From c7cee1525deb48d915740c9b30bdc6f886d17aa5 Mon Sep 17 00:00:00 2001 From: paulhcsun <47882901+paulhcsun@users.noreply.github.com> Date: Fri, 27 Sep 2024 00:14:51 -0700 Subject: [PATCH] fix(appsync): lambda authorizer permission is not scoped to appsync api arn (#31567) ### Issue # (if applicable) Closes #31550. ### Reason for this change When using a lambda authorizer with a GraphqlAPI, the cdk automatically creates the AWS::Lambda::Permission required for the AppSync API to invoke the lambda authorizer. It does not however add a SourceArn. This conflicts with the control tower policy [[CT.LAMBDA.PR.2]](https://docs.aws.amazon.com/controltower/latest/controlreference/lambda-rules.html#ct-lambda-pr-2-description), and it is in general good practice to scope permissions. ### Description of changes Added new feature flag `APPSYNC_GRAPHQLAPI_SCOPE_LAMBDA_FUNCTION_PERMISSION`. Currently, when using a Lambda authorizer with an AppSync GraphQL API, the AWS CDK automatically generates the necessary AWS::Lambda::Permission to allow the AppSync API to invoke the Lambda authorizer. This permission is overly permissive because it lacks a SourceArn, meaning it allows invocations from any source. When this feature flag is enabled, the AWS::Lambda::Permission will be properly scoped with the SourceArn corresponding to the specific AppSync GraphQL API. ```ts ... config?.handler.addPermission(`${id}-appsync`, { principal: new ServicePrincipal('appsync.amazonaws.com'), action: 'lambda:InvokeFunction', sourceArn: this.arn, // <-- added when feature flag is enabled }); ... ``` ### Description of how you validated changes Unit + integ tests with feature flag enabled. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../integ.graphql-lambda-permission.graphql | 3 + ...efaultTestDeployAssert7720B39B.assets.json | 19 ++ ...aultTestDeployAssert7720B39B.template.json | 36 +++ ...aws-graphql-lambda-permissions.assets.json | 19 ++ ...s-graphql-lambda-permissions.template.json | 134 +++++++++ .../cdk.out | 1 + .../integ.json | 12 + .../manifest.json | 142 +++++++++ .../tree.json | 280 ++++++++++++++++++ .../test/integ.graphql-lambda-permission.ts | 58 ++++ .../aws-appsync/test/integ.lambda-auth.ts | 6 +- .../aws-cdk-lib/aws-appsync/lib/graphqlapi.ts | 17 +- .../aws-appsync/test/appsync-auth.test.ts | 46 ++- packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md | 20 ++ packages/aws-cdk-lib/cx-api/README.md | 16 + packages/aws-cdk-lib/cx-api/lib/features.ts | 17 ++ 16 files changed, 820 insertions(+), 6 deletions(-) create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.graphql create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/GraphqlApiLambdaPermissionTestDefaultTestDeployAssert7720B39B.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/GraphqlApiLambdaPermissionTestDefaultTestDeployAssert7720B39B.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/aws-graphql-lambda-permissions.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/aws-graphql-lambda-permissions.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/cdk.out create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/integ.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/manifest.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/tree.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.ts diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.graphql b/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.graphql new file mode 100644 index 0000000000000..9f32315839973 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.graphql @@ -0,0 +1,3 @@ +type Query { + getMessage: String +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/GraphqlApiLambdaPermissionTestDefaultTestDeployAssert7720B39B.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/GraphqlApiLambdaPermissionTestDefaultTestDeployAssert7720B39B.assets.json new file mode 100644 index 0000000000000..221f5886b8de3 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/GraphqlApiLambdaPermissionTestDefaultTestDeployAssert7720B39B.assets.json @@ -0,0 +1,19 @@ +{ + "version": "38.0.1", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "GraphqlApiLambdaPermissionTestDefaultTestDeployAssert7720B39B.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/GraphqlApiLambdaPermissionTestDefaultTestDeployAssert7720B39B.