(aws-cognito): `UserPool` constructor adds an incorrect Lambda permission

[Tietew]

What is the problem?

When I specify lambdaTriggers in UserPool, the function's lambda permission should have a SourceArn condition with the UserPool's ARN.

But UserPool constructor adds a lambda permisson without SourceArn condition.
UserPool.addTrigger method adds a correct permission with SourceArn.

This seems to be caused that the constructor code calls addLambdaPermission before assigning this.userPoolArn.

Reproduction Steps

const handler = new lambda.Function(this, 'Handler', { ... });
new cognito.UserPool(this, 'UserPool', {
  lambdaTriggers: {
    postConfirmation: handler,
  },
  ...
});

What did you expect to happen?

Following Lambda::Permission resource is created:

    "HandlerPostConfirmationCognitoXXXXXXXX": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {
          "Fn::GetAtt": [
            "HandlerXXXXXXXX",
            "Arn"
          ]
        },
        "Principal": "cognito-idp.amazonaws.com",
        "SourceArn": {
          "Fn::GetAtt": [
            "UserPoolXXXXXXXX",
            "Arn"
          ]
        }
      },
      "Metadata": {
        "aws:cdk:path": "..."
      }
    },

What actually happened?

Following Lambda::Permission resource was created:

    "HandlerPostConfirmationCognitoXXXXXXXX": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {
          "Fn::GetAtt": [
            "HandlerXXXXXXXX",
            "Arn"
          ]
        },
        "Principal": "cognito-idp.amazonaws.com"
      },
      "Metadata": {
        "aws:cdk:path": "..."
      }
    },

CDK CLI Version

2.18.0

Framework Version

No response

Node.js Version

14.19.0

OS

Linux

Language

Typescript

Language Version

No response

Other information

No response

[corymhall]

It looks like the solution might be to use Lazy with the sourceArn.

It seems like this issue impacts a significant number of customers, and I've tagged it as P1, which means it should be on our near-term roadmap.

We welcome community contributions! If you are able, we encourage you to contribute a bug fix or new feature to the CDK. If you decide to contribute, please start an engineering discussion in this issue to ensure there is a commonly understood design before submitting code. This will minimize the number of review cycles and get your code merged faster.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.