(aws-appsync): Lambda Authorizer for AppSync GraphqlApi

[Danik-Barinshtein]

Hello,

Currently the GraphqlApi Construct does not support the AWS_LAMBDA AuthorizationType

Hoping to see if its possible to extend the construct with the CfnGraphqlApi's lambda authorizer config

Use Case

While I understand that the GraphqlApi is an experimental none Cfn construct, we chose to go with it due to it providing "all" the features we needed and its syntax was preferable. At this stage we are realizing that the Lambda Authorizer is the last feature we require to proceed. Before considering switching our entire CDK setup to utilize the CfnGraphqlApi I am looking to see if this feature could be added.

Proposed Solution

Extend the developed AWS_LAMBDA authorizer configuration from the CfnGraphqlApi to the GraphqlApi construct.

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

---

This is a 🚀 Feature Request

[aman-hatcroft]

It is very strange for me to see that AWS released the custom Lambda authoriser feature as an Authorization mode for GraphQL on 30th Jul 2021 without the infra automation code. Are the teams for the Appsync CDK & the actual AppSync services different ?

https://aws.amazon.com/blogs/mobile/appsync-lambda-auth/

https://aws.amazon.com/about-aws/whats-new/2021/07/aws-appsync-supports-custom-authorization-with-aws-lambda-graphsql-apis/

aws/aws-appsync-community#2

@Danik-Barinshtein . Glad that you raised this.

[otaviomacedo]

Marking this as a p1, as I see this is a popular feature, that more people will want.

Having said that, whenever a new feature is added to CloudFormation, but is not yet available in CDK, you can always use escape hatches. In this case, it would look something like:

const api = new appsync.GraphqlApi(this, 'Api', ...);

const cfnApi = api.node.defaultChild as CfnGraphQLApi;
cfnApi.lambdaAuthorizerConfig = {
  ...
}

[kaizencc]

I'd like to pick this one up since it seems popular. I'll submit a PR early next week but in the meantime, I'd like to solicit thoughts on what the properties for LambdaConfig should be. If I took them verbatim from the docs they would be:

export interface LambdaConfig {
    /**
     * The number of seconds a response should be cached for
     */
    authorizerResultTtlInSeconds: number;

    /**
     * The ARN of the Lambda function to be called for authorization.
     */
    authorizerUri: string;

    /**
     * A regular expression for validation of tokens before the Lambda function is called. 
     */
    identityValidationExpression: string;
}

I feel like we could improve on these names (particularly authorizerResultTtlInSeconds) for the CDK. Any thoughts? It looks like we did something similar for OpenIdConnectConfig in making the CDK property names more user friendly.

[kaizencc]

^ It's really not a good first issue... maybe even an effort/medium but I will keep it as small because its not that important :).

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.