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/GraphqlApiLambdaPermissionTestDefaultTestDeployAssert7720B39B.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/GraphqlApiLambdaPermissionTestDefaultTestDeployAssert7720B39B.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/aws-graphql-lambda-permissions.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/aws-graphql-lambda-permissions.assets.json new file mode 100644 index 0000000000000..0da4f9497510a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/aws-graphql-lambda-permissions.assets.json @@ -0,0 +1,19 @@ +{ + "version": "38.0.1", + "files": { + "88f8b6f143ea53b46d93da4b1faa520ca524dd12b86713226337cbcf866bcae6": { + "source": { + "path": "aws-graphql-lambda-permissions.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "88f8b6f143ea53b46d93da4b1faa520ca524dd12b86713226337cbcf866bcae6.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/aws-graphql-lambda-permissions.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/aws-graphql-lambda-permissions.template.json new file mode 100644 index 0000000000000..b31935e5dfe19 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/aws-graphql-lambda-permissions.template.json @@ -0,0 +1,134 @@ +{ + "Resources": { + "AuthorizerFunctionServiceRole5B2A061B": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "AuthorizerFunctionB4DBAA43": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "ZipFile": "\n exports.handler = async (event) => {\n console.log(\"Authorization event:\", JSON.stringify(event));\n \n const isAuthorized = true;\n if (isAuthorized) {\n return {\n isAuthorized: true,\n resolverContext: {\n userId: 'user-id-example'\n }\n };\n } else {\n return {\n isAuthorized: false\n };\n }\n };\n " + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "AuthorizerFunctionServiceRole5B2A061B", + "Arn" + ] + }, + "Runtime": "nodejs18.x" + }, + "DependsOn": [ + "AuthorizerFunctionServiceRole5B2A061B" + ] + }, + "AuthorizerFunctionapiappsync4E3369BF": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Fn::GetAtt": [ + "AuthorizerFunctionB4DBAA43", + "Arn" + ] + }, + "Principal": "appsync.amazonaws.com", + "SourceArn": { + "Fn::GetAtt": [ + "apiC8550315", + "Arn" + ] + } + } + }, + "apiC8550315": { + "Type": "AWS::AppSync::GraphQLApi", + "Properties": { + "AuthenticationType": "AWS_LAMBDA", + "LambdaAuthorizerConfig": { + "AuthorizerUri": { + "Fn::GetAtt": [ + "AuthorizerFunctionB4DBAA43", + "Arn" + ] + } + }, + "Name": "api" + } + }, + "apiSchema0EA92056": { + "Type": "AWS::AppSync::GraphQLSchema", + "Properties": { + "ApiId": { + "Fn::GetAtt": [ + "apiC8550315", + "ApiId" + ] + }, + "Definition": "type Query {\n getMessage: String\n}" + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/cdk.out new file mode 100644 index 0000000000000..c6e612584e352 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"38.0.1"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/integ.json new file mode 100644 index 0000000000000..409bab9d0dddb --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/integ.json @@ -0,0 +1,12 @@ +{ + "version": "38.0.1", + "testCases": { + "GraphqlApiLambdaPermissionTest/DefaultTest": { + "stacks": [ + "aws-graphql-lambda-permissions" + ], + "assertionStack": "GraphqlApiLambdaPermissionTest/DefaultTest/DeployAssert", + "assertionStackName": "GraphqlApiLambdaPermissionTestDefaultTestDeployAssert7720B39B" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/manifest.json new file mode 100644 index 0000000000000..d699644b9c17e --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/manifest.json @@ -0,0 +1,142 @@ +{ + "version": "38.0.1", + "artifacts": { + "aws-graphql-lambda-permissions.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "aws-graphql-lambda-permissions.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "aws-graphql-lambda-permissions": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "aws-graphql-lambda-permissions.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "notificationArns": [], + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/88f8b6f143ea53b46d93da4b1faa520ca524dd12b86713226337cbcf866bcae6.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "aws-graphql-lambda-permissions.