fix(appsync): Populate construct name dynamically for lambda authorizer permission in appsync

packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts

@@ -534,7 +534,7 @@ export class GraphqlApi extends GraphqlApiBase {
       const config = modes.find((mode: AuthorizationMode) => {
         return mode.authorizationType === AuthorizationType.LAMBDA && mode.lambdaAuthorizerConfig;
       })?.lambdaAuthorizerConfig;
-      config?.handler.addPermission('appsync', {
+      config?.handler.addPermission(`${id}-appsync`, {
         principal: new ServicePrincipal('appsync.amazonaws.com'),
         action: 'lambda:InvokeFunction',
       });

packages/@aws-cdk/aws-appsync/test/appsync-auth.test.ts

@@ -684,6 +684,59 @@ describe('AppSync Lambda Authorization', () => {
 
   });
 
+  test('Attach Lambda Authorization to two or more graphql api', () => {
+    // WHEN
+    new appsync.GraphqlApi(stack, 'api1', {
+      name: 'api1',
+      schema: appsync.SchemaFile.fromAsset(
+        path.join(__dirname, 'appsync.test.graphql'),
+      ),
+      authorizationConfig: {
+        defaultAuthorization: {
+          authorizationType: appsync.AuthorizationType.LAMBDA,
+          lambdaAuthorizerConfig: {
+            handler: fn,
+          },
+        },
+      },
+    });
+
+    new appsync.GraphqlApi(stack, 'api2', {
+      name: 'api2',
+      schema: appsync.SchemaFile.fromAsset(
+        path.join(__dirname, 'appsync.test.graphql'),
+      ),
+      authorizationConfig: {
+        defaultAuthorization: {
+          authorizationType: appsync.AuthorizationType.LAMBDA,
+          lambdaAuthorizerConfig: {
+            handler: fn,
+          },
+        },
+      },
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties(
+      'AWS::AppSync::GraphQLApi',
+      {
+        AuthenticationType: 'AWS_LAMBDA',
+        LambdaAuthorizerConfig: {
+          AuthorizerUri: {
+            'Fn::GetAtt': ['authfunction96361832', 'Arn'],
+          },
+        },
+      },
+    );
+
+    Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
+      Action: 'lambda:InvokeFunction',
+      FunctionName: {
+        'Fn::GetAtt': ['authfunction96361832', 'Arn'],
+      },
+    });
+  });
+
   test('Lambda authorization configurable in default authorization', () => {
     // WHEN
     new appsync.GraphqlApi(stack, 'api', {

packages/@aws-cdk/aws-appsync/test/integ.lambda-auth.js.snapshot/GraphQlApiLambdaAuthDefaultTestDeployAssert3A9D82EA.assets.json

@@ -0,0 +1,19 @@
+{
+  "version": "29.0.0",
+  "files": {
+    "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
+      "source": {
+        "path": "GraphQlApiLambdaAuthDefaultTestDeployAssert3A9D82EA.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}

packages/@aws-cdk/aws-appsync/test/integ.lambda-auth.js.snapshot/GraphQlApiLambdaAuthDefaultTestDeployAssert3A9D82EA.template.json

@@ -0,0 +1,36 @@
+{
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}

packages/@aws-cdk/aws-appsync/test/integ.lambda-auth.js.snapshot/appsync-lambda-auth.assets.json

@@ -0,0 +1,32 @@
+{
+  "version": "29.0.0",
+  "files": {
+    "df9f207d681056c35badb6bc0d60a945b44c887b227b759715fd6a6443486443": {
+      "source": {
+        "path": "asset.df9f207d681056c35badb6bc0d60a945b44c887b227b759715fd6a6443486443",
+        "packaging": "zip"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "df9f207d681056c35badb6bc0d60a945b44c887b227b759715fd6a6443486443.zip",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    },
+    "6318a3460f2277a0215d1d3dec988f54f73d1ebd0221c7a7cc4d2bcb6324b50f": {
+      "source": {
+        "path": "appsync-lambda-auth.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "6318a3460f2277a0215d1d3dec988f54f73d1ebd0221c7a7cc4d2bcb6324b50f.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}

packages/@aws-cdk/aws-appsync/test/integ.lambda-auth.js.snapshot/appsync-lambda-auth.template.json

