fix(apigateway): consolidate lambda permissions when reused for multiple operations

The maximum Lambda permission policy size could be exceeded for APIs which reused
the same Lambda function for multiple operations, as the integration added a new
permission for each operation, scoped down to the specific operation.

This change updates both the REST and HTTP API lambda integrations to consolidate
permissions when the same handler is used for two or more methods, creating a
permission scoped to the entire API rather than the operation. The behaviour
remains the same where individual lambdas are used for operations.

Fixes #9327
Fixes #19535

Author: cogwirrel

packages/aws-cdk-lib/aws-apigateway/lib/integrations/lambda.ts

@@ -59,21 +59,40 @@ export class LambdaIntegration extends AwsIntegration {
     const bindResult = super.bind(method);
     const principal = new iam.ServicePrincipal('apigateway.amazonaws.com');
 
-    const desc = `${Names.nodeUniqueId(method.api.node)}.${method.httpMethod}.${method.resource.path.replace(/\//g, '.')}`;
+    // Permission prefix is unique to the handler and the api
+    const descPrefix = `${Names.nodeUniqueId(this.handler.node)}.${Names.nodeUniqueId(method.api.node)}`;
+    const desc = `${descPrefix}.${method.httpMethod}.${method.resource.path.replace(/\//g, '.')}`;
 
-    this.handler.addPermission(`ApiPermission.${desc}`, {
-      principal,
-      scope: method,
-      sourceArn: Lazy.string({ produce: () => method.methodArn }),
-    });
+    // Find any existing permissions for this handler and this API
+    const otherHandlerPermissions = method.api.node.findAll()
+      .filter(c => c instanceof lambda.CfnPermission && (
+        c.node.id.startsWith(`ApiPermission.${descPrefix}.`)
+        || c.node.id.startsWith(`ApiPermission.Test.${descPrefix}.`)));
 
-    // add permission to invoke from the console
-    if (this.enableTest) {
-      this.handler.addPermission(`ApiPermission.Test.${desc}`, {
+    if (otherHandlerPermissions.length > 0) {
+      // If there are existing permissions, remove them in favour of a single permission scoped only to the API
+      otherHandlerPermissions.forEach(permission => permission.node.scope?.node?.tryRemoveChild?.(permission.node.id));
+      this.handler.addPermission(`ApiPermission.${descPrefix}.Any`, {
+        principal,
+        scope: method.api,
+        sourceArn: Lazy.string({ produce: () => method.api.arnForExecuteApi() }),
+      });
+    } else {
+      // No other permissions exist, so scope the permission to the specific method
+      this.handler.addPermission(`ApiPermission.${desc}`, {
         principal,
         scope: method,
-        sourceArn: method.testMethodArn,
+        sourceArn: Lazy.string({ produce: () => method.methodArn }),
       });
+
+      // add permission to invoke from the console
+      if (this.enableTest) {
+        this.handler.addPermission(`ApiPermission.Test.${desc}`, {
+          principal,
+          scope: method,
+          sourceArn: method.testMethodArn,
+        });
+      }
     }
 
     let functionName;