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "aws-graphql-lambda-permissions.assets" + ], + "metadata": { + "/aws-graphql-lambda-permissions/AuthorizerFunction/ServiceRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "AuthorizerFunctionServiceRole5B2A061B" + } + ], + "/aws-graphql-lambda-permissions/AuthorizerFunction/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "AuthorizerFunctionB4DBAA43" + } + ], + "/aws-graphql-lambda-permissions/AuthorizerFunction/api-appsync": [ + { + "type": "aws:cdk:logicalId", + "data": "AuthorizerFunctionapiappsync4E3369BF", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_REPLACE" + ] + } + ], + "/aws-graphql-lambda-permissions/api/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "apiC8550315" + } + ], + "/aws-graphql-lambda-permissions/api/Schema": [ + { + "type": "aws:cdk:logicalId", + "data": "apiSchema0EA92056" + } + ], + "/aws-graphql-lambda-permissions/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/aws-graphql-lambda-permissions/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "aws-graphql-lambda-permissions" + }, + "GraphqlApiLambdaPermissionTestDefaultTestDeployAssert7720B39B.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "GraphqlApiLambdaPermissionTestDefaultTestDeployAssert7720B39B.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "GraphqlApiLambdaPermissionTestDefaultTestDeployAssert7720B39B": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "GraphqlApiLambdaPermissionTestDefaultTestDeployAssert7720B39B.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "notificationArns": [], + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "GraphqlApiLambdaPermissionTestDefaultTestDeployAssert7720B39B.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "GraphqlApiLambdaPermissionTestDefaultTestDeployAssert7720B39B.assets" + ], + "metadata": { + "/GraphqlApiLambdaPermissionTest/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/GraphqlApiLambdaPermissionTest/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "GraphqlApiLambdaPermissionTest/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/tree.json new file mode 100644 index 0000000000000..22eaf0aa102f8 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/tree.json @@ -0,0 +1,280 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "aws-graphql-lambda-permissions": { + "id": "aws-graphql-lambda-permissions", + "path": "aws-graphql-lambda-permissions", + "children": { + "AuthorizerFunction": { + "id": "AuthorizerFunction", + "path": "aws-graphql-lambda-permissions/AuthorizerFunction", + "children": { + "ServiceRole": { + "id": "ServiceRole", + "path": "aws-graphql-lambda-permissions/AuthorizerFunction/ServiceRole", + "children": { + "ImportServiceRole": { + "id": "ImportServiceRole", + "path": "aws-graphql-lambda-permissions/AuthorizerFunction/ServiceRole/ImportServiceRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "aws-graphql-lambda-permissions/AuthorizerFunction/ServiceRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "managedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "aws-graphql-lambda-permissions/AuthorizerFunction/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::Function", + "aws:cdk:cloudformation:props": { + "code": { + "zipFile": "\n exports.handler = async (event) => {\n console.log(\"Authorization event:\", JSON.stringify(event));\n \n const isAuthorized = true;\n if (isAuthorized) {\n return {\n isAuthorized: true,\n resolverContext: {\n userId: 'user-id-example'\n }\n };\n } else {\n return {\n isAuthorized: false\n };\n }\n };\n " + }, + "handler": "index.handler", + "role": { + "Fn::GetAtt": [ + "AuthorizerFunctionServiceRole5B2A061B", + "Arn" + ] + }, + "runtime": "nodejs18.x" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnFunction", + "version": "0.0.0" + } + }, + "api-appsync": { + "id": "api-appsync", + "path": "aws-graphql-lambda-permissions/AuthorizerFunction/api-appsync", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::Permission", + "aws:cdk:cloudformation:props": { + "action": "lambda:InvokeFunction", + "functionName": { + "Fn::GetAtt": [ + "AuthorizerFunctionB4DBAA43", + "Arn" + ] + }, + "principal": "appsync.amazonaws.com", + "sourceArn": { + "Fn::GetAtt": [ + "apiC8550315", + "Arn" + ] + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnPermission", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.Function", + "version": "0.0.0" + } + }, + "api": { + "id": "api", + "path": "aws-graphql-lambda-permissions/api", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-graphql-lambda-permissions/api/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::AppSync::GraphQLApi", + "aws:cdk:cloudformation:props": { + "authenticationType": "AWS_LAMBDA", + "lambdaAuthorizerConfig": { + "authorizerUri": { + "Fn::GetAtt": [ + "AuthorizerFunctionB4DBAA43", + "Arn" + ] + } + }, + "name": "api" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_appsync.CfnGraphQLApi", + "version": "0.0.0" + } + }, + "Schema": { + "id": "Schema", + "path": "aws-graphql-lambda-permissions/api/Schema", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::AppSync::GraphQLSchema", + "aws:cdk:cloudformation:props": { + "apiId": { + "Fn::GetAtt": [ + "apiC8550315", + "ApiId" + ] + }, + "definition": "type Query {\n getMessage: String\n}" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_appsync.CfnGraphQLSchema", + "version": "0.0.0" + } + }, + "LogGroup": { + "id": "LogGroup", + "path": "aws-graphql-lambda-permissions/api/LogGroup", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_appsync.GraphqlApi", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "aws-graphql-lambda-permissions/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "aws-graphql-lambda-permissions/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "GraphqlApiLambdaPermissionTest": { + "id": "GraphqlApiLambdaPermissionTest", + "path": "GraphqlApiLambdaPermissionTest", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "GraphqlApiLambdaPermissionTest/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "GraphqlApiLambdaPermissionTest/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "GraphqlApiLambdaPermissionTest/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "GraphqlApiLambdaPermissionTest/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "GraphqlApiLambdaPermissionTest/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.ts new file mode 100644 index 0000000000000..d4cbf5b038bc9 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.ts @@ -0,0 +1,58 @@ +import * as cdk from 'aws-cdk-lib'; +import * as path from 'path'; +import * as lambda from 'aws-cdk-lib/aws-lambda'; +import * as integ from '@aws-cdk/integ-tests-alpha'; +import * as cxapi from 'aws-cdk-lib/cx-api'; +import * as appsync from 'aws-cdk-lib/aws-appsync'; + +const myFeatureFlag = { [cxapi.APPSYNC_GRAPHQLAPI_SCOPE_LAMBDA_FUNCTION_PERMISSION]: true }; + +const app = new cdk.App({ + context: myFeatureFlag, +}); +const stack = new cdk.Stack(app, 'aws-graphql-lambda-permissions'); + +const authorizer = new lambda.Function(stack, 'AuthorizerFunction', { + runtime: lambda.Runtime.NODEJS_18_X, + code: lambda.Code.fromInline(` + exports.handler = async (event) => { + console.log("Authorization event:", JSON.stringify(event)); + + const isAuthorized = true; + if (isAuthorized) { + return { + isAuthorized: true, + resolverContext: { + userId: 'user-id-example' + } + }; + } else { + return { + isAuthorized: false + }; + } + }; + `), + handler: 'index.handler', +}); + +new appsync.GraphqlApi(stack, 'api', { + name: 'api', + definition: { + schema: appsync.SchemaFile.fromAsset( + path.join(__dirname, 'integ.graphql-lambda-permission.graphql'), + ), + }, + authorizationConfig: { + defaultAuthorization: { + authorizationType: appsync.AuthorizationType.LAMBDA, + lambdaAuthorizerConfig: { + handler: authorizer, + }, + }, + }, +}); + +new integ.IntegTest(app, 'GraphqlApiLambdaPermissionTest', { + testCases: [stack], +}); diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.lambda-auth.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.lambda-auth.ts index ed955f56520f5..f10df667fbc22 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.lambda-auth.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.lambda-auth.ts @@ -4,6 +4,7 @@ import * as cdk from 'aws-cdk-lib'; import { IntegTest } from '@aws-cdk/integ-tests-alpha'; import { Construct } from 'constructs'; import * as appsync from 'aws-cdk-lib/aws-appsync'; +import * as cxapi from 'aws-cdk-lib/cx-api'; import { STANDARD_NODEJS_RUNTIME } from '../../config'; class GraphQLApiLambdaAuthStack extends cdk.Stack { @@ -49,8 +50,11 @@ class GraphQLApiLambdaAuthStack extends cdk.Stack { }); } } +const myFeatureFlag = { [cxapi.APPSYNC_GRAPHQLAPI_SCOPE_LAMBDA_FUNCTION_PERMISSION]: false }; -const app = new cdk.App(); +const app = new cdk.App({ + postCliContext: myFeatureFlag, +}); const testCase = new GraphQLApiLambdaAuthStack(app); new