From 8ce88228dbc77e3568c99b54bad395e493ef57a2 Mon Sep 17 00:00:00 2001
From: Alexander Amiri <alexander.amiri@piano.io>
Date: Sat, 14 Mar 2026 01:34:12 +0100
Subject: [PATCH] Remove duplicate FunctionURLAllowPublicAccess permission

The function URL with NONE auth auto-creates this statement. Terraform
trying to create it again causes a 409 conflict. Only the additional
AllowPublicInvoke permission needs to be managed by Terraform.
---
 terraform/platform/lambdas/main.tf | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/terraform/platform/lambdas/main.tf b/terraform/platform/lambdas/main.tf
index 1e1e86a..a86bfcc 100644
--- a/terraform/platform/lambdas/main.tf
+++ b/terraform/platform/lambdas/main.tf
@@ -738,16 +738,8 @@ resource "aws_lambda_function_url" "password_set" {
   authorization_type = "NONE"
 }
 
-# Public access for function URL — since Oct 2025, both InvokeFunctionUrl
-# and InvokeFunction are required for public NONE-auth function URLs.
-resource "aws_lambda_permission" "password_set_public_url" {
-  statement_id           = "FunctionURLAllowPublicAccess"
-  action                 = "lambda:InvokeFunctionUrl"
-  function_name          = aws_lambda_function.password_set.function_name
-  principal              = "*"
-  function_url_auth_type = "NONE"
-}
-
+# Public access — the function URL auto-creates FunctionURLAllowPublicAccess
+# for InvokeFunctionUrl. Since Oct 2025, InvokeFunction is also required.
 resource "aws_lambda_permission" "password_set_public_invoke" {
   statement_id  = "AllowPublicInvoke"
   action        = "lambda:InvokeFunction"