Opt-in anonymous auth via Lambda@Edge (with custom domain / CloudFront) #724

@sid88in

Description

Split out from the v2 RFC (#378, item 6).

Context

AppSync does not support true anonymous authentication. The recommended alternatives (IAM,
API key) have downsides — e.g. API keys can expire/be revoked, and there's no way to
recreate them if a stack is rebuilt (aws-appsync-community#130). @Sunac proposed a
workaround using Lambda@Edge in CloudFront to inject the IAM signature or X-Api-Key
header on the fly (aws-appsync-community#130 (comment)).

Current state (v2)

Not implemented. Custom domain support exists, but there is no Lambda@Edge auth-injection
path.

Proposal

As an extension of the custom-domain/CloudFront path, add an opt-in Lambda@Edge function
that populates the auth header before forwarding requests to AppSync, so clients don't have
to.
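For illustration, here is what such an opt-in origin-request handler could look like. This is an added example, not code from this issue or from the plugin; it assumes the API-key variant of the workaround, a single GraphQL path, and a key baked into the deployment package (APPSYNC_API_KEY is a placeholder; Lambda@Edge cannot read environment variables):

```javascript
'use strict';

// Added example (not the project's code): Lambda@Edge origin-request handler
// that injects the AppSync API key on the way to the origin, so anonymous
// CloudFront viewers never hold or send the key themselves.
// Lambda@Edge has no environment variables, so the key is substituted into
// this constant at deploy time (or fetched from Secrets Manager/SSM with a
// cached lookup). The value below is a placeholder, not a real key.
const APPSYNC_API_KEY = 'da2-PLACEHOLDER_REPLACED_AT_DEPLOY_TIME';

// Only the GraphQL endpoint should receive the injected credential (assumed path).
const GRAPHQL_PATH = '/graphql';

function injectApiKey(request) {
  // Shallow-clone so the caller's event object is not mutated in place.
  const out = { ...request, headers: { ...request.headers } };

  // Anything outside the GraphQL path gets no credential and no origin hit:
  // returning a response object from an origin-request trigger short-circuits
  // the request before it reaches AppSync.
  if (out.uri !== GRAPHQL_PATH) {
    return { status: '404', statusDescription: 'Not Found', body: 'not found' };
  }

  // Discard any x-api-key the viewer supplied. The edge function is the only
  // party allowed to set it, so a client cannot substitute its own key.
  delete out.headers['x-api-key'];

  // CloudFront header format: lowercase map key, array of { key, value }.
  out.headers['x-api-key'] = [{ key: 'X-Api-Key', value: APPSYNC_API_KEY }];
  return out;
}

// Entry point for the CloudFront origin-request trigger.
const handler = async (event) => injectApiKey(event.Records[0].cf.request);

// Guarded so the file also runs stand-alone as a plain script.
if (typeof module !== 'undefined') module.exports = { handler, injectApiKey, APPSYNC_API_KEY };
```

Because the header is added on the origin-request trigger, it is forwarded to AppSync only and is never returned to the viewer or written into the cache key.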

Considerations / why this is low priority

  • Significant scope and tight coupling to a CloudFront-fronted setup.
  • Lambda@Edge has its own constraints (must be deployed in us-east-1, replication, etc.).
  • Concern raised in the RFC (by @vicary) that home-baked workarounds for missing AWS
    features become refactoring traps once/if AWS ships the feature natively.

Filing to track interest. Probably shouldn't be built unless there's clear, sustained
demand.
