fix(appsync): fully qualify service principal (#23054)

Builds on top of @jpignata 's PR #23050.

Updated integration tests.

Closes #23050
Fixes #23035

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk/aws-appsync/lib/data-source.ts

@@ -113,7 +113,7 @@ export abstract class BaseDataSource extends Construct {
  super(scope, id);
 
  if (extended.type !== 'NONE') {
- this.serviceRole = props.serviceRole || new Role(this, 'ServiceRole', { assumedBy: new ServicePrincipal('appsync') });
+ this.serviceRole = props.serviceRole || new Role(this, 'ServiceRole', { assumedBy: new ServicePrincipal('appsync.amazonaws.com') });
  }
  // Replace unsupported characters from DataSource name. The only allowed pattern is: {[_A-Za-z][_0-9A-Za-z]*}
  const name = (props.name ?? id);

packages/@aws-cdk/aws-appsync/test/integ.auth-apikey.js.snapshot/aws-appsync-integ.assets.json

@@ -1,15 +1,15 @@
 {
  "version": "21.0.0",
  "files": {
- "8af15bf3b17fb15e9d1b558caa4d5484d9b85fd19d3d939c866e805212d8d66a": {
+ "b0462850439179659920597f4327262b24073af4f4969622163b0a295fce1dda": {
  "source": {
  "path": "aws-appsync-integ.template.json",
  "packaging": "file"
  },
  "destinations": {
  "current_account-current_region": {
  "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
- "objectKey": "8af15bf3b17fb15e9d1b558caa4d5484d9b85fd19d3d939c866e805212d8d66a.json",
+ "objectKey": "b0462850439179659920597f4327262b24073af4f4969622163b0a295fce1dda.json",
  "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
  }
  }

packages/@aws-cdk/aws-appsync/test/integ.auth-apikey.js.snapshot/aws-appsync-integ.template.json

@@ -42,7 +42,7 @@
  "Action": "sts:AssumeRole",
  "Effect": "Allow",
  "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
  }
  }
  ],

packages/@aws-cdk/aws-appsync/test/integ.auth-apikey.js.snapshot/manifest.json

@@ -17,7 +17,7 @@
  "validateOnSynth": false,
  "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
  "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
- "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/8af15bf3b17fb15e9d1b558caa4d5484d9b85fd19d3d939c866e805212d8d66a.json",
+ "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/b0462850439179659920597f4327262b24073af4f4969622163b0a295fce1dda.json",
  "requiresBootstrapStackVersion": 6,
  "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
  "additionalDependencies": [

packages/@aws-cdk/aws-appsync/test/integ.auth-apikey.js.snapshot/tree.json

@@ -82,6 +82,14 @@
  "id": "ServiceRole",
  "path": "aws-appsync-integ/Api/testDataSource/ServiceRole",
  "children": {
+ "ImportServiceRole": {
+ "id": "ImportServiceRole",
+ "path": "aws-appsync-integ/Api/testDataSource/ServiceRole/ImportServiceRole",
+ "constructInfo": {
+ "fqn": "@aws-cdk/core.Resource",
+ "version": "0.0.0"
+ }
+ },
  "Resource": {
  "id": "Resource",
  "path": "aws-appsync-integ/Api/testDataSource/ServiceRole/Resource",
@@ -94,7 +102,7 @@
  "Action": "sts:AssumeRole",
  "Effect": "Allow",
  "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
  }
  }
  ],
@@ -363,7 +371,7 @@
  "path": "Tree",
  "constructInfo": {
  "fqn": "constructs.Construct",
- "version": "10.1.140"
+ "version": "10.1.161"
  }
  }
  },

packages/@aws-cdk/aws-appsync/test/integ.graphql-elasticsearch.js.snapshot/appsync-elasticsearch.assets.json

