aws-lambda: addPermission() warning should not be shown

[jaapvanblaaderen]

Describe the bug

Incorrect warning is logged when synthesizing a HttpLambdaAuthorizer that points to a Lambda in another AWS account.

Expected Behavior

No warning message as I'm not intentionally setting any permissions on the handler.

Current Behavior

Consider a setup where a http lambda authorizer is used from another AWS account. In this case, the permissions to access the authorizer are already managed in the other account. When creating a lambda authorizer, a warning message is logged:

[Warning at /AuthorizerLambda] addPermission() has no effect on a Lambda Function with region=eu-west-1, account=12345678990, in a Stack with region=eu-west-1, account=09876543210. Suppress this warning if this is is intentional, or pass sameEnvironment=true to fromFunctionAttributes() if you would like to add the permissions. [ack: UnclearLambdaEnvironment]

Reproduction Steps

Create a HttpLambdaAuthorizer with an ARN pointing to another account:

new HttpLambdaAuthorizer('LambdaAuthorizer',
    lambda.Function.fromFunctionAttributes(this, 'AuthorizerLambda', {
         functionArn: 'arn...',
     }
),

Possible Solution

Looking at the skipPermissions option, I would actually expect that this option would make sure this warning is not logged as we do not care about permissions not being added (it's already handled). So maybe something like this could be the fix in function-base.ts:

  public addPermission(id: string, permission: Permission) {
    if (!this.canCreatePermissions) {
      if (!this._skipPermissions) {
        Annotations.of(this).addWarningV2('UnclearLambdaEnvironment', `addPermission() has no effect on a Lambda Function with region=${this.env.region}, account=${this.env.account}, in a Stack with region=${Stack.of(this).region}, account=${Stack.of(this).account}. Suppress this warning if this is is intentional, or pass sameEnvironment=true to fromFunctionAttributes() if you would like to add the permissions.`);
      }
      return;
    }
  }

Additional Information/Context

I also looked at where addPermission() is actually triggered for this use-case, which is here. Maybe we should have an option in HttpLambdaAuthorizer for not adding this permission in the first place?

CDK CLI Version

2.137.0

Framework Version

No response

Node.js Version

v18.19.0

OS

OSX

Language

TypeScript

Language Version

5.2.0

Other information

Ticket which is slightly related: #28936

[pahud]

Maybe we should have an option in HttpLambdaAuthorizer for not adding this permission in the first place?
Yes I support this option.

Are you interested to submit a PR for that? We'd love to review the PR and move this forward.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[aws-cdk-automation]

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.