From 61764009648a4602ffa403adda903442c48c45df Mon Sep 17 00:00:00 2001
From: cm-iwata <38879253+cm-iwata@users.noreply.github.com>
Date: Tue, 14 Jun 2022 01:05:44 +0900
Subject: [PATCH] =?UTF-8?q?fix(appsync):=20Create=20Lambda=20permission=20?=
 =?UTF-8?q?when=20using=20Lambda=20Authorizer(#=E2=80=A6=20(#20641)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR will fix #20234

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 .../@aws-cdk/aws-appsync/lib/graphqlapi.ts | 16 +++++---
 .../aws-appsync/test/appsync-auth.test.ts | 39 +++++++++++++++++++
 2 files changed, 50 insertions(+), 5 deletions(-)

diff --git a/packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts b/packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts
index 3ef0b348ad768..3dab9518ed3df 100644
--- a/packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts
+++ b/packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts
@@ -167,11 +167,6 @@ export interface OpenIdConnectConfig {
 export interface LambdaAuthorizerConfig {
 /**
 * The authorizer lambda function.
- * Note: This Lambda function must have the following resource-based policy assigned to it.
- * When configuring Lambda authorizers in the console, this is done for you.
- * To do so with the AWS CLI, run the following:
- *
- * `aws lambda add-permission --function-name "arn:aws:lambda:us-east-2:111122223333:function:my-function" --statement-id "appsync" --principal appsync.amazonaws.com --action lambda:InvokeFunction`
 *
 * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-appsync-graphqlapi-lambdaauthorizerconfig.html
 */
@@ -519,6 +514,17 @@ export class GraphqlApi extends GraphqlApiBase {
 this.apiKeyResource.addDependsOn(this.schemaResource);
 this.apiKey = this.apiKeyResource.attrApiKey;
 }
+
+ if (modes.some((mode) => mode.authorizationType === AuthorizationType.LAMBDA)) {
+ const config = modes.find((mode: AuthorizationMode) => {
+ return mode.authorizationType === AuthorizationType.LAMBDA && mode.lambdaAuthorizerConfig;
+ })?.lambdaAuthorizerConfig;
+ config?.handler.addPermission('appsync', {
+ principal: new ServicePrincipal('appsync.amazonaws.com'),
+ action: 'lambda:InvokeFunction',
+ });
+ }
+
 }
 
 /**
diff --git a/packages/@aws-cdk/aws-appsync/test/appsync-auth.test.ts b/packages/@aws-cdk/aws-appsync/test/appsync-auth.test.ts
index e21bcf3da62c0..4574e365b5151 100644
--- a/packages/@aws-cdk/aws-appsync/test/appsync-auth.test.ts
+++ b/packages/@aws-cdk/aws-appsync/test/appsync-auth.test.ts
@@ -669,6 +669,18 @@ describe('AppSync Lambda Authorization', () => {
 },
 },
 });
+
+ Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
+ Action: 'lambda:InvokeFunction',
+ FunctionName: {
+ 'Fn::GetAtt': [
+ 'authfunction96361832',
+ 'Arn',
+ ],
+ },
+ });
+
+
 });
 
 test('Lambda authorization configurable in default authorization', () => {
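Review bot: The permission created at `config?.handler.addPermission('appsync', …)` grants `lambda:InvokeFunction` to the whole `appsync.amazonaws.com` service principal with no `sourceArn` or `sourceAccount`, so the resource policy does not tie the authorizer to this API and could, depending on how the service passes caller context, be satisfied by an AppSync API the account does not own; if AppSync sets the source context on that invocation, scoping the statement to this API (for example `sourceArn: this.arn`) closes that gap and is worth confirming against the service documentation. The fixed construct id `'appsync'` also appears likely to collide when the same handler is attached to a second GraphqlApi in one stack, since each `addPermission` call creates a child construct with that id on the function, so deriving the id from the API's own construct id would be safer. The leading `modes.some(...)` guard is redundant with the `modes.find(...)?.lambdaAuthorizerConfig` chain and the `config?.` that follow, so the block reduces to the `find` alone. The enclosing constructor begins outside the hunk.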
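Review bot: The new `hasResourceProperties('AWS::Lambda::Permission', …)` assertion checks `Action` and `FunctionName` but not the principal, so a regression that granted invoke to some other principal would still pass; adding `Principal: 'appsync.amazonaws.com',` to the expected properties pins the part the fix actually introduces. The same gap is in the three identical assertions added by the later hunks of this file. The two trailing added blank lines before the test's closing `});` also read as stray whitespace next to this file's otherwise compact style and could be dropped. The enclosing `test(...)` block begins outside the hunk.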
@@ -702,6 +714,15 @@ describe('AppSync Lambda Authorization', () => {
 IdentityValidationExpression: 'custom-.*',
 },
 });
+ Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
+ Action: 'lambda:InvokeFunction',
+ FunctionName: {
+ 'Fn::GetAtt': [
+ 'authfunction96361832',
+ 'Arn',
+ ],
+ },
+ });
 });
 
 test('Lambda authorization configurable in additional authorization has default configuration', () => {
@@ -733,6 +754,15 @@ describe('AppSync Lambda Authorization', () => {
 },
 }],
 });
+ Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
+ Action: 'lambda:InvokeFunction',
+ FunctionName: {
+ 'Fn::GetAtt': [
+ 'authfunction96361832',
+ 'Arn',
+ ],
+ },
+ });
 });
 
 test('Lambda authorization configurable in additional authorization', () => {
@@ -768,6 +798,15 @@ describe('AppSync Lambda Authorization', () => {
 },
 }],
 });
+ Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
+ Action: 'lambda:InvokeFunction',
+ FunctionName: {
+ 'Fn::GetAtt': [
+ 'authfunction96361832',
+ 'Arn',
+ ],
+ },
+ });
 });
 
 test('Lambda authorization throws with multiple lambda authorization', () => {