@aws-cdk/aws-appsync-alpha";
import { Schema, AuthorizationType, FieldLogLevel } from '@aws-cdk/aws-appsync-alpha';
const createAppSyncApi = ({ scope, id, name, schemaDir, props, authConfig }) => {
const graphqlApiProps = {
name,
authorizationConfig: {}, // placeholder to be set later
schema: Schema.fromAsset(path.join((schemaDir), 'schema.graphql')),
xrayEnabled: true,
logConfig: {
excludeVerboseContent: false,
fieldLogLevel: FieldLogLevel.ALL,
},
removalPolicy: RemovalPolicy.RETAIN,
};
graphqlApiProps.authorizationConfig = {
defaultAuthorization: {
authorizationType: AuthorizationType.LAMBDA,
lambdaAuthorizerConfig: {
handler: authConfig.ssoLambda,
// resultsCacheTtl: 0 // DO NOT SPECIFY AS 0 - causes error in AWS - defaults to 0 if not set
},
},
}
const appSyncApi = new MonitoredGraphqlApi(scope, id, {
graphqlApiProps,
...props,
});
return appSyncApi;
};
const createLambdaFunction = ({ scope, id, functionProps }) => {
const resolvedFunctionProps = {
handler: "handler",
runtime: Runtime.NODEJS_12_X,
...functionProps,
};
const lambdaFunction = new NodejsFunction(scope, id, resolvedFunctionProps);
return lambdaFunction;
};
class MonitoredGraphqlApi extends Construct {
graphqlApi;
constructor(scope, id, props) {
super(scope, id);
const { graphqlApiProps, } = props;
this.graphqlApi = new GraphqlApi(this, "api", graphqlApiProps);
}
}
class MvTestStack extends Stack {
api;
authSSOLayer;
constructor(scope, id, props) {
super(scope, id, props);
const {
env: { account, ssoConfig, apiConfig },
} = props;
this.authSSOLayer = this.initializeSSOAuth(ssoConfig, account);
this.api = this.initializeApiLayer(apiConfig, this.authSSOLayer);
}
initializeSSOAuth() {
const ssoAuthLambda = createLambdaFunction({
scope: this,
id: 'localAuthLambdaHandler',
functionProps: {
entry: './lib/equipment/functions/ssoAuth/index.js',
timeout: Duration.minutes(1),
},
});
return ssoAuthLambda;
}
initializeApiLayer(apiConfig, authFunction) {
const api = createAppSyncApi({
scope: this,
id: 'Api',
name: 'TestApp',
schemaDir: './',
props: {},
authConfig: {ssoLambda: authFunction},
});
return api;
}
}
export default MvTestStack;
//PACKAGE.JSON
/**
{
"name": "some_name_stuff",
"version": "0.1.0",
"type": "module",
"bin": {
"app": "bin/app.js"
},
"scripts": {
"postinstall": "npm run build",
"build": "lerna bootstrap",
"cdk": "cdk"
},
"peerDependencies": {
"aws-cdk-lib": "^2.15.0",
"constructs": "^10.0.0"
},
"devDependencies": {
"aws-cdk-lib": "^2.15.0",
"constructs": "^10.0.0",
"eslint": "^7.32.0",
"eslint-config-airbnb-base": "^14.2.1",
"eslint-plugin-import": "^2.25.3",
"husky": "^7.0.4",
"lerna": "^4.0.0",
"prettier": "^2.5.1"
},
"dependencies": {
"@aws-cdk/aws-appsync-alpha": "^2.10.0-alpha.0",
"@qsrsoft/myq_cloud_common": "^2.1.11",
"aws-cdk-lib": "^2.15.0",
"aws-sdk": "^2.1048.0",
"constructs": "^10.0.0",
"csvtojson": "^2.0.10",
"date-fns": "^2.28.0",
"esbuild": "^0.11.20",
"eslint-plugin-prettier": "^4.0.0",
"lerna": "^4.0.0",
"lodash": "^4.17.21"
}
}
**/
Possible Solution
The equivalent of this snippet should be exposed in CDK or run behind the scenes for the auth lambda
aws lambda add-permission --function-name "arn:aws:lambda:us-east-2:111122223333:function:my-function" --statement-id "appsync" --principal appsync.amazonaws.com --action lambda:InvokeFunction
Additional Information/Context
No response
CDK CLI Version
2.23.0 (build 50444aa)
Framework Version
"@aws-cdk/aws-appsync-alpha": "^2.22.0-alpha.0",
Node.js Version
12
OS
MacOS
Language
Typescript
Language Version
No response
Other information
No response