hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_lambda_layer_version_permission is not idempotent when more than one permission exist for a layer version #21917

Open Jorge-Rodriguez opened 2 years ago

Jorge-Rodriguez commented 2 years ago

Community Note

Terraform CLI and Terraform AWS Provider Version

Terraform v1.0.8
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v3.67.0

Affected Resource(s)

Terraform Configuration Files

resource "aws_lambda_layer_version_permission" "authorizer" {
  for_each = toset([local.inari_accounts.staging.id, local.inari_accounts.production.id])

  layer_name     = module.authorizer_layer.lambda_layer_layer_arn
  version_number = module.authorizer_layer.lambda_layer_version
  principal      = each.value
  statement_id   = "${module.authorizer_layer.lambda_layer_version}-${each.value}"
  action         = "lambda:GetLayerVersion"
}

Error Output

╷
│ Error: error adding Lambda Layer Version Permission (layer: arn:aws:lambda:eu-west-1:***:layer:authorizer_layer, version: 52): ResourceConflictException: The statement id (52-728314938062) provided already exists. Please provide a new statement id, or remove the existing statement.
│ {
│   RespMetadata: {
│     StatusCode: 409,
│     RequestID: "988722c4-d407-4244-bd1f-e4b7b6a4207b"
│   },
│   Message_: "The statement id (52-728314938062) provided already exists. Please provide a new statement id, or remove the existing statement.",
│   Type: "User"
│ }
│ 
│   with aws_lambda_layer_version_permission.authorizer["728314938062"],
│   on apigw.tf line 55, in resource "aws_lambda_layer_version_permission" "authorizer":
│   55: resource "aws_lambda_layer_version_permission" "authorizer" {
│ 
╵

Expected Behavior

No changes to the infrastructure, infrastructure is up to date

Actual Behavior

The resources are tentatively replaced

  # aws_lambda_layer_version_permission.okta_authorizer["008049879029"] must be replaced
-/+ resource "aws_lambda_layer_version_permission" "okta_authorizer" {
      ~ id             = "arn:aws:lambda:eu-west-1:***:layer:okta_authorizer_layer,3" -> (known after apply)
      ~ layer_name     = "arn:aws:lambda:eu-west-1:***:layer:okta_authorizer_layer" -> (known after apply) # forces replacement
      ~ policy         = jsonencode(
            {
              - Id        = "default"
              - Statement = [
                  - {
                      - Action    = "lambda:GetLayerVersion"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::008049879029:root"
                        }
                      - Resource  = "arn:aws:lambda:eu-west-1:***:layer:okta_authorizer_layer:3"
                      - Sid       = "3-008049879029"
                    },
                  - {
                      - Action    = "lambda:GetLayerVersion"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::728314938062:root"
                        }
                      - Resource  = "arn:aws:lambda:eu-west-1:***:layer:okta_authorizer_layer:3"
                      - Sid       = "3-728314938062"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
      ~ revision_id    = "e86df11f-2890-4a0b-9698-7ecc5c131c24" -> (known after apply)
      ~ statement_id   = "3-008049879029" -> (known after apply) # forces replacement
      ~ version_number = 3 -> (known after apply) # forces replacement
        # (2 unchanged attributes hidden)
    }

  # aws_lambda_layer_version_permission.okta_authorizer["728314938062"] must be replaced
-/+ resource "aws_lambda_layer_version_permission" "okta_authorizer" {
      ~ id             = "arn:aws:lambda:eu-west-1:***:layer:okta_authorizer_layer,3" -> (known after apply)
      ~ layer_name     = "arn:aws:lambda:eu-west-1:***:layer:okta_authorizer_layer" -> (known after apply) # forces replacement
      ~ policy         = jsonencode(
            {
              - Id        = "default"
              - Statement = [
                  - {
                      - Action    = "lambda:GetLayerVersion"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::008049879029:root"
                        }
                      - Resource  = "arn:aws:lambda:eu-west-1:***:layer:okta_authorizer_layer:3"
                      - Sid       = "3-008049879029"
                    },
                  - {
                      - Action    = "lambda:GetLayerVersion"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::728314938062:root"
                        }
                      - Resource  = "arn:aws:lambda:eu-west-1:***:layer:okta_authorizer_layer:3"
                      - Sid       = "3-728314938062"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
      ~ principal      = "008049879029" -> "728314938062" # forces replacement
      ~ revision_id    = "e86df11f-2890-4a0b-9698-7ecc5c131c24" -> (known after apply)
      ~ statement_id   = "3-008049879029" -> (known after apply) # forces replacement
      ~ version_number = 3 -> (known after apply) # forces replacement
        # (1 unchanged attribute hidden)
    }

Steps to Reproduce

  1. terraform apply

Important Factoids

Note the change in principal on the last planned resource change. It would appear that terraform is comparing the second resource configuration with the first of the permissions applied to the layer version, not the second one.
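To illustrate the Sid-keyed lookup the report points at, here is an added Go example (not provider code) that parses a layer version policy document like the one in the plan output above and resolves the statement by its Sid instead of taking the first statement; the sample policy, struct names and helper names are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// One statement of a layer version policy document, shaped like the policy in
// the plan output above. Principal is kept raw: it may be {"AWS": ...} or "*".
type layerStatement struct {
	Sid       string          `json:"Sid"`
	Principal json.RawMessage `json:"Principal"`
}

// samplePolicy is constructed here, mirroring the two-statement policy from the
// issue: one statement per account, Sid = "<version>-<account>".
const samplePolicy = `{"Version":"2012-10-17","Id":"default","Statement":[
 {"Sid":"3-008049879029","Action":"lambda:GetLayerVersion","Principal":{"AWS":"arn:aws:iam::008049879029:root"}},
 {"Sid":"3-728314938062","Action":"lambda:GetLayerVersion","Principal":{"AWS":"arn:aws:iam::728314938062:root"}}]}`

// findStatement selects the statement whose Sid equals statementID; taking
// Statement[0] regardless of Sid is the mismatch the plan output above shows.
func findStatement(policyJSON, statementID string) (*layerStatement, error) {
	var p struct{ Statement []layerStatement }
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return nil, fmt.Errorf("parsing layer policy: %w", err)
	}
	for i := range p.Statement {
		if p.Statement[i].Sid == statementID {
			return &p.Statement[i], nil
		}
	}
	return nil, fmt.Errorf("statement id %q not found in layer policy", statementID)
}

// principalAccount maps "arn:aws:iam::<account>:root" to "<account>", the form the config supplies; "*" stays "*".
func principalAccount(s *layerStatement) (string, error) {
	var obj struct{ AWS string }
	var raw string
	if err := json.Unmarshal(s.Principal, &obj); err == nil && obj.AWS != "" {
		raw = obj.AWS
	} else if err := json.Unmarshal(s.Principal, &raw); err != nil {
		return "", fmt.Errorf("unsupported principal %s", string(s.Principal))
	}
	if strings.HasPrefix(raw, "arn:aws:iam::") && strings.HasSuffix(raw, ":root") {
		return strings.TrimSuffix(strings.TrimPrefix(raw, "arn:aws:iam::"), ":root"), nil
	}
	return raw, nil
}
```

A missing Sid is reported as an error rather than silently matched to another statement, which is what lets a Read step detect that the permission is gone instead of diffing against the wrong principal.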

Jorge-Rodriguez commented 2 years ago

Ping @anGie44 @Avolynsk

fishfacemcgee commented 1 year ago

Not sure what methods, if any, there are to "bump" an issue, but just want to report that this resource is still bugged. Going by the error, it appears the statement does not get deleted. My guess is it's related to whatever's leading the import behavior to be tied to the layer ARN and version, which is not specific enough given how granular the resource is.

vedimuthan commented 1 month ago

I am facing the same problem and am surprised that this issue has not been addressed for more than 3 years.