packages/aws-cdk-lib/aws-apigateway/test/integrations/lambda.test.ts

@@ -297,4 +297,200 @@ describe('lambda', () => {
     // should be a literal string.
     expect(bindResult?.deploymentToken).toEqual(JSON.stringify({ functionName: 'myfunc' }));
   });
+
+  test('creates single API-scoped permission when handler is reused', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const api = new apigateway.RestApi(stack, 'my-api');
+    const handler = new lambda.Function(stack, 'Handler', {
+      runtime: lambda.Runtime.NODEJS_LATEST,
+      handler: 'index.handler',
+      code: lambda.Code.fromInline('foo'),
+    });
+
+    // WHEN - Add two methods with lambda integrations with the same handler
+    const integ1 = new apigateway.LambdaIntegration(handler);
+    api.root.addMethod('GET', integ1);
+    const integ2 = new apigateway.LambdaIntegration(handler);
+    api.root.addMethod('POST', integ2);
+
+    // THEN - Should have API-scoped permissions instead of method-specific ones
+    const template = Template.fromStack(stack);
+
+    // Should have 1 permission total
+    template.resourceCountIs('AWS::Lambda::Permission', 1);
+
+    // Verify the API-scoped permission exists (without stage or method in the ARN)
+    template.hasResourceProperties('AWS::Lambda::Permission', {
+      Action: 'lambda:InvokeFunction',
+      FunctionName: {
+        'Fn::GetAtt': [
+          'Handler886CB40B',
+          'Arn',
+        ],
+      },
+      Principal: 'apigateway.amazonaws.com',
+      SourceArn: {
+        'Fn::Join': [
+          '',
+          [
+            'arn:',
+            { Ref: 'AWS::Partition' },
+            ':execute-api:',
+            { Ref: 'AWS::Region' },
+            ':',
+            { Ref: 'AWS::AccountId' },
+            ':',
+            { Ref: 'myapi4C7BF186' },
+            '/*/*/*',
+          ],
+        ],
+      },
+    });
+  });
+
+  test('different handlers maintain method-specific permissions', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const api = new apigateway.RestApi(stack, 'my-api');
+    const handler1 = new lambda.Function(stack, 'Handler1', {
+      runtime: lambda.Runtime.NODEJS_LATEST,
+      handler: 'index.handler',
+      code: lambda.Code.fromInline('foo'),
+    });
+    const handler2 = new lambda.Function(stack, 'Handler2', {
+      runtime: lambda.Runtime.NODEJS_LATEST,
+      handler: 'index.handler',
+      code: lambda.Code.fromInline('bar'),
+    });
+
+    // WHEN - Add methods with different handlers
+    const integ1 = new apigateway.LambdaIntegration(handler1);
+    api.root.addMethod('GET', integ1);
+
+    const integ2 = new apigateway.LambdaIntegration(handler2);
+    api.root.addMethod('POST', integ2);
+
+    // THEN - Each handler should have its own method-specific permissions
+    const template = Template.fromStack(stack);
+
+    // Should have 4 permissions total: 2 method-specific + 2 test invoke permissions
+    template.resourceCountIs('AWS::Lambda::Permission', 4);
+
+    // Verify handler1 has method-specific permission for GET
+    template.hasResourceProperties('AWS::Lambda::Permission', {
+      Action: 'lambda:InvokeFunction',
+      FunctionName: {
+        'Fn::GetAtt': [
+          'Handler11CDD30AA',
+          'Arn',
+        ],
+      },
+      Principal: 'apigateway.amazonaws.com',
+      SourceArn: {
+        'Fn::Join': [
+          '',
+          [
+            'arn:',
+            { Ref: 'AWS::Partition' },
+            ':execute-api:',
+            { Ref: 'AWS::Region' },
+            ':',
+            { Ref: 'AWS::AccountId' },
+            ':',
+            { Ref: 'myapi4C7BF186' },
+            '/',
+            { Ref: 'myapiDeploymentStageprod298F01AF' },
+            '/GET/',
+          ],
+        ],
+      },
+    });
+
+    // Verify handler1 has test invoke permission for GET
+    template.hasResourceProperties('AWS::Lambda::Permission', {
+      Action: 'lambda:InvokeFunction',
+      FunctionName: {
+        'Fn::GetAtt': [
+          'Handler11CDD30AA',
+          'Arn',
+        ],
+      },
+      Principal: 'apigateway.amazonaws.com',
+      SourceArn: {
+        'Fn::Join': [
+          '',
+          [
+            'arn:',
+            { Ref: 'AWS::Partition' },
+            ':execute-api:',
+            { Ref: 'AWS::Region' },
+            ':',
+            { Ref: 'AWS::AccountId' },
+            ':',
+            { Ref: 'myapi4C7BF186' },
+            '/test-invoke-stage/GET/',
+          ],
+        ],
+      },
+    });
+
+    // Verify handler2 has method-specific permission for POST
+    template.hasResourceProperties('AWS::Lambda::Permission', {
+      Action: 'lambda:InvokeFunction',
+      FunctionName: {
+        'Fn::GetAtt': [
+          'Handler267EDD214',
+          'Arn',
+        ],
+      },
+      Principal: 'apigateway.amazonaws.com',
+      SourceArn: {
+        'Fn::Join': [
+          '',
+          [
+            'arn:',
+            { Ref: 'AWS::Partition' },
+            ':execute-api:',
+            { Ref: 'AWS::Region' },
+            ':',
+            { Ref: 'AWS::AccountId' },
+            ':',
+            { Ref: 'myapi4C7BF186' },
+            '/',
+            { Ref: 'myapiDeploymentStageprod298F01AF' },
+            '/POST/',
+          ],
+        ],
+      },
+    });
+
+    // Verify handler2 has test invoke permission for POST
+    template.hasResourceProperties('AWS::Lambda::Permission', {
+      Action: 'lambda:InvokeFunction',
+      FunctionName: {
+        'Fn::GetAtt': [
+          'Handler267EDD214',
+          'Arn',
+        ],
+      },
+      Principal: 'apigateway.amazonaws.com',
+      SourceArn: {
+        'Fn::Join': [
+          '',
+          [
+            'arn:',
+            { Ref: 'AWS::Partition' },
+            ':execute-api:',
+            { Ref: 'AWS::Region' },
+            ':',
+            { Ref: 'AWS::AccountId' },
+            ':',
+            { Ref: 'myapi4C7BF186' },
+            '/test-invoke-stage/POST/',
+          ],
+        ],
+      },
+    });
+  });
 });

packages/aws-cdk-lib/aws-apigatewayv2-integrations/lib/http/lambda.ts

@@ -7,8 +7,9 @@ import {
   ParameterMapping,
 } from '../../../aws-apigatewayv2';
 import { ServicePrincipal } from '../../../aws-iam';
+import * as lambda from '../../../aws-lambda';
 import { IFunction } from '../../../aws-lambda';
-import { Duration, Stack } from '../../../core';
+import { Duration, Names, Stack } from '../../../core';
 
