From 3712226a8a903cf6416f3b2364858203bb4ac0ef Mon Sep 17 00:00:00 2001
From: Alexander Amiri
Date: Sat, 14 Mar 2026 00:07:27 +0100
Subject: [PATCH] Add public invoke permissions for password-set function URL

Since Oct 2025, Lambda function URLs with NONE auth require both lambda:InvokeFunctionUrl and lambda:InvokeFunction in the resource policy. Without InvokeFunction, requests get 403 Forbidden.
---
 terraform/platform/lambdas/main.tf | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/terraform/platform/lambdas/main.tf b/terraform/platform/lambdas/main.tf
index cd0c12e..8354e39 100644
--- a/terraform/platform/lambdas/main.tf
+++ b/terraform/platform/lambdas/main.tf
@@ -738,6 +738,23 @@ resource "aws_lambda_function_url" "password_set" {
 authorization_type = "NONE"
 }
 
+# Public access for function URL — since Oct 2025, both InvokeFunctionUrl
+# and InvokeFunction are required for public NONE-auth function URLs.
+resource "aws_lambda_permission" "password_set_public_url" {
+ statement_id = "FunctionURLAllowPublicAccess"
+ action = "lambda:InvokeFunctionUrl"
+ function_name = aws_lambda_function.password_set.function_name
+ principal = "*"
+ function_url_auth_type = "NONE"
+}
+
+resource "aws_lambda_permission" "password_set_public_invoke" {
+ statement_id = "AllowPublicInvoke"
+ action = "lambda:InvokeFunction"
+ function_name = aws_lambda_function.password_set.function_name
+ principal = "*"
+}
+
 # Store function URL in SSM so team-provisioner can read it at runtime
 # (avoids circular dependency between team-provisioner and password-set)
 resource "aws_ssm_parameter" "password_set_function_url" {
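Review bot: The `password_set_public_invoke` permission grants `lambda:InvokeFunction` to `principal = "*"` with no condition, which is broader than the function URL needs: it lets any AWS principal call the function directly through the Invoke API with an arbitrary payload, bypassing the function URL entirely, whereas the first statement is at least scoped by `function_url_auth_type = "NONE"`. The `lambda:FunctionUrlAuthType` condition key exists for exactly this purpose, so the second resource should carry the same scoping, `function_url_auth_type = "NONE"`, if the provider accepts it on `lambda:InvokeFunction` — confirm against the current provider release, and if it does not, express the statement as an `aws_lambda_function` resource policy with that condition instead. Either way the comment above the block should say why direct unauthenticated invoke of a password-setting function is acceptable, e.g. `# InvokeFunction is required alongside InvokeFunctionUrl for NONE-auth URLs; scoped to URL-originated requests via FunctionUrlAuthType`. The `aws_lambda_function_url` and `aws_ssm_parameter` blocks at the hunk edges continue outside it.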