feat(aws-lambda): add grantInvoke() method (#962)

Add a method that gives invoke permissions on Lambdas.

Fixes #961.

Author: rix0rrr

packages/@aws-cdk/aws-lambda/lib/lambda-ref.ts

@@ -251,6 +251,17 @@ export abstract class FunctionRef extends cdk.Construct
     };
   }
 
+  /**
+   * Grant the given identity permissions to invoke this Lambda
+   */
+  public grantInvoke(identity?: iam.IPrincipal) {
+    if (identity) {
+      identity.addToPolicy(new iam.PolicyStatement()
+        .addAction('lambda:InvokeFunction')
+        .addResource(this.functionArn));
+    }
+  }
+
   /**
    * Return the given named metric for this Lambda
    */

packages/@aws-cdk/aws-lambda/test/test.lambda.ts

@@ -1081,6 +1081,35 @@ export = {
     test.done();
   },
 
+  'grantInvoke adds iam:InvokeFunction'(test: Test) {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const role = new iam.Role(stack, 'Role', {
+      assumedBy: new iam.AccountPrincipal('1234'),
+    });
+    const fn = new lambda.Function(stack, 'Function', {
+      code: lambda.Code.inline('xxx'),
+      handler: 'index.handler',
+      runtime: lambda.Runtime.NodeJS810,
+    });
+
+    // WHEN
+    fn.grantInvoke(role);
+
+    // THEN
+    expect(stack).to(haveResource('AWS::IAM::Policy', {
+      PolicyDocument: {
+        Statement: [
+          {
+            Action: 'lambda:InvokeFunction',
+            Resource: { "Fn::GetAtt": [ "Function76856677", "Arn" ] }
+          }
+        ]
+      }
+    }));
+
+    test.done();
+  },
 };
 
 function newTestLambda(parent: cdk.Construct) {