fix(cognito): cannot use same lambda function as trigger in multiple …

…user pools (#22444)

Create the permission in the scope of the user pool 
instead of the lambda function.

Integ tests contain destructive changes for the permissions because
of the new logical IDs. This should not cause any downtime since the new permission is created first.

Fixes #22315


----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk/aws-cognito/lib/user-pool.ts

@@ -980,6 +980,7 @@ export class UserPool extends UserPoolBase {
     fn.addPermission(`${capitalize}Cognito`, {
       principal: new ServicePrincipal('cognito-idp.amazonaws.com'),
       sourceArn: Lazy.string({ produce: () => this.userPoolArn }),
+      scope: this,
     });
   }
 

packages/@aws-cdk/aws-cognito/test/user-pool-custom-sender.integ.snapshot/cdk.out

@@ -1 +1 @@
-{"version":"20.0.0"}
+{"version":"21.0.0"}

packages/@aws-cdk/aws-cognito/test/user-pool-custom-sender.integ.snapshot/integ-user-pool-custom-sender.assets.json

@@ -1,15 +1,15 @@
 {
-  "version": "20.0.0",
+  "version": "21.0.0",
   "files": {
-    "7e21bf24f8c6a20d81ddd4a52096ea99176dc68bcac04483e71b011708134d30": {
+    "51bd20d4d484317d077ffb92a54630892966b5b3354ea04f9b8ac08cb5d5d1d0": {
       "source": {
         "path": "integ-user-pool-custom-sender.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "7e21bf24f8c6a20d81ddd4a52096ea99176dc68bcac04483e71b011708134d30.json",
+          "objectKey": "51bd20d4d484317d077ffb92a54630892966b5b3354ea04f9b8ac08cb5d5d1d0.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

packages/@aws-cdk/aws-cognito/test/user-pool-custom-sender.integ.snapshot/integ-user-pool-custom-sender.template.json

@@ -50,25 +50,6 @@
     "emailLambdaServiceRole7569D9F6"
    ]
   },
-  "emailLambdaCustomEmailSenderCognito5E15D907": {
-   "Type": "AWS::Lambda::Permission",
-   "Properties": {
-    "Action": "lambda:InvokeFunction",
-    "FunctionName": {
-     "Fn::GetAtt": [
-      "emailLambda61F82360",
-      "Arn"
-     ]
-    },
-    "Principal": "cognito-idp.amazonaws.com",
-    "SourceArn": {
-     "Fn::GetAtt": [
-      "pool056F3F7E",
-      "Arn"
-     ]
-    }
-   }
-  },
   "keyFEDD6EC0": {
    "Type": "AWS::KMS::Key",
    "Properties": {
@@ -104,6 +85,25 @@
    "UpdateReplacePolicy": "Retain",
    "DeletionPolicy": "Retain"
   },
+  "poolCustomEmailSenderCognitoE3D88E99": {
+   "Type": "AWS::Lambda::Permission",
+   "Properties": {
+    "Action": "lambda:InvokeFunction",
+    "FunctionName": {
+     "Fn::GetAtt": [
+      "emailLambda61F82360",
+      "Arn"
+     ]
+    },
+    "Principal": "cognito-idp.amazonaws.com",
+    "SourceArn": {
+     "Fn::GetAtt": [
+      "pool056F3F7E",
+      "Arn"
+     ]
+    }
+   }
+  },
   "pool056F3F7E": {
    "Type": "AWS::Cognito::UserPool",
    "Properties": {

packages/@aws-cdk/aws-cognito/test/user-pool-custom-sender.integ.snapshot/integ.json

@@ -1,5 +1,5 @@
 {
-  "version": "20.0.0",
+  "version": "21.0.0",
   "testCases": {
     "integ.user-pool-custom-sender": {
       "stacks": [

packages/@aws-cdk/aws-cognito/test/user-pool-custom-sender.integ.snapshot/manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "20.0.0",
+  "version": "21.0.0",
   "artifacts": {
     "Tree": {
       "type": "cdk:tree",
@@ -23,7 +23,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/7e21bf24f8c6a20d81ddd4a52096ea99176dc68bcac04483e71b011708134d30.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/51bd20d4d484317d077ffb92a54630892966b5b3354ea04f9b8ac08cb5d5d1d0.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [
@@ -51,16 +51,16 @@
             "data": "emailLambda61F82360"
           }
         ],
-        "/integ-user-pool-custom-sender/emailLambda/CustomEmailSenderCognito": [
+        "/integ-user-pool-custom-sender/key/Resource": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "emailLambdaCustomEmailSenderCognito5E15D907"
+            "data": "keyFEDD6EC0"
           }
         ],
-        "/integ-user-pool-custom-sender/key/Resource": [
+        "/integ-user-pool-custom-sender/pool/CustomEmailSenderCognito": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "keyFEDD6EC0"
+            "data": "poolCustomEmailSenderCognitoE3D88E99"
           }
         ],
         "/integ-user-pool-custom-sender/pool/Resource": [
@@ -98,6 +98,15 @@
             "type": "aws:cdk:logicalId",
             "data": "CheckBootstrapVersion"
           }
+        ],
+        "emailLambdaCustomEmailSenderCognito5E15D907": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "emailLambdaCustomEmailSenderCognito5E15D907",
+            "trace": [
+              "!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
+            ]
+          }
         ]
       },
       "displayName": "integ-user-pool-custom-sender"

packages/@aws-cdk/aws-cognito/test/user-pool-custom-sender.integ.snapshot/tree.json

