fix(appsync): lambda authorizer permission is not scoped to appsync a…

…pi arn (#31567)

### Issue # (if applicable)

Closes #31550.

### Reason for this change

When using a lambda authorizer with a GraphqlAPI, the cdk automatically creates the AWS::Lambda::Permission required for the AppSync API to invoke the lambda authorizer. It does not however add a SourceArn.

This conflicts with the control tower policy [[CT.LAMBDA.PR.2]](https://docs.aws.amazon.com/controltower/latest/controlreference/lambda-rules.html#ct-lambda-pr-2-description), and it is in general good practice to scope permissions.

### Description of changes

Added new feature flag `APPSYNC_GRAPHQLAPI_SCOPE_LAMBDA_FUNCTION_PERMISSION`.

Currently, when using a Lambda authorizer with an AppSync GraphQL API, the AWS CDK automatically generates the necessary AWS::Lambda::Permission to allow the AppSync API to invoke the Lambda authorizer. This permission is overly permissive because it lacks a SourceArn, meaning it allows invocations from any source.

When this feature flag is enabled, the AWS::Lambda::Permission will be properly scoped with the SourceArn corresponding to the specific AppSync GraphQL API.
```ts
  ...
  config?.handler.addPermission(`${id}-appsync`, {
    principal: new ServicePrincipal('appsync.amazonaws.com'),
    action: 'lambda:InvokeFunction',
    sourceArn: this.arn, // <-- added when feature flag is enabled
  });
  ...
```

### Description of how you validated changes

Unit + integ tests with feature flag enabled. 

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.graphql

@@ -0,0 +1,3 @@
+type Query {
+  getMessage: String
+}

packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.graphql-lambda-permission.js.snapshot/aws-graphql-lambda-permissions.template.json

@@ -0,0 +1,134 @@
+{
+ "Resources": {
+  "AuthorizerFunctionServiceRole5B2A061B": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "lambda.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "ManagedPolicyArns": [
+     {
+      "Fn::Join": [
+       "",
+       [
+        "arn:",
+        {
+         "Ref": "AWS::Partition"
+        },
+        ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+       ]
+      ]
+     }
+    ]
+   }
+  },
+  "AuthorizerFunctionB4DBAA43": {
+   "Type": "AWS::Lambda::Function",
+   "Properties": {
+    "Code": {
+     "ZipFile": "\n        exports.handler = async (event) => {\n          console.log(\"Authorization event:\", JSON.stringify(event));\n          \n          const isAuthorized = true;\n          if (isAuthorized) {\n            return {\n              isAuthorized: true,\n              resolverContext: {\n                userId: 'user-id-example'\n              }\n            };\n          } else {\n            return {\n              isAuthorized: false\n            };\n          }\n        };\n      "
+    },
+    "Handler": "index.handler",
+    "Role": {
+     "Fn::GetAtt": [
+      "AuthorizerFunctionServiceRole5B2A061B",
+      "Arn"
+     ]
+    },
+    "Runtime": "nodejs18.x"
+   },
+   "DependsOn": [
+    "AuthorizerFunctionServiceRole5B2A061B"
+   ]
+  },
+  "AuthorizerFunctionapiappsync4E3369BF": {
+   "Type": "AWS::Lambda::Permission",
+   "Properties": {
+    "Action": "lambda:InvokeFunction",
+    "FunctionName": {
+     "Fn::GetAtt": [
+      "AuthorizerFunctionB4DBAA43",
+      "Arn"
+     ]
+    },
+    "Principal": "appsync.amazonaws.com",
+    "SourceArn": {
+     "Fn::GetAtt": [
+      "apiC8550315",
+      "Arn"
+     ]
+    }
+   }
+  },
+  "apiC8550315": {
+   "Type": "AWS::AppSync::GraphQLApi",
+   "Properties": {
+    "AuthenticationType": "AWS_LAMBDA",
+    "LambdaAuthorizerConfig": {
+     "AuthorizerUri": {
+      "Fn::GetAtt": [
+       "AuthorizerFunctionB4DBAA43",
+       "Arn"
+      ]
+     }
+    },
+    "Name": "api"
+   }
+  },
+  "apiSchema0EA92056": {
+   "Type": "AWS::AppSync::GraphQLSchema",
+   "Properties": {
+    "ApiId": {
+     "Fn::GetAtt": [
+      "apiC8550315",
+      "ApiId"
+     ]
+    },
+    "Definition": "type Query {\n  getMessage: String\n}"
+   }
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}