@@ -1,15 +1,15 @@
 {
  "version": "21.0.0",
  "files": {
- "677bc89625ae9e4bce11a3674b3575c54aa714db0cc253c6121311ab6a929305": {
+ "08fe8252ae99e2f46d03e04321cb848d70ee9c2656baeb387f3baae1575b1d87": {
  "source": {
  "path": "appsync-elasticsearch.template.json",
  "packaging": "file"
  },
  "destinations": {
  "current_account-current_region": {
  "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
- "objectKey": "677bc89625ae9e4bce11a3674b3575c54aa714db0cc253c6121311ab6a929305.json",
+ "objectKey": "08fe8252ae99e2f46d03e04321cb848d70ee9c2656baeb387f3baae1575b1d87.json",
  "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
  }
  }

packages/@aws-cdk/aws-appsync/test/integ.graphql-elasticsearch.js.snapshot/appsync-elasticsearch.template.json

@@ -90,7 +90,7 @@
  "Action": "sts:AssumeRole",
  "Effect": "Allow",
  "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
  }
  }
  ],

packages/@aws-cdk/aws-appsync/test/integ.graphql-elasticsearch.js.snapshot/manifest.json

@@ -17,7 +17,7 @@
  "validateOnSynth": false,
  "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
  "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
- "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/677bc89625ae9e4bce11a3674b3575c54aa714db0cc253c6121311ab6a929305.json",
+ "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/08fe8252ae99e2f46d03e04321cb848d70ee9c2656baeb387f3baae1575b1d87.json",
  "requiresBootstrapStackVersion": 6,
  "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
  "additionalDependencies": [

packages/@aws-cdk/aws-appsync/test/integ.graphql-elasticsearch.js.snapshot/tree.json

@@ -165,6 +165,14 @@
  "id": "ServiceRole",
  "path": "appsync-elasticsearch/api/ds/ServiceRole",
  "children": {
+ "ImportServiceRole": {
+ "id": "ImportServiceRole",
+ "path": "appsync-elasticsearch/api/ds/ServiceRole/ImportServiceRole",
+ "constructInfo": {
+ "fqn": "@aws-cdk/core.Resource",
+ "version": "0.0.0"
+ }
+ },
  "Resource": {
  "id": "Resource",
  "path": "appsync-elasticsearch/api/ds/ServiceRole/Resource",
@@ -177,7 +185,7 @@
  "Action": "sts:AssumeRole",
  "Effect": "Allow",
  "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
  }
  }
  ],
@@ -383,7 +391,7 @@
  "path": "Tree",
  "constructInfo": {
  "fqn": "constructs.Construct",
- "version": "10.1.140"
+ "version": "10.1.161"
  }
  }
  },

packages/@aws-cdk/aws-appsync/test/integ.graphql-iam.js.snapshot/aws-appsync-integ.assets.json

@@ -14,15 +14,15 @@
  }
  }
  },
- "5adac1311d44e3f6eafd25a229c84d03d0e6281172ec45c266b80a5201176917": {
+ "8d15941ec2e2ee7e1551ec111288fbf5f90d3c8054ccd83a9d3f4995d2475536": {
  "source": {
  "path": "aws-appsync-integ.template.json",
  "packaging": "file"
  },
  "destinations": {
  "current_account-current_region": {
  "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
- "objectKey": "5adac1311d44e3f6eafd25a229c84d03d0e6281172ec45c266b80a5201176917.json",
+ "objectKey": "8d15941ec2e2ee7e1551ec111288fbf5f90d3c8054ccd83a9d3f4995d2475536.json",
  "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
  }
  }

packages/@aws-cdk/aws-appsync/test/integ.graphql-iam.js.snapshot/aws-appsync-integ.template.json