@@ -9,7 +9,7 @@
         "path": "Tree",
         "constructInfo": {
           "fqn": "constructs.Construct",
-          "version": "10.1.85"
+          "version": "10.1.123"
         }
       },
       "integ-user-pool-custom-sender": {
@@ -92,33 +92,6 @@
                   "fqn": "@aws-cdk/aws-lambda.CfnFunction",
                   "version": "0.0.0"
                 }
-              },
-              "CustomEmailSenderCognito": {
-                "id": "CustomEmailSenderCognito",
-                "path": "integ-user-pool-custom-sender/emailLambda/CustomEmailSenderCognito",
-                "attributes": {
-                  "aws:cdk:cloudformation:type": "AWS::Lambda::Permission",
-                  "aws:cdk:cloudformation:props": {
-                    "action": "lambda:InvokeFunction",
-                    "functionName": {
-                      "Fn::GetAtt": [
-                        "emailLambda61F82360",
-                        "Arn"
-                      ]
-                    },
-                    "principal": "cognito-idp.amazonaws.com",
-                    "sourceArn": {
-                      "Fn::GetAtt": [
-                        "pool056F3F7E",
-                        "Arn"
-                      ]
-                    }
-                  }
-                },
-                "constructInfo": {
-                  "fqn": "@aws-cdk/aws-lambda.CfnPermission",
-                  "version": "0.0.0"
-                }
               }
             },
             "constructInfo": {
@@ -181,6 +154,33 @@
             "id": "pool",
             "path": "integ-user-pool-custom-sender/pool",
             "children": {
+              "CustomEmailSenderCognito": {
+                "id": "CustomEmailSenderCognito",
+                "path": "integ-user-pool-custom-sender/pool/CustomEmailSenderCognito",
+                "attributes": {
+                  "aws:cdk:cloudformation:type": "AWS::Lambda::Permission",
+                  "aws:cdk:cloudformation:props": {
+                    "action": "lambda:InvokeFunction",
+                    "functionName": {
+                      "Fn::GetAtt": [
+                        "emailLambda61F82360",
+                        "Arn"
+                      ]
+                    },
+                    "principal": "cognito-idp.amazonaws.com",
+                    "sourceArn": {
+                      "Fn::GetAtt": [
+                        "pool056F3F7E",
+                        "Arn"
+                      ]
+                    }
+                  }
+                },
+                "constructInfo": {
+                  "fqn": "@aws-cdk/aws-lambda.CfnPermission",
+                  "version": "0.0.0"
+                }
+              },
               "Resource": {
                 "id": "Resource",
                 "path": "integ-user-pool-custom-sender/pool/Resource",
@@ -299,28 +299,28 @@
             "id": "UserPoolId",
             "path": "integ-user-pool-custom-sender/UserPoolId",
             "constructInfo": {
-              "fqn": "constructs.Construct",
-              "version": "10.1.85"
+              "fqn": "@aws-cdk/core.CfnOutput",
+              "version": "0.0.0"
             }
           },
           "ClientId": {
             "id": "ClientId",
             "path": "integ-user-pool-custom-sender/ClientId",
             "constructInfo": {
-              "fqn": "constructs.Construct",
-              "version": "10.1.85"
+              "fqn": "@aws-cdk/core.CfnOutput",
+              "version": "0.0.0"
             }
           }
         },
         "constructInfo": {
-          "fqn": "constructs.Construct",
-          "version": "10.1.85"
+          "fqn": "@aws-cdk/core.Stack",
+          "version": "0.0.0"
         }
       }
     },
     "constructInfo": {
-      "fqn": "constructs.Construct",
-      "version": "10.1.85"
+      "fqn": "@aws-cdk/core.App",
+      "version": "0.0.0"
     }
   }
 }

packages/@aws-cdk/aws-cognito/test/user-pool-explicit-props.integ.snapshot/cdk.out

@@ -1 +1 @@
-{"version":"20.0.0"}
+{"version":"21.0.0"}

packages/@aws-cdk/aws-cognito/test/user-pool-explicit-props.integ.snapshot/integ-user-pool.assets.json

@@ -1,15 +1,15 @@
 {
-  "version": "20.0.0",
+  "version": "21.0.0",
   "files": {
-    "8bbf60047c97c5bdfc69a2679a633a8e0a90eee3419768262c5e1fea7b903a71": {
+    "7df3ca05ace569184cc645d485b05885dc2e13f745606873a57afa9d264ecc08": {
       "source": {
         "path": "integ-user-pool.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "8bbf60047c97c5bdfc69a2679a633a8e0a90eee3419768262c5e1fea7b903a71.json",
+          "objectKey": "7df3ca05ace569184cc645d485b05885dc2e13f745606873a57afa9d264ecc08.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }