Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

fix(appsync): lambda authorizer permission is not scoped to appsync api arn #31567

Merged
merged 8 commits into from
Sep 27, 2024
Merged

fix(appsync): lambda authorizer permission is not scoped to appsync api arn #31567

merged 8 commits into from
Sep 27, 2024

Conversation

paulhcsun
Copy link
Contributor

@paulhcsun paulhcsun commented Sep 26, 2024
edited
Loading

Issue # (if applicable)

Closes #31550.

Reason for this change

When using a lambda authorizer with a GraphqlAPI, the cdk automatically creates the AWS::Lambda::Permission required for the AppSync API to invoke the lambda authorizer. It does not however add a SourceArn.

This conflicts with the control tower policy [CT.LAMBDA.PR.2], and it is in general good practice to scope permissions.

Description of changes

Added new feature flag APPSYNC_GRAPHQLAPI_SCOPE_LAMBDA_FUNCTION_PERMISSION.

Currently, when using a Lambda authorizer with an AppSync GraphQL API, the AWS CDK automatically generates the necessary AWS::Lambda::Permission to allow the AppSync API to invoke the Lambda authorizer. This permission is overly permissive because it lacks a SourceArn, meaning it allows invocations from any source.

When this feature flag is enabled, the AWS::Lambda::Permission will be properly scoped with the SourceArn corresponding to the specific AppSync GraphQL API.

  ...
  config?.handler.addPermission(`${id}-appsync`, {
    principal: new ServicePrincipal('appsync.amazonaws.com'),
    action: 'lambda:InvokeFunction',
    sourceArn: this.arn, // <-- added when feature flag is enabled
  });
  ...

Description of how you validated changes

Unit + integ tests with feature flag enabled.

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added bug This issue is a bug. p1 labels Sep 26, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team September 26, 2024 00:42
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Sep 26, 2024
@paulhcsun paulhcsun marked this pull request as ready for review September 26, 2024 00:43
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 6def716
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Sep 27, 2024
@mergify Mergify
Copy link
Contributor

mergify bot commented Sep 27, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit c7cee15 into aws:main Sep 27, 2024
16 checks passed
@github-actions GitHub Actions
Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 27, 2024
@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Sep 27, 2024
@paulhcsun paulhcsun deleted the appsycn-graphqlapi-lambda-permision branch September 27, 2024 18:34
# for free to subscribe to this conversation on GitHub. Already have an account? #.
Reviewers

@moelasmar moelasmar moelasmar approved these changes

Assignees
No one assigned
Labels
bug This issue is a bug. contribution/core This is a PR that came from AWS. p1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

(appsync): Lambda authorizer permission is not scoped to appsync api arn
3 participants
@paulhcsun @aws-cdk-automation @moelasmar