Closed jinnko closed 1 month ago
I think I need this fix.
This PR is included in version 7.3.0 :tada:
@bcdady Please confirm that it works as expected. If not, please open a new issue.
This change is believed to be causing cyclical dependency issues when attaching additional policies for allowed triggers:
│ Error: Cycle:
module.my_app.module.lambda_function.aws_lambda_permission.unqualified_alias_triggers["events"] (destroy deposed c82299c4),
module.my_app.module.lambda_function.aws_lambda_permission.current_version_triggers["events"],
module.my_app.module.lambda_function.aws_lambda_permission.current_version_triggers["events"] (destroy deposed cef6f514),
module.my_app.module.lambda_function.aws_iam_role_policy_attachment.additional_many[1] (destroy),
module.my_app.module.lambda_function.aws_lambda_function.this[0],
module.my_app.module.lambda_function.aws_lambda_permission.unqualified_alias_triggers["events"]
@plukevdh Could you please open a new issue and provide the code snippet to reproduce the issue?
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Description
Update lambda permissions handling so there's no interruption to the permissions available to a lambda.
The change keeps the module interface the same, so there are no changes needed to the documentation.
The only material change visible to users is that the statement_id will now be used as a prefix rather than as a specific value.
Motivation and Context
When any parameters contain dynamic elements, e.g. data.aws_region.name, and that is evaluated in an intermediate module, it is not known until apply time, which causes the permission to be removed and added. During this window, CloudWatch Logs will see errors when delivering events to the subscription and stop sending events for 10 minutes. By switching to a statement_id_prefix and using a create_before_destroy lifecycle we avoid such interruptions.
Breaking Changes
No breaking changes.
How Has This Been Tested?
- examples/* to demonstrate and validate my change(s)
- examples/* projects
- examples/alias, which is confirmed to use both module.lambda_function.aws_lambda_permission.unqualified_alias_triggers["APIGatewayAny"] and module.lambda_function.aws_lambda_permission.current_version_triggers["APIGatewayAny"]
- pre-commit run -a on my pull request

This has been tested via our own module that in turn calls this module. Prior to this change we saw the Terraform traces showing a remove operation followed by an add operation on the lambda permissions. After this change a new lambda permission is created first, followed by removal of the old permission.
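The before/after shape of the permission resource the description refers to, as an added illustration rather than the module's own code; the resource names, the log group, the function reference and the use of a regional CloudWatch Logs principal are constructed for the example.

```hcl
# Added example, not code from the terraform-aws-lambda module. All names are constructed.

# BEFORE: a fixed statement_id. The principal depends on data.aws_region, which in an
# intermediate module is only known at apply time, so Terraform must replace the
# resource. With a fixed statement_id the replacement cannot be created first (AWS
# rejects a duplicate statement ID on the same function), so the default order is
# destroy-then-create, and the function has no invoke permission in between.
resource "aws_lambda_permission" "before" {
  statement_id  = "AllowExecutionFromCloudWatchLogs"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.this.function_name
  principal     = "logs.${data.aws_region.current.name}.amazonaws.com"
  source_arn    = "${aws_cloudwatch_log_group.app.arn}:*"
}

# AFTER: the former statement_id becomes a prefix, so every instance gets a unique
# generated statement ID, and create_before_destroy lets Terraform add the replacement
# permission before it removes the old one. Scope (action, principal, source_arn) is
# unchanged, so the grant stays as narrow as before; only its continuity improves.
resource "aws_lambda_permission" "after" {
  statement_id_prefix = "AllowExecutionFromCloudWatchLogs"
  action              = "lambda:InvokeFunction"
  function_name       = aws_lambda_function.this.function_name
  principal           = "logs.${data.aws_region.current.name}.amazonaws.com"
  source_arn          = "${aws_cloudwatch_log_group.app.arn}:*"

  lifecycle {
    create_before_destroy = true
  }
}
```

To confirm the ordering, check `terraform plan` when an apply-time value changes: the replacement is shown as `+/-` (create replacement and then destroy) rather than `-/+` (destroy and then create replacement).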