add grantInvokeV2

packages/aws-cdk-lib/aws-cloudfront/lib/experimental/edge-function.ts

@@ -119,6 +119,9 @@ export class EdgeFunction extends Resource implements lambda.IVersion {
   public grantInvoke(identity: iam.IGrantable): iam.Grant {
     return this.lambda.grantInvoke(identity);
   }
+  public grantInvokeV2(identity: iam.IGrantable, grantVersionAccess?: boolean): iam.Grant {
+    return this.lambda.grantInvokeV2(identity, grantVersionAccess);
+  }
   public grantInvokeUrl(identity: iam.IGrantable): iam.Grant {
     return this.lambda.grantInvokeUrl(identity);
   }

packages/aws-cdk-lib/aws-lambda/lib/function-base.ts

@@ -95,12 +95,18 @@ export interface IFunction extends IResource, ec2.IConnectable, iam.IGrantable {
   /**
    * Grant the given identity permissions to invoke this Lambda
    */
-  grantInvoke(identity: iam.IGrantable): iam.Grant;
+  grantInvoke(grantee: iam.IGrantable): iam.Grant;
+
+  /**
+   * Grant the given identity permissions to invoke to $Latest version when grantVersionAccess is false
+   * Grant the given identity permissions to invoke All version when grantVersionAccess is true
+   */
+  grantInvokeV2(grantee: iam.IGrantable, grantVersionAccess?: boolean): iam.Grant;
 
   /**
    * Grant the given identity permissions to invoke this Lambda Function URL
    */
-  grantInvokeUrl(identity: iam.IGrantable): iam.Grant;
+  grantInvokeUrl(grantee: iam.IGrantable): iam.Grant;
 
   /**
    * Grant multiple principals the ability to invoke this Lambda via CompositePrincipal
@@ -437,6 +443,39 @@ export abstract class FunctionBase extends Resource implements IFunction, ec2.IC
     return grant;
   }
 
+  /**
+   * Grants the specified identity permissions to invoke this Lambda function.
+   *
+   * **Important:** Avoid using `grantInvokeV2` in conjunction with `grantInvoke`.
+   *
+   * @param grantee The principal (identity) to grant invocation permission.
+   * @param grantVersionAccess (Optional) Controls whether to grant access to all function versions. Defaults to `false`.
+   *  - When set to `false`, only the function without a specific version (`$Latest`) can be invoked.
+   *  - When set to `true`, both the function and functions with specific versions can be invoked.
+   */
+  public grantInvokeV2(grantee: iam.IGrantable, grantVersionAccess?: boolean): iam.Grant {
+    const hash = createHash('sha256')
+      .update(JSON.stringify({
+        principal: grantee.grantPrincipal.toString(),
+        conditions: grantee.grantPrincipal.policyFragment.conditions,
+        grantVersionAccess: grantVersionAccess,
+      }), 'utf8')
+      .digest('base64');
+    const identifier = `Invoke${hash}`;
+
+    // Memoize the result so subsequent grantInvokeV2() calls are idempotent
+    let grant = this._invocationGrants[identifier];
+    if (!grant) {
+      let resouceArns = [this.functionArn];
+      if (grantVersionAccess) {
+        resouceArns = this.resourceArnsForGrantInvoke;
+      }
+      grant = this.grant(grantee, identifier, 'lambda:InvokeFunction', resouceArns);
+      this._invocationGrants[identifier] = grant;
+    }
+    return grant;
+  }
+
   /**
    * Grant the given identity permissions to invoke this Lambda Function URL
    */