From d88464368574dec4255dfd0b9e313654b87634a8 Mon Sep 17 00:00:00 2001
From: Alexander Amiri
Date: Sat, 14 Mar 2026 01:37:08 +0100
Subject: [PATCH] Manage FunctionURLAllowPublicAccess in Terraform via import

The function URL auto-creates this permission on initial creation but doesn't recreate it if deleted. Managing it in Terraform with an import block ensures it stays in sync. Import block should be removed after first successful apply.
---
 terraform/platform/imports.tf | 6 ++++++
 terraform/platform/lambdas/main.tf | 12 ++++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)
 create mode 100644 terraform/platform/imports.tf
diff --git a/terraform/platform/imports.tf b/terraform/platform/imports.tf
new file mode 100644
index 0000000..453f15b
--- /dev/null
+++ b/terraform/platform/imports.tf
@@ -0,0 +1,6 @@
+# One-time imports — remove after successful apply.
+
+import {
+ to = module.lambdas.aws_lambda_permission.password_set_public_url
+ id = "javabin-password-set/FunctionURLAllowPublicAccess"
+}
diff --git a/terraform/platform/lambdas/main.tf b/terraform/platform/lambdas/main.tf
index a86bfcc..bae9240 100644
--- a/terraform/platform/lambdas/main.tf
+++ b/terraform/platform/lambdas/main.tf
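Review bot: In terraform/platform/imports.tf the import block targets a statement that, per the commit message, may have been deleted, and Terraform fails the plan when an import `id` points at a remote object that does not exist. While this block is present, a run against an account where `FunctionURLAllowPublicAccess` is missing (or against a fresh environment) therefore errors instead of creating the permission. The header comment should state this and give the removal trigger, e.g. `# Remove once the permission is in state; plan fails while this block exists and the statement is absent.`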
@@ -738,8 +738,16 @@ resource "aws_lambda_function_url" "password_set" {
 authorization_type = "NONE"
 }

-# Public access — the function URL auto-creates FunctionURLAllowPublicAccess
-# for InvokeFunctionUrl. Since Oct 2025, InvokeFunction is also required.
+# Public access for function URL — both permissions required since Oct 2025.
+# FunctionURLAllowPublicAccess is imported (auto-created by the function URL).
+resource "aws_lambda_permission" "password_set_public_url" {
+ statement_id = "FunctionURLAllowPublicAccess"
+ action = "lambda:InvokeFunctionUrl"
+ function_name = aws_lambda_function.password_set.function_name
+ principal = "*"
+ function_url_auth_type = "NONE"
+}
+
 resource "aws_lambda_permission" "password_set_public_invoke" {
 statement_id = "AllowPublicInvoke"
 action = "lambda:InvokeFunction"
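Review bot: The new comment above `password_set_public_url` says the access is public, but not why a function named password_set is reachable with `principal = "*"` and auth type NONE, or what authenticates callers instead. Because Terraform will now re-create this grant whenever it drifts, the intent should be recorded next to it, e.g. `# Intentionally unauthenticated at the IAM layer: the handler must validate every request itself (assumed — confirm).` The `password_set_public_invoke` block continues outside the hunk; it is worth confirming that its `lambda:InvokeFunction` grant is restricted with the `lambda:InvokedViaFunctionUrl` condition, so the function is reachable only through its URL and not by direct Lambda API invocation.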