Reorder creation of dependencies

Author: kris-szlapa

packages/cdk/resources/LambdaFunction.ts

@@ -32,8 +32,8 @@ export interface LambdaFunctionProps {
 const insightsLayerArn = "arn:aws:lambda:eu-west-2:580247275435:layer:LambdaInsightsExtension:55"
 
 export class LambdaFunction extends Construct {
-  public readonly function: lambda.Function
   public readonly executionPolicy: ManagedPolicy
+  public readonly function: lambda.Function
 
   public constructor(scope: Construct, id: string, props: LambdaFunctionProps) {
     super(scope, id)
@@ -138,9 +138,9 @@ export class LambdaFunction extends Construct {
       }
     }
 
-    // Create an execution policy for external use
-    this.executionPolicy = new ManagedPolicy(this, "ExecutionPolicy", {
-      description: `Allow invoking ${props.functionName}`,
+    // Policy to allow invoking this Lambda
+    const executionManagedPolicy = new ManagedPolicy(this, "ExecuteLambdaManagedPolicy", {
+      description: `execute lambda ${props.functionName}`,
       statements: [
         new PolicyStatement({
           actions: ["lambda:InvokeFunction"],
@@ -151,5 +151,6 @@ export class LambdaFunction extends Construct {
 
     // Outputs
     this.function = lambdaFunction
+    this.executionPolicy = executionManagedPolicy
   }
 }

packages/cdk/resources/RestApiGateway/LambdaEndpoint.ts

@@ -1,27 +1,30 @@
 import {Construct} from "constructs"
 import {IResource, LambdaIntegration} from "aws-cdk-lib/aws-apigateway"
 import {HttpMethod} from "aws-cdk-lib/aws-lambda"
+import {IRole} from "aws-cdk-lib/aws-iam"
 import {LambdaFunction} from "../LambdaFunction"
 
 export interface LambdaEndpointProps {
   readonly parentResource: IResource
   readonly resourceName: string
   readonly method: HttpMethod
+  readonly restApiGatewayRole: IRole
   readonly lambdaFunction: LambdaFunction
 }
 
-// Creates an API Gateway resource and method integrated with a Lambda function
 export class LambdaEndpoint extends Construct {
   public readonly resource: IResource
 
   constructor(scope: Construct, id: string, props: LambdaEndpointProps) {
     super(scope, id)
 
-    // Add a new resource to the parent resource
     const resource = props.parentResource.addResource(props.resourceName)
 
-    // Let CDK/APIGateway manage the Lambda invoke permission automatically
-    resource.addMethod(props.method, new LambdaIntegration(props.lambdaFunction.function))
+    resource.addMethod(props.method, new LambdaIntegration(props.lambdaFunction.function, {
+      credentialsRole: props.restApiGatewayRole
+    }))
+
+    props.restApiGatewayRole.addManagedPolicy(props.lambdaFunction.executionPolicy)
 
     this.resource = resource
   }

packages/cdk/stacks/EpsAssistMeStack.ts

@@ -22,12 +22,12 @@ import {
 } from "aws-cdk-lib/aws-bedrock"
 import {RestApiGateway} from "../resources/RestApiGateway"
 import {LambdaFunction} from "../resources/LambdaFunction"
-import {nagSuppressions} from "../nagSuppressions"
 import {LambdaIntegration} from "aws-cdk-lib/aws-apigateway"
 import * as iam from "aws-cdk-lib/aws-iam"
 import * as ops from "aws-cdk-lib/aws-opensearchserverless"
-import * as ssm from "aws-cdk-lib/aws-ssm"
 import * as cr from "aws-cdk-lib/custom-resources"
+import * as ssm from "aws-cdk-lib/aws-ssm"
+import {nagSuppressions} from "../nagSuppressions"
 
 export interface EpsAssistMeStackProps extends StackProps {
   readonly stackName: string
@@ -367,6 +367,15 @@ export class EpsAssistMeStack extends Stack {
     })
     kbDataSource.node.addDependency(kb)
 
+    // ==== IAM Policy for Lambda to read SSM parameters ====
+    const slackLambdaSSMPolicy = new PolicyStatement({
+      actions: ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParameterHistory"],
+      resources: [
+        slackBotTokenParameter.parameterArn,
+        slackSigningSecretParameter.parameterArn
+      ]
+    })
+
     // ==== Lambda environment variables ====
     const lambdaEnv: {[key: string]: string} = {
       RAG_MODEL_ID: "anthropic.claude-3-sonnet-20240229-v1:0",
@@ -396,15 +405,6 @@ export class EpsAssistMeStack extends Stack {
       additionalPolicies: []
     })
 
-    // ==== IAM Policy for Lambda to read SSM parameters ====
-    const slackLambdaSSMPolicy = new PolicyStatement({
-      actions: ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParameterHistory"],
-      resources: [
-        slackBotTokenParameter.parameterArn,
-        slackSigningSecretParameter.parameterArn
-      ]
-    })
-
     // ==== Lambda self-invoke policy (needed for Slack Bolt lazy handlers) ====
     const slackLambdaSelfInvokePolicy = new PolicyStatement({
       actions: ["lambda:InvokeFunction"],
@@ -446,18 +446,12 @@ export class EpsAssistMeStack extends Stack {
       trustStoreKey: "unused",
       truststoreVersion: "unused"
     })
-
-    // Grant the API Gateway role permission to invoke the Lambda function
-    apiGateway.role.addManagedPolicy(slackBotLambda.executionPolicy)
-
-    // Create API resources directly to avoid circular dependencies
-    const slackResource = apiGateway.api.root.addResource("slack")
-    const askEpsResource = slackResource.addResource("ask-eps")
-
-    // Add the method with Lambda integration and explicit role
-    askEpsResource.addMethod("POST", new LambdaIntegration(slackBotLambda.function, {
+    // Add SlackBot Lambda to API Gateway
+    const slackRoute = apiGateway.api.root.addResource("slack").addResource("ask-eps")
+    slackRoute.addMethod("POST", new LambdaIntegration(slackBotLambda.function, {
       credentialsRole: apiGateway.role
     }))
+    apiGateway.role.addManagedPolicy(slackBotLambda.executionPolicy)
 
     // ==== Output: SlackBot Endpoint ====
     new CfnOutput(this, "SlackBotEndpoint", {