Hi SST team,
I'm running into an error when deploying my stack with SST v2.43.4, using the `AmplifyGraphqlApi` construct and AppSync with Lambda resolvers.
Note: I am using a custom wrapper (`CustomGraphqlAppsync`) around the AppSync API construct (`'@aws-amplify/graphql-api-construct'`).
The error occurs during `npx sst dev` and blocks the deployment:
```
Error: Cannot modify permission to lambda function. Function is either imported or $LATEST version.
If the function is imported from the same account use `fromFunctionAttributes()` API with the `sameEnvironment` flag.
If the function is imported from a different account and already has the correct permissions use `fromFunctionAttributes()` API with the `skipPermissions` flag.
    at Object.addToResourcePolicy (.../node_modules/aws-cdk-lib/aws-lambda/lib/function-base.js:2:5838)
    at Grant.addToPrincipalOrResource (.../node_modules/aws-cdk-lib/aws-iam/lib/grant.js:1:1606)
    at Import.grant (.../node_modules/aws-cdk-lib/aws-lambda/lib/function-base.js:2:5519)
    at Import.grantInvoke (.../node_modules/aws-cdk-lib/aws-lambda/lib/function-base.js:2:2983)
    at new LambdaDataSource (.../node_modules/aws-cdk-lib/aws-appsync/lib/data-source.js:1:6316)
    at DefaultTransformHost.doAddLambdaDataSource (.../node_modules/@aws-amplify/graphql-api-construct/node_modules/@aws-amplify/graphql-transformer-core/src/transform-host.ts:386:16)
    ...
```
Context:
- I'm using the `AmplifyGraphqlApi` construct (wrapped in a custom `CustomGraphqlAppsync` class) to define my AppSync API.
- I have Lambda resolvers attached to some custom mutations and queries.
- I have recently created and deleted several Lambda functions in the same SST stack, so there may be some "stale" or orphaned Lambda resources or permissions in the environment.
- All Lambda functions are defined within the same SST app and account (not imported from outside).
- The error started after refactoring my GraphQL schema and Lambda resolvers.
What I've tried:
- Clean build (`rm -rf .build .sst node_modules/.sst`).
- Verified that all Lambda functions are created within the stack, not imported.
- Checked for any `$LATEST` version references, but all functions are managed by SST/CDK.
Expected behavior:
- The stack should deploy and permissions should be set for the Lambda resolvers.
Actual behavior:
- Deployment fails with the error above, specifically when trying to add permissions to the Lambda function for AppSync.
Stack trace and more context:
```
Error: Cannot modify permission to lambda function. Function is either imported or $LATEST version.
If the function is imported from the same account use `fromFunctionAttributes()` API with the `sameEnvironment` flag.
If the function is imported from a different account and already has the correct permissions use `fromFunctionAttributes()` API with the `skipPermissions` flag.
    at Object.addToResourcePolicy (.../node_modules/aws-cdk-lib/aws-lambda/lib/function-base.js:2:5838)
    at Grant.addToPrincipalOrResource (.../node_modules/aws-cdk-lib/aws-iam/lib/grant.js:1:1606)
    at Import.grant (.../node_modules/aws-cdk-lib/aws-lambda/lib/function-base.js:2:5519)
    at Import.grantInvoke (.../node_modules/aws-cdk-lib/aws-lambda/lib/function-base.js:2:2983)
    at new LambdaDataSource (.../node_modules/aws-cdk-lib/aws-appsync/lib/data-source.js:1:6316)
    at DefaultTransformHost.doAddLambdaDataSource (.../node_modules/@aws-amplify/graphql-api-construct/node_modules/@aws-amplify/graphql-transformer-core/src/transform-host.ts:386:16)
    at DefaultTransformHost.DefaultTransformHost.addLambdaDataSource (.../node_modules/@aws-amplify/graphql-api-construct/node_modules/@aws-amplify/graphql-transformer-core/src/transform-host.ts:130:29)
    at <anonymous> (.../node_modules/@aws-amplify/graphql-api-construct/node_modules/@aws-amplify/graphql-function-transformer/src/graphql-function-transformer.ts:81:47)
    at Array.forEach (<anonymous>)
    at <anonymous> (.../node_modules/@aws-amplify/graphql-api-construct/node_modules/@aws-amplify/graphql-function-transformer/src/graphql-function-transformer.ts:69:19)
    at Map.forEach (<anonymous>)
    at FunctionTransformer.FunctionTransformer.generateResolvers (.../node_modules/@aws-amplify/graphql-api-construct/node_modules/@aws-amplify/graphql-function-transformer/src/graphql-function-transformer.ts:68:25)
    at GraphQLTransform.transform (.../node_modules/@aws-amplify/graphql-api-construct/node_modules/@aws-amplify/graphql-transformer-core/src/transformation/transform.ts:318:21)
    at executeTransform (.../node_modules/@aws-amplify/graphql-api-construct/node_modules/@aws-amplify/graphql-transformer/src/graphql-transformer.ts:166:15)
    at new AmplifyGraphqlApi (.../node_modules/@aws-amplify/graphql-api-construct/src/amplify-graphql-api.ts:222:21)
    at new CustomGraphqlAppsync (.../.sst.config.1747665855415.mjs:229:5)
    at EmptyStack.AppSyncApi (.../.sst.config.1747665855415.mjs:297:15)
    at stack (.../node_modules/sst/constructs/FunctionalStack.js:20:35)
    at App.stack (.../node_modules/sst/constructs/App.js:496:16)
    at Object.stacks [as fn] (.../.sst.config.1747665855415.mjs:1121:15)
    at synthInRoot (.../node_modules/sst/stacks/synth.js:56:24)
    at async Module.synth (.../node_modules/sst/stacks/synth.js:19:16)
    at async build (.../node_modules/sst/cli/commands/dev.js:162:38)
    at async .../node_modules/sst/cli/commands/dev.js:300:13
    at async Promise.all (index 0)
    at async Object.handler (.../node_modules/sst/cli/commands/dev.js:327:9)
```
Questions:
- Is there a known issue with Lambda permissions and AppSync when using AmplifyGraphqlApi, especially with custom wrappers?
- Could recently deleted/created Lambda functions in the stack cause this error due to stale resources or permissions?
- Is there a workaround or recommended way to ensure permissions are set correctly for Lambda resolvers created within the same stack?