
(aws-appsync): Need an option for passing a Service Role to AppSync GraphQL Lambda Data Source #16225

@DevoKun


I have a GraphQL AppSync and a Lambda Function data source.

I want to use existing IAM Roles as the data source Service Role.

Currently, there appears to be no way to specify the service role.

I have this TypeScript CDK code:

    const figaroLambda = new NodejsFunction(this, 'FigaroLambda', {
      memorySize: 1024,
      timeout: cdk.Duration.seconds(5),
      runtime: lambda.Runtime.NODEJS_14_X,
      handler: 'handler',
      role: figaroLambdaRole,
      entry: path.join(__dirname, `figaro/index.ts`),
      vpc,
      vpcSubnets,
      securityGroups: [figaroLambdaSecurityGroup],
    });


    // https://docs.aws.amazon.com/cdk/api/latest/typescript/api/aws-appsync/graphqlapi.html#aws_appsync_GraphqlApi
    // https://docs.aws.amazon.com/cdk/api/latest/typescript/api/aws-appsync/graphqlapiprops.html#aws_appsync_GraphqlApiProps
    const api = new appsync.GraphqlApi(this, 'NeptuneGraphQLApi', {
      schema: appsync.Schema.fromAsset('schema.graphql'),
      authorizationConfig: {
        defaultAuthorization: {
          authorizationType: appsync.AuthorizationType.USER_POOL,
          userPoolConfig: {
            userPool: userPool,
          },
        }
      },
    })


    // https://docs.aws.amazon.com/cdk/api/latest/typescript/api/aws-appsync/graphqlapibase.html#aws_appsync_GraphqlApiBase_addLambdaDataSource
    api.addLambdaDataSource('LambdaDatasourceFigaro', figaroLambda);

Which creates:

  NeptuneGraphQLApiLambdaDatasourceFigaroServiceRoleCCBC152B:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: appsync.amazonaws.com
        Version: "2012-10-17"

  NeptuneGraphQLApiLambdaDatasourceFigaroServiceRoleDefaultPolicyB39D9AB9:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: lambda:InvokeFunction
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - FigaroLambdaA18864CC
                - Arn
        Version: "2012-10-17"
      PolicyName: NeptuneGraphQLApiLambdaDatasourceFigaroServiceRoleDefaultPolicyB39D9AB9
      Roles:
        - Ref: NeptuneGraphQLApiLambdaDatasourceFigaroServiceRoleCCBC152B

  NeptuneGraphQLApiLambdaDatasourceFigaro8722E995:
    Type: AWS::AppSync::DataSource
    Properties:
      ApiId:
        Fn::GetAtt:
          - NeptuneGraphQLApi8AAC1DF5
          - ApiId
      Name: LambdaDatasourceFigaro
      Type: AWS_LAMBDA
      LambdaConfig:
        LambdaFunctionArn:
          Fn::GetAtt:
            - FigaroLambdaA18864CC
            - Arn
      ServiceRoleArn:
        Fn::GetAtt:
          - NeptuneGraphQLApiLambdaDatasourceFigaroServiceRoleCCBC152B
          - Arn

Need an option for passing a ServiceRole to addLambdaDataSource

Please consider this a feature request to update either addLambdaDataSource(id, lambdaFunction, options) or DataSourceOptions to include an option for specifying a service role:

    addLambdaDataSource(
      id: string,
      lambdaFunction: IFunction,
      serviceRole: IRole,
      options?: DataSourceOptions
    ): LambdaDataSource;

This is a 🚀 Feature Request
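
The synthesized template quoted above shows what the generated service role provides: a trust policy for appsync.amazonaws.com and lambda:InvokeFunction on the data source's function. The check below is an added example, not part of the original issue or the CDK code base; it verifies that a role referenced by an AWS_LAMBDA data source meets the same two conditions and carries no wildcard grants. The function names, the sample template and its shortened logical IDs are constructed for illustration.

```typescript
// Added example, not code from the issue or from aws-cdk. Assumes the role and its
// AWS::IAM::Policy resources sit in the same synthesized template as the data source.
type IamStatement = { Effect: string; Action: string | string[]; Resource?: unknown; Principal?: { Service?: string | string[] } };
type CfnTemplate = { Resources: { [id: string]: { Type: string; Properties: any } } };
// IAM fields hold one value or a list; action patterns use '*' and '?' and ignore case.
const asList = <T>(v: T | T[] | undefined): T[] => (v === undefined ? [] : ([] as T[]).concat(v));
const glob = (pat: string, v: string): boolean =>
  new RegExp('^' + pat.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.') + '$', 'i').test(v);

// Returns one finding per problem; an empty list means the role fits the data source.
function checkLambdaDataSourceRoles(tpl: CfnTemplate): string[] {
  const findings: string[] = [];
  const ids = Object.keys(tpl.Resources);
  for (const dsId of ids) {
    const ds = tpl.Resources[dsId];
    if (ds.Type !== 'AWS::AppSync::DataSource' || ds.Properties.Type !== 'AWS_LAMBDA') continue;
    const fnArn: unknown = ds.Properties.LambdaConfig.LambdaFunctionArn;
    const roleId: string = ds.Properties.ServiceRoleArn?.['Fn::GetAtt']?.[0] ?? '';
    const role = tpl.Resources[roleId];
    if (!role || role.Type !== 'AWS::IAM::Role') { findings.push(`${dsId}: service role not defined in template`); continue; }
    // 1. Trust policy: AppSync must be allowed to assume the role.
    const trust: IamStatement[] = role.Properties.AssumeRolePolicyDocument.Statement;
    if (!trust.some(s => s.Effect === 'Allow' && asList(s.Action).indexOf('sts:AssumeRole') >= 0
        && asList(s.Principal?.Service).indexOf('appsync.amazonaws.com') >= 0))
      findings.push(`${dsId}: ${roleId} does not trust appsync.amazonaws.com`);
    // 2. Gather Allow statements from every AWS::IAM::Policy attached to the role.
    const allows: IamStatement[] = [];
    for (const id of ids) {
      const p = tpl.Resources[id];
      if (p.Type !== 'AWS::IAM::Policy' || !asList<any>(p.Properties.Roles).some(r => r.Ref === roleId)) continue;
      for (const s of p.Properties.PolicyDocument.Statement as IamStatement[]) if (s.Effect === 'Allow') allows.push(s);
    }
    // 3. The role must allow lambda:InvokeFunction on the function behind the data source.
    if (!allows.some(s => asList(s.Action).some(a => glob(a, 'lambda:InvokeFunction'))
        && asList(s.Resource).some(r => r === '*' || JSON.stringify(r) === JSON.stringify(fnArn))))
      findings.push(`${dsId}: ${roleId} lacks lambda:InvokeFunction on the data source function`);
    // 4. Least privilege: flag wildcard grants that a reused role may carry.
    if (allows.some(s => asList(s.Action).some(a => a.indexOf('*') >= 0)
        || asList(s.Resource).some(r => typeof r === 'string' && r.indexOf('*') >= 0)))
      findings.push(`${dsId}: ${roleId} allows wildcard actions or resources`);
  }
  return findings;
}
// Constructed sample shaped like the template quoted in the issue (logical IDs shortened).
function sampleTemplate(service: string, action: string, resource: unknown): CfnTemplate {
  const arn = (id: string) => ({ 'Fn::GetAtt': [id, 'Arn'] });
  return { Resources: {
    Role: { Type: 'AWS::IAM::Role', Properties: { AssumeRolePolicyDocument: { Statement: [{ Effect: 'Allow', Action: 'sts:AssumeRole', Principal: { Service: service } }] } } },
    Policy: { Type: 'AWS::IAM::Policy', Properties: { Roles: [{ Ref: 'Role' }], PolicyDocument: { Statement: [{ Effect: 'Allow', Action: action, Resource: resource }] } } },
    Ds: { Type: 'AWS::AppSync::DataSource', Properties: { Type: 'AWS_LAMBDA', LambdaConfig: { LambdaFunctionArn: arn('Fn') }, ServiceRoleArn: arn('Role') } },
  } };
}
```

A role referenced by a literal ARN, or one whose permissions come from inline or managed policies, is reported as not defined in the template and has to be reviewed in IAM directly.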

Labels: @aws-cdk/aws-appsync (Related to AWS AppSync), effort/small (Small work item – less than a day of effort), feature-request (A feature should be added or improved.), p2
