(apigatewayv2): IAM Permissions not being created for Api Gateway to access http lambda integration #18201

@kevinmcgillicuddy

What is the problem?

API Gateway does not create the needed IAM roles to connect to an HTTP Lambda integration. This started when upgrading to CDK v2.

Reproduction Steps

When using AWS-CDK 2.3.0-alpha.0

"@aws-cdk/aws-apigatewayv2-alpha": "2.3.0-alpha.0",
"@aws-cdk/aws-apigatewayv2-authorizers-alpha": "^2.3.0-alpha.0",
"@aws-cdk/aws-apigatewayv2-integrations-alpha": "^2.3.0-alpha.0"

We have 2 routes that point to the same integration; permissions in CloudFormation are only created for the first one.

const jobsIntegration = new apiGatewayIntegrations.HttpLambdaIntegration('JobsIntegration', jobsFunction);

  props.httpApi.addRoutes({
    path: '/hr/jobs',
    methods: [ apiGateway.HttpMethod.GET ],
    integration: jobsIntegration,
    authorizer: props.Authorizer
  });

  props.httpApi.addRoutes({
    path: '/hr/job/{reqId}',
    methods: [ apiGateway.HttpMethod.GET ],
    integration: jobsIntegration,
    authorizer: props.Authorizer
  });

CloudFormation:

    "HttpApiGEThrjobsJobsIntegrationPermissionFFAB51F1": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {
          "Fn::ImportValue": "OutputFnGetAttJobsFunction382FBD18Arn3EEB55F3"
        },
        "Principal": "apigateway.amazonaws.com",
        "SourceArn": {
          "Fn::Join": [
            "",
            [
              "arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":execute-api:us-east-1:123:",
              {
                "Ref": "HttpApiF5A9A8A7"
              },
              "/*/*/hr/jobs"
            ]
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "/ApiGateway/HttpApi/GET--hr--jobs/JobsIntegration-Permission"
      }

API Gateway access logs:

   {
    "requestId": "=",
    "ip": "",
    "requestTime": "28/Dec/2021:16:25:46 +0000",
    "httpMethod": "GET",
    "routeKey": "GET /hr/job/{reqId}",
    "status": "500",
    "protocol": "HTTP/1.1",
    "responseLength": "35",
    "contenxtError": "Internal Server Error",
    "integrationErrorMessage": "The IAM role configured on the integration or API Gateway doesn't have permissions to call the integration. Check the permissions and try again."
}

What did you expect to happen?

For it to create permissions for both routes.

What actually happened?

It only created them for the first route; see the CloudFormation output above.

The workaround is as follows: create a new integration linked to the same function.

 const jobsIntegration = new apiGatewayIntegrations.HttpLambdaIntegration('JobsIntegration', jobsFunction);
 // Workaround: a second integration object that points at the same function
 const jobIntegration = new apiGatewayIntegrations.HttpLambdaIntegration('JobIntegration', jobsFunction);

   props.httpApi.addRoutes({
     path: '/hr/jobs',
     methods: [ apiGateway.HttpMethod.GET ],
     integration: jobsIntegration,
     authorizer: props.Authorizer
   });

   props.httpApi.addRoutes({
     path: '/hr/job/{reqId}',
     methods: [ apiGateway.HttpMethod.GET ],
     integration: jobIntegration, // the second integration, not jobsIntegration
     authorizer: props.Authorizer
   });

CDK CLI Version

2.3.0

Framework Version

No response

Node.js Version

14.18.0

OS

Windows 11

Language

Typescript

Language Version

4.5.2

Other information

No response
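
A check for the gap this issue describes, as an added example that is not part of the original issue or of the CDK code base: it scans a synthesized template and reports each `AWS::ApiGatewayV2::Route` whose route key is not covered by the `SourceArn` of any `AWS::Lambda::Permission` granted to `apigateway.amazonaws.com`. The function names, the sample templates, and the `/*/*/hr/job/*` form of the second permission are assumptions.

```typescript
// Added example, not CDK code: list HTTP API routes in a synthesized template
// that no AWS::Lambda::Permission SourceArn covers. Sample data is constructed.
type Resource = { Type: string; Properties: Record<string, any> };
type Template = { Resources: Record<string, Resource> };

// Last literal piece of the SourceArn Fn::Join, e.g. "/*/*/hr/jobs".
function sourceArnSuffix(perm: Resource): string | undefined {
  const parts: unknown[] = perm.Properties.SourceArn?.["Fn::Join"]?.[1] ?? [];
  const last = parts[parts.length - 1];
  return typeof last === "string" ? last : undefined;
}

// IAM-style match: "*" in the pattern matches any run of characters.
function arnGlobMatches(pattern: string, value: string): boolean {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`).test(value);
}

function routesMissingInvokePermission(template: Template): string[] {
  const resources = Object.values(template.Resources);
  const suffixes = resources
    .filter(r => r.Type === "AWS::Lambda::Permission"
      && r.Properties.Action === "lambda:InvokeFunction"
      && r.Properties.Principal === "apigateway.amazonaws.com")
    .map(sourceArnSuffix)
    .filter((s): s is string => s !== undefined);
  return resources
    .filter(r => r.Type === "AWS::ApiGatewayV2::Route")
    .map(r => String(r.Properties.RouteKey))
    .filter(routeKey => {
      const [method, path = ""] = routeKey.split(" ");
      // "stage" is a stand-in; the permission's stage segment is "*" on this page.
      return !suffixes.some(s => arnGlobMatches(s, `/stage/${method}${path}`));
    });
}

// Constructed templates shaped like the fragment in this issue.
const perm = (path: string): Resource => ({ Type: "AWS::Lambda::Permission", Properties: {
  Action: "lambda:InvokeFunction", Principal: "apigateway.amazonaws.com",
  SourceArn: { "Fn::Join": ["", ["arn:", { Ref: "AWS::Partition" },
    ":execute-api:us-east-1:123:", { Ref: "HttpApiF5A9A8A7" }, path]] } } });
const route = (key: string): Resource => ({ Type: "AWS::ApiGatewayV2::Route",
  Properties: { ApiId: { Ref: "HttpApiF5A9A8A7" }, RouteKey: key } });
const buggy: Template = { Resources: {
  JobsRoute: route("GET /hr/jobs"), JobRoute: route("GET /hr/job/{reqId}"),
  JobsPermission: perm("/*/*/hr/jobs") } };
const fixed: Template = { Resources: { ...buggy.Resources,
  JobPermission: perm("/*/*/hr/job/*") } };
```

Run against the output of `cdk synth` before deploying, a non-empty result points at routes that would return the 500 shown in the access log above.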

Labels: @aws-cdk/aws-apigatewayv2 (Related to Amazon API Gateway v2), bug (This issue is a bug.), needs-triage (This issue or PR still needs to be triaged.), p1