terraform-aws-modules / terraform-aws-apigateway-v2

Terraform module to create AWS API Gateway v2 (HTTP/WebSocket) 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/apigateway-v2/aws
Apache License 2.0

Explanation/workaround for dependency cycle #93

Closed klubi closed 8 months ago

klubi commented 9 months ago

I'm building an API Gateway that uses a custom lambda authorizer. I'm using terragrunt with the terraform-aws-lambda module to create the lambda. Then I'm using terragrunt with terraform-aws-apigateway-v2 to create the gateway.

The issue I'm facing is related to invocation permission. My gateway authorizer is created without Invoke Permissions. Without that, the Gateway can't call the custom lambda (CloudWatch logs confirm an IAM issue).

So I create my gateway like this (just some pieces of config):

dependency "authorizer" {
  config_path = "../multi-issuer-authorizer"
}

inputs = {
  name = local.api_gateway_name

  protocol_type = "HTTP"

  authorizers = {
    "JWT" = {
      authorizer_type                   = "REQUEST"
      identity_sources                  = "$request.header.Authorization"
      name                              = "JWT"
      authorizer_uri                    = dependency.authorizer.outputs.lambda_function_invoke_arn
      authorizer_payload_format_version = "2.0"
      enable_simple_responses           = true
    }
  }
}

The issue is that the lambda also needs the gateway as a dependency, to fetch the execution ARN to use with allowed_triggers:

dependency "gateway" {
  config_path = "../external"
}

inputs = {
  function_name = local.lambda_name
  handler       = "authorizer.lambda_handler"

  allowed_triggers = {
    APIGatewayAny = {
      service    = "apigateway"
      source_arn = "${dependency.gateway.outputs.apigatewayv2_api_execution_arn}/*/*/*"
    }
  }
}

And this creates a dependency cycle between those two modules. Is there a way around this? There isn't one from the terragrunt perspective, but maybe I'm missing something that makes this possible from the module perspective.

zMynxx commented 9 months ago

Lambda is of the RBAC (Resource Based Access Policy) type, so keeping that in mind I've planned the following:

post-actions terraform file:

resource "aws_lambda_permission" "apigw" {
  for_each      = var.items
  statement_id  = each.value.statement_id
  action        = "lambda:InvokeFunction"
  function_name = each.value.function_name
  principal     = "apigateway.amazonaws.com"
  source_arn    = each.value.source_arn
}

variable "items" {
  type = map(
    object({
      statement_id  = string
      function_name = string
      source_arn    = string
    })
  )
}

terragrunt manifest:

terraform {
  source = "${get_path_to_repo_root()}/terraform//post-actions/post-apigw-lambda"
}

inputs = {
  items = {
    some-backend = {
      statement_id  = "AllowExecutionFrom_${local.env}-${local.project}-some-backend-apigw_"
      function_name = "auth-api-gateway"
      source_arn    = "${dependency.api_gateway.outputs.apigatewayv2_api_execution_arn}/authorizers/*"
    },
    some-backend2 = {
      statement_id  = "AllowExecutionFrom_${local.env}-${local.project}-some-backend2-apigw_"
      function_name = "auth-api-gateway"
      source_arn    = "${dependency.api_gateway.outputs.apigatewayv2_api_execution_arn}/*/*/*"
    }
  }
}

However, this does not seem to work. This is a continuation of the following post @StackOverflow.
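The cycle described in the question and the three-unit layout sketched in the reply above, written out as a complete terragrunt unit for the permission stage. This is an added example, not code from the issue or from the module; it assumes the unit lives beside the two units named in the question, reuses the post-actions module from the reply, and assumes the terraform-aws-lambda module exposes a `lambda_function_name` output. The lambda unit is created with no `allowed_triggers`, the gateway unit depends only on the lambda, and this third unit depends on both, so the graph is a chain rather than a loop; the `source_arn` is scoped to the authorizer path only, which is narrower than the `/*/*/*` route wildcard.

```hcl
# live/authorizer-permission/terragrunt.hcl  (hypothetical path, added example)
#
# Stage 1  ../multi-issuer-authorizer : lambda, created WITHOUT allowed_triggers
# Stage 2  ../external                : HTTP API, authorizer_uri from stage 1
# Stage 3  this unit                  : resource-based policy, needs both outputs
#
# Dependency graph: authorizer -> gateway -> permission (no cycle).

dependency "authorizer" {
  config_path = "../multi-issuer-authorizer"
}

dependency "gateway" {
  config_path = "../external"
}

terraform {
  # Same post-actions module as in the reply (aws_lambda_permission over var.items).
  source = "${get_path_to_repo_root()}/terraform//post-actions/post-apigw-lambda"
}

inputs = {
  items = {
    authorizer = {
      statement_id = "AllowApiGatewayInvokeAuthorizer"

      # Take the name from the lambda unit's output instead of hard-coding it,
      # so a renamed function cannot silently leave the policy pointing elsewhere.
      # (assumes the terraform-aws-lambda output `lambda_function_name`)
      function_name = dependency.authorizer.outputs.lambda_function_name

      # Least privilege: only authorizer invocations from this API may call the
      # function. Routes that also invoke a lambda need their own, separate item.
      source_arn = "${dependency.gateway.outputs.apigatewayv2_api_execution_arn}/authorizers/*"
    }
  }
}
```

Apply the three units in dependency order (`terragrunt run-all apply` resolves it from the `dependency` blocks); until stage 3 is applied the authorizer will still fail with the IAM error seen in CloudWatch, which is the expected state, not a regression.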

github-actions[bot] commented 8 months ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove the stale label or comment, or this issue will be closed in 10 days.

github-actions[bot] commented 8 months ago

This issue was automatically closed because it remained stale for 10 days.

github-actions[bot] commented 7 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.