IntegTest(app, 'GraphQlApiLambdaAuth', { testCases: [testCase], diff --git a/packages/aws-cdk-lib/aws-appsync/lib/graphqlapi.ts b/packages/aws-cdk-lib/aws-appsync/lib/graphqlapi.ts index 9bf1bd3b1a8e9..0215dc0fcc6ff 100644 --- a/packages/aws-cdk-lib/aws-appsync/lib/graphqlapi.ts +++ b/packages/aws-cdk-lib/aws-appsync/lib/graphqlapi.ts @@ -696,10 +696,19 @@ export class GraphqlApi extends GraphqlApiBase { const config = modes.find((mode: AuthorizationMode) => { return mode.authorizationType === AuthorizationType.LAMBDA && mode.lambdaAuthorizerConfig; })?.lambdaAuthorizerConfig; - config?.handler.addPermission(`${id}-appsync`, { - principal: new ServicePrincipal('appsync.amazonaws.com'), - action: 'lambda:InvokeFunction', - }); + + if (FeatureFlags.of(this).isEnabled(cxapi.APPSYNC_GRAPHQLAPI_SCOPE_LAMBDA_FUNCTION_PERMISSION)) { + config?.handler.addPermission(`${id}-appsync`, { + principal: new ServicePrincipal('appsync.amazonaws.com'), + action: 'lambda:InvokeFunction', + sourceArn: this.arn, + }); + } else { + config?.handler.addPermission(`${id}-appsync`, { + principal: new ServicePrincipal('appsync.amazonaws.com'), + action: 'lambda:InvokeFunction', + }); + } } const logGroupName = `/aws/appsync/apis/${this.apiId}`; diff --git a/packages/aws-cdk-lib/aws-appsync/test/appsync-auth.test.ts b/packages/aws-cdk-lib/aws-appsync/test/appsync-auth.test.ts index 170dae5d34229..41ef1b93dbc6b 100644 --- a/packages/aws-cdk-lib/aws-appsync/test/appsync-auth.test.ts +++ b/packages/aws-cdk-lib/aws-appsync/test/appsync-auth.test.ts @@ -2,13 +2,22 @@ import * as path from 'path'; import { Template } from '../../assertions'; import * as cognito from '../../aws-cognito'; import * as lambda from '../../aws-lambda'; +import { App } from '../../core'; import * as cdk from '../../core'; import * as appsync from '../lib'; // GIVEN let stack: cdk.Stack; +let app: App; beforeEach(() => { - stack = new cdk.Stack(); + app = new App( + { + context: { + '@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission': true, + }, + }, + ); + stack = new cdk.Stack(app); }); describe('AppSync API Key Authorization', () => { @@ -925,4 +934,39 @@ describe('AppSync Lambda Authorization', () => { }, })).toThrow('Missing Lambda Configuration'); }); + + test('Lambda authorization properly scoped under feature flag', () => { + // WHEN + new appsync.GraphqlApi(stack, 'api', { + name: 'api', + schema: appsync.SchemaFile.fromAsset(path.join(__dirname, 'appsync.test.graphql')), + authorizationConfig: { + defaultAuthorization: { + authorizationType: appsync.AuthorizationType.LAMBDA, + lambdaAuthorizerConfig: { + handler: fn, + }, + }, + }, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', { + Action: 'lambda:InvokeFunction', + FunctionName: { + 'Fn::GetAtt': [ + 'authfunction96361832', + 'Arn', + ], + }, + Principal: 'appsync.amazonaws.com', + SourceArn: { + 'Fn::GetAtt': [ + 'apiC8550315', + 'Arn', + ], + }, + }); + + }); }); diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md index 82d34a2a8ef06..2de4a12515cb1 100644 --- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md +++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md @@ -75,6 +75,7 @@ Flags come in three types: | [@aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask](#aws-cdkaws-stepfunctions-tasksusenews3uriparametersforbedrockinvokemodeltask) | When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model. | 2.156.0 | (fix) | | [@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions](#aws-cdkaws-ecsreduceec2fargatecloudwatchpermissions) | When enabled, we will only grant the necessary permissions when users specify cloudwatch log group through logConfiguration | 2.159.0 | (fix) | | [@aws-cdk/aws-ec2:ec2SumTImeoutEnabled](#aws-cdkaws-ec2ec2sumtimeoutenabled) | When enabled, initOptions.timeout and resourceSignalTimeout values will be summed together. | 2.160.0 | (fix) | +| [@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission](#aws-cdkaws-appsyncappsyncgraphqlapiscopelambdapermission) | When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn. | V2NEXT | (fix) | | [@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId](#aws-cdkaws-rdssetcorrectvaluefordatabaseinstancereadreplicainstanceresourceid) | When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn` | V2NEXT | (fix) | @@ -140,6 +141,7 @@ The following json shows the current recommended set of flags, as `cdk init` wou "@aws-cdk/aws-s3:keepNotificationInImportedBucket": false, "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": true, "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": true, + "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": true "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": true } } @@ -1418,6 +1420,24 @@ When this feature flag is enabled, if both initOptions.timeout and resourceSigna | 2.160.0 | `false` | `true` | +### @aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission + +*When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn.