From 65028c7f10ffb48cbb560bc02d150c0d7f4cf729 Mon Sep 17 00:00:00 2001
From: Douglas Naphas
Date: Fri, 19 Feb 2021 01:55:25 -0800
Subject: [PATCH] Grant DescribeUserPoolClient to the backend Lambda

gh-274 Taken from the workaround in the issue description here: https://github.com/aws/aws-cdk/issues/7112. My error noted here: https://github.com/aws/aws-cdk/issues/7112#issuecomment-781961143
---
 lib/madliberation-stack.ts | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/lib/madliberation-stack.ts b/lib/madliberation-stack.ts
index 70810332..64d70791 100644
--- a/lib/madliberation-stack.ts
+++ b/lib/madliberation-stack.ts
@@ -10,6 +10,7 @@ import * as cognito from "@aws-cdk/aws-cognito";
 import { UserPool } from "@aws-cdk/aws-cognito";
 const stackname = require("@cdk-turnkey/stackname");
 const crypto = require("crypto");
+import { Effect, PolicyStatement } from "@aws-cdk/aws-iam";
 
 export class MadliberationStack extends cdk.Stack {
   constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
@@ -137,6 +138,16 @@ export class MadliberationStack extends cdk.Stack {
       timeout: cdk.Duration.seconds(20),
     });
 
+    fn.addToRolePolicy(
+      new PolicyStatement({
+        effect: Effect.ALLOW,
+        actions: ["cognito-idp:DescribeUserPoolClient"],
+        resources: [
+          `arn:aws:cognito-idp:${userPool.stack.region}:${userPool.stack.account}:userpool/${userPool.userPoolId}`,
+        ],
+      })
+    );
+
     clientSecretBucket.grantRead(fn);
 
     const lambdaApi = new apigw.LambdaRestApi(this, "Endpoint", {
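Review bot: The new `import { Effect, PolicyStatement } from "@aws-cdk/aws-iam";` is placed after the two `require` calls, which splits the file's ES imports into two groups; moving it up next to the other `@aws-cdk/*` imports (e.g. directly under `import { UserPool } from "@aws-cdk/aws-cognito";`) keeps the module header readable and matches how the rest of the imports are laid out. The edit itself is fine (`import` rather than a third `require`); this is a placement point only.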
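Review bot: The resource ARN in the new `PolicyStatement` is assembled by hand with a hard-coded `aws` partition, so the same stack deployed to a non-commercial partition (`aws-cn`, `aws-us-gov`) would grant nothing; the construct already exposes the computed ARN, and `resources: [userPool.userPoolArn],` yields the same value with the partition resolved by CDK (`this.formatArn(...)` is the alternative if the hand-built form is kept for the reason linked in the commit message — I cannot tell from the hunk which error the author hit). Worth a why-comment above `fn.addToRolePolicy(` because the grant is broader than it looks: `// gh-274: DescribeUserPoolClient returns the app client's secret, and it is resource-scoped to the whole user pool, so this lets the backend read the secret of every app client in the pool, not only its own.` That matters given the adjacent `clientSecretBucket.grantRead(fn)`, which suggests the secret is already made available to the function by another path; if the bucket route is retained, one of the two should be documented as the intended source. The enclosing constructor starts and ends outside the hunk.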