aws-appsync: "Auto-merge failed" when creating Merged AppSync API with Source API merge type set AUTO_MERGE #26986

@frixaco

Describe the bug

Hi and thank you for your work on the library!

The Merged API Execution Role does not automatically merge the Source API, even with merge_type=appsync.MergeType.AUTO_MERGE.
If I understood correctly, the policy added to this role only allows appsync:SourceGraphQL.

Expected Behavior

Creating a Merged AppSync API should, by default and when merge_type is specifically set to AUTO_MERGE, automatically merge Source AppSync APIs.

Current Behavior

Default behaviour for Source APIs does not work. Manually setting merge_type to AUTO_MERGE also does not work.

Reproduction Steps

```python
from aws_cdk import aws_appsync as appsync, aws_lambda as lambda_

# The resources below are defined inside a Stack's __init__ (self is the Stack).

# Lambda function backing the source API's data source
endpoint1_lambda = lambda_.Function(
    self,
    id="endpoint1-lambda",
    function_name="endpoint1-lambda",
    runtime=lambda_.Runtime.PYTHON_3_11,
    handler="app.lambda_handler",
    code=lambda_.Code.from_asset(
        "./lambda_functions/endpoint1",
    ),
)

# Source API that should be merged into the Merged API
source_api_1 = appsync.GraphqlApi(
    self,
    id="source-api-1",
    name="source-api-1",
    definition=appsync.Definition.from_schema(
        appsync.SchemaFile.from_asset(
            "./graphql_schemas/sourceApi1.graphql"
        )
    ),
)
endpoint1_lambda_ds = appsync.LambdaDataSource(
    self,
    id="endpoint1-lambda-ds",
    lambda_function=endpoint1_lambda,
    api=source_api_1,
)

appsync.Resolver(
    self,
    id="endpoint1-resolver",
    api=source_api_1,
    type_name="Query",
    field_name="endpoint1",
    data_source=endpoint1_lambda_ds,
    code=appsync.Code.from_asset(
        "./asd_cdk/graphql_unit_resolvers/base.js",
    ),
    runtime=appsync.FunctionRuntime.JS_1_0_0,
)

# Merged API with the default (CDK-generated) execution role
merged_api = appsync.GraphqlApi(
    self,
    id="merged-api",
    name="merged-api",
    definition=appsync.Definition.from_source_apis(
        source_apis=[
            appsync.SourceApi(
                source_api=source_api_1,
                merge_type=appsync.MergeType.AUTO_MERGE,  # this doesn't work
            )
        ],
    ),
)
```

Possible Solution

Manually creating the Execution Role fixes the issue:

```python
...
merged_api = appsync.GraphqlApi(
    self,
    id="merged-api",
    name="merged-api",
    definition=appsync.Definition.from_source_apis(
        source_apis=[
            appsync.SourceApi(
                source_api=source_api_1,
                merge_type=appsync.MergeType.AUTO_MERGE,
            )
        ],
        merged_api_execution_role=iam.Role(  # <=====
            self,
            id="merged-api-execution-role",
            assumed_by=iam.ServicePrincipal("appsync.amazonaws.com"),
            inline_policies={
                "appsync": iam.PolicyDocument(
                    statements=[
                        iam.PolicyStatement(
                            resources=["*"],
                            actions=["appsync:*"],
                        )
                    ]
                )
            },
        ),
    ),
)
```

Additional Information/Context

Extending the allowed list of actions should fix the issue. ['appsync:*'] instead of ['appsync:SourceGraphQL']?

CDK CLI Version

2.94.0 (build 987c329)

Framework Version

No response

Node.js Version

v18.16.0

OS

MacOS

Language

Python

Language Version

Python (3.11.5)

Other information

[Screenshot: CleanShot 2023-09-02 at 16 40 45@2x]
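A narrower alternative to the `appsync:*` on `*` workaround, as an added example that is not part of the original issue or of the CDK code base: it builds an execution-role policy scoped to one source API association and audits a policy for missing or wildcard grants. It assumes the permission the default role lacks is `appsync:StartSchemaMerge` on the source API association (the issue does not name it); the function names, account ID and API IDs are constructed placeholders.

```python
import fnmatch

# Actions assumed to be needed for an AUTO_MERGE association (an assumption, not
# stated in the issue): read the source API and start the schema merge.
REQUIRED = {"appsync:SourceGraphQL", "appsync:StartSchemaMerge"}


def scoped_policy(region, account, merged_api_id, source_api_id, association_id):
    """Build an execution-role policy limited to one source API association."""
    base = f"arn:aws:appsync:{region}:{account}:apis"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["appsync:SourceGraphQL"],
             "Resource": [f"{base}/{source_api_id}", f"{base}/{source_api_id}/*"]},
            {"Effect": "Allow", "Action": ["appsync:StartSchemaMerge"],
             "Resource": [f"{base}/{merged_api_id}/sourceApiAssociations/{association_id}"]},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit(policy):
    """Return (missing_actions, findings). Ignores Deny, NotAction and Condition."""
    granted, findings = set(), []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for req in REQUIRED:
            # IAM action matching is case-insensitive and supports * and ?
            if any(fnmatch.fnmatchcase(req.lower(), a.lower()) for a in actions):
                granted.add(req)
        if any("*" in a for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in resources:
            findings.append(f"statement {i}: resource '*'")
    return sorted(REQUIRED - granted), findings


# Constructed inputs: the default role policy as the issue describes it, the
# issue's workaround, and a scoped policy with placeholder identifiers.
DEFAULT = {"Statement": [{"Effect": "Allow", "Action": "appsync:SourceGraphQL",
                          "Resource": "arn:aws:appsync:us-east-1:111122223333:apis/SOURCEAPIID"}]}
WORKAROUND = {"Statement": [{"Effect": "Allow", "Action": ["appsync:*"], "Resource": ["*"]}]}
SCOPED = scoped_policy("us-east-1", "111122223333", "MERGEDAPIID", "SOURCEAPIID", "ASSOCIATIONID")
```

`audit(DEFAULT)` reports the missing merge permission, `audit(WORKAROUND)` reports both wildcard findings, and `audit(SCOPED)` reports neither.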

Labels

@aws-cdk/aws-appsync (Related to AWS AppSync)
bug (This issue is a bug.)
effort/small (Small work item – less than a day of effort)
good first issue (Related to contributions. See CONTRIBUTING.md)
p2
