From 30a81a78e8a02137f1e172dfcb0b03b5ebb8d519 Mon Sep 17 00:00:00 2001
From: Tomoya Iwata <iwata.tomoya@classmethod.jp>
Date: Tue, 7 Jun 2022 14:22:24 +0900
Subject: [PATCH] fix(appsync): Create Lambda permission when using Lambda
 Authorizer(#20234)

---
 .../@aws-cdk/aws-appsync/lib/graphqlapi.ts    | 11 ++++++
 .../aws-appsync/test/appsync-auth.test.ts     | 39 +++++++++++++++++++
 2 files changed, 50 insertions(+)

diff --git a/packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts b/packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts
index 3ef0b348ad768..2f5f4c22285b1 100644
--- a/packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts
+++ b/packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts
@@ -519,6 +519,17 @@ export class GraphqlApi extends GraphqlApiBase {
       this.apiKeyResource.addDependsOn(this.schemaResource);
       this.apiKey = this.apiKeyResource.attrApiKey;
     }
+
+    if (modes.some((mode) => mode.authorizationType === AuthorizationType.LAMBDA)) {
+      const config = modes.find((mode: AuthorizationMode) => {
+        return mode.authorizationType === AuthorizationType.LAMBDA && mode.lambdaAuthorizerConfig;
+      })?.lambdaAuthorizerConfig;
+      config?.handler.addPermission('appsync', {
+        principal: new ServicePrincipal('appsync.amazonaws.com'),
+        action: 'lambda:InvokeFunction',
+      });
+    }
+
   }
 
   /**
diff --git a/packages/@aws-cdk/aws-appsync/test/appsync-auth.test.ts b/packages/@aws-cdk/aws-appsync/test/appsync-auth.test.ts
index e21bcf3da62c0..4574e365b5151 100644
--- a/packages/@aws-cdk/aws-appsync/test/appsync-auth.test.ts
+++ b/packages/@aws-cdk/aws-appsync/test/appsync-auth.test.ts
@@ -669,6 +669,18 @@ describe('AppSync Lambda Authorization', () => {
         },
       },
     });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
+      Action: 'lambda:InvokeFunction',
+      FunctionName: {
+        'Fn::GetAtt': [
+          'authfunction96361832',
+          'Arn',
+        ],
+      },
+    });
+
+
   });
 
   test('Lambda authorization configurable in default authorization', () => {
@@ -702,6 +714,15 @@ describe('AppSync Lambda Authorization', () => {
         IdentityValidationExpression: 'custom-.*',
       },
     });
+    Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
+      Action: 'lambda:InvokeFunction',
+      FunctionName: {
+        'Fn::GetAtt': [
+          'authfunction96361832',
+          'Arn',
+        ],
+      },
+    });
   });
 
   test('Lambda authorization configurable in additional authorization has default configuration', () => {
@@ -733,6 +754,15 @@ describe('AppSync Lambda Authorization', () => {
         },
       }],
     });
+    Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
+      Action: 'lambda:InvokeFunction',
+      FunctionName: {
+        'Fn::GetAtt': [
+          'authfunction96361832',
+          'Arn',
+        ],
+      },
+    });
   });
 
   test('Lambda authorization configurable in additional authorization', () => {
@@ -768,6 +798,15 @@ describe('AppSync Lambda Authorization', () => {
         },
       }],
     });
+    Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
+      Action: 'lambda:InvokeFunction',
+      FunctionName: {
+        'Fn::GetAtt': [
+          'authfunction96361832',
+          'Arn',
+        ],
+      },
+    });
   });
 
   test('Lambda authorization throws with multiple lambda authorization', () => {