@@ -74,7 +74,7 @@
  "Action": "sts:AssumeRole",
  "Effect": "Allow",
  "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
  }
  }
  ],

packages/@aws-cdk/aws-appsync/test/integ.graphql-iam.js.snapshot/manifest.json

@@ -17,7 +17,7 @@
  "validateOnSynth": false,
  "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
  "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
- "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/5adac1311d44e3f6eafd25a229c84d03d0e6281172ec45c266b80a5201176917.json",
+ "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/8d15941ec2e2ee7e1551ec111288fbf5f90d3c8054ccd83a9d3f4995d2475536.json",
  "requiresBootstrapStackVersion": 6,
  "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
  "additionalDependencies": [

packages/@aws-cdk/aws-appsync/test/integ.graphql-iam.js.snapshot/tree.json

@@ -125,6 +125,14 @@
  "id": "ServiceRole",
  "path": "aws-appsync-integ/Api/ds/ServiceRole",
  "children": {
+ "ImportServiceRole": {
+ "id": "ImportServiceRole",
+ "path": "aws-appsync-integ/Api/ds/ServiceRole/ImportServiceRole",
+ "constructInfo": {
+ "fqn": "@aws-cdk/core.Resource",
+ "version": "0.0.0"
+ }
+ },
  "Resource": {
  "id": "Resource",
  "path": "aws-appsync-integ/Api/ds/ServiceRole/Resource",
@@ -137,7 +145,7 @@
  "Action": "sts:AssumeRole",
  "Effect": "Allow",
  "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
  }
  }
  ],
@@ -418,6 +426,14 @@
  "id": "LambdaIAM",
  "path": "aws-appsync-integ/LambdaIAM",
  "children": {
+ "ImportLambdaIAM": {
+ "id": "ImportLambdaIAM",
+ "path": "aws-appsync-integ/LambdaIAM/ImportLambdaIAM",
+ "constructInfo": {
+ "fqn": "@aws-cdk/core.Resource",
+ "version": "0.0.0"
+ }
+ },
  "Resource": {
  "id": "Resource",
  "path": "aws-appsync-integ/LambdaIAM/Resource",
@@ -655,6 +671,14 @@
  "id": "ServiceRole",
  "path": "aws-appsync-integ/testFail/ServiceRole",
  "children": {
+ "ImportServiceRole": {
+ "id": "ImportServiceRole",
+ "path": "aws-appsync-integ/testFail/ServiceRole/ImportServiceRole",
+ "constructInfo": {
+ "fqn": "@aws-cdk/core.Resource",
+ "version": "0.0.0"
+ }
+ },
  "Resource": {
  "id": "Resource",
  "path": "aws-appsync-integ/testFail/ServiceRole/Resource",
@@ -796,7 +820,7 @@
  "path": "Tree",
  "constructInfo": {
  "fqn": "constructs.Construct",
- "version": "10.1.140"
+ "version": "10.1.161"
  }
  }
  },

packages/@aws-cdk/aws-appsync/test/integ.graphql-opensearch.js.snapshot/appsync-opensearch.assets.json

@@ -1,15 +1,15 @@
 {
  "version": "21.0.0",
  "files": {
- "903ac542751f81532f9e013089671ab922c9965229f246a3850375eab1a3ea3e": {
+ "afad76ea31dfbff09b61eded5f1d5e5fd22e29130ce087d5f25b2a31f470128a": {
  "source": {
  "path": "appsync-opensearch.template.json",
  "packaging": "file"
  },
  "destinations": {
  "current_account-current_region": {
  "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
- "objectKey": "903ac542751f81532f9e013089671ab922c9965229f246a3850375eab1a3ea3e.json",
+ "objectKey": "afad76ea31dfbff09b61eded5f1d5e5fd22e29130ce087d5f25b2a31f470128a.json",
  "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
  }
  }

packages/@aws-cdk/aws-appsync/test/integ.graphql-opensearch.js.snapshot/appsync-opensearch.template.json

@@ -87,7 +87,7 @@
  "Action": "sts:AssumeRole",
  "Effect": "Allow",
  "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
  }
  }
  ],

packages/@aws-cdk/aws-appsync/test/integ.graphql-opensearch.js.snapshot/manifest.json

@@ -17,7 +17,7 @@
  "validateOnSynth": false,
  "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
  "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
- "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/903ac542751f81532f9e013089671ab922c9965229f246a3850375eab1a3ea3e.json",
+ "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/afad76ea31dfbff09b61eded5f1d5e5fd22e29130ce087d5f25b2a31f470128a.json",
  "requiresBootstrapStackVersion": 6,
  "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
  "additionalDependencies": [

packages/@aws-cdk/aws-appsync/test/integ.graphql-opensearch.js.snapshot/tree.json

