Circular dependency between ApiGateway and Lambda

[artyom-melnikov]

Note: for support questions, please first reference our documentation, then use Stackoverflow. This repository's issues are intended for feature requests and bug reports.

• I'm submitting a ...

  • 🪲 bug report
  • 🚀 feature request
  • 📚 construct library gap
  • ☎️ security issue or vulnerability => Please see policy
  • ❓ support request => Please see note at the top of this template.

• What is the current behavior?
  If the current behavior is a 🪲bug🪲: Please provide the steps to reproduce

I am trying to split lambdas into multiple stacks because I reached CloudFormaion 200 resource limit. This is how I am creating everything right now (before split)

// API
    this.api = new apigw.LambdaRestApi(this, apiName, {
      handler: this.createDefaultLambda(),
      proxy: false,
      options: {
        restApiName: apiName,
        endpointTypes: [ EndpointType.Regional ],
        deployOptions: {
          tracingEnabled: true
        }
      }
    });
  }

// Creating methods like this
        const fn = this.createLambda(...);
        const integration = new apigw.LambdaIntegration(fn, {
          allowTestInvoke: true,
          proxy: true
        });
        resource.addMethod(method.Method, integration, {
          authorizationType: AuthorizationType.None,
          methodResponses: [
            {
              statusCode: '200',
              responseModels: {
                'application/json': new apigw.EmptyModel()
              }
            }
          ]
        });

// Lambda
const fn = new lambda.Function(this, lambdaName, {
      handler,
      functionName: lambdaName,
      runtime: DEFAULT_RUNTIME,
      code: this.codeAsset,
      timeout: DEFAULT_TIMEOUT,
      layers: [ this.sharedLayer ],
      role: this.lambdaExecutionRole,
      tracing: Tracing.Active
    });
    fn.grantInvoke(new iam.ServicePrincipal('apigateway.amazonaws.com'));
    return fn;

For some reason, Lambda becomes dependant on the ApiGateway. I think it is because of Function Policy with a statement which allows invocation from a specific resource. The lambdas function policy looks like this:

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "xxx",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:my_lambda_arn"
    },
    {
      "Sid": "xxx",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:my_lambda_arn",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:execute-api:api_gateway_resource_method_arn"
        }
      }
    }
  ]
}

The first one should be added by me manually (fn.grantInvoke...), but the second one seems to be added automatically behine the scene

• What is the expected behavior (or behavior of feature suggested)?

An ability to make Lambda non-dependant on ApiGateway

• What is the motivation / use case for changing the behavior or adding this feature?

The ability to split resources into the nested stacks should be seriously considered by the CDK and ideally, some built-in features should be present. Reaching such a limit with lambdas and appsync resolvers is a very easy task

• Please tell us about your environment:

  • CDK CLI Version: 0.31.0
  • Module Version: 0.31.0
  • OS: [all | Windows 10 | OSX Mojave | Ubuntu | etc... ]
  • Language: TypeScript

• Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. associated pull-request, stackoverflow, gitter, etc)

[nija-at]

I believe we've already fixed this as part of 1.9.0 - #4010.

Can you pull the latest CDK version and check if you still see this issue?