@@ -0,0 +1,171 @@
+{
+ "Resources": {
+  "funcServiceRoleA96CCB44": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "lambda.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "ManagedPolicyArns": [
+     {
+      "Fn::Join": [
+       "",
+       [
+        "arn:",
+        {
+         "Ref": "AWS::Partition"
+        },
+        ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+       ]
+      ]
+     }
+    ]
+   }
+  },
+  "funcC3A0C2E2": {
+   "Type": "AWS::Lambda::Function",
+   "Properties": {
+    "Code": {
+     "S3Bucket": {
+      "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
+     },
+     "S3Key": "df9f207d681056c35badb6bc0d60a945b44c887b227b759715fd6a6443486443.zip"
+    },
+    "Role": {
+     "Fn::GetAtt": [
+      "funcServiceRoleA96CCB44",
+      "Arn"
+     ]
+    },
+    "Handler": "lambda-tutorial.handler",
+    "Runtime": "nodejs14.x"
+   },
+   "DependsOn": [
+    "funcServiceRoleA96CCB44"
+   ]
+  },
+  "funcapi1appsync5C5BBFA1": {
+   "Type": "AWS::Lambda::Permission",
+   "Properties": {
+    "Action": "lambda:InvokeFunction",
+    "FunctionName": {
+     "Fn::GetAtt": [
+      "funcC3A0C2E2",
+      "Arn"
+     ]
+    },
+    "Principal": "appsync.amazonaws.com"
+   }
+  },
+  "funcapi2appsync0EE83EF2": {
+   "Type": "AWS::Lambda::Permission",
+   "Properties": {
+    "Action": "lambda:InvokeFunction",
+    "FunctionName": {
+     "Fn::GetAtt": [
+      "funcC3A0C2E2",
+      "Arn"
+     ]
+    },
+    "Principal": "appsync.amazonaws.com"
+   }
+  },
+  "api1A91238E2": {
+   "Type": "AWS::AppSync::GraphQLApi",
+   "Properties": {
+    "AuthenticationType": "AWS_LAMBDA",
+    "Name": "api1",
+    "LambdaAuthorizerConfig": {
+     "AuthorizerUri": {
+      "Fn::GetAtt": [
+       "funcC3A0C2E2",
+       "Arn"
+      ]
+     }
+    }
+   }
+  },
+  "api1SchemaFFA53DB6": {
+   "Type": "AWS::AppSync::GraphQLSchema",
+   "Properties": {
+    "ApiId": {
+     "Fn::GetAtt": [
+      "api1A91238E2",
+      "ApiId"
+     ]
+    },
+    "Definition": "type test {\n  version: String!\n}\ntype Query {\n  getTests: [test]!\n}\ntype Mutation {\n  addTest(version: String!): test\n}\n"
+   }
+  },
+  "api2C4850CEA": {
+   "Type": "AWS::AppSync::GraphQLApi",
+   "Properties": {
+    "AuthenticationType": "AWS_LAMBDA",
+    "Name": "api2",
+    "LambdaAuthorizerConfig": {
+     "AuthorizerUri": {
+      "Fn::GetAtt": [
+       "funcC3A0C2E2",
+       "Arn"
+      ]
+     }
+    }
+   }
+  },
+  "api2SchemaD5C26031": {
+   "Type": "AWS::AppSync::GraphQLSchema",
+   "Properties": {
+    "ApiId": {
+     "Fn::GetAtt": [
+      "api2C4850CEA",
+      "ApiId"
+     ]
+    },
+    "Definition": "type test {\n  version: String!\n}\ntype Query {\n  getTests: [test]!\n}\ntype Mutation {\n  addTest(version: String!): test\n}\n"
+   }
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}