@@ -162,6 +162,14 @@
  "id": "ServiceRole",
  "path": "appsync-opensearch/api/ds/ServiceRole",
  "children": {
+ "ImportServiceRole": {
+ "id": "ImportServiceRole",
+ "path": "appsync-opensearch/api/ds/ServiceRole/ImportServiceRole",
+ "constructInfo": {
+ "fqn": "@aws-cdk/core.Resource",
+ "version": "0.0.0"
+ }
+ },
  "Resource": {
  "id": "Resource",
  "path": "appsync-opensearch/api/ds/ServiceRole/Resource",
@@ -174,7 +182,7 @@
  "Action": "sts:AssumeRole",
  "Effect": "Allow",
  "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
  }
  }
  ],
@@ -380,7 +388,7 @@
  "path": "Tree",
  "constructInfo": {
  "fqn": "constructs.Construct",
- "version": "10.1.140"
+ "version": "10.1.161"
  }
  }
  },

packages/@aws-cdk/aws-appsync/test/integ.graphql-schema.js.snapshot/code-first-schema.assets.json

@@ -1,15 +1,15 @@
 {
  "version": "21.0.0",
  "files": {
- "f6f3bfb6532202fee41687862ae38f3c519fa381a9af9e41f6e780c306536912": {
+ "bfa90308faf90c034f02eb4ce506884c1ec79dec3a45f8ac7003fb57500a6ec4": {
  "source": {
  "path": "code-first-schema.template.json",
  "packaging": "file"
  },
  "destinations": {
  "current_account-current_region": {
  "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
- "objectKey": "f6f3bfb6532202fee41687862ae38f3c519fa381a9af9e41f6e780c306536912.json",
+ "objectKey": "bfa90308faf90c034f02eb4ce506884c1ec79dec3a45f8ac7003fb57500a6ec4.json",
  "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
  }
  }

packages/@aws-cdk/aws-appsync/test/integ.graphql-schema.js.snapshot/code-first-schema.template.json

@@ -42,7 +42,7 @@
  "Action": "sts:AssumeRole",
  "Effect": "Allow",
  "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
  }
  }
  ],

packages/@aws-cdk/aws-appsync/test/integ.graphql-schema.js.snapshot/manifest.json

@@ -17,7 +17,7 @@
  "validateOnSynth": false,
  "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
  "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
- "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/f6f3bfb6532202fee41687862ae38f3c519fa381a9af9e41f6e780c306536912.json",
+ "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/bfa90308faf90c034f02eb4ce506884c1ec79dec3a45f8ac7003fb57500a6ec4.json",
  "requiresBootstrapStackVersion": 6,
  "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
  "additionalDependencies": [

packages/@aws-cdk/aws-appsync/test/integ.graphql-schema.js.snapshot/tree.json

@@ -82,6 +82,14 @@
  "id": "ServiceRole",
  "path": "code-first-schema/code-first-api/planets/ServiceRole",
  "children": {
+ "ImportServiceRole": {
+ "id": "ImportServiceRole",
+ "path": "code-first-schema/code-first-api/planets/ServiceRole/ImportServiceRole",
+ "constructInfo": {
+ "fqn": "@aws-cdk/core.Resource",
+ "version": "0.0.0"
+ }
+ },
  "Resource": {
  "id": "Resource",
  "path": "code-first-schema/code-first-api/planets/ServiceRole/Resource",
@@ -94,7 +102,7 @@
  "Action": "sts:AssumeRole",
  "Effect": "Allow",
  "Principal": {
- "Service": "appsync"
+ "Service": "appsync.amazonaws.com"
  }
  }
  ],
@@ -366,7 +374,7 @@
  "path": "Tree",
  "constructInfo": {
  "fqn": "constructs.Construct",
- "version": "10.1.140"
+ "version": "10.1.161"
  }
  }
  },