 /**
  * Lambda Proxy integration properties
@@ -58,15 +59,40 @@ export class HttpLambdaIntegration extends HttpRouteIntegration {
 
   protected completeBind(options: HttpRouteIntegrationBindOptions) {
     const route = options.route;
-    this.handler.addPermission(`${this._id}-Permission`, {
-      scope: options.scope,
-      principal: new ServicePrincipal('apigateway.amazonaws.com'),
-      sourceArn: Stack.of(route).formatArn({
-        service: 'execute-api',
-        resource: route.httpApi.apiId,
-        resourceName: `*/*${route.path ?? ''}`, // empty string in the case of the catch-all route $default
-      }),
-    });
+
+    // Permission prefix is unique to the handler and the API
+    const descPrefix = `${Names.nodeUniqueId(this.handler.node)}.${Names.nodeUniqueId(route.httpApi.node)}`;
+    const desc = `${descPrefix}.${this._id}`;
+
+    // Find any existing permissions for this handler and this API
+    const otherHandlerPermissions = route.httpApi.node.findAll()
+      .filter(c => c instanceof lambda.CfnPermission &&
+        c.node.id.startsWith(`ApiPermission.${descPrefix}.`));
+
+    if (otherHandlerPermissions.length > 0) {
+      // If there are existing permissions, remove them in favour of a single permission scoped to the API
+      otherHandlerPermissions.forEach(permission => permission.node.scope?.node?.tryRemoveChild?.(permission.node.id));
+      this.handler.addPermission(`ApiPermission.${descPrefix}.Any`, {
+        scope: route.httpApi,
+        principal: new ServicePrincipal('apigateway.amazonaws.com'),
+        sourceArn: Stack.of(route).formatArn({
+          service: 'execute-api',
+          resource: route.httpApi.apiId,
+          resourceName: '*/*/*',
+        }),
+      });
+    } else {
+      // No other permissions exist, so scope the permission to the specific route
+      this.handler.addPermission(`ApiPermission.${desc}`, {
+        scope: options.scope,
+        principal: new ServicePrincipal('apigateway.amazonaws.com'),
+        sourceArn: Stack.of(route).formatArn({
+          service: 'execute-api',
+          resource: route.httpApi.apiId,
+          resourceName: `*/*${route.path ?? ''}`, // empty string in the case of the catch-all route $default
+        }),
+      });
+    }
   }
 
   public bind(_options: HttpRouteIntegrationBindOptions): HttpRouteIntegrationConfig {
@@ -79,3 +105,4 @@ export class HttpLambdaIntegration extends HttpRouteIntegration {
     };
   }
 }
+

packages/aws-cdk-lib/aws-apigatewayv2-integrations/test/http/lambda.test.ts

@@ -108,20 +108,49 @@ describe('LambdaProxyIntegration', () => {
       integration,
     });
 
-    // Make sure we have two permissions -- one for each method -- but a single integration
+    // Make sure we have only one permission scoped to the full api
     Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
+      SourceArn: {
+        'Fn::Join': ['', Match.arrayWith([':execute-api:', '/*/*/*'])],
+      },
+    });
+
+    Template.fromStack(stack).resourceCountIs('AWS::ApiGatewayV2::Integration', 1);
+  });
+
+  test('different handlers maintain route-specific permissions', () => {
+    const stack = new Stack();
+    const api = new HttpApi(stack, 'HttpApi');
+    const handler1 = fooFunction(stack, 'Handler1');
+    const handler2 = fooFunction(stack, 'Handler2');
+
+    new HttpRoute(stack, 'Route1', {
+      httpApi: api,
+      integration: new HttpLambdaIntegration('Integration1', handler1),
+      routeKey: HttpRouteKey.with('/foo'),
+    });
+
+    new HttpRoute(stack, 'Route2', {
+      httpApi: api,
+      integration: new HttpLambdaIntegration('Integration2', handler2),
+      routeKey: HttpRouteKey.with('/bar'),
+    });
+
+    // Make sure we have two permissions -- one for each handler
+    const template = Template.fromStack(stack);
+    template.resourceCountIs('AWS::Lambda::Permission', 2);
+
+    template.hasResourceProperties('AWS::Lambda::Permission', {
       SourceArn: {
         'Fn::Join': ['', Match.arrayWith([':execute-api:', '/*/*/foo'])],
       },
     });
 
-    Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
+    template.hasResourceProperties('AWS::Lambda::Permission', {
       SourceArn: {
         'Fn::Join': ['', Match.arrayWith([':execute-api:', '/*/*/bar'])],
       },
     });
-
-    Template.fromStack(stack).resourceCountIs('AWS::ApiGatewayV2::Integration', 1);
   });
 });