terraform-aws-modules / terraform-aws-lambda

Terraform module, which takes care of a lot of AWS Lambda/serverless tasks (build dependencies, packages, updates, deployments) in countless combinations 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/lambda/aws
Apache License 2.0

feat: Added create before destroy on aws_lambda_permission #561

Closed jinnko closed 1 month ago

jinnko commented 2 months ago

Description

Update lambda permissions handling so there's no interruption to the permissions available to a lambda.

The change keeps the module interface the same and so there's no changes needed to the documentation.

The only material change visible to users is that the statement_id will now be used as a prefix rather than as a specific value.

Motivation and Context

When any parameters contain dynamic elements, e.g. data.aws_region.name, and that is evaluated in an intermediate module, it is not known until apply time, which causes the permission to be removed and added. During this window, Cloudwatch Logs will see errors when delivering events to the subscription and stop sending events for 10 minutes.

By switching to a statement_id_prefix and using a create_before_destroy lifecycle we avoid such interruptions.

Breaking Changes

No breaking changes.

How Has This Been Tested?

This has been tested via our own module that in turn calls this module. Prior to this change we saw the terraform traces showing a remove operation followed by an add operation on the lambda permissions. After this change a new lambda permission is created first, followed by removal of the old permission.
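The destroy-then-create gap described above, and the statement_id_prefix plus create_before_destroy fix, shown as an added example rather than the PR's or the module's own code. It assumes a CloudWatch Logs subscription delivering to a Lambda named by var.function_name and a log group resource called aws_cloudwatch_log_group.app; both names are constructed for illustration.

```hcl
# Constructed example, not the module's own code. Assumes a CloudWatch Logs
# subscription filter delivering to the Lambda named by var.function_name.

data "aws_region" "current" {}

# Before: statement_id depends on a value only known at apply time, so a
# change is planned as destroy followed by create, and for that window no
# permission exists and CloudWatch Logs deliveries fail.
resource "aws_lambda_permission" "logs_before" {
  statement_id  = "AllowCloudWatchLogs-${data.aws_region.current.name}"
  action        = "lambda:InvokeFunction"
  function_name = var.function_name
  principal     = "logs.${data.aws_region.current.name}.amazonaws.com"
  source_arn    = "${aws_cloudwatch_log_group.app.arn}:*"
}

# After: a prefix lets the provider generate a fresh, unique statement_id,
# and create_before_destroy makes Terraform add the replacement permission
# before removing the old one, so invoke rights are never absent.
resource "aws_lambda_permission" "logs_after" {
  statement_id_prefix = "AllowCloudWatchLogs-"
  action              = "lambda:InvokeFunction"
  function_name       = var.function_name
  principal           = "logs.${data.aws_region.current.name}.amazonaws.com"
  source_arn          = "${aws_cloudwatch_log_group.app.arn}:*"

  lifecycle {
    create_before_destroy = true
  }
}
```

Run `terraform plan` after changing the region or source ARN: the first resource shows `-/+` (destroy then create), the second shows `+/-` (create then destroy).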

bcdady commented 1 month ago

I think I need this fix.

antonbabenko commented 1 month ago

This PR is included in version 7.3.0 :tada:

antonbabenko commented 1 month ago

@bcdady Please confirm that it works as expected. If not, please open a new issue.

plukevdh commented 1 month ago

This change is believed to be causing cyclical dependency issues when attaching additional policies for allowed triggers:

│ Error: Cycle:
    module.my_app.module.lambda_function.aws_lambda_permission.unqualified_alias_triggers["events"] (destroy deposed c82299c4), 
    module.my_app.module.lambda_function.aws_lambda_permission.current_version_triggers["events"], module.my_app.module.lambda_function.aws_lambda_permission.current_version_triggers["events"] (destroy deposed cef6f514), 
    module.my_app.module.lambda_function.aws_iam_role_policy_attachment.additional_many[1] (destroy), 
    module.my_app.module.lambda_function.aws_lambda_function.this[0], 
    module.my_app.module.lambda_function.aws_lambda_permission.unqualified_alias_triggers["events"]

antonbabenko commented 1 month ago

@plukevdh Could you please open a new issue and provide the code snippet to reproduce the issue?

github-actions[bot] commented 3 weeks ago

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.