* (fix) + +Currently, when using a Lambda authorizer with an AppSync GraphQL API, the AWS CDK automatically generates the necessary AWS::Lambda::Permission +to allow the AppSync API to invoke the Lambda authorizer. This permission is overly permissive because it lacks a SourceArn, meaning +it allows invocations from any source. + +When this feature flag is enabled, the AWS::Lambda::Permission will be properly scoped with the SourceArn corresponding to the +specific AppSync GraphQL API. + + +| Since | Default | Recommended | +| ----- | ----- | ----- | +| (not in v1) | | | +| V2NEXT | `false` | `true` | + + ### @aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId *When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn`* (fix) diff --git a/packages/aws-cdk-lib/cx-api/README.md b/packages/aws-cdk-lib/cx-api/README.md index dfcb85de9bfc5..9c5d801284bf4 100644 --- a/packages/aws-cdk-lib/cx-api/README.md +++ b/packages/aws-cdk-lib/cx-api/README.md @@ -426,6 +426,22 @@ _cdk.json_ } ``` +* `@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission` + +Currently, when using a Lambda authorizer with an AppSync GraphQL API, the AWS CDK automatically generates the necessary AWS::Lambda::Permission to allow the AppSync API to invoke the Lambda authorizer. This permission is overly permissive because it lacks a SourceArn, meaning it allows invocations from any source. + +When this feature flag is enabled, the AWS::Lambda::Permission will be properly scoped with the SourceArn corresponding to the specific AppSync GraphQL API. + +_cdk.json_ + +```json +{ + "context": { + "@aws-cdk/aws-ec2:appSyncGraphQLAPIScopeLambdaPermission": true + } +} +``` + * `@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId` When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn`* (fix) diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts index 91cb1e9b675cb..b89ad272b63a4 100644 --- a/packages/aws-cdk-lib/cx-api/lib/features.ts +++ b/packages/aws-cdk-lib/cx-api/lib/features.ts @@ -109,6 +109,7 @@ export const S3_KEEP_NOTIFICATION_IN_IMPORTED_BUCKET = '@aws-cdk/aws-s3:keepNoti export const USE_NEW_S3URI_PARAMETERS_FOR_BEDROCK_INVOKE_MODEL_TASK = '@aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask'; export const REDUCE_EC2_FARGATE_CLOUDWATCH_PERMISSIONS = '@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions'; export const EC2_SUM_TIMEOUT_ENABLED = '@aws-cdk/aws-ec2:ec2SumTImeoutEnabled'; +export const APPSYNC_GRAPHQLAPI_SCOPE_LAMBDA_FUNCTION_PERMISSION = '@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission'; export const USE_CORRECT_VALUE_FOR_INSTANCE_RESOURCE_ID_PROPERTY = '@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId'; export const FLAGS: Record = { @@ -1159,6 +1160,22 @@ export const FLAGS: Record = { introducedIn: { v2: '2.160.0' }, }, + ////////////////////////////////////////////////////////////////////// + [APPSYNC_GRAPHQLAPI_SCOPE_LAMBDA_FUNCTION_PERMISSION]: { + type: FlagType.BugFix, + summary: 'When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn.', + detailsMd: ` + Currently, when using a Lambda authorizer with an AppSync GraphQL API, the AWS CDK automatically generates the necessary AWS::Lambda::Permission + to allow the AppSync API to invoke the Lambda authorizer. This permission is overly permissive because it lacks a SourceArn, meaning + it allows invocations from any source. + + When this feature flag is enabled, the AWS::Lambda::Permission will be properly scoped with the SourceArn corresponding to the + specific AppSync GraphQL API. + `, + recommendedValue: true, + introducedIn: { v2: 'V2NEXT' }, + }, + ////////////////////////////////////////////////////////////////////// [USE_CORRECT_VALUE_FOR_INSTANCE_RESOURCE_ID_PROPERTY]: { type: FlagType.BugFix,