Add Lambda self-invoke policy and allow API Gateway to invoke the Lambda

kris-szlapa · kris-szlapa · commit 331b3a2ad73a · 2025-07-22T13:01:29.000Z
diff --git a/packages/cdk/stacks/EpsAssistMeStack.ts b/packages/cdk/stacks/EpsAssistMeStack.ts
@@ -27,6 +27,7 @@ import * as iam from "aws-cdk-lib/aws-iam"
 import * as ops from "aws-cdk-lib/aws-opensearchserverless"
 import * as cr from "aws-cdk-lib/custom-resources"
 import * as ssm from "aws-cdk-lib/aws-ssm"
+import * as lambda from "aws-cdk-lib/aws-lambda"
 import {nagSuppressions} from "../nagSuppressions"
 
 export interface EpsAssistMeStackProps extends StackProps {
@@ -377,12 +378,12 @@ export class EpsAssistMeStack extends Stack {
     })
 
     // ==== Lambda self-invoke policy (needed for Slack Bolt lazy handlers) ====
-    // const slackLambdaSelfInvokePolicy = new PolicyStatement({
-    //   actions: ["lambda:InvokeFunction"],
-    //   resources: [
-    //     slackBotLambda.function.functionArn
-    //   ]
-    // })
+    const slackLambdaSelfInvokePolicy = new PolicyStatement({
+      actions: ["lambda:InvokeFunction"],
+      resources: [
+        `arn:aws:lambda:${this.region}:${this.account}:function:*`
+      ]
+    })
 
     // ==== Lambda environment variables ====
     const lambdaEnv: {[key: string]: string} = {
@@ -415,7 +416,7 @@ export class EpsAssistMeStack extends Stack {
 
     // ==== Attach all policies to SlackBot Lambda role ====
     slackBotLambda.function.addToRolePolicy(slackLambdaSSMPolicy)
-    // slackBotLambda.function.addToRolePolicy(slackLambdaSelfInvokePolicy)
+    slackBotLambda.function.addToRolePolicy(slackLambdaSelfInvokePolicy)
 
     // ==== API Gateway & Slack Route ====
     const apiGateway = new RestApiGateway(this, "EpsAssistApiGateway", {
@@ -425,12 +426,18 @@ export class EpsAssistMeStack extends Stack {
       trustStoreKey: "unused",
       truststoreVersion: "unused"
     })
-    // Add SlackBot Lambda to API Gateway
     const slackRoute = apiGateway.api.root.addResource("slack").addResource("ask-eps")
     slackRoute.addMethod("POST", new LambdaIntegration(slackBotLambda.function, {
       credentialsRole: apiGateway.role
     }))
-    apiGateway.role.addManagedPolicy(slackBotLambda.executionPolicy)
+
+    // ==== Allow API Gateway to invoke the Lambda ====
+    new lambda.CfnPermission(this, "ApiGatewayInvokeSlackBotLambda", {
+      action: "lambda:InvokeFunction",
+      functionName: slackBotLambda.function.functionName,
+      principal: "apigateway.amazonaws.com",
+      sourceArn: `arn:aws:execute-api:${this.region}:${this.account}:${apiGateway.api.restApiId}/*/POST/slack/ask-eps`
+    })
 
     // ==== Output: SlackBot Endpoint ====
     new CfnOutput(this, "SlackBotEndpoint", {
