feat(appsync): Standalone L2 construct for SourceApiAssociation

[ndejaco2]

As part of supporting AppSync Merged APIs, this change introduces a standalone SourceApiAssociation construct for declaring a source api association between a source API and a Merged API.

Why do we need a standalone construct?

• There are two potential deployment models when dealing with separate stacks/pipelines between the source API and Merged API: 1. Push model where the source API owners manage the association in their stack 2. Pull model where the associations are managed in the Merged API stack.
• Having a standalone construct gives developers more flexibility while still handling all the IAM permission handling in a single place.
• Developers can continue to use the GraphQLApi construct and declare the source api configuration all within a single construct as before. But, if they want to have the source api association as a standalone object this change gives them flexibility

I also fixed two issues related to IAM:

1. The resource for appsync:SourceGraphQL needs both the source api arn and the source api arn + "/*" to get all top level fields.
2. The merged api execution role also needs appsync:StartSchemaMerge if the association is using AUTO_MERGE. The fix here is preferred over existing PR: fix(appsync): Source APIs are not auto-merged by default #27025

Closes #26986

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[ndejaco2]

I went ahead and undid the renaming to not introduce a breaking change. I believe it would benefit from updating the naming, but its not a high priority worth dealing with in this PR.

[ndejaco2]

@rix0rrr any chance you could review? On the service team, we have been cut a few tickets regarding the IAM permissions bugs as well as the construct for Merged APIs so I would like to get this one addressed.

[MrArnoldPalmer]

Just some small stuff for now. Gonna ask for another set of eyes since this is new api surface area that we will need to guarantee backwards compatibility on.

Pull request has been modified.

[rix0rrr]

This is not the right way to allow that use case.

If people are passing in a role and they don't want it modified, they can pass role.withoutPolicyUpdates(), or import an existing one with Role.fromRoleName({mutable: false }).

So when implementing a construct, you should feel free to always update the role.

[ndejaco2]

The existing support works like this where it is not updating the role policy if it was passed in. Would it be a breaking change?

[MrArnoldPalmer]

it might be... since this is pre-existing we can look at changing this separately.

[rix0rrr]

I'm not necessarily against adding this function, but its use is very unlikely, right?

There isn't a single API that accepts an ISourceApiAssociation ?

[ndejaco2]

Yea not currently, but it will be necessary for this: #27170

Pull request has been modified.

Pull request has been modified.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

Pull request has been modified.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 4152ad9
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).